UNAIDS and UK both issue draft confidentiality guidelines for patient record sharing

In lower- and middle-income countries, the scale-up of HIV testing and treatment is moving ahead at rapid speed. At the same time, information regarding individuals accessing testing, treatment and care is required for the management, monitoring and evaluation of HIV services. For this to happen as effectively as possible, information systems – which can be paper-based or electronic – must allow for relatively easy access to information. To ensure that patient confidentially is not compromised in the process, new guidelines have been released by UNAIDS.

The Interim Guidelines on Protecting the Confidentiality and Security of HIV Information were produced following a three-day workshop in May 2006 attended by health professionals and people living with HIV, and supported by UNAIDS and PEPFAR.

They provide guidance on how to balance greater data sharing with the malicious or inadvertent inappropriate release of individually identifiable data – which can have devastating consequences due to the adverse impact of HIV-related stigma and discrimination – and suggest appropriate policies, procedures, and technical methods for the sharing of sensitive data. The guidelines note that three interrelated concepts – privacy, confidentiality and security – play an equally important role in the development and implementation of these protections.

The guidelines’ main recommendations are:

• Using health data for public health goals must be balanced against individuals’ rights to privacy and confidentiality.
• Health data need to serve the improvement of health and reduction of harm for all people. Policies, procedures, and technical methods must be balanced to protect both.
• Individual and public rights must be balanced, and should be based on human rights principles.
• Within countries, privacy and confidentiality laws should be developed and put in place; relevant parameters of privacy or confidentiality laws must be reviewed and known by all persons accessing health data.
• The development and review of laws and procedures related to HIV information needs active participation from relevant stakeholders, including people living with and affected by HIV, health care professionals, and legal and ethical experts.
• Funding organisations should comply with these guidelines and make funding available to implement them. Maintaining security and confidentiality must be a condition for funding.

The interim guidelines will be field tested and additional training materials will be developed, following feedback from UNAIDS and PEPFAR focus countries and PEPFAR implementing partners.

Two new documents highlight the tensions between the optimal clinical care of an HIV-positive individual and the critical need for maintaining confidentiality. UNAIDS has produced draft guidelines for lower- and middle-income countries that aim to help protect patient confidentiality during the scale-up of HIV testing and treatment. In the United Kingdom, the British Association of Sexual Health and HIV (BASHH) and the British HIV Association (BHIVA) have also produced draft guidelines on protecting patient confidentiality in the era of electronic information sharing.

In the UK, there has been a great deal of debate in the national media regarding the changes that are ongoing in the way that the various parts of the National Health Service (NHS) – from hospital-running NHS Trusts to individual GP surgeries – plan to store and distribute sensitive patient information.

For people living with HIV there are three main areas of concern – consent, content and confidentiality. Although the issue was briefly addressed as part of BHIVA’s recent Standards for HIV Clinical Care document, BHIVA and BASHH have now produced Draft guidance on confidentiality of HIV identifying information. These guidelines are open for consultation until July 27^th.

As with the UNAIDS document, it describes a tension between providing wider access to an HIV-positive individual's current treatment and other health-related information and ensuring that this information remains confidential and is accessed purely on a need to know basis.

It also notes that “robust processes for information governance are lagging behind” the move to electronic patient records (EPR) by individual NHS Trusts and describes in detail some of the problems that have already been experienced, such as inappropriate disclosure of HIV status.

The guidelines recommend that HIV identifying information should be available on NHS Trusts’ electronic patient records systems, as long as:

• Each Trust’s Information Governance Committee takes responsibility for ensuring that information is held securely and confidentially within the legal and NHS frameworks.
• Procedures are put in place for active audit of access to records of individuals with HIV.
• Procedures are put in place for disciplinary action against anyone who accesses records inappropriately.

The guidelines’ other main recommendations include:

• Every employee dealing with patient information should be specifically trained with regards confidentiality of health information at or shortly after induction.
• If outside organisations (usually another hospital) or GPs are allowed to access a Trust’s EPR system then the same information governance procedures must be applied. In this situation HIV identifying (and other sensitive) information should not normally be accessible.
• If results of tests not ordered by GPs are sent directly to GPs this should not include HIV identifying information.
• Ideally access should be role based, so that for example all doctors (and perhaps nurses or allied health professionals) can access HIV related information, but administration staff cannot.
• When sending letters about patients with sensitive health information permission to disclose this information to GPs and permission to send copies to the patient should be sought and recorded.
• Patients should be made aware of how HIV identifying information (or any other sensitive health information) is held. This is especially important for members of staff, individuals with relatives working within the Trust at which they have their care and high profile individuals.
• There must be a process in place for recording HIV status and HIV identifying information in the event that a patient objects to the normal recording procedures e.g. use of GUM number. This should be offered to members of staff and high profile individuals.
• At present GUM records should not be part of EPR unless they are recorded under different GUM numbers, with the number and date of birth only as identifiers. There should be no linkage to the patient’s name and address in this system, which needs to be recorded separately.
• For statutory data collection purposes such as SOPHID reports, commissioning and cross charging ‘out of area’ care only PCT of residence (not full post-codes) should be provided.

In addition, a new electronic document known as a Summary Care Record is being created as part of the National Programme for IT (Information Technology) in the NHS in England. It will not affect people living in Wales, Scotland or Northern Ireland, where different systems are being used.

The Summary Care Record will contain information about an individual, including current medications, allergies and adverse reactions and will be uploaded on to a ‘national data spine’ from the Detailed Care Record held by an individual’s GP.

The guidelines make a further recommendation about both types of records:

• There MUST be a discussion with patients with regard to HIV identifying information and the Detailed Care Record (local health community) and the Summary Care Record (national IT spine) before the system goes live in each area. Patients should be able to choose (opt-in) whether HIV related information is included in this or is hidden from view.

The Interim Guidelines on Protecting the Confidentiality and Security of HIV Information can be downloaded directly from the UNAIDS website.

The Draft guidance on confidentiality of HIV identifying information can be downloaded directly from the BASHH website. The guidelines are open for consultation until July 27th. Any comments should be sent to: mary.poulton@kch.nhs.uk

A four-page briefing paper from Terrence Higgins Trust with more details about the Summary Care Record is available from the THT website.