(Fwd) R.I.P. and NHSNet

Dr Alan Hassey alan.hassey at btinternet.com
Mon, 31 Jul 2000 17:59:04 +0100


Mike
The NHS Encryption Programme Board will have to reconsider the use of
encryption in the light of RIP. As far as I can tell, NHSnet is the same as
the internet for legal purposes. The law may require NHS professionals to
provide clear text of encrypted messages (initially path results) & even
keys in the same way as for ISPs. NHS data is not to be treated as a special
case to the best of my knowledge. I've got some background reading to do on
all this & may be able to report further later...

Mary's concerns are mostly justified, but she does need to remember that
doctors do not have an absolute duty of confidence & never have enjoyed the
same privileged client relationship that solicitors do. We always could be
compelled to disclose confidential information or risk a contempt charge. I
am not sure how we stand on disclosing to a patient that a request for
access to "their" records has been made.... Each EDI message (initially at
least) will contain multiple EDI transfers - potentially hundreds - for
incorporation into individual EPRs. Disclosure of the clear text EDI
message will therefore be a breach of confidentiality for many patients at a
time.

For now - the message must be informed consent... Tell patients what's
happening & talk to your medical defence society if any of the security
agencies ask for clear text transcripts of EDI messages.

As for later - patient-held records look increasingly sensible

Hope this helps...

===
Dr Alan Hassey (mailto:alan.hassey@btinternet.com)
RCGP Health Informatics Group
Joint Computing Group (GPC - RCGP)



I am forwarding this into UKCRYPTO, in the hope that someone
can answer Mary Hawking's list of rather frightening questions.

Mike Wells
------- Forwarded Message Follows -------
Date sent:      	Mon, 31 Jul 2000 08:13:39 +0100
Subject:        	R.I.P. and NHSNet
From:           	Mary Hawking <maryhawking@tigers.demon.co.uk>
To:             	gp-uk@mailbase.ac.uk, wisdom-informatics@mailbase.ac.uk,
       	PCGIT@Schin.NCL.AC.UK
Send reply to:  	gp-uk@mailbase.ac.uk

Thinking about the RIP Act, confidentiality of medical records if
transferred electronically and NHSNet, could someone enlighten me?

Does the Act refer only to the Internet or does it apply also to
intranets?

Is NHSNet an internet service provider? or is it an intranet?

If it *is* an intranet, is encrypted email, carrying confidential
patient information, travelling between two NHSNet addresses subject to
the same police investigatory procedures as encrypted email travelling
across the internet?

To preserve a possibility of patient confidentiality, are we going to
have to foreswear email?

MaryH