Case Summary
A complainant alleged that a GlaxoSmithKline representative downloaded a disc on to the practice system. He then, with the practice nurse’s knowledge, chose which patients should attend the clinic GlaxoSmithKline was providing and they were then invited. The complainant believed this was a breach of patient confidentiality. The complainant would be very angry if she knew that a representative had access to her personal information and felt it was important to prevent it happening again.
The Panel noted GlaxoSmithKline’s submission that the ‘representative’ at issue was in fact a Diabetes First Associate (DFA) - a non-promotional role.
The Panel noted that once the software was installed a diabetes report which had no patient identifiable information could be generated. The identifying numbers were held in the practice on a spreadsheet.
The DFA did not have access to this spreadsheet. The priority patients search criteria were decided by the practice which also decided who attended for review.
GlaxoSmithKline submitted that the DFA did not have access to any patient identifiable information at any stage of the process. The DFA in question had installed and demonstrated the software including how to produce mail merge letters to patients. The administrator produced the letters to patients.
GlaxoSmithKline submitted that the DFA never had access to the spreadsheet and when using the practice computer was supervised by the practice nurse.
On the basis of the parties’ submissions the Panel did not consider that there was sufficient evidence to show that, on the balance of probabilities, there had been a breach of patient confidentiality as alleged, as the DFA had not had access to identifiable patient data. The Panel ruled no breach of the Code.
AUTH/1963/2/07 - Independent nurse advisor v GlaxoSmithKline
A complainant alleged that a GlaxoSmithKline representative downloaded a disc on to the practice system. He then, with the practice nurse’s knowledge, chose which patients should attend the clinic GlaxoSmithKline was providing and they were then invited. The complainant believed this was a breach of patient confidentiality. The complainant would be very angry if she knew that a representative had access to her personal information and felt it was important to prevent it happening again.
The Panel noted GlaxoSmithKline’s submission that the ‘representative’ at issue was in fact a Diabetes First Associate (DFA) - a non-promotional role.
The Panel noted that once the software was installed a diabetes report which had no patient identifiable information could be generated. The identifying numbers were held in the practice on a spreadsheet. The DFA did not have access to this spreadsheet. The priority patients search criteria were decided by the practice which also decided who attended for review. GlaxoSmithKline submitted that the DFA did not have access to any patient identifiable information at any stage of the process. The DFA in question had installed and demonstrated the software including how to produce mail merge letters to patients. The administrator produced the letters to patients. GlaxoSmithKline submitted that the DFA never had access to the spreadsheet and when using the practice computer was supervised by the practice nurse.
On the basis of the parties’ submissions the Panel did not consider that there was sufficient evidence to show that, on the balance of probabilities, there had been a breach of patient confidentiality as alleged, as the DFA had not had access to identifiable patient data. The Panel ruled no breach of the Code.
A complaint was received about the conduct of a representative from GlaxoSmithKline UK Ltd in relation to a clinic provided by the company at a medical centre.
COMPLAINT
The complainant stated that the representative downloaded a disc on to the practice system. He then, with the practice nurse’s knowledge, chose which patients should attend the clinic GlaxoSmithKline was providing and they were then invited. The complainant believed this was a breach of patient confidentiality. This was in September 2006. The complainant would be very angry if she knew that a representative had access to her personal information within her GP practice and felt it was important to prevent it happening again.
When writing to GlaxoSmithKline, the Authority asked it to respond in relation to Clauses 2, 9.1, 18.1 and 18.4 of the Code.
RESPONSE
GlaxoSmithKline stated that the service referred to was the Diabetes Patient Review Service (DPRS). This was a non-promotional service provided by GlaxoSmithKline as a service to medicine through non-promotional representatives known as Diabetes First Associates (DFAs). GlaxoSmithKline confirmed that the person referred to as a representative by the complainant was a DFA and had no promotional elements to his role.
The service included:-
• Software installed on the practice database to run-audit reports, identify where the practice could improve data reporting and enable a list of priority patients, where the practice might wish to focus its efforts, to be generated.
• The use of external nurses from an independent,third party company to review patients, if required by the practice.
The practice had complete freedom to choose some or all of these services which were offered free of charge, unconditionally and not linked to the promotion of any medicine.
GlaxoSmithKline was confident that the review service, and its execution in this practice, complied with the Code. This service had been the subject of previous complaints that were found not in breach (Cases AUTH/1806/3/06 and AUTH/1809/3/06).
The objective of the DPRS was to work with health professionals to improve the outcomes of patients with Type 2 diabetes. The service aimed to:
• Improve patient health status.
• Provide the practice with a report that outlined progress against GMS contract requirements.
• Provide the practice with a comprehensive diabetes audit.
• Support the practice in diabetes review.
• Provide benefits to the practice in improving the overall health and management of diabetes patients.
Diabetes Patient Review Service outline
The DPRS was implemented against a standard procedure which began with an introduction to the service from a non-promotional representative, the DFA. The representative’s role was to outline the review service to the practice and gain signed consent to proceed from at least two GPs and the practice manager. Once the DFA had agreement to proceed with the review service, the DFA introduced an agency nurse advisor to the practice. The nurse advisors were employed and managed by the agency and were completely independent of any pharmaceutical organisation. The nurse advisor set up a meeting with the practice to explain the program in full and in particular: • To agree the search criteria for patients and gain signed agreement to define those patients appropriate for review.
• To discuss the practice protocol for diabetes, which was generated by the practice, and ensure that any recommendations made by the nurse advisor were in line with this protocol, that had been agreed by all members of the practice. Any change in an individual’s treatment remained the complete responsibility of the GP.
• To discuss groups of patients that were to be reviewed and gain further authorization.
• To agree with the practice appropriate measures to ensure patient confidentiality.
There were a number of documents that must be reviewed and signed prior to commencing the service. These documents ensured that there were clear search criteria, a written protocol and referral system for patients. Included within these documents was an explanation of the nurse advisor having access to patient information and a clear explanation of the use of any data extracted.
The software used was provided by a third party independent of any pharmaceutical company. GlaxoSmithKline gave details of the way in which the software was installed and data and reports generated. The data seen by the DFA only identified patients by a unique identifying (ID) number – this could be decoded by the practice but not by the DFA.
The software could be used to identify and recall 'priority patients' for review. The criteria for priority review eg smoking status, BMI, blood pressure, cholesterol, glycaemic control were decided by the practice which also decided who attended for review.
The DFA did not have access to any patient identifiable information at any stage of this process. The software system ensured that confidentiality was maintained.
GlaxoSmithKline acknowledged the serious nature of this complaint. It had investigated fully and the DFA involved had been interviewed.
The medical centre agreed to proceed with the review and to hold clinics on two days in August 2006.
The complainant stated that ‘…a rep from a pharma company downloaded a disc on a practice system…’. As previously explained, the practice was given software that enabled it to produce a report of its diabetes patients, which it could use to identify which patients it wanted to review, based on which patients would benefit most from a comprehensive review of all aspects of their diabetes. There was no ability to ‘download’ any information.
The software was installed and demonstrated by the DFA to the practice nurse. This was usual procedure. A spreadsheet was produced, that was anonymised, each line of the spreadsheet referred to a patient by a unique ID number.
The demonstration consisted of viewing the spreadsheet and performing the following actions:
• Data chasing (highlighting gaps in codes, etc, in the data against patients).
• Practice audit and how the patients identified as a potential priority could be exported to a facility that allowed for mailing of letters to attend clinic. This process was carried out by the practice administrator.
• How to generate a practice report by the sending of data to the third party.
A baseline report in the form of a spreadsheet was generated: this could be used to demonstrate pre- and post-clinic performance. At all stages any data displayed in reports or on the computer screen was anonymised. Patients were listed by unique ID number. The ID numbers could only be matched up to a spreadsheet held in the practice. The DFA never had access to this spreadsheet and was never left unattended beside a practice computer - the only time the DFA was beside the practice computer was to install the software or demonstrate its capability and this was done in full view of the practice nurse who supervised his actions.
‘…he then, with the practice nurse’s knowledge, chose which patients should attend the clinic…’ The DFA did not choose which patients were invited to the clinic. Criteria were drawn up by the practice based on which patients would benefit most from a comprehensive review of their diabetes, blood pressure and lipids and would fulfil the practice’s GMS contract requirements. This predefined criteria, decided by the medical centre practice, could be seen in the Type 2 Diabetes Patient Review Service authorization form.
The software compiled a list of priority patients, based on the predefined criteria. The list was by patient ID number and contained no personal information, so the non-promotional representative would not be able to identify individual patients. This list of priority patients was presented to the practice nurse with unique ID numbers: this information was passed to the administrator by the practice nurse to facilitate letter production and thus recall of patients. Patients were again only identified by unique ID number. Under no circumstances did the non-promotional representative decide on or invite the patients to clinic.
‘…I believe this is a breach of patient confidentiality…’
The DFA had no access to data/records that could identify or could be linked to particular patients. The software gave patients unique ID numbers and only the practice had access to information identifying these patients. There was a tick box in the program that could unmask the unique numbers and display names on the spreadsheet. The DFA showed the tick box on the screen to the practice nurse but did not click it.
GlaxoSmithKline took patient confidentiality very seriously and had clear guidelines for staff working in this area to make sure any patient information was confidential. This was an important part of the DFA training. As set out, the review service offered complied with the Code. GlaxoSmithKline assured the Authority that the DFA did not deviate from the process outlined. This was evidenced by paper work enclosed from this practice. This service was offered in full cooperation and agreement with the practice.
Clauses 18.1 and 18.4 of the Code allowed medical and educational goods and services which enhanced patient care, or benefited the NHS and maintained patient care, to be provided as long as such goods or services did not bear the name of any medicine and did not act as an inducement to prescribe, supply, administer, recommend, buy or sell any medicine. GlaxoSmithKline contended that its review service complied with Clauses 18.1 and 18.4 of the Code as it was clear from the protocols and agreements on which this service was strictly based that the service did enhance patient care in terms of identifying and reviewing appropriate patients, as determined by predefined criteria and strict protocols agreed with clinicians prior to the implementation of the service; and this service was not an inducement to prescribe, supply, administer, recommend, buy or sell any medicine. The service agreements set out which treatment recommendations clinicians would endorse according to the patients’ current clinical regimen from a complete list of appropriate therapeutic options for patients that included, but was not exclusive to, medicines supplied by GlaxoSmithKline. The service was not linked to promotion of any particular product and was offered to the practice unconditionally. All materials clearly stated that GlaxoSmithKline was the provider of this non promotional service and had been certified as required by Clause 14.3.
Promotional representatives were not involved in the DPRS, in fact they were told when a nurse advisor was undertaking DPRS in a practice, that for a period of 2 days either side, no promotional activity could take place.
GlaxoSmithKline had endeavoured to set up beneficial services to patients and the NHS which took account of all aspects of the Code. The provision of a review service was based on informed consent to the service from the practice and the establishment of a number of detailed agreements as to the appropriate activities and actions undertaken. The DPRS provided a comprehensive review of individuals offering a wide range of non therapeutic and therapeutic options. All patient contact was by appropriately qualified staff and all treatment decisions were made by appropriate health professionals within the practice.
GlaxoSmithKline had taken the utmost caution to ensure patient confidentiality was maintained at all times.
GlaxoSmithKline considered that the highest standards had been maintained and that all activities at this practice and by this representative and review service provided complied with all aspects of the Code. Consequently GlaxoSmithKline considered there was no breach of Clause 2.
As far as GlaxoSmithKline was concerned the practice was satisfied with the services provided except for the performance of one of the nurse advisors. Following the first clinic run by a nurse advisor on 5 September, the practice received several complaints from patients. GlaxoSmithKline was told of these complaints by the practice nurse on 6 September, in particular regarding the quality of the clinic. A second clinic run by a different nurse advisor, on 12 September was satisfactory. Copies of the letter of complaint from the practice nurse and the response from GlaxoSmithKline were provided.
PANEL RULING
The Panel noted GlaxoSmithKline’s submission that the ‘representative’ at issue was in fact a DFA - a non-promotional role.
The Panel noted that once the software was installed a diabetes report could be generated. The report had no patient identifiable information. The unique ID numbers were held in the practice on a spreadsheet. The DFA did not have access to this spreadsheet. The priority patients search criteria were decided by the practice which also decided who attended for review. GlaxoSmithKline submitted that the DFA did not have access to any patient identifiable information at any stage of the process. The DFA in question had installed and demonstrated the software including how to produce mail merge letters to patients. The administrator produced the letters to patients. GlaxoSmithKline submitted that the DFA never had access to the spreadsheet and when using the practice computer was supervised by the practice nurse.
On the basis of the parties’ submissions the Panel did not consider that there was sufficient evidence to show that, on the balance of probabilities, there had been a breach of patient confidentiality as alleged as the DFA had not had access to identifiable patient data, the Panel ruled no breach of Clauses 18.1, 18.4 and 9.1. It thus followed there was no breach of Clause 2 .
Complaint received 19 February 2007
Case completed 20 April 2007
