EHR Vendor’s Coding Error Caused the Impermissible Sharing of Patient Health Data

The UK’s National Health Service (NHS) has informed 150,000 patients that their health data was shared for clinical research and planning even though they had expressed wishes not to have their information shared for such purposes.

In Britain, patients can choose from two types of opt-outs if they do not want their health data shared. In a Type 1 opt-out, patients can say that the health data included in their GP or general practitioner medical record can only be used for the provision of their care. In a Type 2 opt-out, patients opt out of having NHS Digital share their healthcare data for any purpose except individual care.

In this case, the 150,000 patients already submitted a Type 2 opt-out and yet their data was still shared. The improper sharing was due to a coding error by EHR vendor, TPP. TPP is the provider of the SystmOne EHR system to the NHS. This particular EHR system is used in GP practices all over the UK..

The coding error meant NHS Digital did not receive the Type 2 opt-out requests. So, NHS Digital did not know that the patients’ had opted-out. The flaw affected patients who submitted Type 2 requests after March 31, 2015.

NHS Digital contacted TPP and the flaw has now been corrected. All organizations that received patients’ data were informed about the breach and were told to delete the data of patients that opted-out.

The NHS had executed changes before discovering the breach which will stop similar incidents from occurring in the future. The type 2 opt outs have finally been swapped with a national opt out system, whereby patients can manage their data sharing options by using a secure web page, by telephone, or by sending a written request. The new system makes sure that NHS Digital gets the requests instantly, instead of the previous system that saw the requests registered through GP practices using a third-party system.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

U.S. healthcare companies ought to pay attention to breaches such as this and check that their EHR vendors have the necessary systems in place to be able to check for system errors that could lead to privacy violations. In this case it took three years for the flaw to be discovered.

EHR vendors are considered as business associates and may be fined directly for errors that result to PHI exposure, but healthcare organizations may likewise be fined if found to have failed to acquire assurances that vendors are following HIPAA Rules. Breaches such as this could also cause significant damage to healthcare providers’ reputations, regardless of who was responsible for the privacy violation.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: