Coding Error by EHR Vendor Results in Impermissible Sharing of 150,000 Patients’ Health Data
The UK’s National Health Service (NHS) has announced that approximately 150,000 patients who had opted out of having their health data shared for the purposes of clinical research and planning have had their data shared against their wishes.
In the UK, there are two types of opt-outs patients can choose if they do not want their confidential health data shared. A type 1 opt-out allows patients to stop the health data held in their general practitioner (GP) medical record from being used for anything other than their individual care. A Type 2 opt-out is used to prevent health care data being shared by NHS Digital for purposes other than providing individual care.
150,000 patients who had registered a Type 2 opt-out have had their data shared. The impermissible sharing of health data occurred as a result of an error by one of its EHR vendors, TPP. TPP provides the NHS with the SystmOne EHR system, which is use in many GP practices throughout the UK.
A coding error in the system meant that these Type 2 requests were not passed on to NHS Digital, and as a result, NHS Digital was unaware that opt-outs had been registered. Patients affected had opted out after March 31, 2015.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Action has now been taken to correct the error and all patients affected have been notified. NHS Digital has also contacted all organizations with whom the data were shared and they have been instructed to permanently delete the data received since the opt-outs were registered.
The NHS had implemented changes prior to the discovery of this breach that will prevent such an incident from occurring in the future. The type 2 opt outs have now been replaced with a national opt out system, in which patients are able to control their data sharing preferences via a secure website, by phone, or by submitting a written request. This system ensures that NHS Digital receives the requests directly, rather than the previous system which saw the requests recorded via GP practices on a third-party systems.
While the issue has now been corrected and similar privacy breaches should be prevented, what is of particular concern is the length of the breach. This suggests the appropriate processes were not in place to continuously monitor the EHR system for errors.
Healthcare organizations in the U.S. should take note of the breach and take steps to ensure similar privacy breaches cannot occur at their own organization. It is important to ensure that current and future vendors have appropriate systems in place to monitor for errors and security flaws and that they meet all appropriate standards.
While EHR vendors, as business associates, can be fined directly for errors and mistakes that lead to the exposure of PHI, healthcare providers can similarly be fined if they have failed to obtain assurances that HIPAA Rules will be followed by their vendors, and breaches can also cause significant damage to reputation.
