Nigel Hawkes

DOI: https://doi.org/10.1136/bmj.k2371

2018-01-01

Abstract:From 25 May patients in the UK have a simpler way of choosing not to share their patient records, a change that could damage health related research, a report from the King’s Fund warns.1The change has been introduced at the same time as the General Data Protection Regulation, which has been discussed widely as organisations email people on their lists to seek their permission to continue doing so.But the change to the NHS opt-out has been less widely publicised, and no special effort has been made to convince patients that their data will be safe and that using the data could improve care and the way the NHS is run.The …

Nigel Hawkes

DOI: https://doi.org/10.1136/bmj.h619

2015-01-01

BMJ

Abstract:Criminal sanctions, including imprisonment, should be brought in for people who misuse personal health data, the UK Nuffield Council on Bioethics has recommended in a new report.1Arguing that greater reassurance on data security is needed to achieve the wholehearted support of the public for “big data” projects, the report says that existing legislation needs to be strengthened to make misuse a criminal offence, whether or not such misuse causes demonstrable harm to individuals. At present the Data Protection Act provides grounds for an action under civil but not criminal law.The report says that current data projects have the potential to generate new knowledge, improve medical practice, increase service efficiency, and drive innovation. These projects include …

Wayne Bradford,John F Hurdle,Bernie LaSalle,Julio C Facelli

DOI: https://doi.org/10.1136/amiajnl-2013-001769

Abstract:High-performance computing centers (HPC) traditionally have far less restrictive privacy management policies than those encountered in healthcare. We show how an HPC can be re-engineered to accommodate clinical data while retaining its utility in computationally intensive tasks such as data mining, machine learning, and statistics. We also discuss deploying protected virtual machines. A critical planning step was to engage the university's information security operations and the information security and privacy office. Access to the environment requires a double authentication mechanism. The first level of authentication requires access to the university's virtual private network and the second requires that the users be listed in the HPC network information service directory. The physical hardware resides in a data center with controlled room access. All employees of the HPC and its users take the university's local Health Insurance Portability and Accountability Act training series. In the first 3 years, researcher count has increased from 6 to 58.

C Ilioudis,G Pangalos

DOI: https://doi.org/10.2196/jmir.3.2.e14

Abstract:Background: The Internet provides many advantages when used for interaction and data sharing among health care providers, patients, and researchers. However, the advantages provided by the Internet come with a significantly greater element of risk to the confidentiality, integrity, and availability of information. It is therefore essential that Health Care Establishments processing and exchanging medical data use an appropriate security policy. Objective: To develop a High Level Security Policy for the processing of medical data and their transmission through the Internet, which is a set of high-level statements intended to guide Health Care Establishment personnel who process and manage sensitive health care information. Methods: We developed the policy based on a detailed study of the existing framework in the EU countries, USA, and Canada, and on consultations with users in the context of the Intranet Health Clinic project. More specifically, this paper has taken into account the major directives, technical reports, law, and recommendations that are related to the protection of individuals with regard to the processing of personal data, and the protection of privacy and medical data on the Internet. Results: We present a High Level Security Policy for Health Care Establishments, which includes a set of 7 principles and 45 guidelines detailed in this paper. The proposed principles and guidelines have been made as generic and open to specific implementations as possible, to provide for maximum flexibility and adaptability to local environments. The High Level Security Policy establishes the basic security requirements that must be addressed to use the Internet to safely transmit patient and other sensitive health care information. Conclusions: The High Level Security Policy is primarily intended for large Health Care Establishments in Europe, USA, and Canada. It is clear however that the general framework presented here can only serve as reference material for developing an appropriate High Level Security Policy in a specific implementation environment. When implemented in specific environments, these principles and guidelines must also be complemented by measures, which are more specific. Even when a High Level Security Policy already exists in an institution, it is advisable that the management of the Health Care Establishment periodically revisits it to see whether it should be modified or augmented.

M Jackson

DOI: https://doi.org/10.1071/ah970001

Abstract:The Commonwealth Government and a number of State governments are proposing to introduce legislation based on the Information Privacy Principles contained in the Privacy Act 1988 (Cwlth). This will allow individuals access to any personal information held on them by an organisation or person, including private practitioners, private health facilities and State government agencies. This article discusses this proposed legislation and its implications for the health sector. Although in the public health area patients can already gain access to their medical records through the use of the various Freedom of Information Acts and, in the case of Commonwealth government agencies, the Privacy Act 1988 (Cwlth), the proposed data protection legislation will provide more than access rights to individuals. The effect of the proposed legislation on the private sector, where no obligation exists on the part of the doctor to grant a patient access to his or her records, will be substantial.

Steve G Langer

DOI: https://doi.org/10.1007/s10278-016-9913-x

Abstract:In 1999-2003, SIIM (then SCAR) sponsored the creation of several special topic Primers, one of which was concerned with computer security. About the same time, a multi-society collaboration authored an ACR Guideline with a similar plot; the latter has recently been updated. The motivation for these efforts was the launch of Health Information Portability and Accountability Act (HIPAA). That legislation directed care providers to enable the portability of patient medical records across authorized medical centers, while simultaneously protecting patient confidentiality among unauthorized agents. These policy requirements resulted in the creation of numerous technical solutions which the above documents described. While the mathematical concepts and algorithms in those papers are as valid today as they were then, recent increases in the complexity of computer criminal applications (and defensive countermeasures) and the pervasiveness of Internet connected devices have raised the bar. This work examines how a medical center can adapt to these evolving threats.

Nigel Hawkes

DOI: https://doi.org/10.1136/bmj.i1414

2016-01-01

BMJ

Abstract:Most people are willing to have their health records used by commercial organisations, as long as there is a clear public benefit and it is not solely for private profit. The conclusions emerged from one of the most detailed studies yet into what the public thinks about the use of its data by commercial organisations.1 The Wellcome Trust commissioned Ipsos MORI to carry out the research, which included workshops and a poll of 2000 people. The aim was to inform and influence a review being carried out for the health secretary for England, Jeremy Hunt, by Fiona Caldicott, the national data guardian. The Caldicott review, which is expected to be published soon, will include …

Hansen, D.P.,Pang, C.,Maeder, A.

DOI: https://doi.org/10.1109/ICMLC.2005.1527926

2005-01-01

Abstract:Health systems around the world are moving to integrate health data sources to improve the efficiency of their services through data sharing. However, major technical and legal questions exist concerning data integration, data quality, data security and privacy in health data usage. In this paper, we discuss the Health Data Integration™ (HDI™) solution currently being developed at the e-Health Research Centre. Firstly we describe the architecture of HDI™ and how it performs the tasks of knowledge based me dical system . We then consider two of its core capabilities (1) privacy-preserving similarity linkage, and (2) on-line analytical techniques and report generator component. The e-Health Research Centre is currently working with the Queensland Health department to deploy the software in practice.

Macey L Murray,Laura Sato,Jaspal Panesar,Sharon B Love,Rebecca Lee,James R Carpenter,Marion Mafham,Mahesh KB Parmar,Heather Pinches,Matthew R Sydes

DOI: https://doi.org/10.1177/14604582241276969

2024-09-20

Health Informatics Journal

Abstract:Health Informatics Journal, Volume 30, Issue 3, July-September 2024. Introduction/aims: Healthcare systems data (also known as real-world or routinely collected health data) could transform the conduct of clinical trials. Demonstrating integrity and provenance of these data is critical for clinical trials, to enable their use where appropriate and avoid duplication using scarce trial resources. Building on previous work, this proof-of-concept study used a data intelligence tool, the "Central Metastore," to provide metadata and lineage information of nationally held data. Methods: The feasibility of NHS England's Central Metastore to capture detailed records of the origins, processes, and methods that produce four datasets was assessed. These were England's Hospital Episode Statistics (Admitted Patient Care, Outpatients, Critical Care) and the Civil Registration of Deaths (England and Wales). The process comprised: information gathering; information ingestion using the tool; and auto-generation of lineage diagrams/content to show data integrity. A guidance document to standardise this process was developed. Results/Discussion: The tool can ingest, store and display data provenance in sufficient detail to support trust and transparency in using these datasets for trials. The slowest step was information gathering from multiple sources, so consistency in record-keeping is essential.

health care sciences & services,medical informatics

Ingrid Ann Whiteman

DOI: https://doi.org/10.1177/1477750915591293

2015-06-17

Clinical Ethics

Abstract:It is reasonable to consider and trust that information taken from us about our medical health and history will be protected by rules on confidentiality and consent. Apart from very rare cases, perhaps of major public interest or for public health reasons, this information will not be shared with others without our consent. However, both a number of reforms in National Health Service patient data management policy (now enshrined in legislation) and developments in the general law on privacy challenge this traditional view of our control and choice over our medical information, as this article will show. In doing so, it analyses the question as to whether in spite of the rhetoric do any of us now really have choice over the access to and use of our medical data? In reality, our choices are limited and in any relationship of trust and shared decision making this ought to be transparent.

Denis Horgan,Marian Hajduch,Marilena Vrana,Jeannette Soderberg,Nigel Hughes,Muhammad Imran Omar,Jonathan A. Lal,Marta Kozaric,Fidelia Cascini,Verena Thaler,Oriol Solà-Morales,Mário Romão,Frédéric Destrebecq,Edith Sky Gross

DOI: https://doi.org/10.3390/healthcare10091629

2022-08-27

Health Care

Abstract:The May 2022 proposal from the European commission for a 'European health data space' envisages advantages for health from exploiting the growing mass of health data in Europe. However, key stakeholders have identified aspects that demand clarification to ensure success. Data will need to be freed from traditional silos to flow more easily and to cross artificial borders. Wide engagement will be necessary among healthcare professionals, researchers, and the patients and citizens that stand to gain the most but whose trust must be won if they are to allow use or transfer of their data. This paper aims to alert the wider scientific community to the impact the ongoing discussions among lawmakers will have. Based on the literature and the consensus findings of an expert multistakeholder panel organised by the European Alliance for Personalised Medicine (EAPM) in June 2022, it highlights the key issues at the intersection of science and policy, and the potential implications for health research for years, perhaps decades, to come.

health care sciences & services,health policy & services

Mohammad Al-Ubaydli

DOI: https://doi.org/10.1136/bmj.q1753

2024-08-18

BMJ

Abstract:Coulter and colleagues call for patients to have access to their medical records.1 Patients Know Best's software is the only one releasing hospital test results into England's NHS App (and soon the NHS Wales App). Every month, we release 20 million test results from hospitals, covering 25% of the UK.Most of our patients see their results immediately, often before their doctor knows they're back. This contrasts with England's general practitioners, who release data at their discretion. We work with each hospital to identify results that require a delay, such as biopsy results, radiology reports, and HIV diagnoses, which are automatically released after a set period. If a patient has cancer, and their doctor hasn't informed them after four weeks, our software will notify them.GPs' upcoming industrial action includes restricting access to medical records. Many GPs recently shut down the ability of other providers to write into the record using GP...

medicine, general & internal

M J Mourby

DOI: https://doi.org/10.23889/ijpds.v5i4.1402

2021-04-07

Abstract:The UK government announced in March 2020 that it would create an NHS Covid-19 'Data Store' from information routinely collected as part of the health service. This 'Store' would use a number of sources of population data to provide a 'single source of truth' about the spread of the coronavirus in England. The initiative illustrates the difficulty of relying on automated processing when making healthcare decisions under the General Data Protection Regulation (GDPR). The end-product of the store, a number of 'dashboards' for decision-makers, was intended to include models and simulations developed through artificial intelligence. Decisions made on the basis of these dashboards would be significant, even (it was suggested) to the point of diverting patients and critical resources between hospitals based on their predictions. How these models will be developed, and externally validated, remains unclear. This is an issue if they are intended to be used for decisions which will affect patients so directly and acutely. We have (by default) a right under the GDPR not to be subject to significant decisions based solely on automated decision-making. It is not obvious, at present, whether resource allocation within the NHS could take place in reliance on this automated modelling. The recent A Level debacle illustrates, in the context of education, the risks of basing life-changing decisions on the national application of a single equation. It is worth considering the potential consequences for the health service if the NHS Data Store is used for resource planning as part of the Covid-19 response.

Brian Kennedy

DOI: https://doi.org/10.1136/bmj.q2475

2024-11-09

BMJ

Abstract:Access to the UK's rich and vast banks of health data should be streamlined and simplified, to capitalise on the unique opportunity it offers to boost biomedical research and improve lives, a major review has recommended.The independent review led by neurologist Cathie Sudlow was commissioned by England's chief medical officer to examine how to overcome barriers and inefficiencies in the secure use of health data across the four UK nations, with a focus on England.1The UK has one of the world's largest and deepest health databases that stretches back decades. The report points out that, besides being used for patient care, the data are also used to support the delivery of equitable health and care, as well as research and innovation.Data relevant to health also come from sources beyond the NHS. The review argues that, to fulfil the potential of health data to improve lives, governments should collate data on...

medicine, general & internal

John Gardner,Daniel Herron,Nick McNally,Bryan Williams

DOI: https://doi.org/10.1177/20552076231186513

2023-07-12

Abstract:Objective: Healthcare systems require transformation to meet societal challenges and projected health demands. Digital and computational tools and approaches are fundamental to this transformation, and hospitals have a key role to play in their development and implementation. This paper reports on a study with the objective of exploring the challenges encountered by hospital leaders and innovators as they implement a strategy to become a data-driven hospital organisation. In doing so, this paper provides guidance to future leaders and innovators seeking to build computational and digital capabilities in complex clinical settings. Methods: Interviews were undertaken with 42 participants associated with a large public hospital organisation within England's National Health Service. Using the concept of institutional readiness as an analytical framework, the paper explores participants' perspectives on the organisation's capacity to support the development of, and benefit from, digital and computational approaches. Results: Participants' accounts reveal a range of specific institutional readiness criteria relating to organisational vision, technical capability, organisational agility, and talent and skills that, when met, enhance the organisations' capacity to support the development and implementation of digital and computational tools. Participant accounts also reveal challenges relating to these criteria, such as unrealistic expectations and the necessary prioritisation of clinical work in resource-constrained settings. Conclusions: The paper identifies a general set of institutional readiness criteria that can guide future hospital leaders and innovators aiming to improve their organisation's digital and computational capability. The paper also illustrates the challenges of pursuing digital and computational innovation in resource-constrained hospital environments.

Amy Barnett,Michelle Winning,Stephen Canaris,Michael Cleary,Andrew Staib,Clair Sullivan

DOI: https://doi.org/10.1071/AH18125

Abstract:The Australian Commission for Safety and Quality in Health Care has created the National Safety and Quality Health Service standards that all hospitals must address in order to remain accredited. This case study details the first known digitisation of the 10 national quality and safety standards mandated in a quaternary integrated digital hospital. A team of clinical informaticians, information technology experts and clinicians was assembled. Data were chosen and the data were then extracted and validated and presented (often in near real time) in an easily consumable dashboard format with appropriate governance to allow clinicians and executives to monitor the quality and safety standards across the hospital. All 10 standards were defined and extracted contemporaneously from the digital hospital for every patient, every time. This is in stark contrast with traditional retrospective point prevalence surveys. This case study details the first known fully digital accreditation in a sophisticated integrated digital hospital. Digitisation of hospital quality and safety to produce real-time data is the future of clinical redesign to improve patient care.

Nigel Hawkes

DOI: https://doi.org/10.1136/bmj.g211

2014-01-01

BMJ

Abstract:Eight UK medical research organisations have launched a campaign promoting the use of anonymised medical records to improve healthcare. They fear that a new leaflet from NHS England, which details plans to access patients’ data, will alarm some people and cause them to opt out, potentially damaging the usefulness of the database. The original plan had been to begin extracting patients’ data from GPs in autumn last year, but this was pushed back to March 2014 after GPs complained they had not been given enough time to inform patients of their right to opt out. NHS England agreed to launch a national awareness campaign to ensure that nobody could claim that …

Sophia Amjad,Rachael Williams,Rachael Brannan,Tariq Malik,Janet Valentine

DOI: https://doi.org/10.23889/ijpds.v1i1.332

2017-04-19

International Journal of Population Data Science

Abstract:ABSTRACTObjectivesTo enhance the research value and capability of its primary care database, the Clinical Practice Research Datalink (CPRD) has collaborated with Public Health England (PHE)’s National Cancer Registration and Analysis Service to facilitate access to linked cancer registration data for use in research, pharmacovigilance, drug monitoring and health outcomes analysis. Since 2009, access to this linked resource has been co-managed by CPRD and PHE, through two parallel, independent approvals processes: (a) the MHRA Independent Scientific Advisory Committee (ISAC) and (b) the PHE Office for Data Release (ODR). In upholding the Office for Life Science Ministerial Industry Strategy Group (Health Data Programme)’s vision to minimise process barriers to accessing real world data, CPRD and PHE have worked together to unify and streamline these two processes into a single end-to-end application and approval process. ApproachEach organisation reviewed each other’s approval processes to achieve an improved mutual understanding of the respective organisation’s governance approach, the risk based assessments applied to disclosure risk, risk appetites and policies, with the goal to harmonise these into a single approval process. ResultsCPRD and PHE are finalising a contract establishing a clear operating framework allowing CPRD to grant approval to researchers for the use of linked cancer registry data. The contract names CPRD as a joint data controller and sets out the purposes for processing, the manner of processing and the means by which joint data controller responsibilities will be satisfied. An associated service level agreement is in discussion which will enable robust timelines and performance management for both organisations. These developments are important milestones towards achieving the single approval process by allowing CPRD to review applications for cancer registry data in-house, simultaneously to the ISAC review. ConclusionThe strong relationship built between CPRD and PHE, and willingness to develop a single application and approval process, will strengthen and streamline access to these data, whilst assuring patients and the public that scientific integrity is maintained and proportionate information governance checks are in place. Upon completion of this work, applicants will experience associated faster review and feedback time, ultimately leading to faster approvals. Researchers wishing to utilise these linked data will soon be able to submit one application to ISAC, have one point of contact and one approval.

Frank J Manion,Robert J Robbins,William A Weems,Rebecca S Crowley

DOI: https://doi.org/10.1186/1472-6947-9-31

2009-06-15

Abstract:Background: Data protection is important for all information systems that deal with human-subjects data. Grid-based systems--such as the cancer Biomedical Informatics Grid (caBIG)--seek to develop new mechanisms to facilitate real-time federation of cancer-relevant data sources, including sources protected under a variety of regulatory laws, such as HIPAA and 21CFR11. These systems embody new models for data sharing, and hence pose new challenges to the regulatory community, and to those who would develop or adopt them. These challenges must be understood by both systems developers and system adopters. In this paper, we describe our work collecting policy statements, expectations, and requirements from regulatory decision makers at academic cancer centers in the United States. We use these statements to examine fundamental assumptions regarding data sharing using data federations and grid computing. Methods: An interview-based study of key stakeholders from a sample of US cancer centers. Interviews were structured, and used an instrument that was developed for the purpose of this study. The instrument included a set of problem scenarios--difficult policy situations that were derived during a full-day discussion of potentially problematic issues by a set of project participants with diverse expertise. Each problem scenario included a set of open-ended questions that were designed to elucidate stakeholder opinions and concerns. Interviews were transcribed verbatim and used for both qualitative and quantitative analysis. For quantitative analysis, data was aggregated at the individual or institutional unit of analysis, depending on the specific interview question. Results: Thirty-one (31) individuals at six cancer centers were contacted to participate. Twenty-four out of thirty-one (24/31) individuals responded to our request- yielding a total response rate of 77%. Respondents included IRB directors and policy-makers, privacy and security officers, directors of offices of research, information security officers and university legal counsel. Nineteen total interviews were conducted over a period of 16 weeks. Respondents provided answers for all four scenarios (a total of 87 questions). Results were grouped by broad themes, including among others: governance, legal and financial issues, partnership agreements, de-identification, institutional technical infrastructure for security and privacy protection, training, risk management, auditing, IRB issues, and patient/subject consent. Conclusion: The findings suggest that with additional work, large scale federated sharing of data within a regulated environment is possible. A key challenge is developing suitable models for authentication and authorization practices within a federated environment. Authentication--the recognition and validation of a person's identity--is in fact a global property of such systems, while authorization - the permission to access data or resources--mimics data sharing agreements in being best served at a local level. Nine specific recommendations result from the work and are discussed in detail. These include: (1) the necessity to construct separate legal or corporate entities for governance of federated sharing initiatives on this scale; (2) consensus on the treatment of foreign and commercial partnerships; (3) the development of risk models and risk management processes; (4) development of technical infrastructure to support the credentialing process associated with research including human subjects; (5) exploring the feasibility of developing large-scale, federated honest broker approaches; (6) the development of suitable, federated identity provisioning processes to support federated authentication and authorization; (7) community development of requisite HIPAA and research ethics training modules by federation members; (8) the recognition of the need for central auditing requirements and authority, and; (9) use of two-protocol data exchange models where possible in the federation.

Alexis Paton

DOI: https://doi.org/10.3399/bjgp24x740049

2024-11-29

British Journal of General Practice

Abstract:I bet you're reading this on your phone, right? Maybe on the train or waiting for the kettle to boil. Some of you, go on, admit it, are reading this in the loo. OK, so it might not be a phone, but it will likely be some kind of tech: tablet, Kindle, maybe a computer. For many people, our tech is the gateway into the digital world that we use every single day, practically every minute that we are awake. Against this backdrop, the announcement of a digital patient passport, that carries our medical record with us, makes sense. It may even seem to be so obvious that it's odd the NHS hasn't done it yet. On the day of the announcement I told Wes Streeting, our Secretary of State for Health and Social Care, that I welcome his goal of more easily accessible medical records across trusts and for patients. But, before I could endorse it, I needed to know the answer to an important question: for their latest foray into the shift from analogue to digital, just who were the Government including in the consultation and how were they going to consult with them? I ask, because not everyone has a smart phone. Not everyone has a tablet or computer. Heck, lots of people in the UK don't even have regular access to the internet1,2 — and it's not just patients. Some NHS trusts have such aged, broken down digital infrastructure that a fax machine remains a primary form of communication.3 But, seeing as the Government is hellbent on moving to a fully digitised system, let's talk a minute about ...

medicine, general & internal,primary health care