To ask how i can find out who has accessed my medical records?

[sellotape2021]

Posting in here for traffic!
This is in Wales, so specifically I need help accessing it in wales - i can't find any information online

an (ex) friend has accessed my medical records, or someone she works with/knows has.

A mutual friend bumped into my ex friend and ex friend told her all about the problems I have been having lately and the hospital treatment i received. I have not told anyone, not even close friends or family about this particular treatment I received so it has been leaked from someone and I intend to find out who.

She works in a doctors surgery in a different town that I live in but the hospital i received the treatment in, is in the same town that she works in so I'm assuming that system is somehow interlinked. I'm not a patient at her surgery but apparently that doesn't matter as they can still access me on the hospital database?

I know she is best mates with the practice manager at the surgery where she works so ringing and asking them for help would be no good as she would be altered that I'm on to her.

I don't fully understand how it all works but as far as i can work out it is possible to access "some" information in the hospital records if you work in an admin position in a doctors.

All I can find out online is how to access my own records but not the audit trail about who has accessed them and when.

I don't think asking my GP surgery would help because I don't think she has accessed that information, i think it would have been the hospital information she accessed.

Does anyone know who I can contact please?

Of you think there has been a data breach you could contact the ICO

ico.org.uk/for-organisations/report-a-breach/

As far as I know (family member in NHS Scotland), there is a system that they can access being in that line of work. It logs who has accessed what and there are strict rules in place for not accessing yours, families or known acquaintances details. I'd definitely put a complaint in.

This happened to me, and a friend of mine. It was a nurse who accessed our records where worked and blabbed about them in her local pub.

Friend and I made a formal complaint to the nurse's Hospital Trust. They did an investigation - and let the nurse retire. So they dropped the investigation because she was no longer an employee.

I should have gone to the ICO simultaneously, looking back, and complained about the Trust as an organisation.

If it’s your hospital records that have been accessed inappropriately, I would contact PALS at the hospital with your concerns, they should investigate as it’s data held by them, rather than either your GP or the surgery where this person works.

I don't know, but I wonder if the hospital would be able to see a log of what access has happened from doctors surgeries? That might be a way to find out without alerting her via her friend?

I am surprised that she could access hospital details from a Dr's surgery though - I didn't realise the NHS was interlinked like that. I know in the past that my Dr's haven't been able to access blood test results ordered by the hospital and vice versa. I wonder if the hospital have sent an informational letter to your GP to keep them in the loop, which she has seen?

Ring whichever health board you are under and ask for details of the information officer. They should be able to help.

Sorry, just realised she doesn't work at your GPs!

Although I wonder if a letter has been sent to your GP and the access coding means any GP can see it?

I don't understand how she could have accessed your hospital records? She doesn't work in the hospital and doesn't work in your GP surgery? How could she have got your information?

Your gp surgery is the owner of your records and can see whoever goes in those records on that system. Most hospitals do not use the same system as gp although mental heath do.

I work in NHS Scotland, but when requesting your records here, there is an entry for each time someone has accessed your records. We certainly can't access information from a hospital or another practice though.

I would imagine it is down to the gp surgery and hospital being in the same ‘trust’. In our area we have different trusts and those that are linked all have access to the same record yet if I go to a hospital fourty minutes away as they’re a different trust they dont have access. However, there is a very strong audit trail of who logged in, had access etc

Are you sure the hospital haven’t sent letters to your GP detailing your attendance/treatment?
Where I work we send a clinic letter to the GP after every appointment and hospitals always send discharge summaries to GPs to for A&E and inpatient treatment.

Argh will read the thread properly next time sorry!

I work in the NHS in England and we use a system that is, as far as I know, nationwide and you can search for anyone using name and dob. If you have an NHS number, you'll be on there along with your full medical history. If you try to access someone who isn't under your care you have to give a reason why but this can be as simple as 'administration' and it doesn't tend to get picked up on if someone has viewed a patient's records without good reason until afterwards unfortunately.

As others have said, definitely get in contact with PALS and also report it to CQC as they'll take it very seriously.

I think some trusts use their own system but all the hospitals and GP surgeries here use the main database and its very easy to access anyone's records. I know of a handful of nurses and healthcare assistants who all lost their jobs in the past couple years for accessing records of a high-profile patient being treated at a different hospital.

Thanks all I just managed to contact PALS at the hospital who have confirmed that yes she can access my data at the hospital from her surgery but she can't access the data at my GP's surgery.

They are running a check on who has accessed my data internally in the hospital incase someone she knows that works there has accessed it on her behalf but for some reason they can't see who has logged in externally which doesn't make sense to me...

So the only way I can see if she has accessed the hospital records is to contact HER surgery and speak to (her best mate) the practice manager who of course will probably tell me there's been no dodgy activity going on.

If she has accessed your records, regardless of what GP she works at it will be auditable on the system. Every time someone accesses your records it logs their name against it. It is gross misconduct, even if it is YOU accessing YOUR OWN records.

If you contact her manager, best mate or not, it is physically impossible for them to cover it up, even on their internal system. I am also pretty sure there is a way to complain above her as the GP may be a part of a smaller network.

Hi OP

This is a data breach so it’s not simply of case of you phoning the practice and being fobbed off.

Put in a complaint to her practice and ask for a log of everyone who has accessed. There are solicitors who deal with data breach claims who can do all this for you too.

If PALS can't find anything I'd contact the practice manager via email to leave a record of the conversation, and if they do indeed say nothing is going on report it to CQC. It quite easy to submit a report via their website and they are very thorough. You could also ask PALS if there's a regional director responsible for the GP surgeries in your area.

There are two different systems (NHS data person here). SystmOne (national) and EPR (the hospital I work in) both have user access logs to check who has viewed records. GP surgeries can access SystmOne. The only other way she can know that kevel of information is if she has read letters. GP surgeries can not access EPR. You need to contact the ICO and your Caldicott Guardian and the SIRO at the trust. Google Senior Information Risk Owner and your trust name. HTH.

This is very serious and I can't believe the practice won't take it seriously if you make a formal complaint. Confidential medical information that she has no business having accessed to have been divulged by her to another friend of yours.

Make a complaint to the practice and they will have to investigate. There is an audit trail on all electronic records so that it can be seen who accessed them but it can only be seen by a system administrator. They should do that as part of the complaint investigation. It won't immediately be obvious to anyone who sees the record and it would not tell you that info if you just ask for a copy.
Follow the practice complaints procedure. Complain to them directly first and only if you feel their investigation isn't adequate then take it further eg to ICO or the CCG.

This happened in my trust recently and the police got involved and disciplinary action against the individuals involved btw. You must only access medical records with a legitimate reason which include: direct clinical care, reviewing a record to provide an opinion (including training purposes), or assessing suitability for admission.

I have an almost exact dilemmia. I think a friend of mine who is a dietician has viewed my health records. She works at a different hospital but she knows things that I have not told her. From what has been said, it seems it is do able and that you can get away with it

This is what trusts say about illegitimate access to patient records:

• If anyone accesses a record for a reason that is not legitimate, it will be treated as a serious breach of our standards and will be dealt with as a conduct matter in line with our disciplinary policy. The Trust is at risk of receiving heavy fines (potentially millions of pounds), the patient whose record has been accessed may take action regardless of whether any harm has come to them as a result of the breach, and the breach may be considered a criminal offence, involving prosecution of individual staff.
• Staff should be aware that whenever a record is accessed, that access is recorded; including the elements that were reviewed and where this took place. These logs are audited regularly and are available to patients.
• Information Governance training is mandatory and available to all staff and it is your responsibility to ensure you are aware of the strict legislation and rules that exist to protect both our patients and staff