When it comes to protecting privacy, medical records are the public’s top concern, according to a survey commissioned by the Data Protection Commission in 2008.1 This is hardly surprising considering the recent spate of high-profile cases, both in Ireland and the UK, in which sensitive patient information has either gone astray or been found in rubbish dumps.
The key to safeguarding your patients’ confidential information is a sensible records management policy, incorporating strong security controls with clear policies governing access to and use of information contained in the records. There should also be policies setting out the circumstances in which certain information may and may not be disclosed and protocols for dealing with requests for access (see Appendix 2 for guidance on DPA and FOI requirements regarding access requests).
The records management policy should apply to both computerised and manual records and include measures to protect the physical integrity of the records (See Appendix 1).
Good records management makes everybody’s life easier and facilitates continuity of care, reducing the risk of adverse incidents through misplaced or untraceable records. According to an article on records management in Ireland, “the average organisation … spends €120 in labour searching for a lost/misfiled document, loses 1 out of every 20 documents and office workers can each spend 400 hours per year looking for lost files. As between 1% & 5% of all documents are misfiled this is not really surprising.”2
Many patient safety incidents have been attributed to lost and misplaced files, reports placed in the wrong records, mix-ups with patients’ names and poor flagging up of crucial information
While the article’s author bemoans the monetary cost to businesses, the implications for healthcare services are even more profound – many patient safety incidents have been attributed to lost and misplaced files, reports placed in the wrong records, mix-ups with patients’ names and poor flagging up of crucial information such as drug allergies.
For the sake of efficiency and patient safety, every practice should have a records management policy in place, and this should be regularly reviewed and updated to keep pace with technological advances and legislative requirements. The international standard for records management – ISO 15489:2001 – Information and Documentation: Records Management – can be purchased via the NSAI website.
There is also a European standard for electronic records management – MoReq2 – which has the advantage of being available as a free download (see Further reading
for the link). This sets out the minimum software requirements for electronic records management – a useful tool for drawing up specifications for computerising a practice.
- Data Protection Commissioner, Results of Data Protection Public Awareness Survey Published, Press Release (12 August 2008)
- Andy Ellwood, Setting the Records Straight, Knowledge Ireland, April: 28–31 (2005)