The challenge of accessing and sharing patient data in Ireland

Discover PlayDecide. Download games, prepare, play. GET STARTED

Play the game

Download, prepare, discuss & collect results.

In European countries, under GDPR, individuals 'own' their personal data, which includes medical information i.e. patient data.

In Ireland, individuals 'own' their patient data, but not necessarily the record that houses that data.

Author / translator Marie Boran

In European countries, under GDPR, individuals 'own' their personal data, which includes medical information i.e. patient data.

In Ireland, individuals 'own' their patient data, but not necessarily the record that houses that data.

So, people in Ireland have a right to access their medical records but can only do so on request. Meanwhile, health systems are collecting more and more information about patients as well as their diseases and treatments and how they impact individual patients. Often data is stored in incompatible, inaccessible systems that make it difficult or even impossible to share or even reuse the information to improve patient outcomes.

In addition, researchers and companies who are seeking new treatments and processes are finding it increasingly difficult to obtain anonymised or de-identified patient data for these purposes, which could bring potential benefit to Irish patients. The challenges for all stakeholders (individual patients, hospitals, private industry) to accessing and sharing patient data to fulfil their value are not just practical and legal, but also cultural and ethical.

Created 19 November 2019

Last edited 10 December 2019

Topics Health, Science, Technology

Policy positions

Policy position 1

People in Ireland should have instant access to a summary of their medical records in user-friendly language on an accessible government website. Similar to e.g. Revenue.ie they could log in to see a history of their appointments, treatments, medications, and so on.

Policy position 2

People should have instant access to their full medical record up to and including clinical notes from a doctor’s appointment. It should be fully transparent: the patient should be able to see everything the healthcare professional sees.

Policy position 3

People should have access to their medical record, but upon request. This would ensure that healthcare professionals have the opportunity to determine the sensitivity or confidentiality of certain data.

Policy position 4

Individuals own their medical data, so we should trust them to share when they are comfortable doing so. People should be able to control access to and sharing of their own medical data using an opt-in system for everything from an x-ray to notes from a meeting with their consultant.

Story cards

My name is Emma, I am 28 years of age and I am an illustrator for children’s books. I have hypermobile Ehlers Danlos syndrome (hEDS) and battle chronic joint pain.

Not enough is known about this rare disease and I want to use my patient voice as much as possible to help other patients. I have taken part in the EURORDIS Rare Barometer Voices initiative because I want to contribute to generating evidence that will help others like me understand and manage their illness.

I’m very much in favour of sharing my personal health data including genetic information because I believe it will further research in this area and lead to improvements in healthcare. As long as there are stringent ethical guidelines in place I am happy to see health data being shared across clinical and research environments. Besides, it’s for the public good.

Emma: ensuring my data is used to improve healthcare

My name is Edward. I am 54 years of age and I run my own business. I have mild hypertension and slightly elevated cholesterol, which I am happy to self-manage for the most part. I want my visits to my doctor to be in and out: pick up my prescription, get my medication and leave.

I hope my GP continues to keep my records on paper in a filing cabinet because who knows what might happen if a digital copy gets shared. I’ve read about HSE data breaches in the past and I don’t want my private medical information turning up on a bus seat somewhere.

If my doctor needs to share a critical piece of information with a hospital for treatment purposes that’s okay but I should be notified when this happens. The sharing of patient data should be completely transparent and only done with my consent and for my individual care.

Edward: where would my data end up?

My name is Gillian and I was diagnosed with Multiple Sclerosis two years ago at the age of 36. This has changed my life and I have had to cut back dramatically on my work as a HR consultant.

I feel tired all the time and spend a lot of the week bouncing between my family doctor, neurologist, ophthalmologist, physical therapist, and psychiatrist. I am frustrated with the lack of connection between these health care professionals because they don’t all share the same records.

It feels like I spend half of my life filling out the same details over and over again; it’s exhausting. Why can’t all hospitals, clinics and GPs have access to - and be able to update - the exact same patient data records? It’s 2019 for heaven’s sake!

Gillian: frustrated at the lack of shared records

My name is Zuzanna and I am 19 years old. I have epileptic seizures due to a severe form of epilepsy. As a child, my parents used to keep track of all my medical history, treatments, interactions with multiple services, in a notebook.

Since I started college, and moved away from home, I’ve been a little distracted by college life and have missed some appointments and my logging of information has not been as good.

At my most recent appointment, I forgot to mention a new medication which I started last year. I don’t know why I forgot about it, but it didn’t seem to bother the consultant.

Zuzanna (Patient)

My name is John and I am the Data Protection Officer of a large hospital in Cork. As a hospital we endeavour to ensure any patient’s medical information is treated with the utmost respect and confidentiality and we must comply with Data Protection Legislation (GDPR).

I am constantly asked for advice in relation to medical information being used for purposes other than a patient’s direct medical care including for research, quality assurance, clinical audit, claims management, patient experience surveys, staff education and training, etc..

We have to ensure at a minimum that the hospital handles peoples’ personal information securely and for the purpose it was collected. The truth is that consequences for sharing inappropriately can potentially be very significant for the hospital, whereas the consequences for not sharing are less so.

John: we need to ensure trust in the systems in place

My name is Maura and I’m a General Practitioner (GP) with a practice in Co. Meath. I see an average of 10 patients per day during my clinic hours, which means I have an average of 15 min per patient. I can now refer patients into any hospital in Ireland electronically, which frees up consultation time rather than having to physically write out referral letters. I can see the benefits of eHealth in general.

However, I have concerns about any proposals which would make GP records available to other GPs or other services, without first putting in place the necessary protections and guarantees about how this information will be used.

Additionally, there is too much information being asked to be shared, and I am not resourced as a GP, to perform these requests.

Maura: eHealth needs appropriate protections

My name is Reuben and I am an orthopaedic surgeon in a Dublin hospital. I am a strong believer in patient empowerment and involvement in care/research.

I take my patient’s data, and am responsible for its safe-keeping and protection. I also study it and use it to help develop high quality treatments. High quality data includes data that I can re-use for other purposes. This means that the data I have can be integrated with any new datasets, so that new insights can be identified. I am concerned that data may be too difficult to integrate or that I may have to analyse datasets with missing data.

I also draw the line when it comes to patients being able to read/review/access my clinical notes as part of their record.

Reuben: patient data is difficult to integrate

My name is Evan and I’m the co-founder of a Dundalk-based diagnostics and data company that works with pharmaceutical companies on ‘precision medicine’ projects. Our core focus is to ensure patients get access to potentially life-saving therapies by enabling ‘biomarker testing’ and therefore potentially gain access to the right drug for their specific condition.

All of our work is based in the US and EU with little or no work being conducted in Ireland due to the lack of a data sharing and research infrastructure in the Irish health service. Also, clinical trials which are seeking sites in Ireland are having to be turned away due to the difficulty of collecting consent for research, as outlined in the Health research Regulations recently passed.

Evan - over-regulation?

My name is Samira and I am head of research for a large multi-national technology company. Our main business is in applying artificial intelligence technologies to large datasets to assist decision-making in the public sector. Our goal is to build new tools that could help doctors and nurses in hospitals around Ireland to more quickly and easily access relevant patient information.

To build these tools, we need access to vast amounts of de-anonymised patient data but the hospitals we approached are not in a position to share this. To be clear, we won't use patient data for any other purpose than for providing these services we’re offering under an agreement with the individual hospital - and patient data will not be combined with any other data we have (e.g. consumer data). We adhere to industry-wide regulations on data privacy, security, and usage.

Samira - infrastructure not in place for Big Data in Ireland

Hi, my name is Fiachra and I am a cancer researcher. I collaborate with Biobank Ireland, which collects human tissue and blood samples that are invaluable for my lab-work. Ideally, I would like to use the patient data linked to these biobank samples because it would lead to better research outcomes.

This must be done in a secure and ethical manner in order to maintain public trust in scientific research. Therefore, we must a) obtain the explicit consent of research participants and b) ensure this data is used in aggregate (not individually identifiable). A big challenge is in providing transparency about the process and the safeguards in place for informed consent without information overload.

Fiachra - we need plain language and transparency around the use of patient data in research

INFO CARDSISSUE CARDS

Access to data puts the patient in control

Without access to their data, patients cannot fully review their personal health information and cannot be fully engaged in their care. Many patients want access to their health records so they can better understand their treatment plans and feel motivated to adhere to it.

Patients want to know how their data is being used

When someone consents to their data being collected/shared, they want to know for what purpose it will be used (e.g. to perform research on a disease area). They are also concerned about re-use, which changes the purpose for which it was originally collected. Many existing datasets would lose their value if patients had to be re-consented for a new type of analysis.

Individual access to data is not a priority for the patient

While many people would like their GP or consultant to be sharing their records amongst themselves for the convenience of both the patient and the healthcare professional, accessing the data themselves is not a priority. The data is there to help the doctors do their job, nor burden the patient with extra, unnecessary information.

Healthcare professionals are in favour of patient databases

The overwhelming majority of doctors and nurses support the introduction of a digitised, centralised database of patient information. They believe it will improve patient care and patient safety. These health professionals are in agreement with the potential for improved communications, improved data quality and improved efficiencies in work practices that digitised patient data can offer.

Digitised patient data has potential but there are risks

A digitised, connected and shared database of patient information is useful and has the potential to save significant amounts of time for heathcare professionals. It is also likely to result in improved patient care. But it must be balanced with the risks of breaches of confidentiality - and deal appropriately with sensitive data. Caution is advisable and there should be adequate protections in place.

Data protection is not to the level it should be

In some industries, e.g. the telecom industry, a high level of encryption of data is used. Patient data has varying levels of security and is at risk of being compromised. Higher levels of data security could be costly and difficult to implement for legacy (i.e. older) existing datasets. The risks related to data loss and disclosure is often understated. It may be impossible to eliminate risk, so a balance of benefit vs risk is required.

Lack of understanding of the basics about data

Many patients do not understand the basics about data and how it is used. This raises questions as to how ‘informed’ they are in consenting to the use of their patient data. This extends down to understanding how this data is protected. There may be misconceptions about the level of risk for the re-use of patient data. In comparison, many people willingly share sensitive personal data on a daily basis on social media platforms.

Data Anonymisation is a myth

Most people expect that their data is anonymised or ‘de-identified’ before it is shared outside of the data collector but is complete data anonymisation possible? There is a growing belief that data anonymisation is in fact impossible due to various techniques that can be used for what is known as de-anonymisation or data re-identification.

Collaborating with eHealth Start-ups is potentially risky

Would you give your personal patient data to Google or Facebook? Let’s say an Irish technology start-up is working with a hospital, using data analytics to reduce re-admission levels. This is regulated by the GDPR but what happens if a company like Google buys the start-up? We cannot always be sure where and how patient data will be re-used.

Doctors don’t always see the value of electronic patient databases

A repository of connected patient data can be a useful tool for diagnosis or triage but most doctors and other healthcare professionals see their primary value as a nothing more than data storage. A 2018 Stanford study showed that only 8 percent of healthcare professionals view these systems as clinically related. Additionally, almost half of primary-care physicians think using such systems actually detracts from their own clinical effectiveness.

Access to patient data needs strict adherence to regulations

In 2018 we saw the case of medical staff in an Irish hospital being given access to patient files for their research and studies without the consent of the patients concerned. The Data Protection Commissioner found that the hospital in question felt it 'had a right' to this patient data because it was the ‘data controller’. This case shows the need for strict compliance with regulations in order to protect data rights of the patient.

Doctors don't want patients to see ‘warts and all’ medical data

Giving patients access to all data including clinical notes written by a doctor or other healthcare professional is not necessarily useful or desirable. Some doctors worry that patients may object to notes with medical descriptions such as ‘anxious’ or ‘alcohol dependant’. Doctors may alter their notes in order to avoid upsetting a patient, which could in turn lead to a loss of important information on the patient's condition.

The GDPR & Personal Data Rights

Under GDPR an individual has legal rights concerning their information and how it is processed by a public body such as the HSE. These rights include: access to your personal information; requesting the correction of inaccurate information; requesting deletion of personal information excluding medical records; receiving one’s personal information in a portable electronic format; and lodging a complaint with the data protection commissioner.

What is an Electronic Health Record (EHR)?

The Electronic Health Record of a patient contains information documented by healthcare professionals when they interact with a patient i.e. patient data. It may contain e.g. a patient’s symptom history, clinical observations such as a blood pressure reading, or public health activities such as immunisations. These records are sometimes connected between organisations for the purpose of sharing patient information.

Who Creates Patient Data?

Patient data can be produced and/or processed by: patients (e.g. personal health records; consumer medical and health device data), clinicians (prescriptions; all medical records such as charts, x-rays, summary reports), medical services (automated data analysis and reporting services), and external entities (genome sequencing services; insurance companies; data aggregators; patients).

Is patient data a form of personal data?

Yes, patient data is a form of personal data that relates to the health status of a person. Under EU legislation (GDPR) patient data is classed as sensitive data. It is subject to strict rules and can only be processed by healthcare professionals.

What is patient data?

Patient data is medical or health information held about an individual patient. Patient data may include information relating to past and current health or illness, treatment history, lifestyle choices. It may also include biometric data e.g. fingerprint or DNA processed by a computer. In Ireland patient data is held in individual medical records which may be accessed by health care professionals in e.g. a GP's surgery or local hospital.

Big Data in healthcare

Big Data is a term used to describe vast amount of data and the techniques applied to it in order to find useful patterns. For example, computer analytics could be applied to diverse types of patient data i.e. everything from diet, medication and previous hospital admissions, to identify individuals who would benefit from preventative care or lifestyle changes.

Consent for the processing of patient data

Under the GDPR consent is any freely given, specific, informed and unambiguous indication of the data subject's wishes by a statement or a clear affirmative action, that signifies agreement to the processing of his/her personal data. A model of consent has been created for health research in Ireland with consent models for the use and sharing of information for individual care & service improvement currently in development.

Who 'owns' patient data?

When someone in Ireland visits a GP as a private patient, the GP retains the medical record and other patient data collected but you are entitled to access this data under data protection laws. Likewise, a visit to a public hospital generates patient data (medical charts, x-rays, invoices) but these are retained by the HSE. In this case, patients are entitled to request access to their data.

How patient data is understood by the general public

Beyond individual care, not many people are aware of how patient data is used. Most associate it with a clinical setting, but they may not be aware of the extent to which academic researchers, commercial organisations or government can utilise patient data. For example, surveys in the UK show most people have never heard of the UK’s National Cancer Registry, which automatically creates a record for someone when they are diagnosed with cancer.

What is explicit consent?

An organisation seeking permission to use an individual’s data should provide enough information to the individual to allow them to make an informed decision. Consent must be freely given and voluntary. It must also be an express statement of consent .e.g. a signed document, leaving no room for misinterpretation of consent or lack thereof.