You are here: Parliament home page > Parliamentary business > Publications and Records > Committee Publications > All Select Committee Publications > Commons Select Committees > Health > Health
Select Committee on Health Sixth Report

Conclusions and recommendations

Electronic Patient Record systems

1.  The National Programme for IT (NPfIT) is a complex and ambitious set of projects intended to transform the use of information technology in the NHS. At the heart of the programme is the NHS Care Records Service (NCRS), which aims to introduce a range of electronic patient record (EPR) systems. EPR systems offer significant potential improvements to the safety, quality and efficiency of care and are being implemented in most health systems in the developed world. (Paragraph 40)

2.  NPfIT is characterised by a centralised management structure and large-scale procurement from private suppliers. This approach aims to offer improved value for money and to address the previously patchy adoption of IT systems across the health service. The Department defended the progress made by NPfIT to date, arguing that the programme is on course to succeed. However, serious doubts have been raised, from sources including the Public Accounts Committee, about how much has been achieved and about the likely completion date. In particular, progress on the development of the NCRS has been questioned. (Paragraph 41)

3.  During our inquiry, both at home and abroad, similar messages were given to us repeatedly from different sources. We commend these to the Department:

The Summary Care Record

4.  The Committee is pleased that trials of the national Summary Care Record (SCR) are now going ahead following delays to the project. The SCR has the potential to improve the safety and efficiency of care and to make the health service more patient-centred. The SCR has the potential to improve the safety and efficiency of care especially in emergency situations when care is delivered by staff unfamiliar with the patient involved. The Committee supports the aim of introducing a nationally available summary record as soon as possible and deplores the delays and continuing indecision about its content. (Paragraph 113)

5.  The SCR has less comprehensive clinical value than shared Detailed Care Record (DCR) systems and is a comparatively straightforward application which extracts information from existing GP systems, whereas DCR systems must be built up from a range of complex and interdependent component applications. Given that there is expected to be clinical value from the SCR, its roll-out should not be held back by delays to DCR systems. (Paragraph 114)

6.  The Committee was dismayed, however, by the lack of clarity about what information will be included in the SCR and what the record will be used for. Officials gave different answers to these questions on different occasions. The Committee was told at various times that the SCR will be used for the delivery of unscheduled care, for the care of patients with long-term conditions, and to exchange information between primary and secondary care. It is little wonder that patient groups expressed confusion about the purpose and content of the SCR. (Paragraph 115)

7.  The Committee is aware of the Department's most recent plans but is concerned that the complexity of the SCR appears to be increasing. This will make the SCR more difficult to use, particularly in emergency situations. The Department must be clear about the purpose of the SCR, and it must ensure that the record is easy to use. To this end, we recommend that the SCR include a single standardised front screen to display key health information which is vital for emergency care. (Paragraph 116)

8.  The Committee has also received inconsistent information about the patient consent arrangements for the SCR. Initially, we were told that information will be added to the SCR with "implied consent", provided patients do not opt out. This approach was strongly criticised by clinical and patient groups. However, it subsequently became clear that while the creation of the SCR, and the addition of "life-saving" details such as prescription information, will require "implied consent", the addition of detailed clinical information will only take place with "explicit consent" from the patient. This hybrid consent system represents a much more satisfactory model but one which has not been well communicated to patients or clinicians. (Paragraph 117)

9.  The inclusion of prescription information on the SCR with only "implied consent" remains problematic, however. On the one hand, prescription information can often make a patient's diagnosis obvious. On the other hand, excluding some prescription information from the SCR would be clinically dangerous. If the Department of Health does use the "implicit consent" model for prescription information, it should make clear to patients the implications both for data privacy and clinical safety. (Paragraph 118)

10.  The Committee considers that much of the controversy over privacy and consent arrangements for the SCR would have been avoided if Connecting for Health had communicated its plans more clearly to patients. We recommend that Connecting for Health:

11.  The arrangements for the SCR will be strengthened when "sealed envelopes" are made available to protect sensitive information and when patients can access their record via the HealthSpace website. It is unfortunate that these elements of the SCR are not yet in place, but the Committee understands and supports the decision to press ahead in any case with trials of the SCR. Connecting for Health must ensure that both "sealed envelopes" and HealthSpace are introduced as soon as possible, particularly so that their effectiveness can be assessed during the independent evaluation of the early adopter programme. (Paragraph 120)

12.  "Sealed envelopes" are a vital mechanism if sensitive information is to be held on the SCR. We recommend that:

  • The right to break the seal protecting information in "sealed envelopes" should only be held by patients themselves, except where there is a legal requirement to override this measure; and
  • Information in "sealed envelopes" should not be made available to the Secondary Uses Service under any circumstances; this will allow patients to prevent data being used for research purposes without their consent. (Paragraph 121)

13.  HealthSpace is an excellent addition to the SCR programme and has huge potential to improve the safety and efficiency of care by allowing patients to check the accuracy of their SCR and to access detailed information about their own health. In order to take fuller advantage of HealthSpace, we recommend that Connecting for Health:

  • Trial the use of HealthSpace for patients, particularly those with long-term conditions, to record their own measurements of key health information;
  • Ensure that HealthSpace allows patients to view audit trails, showing who has accessed their SCR record and under what circumstances, and offers mechanisms for investigating inappropriate access;
  • Promote the use of HealthSpace, monitor levels of uptake, and ensure that there is equitable access across the country and that coercive access is prevented; and
  • Commission an independent evaluation of HealthSpace once the system is widely available. (Paragraph 122)

14.  We note that in France patients will own their national summary record. This approach gives patients more control over who can access their record and more opportunity to influence and take control of their own care. We therefore recommend that Connecting for Health consider a similar model for the SCR in England. (Paragraph 123)

15.  The Committee does not have the knowledge or expertise to make specific judgements about the likely effectiveness of planned technical security systems at protecting the SCR from external attack. We received strong assurances from officials and suppliers about the quality of security systems, and we accept the inevitability of a trade-off between levels of security and the need to ensure that systems are user-friendly. We also acknowledge that no information storage system can be considered 100% secure. (Paragraph 124)

16.  However, serious concerns were expressed regarding the lack of information both about how security systems will work and about the outcomes of security testing. We agree with these concerns and recommend that Connecting for Health ensure that BT's planned security systems for its national applications are subject to independent evaluation and that the outcomes of this are made public. (Paragraph 125)

17.  Maintaining the operational security of the new SCR system is a substantial challenge. We acknowledge that Connecting for Health and its suppliers have made significant efforts to minimise the risk of operational security breaches. Individual smartcards, rigorous user authentication, role-based access controls, legitimate relationships and audit trails will all help to increase operational security, both individually and in combination. However, many of these measures are new and untested on the scale that they will be used in the NHS. As a result, their impact and vulnerabilities are difficult to predict. We therefore recommend that Connecting for Health:

  • Ensure that the evaluation of the early adopter sites examines both the individual and the collective impact of the new operational security measures for the SCR, commissioning a separate evaluation if necessary; and
  • Undertake a program of operational security training for all staff with access to the SCR, emphasising the importance of not divulging information to those who request it under false pretexts. (Paragraph 126)

18.  Operational security also depends on effective enforcement. The Department of Health and the Information Commissioner's Office have called for custodial sentences for people who unlawfully access personal information. The Committee welcomes this, and recommends that a substantial audit resource be provided to detect and prosecute those who access the system unlawfully. (Paragraph 127)

The Detailed Care Record

Vision and potential

19.  Patient record systems which record detailed clinical information that can be shared or joined electronically within and between a range of local organisations are the "holy grail" for NPfIT. Such Detailed Care Record (DCR) systems can bring dramatic improvements to the safety, quality and efficiency of NHS care, not only through faster access to and sharing of patient information, but also by supporting key clinical processes such as imaging and prescribing. More sophisticated clinical systems can further improve care, for example by supporting clinical decision-making and providing automatic messages and alerts to challenge unsafe practices. (Paragraph 227)

20.  Achieving the widespread uptake of DCR systems is therefore the single most important advance that the NHS can make towards the provision of faster, better integrated and more patient-centred care. The potential benefits from detailed systems are wider than those offered by the national SCR system. Moreover, the goal of providing DCR systems to all NHS providers in England was clearly set out in the specification document on which NPfIT was based and tendered. It is thus on NPfIT's success in implementing DCR systems that the programme's effectiveness should ultimately be judged. (Paragraph 228)

21.  Yet there is a perplexing lack of clarity about exactly what NPfIT will now deliver. It is not clear what information will be recorded and shared on DCR systems, nor the range of organisations that will be able to share information. Suppliers told us there will be significant variation between the size of different areas. The Department stated that DCR systems may be confined to areas as small as a single hospital or as large as an entire SHA. While local control over the new systems is a desirable goal, it is surprising that the architects of the DCR were not able to provide a clearer vision of what is planned. There is an explanatory vacuum surrounding DCR systems and this must be addressed if duplication of effort at a local level is to be avoided. We recommend that Connecting for Health:

Progress and implementation

22.  Progress on delivering the various elements of shared DCR systems has varied considerably. Projects such as the N3 network and the deployment of Picture Archiving and Communication Systems are on the way to successful completion: Connecting for Health deserves some credit for these successes. However, the continuing delays to delivering new Patient Administration Systems (PAS) and functions such as electronic prescribing in hospitals are a major concern. As a result of such delays, the shared DCR remains a distant prospect. Only BT provided an estimate, 2010, of when shared records will be available. This timetable only applies to the London area, however, and the level of information sharing which will be possible by this date was unclear. (Paragraph 230)

23.  There have been many causes of the delays in delivering new systems. One of these has been the expansion to the scope of the programme since 2002. Changes were perhaps inevitable given the scale of NPfIT, but it is disappointing that essentially administrative applications such as Choose and Book were given priority ahead of clinically useful DCR systems. It is also apparent that the original timescales for deploying DCR systems were over-ambitious and did not take sufficient account of the complexity of replacing existing systems. The failure to give hospitals responsibility for implementing their own systems, and the lack of focus on changing local working practices to accommodate newly deployed systems, have also caused delays. (Paragraph 231)

24.  The lack of progress on implementing new hospital PAS software, which has in turn prevented suppliers from deploying more sophisticated clinical systems, remains the biggest obstacle to delivering shared local records. The implementation of new hospital systems is more than two years behind schedule. In London and the South, where Cerner's Millennium system is to be deployed, there is some evidence of progress, as well as a timetable for completing implementation in London. Yet in the remaining three clusters, which are awaiting iSoft's Lorenzo product, delays drag on. Such delays have left many hospitals relying on increasingly outdated systems for their day-to-day administration. Most worryingly, the failure to deliver systems on time has reduced the confidence of local clinicians and managers in the programme, something which has itself contributed to delays. (Paragraph 232)

25.  We recommend that Connecting for Health:

  • Ensure that all LSPs publish detailed timetables for delivering new PAS applications, electronic prescribing systems and shared local record systems, indicating what level of information sharing will be possible when DCRs are first implemented; and
  • Set a deadline for the successful deployment of the Lorenzo system in an NHS hospital, making clear that if the deadline is not achieved then other systems with similar capability will be offered to local hospitals. (Paragraph 233)

The way forward

26.  In light of a range of concerns, including the delays to elements of the DCR programme, a number of witnesses called for an independent review of the whole of NPfIT. Whilst we understand the reasons for this, we do not agree that a comprehensive review is the best way forward. First, many of the questions raised by the supporters of a review would be addressed if Connecting for Health provided the additional information and independent evaluation which we recommend in this report. Secondly, the programme has already been scrutinised by the National Audit Office, the Public Accounts Committee and ourselves. We therefore recommend that:

  • The implementation of DCR systems be addressed in the short term by increasing both the local ownership and the professional leadership of the programme; and
  • The ongoing review by Lord Darzi on the future of the NHS include in its remit the long-term prospects for using electronic systems to improve the quality of care, particularly for the growing number of patients with long-term conditions. (Paragraph 234)

27.  The Committee recognises the need to maintain a balance between central and local input into the development of DCR systems. We acknowledge the success of NPfIT's national leadership in ensuring economies of scale and effective contract management. However, we disagree that this highly centralised approach is necessary to ensure consistent development of new systems across the NHS, provided that sufficient attention is given to nationally agreed technical and clinical standards. It is also clear that centrally driven implementation of local systems has stifled local activity and caused frustration and resentment at trust level. The successful delivery of DCR systems depends upon the ability of Connecting for Health to harness the benefits from local as well as national input, something which it has not achieved so far. (Paragraph 235)

28.  There are already signs of a change of approach to increase local ownership of system implementation. Accountability is being devolved through the NPfIT Local Ownership Programme and control for some users is being increased through GP Systems of Choice. These measures are welcome but overdue. There is a need to go further and faster with reforms of this type. We recommend that:

  • Connecting for Health devolve responsibility for performance managing implementation of all NPfIT systems to Strategic Health Authorities (SHAs);
  • SHAs devolve responsibility for operational deployment by giving individual hospital trusts control over implementing their own new systems. SHAs should also devolve responsibility for implementing shared record systems across local health communities to their constituent Primary Care Trusts (PCTs);
  • SHAs, PCTs and hospital trusts be given the authority to negotiate directly with LSPs and to hold suppliers to account, so that local organisations are not given responsibility without power; and
  • Connecting for Health offer all local organisations a choice of systems from a catalogue of accredited suppliers, as far as this approach is possible within the limitations of existing contracts. (Paragraph 236)

29.  Connecting for Health's own role should switch as soon as possible to focus on setting and ensuring compliance with technical and clinical standards for NHS IT systems, rather than presiding over local implementation. Clear standards would allow systems to be accredited nationally but would also ensure that local trusts have a choice of system and control over implementation. (Paragraph 237)

30.  Technical standards should cover system security and reliability but should focus in particular on ensuring full interoperability between accredited systems. Comprehensive interoperability standards should guarantee that data can be seamlessly exchanged between systems whilst ensuring that users are not committed to a single supplier. In order to develop transparent technical standards, we recommend that Connecting for Health:

  • Establish an independent technical standards body responsible for setting the interoperability requirements for data exchange for all systems deployed in the NHS. These standards should be published and subjected to full external scrutiny;
  • Require all system suppliers to the NHS to meet and demonstrate conformity with these standards. Systems should be "kite marked" or classified to give details of their compatibility; and
  • Work with industry and academia to establish an independent technical standards testing service to evaluate and accredit systems for use in the NHS. (Paragraph 238)

31.  Safe and effective data sharing, the fundamental aim of DCR systems, also requires a more standardised approach to the recording of clinical information. Such an approach is at the heart of ensuring real interoperability between systems and is vital if data from DCR systems is to be used as a basis either for the SCR or for research. The NHS Data Dictionary and the SNOMED CT coding system are important to achieving more consistent recording of patient information. We recommend that Connecting for Health publish a timetable for introducing SNOMED CT across the NHS. (Paragraph 239)

32.  But Connecting for Health must do much more to ensure that the recording of detailed clinical data is standardised. Professionally developed datasets and agreed approaches to the structure and content of detailed records are urgently needed for each of the main clinical specialties and for use in a range of different care settings. Developing such standards will require close collaboration with Royal Colleges and other professional bodies. We recommend that Connecting for Health work with professional groups to:

  • Identify the information standards which will be required within their specialty area; and
  • Develop and implement consensus-based clinical information standards. (Paragraph 240)

33.  Separate clinical records on an individual patient can only be combined safely if each person can be accurately identified. The introduction of the new NHS number as the unique patient identifier and its allocation at birth through NHS Numbers for Babies is therefore a significant achievement. Yet the value of this work and the future integrity of clinical information will be undermined if organisations are unable to retrieve an individual's NHS number when they need to use it or to allocate temporary NHS numbers for use in emergencies. We recommend that:

  • The Department of Health set a timetable for mandating the use of the correct NHS number on all clinical communications, and make this a performance measure for all NHS organisations;
  • Processes are introduced to allow temporary NHS numbers to be allocated which can subsequently be reconciled with the patient's permanent NHS number through the Personal Demographic Service; and
  • Systems are maintained to treat patients under a separate, pseudonymous NHS number where this is necessary. (Paragraph 241)

Security, reliability and consent

34.  The resilience of new systems will be enhanced by distributing data across a range of hosting centres. Suppliers assured us that systems will be distributed in this way but the impact of the power failure at the Maidstone data centre, which affected 80 trusts, suggests otherwise. We recognise that lessons have been learned from the Maidstone incident. Nonetheless, we recommend that Connecting for Health instruct suppliers to publish details of all significant reliability problems along with a full incident log. (Paragraph 242)

35.  The sharing of unique smartcards between users is unacceptable and undermines the operational security of DCR systems. However, we sympathise with the A&E staff who shared smartcards when faced with waits of a minute or more to access their new PAS software. Unless unacceptably lengthy log-on times are addressed, security breaches are inevitable. We recommend that Connecting for Health:

  • Ensure that suppliers have clear plans for achieving access times compatible with realistic clinical requirements for all of their systems; and
  • Continue to monitor the potential for introducing more sophisticated access systems, such as facial pattern recognition, in busy areas such as A&E. (Paragraph 243)

36.  The Department has indicated that explicit consent will be required before DCR information can be shared between separate organisations. The Committee supports this approach and recommends that the consent model for the shared DCR be communicated to patients as clearly and as early as possible. (Paragraph 244)

37.  However, if sensitive information is to be stored and shared on DCR systems, it is important that local "sealed envelope" systems are developed and tested as soon as possible. We were concerned to hear that suppliers have not yet received specifications for local "sealed envelopes". We recommend that Connecting for Health provide such specifications as a matter of urgency and set a clear timetable for the introduction of this technology at a local level. (Paragraph 245)

The Secondary Uses Service

38.  The Secondary Uses Service (SUS), which succeeded the NHS-Wide Clearing Service, has for some years helped to improve the health service by providing access to and analysis of data for commissioning, management and audit purposes. However, the development of the SCR and DCR will allow access to clinical data which are timelier, better integrated and of a profoundly higher quality than those currently available. This will transform the SUS and offers significant benefits, most notably for health research. In particular, if the highly detailed data captured by DCR systems can be made available through the SUS then the possibilities for new and improved research are outstanding. (Paragraph 280)

39.  The Department has acknowledged the need to take advantage of the research opportunities offered by the SUS and has established a partnership with the UK Clinical Research Collaboration to achieve this. We welcome this, but researchers nevertheless told us that much more could be done to maximise these opportunities. We recommend that Connecting for Health:

40.  Increasing access to health data brings new challenges for safeguarding patient privacy. It is therefore vital that the systems which regulate availability of, and access to, data through the SUS are safe and effective. Governance systems must strike a difficult balance between the need to protect patient privacy and the need to take advantage of the increasing availability of data, between safeguarding individual rights and promoting the public good. Unless such a balance can be struck, there is a risk either that the potential of the SUS will not be realised, or that public confidence will be damaged. (Paragraph 282)

41.  There are a number of weaknesses within current access and governance systems. While explicit patient consent is the ideal means of allowing access to data, it is often impossible to ask for consent in practice, particularly for studies using historical data. Pseudonymisation is a good idea in principle, but full pseudonymisation is only possible in some situations because potentially identifying data are often needed for effective research. It follows that some research will continue to require access to partially pseudonymised data in situations where obtaining explicit consent is impossible. However, the Patient Information Advisory Group (PIAG), which considers such requests, remains a temporary body. PIAG has attracted criticism both for its processes and for its decisions. (Paragraph 283)

42.  There is an urgent need to address these problems, especially as the amount and type of data potentially available through the SUS will proliferate rapidly in future. We recommend that the Department of Health conduct a review of both national and local procedures for controlling access to electronic health data for "secondary" uses. In particular, the review should examine:

  • How best to balance the opportunity to improve access to data for research purposes with the ongoing need to safeguard patient privacy;
  • Whether to establish a national Information Governance Board to oversee the arrangements for access to data for secondary uses;
  • The case for establishing a permanent body to succeed the Patient Information Advisory Group and whether this should be a subcommittee of the national Board;
  • The effectiveness of the pseudonymisation process proposed by Connecting for Health and its suppliers, which should be subject to independent public evaluation;
  • What compensating controls, such as third party brokerage, should be used to protect patient privacy in situations where research must be conducted with partially rather than fully pseudonymised information; and
  • How governance arrangements for access to data for research purposes should differ from those which apply to other "secondary" purposes, such as immigration and counter-terrorism. (Paragraph 284)


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index
© Parliamentary copyright 2007
Prepared 13 September 2007