John Appleby:—your bits in their hands

Over the past few months there has been considerable debate and argument about plans by the NHS to collect and centrally collate details of individual patient records from general practice for the first time. Many have expressed worries about the initiative and how potentially sensitive patient information will be used, who will have access to it (and for what reasons), and not least its security. Such fears are perhaps not just hypothetical given past examples of lost patient notes and what appears to be the misuse of sensitive patient information (even for the best of intentions).

With examples like these (and the revelations of the scale and detail of surveillance undertaken by the US National Security Authority and the UK’s GCHQ for example), the disquiet about is perhaps not surprising.

However, as not only a contributor of my own medical information as part of (including other datasets built up from NHS patient records), but also as a research user of such data, I will not take up the option to opt out of—an option provided despite the mandatory inclusion set out in the Health and Social Care Act. Others will take a different view of course, but for those still wondering what to do it’s worth considering the experience of another national data set—the hospital episode statistics (HES)—which has been in existence for a number of decades and which is now expanding to cover out-of-hospital care.

“Big (and personal) Data” are not new to the NHS. For nearly a quarter of a century the NHS in England has collected and collated a vast array of data from patients’ hospital records—the hospital episode statistics (HES). These data are collected not just for NHS patients treated in NHS hospitals, but also for private patients treated in the NHS and for patients treated in non-NHS hospitals but paid for by the NHS. The data—over 125 million individual inpatient, outpatient, and A&E records each year—are warehoused and controlled by the Health and Social Care Information Centre (HSCIC). The HES Data Dictionary details all the data collected, which include not only patients’ diagnoses and treatment, but also how long they stayed in hospital and how long they waited to get into hospital.

While the HES database does not contain patient names, it does hold other identifying information such as gender, age, patients’ full postcode, referring GP practice, and patients’ NHS number. However, before being released to researchers like me, HES replaces the date of birth with year of birth, removes the second part of the postcode, and replaces the NHS number with a unique, meaningless pseudonym so that I can still link episodes of care within and between years without seeing any of the patient’s “real world” identifiers.
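The release step described above can be sketched in code. This is an added example, not HSCIC's or the author's code: the article does not say how the pseudonym is derived, so the keyed HMAC, the key, the field names and the sample episodes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a secret key held only by the data controller (constructed value).
PSEUDONYM_KEY = b"constructed-demo-key-not-a-real-secret"

def pseudonym(nhs_number: str) -> str:
    """Keyed hash: stable for one patient, meaningless without the key."""
    digits = nhs_number.replace(" ", "")  # normalise spacing before hashing
    return hmac.new(PSEUDONYM_KEY, digits.encode(), hashlib.sha256).hexdigest()[:16]

def outward_code(postcode: str) -> str:
    """UK postcodes end in a 3-character second part; keep only the first part."""
    return postcode.replace(" ", "").upper()[:-3]

def release_view(episode: dict) -> dict:
    """Build the researcher-facing record from a raw episode."""
    return {
        "patient": pseudonym(episode["nhs_number"]),
        "year_of_birth": int(episode["date_of_birth"][:4]),
        "postcode_area": outward_code(episode["postcode"]),
        "year": episode["year"],
        "diagnosis": episode["diagnosis"],
    }

def link_episodes(released: list) -> dict:
    """Group released episodes by pseudonym, within and between years."""
    groups = defaultdict(list)
    for rec in released:
        groups[rec["patient"]].append((rec["year"], rec["diagnosis"]))
    return dict(groups)

# Constructed sample episodes (not real patients or NHS numbers).
RAW = [
    {"nhs_number": "000 000 0001", "date_of_birth": "1961-04-12",
     "postcode": "AB1 2CD", "year": 2012, "diagnosis": "I21"},
    {"nhs_number": "0000000001", "date_of_birth": "1961-04-12",
     "postcode": "AB12CD", "year": 2013, "diagnosis": "I50"},
    {"nhs_number": "000 000 0002", "date_of_birth": "1975-11-30",
     "postcode": "AB10 3EF", "year": 2013, "diagnosis": "J45"},
]
RELEASED = [release_view(e) for e in RAW]
```

The year of birth, first part of the postcode and diagnosis remain in the released view, so access rules still matter even though the direct identifiers are gone.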

At this point, for those who have never heard of HES and are worried about, you may be thinking hold on, where’s my opt out for HES? Well, the reasons for highlighting HES—which is just the secondary care equivalent of the primary care data that will now be linked through—is to provide some assurance about some of the worries some people have about Moreover, as the Privacy Impact Assessment for makes clear, the opt out does not just apply to data from GP practices, but now to any other information flows from the Health and Social Care Information Centre.

In terms of its uses, the first set of data from HES was made available in 1989 and has since been used for various administrative purposes—such as providing essential data on the use of hospital services in different areas to allow the NHS to allocate money to reflect the different needs of different populations. This has helped ensure the NHS strives to live up to one of its founding principles to provide equal opportunity of access to those in equal need. Latterly, it has also been used to ensure hospitals are paid correctly (via payment by results) for the work they do. HES has also enabled the NHS and researchers to investigate important policy issues such as the (variable) performance of hospitals based on deaths in hospitals, length of stay, or the rates of readmission of patients. Without the comprehensive coverage HES provides, research to evaluate the impact of competition on patient outcomes would not have been possible. And further, the detail contained in HES has enabled researchers and others to investigate whether and to what extent there are inequalities in the use of hospital services. Do populations in economically deprived areas receive or use services more or less than other areas for instance?

Some of these uses of HES data do not require the full census of patient data contained in HES (they could have relied on a sample). On the other hand, other examples (such as the payment of hospitals) really do require as comprehensive a data set as possible. And for some research examples, such as the impact of competition between hospitals, some extra details (eg the first part of patients’ postcodes, the referring practice etc) are essential to the analysis.

HES data also has direct clinical uses. An analysis using HES data was able to identify the rogue obstetrician Rodney Ledward as an outlier relative to his peers. This research raised the possibility of using routine HES data as an early warning system not just for exceptional cases such as Ledward, but to identify poorly performing medics. HES data also provided the basis for studying and identifying which patients were at risk of readmission to hospital and then to tailor services to reduce such inappropriate admissions. Both these examples of the clinical use of HES required access to pseudonymised patient information.

But do these or any other examples of the use of HES justify the risks of collecting and collating such large volumes of patient data? There is no straightforward or simple technical answer to this question as it depends in part on factors almost totally immune to facts or evidence—such as individuals’ attitudes and perceptions of risk, their views about, and trust in, government in general or particular governments. Others may hold ideological objections to the use of data like HES by commercial organisations either on the basis that they think no one should profit from “adding value” from the use of what they see as “public” data or because they feel such organisations may be more motivated to in some way misuse the data than others (such as academic researchers) with “purer” motives.

Some fear that medical insurers would be able to access confidential data, identify individuals, and then use this information to, say, refuse to insure or demand high premiums. However, it is unclear why insurers would want to do this when full disclosure of pre-existing medical conditions is in any case requested by insurers as a condition of offering insurance.

It may be that for some, no benefit is worth the existence of even the tiniest risk of, for example, the identification of an individual patient or the accidental leakage of confidential data. And ultimately, no absolute guarantee can be given that confidential data might not escape either by accident, incompetence, and human error, or maliciously as a result of some criminal action. This is the rock and a hard place NHS England find themselves with

However, the experience of HES should, I think, give those who want to opt out of pause for thought. HES has provided significant benefits in terms of the running of the NHS and analysis of its activities and performance which ultimately and directly benefit patients. Moreover, as far as I am aware—and I stand to be corrected—there have been no recorded examples in its history of data loss leading to patient or public harm, or the actual (as opposed to theoretical) identification of individual patients (through linking to other non-HES data for example). This must in part be due to the rules and processes governing access to, and use of, the identifiers contained in HES—rules which will not only apply with, but which have been strengthened.

So, should you opt out of I strongly think not. And while some have argued for an “opt in” approach, through inertia alone this would almost certainly jeopardise the whole point of the exercise. Just like the practice of medicine, the collection, collation, and use of medical data will not be 100% risk free. But as the operation of HES has shown over the last quarter of a century, the risks can be minimised (to zero it would seem) to allow us to enjoy the benefits.

John Appleby is the chief economist at The King’s Fund.

  • I have for the last 10 years tried to opt out of HES/SUS. I have a Sec 10 of the DPA agreed by Patricia Hewitt Secretary of State for Health yet I have been repeatedly denied hospital care.

    HES/SUS is covered by Sec 251 which does not override patient consent so patients can opt out of HES/SUS. I do not believe SUS/HES are compliant with fair processing under the DPA. A Google search this week revealed NO patient information for patients from the NHS with regards to HES/SUS.

    We also do not know if HSCIC have done any audits to check for data breaches. Additionally if patients do not know of HES/SUS existence they cannot check, by obtaining a Subject Access Request, that their data is accurate and that from their audit trail there have been no breaches. When I checked my own SUS/HES data I found it included my full address not just postcode and I had been incorrectly labelled an alcoholic.

    In the last couple of months I contacted 86 Hospital Trusts regarding opting out of HES/SUS; none had any patient information explaining HES/SUS and, bar a handful of Trusts, their response to patients wishing to opt out was utterly abysmal. They just could not comply with the DPA.

    Patients need to be fully informed about HES/SUS and the right to opt out respected.

  • susanne stevens

    Presumably those who opt in will be compromising the privacy of relatives who may wish to opt out in some cases or where children are involved their information will be included on a permanent data base?

  • Tokyo Nambu

    “full disclosure of pre-existing medical conditions is in any case requested by insurers as a condition of offering insurance.”

    You do not need to declare the outcomes of, or even that you have had, either AIDS or genetic tests. Not only are the outcomes of those of deep interest to insurers, that you have chosen to have such tests is indicative that you, at least, and probably your GP think you have an elevated risk.

  • trevor50

    Why is the data not available to the individual? Surely it is unethical that personal data can be shared with 3rd parties, but it is kept secret from the patient, who is not allowed to have online access.

  • Rob N

    Dear Mr Appleby, does the admission in that selling HES data “broke rules” change your opinion?

  • Scott Maxwell

    You said that there is no absolute guarantee that confidential data cannot escape by accident. You also said that there were no records of this that had happened. But still, the fear exists. isn’t exactly doing something to relieve the people about it, patients and GPs alike. Some of the information asked can actually be important data that can be used to acquire access to the patient’s other personal accounts. We cannot overlook the possibility of criminals who get the info ‘by accident’ to take this as an opportunity to misuse the info.