Population Health Management

Can we still have confidential GP records, when the UK Government themselves are joining in with a Health Data Gold Rush?


11 min read

Population Health Management

Health data is big business. The data within the NHS is highly valuable, but to no group is it more valuable than our patients, whose data it actually is. You only get one health record. Once it's divulged, they can't just give you a new account and start again like a bank.

We have a responsibility to protect our patients' health data from misuse and exploitation, in the same way as we have a duty of care for our patients. The NHS data landscape is confusing and (in my opinion deliberately) obfuscated, making it hard for patients and professionals to understand what is happening, and protect themselves and their patients accordingly.

Patients have a right to private, confidential health records, and giving the Government access to their medical record doesn't sound like privacy to me.

Population Health Management

Representatives of the GP profession have been trying to work in good faith with NHS England and NHS Digital for several years, to enable safe and privacy-respecting Research and Planning uses of data, and this work has been ongoing for several years. Sadly, last summer NHS England tried to unilaterally impose the GP Data for Planning and Research (GPDPR) system on the country, but were (eventually) forced to step back from this rollout because of the privacy and safeguarding concerns which we warned them about.

However, things seem to be getting worse. NHS England have started to creep beyond even planning and research, and want even more data about our citizens to be held in governmental hands.

In the new #DataSavesLives paper, there is a new category of data use which I think isn't getting enough attention, and has only recently started to creep its way into NHS England's public-facing websites: "Population Health Management"

What is Population Health Management?

Probably the most prominent examples of Population Health Management (PHM) in the past couple of years have been related to the COVID pandemic.

The NHS Shielded Patient List was administered nationally but contacted patients directly to tell them that they should shield. Similarly, the COVID vaccination programme also ran nationally but contacted patients directly.

The legal basis for these programmes was all centred around the COPI (Control Of Patient Infection) notices, which gave national bodies special emergency powers because of the pandemic.

These were 'special emergency powers', because the pandemic was not a normal time. In normal times, those special emergency powers should not exist.

Before the pandemic, national direct care programmes have existed, but these were either small, focused screening programmes (cervical cancer/cervical cytology, breast cancer/mammography, aortic aneurysm/ultrasound, bowel cancer/faecal occult blood tests ) and thereby fairly innocuous data-wise because the data never left the agency tasked with the screening programme, or the direct care was provided by your own GP, where the national priority or goal is set using a system called the Quality and Outcomes Framework (QOF), and your GP - who knows you well and can tailor the treatment to best fit you - gets paid for doing that work (the payment is indirect though, it's not a fee per-item of-service).

Now, NHS England is indicating that it wants to continue with 'pandemic-style' PHM, although as yet no details exist as to what this entails. "To improve population health through the proactive targeting of services" could be anything from well-organised, well-evidenced NHS interventions to selling patient data to third parties to target ads for private health services. There has been no public or professional consultation on this new function. We have not been asked, as patients or clinicians whether we consent to this new function. It is being done to us "for our own good", it would seem.


My concern is that a programme like this can be 'sold' to a public who trust it because the trust their clinicians and 'the NHS' -but they don't know that NHS England is just another branch of government and has no clinicians in positions of real authority or oversight. Most importantly, NHS England is not a care-giving organisation, it is a commissioning arm of the Department of Health and Social Care. aka - The Government.

I'd like to stress that I'm not 'anti-Data' nor some kind of modern-day Luddite. I welcome some of the healthcare benefits that increased use of data can bring for our patients.

But that cannot be at the expense of abolishing patient privacy.

So, what's the problem with Population Health Management?

1. It requires fully identifiable data

Unlike Research and Planning uses, which can function absolutely perfectly in a privacy-preserving fashion with pseudonymised or even completely anonymised data, PHM requires fully identifiable data, because the system has to know who the patients are, in order to be able to contact the patients to offer an intervention.

This means that NHS England (who are the UK Government, let's be clear) are going to have (initially) parts of your identifiable healthcare record, but following this direction of travel, and other stated policy imperatives such as 'separating the data from the application layer', I think it will be inevitable that all of your health record will eventually be stored at NHS England.

This would include sensitive parts of the record including sexual orientation, gender identity, serious medical illnesses, addictions and prison time, as well as ethnicity, which we already know is in the NHS England COVID Data store.

I wonder how much it would take for the Home Office to be able to access Ethnicity data if Priti asked Sajid in the right way. My guess is it would be pretty easy, it's happened before, even. If you think can get away with trying to send asylum seekers to Rwanda, you would probably be happy to stoop to use health records to track whoever you think might be 'illegal' immigrants.

So in amongst those nice safe, privacy-respecting Planning and Research uses, there are potential PHM uses which will give the Government access to identifiable health data.

And at this stage, we have no real information as to the extent of these plans. Even if we as a profession are reassured now, it only takes a small change in policy at NHS England to throw out any agreed safeguards that the profession might have insisted on.

2. There is very poor evidence for ANY efficacy of PHM

The examples we do have of nationally-administered PHM programmes were all set up during the COVID-19 pandemic - a very unusual time - making it difficult to safely draw conclusions from them about the potential efficacy of other programmes. This has not stopped the Government and NHS England themselves from uncritically lauding the SPL as a major success and proof of the need for PHM, when actually no independent studies have taken place, often citing the success of the Shielded Patient List.

The Shielded Patient List (SPL) was actually noted to be very inaccurate when it was released, as it tended to overestimate a person's risk, including categorising women who had previously had Gestational Diabetes as currently diabetic and therefor at increased risk. GPs had to go through the lists of patients manually to tailor them properly for their patients.

(Additionally, the risk factors for increased mortality and morbidity from COVID turned out to be rather different from those for Influenza, which the SPL was based on. But, admittedly, nobody had any way to know that at the time. My intention with this is not to criticise the actual Shielding List itself. I know the authors of the SNOMED code list, and they did well on a tight deadline under pressure. I’m asking the question of whether we should be lauding 2020’s Shielding List as ‘excellence’ in data science and good medicine.)

So the SPL overestimated risk and also identified risk in the wrong groups during COVID. This is not at all a vote of confidence that says we should do more of it, it is at the very least a suggestion that we need to do research to get better at it, and to learn which national interventions can work and which can't. More research needed.

3. PHM tends to deliver poor quality, top-down, 'algorithmic' medicine

Medicine is accepted to be a difficult field, and decisions about healthcare tend to be nuanced, requiring knowledge of the individual patient the skill to tailor the medicine to their needs. This is what the practice of healthcare is all about. As good clinicians we are expected to personalise the intervention to the wishes and needs of the individual.

But Population Health Management tends to favour a one-size-fits-all type of approach, where some national criteria are set and then actions are taken regardless of the individual. If the rules don't suit you as an individual patient, that's just tough.

Unless such programmes are being assessed rigorously by researchers in order to independently check whether the programme is beneficial to people or not, then there is a risk that programmes will be declared a success by the politicians that initiated them, and the dissatisfied and harmed patients simply viewed as collateral damage.

4. It provides a rapid route to privatisation

When the government is looking to procure a PHM service, one can fairly well guarantee that your own GP, as a single tiny 'cottage industry' healthcare business, does not have the scale to bid to provide national-level services to millions of patients. So the contracts will inevitably go to giant health providers, just as they did during the pandemic.

This is bad for the publicly-delivered parts of the NHS, which is already suffering from the worst underfunding in its history, and on the verge of collapse, with ambulance waiting times beyond anything I've seen in my 20-year career, and pretty much every service creaking under the strain of COVID catchup and genuine healthcare demand from a deserving public.

Without an influential owner, and armies of lobbyists, the publicly-delivered NHS simply doesn't have a way to attract the attention of the current government. But the corporations with the scale to bid for Population Health Management contracts have absolutely perfected the art of insinuating themselves into huge contracts - in fact Palantir wrote the 'playbook' on this with their £1-£1m-£23m-£350m accumulator bet working out quite nicely, and leaving them sitting pretty as the main NHS England analytics provider, without so much as a sniff of a competitive tender. A neat trick.

But we absolutely can't afford to see large companies walking away with more NHS funds. There's not enough funding as it is.

5. NHS England is not a care-giving organisation

NHS England is an Arms Length Body derived from the Department of Health and Social Care. It does not and should not deliver care. It's original name, from the 2012 Health and Social Care Act, was the 'NHS Commissioning Board'.

It does not have a legal basis to obtain data for Population Health Management. Only clinician providers of direct care, with clinical oversight and guidance, and most importantly - a sworn oath to protect patients' information - should have access to direct care data.

We deserve to know what plans NHS England have for Population Health Management

Over the past few years I've been involved in the committees which oversee proposals for data use and this is the first time I've seen any plans written down that suggest Population Health Management is actively being planned for. All of the previous discussions we've had have focused on pseudonymised and anonymised data for Planning and Research, which the profession was working carefully with NHS Digital to allow. This, however, is a total change in the negotiations and one that we must question and challenge.

In the medical press, and even in the mainstream media, there has been alarm and concern over NHS England's proposed choice of data platform partner, Palantir. But what I want this article to drive home is not that appalling choice of partner but on the simple fact that no matter who the data platform is provided by, you can't trust any Government with your identifiable health record data (and especially not this Government).

What can I do about this as a patient?

  1. Spread the word and find out more - share this blog, sign the #nopalantirnhs petition, search the web for "NHS", "data", "Palantir", "Foundry" (the name of the data platform) and read what's out there.

  2. Opt out of any of your own GP data leaving your GP practice - this is called a Type 1 Opt Out. It's different to the 'National Data Opt Out' (NDOO) which you can fill in through the NHS App, which is a watered-down version of the Type 1 Opt Out. You can do a NDOO as well, but an NDOO is not enough on its own to protect your data.

  3. Write to your MP to say you are concerned about NHS England taking your medical record, and send a copy to the Royal College of GPs - the RCGP is then able to use these letters to evidence that patients have genuine concerns. Tell them that you know there are alternatives like OpenSAFELY which can do all of the important planning and research work without impinging on patient privacy - by leaving the data where it is in the GP system, and performing their analytics in-situ without anyone needing access to the data.

What can I do about this as a clinician?

  1. Consider creating 'co-operatives' of GPs that can provide GP services at a larger scale - eg at Integrated Care System (ICS) level, or even at national level. Wouldn't it be amazing if the next time NHS England try to tender out a PHM service to a private provider, a bunch of non-profit NHS GPs get the contract?

  2. Lobby within the profession for the adoption of OpenSAFELY, which is a much better alternative, allowing essential research and planning to be done, and without requiring data to be stored within NHS England.

Dr Marcus Baw General Practitioner, Clinical Informatician, Software Developer. Immediate Past Chair of Royal College of GPs Health Informatics Group.