“Asking a patient or representative to confirm the address verbally when handing out dispensed prescription items can be deemed a breach of the General Data Protection Regulation (GDPR) if others can hear this.”
And that encapsulates in one sentence the reason why a slim majority in this country voted for Brexit. Instead of evolving with developing need, the GDPR sums up everything about legislation created by a large unaccountable committee that has complete separation from the reality of the implementation of its decision making.
One of the most common dispensing errors is that of handing out a bagged prescription to the wrong patient, and the simplest way to reduce that risk is to ask for confirmation of the address. It’s drummed into pharmacy staff from day one, despite the fact it is a frequent source of confusion and derision by patients who respond with everything from the child-like “27 High Street, Middletown, England, The World…” to the smart alec: “Why, do you want to come home with me?”
OK, I do get that there are some people who do not wish to reveal their address, such as estranged partners from an abusive relationship, celebrities, and perhaps members of the security services. We have a women’s refuge not far from our pharmacy and their prescription address is a P.O. Box, so we ask them to confirm their name and date of birth – a decision we came to without the threat of a punitive fine, such as the 4% of turnover that can accompany a breach of the GDPR.
Of course it’s right that we protect the vulnerable in society, but we shouldn’t make society weak by treating everyone as vulnerable. A greater danger is that available data is not used for our benefit, such as the summary care record, which came with such overt warnings about inappropriate access that we had to be bribed with a ‘quality payment’ to start using it.
So the suggested way around the problem of confirming patient identity is to have a notice displayed that says patients may wish to confirm their identity in a way other than their address, and that this can be done in a private room.
This would not be needed if genuine intentional or negligent breaches were addressed in a way commensurate with the intended gain. I know that if my pharmacy sold patient data to a marketing firm or was unable to dispense scripts for three weeks I’d have my contract revoked.
We should absolutely not be careless with patient data, but will the GDPR stop Pharmacy2U selling patient information to a marketing company again or Cambridge Analytica persuading Facebook users to vote Europe out and Trump in? It’s probably a breach of data for me to answer out loud, so come close and I’ll whisper in your ear.