Buried deep in the new Care Bill is the first amendment we recall seeing to what is commonly referred to as ‘Section 251’ – the power of the Secretary of State to set aside the common law duty of confidentiality in order that identifiable patient information can be passed on without individuals’ consent.
The history is hellishly convoluted but Section 251 of the NHS Act 2006 re-enacted Section 60 of the Health and Social Care Act 2001, drawing on powers in the Health Service (Control of Patient Information) Regulations 2002. Officials now seem to want to drop “Section 251” and use “Regulation 5” instead, but they are basically referring to the same thing.
The restructuring of the NHS under the Health and Social Care Act 2012 has already caused quite a few problems, for which Section 251 exemptions were used to paper over the cracks.
But now we see in Clause 115 of the Care Bill 2013-14, entitled ‘Approval for processing confidential patient information’, amendments to Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 which would make it read as follows: [changes in red]
Approval for processing information [why drop the words “confidential” and “patient” from the title of the Regulation?]
5. (1) Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved—
(a) in the case of medical research, by the Health Research Authority, and
(b) in any other case, by the Secretary of State.
(2) The Health Research Authority may not give an approval under paragraph (1)(a) unless a research ethics committee has approved the medical research concerned.
(3) The Health Research Authority shall put in place and operate a system for reviewing decisions it makes under paragraph (1)(a).
And Regulation 6 would change as follows:
6. (1) Where an approval granted by the Health Research Authority or the Secretary of State under regulation 5 permits the transfer of confidential patient information between persons who may determine the purposes for which, and the manner in which, the information may be processed, it or he shall record in a register the name and address of each of those persons together with the particulars specified in paragraph (2).
(2) The following particulars are specified for inclusion in each entry in the register—
(a) a description of the confidential patient information to which the approval relates;
(b) the medical purposes for which the information may be processed;
(c) the provisions in the Schedule to these Regulations under which the information may be processed; and
(d) such other particulars as the Health Research Authority or (as the case may be) the Secretary of State may consider appropriate to enter in the register.
(3) The Health Research Authority shall retain the particulars of each entry it records in the register, and the Secretary of State shall retain the particulars of each entry he records in the register, for so long as confidential patient information may be processed under an approval and for not less than 12 months after the termination of an approval.
(4) The Health Research Authority shall, in such manner and to such extent as it considers appropriate, publish entries it records in the register; and the Secretary of State shall, in such manner and to such extent as he considers appropriate, publish entries he records in the register.
While paragraph 6(4) may represent a relatively minor change from the old wording, which was “in such manner and to the extent to which he considers it appropriate”, both wordings mean that the register(s) will not necessarily be published in full. This means that in some instances – how many we would never know – there may be no public record of the setting aside of the common law duty of confidentiality for identifiable patient data to be used.
The main effect of clause 155 of the Care Bill is that approval for research access to patient confidential data – i.e. identifiable information about patients or from patients’ medical records – will essentially be made arms-length, a role of the Health Research Authority (HRA).
The Secretary of State meanwhile splits off a separate register of non-research ‘customers’ for patient data, which he may or may not decide to publish in full. (N.B. The Confidentiality Advisory Group (CAG) at HRA split the register of approved applications into research and non-research categories at its latest publication.)
Paragraph 5(2) of the amended Regulations may tend to weaken ethical approval with regard to confidentiality: as drafted, any HRA-recognised research ethics committee would suffice for approval, so HRA CAG could be cut out of the equation altogether.
For example, an potential customer could come to the HRA and say, “Our own ethics committee that has been recognised by you [under clause 112 of the Care Bill] has passed this already. Under Regulation 5(2) this doesn’t need to go past CAG – they’re busy enough already with all those other care.data related applications. All we need is the green light from you, as we’ve fulfilled the requirements.”
Unfortunately history has shown that if something can happen, it almost certainly will.
The amendments to Regulations 5 and 6 in clause 115 also highlight that it is the Secretary of State alone who approves the release of patient confidential data for uses other than research. It is therefore vital to keep an eye out for any amendments that replace or remove the word “medical” in 5(1) and/or 6(2)(b) and/or the Schedule.
As this is a Care Bill, not a Health Bill, it may appear strange that the Secretary of State’s powers should remain limited to medical purposes. Is all of social care to be redefined as a “medical purpose”?
Assuming some sort of last minute amendment were to be laid in order to ‘fix’ this, then depending on the exact wording used, the last constraint could be removed from preventing any use of confidential patient data .
There are amendments that might look relatively benign, e.g. adding “and care” to “health professional” in Regulation 7(2) or a consequential amendment to DPA 69(1), adding a list of others – but anything that changed or removed “medical” or “medical purposes” should be scrutinised very carefully.
As the merging of health and social care systems continues, we feel these words are almost certain to be changed at some point – with intended and unintended consequences, and some potentially devastating effects – not least the corrosion of trust in NHS confidentiality.
 In much the same way as NHS England’s care.data addendum, ostensibly to extend access to patient data for researchers, will in matter of fact open it up to all organisations while simultaneously broadening the uses to which patient data could be put – including for non-research purposes.
Furthermore, while some of the information extracted from GP-held patient records under the care.data programme is intended to be passed on in ‘pseudonymised’ – i.e. potentially re-identifiable – form, the clear intention is for Section 251 / Regulation 5 approval to be used to pass on other patient information in identifiable form – which should make Clause 115’s amendments to Regulations 5 and 6 of particular interest.