This site is intended for health professionals only

Patient records handed out to 56 private sector organisations data controller reveals

Medical record information has been released by the Health and Social Care Information Centre on more than 450 occasions, to recipients including 56 private sector organisations, according to a new register published in response to transparency concerns.

The HSCIC’s first audit of data disclosures since being established in April 2013 shows that private healthcare providers – including Bupa, BMI and Care UK – and management consultants, like McKinsey, PwC, Ernst & Young and GE Finnamore, have received patient data.

In total 160 organisations have been given data, with 104 classified as health and social care organisations – including universities and charities.

The audit of data disclosures was published to demonstrate the NHS is working to improve ‘transparency’ in the way patient data is used, after NHS England’s controversial GP data sharing scheme was delayed because of lack of public awareness.

It found that data was released 347 times in ‘pseudonymised’ form – with key identifiers removed – but identifiable data has been released on 75 occasions. The majority of records were Health Episode Statistics collected from hospitals.

The HSCIC states that all data releases were done with a strict legal basis, such as patient consent or with a section 251 exemption, where identifiable data can be released without consent if approved by an independent advisory group.

It does not profit from the selling of data and only charges the cost of recovery for creating data sets.

The reasons for disclosures varied from disease research to annual outcomes censuses.

A spokesperson for BUPA said: ‘Bupa has a dedicated company in the UK, Bupa Health Dialog, that provides analytics services for the NHS and we use the NHS data to allow us to do this work. The data is anonymised and we cannot identify any individual patient. This work helps the NHS to use its resources efficiently and benefits the UK taxpayer. The data is ringfenced by law and only specific named individuals can see or access it.’

A spokesperson for E&Y, one of the consultancies that received data, said: ‘This data helps inform statistical research on the links between quality and cost, to help NHS trusts deliver high quality safe services efficiently. It will not be resold to any organisation, and is used solely for work with our NHS clients. Data is made available under the UK Government Licensing Framework and release is compliant with the Data Protection Act 1998.’

HSCIC chair Kingsley Manning said: ‘By placing this register before the public the HSCIC is taking an important step towards the full transparency needed to help the public gain confidence in the services we provide.’

‘We are absolutely committed to encouraging scrutiny of our work and we welcome feedback on today’s register, which is important towards informing the structure and clarity of future publications and indeed to the organisation as it develops.’

‘This is about ensuring citizens and patients are clear about how data is used to improve the health and social care received by them directly and by communities as a whole.’

However, patient privacy group medConfidential claims that the HSCIC had failed to disclose particularly sensitive examples of data releases.

Phil Booth coordinator of medConfidential said: ‘Despite saying it has turned a new leaf, HSCIC is deliberately concealing releases of data that might cause itself, or ministers or other officials, embarrassment or political damage.’

‘The Information Centre’s lack of transparency is clearly not as “innocent” as its Chair has claimed.’

The HSCIC denies these allegations, saying: ’ The Health and Social Care Information Centre (HSCIC) strongly refutes any allegations that information has been omitted from this register.

Adding: ‘We are confident that the register covers all releases that were within the publicly defined scope of the document,’.