The UK’s National Health Service (NHS) has informed 150,000 patients that their health data was shared for clinical research and planning even though they had expressed wishes not to have their information shared for such purposes.
In Britain, patients can choose between two types of opt-out if they do not want their health data shared. With a Type 1 opt-out, a patient states that the health data held in their GP (general practitioner) medical record may be used only for the provision of their own care. With a Type 2 opt-out, a patient opts out of having NHS Digital share their healthcare data for any purpose other than individual care.
In this case, the 150,000 patients had already submitted a Type 2 opt-out, and yet their data was still shared. The improper sharing was due to a coding error by the EHR vendor TPP, the provider of the SystmOne EHR system to the NHS. This particular EHR system is used in GP practices all over the UK.
The coding error meant NHS Digital did not receive the Type 2 opt-out requests, so NHS Digital did not know that the patients had opted out. The flaw affected patients who submitted Type 2 requests after March 31, 2015.
NHS Digital contacted TPP and the flaw has now been corrected. All organizations that received patients’ data were informed about the breach and were told to delete the data of patients that opted-out.
The NHS had already implemented changes before discovering the breach which will stop similar incidents from occurring in the future. Type 2 opt-outs have now been replaced by a national opt-out system, through which patients manage their data sharing choices on a secure web page, by telephone, or by written request. The new system ensures that NHS Digital receives the requests directly and immediately, whereas under the previous system requests were registered through GP practices using a third-party system.
U.S. healthcare companies should pay attention to breaches such as this and confirm that their EHR vendors have systems in place to detect errors that could lead to privacy violations. In this case it took three years for the flaw to be discovered.
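One form such a check can take is a periodic reconciliation between the opt-outs recorded at the practice and those held by the central data controller, so that a request that never propagated is flagged before any sharing takes place. The example below is added here and is not code from the article, from NHS Digital or from TPP; the patient identifiers, dates and the `may_share`/`missing_centrally` functions are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Opt-out model as described in the article:
#   Type 1 - the GP record may be used only for the patient's own care.
#   Type 2 - NHS Digital may not share the data for any purpose except individual care.
@dataclass(frozen=True)
class OptOut:
    nhs_number: str   # constructed placeholder identifiers, not real NHS numbers
    kind: int         # 1 or 2
    submitted: date

def may_share(opt_outs, nhs_number, holder, purpose):
    """Return True if `holder` ('gp' or 'nhs_digital') may share this patient's
    data for `purpose` ('care' or 'research'), given the opt-outs it holds."""
    if purpose == "care":
        return True  # neither opt-out type restricts use for the patient's own care
    for o in opt_outs:
        if o.nhs_number != nhs_number:
            continue
        if o.kind == 1 and holder == "gp":
            return False
        if o.kind == 2 and holder == "nhs_digital":
            return False
    return True  # no applicable opt-out is known to this holder

def missing_centrally(gp_opt_outs, central_opt_outs):
    """Type 2 opt-outs recorded at the practice that never reached NHS Digital.
    This is the article's failure mode: the practice held the request, the central
    controller did not, so may_share() at the centre still answered True."""
    central = {(o.nhs_number, o.kind) for o in central_opt_outs}
    return sorted(o.nhs_number for o in gp_opt_outs
                  if o.kind == 2 and (o.nhs_number, 2) not in central)

# Constructed sample records.
GP_OPT_OUTS = [
    OptOut("P001", 2, date(2014, 11, 2)),  # before the cut-off, propagated correctly
    OptOut("P002", 2, date(2016, 6, 14)),  # after the cut-off, silently dropped
    OptOut("P003", 1, date(2017, 1, 9)),   # Type 1 applies at the practice only
]
CENTRAL_OPT_OUTS = [OptOut("P001", 2, date(2014, 11, 2))]

if __name__ == "__main__":
    print("Type 2 opt-outs missing centrally:", missing_centrally(GP_OPT_OUTS, CENTRAL_OPT_OUTS))
    print("centre would share P002 for research:",
          may_share(CENTRAL_OPT_OUTS, "P002", "nhs_digital", "research"))
```

Running the reconciliation against the two sides' records, rather than trusting that the feed worked, is what would have surfaced the dropped requests well before three years had passed.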
EHR vendors are considered business associates and may be fined directly for errors that result in PHI exposure, but healthcare organizations may likewise be fined if they are found to have failed to obtain assurances that their vendors are complying with the HIPAA Rules. Breaches such as this can also cause significant damage to healthcare providers' reputations, regardless of who was responsible for the privacy violation.