According to the figures recently published by the UK Department of Health, to the date 31st March 2011, only 186 out of 396 acute, mental health, ambulance and primary care trusts reported to have met the targets set by the" Pseudonymisation Implementation Project". According to this project (description available at: http://bit.ly/k1utU1) , comprised within the Connecting for Health strategy, to undertake secondary use of patient data in a legal, safe and secure manner, all NHS trusts need first to encrypt information to pseudonymise records, thus ensuring complete patient privacy.
The overall aim of implementing pseudonymisation is to facilitate the legal and secure use of patient data for secondary purposes by the NHS and other organizations involved in the commissioning and provision of NHS-commissioned care (including performance monitoring, analyzing clinical trends and other business requirements). As set out in the NHS policy and good practice guidance document "Confidentiality: the NHS Code of Practice", it is a legal requirement that when patient data is used for purposes not involving the direct care of the patient (secondary uses), the patient should not be identified unless other legal means hold, such as the patient's consent or "Section 251" approval. The implementation of the project is based on each local organization undertaking its own pseudonymisation as appropriate. The decision to go for a "local implementation approach", instead of a centralized one, was taken by the government, during the summer of 2010, after a financial and practical feasibility analysis. Moreover, the local approach is expected to better support the growing number of communications between NHS providers and commissioners.
As information cannot be labeled as for primary or secondary ab origine (it's actually their usage that can be actually classified "for patient direct care" or not) NHS providers need to continually review and modify aspects of their management of and user access to identifiable and pseudonymised data as well as business processes, end user applications and the relevant logging and auditing facilities. In order to guarantee a uniform level of security across all organizations the Department of Health created the Information Governance Toolkit, which describes all requirements relating to the protection and confidentiality of information. It draws together the legal rules and central guidance set out above and presents them in one place as a set of information governance requirements. Organizations are required to carry out self-assessments of their compliance against the Information Governance requirements using the online assessment that is part of the Toolkit and, obviously, NHS regulatory bodies use the Toolkit to assess the performance of NHS organizations. The toolkit provides a way to deal consistently with the many different rules about how information is handled, including among others, those set out in: the Data Protection Act 1998, the common law duty of confidentiality, the Confidentiality NHS Code of Practice, the NHS Care Record Guarantee for England, the Social Care Record Guarantee for England, the international information security standard: ISO/IEC 27002: 2005, the Information Security NHS Code of Practice, the Records Management NHS Code of Practice and with the Freedom of Information Act 2000.
The low adoption showed by NHS trusts is raising some question on the real efficacy of the initiative especially under the light of the envisaged (but now postponed) reorganization of the UK NHS and the considerable cuts planned by the Healthcare and Social Bill. Have all the envisaged budget cuts transformed Information Governance in a less significant priority? Did the fact that primary care trusts were expected to cease their activities in 2013 and to be focused on how to deal with short term budget rationalization make the Pseudonymisation Implementation Project something that can be postponed? IDC Health Insights has just made a survey focused on assessing the information security strategy of healthcare organization in EMEA, Asia Pacific and Latin America. Security in surveys often emerge as first area of priority and of investments in our surveys, however, analyzing the results of the EMEA healthcare organizations, we noticed that some organizations still show a poor management of health information governance. Where policies and strategies are in place, the gap between good intentions and operational execution and implementation, is frequently low. Many organizations appear to lack basic monitoring of security events, their frequency, nature or source. The publication of the UK Department of Health further corroborates our recent survey results.
If as stated in the Health and Social Bill, the UK government aims to enhance productivity of the NHS through comparison of the various providers in order to identify best practices, and, from a clinical research perspective, it aims to transform the NHS into the "world biggest laboratory " through the use of anonymized patient data for research purposes, it is time to reopen the discussion around how information security is handled by healthcare providers and to ensure adequate resources and time to it.
If you are interested in more details on this subject please keep an eye open for the forthcoming publication "How secure is your information security strategy? 10 + 1 recommendations on cyber security for EMEA Healthcare organizations" (doc ref: HIOH02T)