There were some extraordinary revelations at the Health Select Committee’s second evidence session of its (expanded) inquiry into the handling of NHS patient data on Tuesday 8th April.

This post is to draw attention to just one of them: a third opt-out form that the Health and Social Care Information Centre (HSCIC) has produced, on top of the two care.data opt-out codes you need to instruct your GP to add to your record.

The form that HSCIC has produced is dangerous. We don’t propose to link to it in case people download it, fill it in and accidentally de-register themselves from their GP!

In essence, HSCIC completely unnecessarily added a section to its form relating to a system called NHAIS (National Health Applications and Infrastructure Services) which if someone had completed – as many do when filling in complex forms, by signing wherever the form asks for a signature – would have meant they’d be de-registered by their GP and not be called for essential screening.

This exchange between Select Committee member Barbara Keeley MP and HSCIC Chair, Kingsley Manning gives you a sense of how this was viewed by the Committee:

Barbara Keeley MP: But it’s the way its phrased, it just looks like a threat. If you opt out…
Kingsley Manning: No, I agree, I agree…
Barbara Keeley MP: …your GP will drop you, and you’ll never have any screening.
Kingsley Manning: …I entirely agree.

You can download a safe version of the form, from which we have removed the offending section, via either of these links:

Withdrawal of Consent form (Microsoft Word format)

Withdrawal of Consent form (PDF format)

The Withdrawal of Consent form we provide should enable you to opt-out* of any one or more of the following ‘secondary use’ data sets, i.e. data sets that are not used for your direct medical care:

Hospital Episode Statistics (HES) – holds records on hospital episodes of care including inpatient, outpatient and A&E.

Secondary Uses Service (SUS) – the single source of comprehensive data for a range of reporting and analysis.  NHS hospital trusts submit patient activity to SUS for performance monitoring, reconciliation and payments purposes.

Mental Health Minimum Data Set (MHMDS) – contains patient-level data about NHS services delivered to people with severe and enduring mental health problems.

Diagnostic Imaging Dataset (DIDS) – a central collection of detailed information about diagnostic imaging tests carried out on NHS patients, extracted from local radiology information systems.

*In this instance, ‘opt-out’ does not mean that your data will be deleted. Data held about you will instead be ‘anonymised’, i.e. items or links to anything that identifies you will be removed. For statistical audit purposes, NHS systems still require a de-identified record to exist.

Thanks to Professor Julia Hippisley-Cox and Helen Wilkinson for pointing out that the Clinical Practice Research Datalink (CPRD) has extracted highly sensitive ‘free text’ from patients’ GP records without approval or fair processing.

Free text is your GP’s own notes, attached to the codes that are entered onto their computer systems. It can basically contain anything – names, highly sensitive personal details, medical and non-medical information about you or other people. Free text is for your doctor’s own use when providing you care, and to provide context that will help any other doctor you may see in future to provide you care.

See page 15 of CAG meeting minutes 3 October 2013 – 6a. CPRD – processing of free text information [CAG 6-06(a)/2013]

N.B. CAG is the Confidentiality Advisory Group, now based at the Health Research Authority, which advises the Secretary of State on the use of the extraordinary ‘Section 251‘ powers that allow the common law duty of confidence to be set aside so that patient identifiable information may be used without consent.

That free text has been extracted is confirmed by this presentation on Using free text in primary care research, on slide 55, which states:

“We plan to run FMA on free text within +/- 90 days of myocardial infarction [heart attack] for 2000 patients… Software will be run at CPRD without anonymisation”

(N.B. You will need to add .pdf to the filename of the file once downloaded in order to view it in Acrobat Reader.)

And this published study on BioMed Central suggests that GPRD (the General Practice Research Database) the precursor to CPRD, had been collecting free text for years.

Even more worrying is this statement on page 16 of the CAG minutes from 3/10/13:

“It was noted from the discussion that CPRD were seeking to progress solutions and were in discussion with those leading on the care.data mechanism.”

So CPRD had been using an out-of-date leaflet from 2008 to ‘notify’ patients about what it was doing and was in discussion with care.data leaders about using whatever ‘mechanism’ they were going to use to inform the public – which we now know was a junk mail leaflet!

If you even received a junk mail leaflet in January, did you see any mention of CPRD? Or any suggestion that your doctor’s private free text notes about you would be extracted? If you didn’t, why not check the leaflet out now. It says:

“Details that could identify you will be removed before your information is made available to others, such as those planning NHS services and approved researchers.

We sometimes release confidential information to approved researchers, if this is allowed by law and meets the strict rules that are in place to protect your privacy.”

So, you have been lied to on at least two counts; details that could identify you (i.e. free text) clearly are not always removed before information has been made available to researchers, and confidential information has been ‘released’ unlawfully and without meeting these so-called “strict rules”.

Because, as the CAG minutes clearly state:

“The CAG agreed that the minimum criteria under the Regulations did not currently appear to be met, and therefore advised recommending deferral to the SofS and the Health Research Authority, to enable the following actions to take place to bring the application within the framework of the Regulations:

a. Fair processing actions to be progressed in conjunction with the Information Commissioner’s Office; assurance and approved patient information materials to be provided at the relevant time before any final approval could come into effect.

b. Revision of the application form to fully incorporate responses to the issues set out above. This was to include a cover paper to clearly show which sections reflected these responses within the application.

c. A favourable ethical opinion to be provided from a Research Ethics Committee on the revised application to be considered by the CAG.

d. A satisfactory level to be achieved within the IG Toolkit before any final approval could be provided; this could be carried out in parallel to CAG consideration of the application.”

So there you have it. Yet another way that sensitive patient information has been taken from GP records without consent or proper approval. And care.data leaders knew all about it.

The problems aren’t just limited to HSCIC, folks.

We’re not saying research shouldn’t happen – of course it should – but it must be done with proper consent and/or proper authorisation, e.g. Section 251 support, which CPRD clearly didn’t have and doesn’t have yet.

—

Please note: we are not suggesting that the researchers referred to in this post are necessarily at fault; they may simply have been using a ‘service’ provided by GPRD / CPRD, without knowing that the free text had not been gathered with consent or proper approval.

It has become increasingly clear in recent weeks that patients have been kept in the dark about where their data has been going, in what form and what is being done with it.

Well now for the first time, we can show you a picture:

Click on the image to show full size.
For obvious reasons, we have redacted the day element of every date.

Please note that we are not suggesting the following is unlawful or that patient confidentiality has been deliberately breached.

The image above comes from a company called OmegaSolver Ltd, formed in March 2013, which sells a product called HALO Patient Analyser, which it describes thus:

Patient Treatment Analyser is a unique dataset solution provided to pharmaceutical companies and trusts, who want to analyse and understand the treatment given to patients suffering from a specific disease…

The patient Analyser provides a robust query engine where users can query based on a large number of fields such as –

Gender
Age
First Diagnosis
Period (Years)
Hospital Visit Frequency
Hospital Stays
Procedures
Diagnosis
CCG / TRUST / Hospitals
Treatment Specialist
Planned / Unplanned Admissions and many more

The Patient summary report gives a summarised report of the queried data for new and overlapping patients, Gender split with age range distribution over a three year period. Patient Analyser is a one of its kind analytical tool with a simple yet understandable data visualization tool, which is currently a unique offering.

The image, a screenshot looking at five out of 163,316 patients’ data, shows detailed information about each individual patient including their medical diagnoses ordered by actual dates of each hospital visit, tracking episode to episode – the detailed state of each individual patient’s health as he or she passes through hospital care.

For example, patient OS060900 (the ‘pseudonym’) is aged 81-85 and had 5 conditions diagnosed in October 2010. She has visited hospital 257 times, mostly as outpatient visits, but spent 5 days in hospital at which point 8 conditions were diagnosed, then 6 days later the incidents scroll off the screen.

Patient OS084761, also 81-85 years old, was in hospital in April 2010 and he was still there with the same diagnoses 3 days later, though it looks like he left a day later with at least one additional diagnosis.

We are not certain that the codes in the screenshot are the same as the ones used by GPs, but if they are then some of the events and/or diagnoses referenced in the screenshot would include:

• Posterior fixation of rectum
• Removal of left breast
• Suberosis (cork-handlers’ lung)
• Explosive personality disorder
• Bilateral mastectomy or mammoplasty
• Removal of left fallopian tube
• Removal of left ovary

What this illustrates quite starkly about pseudonyms is just how irrelevant they are when there is so much other identifiable data in the rest of the row. ‘Pseudonymised’ data may obscure some of the most obvious pieces of identifying information, such as your NHS number, but it clearly doesn’t hide rich detail about a person’s life and health that could just as easily be used to identify them.

Given that companies are already combining health data with social media data, you can see the ever-growing risk of re-identification from simply having tweeted about having had an accident on a certain date, or having posted a Facebook update about a relative going into hospital.

N.B. We sincerely hope this screenshot was taken from a set of mock data, not the actual HES data of 163,316 NHS patients. We look forward to clarification from OmegaSolver in due course.

—

We have noticed in recent days that some of the “information intermediaries” supplied with data by the Health and Social Care Information Centre under “commercial re-use licenses” are pulling web pages when contacted by the press about what they are doing.

Last Monday the Guardian, Wired and others reported on a company called Earthware with a ‘Hopsital [sic] Episodes Map’ on its website, which it described thus:

Healthcare companies and the NHS use Hospital Episode Statistics (HES) data to understand the flow of patients through the healthcare system. HES is a dataset containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.

The map appeared to be making Hospital Episodes Statistics (HES) data available for arbitrary queries on a public web page without any form of password protection. The company pulled the map, but later put out a statement saying:

The third party, which cannot be named at this point, has since removed all the text from pages on its website that mentioned HES data.

Another information intermediary which last week was happy to declare it held “over 900 million linked patient HES records” and “patient level linked HES data”, has updated its site and now claims to hold “over 1 billion linked patient HES records dating back 10 years” but adds the qualification, “this data is non identifiable and non sensitive”. The company’s website also clearly states, “HES data provided by the Health & Social Care Information Centre under Commercial Re-use licence 2013.”

We suspect HSCIC and its information intermediaries’ definition of “non sensitive” may be somewhat different from the patients whose hospital details are being sold.

And in the light of the OmegaSolver image, the bald assertion that vast quantities of information-rich patient-level health data are completely “non identifiable” simply will not wash.

On 7th February, GP magazine Pulse reported that “Patients who have opted out of the [care.data] scheme will still have their records sent to the HSCIC stripped of identifiers” – see 4th paragraph from bottom of this article. This confirmed something buried on page 9 of NHS England’s care.data Privacy Impact Assessment [PDF], which states:

Where patients have objected to the flow of their personal confidential data from the general practice record, the HSCIC will receive clinical data without any identifiers attached (i.e. anonymised data).

So the intention was to extract information from the medical records of people who had opted out, just without their NHS number, postcode, date of birth and gender attached.

This is not what any reasonable person would understand by opt out – if you opt out, no information from your medical record should leave your GP practice.

We immediately got to work, engaging with the Secretary of State and Department of Health and HSCIC amongst others. By the middle of the following week it was clear that the opt outs were going to have to be fixed, in ways we were invited to put to the Secretary of State for Health in a letter. By Friday 14th we were pretty sure that they would be fixed, but no-one seemed willing to confirm this – maybe because to do so would confirm that NHS England had been caught misleading the public.

Things moved on rapidly the following Monday with the launch of the first online opt out, faxyourgp.com, following on from critical statements by the Royal College of General Practitioners, British Medical Association and the Information Commissioner’s Office, clear signals that 38Degrees and SumOfUs supporters might opt out en masse – not to mention the fact that medConfidential had over the previous 4 weeks served out over 300,000 opt out forms and letters. And we instructed Leigh Day Solicitors to write a ‘letter before action’ to NHS England, i.e. we began a legal challenge based on misleading information in its junk mail leaflet.

On Tuesday 18th we received a letter from Dr Mark Davies, the outgoing Director of Clinical and Public Assurance at HSCIC, confirming the way in which the opt out codes would work. His letter ended: “This proposal will be considered by the GPES Independent Advisory Group (IAG) in February for their confirmation” – thus confirming that the opt outs had changed. This wasn’t an outright admission that the public had been deceived, but it clearly shows that the opt outs were not set up to work as patients would expect at the point we intervened.

And then later that afternoon, bowing to serious pressure, NHS England announced a second six month delay – while allowing themselves the possibility of uploading patient data from some ‘pilot’ practices before September.

Without fanfare that same afternoon, a new web page was published on the HSCIC website. You will probably want to read this – it’s a public document, clearly explaining the operation of the opt out codes:

http://www.hscic.gov.uk/article/3915/what-we-will-collect-from-gp-records-under-caredata

Hopefully from this point on, this page will be where any further changes to the process are published.

BUT…

You will note that the HSCIC page says, “Currently, no other data relating to those who have made this objection will be extracted from their GP record in relation to care.data”

“Currently”? Are they intending to change how the opt out codes work all over again? We sincerely hope not!

Following yesterday’s evidence session on care.data before the Health Select Committee we shall be writing to the Committee to ask that they (i.e. Parliament) ensure that the final few loose ends are tied up.

So our advice remains as follows; if you have any concerns – and the performance of Tim Kelsey (NHS England), Max Jones (HSCIC) and the Under-Secretary of State for Health in front of the Committee yesterday was less than confidence-inspiring – then opt out now. And don’t forget your kids!

If NHS England manages to convince you that they’ve got things right by September, you can always opt back in. But if you’re in one of the proposed ‘pilot’ practices (no, we don’t know where they are yet) and you don’t find out that you are until after your data has been uploaded, you may regret delaying taking action.