Fragmented medical information, data silos and patients repeatedly sharing their medical history has been the reality of the NHS experience for far too long. The Single Patient Record is being posed as the latest attempt to change this. It’s a technology orientated solution and recently announced legislation defines what the limits of the technology will be.
For over a decade, the NHS has been trying to solve the same basic problem: how to make information flow around the patient. It’s not impossible, many countries have managed to achieve this! The problem is not an abstract technical problem it has real implications for people. Patients are tired of repeating their history at every appointment. Staff are too often making decisions without the information they need or delaying decisions. In some cases, that lack of information causes real harm.
Previous attempts to improve data sharing have left scars. care.data and GP Data for Planning and Research still haunt conversations on data sharing. The controversy around the federated data platform contributes to the trust erosion. The Federated Data Platform and the Single Patient Record are separate initiatives, but they are likely to interact in practice: in care delivery, service planning, research and potentially clinical trials. This adds more complexity and concern into an already charged subject matter.
The public response to the idea of a Single Patient Record has been overwhelmingly positive. Public engagement describes the relief and enthusiasm, particularly around the promise of better care, less repetition, greater efficiency and improved outcomes. But there are conditions, people want security, transparency, role-based access, audit trails, accountability, patient access and genuine choice over how sensitive information is shared. They rejected the idea that every health and care professional should have full access to everything. They want access to be justified, constrained with accountability for misuse.
The government has set out a series of new legal capabilities to create permissions and limits around the creation of the single patient record. This is all set out in the NHS Modernisation Bill. The Bill does not create a single patient record in one stroke. It creates the legislative scaffolding (permissions and limits for data sharing and processing). This needs to go through a specific process before what is proposed becomes the reality.
The bill means regulations can now mandate patient information becomes available to patients and to the people involved in providing health and social care. It also enables regulations to require or authorise sharing, processing and availability of that information from NHS, private care, social care and IT suppliers.
That is useful, without data flow there’s no single patient record! The Bill can create the permissions and requirement to make medical information flow. It can require organisations and suppliers to participate. It can enforce this through financial penalties when requirements are not met.
However, legislation alone will not solve the problem. We have had duties, standards and penalties before. Too often they have not been operationalised. The Data Use and Access Act requires that suppliers comply with data standards, great! But the standards need to exist first and then enforced!
We still lack clear definitions of what good data sharing looks like, who is failing to share, what timeframes are acceptable, and how enforcement will actually work. Without that, the penalties created in the bill remain theoretical. Similarly, the bill means the government can create an accreditation scheme to assess suppliers against published criteria, accredit them to recognise an accepted quality standard. But how will this be operationalised?
There is also a bigger trust issue, which care.data and GPDPR failed to address. Alongside the single patient record provisions, the Bill contains much broader information sharing potential. It allows the Secretary of State to publish or disclose information in certain circumstances, which are broad encompassing research, clinical trials and to achieve a legitimate aim. Even where those powers are legally bounded, they will feel broad to the public unless they are explained with absolute clarity. Yes it future proofs but it also creates reason for concern and doubt in an area that has been beset by low trust for decades!
These disclosure capabilities risk weakening any existing patient control of data. Public trust is not a nice-to-have, as we’ve seen with past attempts it is absolutely non-negotiable. The bigger risk is that broad, poorly explained data powers create public pushback and weaken confidence in the whole programme.
We’ve been here before.
The technical work is important. Role-based permissions, audit trails, transparency and patient access can all be made possible by technology. But it is also not enough. Too often a technological approach is applied, without being operationalised and ignoring the cultural and structural factors. For example: liability, data quality, responsibilities when errors are introduced, and confidence that data sharing will not simply shift risk onto frontline organisations.
The Single Patient Record is a positive step. The Bill is a positive step. But neither is sufficient.
Once again the risk is proving being adept at describing the future better than it can be delivered.
I hope you enjoyed this post, if so please share with others and subscribe to receive posts directly via email.
Get in touch via Bluesky or LinkedIn.
Transparency on AI use: GenAI tools have been used to help draft and edit this publication and create the images. But all content, including validation, has been by the author.