Adrian Midgeley writes:
> Now, the instruction is that any misdirected mail is to be sent to the
> Chief Executive of the Trust which originated it.
> ...
> I think they should be returned to the originator, or preferably to a Chief
> Medical Officer (the Medical Superintendent perhaps) in the Trust.
> They would then be going from the hand of one doctor to the hand of
> another
> ...
> The BMA handbook on ethics doesn't give a clear guide on this, and I would
> be genuinely grateful for thoughts on the matter.

The BMA security policy, though, does give guidance. You can only add
clinical professionals to the access control list, so your system
should not allow you to send the record to a Chief Executive - unless
that person is also a registered doctor, nurse or whatever.

The emerging consensus between the BMA and the IMG on how to handle
communications security will implement this in a straightforward way.
Clinical data traffic will be encrypted, and (unless you use an
emergency manual override) you will have to use a certified key. Key
certification will rest with professional bodies such as the GMC and
the UKCC. The GMC, so the current thinking goes, will certify your
long term signing key, and you will use this in turn to certify the
working keys you use for encryption and so on. So by checking a
short chain of certificates and a public list of lost/stolen keys,
anyone can see whether a given key is the current encryption key of a
registered healthcare professional.

So the options available to deal with a misdirected clinical email
will be (1) return it to the originator (or equivalently, notify them)
or (2) send it to the relevant Medical Director.

There is an interesting tension here between safety and privacy. For
safety reasons, one would expect the HA to tell you where your former
patients have gone. Of course, some patients might not want you to
know, and for this reason the HA acts as a forwarding agency - a kind
of `anonymous remailer' for patient correspondence. Is this the best
solution that we can engineer?

One can envision a scheme in which there is a standard format for the
transfer of electronic patient records (we're slowly getting there)
and they would normally be signed, encrypted and emailed from one GP
to another when patients moved. In the small proportion of cases where
the patients don't want you to know where they've gone, there would be
other mechanisms. The obvious one is just to give the patient a signed
copy of his record on a diskette (or a printout). This could be best
for patients going abroad. A slightly fancier solution would be an
anonymous remailer service, like those run by the cipherpunks; this
could cope with things like recalls which would cause problems for a
system of patient-held diskette.

There is also the problem that some people want to be able to consult
a doctor who has not seen their previous record. The Patients'
Association feels strongly on this topic: they have a number of cases
in which serious and treatable illnesses were only diagnosed when the
patient was seen by someone who was unaware of the views expressed by
their previous physicians. One example, as I recall from the June
meeting, was a case of cancer misdiagnosed as hypochondriasis. Suppose
you are a hypochondriac, and you suddenly realise that something is
actually wrong. How do you communicate this to your long-suffering GP?
In Germany, seeing a doctor who has not seen your file is a basic
right; in Britain, you have to go private.

How should systems cope? Should the patient be entitled to delete
sections of the record, and if so, how do you deal with the safety
aspects? Should patients be entitled to treatment under a pseudonym?
In theory they are, but the internal market places all sorts of
practical obstacles in the way. If these are removed, then how do you
stop addicts collecting prescriptions for opiates under multiple
names? If they are not, how do you stop the Home Office using the
healthcare system to track illegal immigrants?

My suggestion: somebody should look hard at this problem, and try to
specify what a record transfer system should do.

Ross
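
The key check described in the message (a registrar certifies a long-term signing key, that key certifies a working key, and both are compared against a public list of lost/stolen keys), as an added example that is not part of the original message or of any BMA or GMC specification. Ed25519, the certificate layout and all names (`Cert`, `issue`, `VerifyWorkingKey`, `Demo`, "Dr A") are assumptions, and the keys are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Cert struct { // a public key bound to a named professional and a role
	Subject, Role string
	Key, Sig      []byte
}

func (c Cert) body() []byte { return []byte(fmt.Sprintf("%q|%q|%x", c.Subject, c.Role, c.Key)) }

func issue(issuer ed25519.PrivateKey, subject, role string, key []byte) Cert {
	c := Cert{Subject: subject, Role: role, Key: key}
	c.Sig = ed25519.Sign(issuer, c.body())
	return c
}

// VerifyWorkingKey walks registrar -> signing key -> working key, then checks the lost/stolen list.
func VerifyWorkingKey(registrar ed25519.PublicKey, signing, working Cert, lost map[[32]byte]bool) error {
	switch {
	case signing.Role != "signing" || working.Role != "encryption" || signing.Subject != working.Subject:
		return errors.New("roles or subjects do not match")
	case len(signing.Key) != ed25519.PublicKeySize || !ed25519.Verify(registrar, signing.body(), signing.Sig):
		return errors.New("signing key not certified by registrar")
	case !ed25519.Verify(signing.Key, working.body(), working.Sig):
		return errors.New("working key not certified by signing key")
	case lost[sha256.Sum256(signing.Key)] || lost[sha256.Sum256(working.Key)]:
		return errors.New("key is on the lost/stolen list")
	}
	return nil
}

// Demo checks a good chain, a chain not rooted in the registrar, and a working key reported stolen.
func Demo() (good, rogue, stolen error) {
	key := func(l string) ed25519.PrivateKey { return ed25519.NewKeyFromSeed([]byte(fmt.Sprintf("%-32.32s", l))) }
	pub := func(k ed25519.PrivateKey) []byte { return k.Public().(ed25519.PublicKey) }
	gmc, doc, other := key("registrar"), key("dr-a signing"), key("unregistered")
	work := pub(key("dr-a working")) // opaque bytes standing in for an encryption public key
	sc, wc := issue(gmc, "Dr A", "signing", pub(doc)), issue(doc, "Dr A", "encryption", work)
	good = VerifyWorkingKey(pub(gmc), sc, wc, nil)
	rogue = VerifyWorkingKey(pub(gmc), issue(other, "Dr A", "signing", pub(other)), issue(other, "Dr A", "encryption", work), nil)
	stolen = VerifyWorkingKey(pub(gmc), sc, wc, map[[32]byte]bool{sha256.Sum256(work): true})
	return
}
func main() { fmt.Println(Demo()) }
```

A sending system would run this check on the recipient's working key before encrypting, which is what keeps a record from being addressed to someone who holds no certified key.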