medconfidential’s BMJ rapid response to “Slow and costly access to anonymised patient data impedes academic research”

Research is vital, and it is always unfortunate when any research project fails to deliver the promise in the funding proposal, irrespective of the reason. But railing against the custodian of the nation’s medical histories (BMJ 2015;351:h5087), the HSCIC, seems an odd choice if given any consideration.

The author’s institution was unable to give the assurances required that they were capable of looking after the data to the standard that the public expects. The standards have barely changed; what’s changed is that HSCIC has started checking the assurances more carefully – something it should have been doing all along.

Those necessary assurances are steered and delivered by institutions and supervisors on behalf of their students, not individual students themselves. It is not the students’ fault if their institution refuses to assure that it will take due care of 1 billion health events. And it is precisely the lack of verification of such assurances that sent 25 years of medical records to insurers, to marketers, and elsewhere.

Academia emerged with its reputation pretty much unscathed from the data debacles of 2014 and 2015. The high standards legitimate institutions expect of their researchers are one of the factors that justify the access to sensitive medical data, sometimes without consent, that academia is in a position to receive. Complaining that the standards are too high for your institution to agree to meet says more about the institution than the standards.

All research is important, but no single project – and no one institution – is more important than public confidence in all research. That is why a wide range of organisations support the “one strike principle for abuse or misuse of medical records. With the Hospital Episode Statistics, i.e. linked, longitudinal medical records of the population for the past 30 years, every woman with 3 children is uniquely identifiable – and with 2 children that’s about 90% likely (quite literally, a birthday attack).

In the last week, the ICO has fined the UK’s largest internet pharmacy for selling NHS patient and customer details to spammers, quacks and charlatans, pushing “innovative treatments and lottery scams (paragraphs 49, 51, 52). Those participating in the abuse of these records stand to make a great deal of money, and until there is a ban on marketing to patients that leads to jail time for these predators, there will continue to have to be deep scrutiny of every project, and every release.

The “promotion of health”, as undefined in the Care Act 2014, is a loophole so broad you could slip a Saatchi advertising hoarding through it, quacking.

The author’s experience is unfortunate. Both the researcher and their funder deserve a clear answer as to why their institution doesn’t provide them the infrastructure necessary for modern data-driven health research. But corners cannot be cut if patient confidence is to be maintained.

The debacle includes lessons for many. While BMJ readers would always uphold the highest standards of Information Governance, readers may consider (former) colleagues who might – in similar or related circumstances – find themselves with a highly-cited paper, for all the wrong reasons?

HSCIC is the custodian of the nation’s medical histories. In making it available for legitimate research, it simply requires you fill in a form honestly. That shouldn’t be too high a bar*.

* Paragraph 62


Excerpt from our last newsletter on the Saatchi/CHH bill:

medConfidential had some questions for Mr Heaton-Harris on the content of the draft Bill, and had a meeting with him last week. Our comments and suggestions arising from that meeting covered a ban on marketing to patientsData Usage Reports (including our example of what one might look like) and an alternative approach that might deliver the policy intent of the Bill without creating another new database, or giving DH duplicates of powers it already has.