Monday, 1 February 2016

Liverpool Care Pathway - No Confidence In Confidentiality

A Prometheus unchained or the State unrestrained?
And does Pandora let mischief reign...?

Dot Data ‘safe havens’: Impregnable fortresses or sitting targets?

They are acronymised as DaSH (Data Safe Haven) and ASH (Accredited Safe Haven) but is it just so much hash?

This is A Charter for Safe Havens in Scotland  
This charter sets out the agreed principles and standards for the routine operation of Safe Havens in Scotland where data from electronic National Health Service (NHS) patient records can be processed, linked with other data and analysed to support research when it is not practicable to obtain individual patient consent while protecting patient identity and privacy. It also describes, at a high level, how Safe Havens will work together across Scotland on collaborative research projects as part of a federated network.
“Not practicable to obtain individual patient consent.”

Positive liberties; negative rights.

Again and again, it is underlined that this is the world as it now is...

Consent is being assumed.

Data is coded and uploaded but data is just that: Data.

Actual data entry may be subject to error. Data also has context, and context is neither coded nor codable, neither uploaded nor uploadable.

The GP with access to the patient and the patient record has context. Data uploaded is data out of context with no patient reference point.

Doctors do actually use flow charts in diagnostic procedure. The fallibility of the flow chart is that, like the machine, it is a linear, yes-no thought process with no 'but'. In getting the machine to think like the human, humans are beginning to think like machines.

Actual medical misdiagnosis is not uncommon. This, too, will enter the data record...
“Diagnostic error is barely on anybody’s radar screen,” said Dr. Mark Graber, 62, a nephrologist in Long Island, N.Y., and an expert on diagnostic errors. The “To Err” report estimated that at least 44,000 and as many as 98,000 Americans die each year from all types of medical errors. More recent studies indicate there has been little progress since 1999, with as many as one in three or one in four hospitalized patients being harmed in some way by medical errors.

The statistics indicate as many as 9 million patients nationwide and between 400,000 and 528,000 patients in Illinois are harmed each year. According to Graber and other researchers, deaths and serious harm associated with diagnostic errors are uncommon even though an estimated 5 percent to 15 percent of medical diagnoses are incorrect. But for those harmed, Graber said the impact can be devastating.
BMJ Quality & Safety
This is The Big Questions 
Jackie Leotardi - 

We, we would argue that, of course, there’s a case for high quality palliative care in hospitals and in the home but, when that’s rolled out indiscriminately in the NHS, it becomes very, very dangerous. My father was admitted to hospital on a Friday evening, parked on a ward all weekend. We begged them to do a CT scan. They kept saying, oh, we’ll have to see, we’ll have to see, we’ll have to see. We got the consultant brought down to his bed; she still refused to do a CT scan. On the Tuesday morning, they called us in. Oh, it’s too late now, he’s too poorly. We were given a definitive diagnosis of perforation. We said, how can you say that based on inconclusive x-rays? Oh, we’re sure it’s a perforation. He was put on the Liverpool Care Pathway and died. At the post mortem, it was found that he actually had a pulmonary embolism.

Nicky Campbell –

It was a misdiagnosis.

Jackie Leotardi - 

Yes. It was a total misdiagnosis. The reason we’re here is because elderly care in the NHS is appalling.

There is fallibility in Dot Data.

There is also risk...

What is a Safe Haven?

According to the HSCIC on its FAQs page 

What is an Accredited Safe Haven (ASH)?

An ASH is an accredited organisation, or a designated part of an organisation, which is contractually and legally bound to process data in ways that prevent the identity of individuals to whom the data relates from being identified.

Whilst all organisations may lawfully process data that has been anonymised through aggregation or robust pseudonymisation techniques for legitimate purposes, an ASH may process data that is only weakly pseudonymised where the data has the potential to readily identify individuals outside of the ASH environment. This data may contain a single “identifying” data item such as the NHS Number or a postcode that do not directly identify individuals but which, without the controls that apply to an ASH, render the data identifiable.

Fundamental to this, is that ASHs do not have access to other data such as that provided by the Personal Demographics Service to be able to look up the identity of individuals. The data may continue to be personal data even within an ASH but the common law duty of confidentiality is not breached by the ASH processing data in this form under the ASH controls to prevent re-identification and inappropriate use.

An ASH may process data that is only weakly pseudonymised. This data may contain a single “identifying” data item such as the NHS Number or a postcode that, without the controls that apply to an ASH, render the data identifiable.
What does this mean for patient identifiable data?

The HSCIC Data Service for Commissioners will be able to process personal confidential data for specific purposes but will not be able to pass on personal confidential data to other bodies without a lawful basis. Such a lawful basis could be: where the data is for the purposes of direct patient care; where consent has been gained; or, where section 251 support for the relevant purposes and data flow is in place.
HSCIC
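The FAQ's distinction between "robust" and "weak" pseudonymisation is the whole security argument for the ASH controls, so here is an added worked example of what that single residual item does. This is not HSCIC's code and is not drawn from any NHS system: every record, postcode, name and the HMAC key below are constructed for illustration. A study ID has replaced the NHS number, yet a join on full postcode, birth year and sex against any demographics table the holder can obtain (the PDS-style lookup the FAQ says an ASH must not have, or simply a bought marketing list) re-identifies most rows. The same functions then show the two controls that make the extract "robustly" pseudonymised for release outside the ASH: a keyed hash of the NHS number, and generalisation of the quasi-identifiers so that every row matches several people.

```python
import hmac
import hashlib
from collections import defaultdict

# All data below is constructed for illustration: no real patients, postcodes
# chosen arbitrarily, and no connection to any NHS extract or lookup service.

# A "weakly pseudonymised" research extract: the NHS number has been replaced
# by a study ID, but full postcode, birth year and sex survive as quasi-identifiers.
WEAK_EXTRACT = [
    {"study_id": "S001", "postcode": "SW1A 1AA", "birth_year": 1941, "sex": "F", "diagnosis": "C34"},
    {"study_id": "S002", "postcode": "L1 8JQ",   "birth_year": 1952, "sex": "M", "diagnosis": "I26"},
    {"study_id": "S003", "postcode": "L1 8JQ",   "birth_year": 1952, "sex": "F", "diagnosis": "K63"},
    {"study_id": "S004", "postcode": "G1 1XQ",   "birth_year": 1978, "sex": "M", "diagnosis": "J45"},
]

# A demographics table of the kind an ASH must NOT hold (a stand-in for a
# PDS-style lookup, an electoral roll or a marketing list).
DEMOGRAPHICS = [
    {"name": "A. Smith", "postcode": "SW1A 1AA", "birth_year": 1941, "sex": "F"},
    {"name": "F. Brown", "postcode": "SW1A 2AA", "birth_year": 1945, "sex": "F"},
    {"name": "B. Jones", "postcode": "L1 8JQ",   "birth_year": 1952, "sex": "M"},
    {"name": "G. Hill",  "postcode": "L1 9XX",   "birth_year": 1957, "sex": "M"},
    {"name": "C. Evans", "postcode": "L1 8JQ",   "birth_year": 1952, "sex": "F"},
    {"name": "H. Reed",  "postcode": "L1 0AB",   "birth_year": 1950, "sex": "F"},
    {"name": "D. Khan",  "postcode": "G1 1XQ",   "birth_year": 1978, "sex": "M"},
    {"name": "E. Khan",  "postcode": "G1 1XQ",   "birth_year": 1978, "sex": "M"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def link(extract, demographics, keys=QUASI_IDENTIFIERS):
    """Join extract rows to the demographics table on the quasi-identifiers.

    Returns {study_id: [names]}. A list of length one is a re-identification;
    a longer list is the attacker's remaining uncertainty (the k of k-anonymity).
    """
    index = defaultdict(list)
    for person in demographics:
        index[tuple(person[k] for k in keys)].append(person["name"])
    return {row["study_id"]: index.get(tuple(row[k] for k in keys), [])
            for row in extract}


def reidentified(extract, demographics, keys=QUASI_IDENTIFIERS):
    """Study IDs that link to exactly one person in the demographics table."""
    return sorted(sid for sid, names in link(extract, demographics, keys).items()
                  if len(names) == 1)


def pseudonymise_nhs_number(nhs_number: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) of an NHS number.

    A plain, unkeyed hash is no protection: the NHS number space is only ten
    digits, so anyone can hash every candidate and look a pseudonym up. With a
    secret key that stays inside the safe haven, a recipient without the key can
    neither recompute the pseudonym for a known NHS number nor reverse it.
    """
    return hmac.new(key, nhs_number.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def generalise(row):
    """Coarsen the quasi-identifiers: outward postcode only, ten-year birth band."""
    out = dict(row)
    out["postcode"] = row["postcode"].split()[0]
    out["birth_year"] = (row["birth_year"] // 10) * 10
    return out


def robust_extract(extract):
    """The extract as it should leave the ASH: generalised quasi-identifiers."""
    return [generalise(r) for r in extract]


if __name__ == "__main__":
    print("weak extract, uniquely linked:  ", reidentified(WEAK_EXTRACT, DEMOGRAPHICS))
    # The attacker can coarsen their own table the same way and still gets nothing unique.
    print("robust extract, uniquely linked:",
          reidentified(robust_extract(WEAK_EXTRACT), [generalise(p) for p in DEMOGRAPHICS]))
    print("pseudonym:", pseudonymise_nhs_number("9990000018", b"constructed-key-kept-in-the-ASH"))
```

The weak run links three of the four study IDs to a single name; only S004, which shares its postcode, birth year and sex with two people, survives. After generalisation every row matches two candidates, even when the attacker coarsens their own table to match. The lesson is not that generalisation is magic (with enough columns a rare diagnosis or an unusual birth band is still a fingerprint) but that the FAQ's "single identifying data item" is exactly the column a join runs on: remove the ASH controls and that column does the re-identification for you. The HMAC key is the other control; whoever holds it can rebuild the NHS-number-to-pseudonym mapping, so it must never travel with the data.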
What is section 251?
Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
HRA (Health Research Authority)
Section 251 of the NHS Act 2006 permits the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes.

The Regulations that enable this power are called the Health Service (Control of Patient Information) Regulations 2002. Any reference to ‘section 251 support or approval’ actually refers to approval given under the authority of the Regulations.

The HRA took on responsibility for Section 251 in April 2013, establishing the Confidentiality Advisory Group (CAG) function.

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.

“Not practicable to obtain individual patient consent.”

Positive liberties; negative rights.

Although Section 251 approval can temporarily set aside the common law duty of confidentiality, compliance with the Data Protection Act (1998) must still be maintained and data must still be fairly collected – i.e. individuals have a right to know who holds information about them and why.

The Health and Social Care Act 2012 axed the Primary Care Trusts and neglected to pass on key data handling responsibilities to the new commissioning bodies.

Initially, the newly formed CCGs were in a state of chaos, no-one knowing who or which was what. That was our experience in attempting to chase a matter of concern for a client.

There was no longer a legal basis for the flow of information. NHS England applied to the CAG for a section 251 exemption.

Needs must and needs must and the legal genie comes round with new laws for old, new laws for old.

Laws are not always used as, perhaps, they were intended...

See -
Liverpool Care Pathway - By Intrusion And By Stealth
...Or even acted upon at all.

Last year we were attempting to address numerous issues at our little project...

See -
Liverpool Care Pathway - Litigating The Litigants

We are an HMO by definition. However, we were told by those who should know - the local council - that we are not legally an HMO because we are social landlords.

It was left to us to dig into the legislation and we now have agreement that, while as social landlords we are not licensable as an HMO, the management regulations pertaining to HMOs still apply. We may use the regulations to address the issues.

The council have confirmed this to be the case but have told us, in confidence, that their only resort under the legislation would be to seek conviction and that it is highly unlikely that they would act to seek a conviction.

Catch 22, Catch 22 and mate.

The more they legislate, the more they need to legislate to paper over the cracks. This is rather a mirror image of Microsoft Windows.

The Care Act 2014 amended the Control of Patient Information Regulations 2002.

Specifically, concerning Regulations 5 and 6, these amendments may be seen as an additional 'patch' to provide for transfer of patient information to CCGs and empower the HRA -
General 
5. Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved— 
(a) in the case of medical research, by both the Secretary of State and a research ethics committee, and 
(b) in any other case, by the Secretary of State
Became...
Approval for processing information 
5.
(1) Subject to regulation 7, confidential patient information may be processed for medical purposes in the circumstances set out in the Schedule to these Regulations provided that the processing has been approved—
(a) in the case of medical research, by the Health Research Authority, and
(b) in any other case, by the Secretary of State.
(2) The Health Research Authority may not give an approval under paragraph (1)(a) unless a research ethics committee has approved the medical research concerned. 
(3) The Health Research Authority shall put in place and operate a system for reviewing decisions it makes under paragraph (1)(a).


Even so, the existing Regulation 5 could have provided for passing on of data handling responsibilities to CCGs by the Secretary of State who may permit...
...the transfer of confidential patient information between bodies or persons who may determine the purposes for which, and the manner in which, the information may be processed
[Regulation 6]
The Care Act 2014 paves the way toward 'joined-up services' and an integrated NHS as Health takes over Social Care. See -
Liverpool Care Pathway - Transformation
The Regulation 6 amendments provide similar empowerment to the HRA in regard to Registration to record such transfers of information and their purpose and, "in such manner and to such extent as it considers appropriate, publish entries it records in the register".

The HRA has power to determine and approve the standing of the research ethics committee and to decide whether any transfer of patient data recorded in the register is published. Furthermore -
(3) The Health Research Authority shall retain the particulars of each entry it records in the register, and the Secretary of State shall retain the particulars of each entry he records in the register, for so long as confidential patient information may be processed under the approval to which the entry relates and for not less than 12 months after the termination of that approval.
The particulars of such a transfer of patient data need only be kept for twelve months after the approval ends; after that they may be destroyed and lost to the public record.

There is much left to trust where those in whom we have invested our trust have shown themselves, time and again, not to be worthy.
Registration
6.—(1) Where an approval granted by the Health Research Authority or the Secretary of State under regulation 5 permits the transfer of confidential patient information between bodies or persons who may determine the purposes for which, and the manner in which, the information may be processed, it or he shall record in a register the name and address of the bodies or persons to whom that information may be transferred together with the particulars specified in paragraph (2). 
(2) The following particulars are specified for inclusion in each entry in the register—
(a) a description of the confidential patient information to which the approval relates;
(b) the medical purposes for which the information may be processed;
(c) the provisions in the Schedule to these Regulations under which the information may be processed; and
(d) such other particulars as the Health Research Authority or (as the case may be) the Secretary of State may consider appropriate to enter in the register. 
(3) The Health Research Authority shall retain the particulars of each entry it records in the register, and the Secretary of State shall retain the particulars of each entry he records in the register, for so long as confidential patient information may be processed under the approval to which the entry relates and for not less than 12 months after the termination of that approval. 
(4) The Health Research Authority shall, in such manner and to such extent as it considers appropriate, publish entries it records in the register; and the Secretary of State shall, in such manner and to such extent as he considers appropriate, publish entries he records in the register.
Risk: Data may be used and misused.

Risk: Data may not be secure...

Each impregnable fortress must communicate and data is only as secure as its lines of communication. Data is also outsourced for research purposes.

How secure is outsourced data? Can security be guaranteed? Security experts have called 2015 the "Year of the Healthcare Hack".

This is Phoenix Health Systems 

It is just over a year since the FBI issued a special warning to healthcare organizations that they should prepare for a strong increase in cyberattacks. Since then, in the wake of several new blockbuster HIPAA security breaches, 2015 has been coined as the “Year of the Healthcare Hack,” by concerned security experts hoping to add weight to the FBI warning. The latest security breach just announced by UCLA Health System — among the “most wired” health organizations in the USA — underscores just how much cyber danger faces healthcare. Here’s why….

It should come as no surprise that UCLA Health System has announced the fourth biggest HIPAA security breach ever. On Friday it notified 4.5 million patients across four hospitals that their protected health information and Social Security numbers had been compromised by hackers.

The healthcare industry’s painful cyberattack record thus far in 2015 includes the January hacker attack against Premera Blue Cross, which compromised the financial and medical data of 11 million members, and the Anthem cyberattack reported in February, when nearly 80 million members and employees were similarly affected. CareFirst announced a major hacking incident in May that exposed information of approximately 1.1 million consumers.
According to the US Department of Health there have been over 1,100 security breaches since 2009 involving the protected health data of nearly a third of the U.S. population — more than 120 million people —


Government data is not secure.

Here is CBS News 
The sensitive information of nearly 22 million Americans was stolen from the Office of Personnel Management (OPM), according to the latest investigation by federal officials.

The investigation concluded with "high confidence" that personal information, including the Social Security numbers of 21.5 million individuals, was stolen from the agency's background investigation databases.

The newest damage assessment by OPM is significantly larger than the initial reports in June, when federal agencies said the hacks compromised the records of as many as 18 million people. A separate but related hack discovered earlier this year compromised the personnel data of 4.2 million people -- a cyber crime that affected not only OPM but also records at Department of the Interior. About 3.6 million people were affected by both crimes.
This is Bloomberg News 

The Internal Revenue Service must answer in court for a data breach in which hackers gained access to personal identifying data belonging to at least 330,000 people.
Two Texas women sued the agency Thursday in Washington, complaining that “the U.S. government cannot be relied upon to keep the personal data of its citizens safe.”

The women, Becky Welborn of Dripping Springs and Wendy Windrich of Conroe, are seeking to represent anyone whose information was stolen after using the IRS “Get Transcript” service 
A major US health insurer has suffered a breach.

This is RTV6 
Hackers have stolen personal information from tens of millions of people with Anthem health insurance. The nation's second-largest health insurer, formerly known as WellPoint, said hackers stole Social Security numbers, names, birthdates, email addresses, employment details, incomes and street addresses of people who are currently covered or had coverage in the past.
The Anthem hack adds to massive data breaches at JPMorgan, Sony Pictures, Target and Home Depot in the past 18 months.
The nation’s second-largest health insurance company said its computers were hacked and the data of 80 million customers and employees may have been exposed.

Anthem Inc. said Wednesday that investigators were still determining the extent of the breach -- which was discovered last week -- but it was likely that "tens of millions" of records were stolen.

Anthem officials said both former and current customers and employees were impacted.

"Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of Anthem’s IT systems and have obtained personal information relating to consumers and Anthem employees who are currently covered, or who have received coverage in the past."

This is USA Today 

Excellus, an upstate New York health care company, says information for as many as 10 million of its clients nationwide may have been exposed in an attack dating back to 2013.

The cyber breach was first discovered on August 5, Excellus spokesman Kevin Kane said.

Criminal attacks on healthcare computer systems are up 125% since 2010 and are now the leading cause of data breaches, a study by the Ponemon Institute found in March.
This is The Hill 
Federal law enforcement sources told CNN that the site was infiltrated and personal data was stolen. Personal emails belonging to FBI Deputy Director Mark Giuliano and his wife were posted by a Twitter account that is believed to be connected to the Crackas With Attitude group.

FBI spokesperson Carol Cratty declined to comment to CNN about the specific claims. She said the agency “takes these matters very seriously” and will work with its partners to “identify and hold accountable those who engage in illegal activities in cyberspace."

Further reading -
Liverpool Care Pathway - AC/DC

Liverpool Care Pathway - A Data Bonanza

Liverpool Care Pathway - Threshing The Data
