Dr Ellie Mein
Oops! A private GP’s mistake leads to a breach of confidential data, something which can result in a massive fine. Dr Ellie Mein advises on how to respond in this situation
What should I do after data error?
Q I’m a private GP who recently emailed a letter intended for one patient to another with a similar name.
While this was an accident, the letter – which a patient had requested for ongoing custody proceedings – outlined mental health history, medication history and details relating to drug and alcohol misuse.
I was then contacted by the second patient who was shocked to receive a letter containing such sensitive details, realising that it did not relate to her.
I apologised to the second patient for this data breach, have ensured that the letter was deleted and have also rung the patient who was the subject of the letter to explain what had happened. What else should I do?
A A personal data breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Under data protection law, practices are responsible for patient data and legally obliged to store it securely and protect it from unauthorised or unlawful processing.
Data security incidents are relatively common within healthcare settings. The most recent data security incident trends published by the Information Commissioner’s Office (ICO), show that between April 2021 to June 2021 there were 607 data security incidents in the health sector, up from 420 the previous quarter.
The ease and speed in which data can be shared, along with the current surge in clinical administration being experienced, may partly be behind the increase in data loss incidents.
According to the ICO, the commonest reasons for data to fall into the wrong hands were that it was lost or stolen from an insecure location (112 incidents) or sent to the incorrect recipient – 67 by email and 56 by post or fax.
In 73 incidents, there was unauthorised access to the system – 65 non-cyber and eight via cyber methods. In 19 cases, there was verbal disclosure. In eight cases, failing to use bcc (‘blind carbon copy’) in an email meant email addresses were visible to all recipients.
As you have discovered, such breaches are distressing for the patients involved, but they also have wider implications such as reputational damage and potentially a significant financial penalty.
The General Data Protection Regulation (GDPR) states that you should inform the data subject if a breach is likely to result in a high risk to their rights and freedoms, such as if the data refers to a person’s health. This is a higher level of risk than under the ICO notification procedures.
An accidental disclosure of patient records or sensitive medical information is likely to be of high risk to the rights and freedoms of patients, requiring you to inform the data subject.
This is because of the significant impact on those affected due to the sensitivity of the data and the potential for confidential medical details to become known to
Failure to notify a breach appropriately can result in an administrative fine which could be up to €10m or 2% of your global turnover.
Consequently, make sure all your staff are aware of what constitutes a data breach, and that it is not just loss of personal data. Have robust procedures in place to detect, investigate and report breaches.
Finally, contact your medical defence organisation for further advice and support on dealing with a data breach.
Dr Ellie Mein is medico-legal adviser at the Medical Defence Union
Rules on issuing patients’ fit notes
Dr Kathryn Leask
Just when you can and cannot provide a fit note for a patient is often a source of confusion. Dr Kathryn Leask answers a private GP’s query
Can I backdate their fit note?
Q I am a private GP and have seen and assessed a patient recently. He’d had a minor operation on his hand three weeks previously but wasn’t given a fit note by the hospital.
The patient has asked me to provide a fit note. I was happy to provide this from the date of my assessment, but the patient has asked me to backdate this, as he had been off work for three weeks before he saw me.
I explained that I wasn’t able to do this; however, the patient says I can use the assessment from the hospital. Can I issue a fit note in these circumstances?
A The Department of Work and Pensions has provided specific guidance on the issuing of fit notes, which may be helpful to discuss with your patient.
The section entitled ‘When can I backdate a Statement of Fitness for Work?’ is most relevant to your situation. The guidance states that a backdated certificate can only be provided if it is based on a previous assessment.
This would be, for example, a face-to-face or phone consultation. Although a report from another doctor or registered healthcare professional can be considered, the fit note cannot be backdated from the date of your assessment.
While you would not be able to issue a fit note, you could offer to provide a letter to the appropriate person to confirm the patient’s clinical history.
This should be a factual account of the care provided to the patient and you should make it clear at which point you were and were not involved in the patient’s care and what assessments you did personally. You should ensure you have appropriate evidence to justify the information you are providing.
The other option would be for the patient to contact the hospital where the operation was performed to see whether the consultant whose care the patient was under would be prepared to provide a backdated certificate, as presumably this wasn’t issued at the time of his discharge or follow-up outpatient review.
The consultant may be happy to do so, given that they would have formally assessed the patient and can base any certificate on this.
Dr Kathryn Leask is a medico-legal adviser at the Medical Defence Union