The NHS IT agency Connecting for Health has admitted it has no idea how many of nearly 400,000 smartcards giving healthcare staff access to patient records have been lost or stolen.
The admission comes amid continuing concerns about the confidentiality and security of the electronic care records being introduced as the central element of the NHS’s £12.4bn National Programme for IT (NPfIT).
Last month, the British Medical Association wrote to health minister Ben Bradshaw calling for a halt to the roll-out of patients’ summary care records – basic patient information that will be held on a national data “spine” – until the results of pilot projects have been reviewed.
Concerns about confidentiality are likely to grow as work progresses to allow NHS records to be shared with thousands more staff in local authority social services departments.
So far 398,271 staff among the NHS’s 1.3m strong workforce have been issued with smartcards that give varying levels of access to patient records, including more than 60,000 with GP-level access and 63,000 with nurse-level access. A total of 22,729 NHS staff have been made “sponsors”, allowing them to approve smartcards for new holders.
Local NHS organisations that need access to care records are required to set up registration authorities to manage the process and verify the identity of staff applying for smartcards.
But records of lost or stolen cards – or the number of replacements issued - are not kept nationally, Connecting for Health admitted. A spokesperson said: “If a smartcard is lost, the individual must inform their local registration authority at the earliest opportunity so that they can continue to work and deliver patient care.
“Once informed the registration authority will cancel their previous smartcard so that it no longer permits NHS care record service access and re-issue a new smartcard, along with new passcode. As smartcards are issued and managed at local level no records are kept nationally.”
He added that access rights were not based on job titles but on NHS organisations’ decisions on what an individual staff member “needs to view or update” in the electronic record system. This meant, for example, that some nurses might be given the greater access rights enjoyed by GPs if their work included tasks such as prescribing drugs that required a higher level of access.
“We expect that the majority of non clinical profiles will not permit substantial access to clinical data,” he said.