The Sunday Business Post, 29th June 2014
The hospital records of every patient in the country are available on request to various pharmaceutical companies and health insurers, The Sunday Business Post can reveal.
The revelation has alarmed patient groups, rights campaigners and privacy advocates, as it has occurred without the informed consent of patients.
This means that health insurers, marketing companies and pharma giants can access intimate personal medical records.
The Healthcare Pricing Office (HPO), which collates the national database from patient records provided by 57 acute hospitals, refused to disclose which organisations and researchers have secured access to the data.
The HPO, which is part of the HSE, said the data was scrubbed of certain personal identifiers, such as a patient’s name and date of birth.
However, organisations can request the age, sex, year of hospital discharge and county of residence of the patient, and the county in which the patient was treated.
Privacy experts warned that it was possible to piece together a person’s identity using their location and age.
They said there were countless international examples in which data miners have reverse-engineered the data, using additional databases, to discover the names of patients.
For example, if someone knew a high-profile personality had been admitted to hospital on a certain date for a specific treatment, that person’s medical data could potentially be identified.
This has happened in other countries.
Fintan Lawlor, a solicitor who specialises in data protection, said that under the Data Protection Acts the HSE ‘should seek to have the consent or explicit consent of the data subject to the transferring of that information to a third party’.
Lawlor said: “Section One of the Data Protection Acts gives a definition of personal data and is described as ‘data relating to an individual who is or can be identified either from the data or from the data in conjunction with other information that is in, (or) likely to come into, the possession of the data controller.’”
Lawlor, who is a partner at the Dublin-based Lawlor Partners, said ‘where sensitive data is concerned, it is important that explicit consent is obtained from the data subject and that they understand the implications of the consent.’
The ESRI managed the data since the 1990s. In January of this year the Healthcare Pricing Office took over. It is unclear how long third parties have been allowed to access the data; the HSE did not say.
“I would say that they suspect that they may be in breach of the Acts and, accordingly, are not prepared to disclose the information”, said Lawlor.
The HSE said it could not disclose which organisations had received medical records as it had assured them of anonymity.
The Irish Council for Civil Liberties (ICCL) called on the HSE to ‘come clean’. Mark Kelly, director of ICCL, said patients had a ‘legitimate interest in knowing what external organisations are receiving their highly sensitive and personal records.’
Stephen McMahon, director for the Irish Patients Association, said: ‘If privacy is dead for Citizen U, then why should those that benefit from the harvesting of Citizen U’s life data be given privacy?’
McMahon said a ‘basic right for all patients is the right to confidentiality and a right to consent to allow others to access data about them if they so wish, including the state’.
McMahon called on the Data Protection Commissioners to publish an annual report of the requests that were made, as well as the names of the organisations that requested access to data.
Advocates for sharing health data say it can be used to improve overall patient health outcomes, make medical advances easier and ultimately save lives. Privacy experts warn there is no way for the public to work out who will ultimately have possession of their medical records or to what use their data will be put.
The HSE said it was not selling patients’ data.