The British Medical Association's response to these problems, following wide professional consultation, was to develop the `Blue Book', a security policy for clinical information systems (available for free both on the net and in paper form from the British Medical Association in London) [6]. The Blue Book sets out system design and administration principles which, if followed, ensure that personal health information is not shared without patient consent, except in the case of statutory exemptions. It is a conservative document, seeking to encapsulate accepted good paper records practice into systems language. Its recommendations have been implemented in a general practice, and in a hospital system now used at three sites (Hastings, Aintree and Exeter) [8].
This exercise showed that ethical computerisation of hospitals and medical practices was no problem, but what about the secondary uses of medical records, as in research, clinical audit, quality management and administration generally? In June 1996, the BMA reached an agreement with commercial providers of health data (such as the firms which buy data from hospitals and sell back performance statistics) would carefully ensure that no personal health information supplied by a provider (such as a hospital or general practice) would be identifiable to anyone outside that provider. (The first guidelines on this issue had already been issued by the RCGP and the BMA in 1988.) Industry has experienced no problem in abiding by these ethical guidelines. Since then, the private sector use of de-identified data has grown and tackled ever more complex challenges. In a recent project, a system has been built to collect prescription data from pharmacies for resale to drug companies (its principal use at present is in calculating drug sales staff commission payments). This was particularly difficult as the identity of doctors as well as patients had to be protected, to ensure that alert drug representatives could not identify doctors from the fall off in prescription volumes when they went on holiday [9].
The experience of the past three years have taught us that it is indeed possible to build clinical infromation systems that deal ethically with personal health information -- and once the problems have been carefully analysed, and experience has been gathered from some prototypes, it is not even particularly difficult. Every reasonable non-clinical use of medical records that we have come across has been susceptible to a solution involving de-identified data. This is not solely a UK experience; similar systems are reported in Germany [10] and New Zealand [11]. Meanwhile, Switzerland has experienced a similar controversy over whether medical data held in central databases were properly de-identified, and following intervention by their Federal Data Protection Commissioner, systems are being redeveloped to much higher standards [12].
Building ethical systems is thus a matter of will rather than technology. This brings us to the last of the main lessons learned in the UK - an inappropriate systems culture, such as that of a civil service department, can fatally undermine the will to build systems properly. Safe clinical systems require a design team that can operate openly with a high level of user collaboration and consultation, just as in avionics or the nuclear industry. Above all, one must avoid organisational mistakes that allow clinical systems development to be hijacked by administrators; many of the NHS's problems arose from the fact that its computer department was controlled by the Department of Health in London whose principal goal was cost control. Administrative concerns thus naturally came to dominate the thinking of its management.
The problem now facing healthcare information technologists in the UK is how to climb out of the hole we find ourselves in. We need an environment in which doctors, nurses and other healthcare professionals can tell system engineers what they need, and the engineers can get on with the job of building it. But given all the interests vested in the old system, this is turning out to be easier said than done.