With the advent of the Care Act, Richard Walsh looks for solutions to the ever-controversial issue of data sharing.
Insurers’ access to and their use of confidential medical information will always be controversial, whether it is medical records of individual patients or aggregated data collected by NHS bodies.
Nevertheless, insurers have a legal requirement under the Equality Act to discriminate on grounds of disability only when they can show that such discrimination is evidence based and reasonable. This tricky balance has been shifted recently by two new developments.
In May, the Care Act was passed. The new law means that a person’s data can be shared and analysed only when there is a benefit to healthcare, and that all uses will be scrutinised by an independent statutory body. In addition, there will now be a legal basis for people to stop their data being shared if they wish to.
The second development, in June, was the publication of the Partridge review on data released by the NHS Information Centre (NHS IC) from 2005 to 2013. Its role was to collect and manage health records data, which included sharing it with third parties under data sharing agreements that restricted its use.
The review discovered lapses in the arrangements that were supposed to be in place to ensure that people’s personal data would never be used improperly.
The NHS IC should have imposed restrictions on what information can and cannot be used for, how it must be stored securely and how it must eventually be destroyed. Some of the data provided under data sharing agreements was not fully anonymised.
The process of data sharing now has added importance because of plans to upload information from patients’ GP records to a national database known as the care.data programme.
The review found there were 3,059 releases of data of which 588 were to private sector organisations. There were four data-sharing agreements made by the NHS IC with three re-insurance companies (Pacific Life, RGA and ScoR).
The agreements allowed these re-insurers to continue to use the data until the agreements expired, but the HSCIC has not released any new data to these companies and has asked them to delete the data they hold.
Data was also released to the Institute of Actuaries CI Working Party, BUPA, the Foresters Friendly Society and Scottish Re. All of the data fell into one category: hospital episode statistics (HES).
Since 1 April 2005, just under one-third (529) of HES data releases were made to private sector organisations, including pharmaceutical companies and consultancies.
So what next? Clearly a large number of private sector organisations will want some level of access to HES data and possibly access to GP data under the new care data scheme.
One way forward could be to work with HSCIC to ensure that any data released to the private sector is fully anonymised.
For insurers, so an independent body that is not subject to commercial interests, such as perhaps the Institute of Actuaries, holds the data. That way, data can be gathered as envisaged in the Equality Act.
Richard Walsh is a fellow of SAMI Consulting, www.samiconsulting.co.uk