My “friend” looked at my medical record.. Question for anyone who works in a NHS hospital

[AdviceNeeded3282]

As the title says. A friend of mine who works as an admin in the back office of a hospital has access to patient medical records/information. One night out she openly admitted that she has looked through people’s medical records?!?! (My guess is it’s all computerised). I was gob smacked to say the least. She found it funny/said it was interesting then realised I was angry. She openly admitted she has looked at all of our (close friends) records. My guess she has looked at my DH’s and anyone she is friends with? Anyhow about 2 years ago I went to my GP as I was suffering with depression which I told NO ONE about. This was at my doctors, not my hospital. Are all the systems linked ???? I do not want her knowing my private business like this. Before you say you should report her, I am not going down that road.

@madmum5811 - your no contact dm committed a criminal offence. Report her to the Information Commissioner.

I'm ex NHS IT and IG
GDPR is tightening up security holes and bringing in higher fines
It is known that many hospitals have holes in their data security- lack of investment
Smart cards hold more than one set of credentials - for temporary or bank staff with multiple contracts for instance
But I am appalled at the lax attitude - it is not the norm!!! Her hospital could have a very high fine for technically allowing her to abuse her position!!
Please see if there is a whistleblower phone number, or speak to PALS in total confidence

What you could do was say "I have reason to believe that X has been inappropriately accessing records of her friends and acquaintances. Please can you audit my own personal file: Full Name/Date of Birth for any evidence of her accessing it without cause. I am gravely concerned that this individual has been in serious breach of data protection laws, and I would like a response on this matter as soon as possible "

For what it's worth, I don't think she could see your GP visit. You can only view GPS referral letters. Those have a full medical history though and also have some social/domestic stuff, so even if you are safe, your friends have certainly been referred to someone somewhere and she could have read every thing about them.

The person who looked through my medical record was picked up in the monthly audit and was dismissed from their post. Still have no idea who it was.

I used to work in the medical records section of an outpatient dept so had access to the paper files medical staff wrote in, as well as the doctor's letters that would be sent to a patient & GP following an appointment (it was my job to file them)

On our system you could see a patient's previous appointments in any department within our 3 local hospitals.

The secretaries used a different system for the doctor's letters that was inaccessible to us, but we could see the physical copies of the letters when they were to be filed.

It was a no go even back then (10 year ago) to look at the records of anyone you knew. You weren't even supposed to check an appointment for a family member at their request...

Please do report her, there will be a way for IT to check what records she has accessed without a need to.

It is one thing to check on a system for previous appointments to track down a missing set of notes, it's another to just go moseying around

Musti I think that would greatly increase the risk of entering info onto the wrong patient record, which would be a bigger problem. I work in the NHS and add notes for my patients. Sometimes I search by a system number but will then check the name to check it is the right patient. Also clinicians often check with the patient what their name or dob is e.g. before giving an injection to make sure it is correct.

Please do report her, there will be a way for IT to check what records she has accessed without a need to.

I design some of these types of system. You are correct, there is an insert only tamper proof audit on almost all systems with detection of legitimate relationship etc. These are used for Caldicott Guardian audits etc.

It might or might not have been linked at the time she looked.
Depends on the trust, and what department she works in.

I work for a MH trust and I can see who people's (patients) GP's are, a brief summary of their conditions and what medication they have been on.

What I cannot see are detailed records of gp visits.

I understand you don't want to report her, but please contact PALS and discuss doing it annonymously.

They can start and investigation. There should be a computerised 'paper trail' of what she has accessed.

She absolutely is only authorised to access medical records for patients she needs to, and unless specifically requested by a healthcare professional, she should not be looking through in detail anyway!

She said she sees a lot though - like details of sexual assault etc

God that's made me proper rage. That a victim at their most vulnerable should be used as someone's sick entertainment - "Ooh, someone got raped! Oh it sounds proper nasty, you'll never guess what he did..."

Fuck this bitch in both ears.

Glad you're reporting OP.

As an aside, I'm sick of hearing "If you don't report it you're just as bad as the person who committed the crime." It's victim blamey and completely unnecessary.

I'm glad you're reporting, this is a serious breach of confidentiality and she should be dismissed.

As others have said, consequences for this are made very clear to NHS staff. Trusts take patient confidentiality very seriously

Also as admin staff she doesn't need access to the whole record and it sounds as if she has been having a good look around which is completely unacceptable. If you report, IT should be able to see this too.

@cinders15

Massive issue with managers not removing units from smart cards. I did some work in a couple of other departments a while back, and the managers still haven’t removed me. I have access to 7 units I don’t need! I will email them to get me removed this has reminded me. I always disable people but one slipped through and I realised she had logged on even though she had left. Was easy to audit her that this was an accident and she didn’t open any patient records just left a log in footprint

@PookieDo
Hi Pookie
RA is 2 pronged - if the user is disabled in the clinical system, then the RA access code will only let them see the module - but not to login to it
I used to run reports on the spine and the clinical system and then compare them
Anybody not logged in for a long time I queried with the manager concerned and checked that they had been removed
Unfortunately it was a data breach that caused us to do this a lot more than we used to - and IT were the worst offenders as they had access to support - so we had a massive housekeeping of ourselves as well
But it has to be constant to be effective! 😬
You will need to fill out an RA02 form (I think) to get yourself removed from units on the spine

Report her. If any of my friends did this to me, who are nurses that would be it. I would take it further and complain. Any staff in hospitals have to understand confidentiality she clearly isn't in the right job!

Haven't read the whole thread but sounds like a data breach to me, I would report

She must know what she has done has broken the law. She is also stupid as she has told a group of people what she has done. Did you not pull her up on it at the time? I really think you must report this.

I work in a surgery it's gross misconduct and she would be fired . IT can track everything we do so it's all monitored. I do think you need to report her it's honestly awful behaviour. The systems aren't usually linked as such but you know when you go to say the walk in centre and they ask if they can share with the Gp if you agree it shows in your notes the same as what the health visitor or district nurses ECT the hospitals don't usually use the same system but she would be able to see the referral letter do it depends what the doctor wrote on the letter they are only meant to include what is relevant to the referral not your full past medical history I hope that helps

She would be asked each time she accessed records why she was accessing them. It’s not accidental.

She is in the wrong job if she can’t respect confidentiality.

She will not be 'sacked on the spot'. This isn't how it happens. She may well be suspended following such an allegation whilst an investigation is carried out. If that reveals that an act of gross misconduct has been committed, then it's likely that she will be dismissed. The end result is the same but it's so misleading to say sacked on the spot.

They will know. They know what information she should be accessing, why she needs to access it, and how long she should be accessing it based on her job. They'll also know that she was accessing non-recent information and whether or not she had a need to do so.

It's pretty obvious when someone is 'browsing' someone records. I'm in the US and worked for the US Govt. And our investigations staff was usually pretty spot on in detecting a privacy breach vs someone accessing a record for a valid work purpose.

She deserves to lose her job. Accessing and then disclosing personal information deserves sacking! If she's told you about someone else's sexual assault (even if she didn't give you the person's name) means that it's likely she's revealed information about you to another person even if she didn't reveal your name.

Before you say you should report her, I am not going down that road.

You need to report this. What if she has looked at the records for someone vulnerable? And gossips about it? She was brazen enough to tell you and your friends, and there are rules for a reason.

I don't have anything to hide, but that doesn't mean I want everyone to know about my medical history. It's private to me and no-one else's business.

I would agree with the comments above that the way NHS computer systems work varies wildly by area. It is technically possible that hospital staff do have access to your GP record - both EMIS Web and SystmOne have data sharing mechanisms within them but this is controlled by the practice and your consent would be sought.

I think it is extremely unlikely that she has access to your GP record, but you can put your mind at rest by asking your practice if they have shared your record with users outside the practice and by asking them to put a consent code on your record to prevent this should they wish to do so in the future.

By the sounds of it, it’s only a matter of time before she’s caught, with a bit of luck.

You need to report her, I can’t understand why you haven’t? She’s abusing her position and then boasting about it?? She deserves to lose her job!!
Or is she a bull shitter? Surely anyone in that type of job would know the consequences of looking up information that they shouldn’t!! She must be completely stupid!!

I’m another person on here who has had legitimate access to peoples’ records and it turns my stomach that she has bragged about this. There is no defence, ever.
She deserves to be sacked, no excuses, no recriminations.
She is incredibly stupid and should never again be granted the ‘ ‘privilege’ of having this access.

Bit late here and I haven’t read all the comments. Doing this is against her contract, against the trust policies and the whole of the nhs information governance that is mandatory training!!!!

As to whether you’re records will be linked or not depends on the area and how advanced they are in IT and information sharing. Most trusts can’t see gp records, only what you’ve visited the hospital for.

You can actually request to view your medical records in the gp practice and would be in your right to ask who else has access to this information.

I would also like to say your “friend” sounds like a cheeky b!@ch and I would definitely report her

op I would just like to say that in no way are you "just as bad as her" even if you didn't report her