Patient and public views about the security and privacy of Electronic Health Records (EHRs) in the UK: results from a mixed methods study
Quantitative results
Sample characteristics
The overall response rate for the survey was 85.5 %, (N?=?5331), but fewer participants (N?=?2761, i.e., 51.8 % of respondents) provided complete data for all variables included
in the analysis for this paper (responses with missing data have been excluded – see
Additional file 1). Table 1 describes our sample by birth year, sex, ethnicity, educational qualifications, recruitment
site, long-term conditions and frequency of healthcare visits. Almost half of the
respondents (47.7 %) belonged to relatively young age groups between 25–34 and 35–44
years old, many were female (59.1 %) and more than half self-identified as White British
(56 %). Around two thirds of participants reported having degrees or higher degrees
(61.2 %), and 66.4 % were recruited from outpatient clinics for the survey. In terms
of health-related characteristics, the sample consisted of a large proportion of people
with at least one long-term health condition (65.2 %) and a moderate number of visits
to health services: 36.4 % of participants had visited health services 0–2 times in
the 6 months prior to the survey and 34.7 % had made 3–5 visits in the same period.
Respondent views about security
Overall, 78.9 % of respondents stated that they would worry about the security of
their health record if it were part of a national electronic records system (Fig. 1). Similarly, 71.3 % voiced doubts about the ability of the NHS to guarantee the security
of EHRs at the time the survey was carried out (Fig. 2). Almost half (46.9 %) of respondents said that detailed, integrated EHRs would be
less secure than the way they assumed their health records were held at the time of
the survey, 43.5 % said security risks would be equal, and 9.5 % that security would
be increased (Fig. 3).
Relationship between security perceptions and overall support for EHRs
Previously published results drawing on a preliminary analysis from the same study
showed moderately high levels of support for the development of national EHRs used
simultaneously for healthcare provision, planning and policy, and health research:
62.5 % of participants reported overall support, 27.9 % reported being undecided and
9.6% said they would not support a national EHR system used for multiple purposes
15]. Higher levels of support were reported for specific uses of EHRs. Most participants
were in favour of EHRs specifically for personal healthcare provision (89.7 %), for
health services policy and planning (79.5 %), or for research (81.4 %), although 59.7
% and 67.1 % of respondents would prefer their personal identifiers to be removed
for health policy and research respectively 15].
To further understand whether those stating that they would be worried about national
EHRs also report being in favour or against their development, we carried out analysis
showing the relationships between the different variables (Table 2). Of those who said they would worry if their records were part of a national EHR
system, 55 % nevertheless reported that they would support the development of this
system, 32.6 % were undecided in their views, while 12.3 % would not be in favour
of national EHRs. There was a similar pattern between those who thought that the NHS
would be unable to guarantee the security of EHRs at the time of the survey: 53.5
% reported support for the development of national EHRs, 33.5 % were undecided and
13 % would not support the system. Of those who thought EHRs would be less secure
compared with current records, 46.5 % said that they would support the development
of national EHRs, 17.4 % said they would not support them, and 36 % reported being
undecided. People who did not report being worried about national EHR security were
not necessarily fully supportive of EHR development: 11.2 % said they were undecided
and 2.7 % that they were not in favour of the development of this system. We explored
these findings in greater detail in focus group discussions (presented in a separate
section).
Associations between security perceptions and socio-demographic and health-related
characteristics
We used logistic regression models to identify associations between socio-demographic
and other health-related characteristics of the sample, in relation to views about
EHR security and what participants thought about the ability of the NHS to safeguard
EHRs when the survey was conducted (Table 3). Respondents between 35 and 64 years old were more likely to report that they would
be worried about the security of their records as part of an integrated EHR system
(OR?=?1.98 to 2.45, p??0.05) than the base group consisting of individuals 25–34 years old (for age categories
over 64 years old differences from the base group were not statistically significant).
Respondents over 35 years old were also more likely to report less confidence in the
ability of the NHS to safeguard EHRs when the survey was conducted (OR?=?0.27 to 0.71,
p??0.05), than participants aged 25–34. Individuals with no academic qualifications
were less likely to say that they would worry about security if their record were
part of a national EHR (RR?=?0.44, p??0.05), compared with participants with higher degrees. Reported confidence in the
NHS to make EHRs secure at the time of the survey was similarly inversely related
to educational levels.
After adjusting for all variables in multivariate multinomial models, we identified
further age, ethnicity and education differences in security perceptions between integrated
EHRs and established systems (Table 4). In comparison with the base group aged 25–34, participants over 35 years of age
were less likely to report that integrated EHRs would be equally (RR?=?0.52 to 0.67,
p??0.05) or more (RR?=?0.52 to 0.68, p??0.05) secure compared with the system they thought their health providers used
for patient record management at the time the survey was completed. Individuals who
self-identified as White non-British, Asian/Asian British and Black/African/Caribbean/British
Black were more likely to respond that EHRs would be as secure as (OR?=?1.25 and 1.26
respectively, p??0.05) or more secure than (OR?=?1.45 and 2.28 respectively, p??0.05) the existing system, compared with White British groups. Those identifying
as Black/African/Caribbean/British Black were also more likely to say that EHRs would
be more secure (RR?=?1.48, p?=?0.05) than those self-reporting as White British. Participants with no educational
qualifications or holding General Certificates of Secondary Education (GCSEs) were
more likely than those with higher degrees to suggest that EHRs would be more secure
(RR?=?3.05, p??0.05). No other associations between security perceptions, socio-demographic and
health related variables were statistically significant.
Qualitative results
Drawing on the results of the quantitative survey, focus group discussions further
explored patient and public views about the security of cradle-to-grave integrated
EHRs and the various rationales underlying readiness to support their development.
Debating benefits for patient care against perceived EHR security risks
Most participants expected EHRs to improve patient care and treatment, from short-term
emergencies to long-term multifaceted management of chronic conditions. In particular,
they said that wider information-sharing between health professionals could provide
the potential for faster diagnosis, more targeted interventions and ‘linked up’ care
for patients with complex needs, among other benefits. Not having to repeat medical
histories could also enable more dignified care, some said, especially for frail or
vulnerable patients.
But also I think, if the electronic health records would help so that my daughter
doesn’t have to have assessment after assessment after assessment, maybe have one
assessment and that’s shared between everyone, because she has to constantly have
all these assessments, and it’s depressing to have to keep talking about what you
can’t do all the time. (FG10)
Rarely did participants express full support for the development of EHRs without adding
any caveats. More often people engaged in a negotiation process where they weighed
up perceived benefits from using integrated records against concerns about EHR security
and other risks. Hacking and identity theft were frequently mentioned as being of
concern, alongside unauthorised access. People said they were particularly worried
about insurance companies, employers and ‘people outside the NHS’ having access to their records, as the more the information was shared, the more
difficult it would be to control:
My concern is exactly that: who has access to my files and how can we make sure that
only those I want to have access would have access? […]
A record could just be available within the health profession to begin with.
But is [this where] the cancer begins, is [this where] we say, yes, that’s fine [to
share with other health professionals] and then it gets taken out of hand five years
later?
Now it may be [that we] need to concede that somewhere along the line things may get
contaminated. And there might be some exposure [of health information to other occupational
groups]. (FG12)
Focus group participants preferred different access levels for different occupational
groups, with certain professionals being permitted access to full medical records
(e.g., general practitioners) as opposed to a more restricted or limited version being
accessible to other professionals who were not as involved with their care. However,
they also recognised that there might be legitimate reasons for different staff members
to require access to medical records. Some said they would feel uncomfortable with
health professionals having access to their information beyond what would be strictly
necessary for the situation at hand, for example, instead of pharmacists only being
able to see what medication has been prescribed, also being able to access the reasons
for the prescription. Others suggested that pharmacists could act as a type of ‘safety net’ to correct mistakes if they had access to more information. Participants often talked
about how particular sensitive details warranted more security measures, although
this raised questions about how to ensure that measures are not routinely circumvented,
while still being possible to override in emergencies. Discussions also developed
to encompass a recognition that ‘no system is failsafe’.
And even if you put in security levels, it’s very difficult because you could justifiably
say that most of those 12 [occupational groups], it’s good they should have access
to your records. But I take the attitude, and I’ve been in IT, you can have all the
security systems you’ve got, but if somebody wants to break into them they’ll break
into them. (FG5)
Participants from socially disadvantaged or ethnic minority backgrounds specifically
expressed worries about how information included in patient notes might unduly influence
subsequent consultations in different settings. Beyond information seen as potentially
stigmatising (e.g., in relation to sexual or mental health) participants said they
worried that health professionals might also make character judgments, such as labelling
a patient as ‘hypochondriac’ or as having social problems, and that this could lead to difficulties accessing
appropriate care.
I know it could lead to negative labelling, definitely. And it just comes down to
the human level, with the nurse, the GP dealing with patients, how it will affect
their treatment of people, I’m sure it will have an influence on that. There will
be someone down the line that will react negatively, there’s no doubt about it. (FG7)
Other participants had found errors in their medical records and worried that if incorrect
information was more widely shared it might have consequences on further diagnoses
or treatment decisions.
I now habitually collect a record of everything. If I have blood tests or anything,
I will say to the GP I would like a copy of the records […] there’s an awful lot of
stuff on my records that isn’t accurate […] and if people aren’t properly informed
then they may not be making the right decisions. (FG2)
Debating the value of EHRs for research and planning
Most participants said they were happy for large datasets to be shared with researchers
and policy-makers if this would lead to better understanding of causes of disease,
the development of more effective treatments, and better resource allocation, particularly
if this could be of direct benefit to themselves or to future generations. In general,
participants said they wanted to be informed if details from their own medical records
were shared for purposes beyond their clinical care. Many wanted to know how and why
their information might be shared, and who would benefit from this, especially in
relation to information being used for research and planning purposes.
[If they] explain to me that the database is not only for medical purposes but would
also get us access to more medical [services] in terms of the way the commissioning
is taking place, then yes, you are making a good case to get me on the database, but
if you are saying that, oh, I should just provide my [information] what’s this all
this research going on for? (FG13)
Although focus group participants debated the value of anonymisation, there was little
consensus on what would qualify as identifying information, or how anonymisation could
be achieved effectively. Many wondered whether the information from health records
would be reliable and accurate enough to be used for other purposes such as research
and planning – ‘rubbish in, rubbish out’ was one phrase used to convey concern for data quality. However, people living with
sickle cell disorders discussed how EHRs would allow the collection of population-level
data on conditions where patient populations are smaller or more difficult to locate,
which they thought was not done adequately at the time, leading to decision-making
bias and inequalities.
If they want to know how many sickle cell patients is out there, they don’t know it
right now, but if they had that database they’ll be able to go there and get more
information. (FG13)
Ownership and accountability
Although participants highly valued the role of the English healthcare system in terms
of care provision, many were sceptical when discussing their views on the ability
of the NHS to safeguard medical information and manage large technological projects.
I just have very little faith in the way that the NHS handles databases. I don’t think
it’s got a very good record. […] I know how bad some of the IT systems have been.
I’ve had to work with them myself, and we just hope the National Health Service will
get this one right. They’ve got a few wrong in the past […] (FG3)
A previous project introducing integrated electronic systems in the NHS (National
Programme for IT) had received negative publicity in the years before the focus groups
took place and was eventually scaled down to a much narrower scope than initially
envisaged. Many participants raised this in their comments, along with other media
reports discussing data breaches in the NHS and other government bodies.
Always thought that [the NHS] would mess it up.
I’ve heard a bit about it, that they done it, but they paid lots of money.
Yeah but then what they do is that they leave it on a train, don’t they usually. (FG11)
Some said that they could not fully trust the NHS, which they characterised as ‘big and bureaucratic’: the size and bureaucracy being something they linked with lack of ability to protect
sensitive personal and health information. This was particularly the case when they
had worked in the NHS themselves.
[…] there’s less attention to detail, people are careless, they’re poorly trained
and nobody wants to be accountable. […]
And the other thing about the NHS, because I also worked in the NHS as a temporary
administrator, people are incredibly badly paid and demotivated.
That’s what I was going to say, temping, they get lots of temps. (FG9)
Others, however, thought that when information is held by government-controlled bodies,
such as the NHS, accountability would be easier to achieve. This discussion led on
to many participants expressing concern about the increasing privatisation of the
NHS and the impact this would have on information sharing with private companies,
where, they said, it would be more difficult to hold people accountable for security
breaches.
But what I’m also trying to communicate is even though your information are [sic]
within the government system, you can have an employee who might be paid by [the]
private sector. (FG13)
For many participants commercial exploitation of health information was seen as a
detrimental outcome of sharing information with private organisations. Pharmaceutical
companies, for example, were not viewed as equal partners in the healthcare system.
Although participants commented on their importance for advances in medication and
treatment, they also feared that medical information would increasingly be used for
purposes that would provide most profit, as opposed to improving the wellbeing of
the whole population.
Transparency is what we all want to talk about. We’re not terribly worried about [the
development of EHRs], but don’t use it for profit, just use it for research and so
our carers and our family can deal with [health] matters. (FG3)
In weighing up benefits and risks from increased information sharing, some of the
discussions concluded that there would only be a small probability that privacy risks
would be realised, and that risks would generally carry significant consequences for
specific individuals rather than the majority of the patient population. As long as
risks are ‘controlled’, some conceded, overall benefits would outweigh any security concerns. However, many
participants seemed to remain undecided in their views or said that framing the relationship
between benefits and risks in terms of balance might miss dimensions of the problem
they would be concerned about, such as aspects of the context that would influence
where the balance lies under different circumstances. Many expressed the need to find
out more details about how EHRs might look like in practice and how data would be
used for different purposes (e.g., administrative, clinical, research, policy) before
being able to decide how their preferences may vary.