Date: 2018-05-21

Medical staff in a hospital were given access to patient files for their research and studies without the consent of the patients concerned, a major investigation by the Data Protection Commissioner has found.

The investigation into the treatment of confidential patient records at 20 hospitals across the State by the regulator’s special investigation unit commenced in January last year and took over a year to complete.

Inspectors uncovered a range of problems where confidential patient files were potentially exposed, including to potential “snooping” by staff who had no legitimate reason to access them, and a lack of proper audit trails to show who had accessed computer records and whether they had been edited.

They examined the processing of sensitive patient data in areas to which patients and the public have access, finding that files were sometimes not properly protected from disclosure to people who should not have access to them.

In some cases, auditors from health insurance companies were also able to access the full details of a patient’s medical history, even though the auditors should only have had access to details relating to a specific claim made against the patient’s health insurance.

The report also makes recommendations that hospitals should ensure patients have “speech privacy” so they are able to discuss their personal and health information without being overheard by people, including other patients.

The audit covered Health Service Executive (HSE) facilities, private hospitals and voluntary hospitals.

Eight hospitals were inspected in the Dublin area, five in the greater Leinster region, two in Connacht, four in Munster, and one hospital was inspected in Ulster.

The 20 hospitals subjected to the special investigation were the Royal Victoria Eye and Ear Hospital, Dublin, the Mater hospital, Beaumont Hospital, Our Lady’s Children’s Hospital, Crumlin, Tallaght hospital, the Blackrock Clinic, the National Maternity Hospital, Holles Street, St Vincent’s University Hospital and the Midlands Regional Hospital, Mullingar.

Also examined were Aut Even Hospital and St Luke’s Hospital in Kilkenny, Our Lady’s Hospital, Navan, Wexford General Hospital, the Bon Secours Hospital, Cork, Cork University Hospital, University Hospital Kerry, University Hospital Limerick, Sligo University Hospital, University Hospital Galway, and Letterkenny University Hospital in Donegal.

The Data Protection Commissioner’s report said it was intentionally not identifying by hospital the specific matters of concern that arose in each of the hospitals inspected.

“Many of the matters of concern arose in several of the hospitals inspected while a small number of the matters of concern were particular to a handful of hospitals inspected,” it said.

“Given the breadth of this special investigation both in terms of the range and the geographical spread of the facilities inspected, it follows that the matters of concern identified during those inspections are ones that likely currently arise in other hospital facilities throughout the State.”

Assistant data protection commissioner Tony Delaney, who led the investigation, said its purpose was to bring to the attention of every hospital in the State matters of concern that his inspectors found in the sample of 20 hospitals inspected.

Secondly, its purpose was to prompt every hospital in the State to examine whether any or all of the matters of concern highlighted were occurring or could occur in their own facilities and, if so, to implement the recommendations made in the report to remedy that.

Mr Delaney said no similar data protection investigation on this scale had ever previously been undertaken in the State.

“As a result, several of the risks identified in the matters of concern are ones that may not have been pointed out before to the hospitals sector.”

The report, Data Protection Investigation in the Hospitals Sector, is being issued to every hospital in the State on Monday.

It warns that some hospitals are engaged in practices that may risk breaching current data protection legislation, as well as being in breach of the EU’s General Data Protection Regulation, a major new regime, which will be enforceable from next Friday.