top of page

UK Hospital's PHI Policy

The UK's National Health Service is the largest single payer healthcare system in the world. The Royal Marsden Hospital of the NHS was the first hospital in the world dedicated to caring for cancer patients, and currently it is the largest cancer center in European. Its information governance policy provides an excellent example of how a world class organization secures Protected Health Information (PHI).

The hospital's policy requires non-confidential information to be made public. Openness and confidentiality are given equal importance. An annual audit is performed of its cyber security program. It must also assess each year if its policy complies with legal requirements, and the collected information meets an adequate standard of quality. The policy references the principles established by the National Data Guardian for Health and Care in England. The National Data Guardian is an independent body which provides guidance to the UK on the data confidentiality in its health care system. Its Data Security Standards require that:

1. Staff ensure that personal data is handled securely.

2. Staff understand their accountability for data breaches.

3. Staff pass an annual data security test.

4. Personal data can only accessed by those who need it.

5. Annual audits must address workarounds used by staff which compromise data security.

6. A report must be made to senior management within 12 hours of a data breach being discovered.

7. A continuity plan must be implemented.

8. Unsupported software cannot be used.

9. A cyber security framework should be used to protect against threats.

10. IT contractors must meet these standards.

A Data Protection Officer ensures compliance with the GDPR and an Information Governance Manager ensures compliance with the data security standards.

bottom of page