Reading records raises red flags

Almost 80 Canterbury clinicians raised red flags for potentially prying on patient medical records in the two months after the birth of the country's first online health database.

The Canterbury District Health Board (CDHB) rolled out the electronic Shared Care Record View (eSCRV) system in September, which allows thousands of community nurses, GPs, pharmacists and hospital clinicians access to the medical records of the region's 400,000 enrolled patients.

The system has been hailed by the health sector as a revolutionary life-saver, but it also raises some prickly privacy questions as medical records are about as private as it gets.

In the first two months of eSCRV's implementation, at least 76 red flags highlighting possible inappropriate access of a patient's file were picked up by audits, according to figures obtained under the Official Information Act.

The CDHB is in the process of investigating all 76 "proximity indicators".

Of those investigated so far, all had been genuine and the health board was yet to find a nosy clinician, CDHB chief medical officer Nigel Millar said.

The remainder would be checked soon, he said.

The implementation of the new online system has forced the health sector to walk the tightrope between sharing clinical information to provide the best health care for patients, while protecting their privacy at the same time.

This balancing act has hit the headlines recently, with some major high-profile privacy breaches occurring in New Zealand in the past year.

In April, four South Island clinicians snooped on bashed cricket star Jesse Ryder's medical records and later that month, 33 Auckland Hospital staff were punished for peeking at an X-ray of a man who had an eel stuck up his bottom.

These two incidents were among the 20 privacy breaches dealt with by New Zealand's 20 district health boards in 2013, some of which resulted in medical staff being sacked. Since the birth of eSCRV, Christchurch is home to the country's most extensive electronic record pool, a system that is likely to be rolled out across the South Island soon.

Millar said the 76 red flags raised between September and November proved the audit system was robust.

To put the figure into perspective, in those same two months, more than 10,000 patient records would probably have been accessed so it was predicted that a number of proximity indicators would pop up, he said.

Every time a clinician accesses a patient's file when they are not directly or currently linked to their care they leave a digital fingerprint and an audit will automatically highlight it as a "proximity indicator".

GPs treating patients at different medical practices around the city were the root cause of the majority of the red flags, Millar said.

If a flag is raised by an audit, it is initially screened and then the health professional is sent a letter asking them to justify why they accessed the file.

The CDHB would be reviewing the eSCRV proximity criteria and refining its audit process "to make sure we are not annoying busy people by sending them letters asking them to explain things that are perfectly legitimate", Millar said.

The consequences for a health professional who inappropriately accesses eSCRV records range from removal of access rights to disciplinary action, health board chief executive David Meates said.

"The individual also risks further action by their professional governing body."

There are no CDHB staff currently facing disciplinary action over privacy breaches, but the health board has disciplined and dismissed staff for inappropriately accessing patient information in the past, he said.

Cantabrians can opt out of eSCRV by having part or all of their information removed from the online database by talking to their GP.

So far 250 people have chosen to opt out of the system.

The Press