Select Committee on Health Written Evidence

Further Supplementary evidence submitted by the Department of Health (EPR 01E)

  Note from Department of Health to the House of Commons Health Select Committee commenting on the evidence provided by various witnesses.

  1.  The Health Select Committee is conducting an enquiry into the NHS electronic patient record, which is the cornerstone of the NHS National Programme for IT (the Programme). The Department of Health submitted written evidence in March 2007 and again on 12 June 2007. Departmental officials also gave oral evidence on 26 April 2007 and, with the then Minister of State Lord Hunt, on Thursday 14 June 2007.

  2.  The Committee has also taken or received evidence from a wide range of other witnesses. It is noted that this evidence contains a number of inaccuracies and a number of flawed conclusions. It is also clear that there has been some collaboration between witnesses who have made the same point without any supporting evidence whatsoever. To assist the Committee in reaching conclusions, this note comments on that evidence.

  3.  Where appropriate, specific witness statements are cited or reference is made to the relevant paragraph numbers from the transcripts of the oral hearings.

  4.  The comments are divided into the following sections:

    1.  Data standards, IT system security, system performance and general IT issues.

    2.  Timing and delays.

    3.  Local NHS costs and affordability.

    4.  The summary care record and patient confidentiality.

    5.  Consultation and professional engagement on the system specification.

    6.  Evaluation and benefits.

    7.  Public information and patient safety.

    8.  Other issues.


Section 1.1:   Issues Relating to Data Standards and Interoperability

Data standards

  5.  A number of witnesses raised issues relating to the adoption of common standards:

  5.1  In EPR 29 the UK Computing Research Committee says (at paragraph 25) that:

    " ... many of the technologies are new and have not been tested. In particular, at the heart of the EPR are two standards—HL7 v3 and SNOMED-CT. We understand that neither has ever been implemented anywhere on a large scale on their own, let alone together. Both have been criticised as seriously flawed. It is imprudent to base the Electronic Patient Record, which will be part of the UK's national critical infrastructure, on a technology experiment."

  5.2  This statement needs to be read in context. Currently the formally approved European (CEN TC251) and International (ISO 215) Standards Bodies in health informatics do not require standards to be tested formally before approval. As many of the UK computing research community contribute to them, it is hoped they can improve the current situation, which is not peculiar to the National Programme but is a global issue. It is surprising that the UK Computing Research Committee has not acknowledged the substance and extent of the standards being used within the National Programme for IT, and particularly the prevalence and authenticity of SNOMED-CT and HL7v3.

  5.3  At the heart of the National Programme is a range of standards that are both international and national. Many of these standards are pan-government, like the e-government interoperability framework (e-GIF), and many have a long history (for example the Data Dictionary data standards, which arose from the Körner Report in 1981[13]). There is a range of special standards in the Electronic Patient Record which involve information governance and "health record and communication practice standards" which by definition are relatively new and rapidly emerging technologies.

  5.4  SNOMED-CT is the most widely used, most comprehensive, and most extensively tested clinical terminology in the world. It builds upon the successful use of its component Read Codes (1983) in the UK and the successful use of its component SNOMED codes (since 1965) in a variety of settings worldwide. For example Kaiser Permanente is a fully integrated health-care delivery system in the United States that cares for 8.5 million people. Kaiser Permanente HealthConnect is their electronic health record and information system. Deployment began in 2003 and is now almost complete, with over 13,000 physicians and 150,000 staff using it for nearly all daily duties and more than two million of their members logging-on to use their health data (with more every day). SNOMED-CT is also a foundational element of secondary data use for research and health services' planning in Kaiser Permanente. It is one of the critical factors in helping them produce value from the system by measuring and improving health.

  5.5  The most important characteristic of a coding system for clinical care is comprehensiveness, that is, the ability to provide a coding solution for the vast breadth of health care. In independent evaluations of content coverage, SNOMED-CT is uniformly found to be the most comprehensive of all extant clinical coding systems, usually by a fairly large margin. SNOMED-CT is now owned by nine countries globally through an open International Health Terminology Standards Development Organisation based in Denmark. The organisation has placed quality improvement at the heart of its operation so that SNOMED-CT will become even better at meeting the needs of clinicians and citizens worldwide.

  5.6  Within health informatics HL7 is the international standard for messaging. HL7 V2 is a widely adopted standard within the NHS and V3 updates that standard using XML formats for interchange (XML is the underpinning formatting standard for modern internet communications).

  5.7  HL7 V3 allows for rich interchange of clinical information, embedding modern clinical terminologies such as SNOMED-CT. HL7 is supported by a wide international community, with working group meetings three times a year. In particular, the Programme is using Clinical Document Architecture (CDA) for key parts of the Summary Care Record, which allows for blending of rich semantic information using SNOMED-CT with textual clinical information. CDA is a key HL7 V3 standard that is being widely adopted internationally.

  5.8  The National Programme is leading the way in the implementation of interoperable healthcare solutions. Hence, we are implementing requirements which stretch the international standards. Where standards are found lacking for our use we endeavour to incorporate our work back into the international standard, taking a leadership role where possible.

  5.9  We have engaged with HL7 in a number of ways, through the co-chairs appointed to key committees. We have initiated a number of projects in this arena for the benefit of the National Programme and the wider supplier community. Current ones include message format improvements (known as an Implementation Technology Specification or ITS) and clinical content modelling (known as HL7 Templates).

  5.10  The standards arena is developing for clinical communications. HL7 V3 is a leading standard, and is working towards harmonisation with other standards such as CEN13606. We are monitoring these standards, and working with the standards' organisations, to ensure that our messaging strategy is reflected in the development of those standards.

  5.11  HL7 has a working group known as TermInfo that provides standard guidelines on the embedding of terminologies in HL7 messages. In addition, NHS Connecting for Health's message development team provides a variety of additional and detailed constraints on the use of SNOMED-CT inside messages, distributed to suppliers in the Message Implementation Manual (MIM). This ensures a consistent and interoperable exchange of coded clinical information.

  5.12  In case Dr Thomas' comments (Q108) should be interpreted as casting doubt on the matter, NHS Connecting for Health has ensured that the many systems and services that have been delivered, and continue to be delivered, through the Programme are compliant with HL7 version 3 and the Dicom digital imaging international standards. NHS Connecting for Health is, in fact, the global leader in the implementation of HL7 V3 messaging and is also the host organisation of the International Health Terminology Standards Development Organisation National Release Centre in the UK, which will provide a central point for managing, distributing, supporting and controlling the use of SNOMED-CT terminology and related assets throughout the UK. Adoption of these standards will ensure interoperability, so that confidential patient information will be more readily and securely transferable across the NHS.

  5.13  It is noted that a number of members of the UK Computing Research Committee have contributed to evidence from other sources. In particular, Professor Randell and Dr Thomas, along with Ross Anderson, are among the 23 academics who called for an independent review of the National Programme.

System interoperability

  5.14  It would be helpful to expand on some of the evidence on system interoperability. There have been a number of assurance / accreditation / compliance schemes for existing systems' providers in the NHS, including the Requirements for Accreditation (RFA) scheme commonly referred to as RFA99.

  5.15  RFA99 was a technical aid for suppliers to develop systems for testing and accreditation. It was also used by Health Authorities and purchasers of GP systems in providing guaranteed levels of functionality. It included an accreditation process that focussed on a set of test scripts.

  5.16  The Common Assurance Process (CAP) is the replacement for all of the existing schemes. RFA99 requirements have been superseded by the CAP-GP Core Requirements, which have been updated to include the Programme's standards and policies, including the use of the international standard HL7V3 and the N3 network.

  5.17  CAP-GP supports the GP Systems of Choice (GPSoC) programme. GPSoC provides six levels of system compliance, each of which provides increased functionality in line with the strategic objectives of the National Programme. Each level comprises a detailed set of requirements and standards that a supplier must meet. These include the interoperability requirements defined in the Message Implementation Manual using HL7V3, including the use of the Personal Demographics Service, Choose and Book, Electronic Prescriptions and GP2GP messages. This approach is driving interoperability across the GP-provider environment.

NHS number as the unique identifier

  5.18  The evidence relating to the use of the NHS number (Q617) would also benefit from expansion.

  5.19  The work on the NHS number in the 1990s provided a set of basic enabling tools, such as the NHS Tracing Service. However, there were initially few incentives for the NHS to use the number, mainly because the concentration was on systems within individual organisations. After the NHS Plan was published in 2000, it became increasingly clear that this work was not sufficient, and three major steps were taken:

    —  the commissioning of the NHS Numbers for Babies Programme;

    —  the investigation of groups of individuals without NHS numbers (eg service personnel);

    —  reviewing the mechanisms to encourage NHS organisations to use the NHS number.

  5.20  The Building the Information Core statement in 2001 outlined targets for trusts to use the NHS number in communications such as requests for tests and results.

  5.21  The National Programme then considered recommendations from the Information Standards Board (ISB) that the NHS number should be adopted as a key identifier for use by the Programme's systems and by associated existing IT systems that do or will interface with those of the Programme. Whilst the benefits of using the NHS number were recognised, the issues for organisations migrating from local numbers and the consequential need for the transition to be managed carefully, were also recognised. The Programme accepted the recommendations and asked that the ISB adopt the NHS number as a fundamental national standard as soon as possible. However, given the recognition that the work involved in adopting the NHS number was not a trivial task, it was agreed that a project-based, incremental, approach should be adopted to undertake the co-ordination, communication, steering and issue resolution that would be required.

  5.22  The establishing of the National Programme provided the opportunity to rationalise the demographics systems in use across the NHS to provide an operational, up-to-date record (the Personal Demographics Service (PDS)) which could be accessed by authorised users across the country. This was critical to ensuring the delivery of care records which were intended for individual patients, rather than for separate institutions. The Personal Demographics Service (PDS) is an essential element of the NHS Care Records Service, underpinning the creation of an electronic care record for every registered NHS patient in England. It serves as a gateway to the clinical record, enabling authorised healthcare professionals to locate quickly the clinical record that is uniquely associated with each demographic record.

  Unlike the previous services, this single authoritative source of demographics is accessible throughout the NHS and is integrated fully with the other applications and services delivered as part of the National Programme for IT. These include Choose and Book, Electronic Prescription Service (EPS), GP to GP and HealthSpace. It provides more convenience for patients as they need only notify one authorised healthcare organisation of a change of address and this change will be available to all healthcare organisations as and when the patient records are accessed.

  5.23  Progress made with the PDS since the NHS numbers programme includes:

    —  Integration with LSP Systems—Local Service Provider systems integrate with the PDS to allow nationally held patient demographics to be used at the point of care. This means that it is possible to use the NHS number reliably as soon as the patient presents.

    —  Immediate Birth Notifications to PDS—the NHS Numbers for Babies System (NN4B) issues NHS numbers on new births. From 1 June 2006, a link between NN4B and the PDS made information on new births available immediately in the NHS Care Record Service. As a result, 93% of babies are now allocated an NHS number within 12 hours of being born. Prior to this, it could take up to eight weeks for a baby's demographic information to be available to the NHS outside the unit in which the baby was born.

    —  All Primary Care Back Offices in England can immediately identify a patient's NHS number from the PDS. Where the patient is not present on the PDS, 53% of Primary Care Back Offices can allocate an NHS number immediately. This will be extended to all sites by the end of September 2007. Subsequently, it will be made available through the Local Service Provider solutions across the NHS as a whole.

  5.24  Finally on this topic, at Q523 Dr Markham suggested that:

    "we have no unique identifier in England, and ... ..this is one of the reasons why at the moment we cannot share images across the borders" and that "the technicalities of issuing them (NHS numbers) are too challenging at the moment."

  5.25  On the contrary, a standard format NHS number has been introduced across the NHS in England and is used as the primary record key for the NHS Care Record Service. The NHS number is issued at birth to all babies born in England and Wales, and to adults and children not born in the UK when they register with a GP practice. From later this year the NHS Care Record Service will be able to assign NHS numbers for adults presenting for care in emergency scenarios. Although Scotland (which has a separate healthcare administration) uses a different numbering system, there is close coordination and cooperation between the two health services, and the numbering schemes are designed to be compatible with each other. It is not the use of different numbering schemes which prevents the sharing of digital images or other information between the two countries, but rather the legacy of locally-commissioned systems that are not interoperable and hence do not support the transfer of information across the NHS. In a typical week 6.5 million HL7v3 messages are processed by the demographics service and 5.3 million messages by the central database, which is accessed on a typical NHS day by 50,000 authenticated unique users.

  5.26  Work underway currently with the authority of the National Programme Board is aiming to ensure that the NHS number is mandated by the Information Standards Board and subsequently adopted incrementally for use within IT systems across the NHS within a reasonable period.

Section 1.2:   Issues Relating to IT System Security

  6.  Many of the witnesses raised issues relating to the security of the systems that the National Programme will provide:

Access controls

  6.1  The Department's evidence to the Committee in paragraphs 30-39 of EPR1 and in paragraphs 31-32 of the further written evidence provided on 12 June 2007 demonstrates that the new systems will be protected by state-of-the-art security measures of the highest standards, well in advance of what has been the case previously. As such, the fears expressed by some witnesses are unfounded.

  6.2  In paragraph 7 of EPR 37, Symantec implies that presently there are no access controls on NHS electronic records. This is not true. Existing systems have a range of access controls and the Programme's systems use a proven information governance framework including role-based access control, auditing actions by individual user account and checks for established legitimate relationships between a clinician's work group and the patient. These mechanisms, which are already in place, ensure that only appropriately authorised NHS personnel with an appropriate role and an established legitimate relationship with the patient can access patient confidential information in the NHS. Access rights given to NHS personnel are already monitored and audited and alerts are generated automatically when attempts to transgress these controls are made.

  6.3  The Programme has therefore already introduced all the controls Symantec assert are needed. A national NHS data store is not necessary to enforce these controls, merely that a national identity is used within a common information security framework with consistent information security functions applied across applications. This exists for all the Programme's applications. Paragraph 6 of the Symantec evidence relates to the same issue but actually illustrates something that the National Programme for IT in the NHS is already providing, ie a data management solution that enables patient information to be held securely and only made available to appropriately authorised NHS professionals. However, existing NHS procedures mean that, from time to time, patient information (eg demographic information) will need to be accessed by non-medical staff, so it is not true to assert that only medical staff will need access to patient information and also not true to assert therefore that only medical staff are able to keep patient information confidential. It is surprising that Symantec are so ill informed.
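The access decision described in paragraphs 6.2 and 6.3, sketched as an added example that is not taken from the Department's evidence or from any Programme system: a request is allowed only when the user's role permits the activity and one of the user's work groups has a legitimate relationship with the patient, every request is audited against the individual account, and a refusal raises an alert. The role names, activity names, work groups and patient identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-activity table (hypothetical role and activity names).
# A non-medical role is limited to demographic data, as paragraph 6.3 describes.
ROLE_ACTIVITIES = {
    "gp": {"view_demographics", "view_clinical"},
    "receptionist": {"view_demographics"},
}


@dataclass(frozen=True)
class User:
    user_id: str           # individual account, so every action is attributable
    role: str
    workgroups: frozenset  # work groups the user belongs to


@dataclass
class AccessController:
    # (workgroup, patient_id) pairs with an established legitimate relationship
    relationships: set
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def request(self, user, patient_id, activity):
        """Decide one access request, audit it, and alert on a refusal."""
        if activity not in ROLE_ACTIVITIES.get(user.role, set()):
            reason = "role_not_permitted"
        elif not any((wg, patient_id) in self.relationships
                     for wg in user.workgroups):
            reason = "no_legitimate_relationship"
        else:
            reason = None
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role,
            "patient_id": patient_id,
            "activity": activity,
            "allowed": reason is None,
            "reason": reason,
        }
        self.audit_log.append(entry)   # allowed and refused requests are both recorded
        if reason is not None:
            self.alerts.append(entry)  # a refused attempt raises an alert automatically
        return reason is None


def run_demo():
    """Run four constructed requests and return the controller and the decisions."""
    ctl = AccessController(relationships={("surgery-a", "patient-001")})
    gp = User("u100", "gp", frozenset({"surgery-a"}))
    clerk = User("u200", "receptionist", frozenset({"surgery-a"}))
    other_gp = User("u300", "gp", frozenset({"surgery-b"}))
    results = [
        ctl.request(gp, "patient-001", "view_clinical"),         # role and relationship hold
        ctl.request(clerk, "patient-001", "view_demographics"),  # non-medical, demographics only
        ctl.request(clerk, "patient-001", "view_clinical"),      # role does not permit
        ctl.request(other_gp, "patient-001", "view_clinical"),   # no relationship with patient
    ]
    return ctl, results


if __name__ == "__main__":
    ctl, results = run_demo()
    print(results)
    for alert in ctl.alerts:
        print(alert["user_id"], alert["reason"])
```
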

Security of email and instant messaging

  6.4  Paragraph 8 of Symantec's evidence concerns the security of email and Instant Messaging within the NHS. NHSmail, the email service operated by Cable and Wireless on behalf of NHS Connecting for Health, is designed and operates as a secure email service for the transmission of patient confidential data. NHSmail is open to all NHS employees, regardless of whether their employing trust has taken the opportunity to eliminate the cost of their local email service. Again, information was provided as part of the Department of Health's written evidence submission EPR01. Guidelines exist for local NHS trusts to understand the risks associated with Instant Messaging (in the Information Governance Toolkit and in the Information Governance Good Practice Guides). Use of Instant Messaging and the guidance given to users locally on appropriate use are matters for the local trust, which must ensure they also comply with related data protection legislation. NHS Connecting for Health secured an Enterprise Agreement with Microsoft in 2004 that made secure Instant Messaging technologies available to the NHS. Implementation of these technologies according to existing "good practice" guidelines is the responsibility of each NHS organisation. The policies that Symantec assert should be given "serious consideration" already exist, either at local or national level. They do not need to be uniform across the NHS in order to comply with the legislation.

Security of mobile devices

  6.5  Symantec then continues (in paragraphs 11 and 12 of EPR 37) to question the security of mobile devices used by the NHS. In practice, the Enterprise Agreement with Microsoft that began in 2004 gives access to technologies that allow NHS organisations to protect information held on mobile devices that are adequate for the display or use of Programme applications. All clinical applications within the Programme use either Transport Layer Security (TLS) or Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec) to protect patient confidential data in transit across data communications networks, regardless of whether these are across private (within N3) or public (the Internet) networks. Additionally, on Microsoft Windows XP, the use of Microsoft's Encrypting File System, according to guidelines published through the NHS Common User Interface Programme, enables trusts to secure any information stored on mobile computer hard disks.

  6.6  Whilst NHS Connecting for Health has been providing guidance to NHS organisations on the use and security of mobile devices used in the NHS, these devices remain the responsibility of local NHS organisations. NHS Connecting for Health has been providing guidance to trusts on appropriate techniques to manage and secure all devices connected to their networks and used to access patient confidential information. Guidance exists that, if followed, ensures trusts can secure communications over wireless networks. NHS Connecting for Health entered into a Corporate License Agreement with Novell in 2005 that made Identity Management and Electronic Software Distribution software available to all NHS organisations. It remains a local trust responsibility to implement these technologies. The assertion (in paragraph 13 of EPR 37) of the need for common policies is rendered redundant by the existence of a central single sign-on capability in the Spine and the use of this Public Key Infrastructure (PKI) across all Programme clinical applications, regardless of local supplier. In other words, what Symantec suggest is needed already exists.

  6.7  The above paragraphs also respond to the points made by Dr Sarah Dilks in her evidence (EPR 10) relating to the security of data in mobile devices. Other issues that she raises are dealt with elsewhere in this note.

Testing system security

  6.8  Andrew Hawker told the Committee, in response to Q160:

    "I did suggest that there should be ... some testing that showed that you were actually operating in line with internationally approved information security standards, and, in the end, the simplest way is to have people have a go at getting into it and use other objective measures of whether it is easy or not to get across the security barriers that you have laid down."

  6.9  It is easy to make such statements that imply a lack of attention to security testing but nothing could be further from the truth. The Committee will wish to be aware that NHS Connecting for Health places security testing as a fundamental requirement on all suppliers. NHS Connecting for Health incorporates security penetration testing requirements into its compliance process, including the requirement for compliance with ISO-27001. Guy Hains' evidence to the Committee (Q280) outlined just how all-embracing this was.

  6.10  It is an NHS Connecting for Health standard that security testing of National Application products or services is performed by "CHECK" approved security teams. This provides assurance that all primary and secondary suppliers to the National Programme will conduct testing to an agreed standard. The CHECK standard is managed by the Communications-Electronics Security Group (CESG), which is the information assurance arm of the Government Communications Headquarters (GCHQ). The CHECK Teams are commissioned by the supplier of the product or service to be placed under test, both at the "Ready for Operations (RFO)" phase, and annually thereafter.

  6.11  The CHECK Teams work with suppliers and NHS Connecting for Health to provide the following service:

    (a)  Devise the scope of the security testing. This may be any (or a combination) of:

    —  external network penetration test;

    —  internal infrastructure test (weak passwords, systems unpatched etc);

    —  an "Ethical Hacker" test of the actual application or database.

    (b)  With the scope set, the CHECK team then produces a test plan which is agreed by both the supplier and NHS Connecting for Health as valid and fit for purpose.

    (c)  The security test is performed by the CHECK Team.

    (d)  The output of the test comprises a list of vulnerabilities. These are rated as "High", "Medium" or "Low" by the CHECK Team, which identifies any vulnerabilities in the product or service which may compromise the confidentiality, integrity or availability of information processed. The test output is considered extremely sensitive and is made available only to NHS Connecting for Health's Infrastructure Security Team, via encrypted media.

    (e)  A Corrective Action Plan (CAP) is produced by the supplier detailing how, and within what timescale, each vulnerability will be fixed. This must be agreed by NHS Connecting for Health.

  6.12  Mr Hains also confirmed (Q315) that:

    "there is not a statement which says 10 breaches over a period are acceptable; it is a zero tolerance environment."

  The Programme's contracts in fact contain obligations on suppliers to comply with comprehensive and detailed security requirements. Suppliers are obligated to report any breach of the security requirements and to make recommendations for the remedy of any such breaches. NHS Connecting for Health may call in a third party to monitor its suppliers and make reasonable recommendations in the event of any such breach and/or escalate the matter for dispute resolution if the remedy proposed by the supplier is not acceptable. In the event of a breach of security incapable of remedy or which is not remedied, NHS Connecting for Health ultimately has a right to terminate the relevant contract immediately without paying any compensation to the supplier.

Public access to the data

  6.13  Many industries now use the Internet to allow the public to access their data. The National Programme is developing HealthSpace to deliver this facility for the Summary Care Record. HealthSpace is being developed with security integral to its design and undergoes security penetration testing from external experts prior to being deployed.

  6.14  Patients have the choice of having a Summary Care Record or not and of having a HealthSpace account or not. Where a HealthSpace account is required, strict criteria are applied for the registration of the patient. Once registered the patient is provided with a card containing a unique set of numbers. These are required to allow access to their record and avoid the weaknesses of simple username/password access approaches. This provides a more secure approach than adopted by most financial organisations. This approach will be evaluated during the early adopter programme. Other "token" technologies to manage access are also being considered.

  6.15   Evidence from Joyce Robins (Q190) stated that no website was secure and cited the MTAS site as demonstrating the fact. MTAS was not delivered by NHS Connecting for Health and did not meet the standards that NHS Connecting for Health operates for the National Programme. There are no grounds for linking MTAS with NHS Connecting for Health.

Security of the NHS Smartcard

  6.16  The NHS Smartcard is a "chip and pin" type of card. The "chip" contains an electronic certificate. The NHS Smartcard uses a passcode which can be alphanumeric and longer than the four digit bank pin. Chip and pin cards are in use for UK retail banking and issues have been raised about the cloning of these cards. The cloning of chip and pin bank cards relies on the fact that most bank chip and pin cards also have a magnetic strip. The magnetic strip is maintained to allow for backwards compatibility with older payment systems and ATM access abroad. It is the magnetic strip that is copied and manipulated in the cloning activity.

  6.17  NHS Smartcards are not susceptible to cloning. They do not have a magnetic strip used for authentication and so are not vulnerable to this attack (some do have a magnetic strip if local Trusts wish to use the strip for access to buildings/car parks etc but not for logon to computer systems). The "chip" part cannot be cloned and it is the chip that NHS Smartcards use for authentication.

Security of centralised/distributed databases

  6.18  In paragraph 12 of EPR 03, Dr Smith said that:

    "a distributed database, with file servers in each practice, is less vulnerable to massive data loss through equipment failure or power outages and malicious interceptions than area-wide or National databases."

  This is simply untrue, as recent events evidence. In the recent flooding at Sheffield, 12 GP practices were without power on the Tuesday morning. Nine of these were on shared servers. The PCT was able to facilitate authorised access to information to the affected practices that operated with hosted servers to enable safe effective care until their power was restored. This, of course, was not possible for the practices without hosted servers.

  6.19  At the same time two practices had to be abandoned due to flooding of the premises. In the first, a practice of four GPs in Louth, with a list of over 10,000 patients, relocated to the local hospital emergency department. The practice was operational within 30 minutes of arrival due to their clinical system being hosted in a data centre. All that was required was their own NHS Connecting for Health security smart cards to allow the staff to access the system. Equipment at the practice was replaced and they returned within 48 hours. A similar success was achieved in North Lincolnshire, where a 1500-patient practice had to vacate its premises.

  6.20  The security measures in place on the national system are far in advance of any implemented on file servers at individual practices. There is also a considerable degree of maintenance and monitoring of malicious activity, which we know from experience is simply not undertaken on practice-based systems.

Security of facsimile machines

  6.21  Dr Peter Smith also claims (paragraph 11 of EPR 03) that a facsimile machine cannot be hacked. This is a bold statement and not borne out by the evidence.

  6.22  Due to the unauthenticated nature of facsimile transmissions, devices are susceptible to Denial of Service (DoS) attacks such as the sending of large documents or documents with large areas of black colouring. It may be possible within certain devices to limit the size of incoming documents although this may not prevent smaller documents being sent many times. Published facsimile device vulnerabilities include:

    —  Polling—a feature that permits a facsimile machine to call another machine and request it to transmit documents

    —  Redirection.

    —  Forwarding.

    —  Remote Control.

  6.23  Many modern facsimile devices include remote diagnostic facilities which allow hackers to monitor and amend the following:

    —  Configuration.

    —  Details of incoming calls.

    —  Copies of faxes stored in the device buffer.

  6.24  Many modern multi-function devices include facsimile capability and may operate using a compact operating system such as Windows CE. These devices are therefore susceptible to all attacks against the operating system and the proprietary software which runs on them. The use and physical security of machines also raises security issues and, if procedures are not in place to ensure that devices which receive sensitive information are secured, and paper copies of faxes are not exposed to unauthorised users, then significant security breaches can occur. Good practice includes the use of:

    —  Logging and audit of fax use.

    —  Storage of fax machines in manned offices.

    —  Access control to devices handling sensitive information.

    —  Authorisation of faxes to prevent forgery and masquerade.

  6.25  Fundamentally, the modern facsimile is a computer with a hard drive. It stores information and sits on a network. It presents vulnerability because it is considered low-tech when that is not the case, and therefore is not appropriately patched and managed.

  6.26  As with all technology the risks identified above can be mitigated, but to pretend they do not exist is quite wrong. The technology also, of course, carries with it the inherent security risks of a paper environment and of sensitive material being accessible on an indiscriminate basis where, for example, machines are left unattended.

Illegitimate use of databases

  6.27  At paragraph 15 of EPR 08, Dr Gooderham refers to the illegitimate use of a database by those with legitimate access being an important potential threat to confidentiality. Whilst this is undoubtedly the case, the only alternative to safeguards and controls is to fail to take advantage of the significant benefits for patients that result from ensuring that those who need access to data have that access. Our position on the misuse of data was made clear in a statement published, jointly with the General Medical Council and the Information Commissioner, on 25 April 2007.

  6.28  Dr Gooderham also refers to the sharing of usernames and passwords in a busy A&E setting in Warwickshire as a cause for concern. Whilst this concern is right, in this often-quoted example the sharing was limited to a small number of A&E clinicians and there was no breach of patient confidentiality. The A&E Department has recognised that they were acting in breach of NHS Connecting for Health's smartcard policy and the poor practice has now ceased. The time taken for authentication and to start the application was the key reason cited for the need to share cards. This time has been reduced significantly through improvements in the technology and process over the past 12 months. NHS Connecting for Health is working with SHAs and PCTs on reviewing smartcard usage across the NPfIT with the aim of ensuring smartcards are not shared and that organisations enforce the no smartcard sharing policy.

Security of locally-owned desktop computers

  6.29  NHS Connecting for Health does not own or manage the desktop computers through which users access the Programme's applications. This is the responsibility of the local organisation and as such comes under the organisation's security policy. The local organisation is responsible for ensuring that local applications are suitably protected against unauthorised access through the implementation of solutions such as desktop screensavers.

  6.30  NHS Connecting for Health ensures that National Programme applications provide functionality to protect against unauthorised access to patient information from unattended sessions. This functionality ensures that the application is terminated after a set period of inactivity. The applications are protected by NHS Connecting for Health's Spine Idle Timeout solution. NHS Connecting for Health is working with the health professional bodies to provide national guidance on the appropriate values of inactivity timeouts across different care settings.

  6.31  Access to NPfIT applications can be protected further through the ability to disable access for users reporting lost or stolen smartcards.
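  The two controls in paragraphs 6.30 and 6.31 can be illustrated together. The following is an added example, not code from NHS Connecting for Health or the Spine Idle Timeout solution; the class names, care-setting labels and timeout values are assumptions (the page states that guidance on the values was still being prepared).

```python
from dataclasses import dataclass
from enum import Enum

# Assumed timeout values in seconds, one per care setting (placeholders only).
IDLE_LIMIT_SECONDS = {"a_and_e": 120, "gp_consulting_room": 600, "back_office": 900}
# An unrecognised care setting falls back to the strictest configured value.
DEFAULT_LIMIT_SECONDS = min(IDLE_LIMIT_SECONDS.values())


class Decision(Enum):
    ALLOW = "allow"
    IDLE_TIMEOUT = "idle_timeout"
    CARD_REVOKED = "card_revoked"
    NO_SESSION = "no_session"


@dataclass
class Session:
    card_id: str
    care_setting: str
    last_activity: float  # seconds on a clock supplied by the caller


class SessionGate:
    """Server-side gate: every request passes through request()."""

    def __init__(self):
        self.sessions = {}          # session_id -> Session
        self.revoked_cards = set()  # smartcards reported lost or stolen

    def open(self, session_id, card_id, care_setting, now):
        if card_id in self.revoked_cards:
            return Decision.CARD_REVOKED
        self.sessions[session_id] = Session(card_id, care_setting, now)
        return Decision.ALLOW

    def revoke_card(self, card_id):
        """Block the card and end any session already open on it."""
        self.revoked_cards.add(card_id)
        ended = [sid for sid, s in self.sessions.items() if s.card_id == card_id]
        for sid in ended:
            del self.sessions[sid]
        return ended

    def request(self, session_id, now):
        session = self.sessions.get(session_id)
        if session is None:
            return Decision.NO_SESSION
        limit = IDLE_LIMIT_SECONDS.get(session.care_setting, DEFAULT_LIMIT_SECONDS)
        if now - session.last_activity > limit:
            # Terminate rather than lock: the late request must not
            # refresh the timer or leave the session resumable.
            del self.sessions[session_id]
            return Decision.IDLE_TIMEOUT
        session.last_activity = now
        return Decision.ALLOW


def demo():
    """Constructed scenario: one idle A&E session, one revoked card."""
    gate = SessionGate()
    gate.open("s1", "card-1", "a_and_e", 0)
    gate.open("s2", "card-2", "back_office", 0)
    results = {
        "active": gate.request("s1", 100),      # 100 s idle, within 120 s
        "idle": gate.request("s1", 230),        # 130 s since last activity
        "after_idle": gate.request("s1", 231),  # session no longer exists
        "ended": gate.revoke_card("card-2"),
    }
    results["after_revoke"] = gate.request("s2", 10)
    results["reopen"] = gate.open("s3", "card-2", "back_office", 20)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```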

Reliability and security documentation

  6.32  Finally on system security, Professor Randell was not told (Q316) that NHS Connecting for Health did not have reliability and security documentation. He was told that this existed but that, for reasons of confidential and commercially sensitive content, it could not be disclosed to third parties without reference to the suppliers.

Section 1.3:   Issues Relating to System Performance

  7.  A number of issues were raised relating to the capacity, reliability and performance of the Programme's systems:

System resilience

  7.1  The Department supplied a note on system performance and resilience to the Committee. In respect of Symantec's evidence (paragraph 9 of EPR 37), relating to ensuring critical information, applications and systems are available continuously, all Programme systems have the levels of protection Symantec assert to be vital; and all the assertions made in Symantec's evidence are therefore without foundation. Professor Randell also commented on NPfIT systems' resilience and the likelihood of failure (Q325). It should be noted that Professor Randell is one of the 23 academics who called for an independent review of the National Programme in April/May 2006. At that time, this group foretold of catastrophic failures with the systems being implemented. Whilst no new problems have emerged, many more systems have been implemented and system reliability and resilience continue to be high, as evidenced by the system availability figures published on NHS Connecting for Health's website. The group of academics has not produced any evidence to warrant a review but merely produced newspaper articles and a series of Parliamentary Questions—hardly the "evidence" one would expect from computer scientists. However, in view of the comments from these two sources, a further note of evidence is enclosed as Annex 1 of this note.

Professionally run data centres

  7.2  It is also worth adding some information in support of the points made about the merits of professionally run data centres (Q594). The TPP primary care application is a data centre hosted application provided by CSC to NHS providers in the North, Midlands and East of England. Whilst the service is well regarded in its own right, recent flooding in the UK has demonstrated very clearly the additional benefits of the National Programme's approach at GP surgeries in flood affected areas:

    —  data is held securely in a remote data centre, not locally, and therefore no loss of data occurred and no re-creation of records was required;

    —  no data loss was experienced, where a locally hosted system could have endured a hard service shut down due to sudden electricity power failure;

    —  local Business Continuity Plans are enhanced because GPs can connect to the service from any N3 connected site (eg in an alternative GP surgery or local hospital) with minimal configuration;

    —  there is minimal disruption to re-establish service once the local GP premises and infrastructure are restored—no locally hosted servers to be rebuilt to enable access to system.

  As explained above, these benefits have been demonstrated at GP surgeries in Grimsby and Louth in the last two weeks.

Response times of IT applications

  7.3  In respect of Q598, which related to the speed of IT Applications and/or networks in GP surgeries, a lot of support has in fact been provided by NHS Connecting for Health to PCTs and GP practices to ensure that local configuration of legacy systems provides a good end user experience. Local PCT IT teams have a key role to play in this. For example a study of over 900 PCs at one PCT showed that poor user experience relating to 71% of the PCs was because the PCs themselves required remedial action, or were under the minimum specification.

  7.4  The N3 broadband network service provider (BT) and the principal legacy system supplier (EMIS) have also worked together to investigate reported performance issues of the EMIS LV application, when operating over the N3 "Main to Branch" Network, and to provide a fix to the issue. The results from the trials have been very encouraging with the joint team witnessing significant improvements to how the application is now running over N3.

Dependency on the systems of Choose and Book

  7.5  Returning to the evidence of Dr Peter Smith, he says, in paragraph 18 of EPR 03, that access to services such as Choose and Book should not be dependent upon the medical record upload. It is important to note that with respect to the data around individual patients, it is not. It does, however, depend on the infrastructure, namely, the N3 network, the security framework, the demographics service and the messaging infrastructure.

Capacity of the bandwidth

  7.6  In EPR 37, paragraph 3, Symantec said that:

    " ... due to the lack of bandwidth allocated to the database, the Spine will not be able to hold all the medical information relevant to each patient. The lack of bandwidth means the amount of data able to be stored on the database will be limited and the ability to download the data in any meaningful timeframe restricted."

  7.7  This statement is not only untrue, but also makes little sense. The term "bandwidth", as commonly used in the context of Information Technology, is a measure of the capacity of a data communications network to transmit a volume of data over a period of time (usually expressed in millions of bits (binary digits) per second). The NHS New National Network (N3) has sufficient capacity to provide adequate bandwidth between any two locations in the NHS that need to exchange data. As evidence of this, NHS organisations routinely transfer diagnostic images in digital format of several tens of megabytes (there are eight bits per byte and a megabyte is over one million bytes) across this network, throughout the day, using the Picture Archiving and Communications Service (PACS). The N3 network transmits seven terabytes (millions of megabytes) of data each day. Further information has already been provided as part of the Department of Health's written evidence EPR01.

  7.8  Clinical records, in comparison to diagnostic images (X-ray or MRI scan images), are relatively small amounts of data; perhaps a few megabytes at maximum, once coded using appropriate clinical terminology. To suggest that there is insufficient bandwidth for the Spine and that this limits its ability to hold all medical information is clearly wrong. Even if the assertion related only to the database capacity necessary to store all detailed patient records, this is still wrong, since the database products that store Spine data are already used for other databases many times the size of that needed to store 50 million detailed patient records.

  7.9  To exemplify the point with more specific detail, the data centres hosting the Spine are provisioned with resilient (dual) network links. These links have recorded 99.99% availability over the last 12 months (against a 99.9% Service Level Agreement (SLA)). The availability of the Spine Data Centre and its services has been 99.97% over the last 12 months (against a 99.7% SLA). All Data Centres in this infrastructure are architected to have fault tolerant network connections featuring assured end-to-end separation of the two physical cables entering the Data Centre. This means that at no point in their journey between the Data Centre and the rest of the network are they close enough to fail or be damaged in a single action. Within the Data Centre, this separation continues, with separate local area network links, separate power supplies, separate network adapters in the separated pairs (or clusters) of servers providing this service.

  7.10  Presently, the average size of a detailed medical record sent over the National Programme's GP2GP service between GP EHR systems is approximately 547 kilobytes (indeed, less than 1% of detailed medical records so far transferred are larger than 5 Megabytes). Even if these detailed records were to be transferred to the Spine it would not cause problems for the links in the N3 network or to the Spine Data Centres. The N3 network has a range of capacities available for site connection, each installed appropriate to the site's individual needs. The "core" of the N3 network has a capacity of 4.5Gbps. Such a network is able to transmit an average detailed medical record in less than one millisecond. The links into the Spine Data Centres can transmit the average detailed record in just over 56 milliseconds (a twentieth of a second). This means that even if all detailed records did need to be transmitted to the Spine in one go (a highly unlikely situation, but useful as a "worst case scenario") with the network links upgraded to their maximum capacity, it would take less than 5 days to transfer 50 million records. This highly unrealistic "worst case scenario" illustrates that the capacity available in the network to deal with detailed medical records, even if they were to be sent to the Spine, is easily adequate for the job.

Section 1.4:   General Programme Related IT Issues

  8.  A number of more general issues were raised in respect of the Programme's IT products and services:

Cerner Millennium Release 0

  8.1  To clarify Q389/90, Cerner Millennium Release 0 (R0) is the clinical application implemented at both the Newham and the Homerton Hospitals. 15 NHS hospital trusts to date across London and the South have elected to implement Release 0 as a precursor to the full clinical suite of Cerner Millennium Release 1. This incorporates a fully anglicised Patient Administrative System, together with the clinical applications that support Ordering and Results Reporting of diagnostic tests and care pathways.

Maintenance of the vision of integrated records

  8.2  In response to Q398, where it is suggested that the focus has been on hospitals rather than primary care and that the vision of an integrated system has been lost, it should be noted that in London 42% of all PCTs and half of all mental health trusts have implemented the Local Service Provider (LSP) Rio application. This solution will be integrated fully with the Cerner Millennium solution to provide a patient centric integrated solution, working across organisational and professional boundaries. In the North, Midlands and East, the LSPs have implemented nine GP systems and over 1,200 applications to Primary Care Trusts to support the delivery of Community Services.

Would the same progress have been made without the Programme?

  8.3  Dr Cundy observed (Q81) that:

    "we have now recently developed technology, through a project which was begun before the national programme, to exchange GP records wholesale from one practice to another. Six hundred practices in the country have that, and it is almost getting on for 10%, and that exchange can occur in a matter of minutes."

  It is a matter of speculation as to how far forward this process would have moved without the involvement of NHS Connecting for Health, bearing in mind that enabling it depends on the existence of a reliable network with suitable bandwidth and the definition of adequate standardisation and messaging structures. None of these would have been in place without the Programme. When NHS Connecting for Health announced on 19 March 2007 the first interoperable transfers of Electronic Health Records in Croydon PCT, Dr Cundy was widely quoted as saying:

    "These first transfers of GP electronic patient records between different practices using different computer systems is a watershed for patients, practices, the Programme and the NHS. It represents a significant and tangible leap forwards in the modernisation of the NHS and is a tribute to close collaborative and clinician led working. I would like to personally congratulate the entire team and look forward to the next stages of widened supplier involvement and national rollout."

  8.4  To make it happen on the ground NHS Connecting for Health has driven GP2GP forward within a structured project management framework and ensured that the solutions developed, and being developed, by the clinical system suppliers are subject to a rigorous compliance process. This ensures that clinical and patient safety is at the fore and that Spine interactions are carried out safely. Clinical systems which do not comply in these areas cannot be accredited as GP2GP-compliant.

  8.5  Dr Cundy also stated (Q96) that many of the PACS systems being installed now are the PACS systems that were on order books in 2001-2004 but were put on hold:

    —  Of the 122 Trusts that had no form of PACS in 2003, only 31 had live PACS projects.

    —  Ten of these 31 Trusts went on to implement these projects outside of the Programme. They were therefore not "put on hold".

    —  The other 21 have implemented, or are implementing, NHS Connecting for Health's PACS solution. In many cases delays were experienced because of trusts' failure to write business cases. They could hardly be described as ready to procure their systems.

  8.6  In a similar vein, Dr Markham told the Committee (Q508) that:

    "the Southern Cluster, as is now, was almost ready to roll out (PACS)."

  This is not so. The Southern cluster was in fact purely a consequence of co-operation between the newly-created National Programme and the Broadband Britain initiative, to segment the NHS into regional groupings suitable for the maintenance of a contestable framework.

  8.7  Finally, Dr Cundy stated (Q99) that it was "not a good thing" that general practitioners will be offered a choice of suppliers for their electronic record system. This is in direct conflict with a quote by him in the 13 February edition of "e-health Insider" magazine that:

    "this (The GP Systems of Choice initiative) is great news for GPs and great news for the programme. I am reassured that this is finally going to happen."

Sealed envelope functionality

  8.8  Guy Hains commented (Q305) that he would need to see a more detailed specification than that contained in the spine functionality plan to implement sealed envelopes within his Local Service Provider (LSP) environment. Sealed Envelope functionality will be delivered in the Spine in 2008. LSP solutions will deliver Sealed Envelope functionality in two phases:

    —  in the detailed care record;

    —  in the messages that the LSPs exchange with the Spine.

  The Sealed Envelope integration with the Spine can occur only post 2008 after the Spine functionality is delivered. The major sub-contractors (iSoft and Cerner) have committed to delivering Sealed Envelope functionality in 2009.

Direction of information flow

  8.9  Professor Korff was wrong to suggest (Q198/99) that there will be only one direction to the flow of information from local to central records. Right now local NHS records are deriving their demographic information from the centrally held Personal Demographics Service. We envisage that local records will pull through elements of the national record to ensure patients enjoy continuity of information. Medications and allergies are an obvious example. At the very least local records should compare themselves to the national Summary Care Record and highlight to the responsible clinician when they are different.

Purpose of the secondary uses service

  8.10  Dr Walport was not well informed when he said (Q336) that the initial aim of the Secondary Uses Service (SUS) was about management. Misgivings about the name should not be taken as implying that the need to support research was not designed into the care record specification at the outset. The published specification in July 2002, the contract specification in May 2003 and the first SUS consultation document in February 2004 were all explicit in identifying the requirement to support research.

Structure of the electronic health record

  8.11  Dr Sarah Dilks (in paragraph 3 of EPR 10) seems to assume that the electronic health record is a single unstructured document. That is not the case. The electronic health record is structured in a number of ways, and access to information is "partitioned" in a number of ways. Additional evidence was provided to the Committee on this subject on 12 June 2007. To be clear:

  For the Summary Care Record held on the Spine:

    —  Each entry is held separately with a set of data to identify it including author and organisation.

    —  Within each entry Care Record Elements categorize the data, eg, Medications, Allergies, etc.

    —  Entries to the Summary Care Record are submitted using structured HL7v3 messages so the structure can be maintained.

    —  If an entry contains sensitive information the patient may place it in a Sealed Envelope.

    —  Role based access ensures that people can access only the information about a patient which is relevant for them in their role, so a doctor can access clinical information, but a receptionist may access only booking data.

    —  Legitimate relationships ensure that in all instances access to patient information held in the NHS Care Records Service creates an audit trail of who accessed what information and when. Inappropriate access generates an alert to a Caldicott Guardian who may investigate the matter further.

  For the Detailed Care Record held on local systems:

    —  Data is stored in a structured data store (typically a relational database) with each element identified within that structure.

    —  The principles of Legitimate Relationships and Role Based Access Controls referenced above are also applicable to accessing detailed records.
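  The access rules listed in paragraph 8.11 can be combined into a single read check. The following is an added example, not the Spine's or any supplier's code; the role-to-element mapping, the rule that sealed entries are withheld, and the rule that an attempt without a legitimate relationship raises the alert are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: which Care Record Elements each role may read. The page gives
# only the doctor/receptionist contrast; the element names are illustrative.
ROLE_ELEMENTS = {
    "doctor": {"Medications", "Allergies", "Booking"},
    "receptionist": {"Booking"},
}


@dataclass(frozen=True)
class Entry:
    entry_id: str
    element: str          # Care Record Element that categorises the entry
    author: str           # each entry carries its own author...
    organisation: str     # ...and originating organisation
    sealed: bool = False  # True once the patient uses a Sealed Envelope


@dataclass
class RecordStore:
    entries: dict         # patient_id -> list of Entry
    relationships: set    # {(user_id, patient_id)} legitimate relationships
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def read(self, user_id, role, patient_id, now=None):
        """Return the entries the caller may see and audit the attempt."""
        now = now or datetime.now(timezone.utc)
        has_lr = (user_id, patient_id) in self.relationships
        allowed = ROLE_ELEMENTS.get(role, set())  # unknown role sees nothing

        visible, withheld = [], []
        for entry in self.entries.get(patient_id, []):
            if has_lr and entry.element in allowed and not entry.sealed:
                visible.append(entry)
            else:
                withheld.append(entry)

        # Every attempt is audited, whether or not anything was released.
        event = {
            "when": now.isoformat(),
            "who": user_id,
            "role": role,
            "patient": patient_id,
            "released": [e.entry_id for e in visible],
            "withheld": [e.entry_id for e in withheld],
            "legitimate_relationship": has_lr,
        }
        self.audit.append(event)

        # Assumption: an attempt with no legitimate relationship is treated
        # as inappropriate access and queued for the Caldicott Guardian.
        if not has_lr:
            self.alerts.append({"to": "caldicott-guardian", "event": event})
        return visible


def demo():
    """Constructed sample data: one patient, three entries, three users."""
    store = RecordStore(
        entries={"P1": [
            Entry("e1", "Medications", "dr-a", "practice-1"),
            Entry("e2", "Allergies", "dr-a", "practice-1", sealed=True),
            Entry("e3", "Booking", "clerk-b", "practice-1"),
        ]},
        relationships={("dr-a", "P1"), ("clerk-b", "P1")},
    )
    fixed = datetime(2007, 7, 1, 9, 0, tzinfo=timezone.utc)
    doctor = store.read("dr-a", "doctor", "P1", fixed)
    clerk = store.read("clerk-b", "receptionist", "P1", fixed)
    stranger = store.read("dr-z", "doctor", "P1", fixed)
    return store, doctor, clerk, stranger


if __name__ == "__main__":
    store, doctor, clerk, stranger = demo()
    print([e.entry_id for e in doctor], [e.entry_id for e in clerk], stranger)
    print(len(store.audit), "audit events,", len(store.alerts), "alert(s)")
```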


  9.  Delays to the Programme were cited by a number of witnesses. The Department's evidence accepted that delays have occurred though some of the evidence of individuals is worth commenting on:

Priority of electronic prescribing

  9.1  Frank Burns said (Q544) that electronic prescribing:

    "is not a priority of NPfIT, and it should be one of the first things that are rolled out across the hospital service".

  In fact, ePrescribing is a priority but the specification was not available at the commencement of the National Programme and NHS Connecting for Health has worked hard to get it in place. This has involved wide consultation.

  9.2  The functionality to be provided by ePrescribing systems is now extensively detailed in the ePrescribing Functional System. It will include:

    —  computerised entry and management of prescriptions;

    —  knowledge support, with immediate access to medicines information;

    —  decision support, aiding the choice of medicines and other therapies with alerts such as drug interactions;

    —  computerised links between hospital wards/departments and pharmacies;

    —  ultimately, links to other elements of patients' individual care records.

  9.3  The programme will also focus on supporting the new working processes and cultural changes needed to make the introduction of ePrescribing systems a success.

  9.4  LSPs are currently developing the basic and advanced ePrescribing components of their strategic solutions and are currently contracted to deliver ePrescribing between 2008 and 2010. Separately, £11.5 million capital funding has been made available to acute trusts via SHAs to purchase interim oncology ePrescribing systems, to treat oncology ePrescribing as a priority, in support of the National Cancer Plan. It was a condition of the funding that procurements should commence by 31 March 2007.

Problems with legacy data

  9.5  In general, the extent to which the time required for the implementation of Patient Administration Systems (PASs) is affected by data quality is determined by the priority given, and the resources made available, in individual organisations to cleanse data prior to migration. In total this can easily amount to several man years of specialist input. Indeed the scale of the task, exemplified by Mr Hains (Q276), to eliminate duplicate and corrupt data when replacing existing computerised records cannot be overstated. NHS organisations have an accumulation of current and historic data held within their patient indices on their PASs and other electronic systems, or on paper records. Duplicate records exist in all PAS systems, mostly created when patients use different names or addresses to records already held, or when NHS numbers are not used. Duplicates also exist when hospitals merge and continue to operate two or more PASs simultaneously. It is estimated that most existing/legacy systems operate with a duplicate rate in excess of 9%.

  9.6  The introduction of the NHS Care Record Service will result in closer integration of national and local records (both demographic and clinical) and the opportunity to build an individual's summary of key clinical events, diagnostic results and current medication. It is important therefore that the quality of the information recorded is high and that the number of duplicate records on the system is minimised, as any level of duplication will increase clinical risk.

Progress on interoperability

  9.7  The reference by Dr Paul Cundy (Q102) to "moving towards" interoperability does not adequately reflect the level of progress achieved. Some 115 systems have now been through the compliance programmes for the new IT systems. This has created a level of systems' interoperability that was unimaginable three years ago, as a result of which, in a typical week 6.5 million HL7v3 messages are processed by the demographics service and 5.3 million messages by the central database, which is accessed on a typical NHS day by 50,000 authenticated unique users.

Delays to PACS in the North West

  9.8  Dr Markham told the Committee (Q551) that:

    "the North West and the West Midlands [PACS] is delayed, because there were some contractual problems initially."

  In fact, the subcontracted PACS provider to the main supplier missed a number of key milestones. Their contract was terminated and another vendor was selected by CSC. A proven alternative solution was subsequently delivered to the NHS within three months. This is an example of the procurement arrangements working as designed.


  10.  There has been much misinformation about the costs and affordability of the Programme, most of which can be dismissed following the publication of the NAO's study of the Programme last year.

  10.1  Frank Burns told the Committee (Q556) that:

    "the resources are all locked up in NPfIT, and ... . nobody can do anything because NPfIT has the money."

  The figures simply do not bear out this assertion. Whilst there has been significant investment centrally in the National Programme through NHS Connecting for Health, it is also the case that local IT spending in the NHS is significantly greater than that on the central programme, and NHS IT spending is also continuing to increase. This is demonstrated in the table below:

Table:  Local NHS spending on Information Management and Technology—increases on previous year:
                                        2004-05      2005-06      2006-07 (planned)
Total IM&T spend (£'000s)             1,251,814    1,398,335    1,576,716
£'000s increase over previous year      103,286      146,521      178,381
% increase over previous year             8.99%        11.7%       12.76%

  10.2  There is further evidence that local costs are reduced significantly as the systems are supplied through the Programme. Annex 2 contains illustrative examples of affordability comparisons between NPfIT solutions and local procurements.

  10.3  The central PACS procurement also demonstrated significant advantages over local procurements, with many commodity items costing 70% less than previous procurements. The significant delays in rolling out the PACS applications were due to NHS trusts' inability to get business cases approved by their Boards and the subsequent raising of Purchase Orders. There would have been considerable additional delay had Trusts attempted to justify business cases where the cost of ownership was considerably more expensive than was achieved by the Programme.

  10.4  Dr. Markham implied (Q512) that the lack of availability of resources—subsequently provided through the National Programme—was the key obstacle to the rapid deployment of PACS. When the National Programme took on board acceleration of the procurement and deployment of PACS, one difficulty was that many radiologists wished to specify a local system, which would have driven up costs and delayed implementation. However, deployment of PACS under the Programme is not necessarily the same product as the earlier deployments. The National Programme systems offer a Trust:

    —  Trust-wide PACS

    —  Radiology Information System integrated fully with the PAS and PACS

    —  PACS in A&E, theatres and on wards

    —  Cross site access to images

    —  Access from outpatient clinics and outreach clinics

    —  The support of specialisms such as orthopaedics.

  The installations prior to the National Programme did not all have this scope and it is this broadening of scope and widening of availability that has led to the delivery of benefits.

  10.5  Frank Burns stated (Q516/7) that he had had a very sophisticated, fully functioning clinical system for 17 years. The Wirral Hospital NHS Trust elected to undertake independent procurement in 2004 for the replacement of the system that had a very high cost of ownership. The procurement was based on the NPfIT specification for clinical applications for an NHS acute hospital. The Trust, at considerable cost to the NHS and to the supplier community, got to "preferred bidder" stage in 2006. However, the cost of the solution was over twice that already achieved by NHS Connecting for Health for the Cerner Millennium Solution. Mindful of the advanced functionality already enjoyed by Wirral Hospitals NHS Trust, and that their solution would "expire" at the end of 2007-08, putting patients and staff at risk, NHS Connecting for Health agreed with Fujitsu Services (the LSP for the South) to make available the Trust's preferred supplier's application at the NPfIT contracted rates. Subject to satisfactory conclusion of commercial discussions, the Wirral Hospital NHS Trust is planning to take the Cerner Millennium PAS in the first quarter 2008. Of course the substantial cost of procurement incurred by the NHS could not be recovered.

  10.6  Contrary to Dr Taylor's evidence (Q546) the Shires Consortium did not include early delivery of the PACS applications. The consortium was a loosely federated purchasing consortium that demanded different applications and approaches to implementation, but that agreed to procure services locally. The cost of the Shires' procurement as determined in the business case was at least double that obtained during the NPfIT procurement. The NPfIT procurement further enjoyed more beneficial terms and conditions, greater levels of integration and significantly improved service availability for the NHS.


  11.  Many witnesses commented on the summary care record and the confidentiality issues. Most of the witnesses support the concept. The Department of Health gave extensive oral evidence on this issue, as well as making the case for the record in its initial written evidence (EPR 01) and in its further note dated 12 June 2007, which aimed to clarify some of the issues that had arisen at the oral hearings.

The summary care record

  11.1  The Summary Care Record will be populated initially from the patient's computerised GP notes (unless a patient dissents from storing or sharing their record with the Summary Care Record system). It will be made available to authorised clinicians within the Out-of-Hours setting. As the Department indicated in its original written evidence to the Committee, the initial summary upload will include:

    (1)  Patient demographic details:

    —  Current and other address details (eg contact address when different).

    —  Date of birth.

    —  Contact details (telephone numbers, email address etc).

    —  NHS number.

    —  Contact preferences including preferred language.

    —  Consent status.

    (2)  Medications (Repeat prescriptions in last six months, acute prescriptions in previous six months, discontinued in last six months)

    (3)  Allergies and adverse reactions.

  11.2  Subsequent uploads can include other information that the GP and the patient think would be useful in the Summary Care Record, including:

    —  Diagnosis.

    —  Treatments.

    —  Problems and issues.

    —  Care events.

    —  Clinical observations and findings.

    —  Investigation results.

    —  Risks to patient.

    —  Family history.

    —  Lifestyle.

    —  Social and personal circumstances.

    —  Personal preferences.

    —  Provision of advice and information to patients and carers.

    —  Administrative procedures.

  11.3  In areas where hosted GP systems are being rolled out by Local Service Providers, out-of-hours services will be able to access shared GP systems directly from the LSP data centre. Specific Out-of-Hours functionality is being developed to ensure that appropriate controls and functions are available to the out-of-hours community. This will provide data and facilities to ensure far greater continuity of care than that currently generally available.

Consultation on the summary care record

  11.4  The answers given by witnesses to questions 177-186 do not reflect the extensive consideration and consultation that has taken place on the consent issue. The issue has been considered by seven separate groups, all of which concluded that opt-out was the most appropriate policy.

  11.5  The policy that patients should opt out of having a Summary Care Record was proposed in 2003 by the NPfIT National Programme Board based on recommendations from the NPfIT Patient Advisory Group and the National Clinical Advisory Group, the membership of which included the Medical Royal Colleges and other clinical bodies. The recommendation from the National Programme Board was approved by a Ministerial Taskforce on NHS Information Technology in November 2003 and was subsequently endorsed by Ministers. The Ministerial Taskforce included members from the patient community, the NHS, the Department of Health, the Academy of Medical Royal Colleges, the BMA, the Royal College of Psychiatrists and the Government e-Envoy. Information has already been provided as part of the Committee's evidence session on 26 April 2007.

  11.6  The Care Record Development Board (CRDB), established in 2004 and chaired by Harry Cayton, asked its Ethics Advisory Group, chaired by Professor Dame Joan Higgins, who also chairs the statutory Patient Information Advisory Group, to revisit the opt-out policy. The Ethics Advisory Group recommended that the previous decision that patients should opt out was appropriate. The CRDB considered the evidence and accepted the advice of the Ethics Advisory Group.

  11.7  In September 2006 a Ministerial Taskforce on the Summary Care Record was established, chaired by Harry Cayton. The membership of the Taskforce included the NHS, patient representation, the BMA, the Royal College of General Practitioners, the Royal College of Nursing, the Professor of Bio-ethics from Oxford University and the College of Emergency Medicine. The Taskforce considered the opt-out policy and, having recommended an appropriate period to allow patients to opt out, supported it unanimously. The Taskforce set out clearly the arguments for and against both the opt-out and opt-in positions in paragraphs 4.3-4.5 of its report. They concluded that it was more ethical to allow patients to opt out.

  11.8  All the information published makes it clear that patients have a choice and that the NHS will continue to provide the best care that it can irrespective of whether patients have a Summary Care Record.

Explicit consent

  11.9  In paragraph 6 of its written evidence to the Committee (EPR 11) Patient Concern expressed the view that the explicit consent of patients should be gained prior to uploading data into the Summary Care Record. The Ministerial Taskforce did not support this approach. Concerns over an explicit consent approach have been that it would:

    —  take considerable time to implement and therefore delay the delivery of the benefits associated with having a Summary Care Record;

    —  disadvantage the most vulnerable members of society who may benefit most from the new record but may not be provided with one for a considerable period, or who may be difficult to contact to gain consent. Patient Concern's suggestion that vulnerable people could be contacted in writing to obtain consent is misleading as the very nature of their vulnerability would exclude many such individuals;

    —  require everyone to take action when, based on the experience of other countries who have implemented similar electronic records, only a very small minority will request not to have a Summary Care Record at all. In Canada a legal requirement for explicit consent was swiftly amended when health professionals complained about the time taken away from patient care when more than 99% of patients were not concerned about appropriately managed electronic health records.

  11.10  Patient Concern also suggested that developments in France and Greece had demonstrated that explicit consent can be gained for the upload of records. No specific evidence was provided about the relative scale of developments in those countries, though it is accepted that in some circumstances it would be practicable to gain explicit consent. However, there are no true comparisons between the creation of the Summary Care Record and developments in these other countries. The cost of an explicit consent process for 50 million people, in terms of NHS staff time and the associated opportunity cost of patients not seen, particularly in the light of the position adopted by the Ministerial Taskforce, is not sustainable.

Sealed envelopes

  11.11  Professor Korff told the Committee (Q195) that:

    "provisions about sealed envelopes that cannot be opened without the consent of the data subject; and the right of every patient regularly to receive a log of every person in the NHS who has had access to his data, including, I daresay, any researcher who has access to his data and who can be identified. Those are safeguards that can be built in; they are not envisaged here now."

  11.12  Professor Korff also stated (Q218) that he understands that:

    "all the data in the sealed envelope will be available for research with minimal anonymisation and pseudonymisation."

  He said that the

    "envelopes are not sealed very well" and that "It is fairly easy for practitioners to break them open."

  11.13  Professor Korff's understanding is flawed and the statements he made are incorrect. Patients will have the choice of two types of sealed envelope:

    —  The first, which we refer to as sealed and locked, prevents data from being available outside of the clinical team that recorded the information, whether for research or any other purpose. The data will remain available to those who recorded it whilst they are caring for the patients.

    —  The second, the ordinary sealed envelope, does permit data to be extracted, in a fully anonymised form for research purposes, and it will also be available for clinical staff in emergencies when the patient is unconscious or with the patient's consent. The mechanism for breaking the seal in these circumstances is simple, though there are strong managerial controls to prevent misuse, as it is expected the seal will need only to be broken without consent at times when the patient concerned is in desperate need for urgent care. Whenever the seal is broken the circumstances will be investigated and the patient will be informed.

  11.14  The NHS Alliance presented written evidence to the Committee on this topic (EPR 19). In their paragraph 3.1.4 they said:

    "Again, the NHS Alliance would recommend that ... patients should also be informed when their sealed envelopes have been opened. This is not planned at present and is a SERIOUS omission; ... "

  11.15  In due course patients will be notified, through HealthSpace, whenever there is activity on the record involving a change in the sealed record status. This includes creating a seal, breaking a seal, and any action to override dissent. In addition, an NHS Caldicott Guardian/Privacy Officer will receive an alert when a seal is broken (with or without consent from the patient). Virtually any action, including changes to sealed record status and clinicians self-claiming legitimate relationships so they can break the seal, creates an audit trail. Patients cannot access their audit trail directly (through HealthSpace or any other route), though Data Protection Act Subject Access Request provisions will provide this information on application.
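
  The sealed-envelope rules set out in paragraphs 11.13 and 11.15 can be expressed as an access-decision model. The following is an added illustration, not code from the Department of Health or NHS Connecting for Health. All class, field and team names are hypothetical, and it assumes that the recording team keeps access under the ordinary sealed envelope as well as the sealed and locked one.

```python
from dataclasses import dataclass, field
from enum import Enum


class Seal(Enum):
    SEALED = "sealed"                      # the "ordinary" sealed envelope
    SEALED_AND_LOCKED = "sealed and locked"


class Purpose(Enum):
    CARE = "care"
    EMERGENCY = "emergency"   # patient unconscious and in need of urgent care
    RESEARCH = "research"


@dataclass(frozen=True)
class Item:
    patient: str
    recording_team: str
    seal: Seal


@dataclass(frozen=True)
class Request:
    user: str
    team: str
    purpose: Purpose
    patient_consent: bool = False
    anonymised: bool = False  # True when only a fully anonymised extract is requested


@dataclass(frozen=True)
class Decision:
    allowed: bool
    seal_broken: bool
    reason: str


def decide(item: Item, req: Request) -> Decision:
    """Pure policy check with no side effects, so it can be tested on its own."""
    # The team that recorded the data keeps access while caring for the patient
    # (stated for sealed and locked; assumed here for the ordinary envelope too).
    if req.purpose is Purpose.CARE and req.team == item.recording_team:
        return Decision(True, False, "recording team providing care")
    # Sealed and locked: nothing leaves the recording team, for research or otherwise.
    if item.seal is Seal.SEALED_AND_LOCKED:
        return Decision(False, False, "sealed and locked: recording team only")
    # Ordinary sealed envelope from here on.
    if req.purpose is Purpose.RESEARCH:
        if req.anonymised:
            return Decision(True, False, "fully anonymised research extract")
        return Decision(False, False, "research needs a fully anonymised extract")
    if req.patient_consent:
        return Decision(True, True, "seal broken with patient consent")
    if req.purpose is Purpose.EMERGENCY:
        return Decision(True, True, "seal broken without consent: emergency")
    return Decision(False, False, "sealed: consent or emergency required")


@dataclass
class RecordService:
    audit_trail: list = field(default_factory=list)
    guardian_alerts: list = field(default_factory=list)   # Caldicott Guardian/Privacy Officer
    patient_notices: list = field(default_factory=list)   # stands in for HealthSpace

    def create_seal(self, patient: str, team: str, seal: Seal, actor: str) -> Item:
        # Creating a seal is a change of sealed status: audited and notified.
        self.audit_trail.append((actor, "create seal", seal.value, True))
        self.patient_notices.append((patient, f"seal created ({seal.value})"))
        return Item(patient, team, seal)

    def access(self, item: Item, req: Request) -> Decision:
        d = decide(item, req)
        # Every request is audited, whether it was allowed or refused.
        self.audit_trail.append((req.user, req.purpose.value, d.reason, d.allowed))
        if d.seal_broken:
            # A broken seal alerts the Guardian with or without consent,
            # and the patient is informed.
            self.guardian_alerts.append((item.patient, req.user, d.reason))
            self.patient_notices.append((item.patient, f"seal broken by {req.user}"))
        return d


if __name__ == "__main__":
    # Constructed scenario: an emergency clinician meets both envelope types.
    svc = RecordService()
    locked = svc.create_seal("patient-A", "clinic-1", Seal.SEALED_AND_LOCKED, "dr-own")
    sealed = svc.create_seal("patient-A", "gp-practice", Seal.SEALED, "dr-gp")
    emergency = Request("dr-ae", "a-and-e", Purpose.EMERGENCY)
    for item in (locked, sealed):
        print(item.seal.value, "->", svc.access(item, emergency))
    print("guardian alerts:", svc.guardian_alerts)
```
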

Safeguarding confidentiality for patients with mental and sexual health issues

  11.16  Joyce Robins expressed her concerns on confidentiality for patients with mental and sexual health issues to the Committee on 10 May 2007 (Q204). On 15 March 2007, over a hundred clinicians, information governance staff and representatives of patient groups in Reproductive and Sexual Health Medicine came together to debate whether the safeguards being offered by the National Programme were enough for the specific confidentiality needs of this community. Throughout the day, delegates were asked to discuss a range of issues and provide answers using tablet PCs on their tables; some were repeated at the end to see whether opinions had changed.

  11.17  One question that showed a shift in views was: How do you feel the National Programme for IT will affect the confidentiality of information (including test results) in your clinical environment?
                          Before   After
    Will improve            6%      15%
    May improve            23%      51%
    Unlikely to impact     15%       7%
    May worsen             37%      16%
    Will worsen            19%      11%

  11.18  A very clear steer on what delegates wanted was provided by questions such as: Who should decide how far information is shared?

    —  Patient: 23%

    —  Clinicians (Genito-Urinary Medicine clinic, reproductive health service or GP): 0%

    —  Patient and clinician together: 77%

    —  NHS Connecting for Health: 0%.

Section 10 of the Data Protection Act

  11.19  In paragraphs 5-11 of his written evidence (EPR 08), Dr Peter Gooderham refers to and quotes Section 10 of the Data Protection Act 1998, which provides patients with the right to require a Data Controller, in this case, the Department of Health, to cease processing personal data where this is causing, or may cause, substantial damage or substantial distress where that damage or distress are unwarranted. He suggests that breach of confidentiality may be regarded as "substantial damage", but recognises that there are exceptions to Section 10 and quotes one such exception where the processing is in the vital interests of the data subject.

  11.20  The Department of Health accepts that this may be the case, but any consideration of the application of Section 10 must be conducted on a case by case basis. This would need to consider:

    —  the content of the record and the damage or distress that might be caused by unauthorised disclosure;

    —  the circumstances of the data subject—keeping records of an individual who puts others at significant risk may be warranted even where this causes the individual concerned substantial damage or distress;

    —  the importance of the record to the data controller or others—the need to maintain evidence against future complaint or litigation may require the record to be kept even where a patient objects;

    —  the safeguards and controls that are in place, as, if there is no risk of breach of confidence, then the Section 10 notice may be rejected.

  11.21  In paragraph 10 of his submission, Dr Gooderham suggests that if prominent individuals such as MPs are allowed to object, but others are not, then such a distinction may be discriminatory. Whilst, at the direction of Ministers, all adult patients may choose not to have a Summary Care Record, there is no other automatic right to prevent processing. Any request, regardless of the celebrity of an individual, will need to be considered on a case by case basis.

How many will opt-out of the summary care record?

  11.22  Experience from the early adopter primary care trust areas in England where the summary care record is being trialled shows that the number of people who wish to opt out of the Summary Care Record has been very significantly exaggerated on the strength of the views of a small minority. Only just over a thousand people out of a total of over 350,000—less than one third of one percent—have to date requested not to have a summary care record. The following statistics provide the latest information from the Early Adopter Programme:

    —  9,952 clinical records have been uploaded to the NHS CRS;

    —  350,759 letters detailing the NHS CRS options available have been sent to patients, resulting in a total of 628 calls to the NHS CRS Helpline;

    —  939 consultations have taken place at public events and at the practices that have so far contacted their patients;

    —  the number of patients choosing not to have a summary care record is 1,068 (0.29%).

Incremental approach to developing the summary care record

  11.23  Joyce Robins, apparently on the strength of attending a single presentation, misrepresents (Q203) as ill-considered and ad hoc what is in fact a planned incremental design and consultation process for developing the Summary Care Record. Our Care Records Service National Clinical Reference Panel (chaired by Dr Simon Eccles, NHS Connecting for Health) is actively considering further content and enhancements of the Summary Care Record. The Reference Panel includes representative clinicians from a wide range of nursing, medical and allied health backgrounds and many different care settings. It also includes patient and patient advocate representatives. Information was provided as part of the oral evidence session on 14 June 2007.

  11.24  The Panel is taking a very broad look at the future of the Summary Care Record, taking care to balance any possible future addition against the need to keep the summary record as a clinically useful and accessible record which does not swamp the user with information. It will be looking at suggested future content with specific regard to enhancing patient safety; increasing clinical and patient utility; and the benefits of the additions compared to the technical difficulty of achieving them. As ever, the intention is to consult with the widest possible range of clinical and patient stakeholders.

Early adopter sites

  11.25  As explained in the Department's written evidence EPR01, the deployment of the Summary Care Record (SCR) has started in the Early Adopter PCTs. The Early Adopter Programme will run to April 2008 and is subject to an independent evaluation by University College London. The Early Adopter Programme will refine the implementation approach and facilitate preparation for the subsequent National roll-out that is expected to commence in financial year 2008-2009. To date:

    —  SCR implementation has started in two PCTs (Bolton and Bury).

    —  So far, the two PCTs have sent letters to over 350,000 patients (100% Bolton patients and 59% Bury patients) initiating the process.

    —  Both PCTs have launched significant public information programmes to inform their patients.

    —  The SCR upload process has begun in Bolton and the local out-of-hours provider is preparing to begin access (to commence in August).

    —  Bury PCT will follow shortly (there is a 16 week period between the patients being informed through letters and the commencement of access to their records).

    —  Shortly following access for out-of-hours in Bolton and Bury, access will be made available in other unscheduled care settings (eg Accident and Emergency, NHS Walk-in Centres, Minor Injuries Units and Ambulance Services).

  11.26  The other Early Adopter PCTs have plans in place and are currently in the advanced stages of preparation for launching the SCR.

Electronic records for children

  11.27  On 10 May 2007 the Committee considered some issues relating to electronic health records for children (Q206 onwards). The Care Record Development Board has established a working group to examine the issues around electronic records for children. The group is chaired by the DH National Clinical Director for Children, Young People and Maternity Services and its members represent the National Children's Bureau, the Royal College of Nursing, the General Medical Council, Safeguarding Children, Sure Start and Information Sharing and Assessment Units of the Department for Education and Skills, the Royal College of General Practitioners, the Royal College of Midwives, the Royal College of Paediatrics and Child Health, the Royal College of Obstetricians and Gynaecologists, the Office of the Children's Commissioner, the Royal College of Psychiatrists, the Community Practitioners' and Health Visitors' Association, the Department of Health and the NHS.

  11.28  The group has considered the issues surrounding electronic records for children, including discussing them with a group of children, and has produced a new section for parents and older children in the 2007 revision of the Care Record Guarantee (already submitted to the Committee by Harry Cayton). This describes the rights of parents and children around access to children's records. The group is also producing an appropriately targeted version of the Care Record Guarantee for younger children. The children and young people's section of the Guarantee stresses the importance of developing autonomy for young people.

  11.29  It seems that in responding to these questions Ms Robins and Prof. Korff have confused detailed care records and the Summary Care Record. The question asked whether it should be mandatory for children's detailed care records to be stored electronically. The position is that detailed records of treatment have to be kept and it is the responsibility of the clinician providing the treatment not only to keep the record but also to decide the medium on which the record will be kept. Patients, or in this case possibly their parents, can request that records are not kept electronically but they cannot demand it. The merits of electronic records in terms of security, legibility and transferability via the GP to GP transfer functionality are well documented.

  11.30  Professor Korff raised the issue of parents consenting to a detailed record for a child. His example was one of a child with leukaemia where the child requested not to have a record at an age when they were considered competent. As far as detailed records are concerned, paper records have a minimum retention period and it is right that electronic ones do too. We are currently consulting with the regulatory bodies and the medical insurers on what the retention period for electronic records should be. The Committee might wish to note the reduced storage requirements of electronic records.

  11.31  It has always been made clear that, having initially said that they wanted a Summary Care Record, patients can change their minds and this applies equally if a parent has decided that a child should have a Summary Care Record and when they become competent the child disagrees. As the Summary Care Record may have been used as part of treatment it cannot be deleted and so is archived and can only be accessed if needed for medico-legal purposes.

  11.32  The National Programme's Child Health Programme is also exploring the potential for information sharing to the benefit of the child. This includes consideration of issues relating to children's records in terms of accessibility and sharing. They will be taken fully into account when drawing conclusions, with specific attention to:

    —  the current and emerging policy position and initiatives, including the obligations currently placed on NHS bodies to provide certain information about children to other public agencies;

    —  guidance from the joint work of the Care Record Development Board, under the chairmanship of Harry Cayton, and the Director for Children, Young People and Maternity (Sheila Shribman);

    —  the outcome of legal advice that has been sought.

  11.33  The Child Health Programme is also looking to build on the existing (paper-based) Personal Child Health Record (the "Red Book"), issued for all children, as an exemplar of the potential content of a shared record and also of the issues involved in access and sharing of this record for health professionals with the consent of the parent.

  11.34  The Child Health Programme sees its remit as to identify solutions to implement current policy for children as it relates to information sharing, taking account of professional and legal perspectives as well as policy drivers.

  11.35  Professor Korff's assertion that the NHS will attempt in a divisive way to incorrectly infer the competence of children is wrong. Neither the NHS, nor the Programme, is developing or seeking to assert its own policies regarding information sharing.

  11.36  In addition, NHS Connecting for Health has been working very closely with the previous Department for Education and Skills to implement the policy "Every Child Matters." This work aims to ensure that healthcare practitioners and other care professionals working with children can be identified to share information when vulnerable children are at risk.

Availability of HealthSpace

  11.37  Joyce Robins also said (Q191):

    "I do not know when [Healthspace] will be available."

  Basic HealthSpace functionality to act as a personal health organiser is already available to all patients aged 16 or over in England. Patients are currently able to record and manipulate information such as their weight, smoking habit or alcohol consumption to help them manage their health. Calendar and diary functions are also available and HealthSpace also gives patients access to the Choose and Book on-line booking service. It is therefore wrong to assert that HealthSpace does not exist.

  11.38  Recently, HealthSpace has added the capability for patients to view their Summary Care Record (SCR) once it has been uploaded to the Spine. This capability is being rolled out to a number of Early Adopter PCTs during the remainder of the year in line with the roll-out of the SCR itself. A national roll-out of this functionality is intended from 2008 onwards. Detailed planning to achieve this will be undertaken once the lessons learned and feedback from the Early Adopters are available.

  11.39  It is expected that from some point in 2008, HealthSpace will allow patients to add information to their SCR. The items that can potentially be added to the SCR are:

    —  Religion—the religion of the patient

    —  Spiritual support—whether the patient would like to see a representative of their faith during a stay in hospital

    —  Religious customs—details of any religious customs that the patient would like to observe during a stay in hospital that may require special facilities or considerations (eg prayer facilities, Ramadan etc)

    —  Dietary requirements—patient's dietary preferences eg Vegetarian, vegan, etc

    —  Access requirements—what special access needs does the patient have?

    —  Transportation—does the patient require hospital transport to get to their appointment?

    —  Wheelchair user—Is the patient a wheelchair user?

    —  Hearing aid user—does the patient have a hearing aid?

    —  Patient comment—multi-purpose free text comment entered by the patient.

  11.40  The Care Record Service Design Steering Group is considering these options and HealthSpace will implement those items which are considered to be suitable by the appropriate HealthSpace governance boards.

  11.41  Separately from the SCR, future options for HealthSpace to become a utility provider of personalised health information are being considered. This is likely to include more facilities to help patients manage long term conditions and chronic diseases.

NHS use of identifiable and non-identifiable patient data for care and for secondary uses

  11.42  The oral evidence provided by certain witnesses to the Committee on the distinction between identifiable data and non-identifiable data, how these may be used and shared, and how they are protected in the National Programme's systems, was poorly informed and at times misleading. To provide clarification, a note has been included as Annex 3.


  12.  One recurrent criticism is that there has been insufficient consultation, especially with clinicians, around the overall design and operational aspects of the National Programme. This was examined extensively by the Committee on 14 June 2007, when the Department gave evidence of just how much had been done, whilst agreeing that there is always a case for doing more.

  12.1   Attached for information (at Annex 4) is a copy of a response to a Parliamentary Question given on 21 June 2007 to Stephen O'Brien MP by the Department's then Minister of State, Caroline Flint, on this matter. This demonstrates the depth of consultation on the specification of the NHS Care Records Service.

  12.2  Dr Hale told the Committee (Q273 and Q312) that:

    "speaking from the point of view of my own trust and the Royal College of Psychiatrists, we have not been able to make a great deal of input."

  In fact clinicians from across the spectrum of clinical specialties were given the opportunity to contribute to the specification of the requirements. The extent to which this opportunity was taken up in each case is not something the Department could necessarily influence. The specification itself was built on years of experience across the NHS, and many clinicians were involved in the drafting—in particular the Academy of Colleges Information Group contributed the first module of the specification for the NHS Care Record Service. During 2003, a group of clinical advisors worked with the National Programme; this included Martin Elphick, a consultant psychiatrist from Oxford. The nature of the contracts (using the OGC-approved method of producing an Output-Based Specification) means that the specific design is the responsibility of suppliers, but with users involved in the review of supplier proposals. The later consultation activities, covering areas such as consent and sealed envelopes, have been led by the National Clinical Leads within NHS Connecting for Health, in conjunction with representative professional bodies. The principle is to ensure full user engagement in the definition of requirements rather than the technical design of the solution.

  12.3  Engagement with the Royal Colleges has been an ongoing process throughout the life of the Programme. In 2002, the representative body was the Academy of Colleges Information Group (ACIG), which brought together input from all the Royal Colleges. This group commented on the July 2002 specification and contributed an entire module to the 2003 specification. From the earliest days of the Programme meetings were held with leaders of the colleges. Peter Hutton then set up the National Clinical Advisory Board in 2003, and this took over the responsibility for bringing input from the Royal Colleges. Professor Michael Thick, as the Chief Clinical Officer of the Programme, with his team, has now taken on this liaison role.


  13.  The Programme will be subject to evaluation. In 2006 NHS Connecting for Health commissioned Birmingham University to run an overall programme of evaluation on its behalf—the "NHS Connecting for Health Evaluation Programme." This programme of work is headed by Professor Richard Lilford.

Evaluation of the NHS Summary Care Record Early Adopter Programme

  13.1  Subsequently, University College London (UCL) was awarded the contract to conduct a year-long independent evaluation of the NHS Summary Care Record Early Adopter Programme, to fall within the wider programme. UCL were selected following a competitive tendering exercise run by Birmingham University which saw seven applicants submit bids to conduct the evaluation. The year-long evaluation commenced formally on 1 May 2007 and a final report is due to be published in the summer of 2008.

  13.2  The primary aims of the evaluation can be summarised as: to assess usability, usage, functionality and impact of the Summary Care Record in Early Adopter sites, and place this in context; to set the stage for the step-wise inclusion of further sites and further data sources; to provide timely feedback to stakeholders; and to contribute to the generation of an evaluation culture within NHS Connecting for Health and the National Programme for IT.

  13.3  The evaluation will inform the national rollout of the SCR from 2008 onwards although any emerging findings will of course feed into the ongoing implementation of the Summary Care Record within Early Adopter communities.

Benefits of PACS

  13.4  In her evidence (Q217), Joyce Robins cast doubt on the benefits of having digital X-rays automatically uploaded to detailed care records. At the end of June 2007 benefits analysis for the first year of PACS implementation had been completed for 65 Trusts. The total financial benefit in the first year of service was approximately £18.5m, with £9.9m of this total saving being projected by 48 trusts from data recorded 3 months after the implementation of PACS. Additionally some Trusts have reported reductions in the incidence of repeat X-Rays by over 75%. Reporting times and the percentage of reports completed in 48 hours have also improved significantly, and this has been shown to be influenced by the deployment of digital dictation and voice recognition.

Loss of benefits if patients have the right to remove their NHS electronic record

  13.5  Returning to the evidence from Symantec in EPR 37, paragraphs 4 and 5 effectively support the objectives and case for the National Programme, although the assertion that full benefits will not be realised if patients have the right to remove their NHS electronic record is a gross oversimplification. Benefits of storing medical data electronically accrue largely to the patients themselves; hence lack of an electronic medical record mostly impairs the patient's ability to receive safe and efficient medical care. The reduction of NHS benefits is largely a consequence of lowering the efficiency of processes to deal with patients when they have no electronic record and these inefficiencies scale with the number of patients electing this option. These inefficiencies are largely operational (it will take more time to treat a patient without an electronic record) and are only indirectly related to the inability to benefit from the change in technology.

Benefits of mobile clinical records

  13.6  The recently reported evidence emerging from the early implementations of mobile clinical records is precisely the opposite of what Dr Dilks suggests at paragraph 8 of EPR 10. In the community staff-based trial in Nottingham[14] where laptop computers were connected through encrypted wireless links to the NHS network (N3), the results of the trial showed that on average staff had 38 minutes additional productive time per person per day with the potential to save 60 minutes a day. The trust saw a reduction in travel times of 32% and realistic additional potential to reduce commuting by 50%, with the potential for a 25% increase in productivity.

  Nationally, in broad terms the number of front line staff who have access under the National Programme for IT to shared electronic health records is as follows—

  13.7  On average 96% of patient notes were completed on the day, rather than a typical delay of up to 48 hours previously. Users perceived an average of 70% improvement in facilities to do their job. The success was not limited to one particular group of clinicians. The trial included community matrons, paediatric physiotherapists, paediatric occupational therapists, and paediatric speech and language therapists. A video of the clinicians talking about their experiences is available[15]. Security and staff training were included within the trial.

  13.8  Emerging evidence of savings and efficiencies on this scale are extremely compelling. When the new hardware (discussed below) becomes available at the end of the year we expect to see rapid take-up and deployment of clinical systems in the community-based services.

  13.9  Trials of mobile computing platforms are currently in progress in several acute trusts, including Salford Royal NHS Foundation Trust and University Hospitals Coventry and Warwickshire NHS Trust. Evidence from the Salford trial with the phlebotomy service showed very rapid changes and improvements in clinical workflow. This has led to Phlebotomists being able to:

    —  start new orders whilst mobile. This enabled laboratory processing to begin sooner—potentially speeding result-reporting, as well as treatment plan adjustments;

    —  resolve questions quickly. The portability made it easy for phlebotomists to locate requesting clinicians, address questions, and capture corresponding order-updates;

    —  chart each blood draw at, or close to, the time of the event. This gave phlebotomists a sense of completion, minimising the chance of forgetting important information, and making information available more quickly to other clinicians;

    —  ensure positive patient identification. The built-in radio frequency identification (RFID) reader enabled phlebotomists to positively identify those patients wearing RFID wristbands;

    —  reduce paperwork;

    —  eliminate the need to wait for access to a hospital ward's personal computers to enter patient data;

    —  avoid unnecessary blood draws resulting from previously unrecognized discontinued orders. Needle sticks are painful and stressful for patients. Avoiding these unnecessary draws has benefited patients and enhanced overall service efficiency.

  13.10  A larger business benefits analysis is currently underway in Salford but early results show patient discharge being accelerated by a half day.

  13.11  As part of the wider picture NHS Connecting for Health's Technology office has been working closely with Intel to catalyse and define a new category of mobile computer ("mobile clinical assistant") designed specifically with the clinician in mind. Four suppliers (with more to follow) have announced that they are working on the delivery of units to this specification. Without the input from NHS Connecting for Health it is unlikely that these units would have been built. The work was done by Intel and the suppliers at their own risk. No NHS monies were spent on the development or prototyping of the devices.


Section 7.1:   Issues Relating to Public Information

Use of the postal service

  14.1  Also in her evidence (Q187), Joyce Robins said that what:

    "we suggest is that when this bit of rubbish goes out to patients with it should go a copy of the record that is going to go in. Connecting for Health very quickly jumped on me and said that the postal system was not nearly secure enough for that."

  This point needs further explanation.

  14.2  The letter had, in fact, been trialled with patients during its development and discussed with the Information Commissioner. Sending letters and leaflets to patients in the post is one of several strands of the Public Information Programme that supports the introduction of the Summary Care Record. Alongside the letters and leaflets are road-shows in prominent local locations, support centres (Information Booths) within PCT premises, posters and leaflets in GP surgeries and advertising campaigns in local media. The independent evaluation of the Early Adopter Programme will examine the effectiveness of each strand of public information activity.

  14.3  Whilst sending letters and leaflets is an effective part of a wider information programme, it is not a suitable mechanism for sending print-outs of patient records to large numbers of patients. Information from the University Hospital Birmingham suggests that 3% of mail was misdirected prior to the introduction of the Personal Demographics Service and 0.44% after its introduction. For a PCT with 300,000 patients, a 0.44% misdirection rate would lead to over 1000 misdirected patient records. In addition, there are further concerns and risks posed by shared addresses and potential risks in the postal service itself (for example, Postcomm's £9.62 million fine applied to Royal Mail in August 2006 for failing to secure mail).

  14.4  Instead, through the Public Information Campaign, the patients will be told where they can go to view their record (the location is arranged by the PCT). This way, a patient's identity can be checked prior to revealing sensitive patient data.

The public information campaign

  14.5  In her response to Q196, Joyce Robins either seems to believe the Hampshire project was a part of the National Programme, or seeks to make direct comparison between the two. Both are a misconception. The public information programme supporting Summary Care Record Early Adopters is not the same as the information campaign implemented in Hampshire and the Isle of Wight. NHS Connecting for Health held a workshop with the team from Hampshire and the Isle of Wight specifically to learn the lessons from the information campaign that had been implemented there. These were:

    —  that patients need to be told a specific date by which they need to make their decision on whether to opt-out or not. As a result, the letter sent to patients in Early Adopter PCTs tells them by which date they need to tell their GP surgery if they wish to opt-out;

    —  that not enough information was available to patients who wished to opt-out. Additional information is available to patients who wish to opt-out of having a Summary Care Record. This includes information on the implications of choosing to not have a Summary Care Record;

    —  that more information was needed about where the information came from and who would have access to it. The information available at Early Adopter PCTs tells patients where the information comes from and who can access it;

    —  that there weren't enough sources of information for patients other than by phone or email. NHS Connecting for Health has made additional materials available to patients including a detailed leaflet about confidentiality and patient records and the Care Record Guarantee. Drop-in sessions are also available for face-to-face conversations for those people who would prefer to discuss their options;

    —  more could have been done to reach foreign language speakers and ethnic minority groups. The leaflet about the Summary Care Record is available in twelve languages, the leaflet about confidentiality in six and the Care Record Guarantee in thirteen. Leaflets are also available in Braille and large print. Audio support is also available. Leaflets can be ordered by phone, post or email. As a result, NHS Connecting for Health supports the Early Adopter PCTs to engage and reach hard-to-reach groups within their local areas;

    —  Hampshire and Isle of Wight used Royal Mail's household drop service which means one un-personalised letter or information pack per household. This was thought ineffective. The NHS Connecting for Health Public Information Programme includes sending a personalised information pack to all registered patients aged 16 and over.

Section 7.2:   Issues Relating to Patient Safety

  15.1  In response to Q246, Joyce Robins presents a partial interpretation of patient safety statistics. The figures she quotes imply a level of significant (if non-fatal) incidents resulting from lost records of roughly equivalent numbers to those of MRSA-related deaths annually. But this is only a small piece of the greater issue. A study of adverse drug reactions as a cause of hospital admission published in the British Medical Journal in 2004[16] concluded that:

    —  one in 16 hospital admissions are the result of an adverse drug reaction (ADR)—72% of which are avoidable;

    —  this equates to 4% of hospital bed capacity;

    —  at any one time the equivalent of 7 x 800 bed hospitals are occupied by patients admitted with ADRs;

    —  ADRs causing hospital admissions are responsible for the death of 5,700 patients every year;

    —  the annual cost to the NHS is £466 million.

  15.2  This and other powerful evidence of the very significant patient safety benefits to be achieved from electronic patient records is provided in the paper attached as Annex 5.

  15.3  To suggest that:

    "medical records ... can be provided by GPs within 48 hours, or shorter"

  is a disingenuous comfort to patients who present for treatment, ever increasingly, out-of-hours or for unscheduled care. To cite one tragic recently-reported case, that of Penny Campbell, who contacted the out-of-hours service eight times over four days, the doctors working for the out-of-hours service treated each contact as a "one off" because none of them had access to her clinical record; and none of the doctors after the first had been aware of the earlier contacts. One of the criticisms of the circumstances was that the patient had been required to describe her symptoms on eight separate occasions. The inquiry concluded that the paper-based system of record keeping used by the out-of-hours service was a direct factor in the patient's death.


Accountability for delivery of the Programme

  16.1  In his oral evidence (Q519/20) Frank Burns suggested that accountability for delivering the Programme has been and remains too centralised. This issue has in fact been addressed. The NHS Chief Executive, David Nicholson, initiated the NPfIT Local Ownership Programme (NLOP) in October 2006, in line with the recommendations of the National Audit Office report, to re-position the Programme as part of mainstream NHS business, and to ensure that the products and services being delivered under NPfIT were meeting the current priorities of the NHS.

  16.2  On 1 April 2007 formal accountability for implementation and the realisation of benefits moved to the Strategic Health Authorities. SHAs are now responsible for the local prioritisation of NPfIT systems, establishing and overseeing local implementation plans and local product and service requirements.

  16.3  NHS Connecting for Health continues to be responsible, within the Department, for the NPfIT commercial strategy, contractual negotiations with suppliers, management of NPfIT funds, national services and products, the provision of the Programme Office and the development, maintenance and enforcement of the national NPfIT architecture. To ensure relationships with Local Service Providers continue effectively, three local Programmes for IT have been established, for London; the South; and the North, Midland and East. The Programmes for IT will work alongside the SHAs to facilitate a joined-up approach in implementing NPfIT across constituent SHAs.

  16.4  In respect of the response given to question 501, whilst the National Programme has been in existence since 2002, NHS Connecting for Health was established on 1 April 2005.

  16.5  Nicholas Beale (in EPR 14) suggests that the creation of NHS Connecting for Health was simply a re-branding exercise. This is not the case. The NHS National Programme for IT has retained the same name since its inception. The Programme is delivered by NHS Connecting for Health which, as an agency of the Department of Health, delivers all the national IT requirements of the NHS, including the legacy services. The Agency was set up in April 2005 following the closure of the NHS Information Authority. This was done for administrative and efficiency reasons, taking account of a separate decision to establish the NHS Information Centre. It had nothing to do with re-branding the Programme and no action was taken to suggest that it was.

  16.6  Whilst dealing with Nicholas Beale's evidence, it is not right to suggest that the Programme's origins are at arms' length from the front line of the NHS. The Chief Executive of the NHS is the Senior Responsible Owner of the Programme.

Evidence submitted by Stalis Ltd (EPR 05)

  16.7  The evidence from Stalis makes a number of inaccurate claims and appears to reflect the fact that the company failed in its bid to be a National Programme contractor and wishes to continue to market its existing systems.

  16.8  Their remarks about the "haste" in getting the contracts in place contrast with the NAO's conclusion of "commendable speed." The NAO also reported on the strength of the contracts. Although Stalis complain of haste, it should be noted that most successful suppliers complain that multi-year government procurement arrangements are unsatisfactory.

  16.9   Annex 6 of this note shows that 115 existing systems' suppliers have obtained work under the Programme, which refutes Stalis' allegations in their paragraphs 6-11. Stalis inaccurately quotes remarks made by Richard Granger regarding the very poor level of interoperability of systems, including those provided by Stalis Ltd. These remarks were made some five years ago, expressly about systems which were unable to move data on the same software between sites. It is assumed that this is a failing in functionality which Stalis would not continue to support.

  16.10  In respect of paragraph 8 of Stalis' evidence, the very considerable number of NHS existing systems' suppliers that have obtained work under the National Programme (Annex 6) provides substantial contradiction of the selective marshalling of information on this matter. Some 60% of the hospital-based systems were procured from a UK listed entity; the major central infrastructure components of the Programme (the Spine and N3) were also procured from a UK listed company; and a UK entity, ComMedica, was selected originally for 20% of PACS business.

  16.11  Contrary to the assertion made in paragraph 9, relevant experience of comparable projects and subcontractor mix was evaluated alongside the resource arrangements that the suppliers had in place. For example, the selection of IDX from the USA, though not an LSP, as the main subcontractor for the London and the South Cluster areas was on the basis of their successful deployment at the Chelsea and Westminster NHS Trust, which remains far in advance of the product marketed by Stalis Ltd.

  16.12  The assertion at paragraph 10 regarding experience of the NHS on the Programme in 2002 through to 2005 is also untrue. In 2002 the Programme was led by Professor Sir John Pattison, the former Dean of a medical school, the Director of Research, Analysis and Information at the Department of Health. Subsequently, the Programme was co-led by the Deputy Chief Medical Officer, a distinguished gynaecologist and obstetrician, Professor Aidan Halligan and a substantial number of senior NHS personnel have been involved continuously in the Programme both as clinicians and senior managers. Similarly, the assertion that the suppliers had had no NHS involvement is also untrue. BT was, in 2002, the largest supplier of services to NHS trusts with an annual turnover in excess of £200 million.

  16.13  Contrary to paragraph 11, it is not true that funding was unavailable for migration and cleansing of data. Funding for this is provided in two ways. Firstly, the trusts get to keep the savings from their existing contracts with organisations such as Stalis Ltd, following the implementation of national systems. In addition, £166 million has been provided over the period 2004-5 and 2005-6 for this express purpose. It should not go without comment that the cleansing of data within existing systems, such as those supplied by Stalis, is something which the company assumes it is right should be funded by the National Programme.

  16.14  Paragraph 12 alleges that:

    "the LSPs commenced the programme with little or no experience in UK healthcare and little experience anywhere of the systems required by the NHS. Although this has improved with some LSPs it is not consistent across the NHS and remains an issue today."

  In fact, assessment of prime contractor capacity and capability at the pre-qualification stage of the NPfIT procurements required evaluation of relevant similar services. The prime contractors who subsequently became LSPs provided examples of their experience. These are contained in Annex 7 of this note.

  16.15  Contrary to paragraph 14, the substantial cost of ownership of legacy systems was very well understood. This cost remains a driving force for reducing the number of configurable components within the Programme, since the cost of acquiring interoperability is above and beyond the NHS funding envelope.

  16.16  Paragraphs 20 and 21 contain some broad-brush assertions that are not borne out by the facts. The involvement of, for example, System C, Hedra, Tribal and others is an example of pre-existing NHS expertise being used to the greatest extent possible, but, unlike previously, within contracts which now provide adequate protection to the taxpayer.

  16.17  The National Programme is a transformation programme for the NHS that will underpin the Government's system reform programme. It is supporting delivery of key reforms such as patient choice, the 18 weeks referral to treatment patient pathway, the GP contract, and practice-based commissioning, but at the same time is designed and is being engineered to retain flexibility to adapt to, and adopt, future policy. The risks suggested in paragraph 23 are therefore being managed.

  16.18  Far from being a "counterproductive" task as suggested in paragraph 26, replacement of some long-standing PASs is essential. Many are facing hardware obsolescence and software which is unsupported. Not to replace them will put the care of patients in those hospitals at unacceptable levels of risk and it would be irresponsible not to proceed with replacement, simply because some software suppliers would like to see continuity of revenue.

  16.19  In paragraph 27 Stalis fails to acknowledge that the devolved approach had not made acceptable progress across the NHS as a whole. The NHS Care Records Service will provide an integrated national service for all NHS clinical applications. This is being delivered as part of an overarching information strategy that allows the portfolio of systems from the Local Service Providers and the existing systems' providers to be integrated into a coherent service. The clear evidence that this approach is proving effective is that 115 systems have been through the compliance programmes, creating a level of systems interoperability that was unimaginable three years ago.

  16.20  The statement in paragraph 34 that the UK supplier industry was ruled out is fundamentally wrong. That they were uncompetitive in part, undercapitalised and unable to contract with well-capitalised global players, is not something which could be blamed on the Department of Health. Further, the corporate failures or frailties of Torex, iSoft, and ComMedica all validate arrangements which avoided direct contracting with small and mid-sized entities that were unable to bear payment on completion risk for a programme of this scale. Preferential treatment for domestic suppliers, on this criterion alone, would have been unlawful under the EU Procurement Directive and WTO arrangements.

  16.21  The final specific comment on the Stalis evidence relates to their paragraph 43. The policy of self-determination advocated by Stalis is largely incompatible with the objective of safer patient care—recognised as important at their paragraph 39—which is supported and enhanced by the interoperability of systems and Spine compliance provided under the National Programme.

  16.22  More generally, Stalis clearly believes that it is possible to integrate multiple different systems to common standards to allow joined up care. However, they fail to acknowledge that prior to the inception of the National Programme for IT there was little evidence of this being done. The NPfIT has created the environment which will allow this multi-system approach to become a reality through the central architecture (that has been successfully delivered) and by the Local Service Providers acting to coordinate multiple suppliers in the overall delivery. The LSPs have become more plural over time (eg BT using Rio and InPractice Systems as well as Cerner; CSC using The Phoenix Partnership and HSW as well as iSOFT). This trend is increasing and will become more apparent in the coming months.

  16.23  The criticisms levelled by Stalis are of an already past world from which NHS Connecting for Health has moved on in order to serve the NHS better. The LSP actions to diversify their portfolio of systems, the Existing Systems Programme, GPSoC and more recently the procurement exercise to increase the number of suppliers to the Programme are all clear evidence of this.

  16.24  Stalis' reference to statements made by Richard Granger to the UK supplier community at the outset of the Programme seems not to appreciate that this was in effect part of a negotiation which has led to a much better deal for the NHS both in the short term and for years to come. Many UK suppliers have benefited from this process. Contrary to what Stalis imply, many UK NHS expert IT suppliers are part of NPfIT. These include for example:

    —  The Phoenix Partnership, providing GP/Primary Care/Child Health/Community solutions across the North, Midlands and East;

    —  CSE Servelec, providing Mental Health/Community solutions in London;

    —  HSS providing Radiology Information Systems in all areas other than London;

    —  In Practice Systems providing GP Systems in London;

    —  Liquid Logic and CSW providing Single Assessment Process (SAP) solutions to link with Social Care;

    —  Health Solutions Wales (HSW) providing Child Health Systems in the North-West;

    —  Clinisys providing Pathology Systems in London;

    —  PICIS providing Theatre Systems in London;

    —  SystemC providing implementation support services nationally.

  16.25  All of these organisations are peers to Stalis in terms of size and expertise in the NHS and all of them are UK companies. Stalis was not offered the opportunity to become Choose and Book/Spine Compliant because they had only one EPR installation within the NHS at the time (2005). All investment made by the NHS would have been just for that one site. In choosing Silverlink as the replacement PAS, Moorfields chose a system from a company that had successfully replicated and grown its business, working with iSOFT (Silverlink Patient Care System (PCS) was sold as iSOFT iCS). Silverlink was also amongst the first Acute suppliers to achieve Choose and Book compliance (it is installed at Harrogate and Mid Cheshire, both early Choose and Book adopters).

  16.26  The current list of Choose and Book compliant Acute PAS systems (non-LSP ie equivalent to Stalis) is as follows:

    IMS Maxims        Hearts
    IQ Systems        Utopia
    iSOFT             iCS (Silverlink PCS)
    Streets Heaver    Compucare

  16.27  Stalis also fails to recognise that the required expertise in programme management necessary to implement the programme was non-existent within the NHS, which had never previously managed programmes of anywhere near the same size. The appointment of Richard Granger and that of other IT professionals brought large-scale programme management expertise and included NHS expertise in the team from the outset.

Evidence submitted by Symantec (EPR 37)

  16.28  Comments on Symantec's evidence are included in relevant parts of this note. On a general point, their generally critical stance with regard to the National Programme needs to be understood in the context of its own commercial interests. In early 2005 Symantec approached the National Programme for IT with a proposition to procure licenses centrally, on behalf of the NHS, for Symantec's Ghost Solution Suite product. Symantec presented NPfIT with anecdotal information it had gathered about the use of Ghost within the NHS. Symantec had performed a survey of NHS trusts in the months leading up to contact with NPfIT, ostensibly to gauge demand for their anti-virus products, but had also asked how trusts had installed "images" of their standard desktop software onto new computers. Without validating their responses, several trusts had replied that they used Ghost. Symantec took this anecdotal information from the trusts they spoke to and extrapolated it across the whole of the NHS in England. When compared with their sales records from their resellers and direct channels, this information suggested a significant under-licensing of the Ghost product across the NHS. NPfIT were presented with an offer to agree an enterprise wide agreement on behalf of the NHS or Symantec would start legal action. The scale of the NHS and the relative immaturity of its local IT asset management capabilities in 2005 meant that to prove whether Symantec's claims were accurate or not would have cost the NHS several millions of pounds in largely manual surveys. It was known that other technologies had been used to create these desktop "images", but to prove the relative use of these versus Symantec's Ghost product would still have necessitated a full survey. 
  As the least cost and least risk option for the NHS, NPfIT robustly negotiated an agreement with Symantec to cover the NHS with an Enterprise Wide Agreement for Ghost Solution Suite at a cost approaching £1.8 million for perpetual licenses and time-limited support, which was duly put in place in July 2005. Symantec did not then pursue any legal action.

Evidence submitted by Tom Brookes (EPR 70)

  16.29  The evidence submitted by Tom Brookes contains some significant inaccuracies which is surprising since he claims to have been involved in the early stages of the programme and continues to operate as a management consultant in the NHS. He declares other connections that link him with evidence submitted by other groups. The NHS Numbers project that he claims to have led in the mid-1990s installed a 1970s batch system that, whilst improving the allocation of NHS numbers from manual processes at the time, has significant drawbacks through the time taken for batch processes to operate in the effective allocation of NHS numbers when babies are born to ensure accurate identification. The on-line Personal Demographic Service that provides a much needed replacement for Mr Brookes' project under the Spine contract will enable immediate access from over 7,000 locations with over 70,000 users to 50 million records to immediately allocate a NHS number on-line and enable improved and accurate identification of babies in the first hours and days when attention is needed by multiple clinicians and midwives.

  16.30  Mr Brookes maintains that Newham and Homerton hospitals procured IT systems outside of NPfIT. This is because the contracts were awarded in 2003 following a procurement that preceded NPfIT. The Trust has since assigned their contracts to BT within NPfIT and took disaster recovery and affordability issues into account in coming to that decision. The Chief Executive of Homerton has taken a leading role on the Programme Board of the London Programme for IT as part of the National Programme which demonstrates evidence of commitment that Mr Brookes overlooks. Similarly, Wirral hospital initially investigated a separate procurement route but chose to continue within NPfIT with a Cerner product. The same is true of Bradford, Shires and University College London who decided that NPfIT offered the greatest value.

  16.31  The references to the detailed care record are simply inaccurate. It has never been the intention to make a detailed care record available nationally and evidence was submitted on 12 June 2007 to clarify the difference between the summary and the detailed record. All published documentation refers to a summary care record being made available at the point of need and this will bring real benefits for patients requiring unscheduled care. In contradiction with the allegation that this is too complicated and unachievable, the summary care record is already live in the early adopter sites in Bolton. The witness casts doubt on the delivery of the Spine functionality. However, the performance of BT in meeting Spine release delivery dates has delivered the last 14 of 14 releases on or ahead of time.

  16.32  The allegations about the architecture and the Spine being unable to cope are unfounded. The Spine has been sized and tested to accommodate the needs of the NHS and the performance in supporting over 350,000 registered users who have accessed Spine records over 350 million times to date is regularly meeting or exceeding service levels. The publication of the Message Implementation Manual (MIM) to all suppliers working with NPfIT demonstrates a robust approach to standards and architecture that enables on-line interoperability between multiple systems that transfer patient information for the benefit of the patient. This was not possible with the NHS Number system that is lauded by this witness.

  16.33  The references to a monopoly situation with suppliers are also untrue. The replacement of ComMedica as a PACS supplier for poor performance and the replacement of Accenture and IDX demonstrate that there is a competitive marketplace. The inclusion of existing system suppliers having achieved over 100 compliant releases of software also bears testimony against this incorrect allegation.

  16.34  This witness is in collaboration with the other groups that have called for an independent review but have, as yet, produced no evidence that would warrant such a review.

Helen Wilkinson

  16.35  Ms Robins stated incorrectly (Q247) that Helen Wilkinson has been denied registration with a doctor. The fact is that Ms Wilkinson refuses to be registered with a doctor because the consequence of registration is that a record is kept centrally of that registration as a matter of law. Ms Wilkinson continues to claim that she is being denied NHS care. Again, that is absolutely not the case. Ms Wilkinson refuses to present for NHS care because of the consequential record keeping that would result. The care is there and available to her, but not on her terms. The architecture of NHS IT and NHS business processes must respect the legal rights of individuals, but it must also be as efficient and cost effective as possible and cannot be tailored to provide individuals with costly bespoke arrangements. Ms Wilkinson continues to pursue her claim for financial compensation from the Department of Health and the NHS and to actively campaign against the NHS IT modernisation programme.

Department of Health

16 July 2007

Annex 1:  System resilience and the likelihood of failure

  Note:  Detailed information about system performance and resilience has been provided previously by the Department in a note to the Committee. However, further information is provided here.

  In evidence submitted by Prof Randell, he quotes a friend's guesstimate that the NPfIT system would be likely to fail every four days. This assertion is not supported by any evidence and does not concur with the live service availability consistently being demonstrated by the Programme's systems. Service availability statistics are published weekly on the NHS Connecting for Health web site.

  It appears that Prof Randell is making the assumption that the NPfIT is delivering a single computer system. The NPfIT in fact consists of a large number of discrete computer systems or "Services" built and delivered by many different suppliers. Each Service interoperates with other NPfIT Services by utilising mandated clinical coding and messaging standards with the common objective of providing patient data at the point of need. Each Service is built to satisfy a particular set of functional and non-functional demands to support a particular clinical usage.

  Each service is itself made up of a number of components, eg, application software, hardware, network and storage. It is inevitable that some of these components will fail, and, given the scale of the NHS, failures can be expected to occur frequently—a natural consequence of operating any large, complex, interconnected system. The idea is thus to implement a system that minimises the impact of failures—what is termed "resilience". This was recognised by the NPfIT from the beginning and the solution has therefore been architected and designed to be resilient to component failures. There are two fundamental architectural approaches that have been used to provide the required resilience:

    (1)  The component systems are loosely coupled, that is to say a system should be able to continue operation even if it cannot access the other services (for example, should the central demographic service be unavailable, the hospital PAS will continue to operate).

    (2)  The component systems are delivered without single points of failure, so, should a component fail, the system automatically fails over to "spare" (backup) components.

  The failover requirement is taken extremely seriously. As an example, the BT data centre has three generators and sufficient fuel to provide weeks of independent power, so, should there be a power failure to the site, the dedicated generators can be deployed to provide power. There are three generators so that, should the site be running off their power and maintenance be needed on one generator, there is still a backup generator in case of failure. And of course BT has two geographically separated data centres, both of which are equipped in this way should a catastrophic event happen at one of them.

  It is NHS Connecting for Health's preference to host centrally as many services as is practical, because:

    —  It is difficult to offer a resilient service on locally owned and deployed infrastructures.

    —  Hosted services offer increased resilience options and controlled environments for backup and maintenance operations.

    —  Hosted environments are easier to physically secure and keep up-to-date with the latest security countermeasures.

    —  It is much more cost effective to deliver centrally hosted hardware resilience than equivalent resilience at multiple locations.

  NHS Connecting for Health does not own all of the services deployed as part of the National Programme—so, for example, external organisations transmitting electronic prescriptions do so from their own networks, using their own infrastructure and using NPfIT accredited software of their choice. As such, there are many failure conditions outside of the direct control of the Programme. However, every service that can be deployed within the NPfIT goes through extensive clinical safety reviews and compliance testing before it can be connected and utilised as part of the NPfIT.

  Those services that are procured directly by the NPfIT are typically operated by external suppliers in highly resilient data centre environments which offer industry-leading levels of resiliency and disaster recovery. This typically includes:

    —  An Active/Active Primary Data Centre configuration and a secondary data centre that is either an active (Spine) or passive (London) replica of the Primary data centre:

        —  There is Active/Active resilience built into the Primary Data Centres, and, should a disaster occur, the backup data centre is available to support the operations within the availability requirements for the System (currently 99.999% at the Spine, and 99.9% with improved performance objectives over time in London[17]).

    —  Interrupted connections will resume according to the agreed SLA.

    —  Multiple network connections, so should one connection be lost, another is available automatically.

    —  Hardware redundancy at all levels:

        —  Protects against disk and hardware failure.

        —  Redundant processing power is available should a machine fail.

    —  Zero data loss architectures:

        —  Data is written simultaneously to the two Spine data centres, thus ensuring that no patient data is lost (there are effectively ten copies of each database across the two Spine data centres).

        —  The Primary Data Centre at the London LSP shares a Storage Area Network (SAN) across the Active/Active configuration, and the SAN at the backup site is synchronously updated with the Primary Site.

    —  End-to-end system monitoring against specific Service level agreements:

        —  Automatic real-time alerting occurs in case services degrade or become unavailable for any reason.

    —  Rigorous data security standards:

        —  The System is designed, developed, tested and operated according to BS7799-2 Security Standards.

        —  The Data Centres are secured physically at a level similar to Ministry of Defence systems (secure premises, guarded and badge access control, etc.)

        —  Patient data confidentiality is protected via Role Based Access Control.

        —  All authorised users are required to have Smart Cards issued by a central Registration Authority for Single Sign-on to the system via access rights granted through Spine Security Services.

  Availability, failover and recovery of each Service have been designed to match clinical need. Dependencies between Services have been clearly identified and consideration given to various failure scenarios. Guidance has thus been given to all suppliers regarding how to construct their applications to limit the impact should a failure occur.

  This decoupling approach is pervasive through all of the NPfIT, and supplier-proposed solutions are evaluated against it as part of the NHS Connecting for Health assurance process. Such decoupling allows Services to continue to offer a range of capabilities regardless of whether a dependent service (eg, the National Summary Record) is available. The NPfIT end-to-end architecture supports the local queuing of messages for onward transmission to the failed service when it becomes available.

  NHS Connecting for Health services currently deployed have proven to be highly resilient in live service. But regardless of this, NHS Connecting for Health continues to work with suppliers and NHS Organisations to help maintain coordinated Business Continuity Plans in the event of a catastrophic failure. Each plan is tailored to which service could be affected and is highly specific to the clinical function it supports and the way it is integrated within a particular organisation's business and technical infrastructure.

  All NHS Connecting for Health Services have been designed with high availability, and SLAs and performance statistics are made public. It is expected that the Trust Organisation will select and deploy any NPfIT services that are appropriate and update their Business Continuity Plan accordingly, based upon the Services they use and the clinical usage for which they are employed.

Annex 2:   Savings by Local NHS Organisations
Acute Trusts Mental Health Trusts Primary Care
University Hospital Birmingham Hospitals NHS Trust Barnsley PCT North Sheffield PCT

1. Cost of current level PAS: (over term)

Operating cost

Implementation costs for new system

Net saving to Trust by transfer to CfH Solution




1. Cost of System renewal with no additional functionality: (over term)

Operating cost

Implementation cost for new system

Net saving to Trust by transfer to CfH Solution




1. Cost of GP Implementations:

Cost of operating existing contracts

Implementation cost for new system

Net saving to Trust of transfer to CfH Solution




Case Studies 2. Cost of Trust Procurement: (over term)

Cost of local purchase of more sophisticated PAS Operating Costs

Net saving to Trust of CfH solution




2. Cost of System renewal with additional functionality: (over term)

Operating cost

Implementation cost for new system

Net saving to Trust of transfer to CfH Solution




Bradford and Airedale PCT

(Bradford City, North Bradford, Bradford West)

2. Estimated savings case study

Annual savings

Net Savings to Trusts over term



Wirral Hospitals NHS Trust:

3. Cost of NHS CRS Level 6 PAS etc procured independently of Programme (over term)

Implementation Costs (based on UHB Business Case)

Net saving to Trust by transfer to CfH solution




SW Manchester Community PAS Project:

3. Community PAS Projects:

Cost of operating existing contracts (Avg NHS stocktake)

Implementation cost for new system

Net saving to Trust of transfer to CfH Solution




West Yorkshire Community

4. The Trust identified that it will cost £10k per practice to implement the NHS CRS solution. Savings to date have been in the region of £5k pa. The Trust will recover all implementation costs within two years of "Go Live".

National Equivalent Value Net savings to NHS of implementing nationally procured NHS CRS Acute solution with additional functionality

(excludes local procurement costs)

(£4.008bn)

Net cost of savings for Mental Health Trusts of implementing CfH procured solution between




1. Net savings to GPs

2. Net savings for PCTs implementations

3. Net saving for Community PAS implementation




Annex 3:   NHS use of identifiable and non-identifiable patient data for care and for secondary uses

  1.  The oral evidence provided by certain witnesses to the Committee on the distinction between identifiable data and non-identifiable data, how these may be used and shared, and how they are protected in NHS Connecting for Health systems, was poorly informed and at times misleading. This note aims to provide clarification.

  2.  Joint working between the Department of Health, the General Medical Council, the British Medical Association, the Information Commissioner and a range of patient groups, followed by extensive formal consultation, resulted in the publication of a confidentiality code of practice for the NHS in November 2003. This represented, for the first time, an agreed interpretation of how confidentiality law, and key aspects of Data Protection law, should apply in the NHS.

  3.  Clinical patient information is confidential and classed as sensitive in the Data Protection Act 1998 when it is held in a form that would enable the patient to be identified, as is the case with clinical records. The Data Protection Act regulates how this information is used, but does not prevent it being used for legitimate NHS purposes. Confidentiality law goes further and prevents information from being shared without consent except in exceptional circumstances (statutory provisions, court orders or significant public interest justification).

  4.  The confidentiality code of practice clarified the circumstances where consent could be implied (opt-out) and those where a stronger evidentiary basis (opt-in) was required. Essentially implied consent was deemed appropriate for care purposes and work to assure the quality of care provided, but not for secondary uses of data, eg research and management.

  5.  Patient contact, or demographic, details are subject to Data Protection Act provisions but are generally not confidential and so do not require consent for processing. Exceptions exist however and many people regard their address details as private, so it is Department of Health policy to safeguard contact details to the extent that NHS business requirements permit. NHS Connecting for Health will also make available controls that prevent NHS staff from viewing these details when a patient requests that this be the case.

  6.  The Courts[18] have determined that when effective steps have been taken to prevent the individual from being identified, the information is no longer confidential and patient consent is no longer required. Where the process used to anonymise the information is reversible, the information, whilst exempt from consent requirements, may remain subject to the Data Protection Act provisions—this has not been tested in Court, but Department of Health policy is to accept that this is the case. Where it is irreversibly anonymised it is not subject to either consent requirements or the Data Protection Act.

  7.  The NHS Connecting for Health Secondary Uses Service is being introduced to make anonymised and pseudonymised data available to appropriate users so that essential research and other work can be conducted without breaching confidentiality or privacy. Although information disclosed for secondary uses in a pseudonymised or anonymised form cannot identify individuals and doesn't require consent management controls, it is still subject to a range of safeguards.

  8.  There is considerable evidence, however, that some purposes cannot be satisfied through use of anonymised information and that it may not be practicable to gain consent for these purposes either. In these cases, a statutory basis is required. A key statutory provision in respect of research and other secondary uses of patient data is Section 251 of the NHS Consolidation Act 2006 (previously known as Section 60 of the Health and Social Care Act 2001), which allows obligations of confidentiality to be set aside in limited circumstances under the supervision of the statutory Patient Information Advisory Group (PIAG). Key conditions for use of information under these provisions are that it must be impracticable to gain consent or to anonymise the information concerned.

  9.  Professor Korff suggested in his evidence that PIAG is "quite easy about giving access" to data but it is evident that the research community would not support this view. In its January 2006 report on Personal data for public good: using health information in medical research the Academy of Medical Sciences stated that "Although admirable, this [PIAG's] approach creates difficulties for research because PIAG has set a policy direction that appears to ratchet up existing legal standards. Rather than assess whether applications involve proportionate interference in privacy, PIAG applies a stricter standard of absolute and proven necessity."

  10.  The application of law, requirements for consent and the safeguards that are being developed and deployed for data held within the NHS Care Records Service and the Secondary Uses Service are set out in table 1. This illustrates the strong safeguards that are in place for all types of data.

Table 1 (to Annex 3)
| | Non-clinical personal data | Personal clinical data for care | Personal clinical data for secondary uses | Pseudonymised data for secondary uses | Anonymised data for secondary uses |
|---|---|---|---|---|---|
| Confidentiality law applies? | Not generally | Yes | Yes | No | No |
| Data Protection Act applies? | Yes | Yes | Yes | Yes—the legal position is unclear but accepted as a matter of policy | No |
| Patient consent required for creating a record? | No | No, but patients given choice around the Summary Care Record as a matter of policy | No | N/A | N/A |
| Patient consent required for sharing? | No | Yes | Yes, unless there is a statutory basis | No | No |
| Implied consent sufficient? | N/A | Yes | No | N/A | N/A |
| E-GIF level 3 registration of staff? | Yes | Yes | Yes | Yes | Yes |
| E-GIF level 3 authentication of users via smartcard? | Yes | Yes | Yes | Yes | Yes |
| Audit Trail of user actions? | Yes | Yes | Yes | Yes | Yes |
| Audit Trail available to patients on request? | No | Yes | No | No | No |
| Role Based Access Controls? | Yes | Yes | Yes | Yes | Yes |
| Legitimate Relationship Access Controls? | No | Yes | No | No | No |
| Patient dissent to information sharing recorded and acted upon? | No | Yes | Yes | Yes | No |
| Sealed envelope prevents sharing of identifiable data? | No | Yes | Yes | Yes | No |
| Locked envelope prevents sharing of any data? | No | Yes | N/A | N/A | N/A |
| System alerts generated when users change their own access rights eg to break a seal? | No | Yes | N/A | N/A | N/A |
| Patient may request that contact details are hidden from NHS staff? | Yes | N/A | N/A | N/A | N/A |

Annex 4:   Reply to Parliamentary Question given on 21 June to Stephen O'Brien MP by the Department's then Minister of State, Caroline Flint

21 Jun 2006 : Column 1946W

  Caroline Flint: A list of names of all the organisations and individuals that responded at one or other stage of the consultation process around the national specification for integrated care records service is not held centrally. Some of the responses were provided by organisations which are no longer active.

  The original "National Specification for Integrated Care Records Service (Consultation Draft)" was issued in July 2002 by the NHS Information Authority. Some 190 responses to the document were received from suppliers, clinicians, chief information officers (CIOs), information technology (IT) departments of national health service bodies and others, commenting on such aspects as architecture, functional omissions and the realisation of benefits that such a system would produce. These comments were included and formed the base document for the early draft of the output based specification (OBS). This draft was then refined. The clinical input was provided by almost three hundred individuals and the IT community (IT managers and CIOs) numbered a further one hundred. A broad spectrum of NHS stakeholders was then engaged to review the draft OBS. The review group encompassed leading clinicians, practitioners, policy advisors, health informaticians and managers and included representatives from the Department, the NHS Information Authority, strategic health authorities, NHS trusts, primary care trusts, general practitioners, academic groups and other Government Departments.

  It is known that many of these people also sought input from colleagues and we estimate that this cascade has resulted in many thousands of individuals having had a material input to the content and quality of the product.

  A final list of 239 people was invited to review the OBS, from which a total of 105 formal review documents were received. From the 900 pages reviewed there were 1,175 comments of substance. These comments resulted in a further refined version of the OBS which was then distributed for any final comment. A response to every individual comment was returned to the reviewer in question.

  Reflecting a level of transparency unprecedented for major projects within Government, the OBS was published to the public domain in July 2003 and is available on the Department's website at .uk/PublicationsAndStatistics/.

  In addition to many hundreds of internal meetings, there were 44 meetings held by the clinicians from the national programme with important stakeholders and stakeholder groups. These included several chairs of the Royal Colleges, and presentations to many hundreds of clinicians at various locations around the country.

  Data on those consulted on ways of managing the confidentiality of patient health information have been placed in the Library [see list below].

  23 meetings were carried out as part of the research phase in addition to eight focus groups and 56 face-to-face interviews, involving patients, researchers, suppliers, senior care service managers, and NHS information governance professionals.

    Addenbrookes NHS Trust

    Age Concern

    Age Concern Harrow

    Association for Improvements in the Maternity Services (AIMS)

    Aintree Hospitals NHS Trust

    Airedale NHS Trust

    Airedale Primary Care Trust

    Alderney Hospital

    Alzheimer's Society

    AMS Consulting

    Anite Public Sector

    Ashford & St Peters NHS Trust

    Association of Community Health Councils for England & Wales (ACHCEW)

    Association of Directors of Social Services (ADSS)

    Avon Gloucestershire & Wiltshire Health Authority

    Avon Information Management & Technology Consortium

    Avon/Wilts Mental Health

    Barnet Enfield & Haringey Mental Health Trust

    Barnsley Community Health Council

    Barnsley District General Hospital NHS Trust

    Barts & the London NHS Trust

    Basildon & Thurrock General Hospitals NHS Trust

    Bebington and West Wirral Primary Care Trust

    Bed & Herts Local Medical Committee

    Birkenhead and Wallasey Primary Care Trust

    Birmingham Children's Hospital

    Birmingham Heartlands Hospital

    Black Country Mental Health NHS Trust

    Blackpool Primary Care Trust

    Blackpool Victoria Hospital

    Bolton Asian Elders drop-in Centre

    Brain and Spine Foundation

    Brain Injury Rehabilitation Trust

    Braintree Care Trust

    Bridgend Local Health Group

    Brighton & Sussex University Hospitals

    British Heart Foundation

    British Medical Association (BMA)

    British Paediatric Surveillance Unit

    British Polio Fellowship

    Bro Morgannwg NHS Trust

    Bro Taf Health Authority

    Bromsgrove & Redditch Community Health Council

    Broomfield Hospital

    Buckinghamshire Mental Health NHS Trust

    Buckland Hospital

    Bucknall Hospital

    Budshead Health Centre


    BUPA Hospital Southampton

    Burnley, Pendle & Rossendale Community Health Council

    Burton Hospitals NHS Trust

    Bury & Knowle Health Centre

    Calderdale & Huddersfield NHS Trust

    Cambridge Community Health Council

    Cambridgeshire & Peterborough Mental Health Partnership NHS Trust

    Cambridgeshire Constabulary

    Cancer Bacup

    Canterbury & Thanet Community Health Council

    Carers UK

    Central Cornwall Primary Care Trust

    Central Derby Primary Care Trust

    Central Lancashire & Fylde Coast Hospital Information Systems

    Central Manchester and Manchester Children's University Hospitals

    Central North West London Mental Health Trust

    Central Suffolk Primary Care Trust

    Centre for Health Services Studies (CHSS)

    Charlotte Keel Health Centre

    Charlton Lane Centre

    Chelford Surgery

    Cheltenham General Hospital

    Cherwell Vale Primary Care Trust

    Cheshire Central Community Health Council

    Chichester Community Health Council

    Child & Family Service (Wellington)

    Child Health Centre

    Child Health Informatics Consortium

    Children's Heart Foundation

    Chorley & South Ribble Primary Care Trust

    Christie Hospital NHS Trust

    Churches Together in England

    Citizens Advice Bureaux (CAB)

    City & Hackney Community Health Council

    City General Hospital

    Civica Services Ltd

    Clatterbridge Hospital

    Clinical Trials Service Unit

    Colchester General Hospital

    College for Health in London

    College of Health

    College of Occupational Therapists

    College of Optometrists

    Commission for Healthcare Audit and Inspection (CHAI)

    Communicable Disease Surveillance Centre

    Community Health Council Pensioners' Forum

    Community Pharmacy

    Consumer Association

    Contact A Family

    Convent of Mercy

    Conwy Federation of Community Health Council's

    Cornwall Information Services

    Countess of Chester Hospital NHS Trust

    County Durham Health Authority

    Courtesy Call Ltd

    Coventry & Warwickshire NHS Trust

    Coventry Community Council

    Coventry Primary Care Trust

    Crown House Surgery


    Darlington Memorial Hospital

    Darlington Primary Care Trust

    Dental Practice Board

    Department of Health (DH)

    Derby City General Hospital

    Derbyshire Royal Infirmary

    Derriford Hospital

    Derwent Shared Services

    Dewsbury District Community Health Council

    Diabetes UK

    District Hospital (Roehampton)

    Diverse Minds

    Doncaster Central Primary Care Trust

    Doncaster Community Health Council

    Doncaster Royal Infirmary

    Dudley Beacon & Castle Primary Care Trust

    Dudley Group of Hospitals

    Dudley Social Services

    Dudley South Primary Care Trust

    Durham & Chester-le-street Primary Care Trust

    Durham Dales Primary Care Trust

    Dyfed & Powys Health Authority

    East Dorset Community Health Council

    East Hertfordshire Community Health Council

    East Kent Hospitals NHS Trust

    East Kent Primary Care Trust

    East Staffs Primary Care Trust

    East Surrey Community Health Council

    East Sussex Hospitals NHS Trust

    East Yorkshire Community Health Council

    Eastern Cheshire Primary Care Trust

    Eastern Leicester Primary Care Trust

    Epilepsy Action

    Enigma Health UK Ltd


    Fairfield Hospital

    Farnborough Hospital

    Federation of Irish Societies

    Fellowship of Depressives Anonymous

    Ferndown Primary Care Trust

    Fertilization and Embryo Authority

    Fleet Hospital

    Foundation of Information Policy Research (FIPR)

    Frimley Children's Centre

    Frimley Park Hospital NHS Trust

    Front Street Surgery

    Gateshead Health

    General Medical Council

    George Eliot Hospital NHS Trust

    Glen Acre House CFS

    Gloucester Local Implementation Strategy

    Gloucester Partnership NHS Trust

    Gloucestershire Royal Hospital

    Goole Hospital

    Gosport Health Centre

    Grantham and District Hospital


    Great Ormond Street Hospital for Children NHS Trust

    Great Western Hospital

    Green Lane Hospital

    Greenwich Community Health Council

    Gwent Community Health Council

    Hackney Social Services

    Harefield NHS Trust

    Hampshire and Isle of Wight Strategic Health Authority

    Hampton Clinic

    Harrow Pensioners' Forum

    Harrow Primary Care Trust

    Health Data Protection Ltd

    Health Service Ombudsman

    Healthy Islington

    Hearing Voices Network

    Heatherwood and Wexham Park Hospitals NHS Trust

    Help the Aged

    Hertford County Hospital

    Hertfordshire County Council

    Hicom Technology

    Hillingdon Hospital NHS Trust

    Hillingdon Primary Care Trust

    HM Prison Service

    Holy Family Presbytery

    Hospice care

    Hounslow Community Health Council

    Hull Community Health Council


    Humberstone Grange Clinic


    IMECE Turkish Speaking Women's Group

    IMS Health


    Independent Complaints Advocacy Service

    Independent Healthcare Association

    Information Commissioner

    Institute for Quality Assurance

    Institute of Health Sciences

    Intellect (UK system supplier trade body)

    Interface Devices Ltd

    Ipswich Hospital NHS Trust

    Iranian Community Centre

    Island & Portsmouth Health ICT Service

    Isle of Wight Healthcare NHS Trust

    Islington Bangladeshi Association

    Islington Community Health Council

    Islington Health and Race Forum Group

    Islington Primary Care Trust

    Islington Zairean Refugee Group

    JADE Direct UK

    Jewish Care

    Jubilee Day Hospital

    Kennet and North Wiltshire Primary Care Trust

    Kent and Medway Hospital Information Systems

    Kent County Council

    Kettering General Hospital NHS Trust

    Kidderminster Community Health Council

    King's College Hospital

    Kingston Hospital NHS Trust

    Kirkham Health Centre

    Kokai Supplementary School

    Leeds Community Health Council

    Leeds General Infirmary

    Leeds North West Primary Care Trust

    Leeds Teaching Hospitals NHS Trust

    Leicester City West PCT—Child Health Services

    Leicester General Hospital

    Lincoln County Hospital

    Lincolnshire Shared Services

    Liverpool Central & Southern Community Health Council

    Liverpool Eastern Community Health Council

    Lloyds Pharmacy

    London School Hygiene and Tropical Medicine

    Macclesfield District General Hospital

    Macmillan Cancer Relief

    Manchester Mental Health and Social Care Trust

    Manchester NHS Agency

    Manchester Royal Infirmary

    Manor Gardens Advocacy Project

    Medical Defence Union

    Medical Protection Society

    Medical Research Council

    Medical Research Council Consumer Liaison Group

    Medway Maritime Hospital

    Mendip Primary Care Trust

    Mentis Management Consultants Ltd

    Mersey Care Trust

    Mid Downs Community Health Council

    Mid Surrey Community Health Council

    Mid Surrey Wheelchair Service

    Mid Yorkshire Hospitals

    Milton Keynes Community Health Council

    Moorfields Eye Hospital

    Moss Pharmacy

    Musgrove Hospital

    National Audit Governance

    National Care Standards Commission

    National Confidential Enquiry into Perioperative Deaths

    National Council of Women

    National Patient Safety Agency

    National Pharmaceutical Association

    National Programme for Information Technology (work stream leads)

    NDC health

    New Roots

    Newcastle General Hospital

    Newchurch Ltd

    Newhall Surgery


    NHS Confederation

    NHS Information Authority

    NHS Litigation Authority

    Nightingale Macmillan Unit

    Health & Social Care Community of North & East Devon (previously N&E Devon Health Authority)

    North & Mid Hants Health Authority

    North East Yorkshire & North Lincolnshire Strategic Health Authority

    North Manchester General Hospital

    North Staffordshire Community Health Council

    North Staffordshire Hospital Information Systems

    North Staffordshire Hospital NHS Trust

    North Tees & Hartlepool NHS Trust

    North Tyneside Community Health Council

    North Warwickshire Primary Care Trust

    North West Lincolnshire Community Health Council

    North West London Hospitals NHS Trust

    North West London Strategic Health Authority

    Northallerton & District Community Health Council

    Northampton General Hospital NHS Trust

    Northern Cancer Network

    Northern General Hospital

    Northrop Grumman Missions Systems

    Norwich Primary Care Trust

    Nottingham Acute Hospitals Partnership

    Nottingham City Hospital NHS Trust

    Nottingham Health Informatics Service

    Nuffield Orthopaedic Centre NHS Trust

    Nurses of British Computer Society

    Oldwell Surgery

    Optx Ltd

    Orion Health

    Ottery St. Mary Hospital

    Our Lady's Convent

    Oxford City Primary Care Trust

    Oxford Radcliffe Hospital

    Parkinsons Disease Society

    Partnership with Older People

    Patient Concern

    Patient Forum

    Patient Reference Group

    Patient Voice

    Patients' Association

    Peapod consulting

    Peninsular Medical School

    Pennine Acute Hospitals NHS Trust

    Pennine Care NHS Trust

    Perinatal and Epidemiology, Oxford

    Per-Se Technologies

    Peterborough District Hospital

    Pilot Patient Project Lewisham

    Plaistow Hospital

    Plymouth Primary Care Trust

    Pontypridd & Rhonda NHS Trust

    Poole Hospital NHS Trust

    Portman Clinic

    Portsmouth City Council Social Services

    Portsmouth City Primary Care Trust

    Prescription Pricing Authority (PPA)

    Prison Health Department (DH)

    Psychological Support Service


    Public Health Laboratory Service

    Queen Elizabeth Hospital

    Queen Mary's Hospital

    Queen Victoria Memorial Hospital

    Queens Hospital

    Queen's Hospital (Burton upon Trent)

    Queen's Park Hospital

    Queens Park Medical Centre

    Railway Medina Tavern

    Redbridge Assertive Outreach Team

    Rethink Mind

    Richmond & Twickenham Primary Care Trust

    Robert Jones/Agnes Hunt Orthopaedic and District Hospital NHS Trust

    Romsey Dental Care

    Rotherham District General Hospital

    Royal Albert Edward Infirmary

    Royal Alexandra Hospital

    Royal Berkshire Hospital

    Royal Bolton Hospital

    Royal Bournemouth Hospital

    Royal Brompton Hospital

    Royal College of Anaesthetists

    Royal College of General Practitioners

    Royal College of Paediatrics and Child Health

    Royal College of Physicians

    Royal College of Speech and Language Therapists

    Royal College of Surgeons of Edinburgh

    Royal College of Surgeons of England

    Royal Devon & Exeter Health Care NHS Trust

    Royal Free Hampstead NHS Trust

    Royal Gwent Hospital

    Royal Hallamshire Hospital

    Royal Leamington Spa Rehabilitation Hospital

    Royal London Hospital

    Royal Manchester Children's Hospital

    Royal National Institute for the Blind (RNID)

    Royal National Orthopaedic Hospital NHS Trust

    Royal Oldham Hospital

    Royal Pharmaceutical Society

    Royal Preston Hospital

    Royal Surrey County Hospital NHS Trust

    Royal United Hospital

    Royal Victoria Infirmary

    Royal West Sussex NHS Trust

    Royston, Buntingford & Bishops Stortford Primary Care Trust

    Rusholme Health Centre

    Salford Royal Hospitals NHS Trust

    Salisbury Healthcare NHS Trust

    Salters Meadow Health Centre

    Sandwell Hospital

    Scarborough Hospital

    Schlumberger Sema

    Sedgefield Primary Care Trust

    Selby & York Primary Care Trust

    Selly Oak Hospital

    Sexually Transmitted Disease Clinic

    Sheffield South West Primary Care Trust

    Sheffield Teaching Hospital NHS Trust

    Sisters of St Joseph of Peace

    Social and Community Services

    Social Care Information Policy Unit

    Society & College of Radiographers

    Society of Chiropodists & Podiatrists

    Somerset Coast Primary Care Trust

    Somerset Local Medical Committee

    Somerset Partnership NHS and Social Care Trust

    Somerville Medical Centre

    South Birmingham Mental Health Trust

    South Brooks Community Health Council

    South Bucks Community Health Council

    South Devon Healthcare Trust

    South Downs Health NHS Trust

    South East Oxon Primary Care Trust

    South Staffordshire Healthcare

    South Tees Acute Hospitals

    South Tees Community Health Council

    South Tees Hospitals NHS Trust

    South Tyneside Community Health Council

    South Warwickshire Community Health Council

    South West Dorset Primary Care Trust

    South West Kent Primary Care Trust

    South West Surrey Community Health Council

    Southampton General Hospital

    Southend Community Health Council

    Southend Hospital NHS Trust

    Southend Patients' Public Voice

    Southern Derbyshire Acute Hospitals NHS Trust

    Southern Derbyshire Community Health Council

    Southport & Formby Community Health Council

    Southport District General Hospital

    Southwark Primary Care Trust

    St Andrew's Hospital

    St Bartholomew's Hospital

    St Catherine's Hospital

    St Dominic's Priory

    St Francis Presbytery

    St Georges Hospital

    St Helens & Knowsley Community Health Council

    St Helens & Knowsley Hospitals Trust

    St Helier Hospital

    St James' Hospital

    St James' University Hospital

    St Joseph's Church

    St Luke's Hospice

    St Nicholas' Hospice

    St Teresa's Presbytery

    Stafford General Hospital

    Staffordshire Moorlands Primary Care Trust

    Staffordshire University

    Stockport NHS Trust

    Stockport Primary Care Trust

    Stoke Mandeville Hospital NHS Trust

    Suffolk Social Services

    Sunderland Community Health Council

    Sunderland Royal Hospital

    Sunderland Teaching Primary Care Trust

    Surrey Ambulance NHS Trust

    Surrey Oaklands NHS Trust

    Sutton & Merton Primary Care Trust

    SW Surrey Community Health Council

    Swindon & Marlborough NHS Trust

    Syntegra UK

    Tameside & Glossop Acute Trust

    Tameside & Glossop Primary Care Trust

    Target Four

    Taunton and Somerset Hospital

    Taunton Deane Primary Care Trust

    Teddington Memorial Hospital

    Tees and North East Yorkshire NHS Trust

    Telford & Wrekin Primary Care Trust

    The Audit Commission

    The British Polio Fellowship

    The Haemophilia Society

    The Health Centre

    The Hospice of St Francis

    The Medical Centre

    The Surgery

    The Walton Centre for Neurology & Neurosurgery

    Tolworth Hospital

    Torbay Hospital


    Tower Hamlets Community Health Council

    Trafford General Hospital

    Trent Cancer Registry

    Triple G

    Tunbridge Wells Community Health Council

    UK Carers Organisation

    UK National Screening Committee

    UK Newborn Screening Programme Centre

    UK Transplant

    United Bristol Healthcare NHS Trust

    University College Hospital London

    University Hospital Aintree

    University Hospital of Hartlepool

    University Hospitals of Coventry & Warwickshire NHS Trust

    University Hospitals of Leicester

    University of Birmingham

    University of Central England

    University of Leeds—School of Healthcare

    University of Leicester

    University of Salford

    University of Sheffield

    University of Warwick

    Vale of Aylesbury Primary Care Trust

    Vega consulting

    Victim Support

    Voluntary Action Leeds

    Wakefield West Primary Care Trust

    Walsall Community Health Council

    Walsall Primary Care Trust

    Wandsworth Community Health Council

    Wandsworth Contact a Family

    Wandsworth Pilot Patients Forum

    Warrington Community Health Council

    Watch Tower (Jehovah's Witnesses)

    Watercress Medical Centre

    Watford & Three Rivers Primary Care Trust

    Webstar Health

    Welsh Assembly Government

    Welsh Language Board

    Wessex Local Medical Committee's

    West Cheshire Hospital

    West Hertfordshire Hospitals NHS Trust

    West Kent NHS & Social Care Trust

    West Lancashire Primary Care Trust

    West Lincolnshire Primary Care Trust

    West London Mental Health NHS Trust

    West Middlesex University Hospital

    West Midland Strategic Health Authority

    West Midlands Ambulance NHS Trust

    West Midlands Perinatal Institute

    West Suffolk Community Health Council

    West Suffolk Hospitals NHS Trust

    West Surrey Health Community

    West Sussex Health and Social Care

    Weston Area Health Trust

    Weston General Hospital

    Wexham Park Hospital

    Whiston Health Centre

    Whiston Hospital

    Whittington Hospital NHS Trust

    William Brown Centre

    Winchester and Central Hampshire Community Health Council

    Winchester and Eastleigh NHS Trust

    Wirral NHS Trust

    Wolfson Institute of Preventive Medicine

    Wolverhampton City Council

    Worcestershire Mental Health Partnership NHS Trust

    Worthing and Southlands NHS Trust

    Wyre Forest Primary Care Trust

    York Hospital

Annex 5:   Patient safety benefits to be achieved from electronic patient records

  Key to understanding how the systems being developed by NHS Connecting for Health can play a part in reducing adverse events, particularly medication errors, is an appreciation of:

    —  the scale of the problem,

    —  the root causes of any avoidable errors,

    —  the evidence supporting the role of IT in reducing some of the root causes, and

    —  an explanation of the new systems themselves.

Scale of the Problem:

  There is evidence from international literature that medication errors occur in all health care settings, with some errors occurring repeatedly not just within one healthcare system, but across healthcare systems worldwide. Whilst the UK evidence base is not as strong as it is in other countries, particularly the United States, this does not mean that the NHS in England is immune from this problem. As such, the study by Charles Vincent et al is particularly helpful in demonstrating the reality of this global phenomenon within the context of the health service in England.

  Whilst the authors do indeed state that "we can not extrapolate with any precision" it is nevertheless the authors themselves who do extrapolate the findings to the whole of the NHS with the conclusion:

    "Our findings strongly suggest that adverse events are a serious problem in the NHS, as they are in the United States and Australia. We estimate that around 5% of the 8.5 million patients admitted to hospitals in England and Wales each year experience preventable adverse events, leading to an additional three million bed days. The total cost to the NHS of these adverse events in extra bed days alone would be around £1 billion a year".

  Of course, this study only looks at adverse events occurring within hospitals. It is important not to overlook adverse events occurring outside the hospital setting. In this respect you may be interested in another UK-based study which looked specifically into adverse drug reactions as a cause of hospital admission. This study, published in the British Medical Journal in 2004[19], concluded that:

    —  One in 16 hospital admissions are the result of an adverse drug reaction (ADR)—72% of which are avoidable.

    —  This equates to 4% of hospital bed capacity.

    —  At any one time the equivalent of 7 x 800 bed hospitals are occupied by patients admitted with ADRs.

    —  ADRs causing hospital admissions are responsible for the death of 5,700 patients every year.

    —  Cost to the NHS = £466 million.

  Whilst neither of these studies is without its limitations, they are nevertheless extremely important in helping to quantify the scale of the actual problem we face, and indeed are facing up to, in England. Academic studies such as these do not become irrelevant just because they were conducted a number of years ago or because the situation may have improved since the study was conducted. Having acknowledged the scale of the problem, our focus now is on tackling the root causes of avoidable patient safety incidents rather than simply engaging in further studies to re-confirm that there is indeed a problem.

Root Causes:

  Although patient safety incidents are diverse in nature, a study carried out by the National Audit Office in 2003-04 and reported in "A Safer Place for Patients"[20] revealed that the most common patient safety incidents in hospitals, after patient falls, related to medication errors, record documentation error and communication failure.

  This is supported by the Audit Commission in their report "A Spoonful of Sugar"[21] which made the following conclusions:

    —  Complications arising from medicines treatment are the most common cause of adverse events in hospital patients.

    —  Errors may occur from the initial decision to prescribe to the final administration of the medicine, and these include choice of the wrong medicine, dose, route, form, and frequency.

    —  Most errors are caused by the prescriber not having immediate access to accurate information about either the medicine (its indications, contraindications, interactions, therapeutic dose, or side effects); or the patient (allergies, other medical conditions, or the latest laboratory results).

    —  Hand-written prescriptions or patients' notes also contribute to errors as they may be illegible, incomplete, subject to transcription errors or make use of inappropriate shorthand.

    —  Prescription sheets themselves may also be temporarily unavailable or lost.

  Safe, effective clinical care also depends on reliable, error-free communication between different providers of care. Communication breakdowns between healthcare providers are a common feature in episodes of avoidable patient harm. This was highlighted in the Department of Health publication "Building a Safer NHS for Patients: Improving Medication Safety":

    "Effective communications are critically important when patients move from one care setting to another; many medication errors occur at such `handover points'. Serious errors have occurred because of poor communication between primary and secondary care. Accurate information about current treatment is essential when patients are admitted to hospital to enable an accurate clinical assessment and to plan future treatment. And on discharge, the patient's drug regimen and treatment plan need to be communicated in a timely and reliable way to ensure safe and seamless transfer of care back to the primary care team"[22].

Information Technology & Patient Safety—The Evidence

  Research sources provide ample evidence that information technology can improve patient safety through eliminating many of the root causes described above. The enclosure to this Annex provides a summary of just some of the available evidence. NHS Connecting for Health has taken account of this research evidence in framing the scope of the Programme to ensure the delivery of better care and improved safety for patients.

National Programme for IT in the NHS - Supporting Patient Safety

  The following is a brief explanation of how some of the elements of the overall NHS Care Record Service will contribute to reducing incidents of patient harm. In places this includes data obtained from the National Patient Safety Agency's National Reporting & Learning System (NRLS) to help highlight the potential patient safety benefits. However, it should be noted that whilst the reporting of patient safety incidents to the NRLS is becoming more established practice, and is now a core standard the NHS is expected to adhere to, the figures are still likely to underestimate the full scale of such patient safety incidents.

Personal Demographics Service—Right Patient, Right Care:

  Use of the NHS number as the unique identifier in all healthcare interactions in England will, when fully achieved, make a major contribution to patient safety.

  Currently, an individual patient has different identifying numbers in different NHS organisations and sometimes even within the same NHS organisation.

  The dangers of this are well illustrated by information extracted from the NRLS which shows that between November 2003 and May 2006 there were 600 patient safety incidents reported which related directly to patients' identifying numbers. Furthermore, the NRLS also reveals that between January 2006 and December 2006 alone there were 7,984 patient safety incidents reported where the incident type was "Patient Incorrectly Identified".

  In this respect, the Personal Demographics Service (PDS), which allows authorised NHS health and social care practitioners to trace patients accurately and efficiently against their most up-to-date demographic details and so identify the patient's unique NHS number, will make a key contribution to patient safety.

  PDS underpins all current and future NHS Connecting for Health products and, with approximately 50 million demographic records for everyone in England stored on the database, it is already supporting the delivery of the Choose and Book Service (potentially benefiting over 45 million patients with in excess of 17,500 bookings daily) and the Electronic Prescription Service (potentially benefiting about 15 million patients with in excess of 185,000 prescription messages daily).

  The PDS is of course central to realising the ultimate goal of delivering high quality and safe care across different health care organisations through the NHS Care Record Service. But even now, over 1.5 million patient records are successfully retrieved from the PDS every day, helping to correctly identify patients.

NHS Summary Care Record:

  The Summary Care Record (SCR) forms the national element of the NHS Care Record Service and will provide authorised health care professionals with access to key clinical information about a patient anywhere, at any time.

  The record will grow over time but will go live from this year under the Early Adopter Programme before moving to full national roll-out. In the initial stages, the record (subject to patient consent) will contain the following information held on the GP's record:

    —  Known allergies

    —  Known adverse reactions

    —  Medications—acute prescriptions in past 6 months and repeat prescriptions in past 18 months

    —  Significant diagnoses and problems (+ any other significant issues, treatments, operative procedures etc)

  This information was provided as part of the HSC oral evidence session on 26 April 2007.

  Future phases of the SCR will see it linked with the Electronic Prescription Service to provide a richer view of medications, and with the Choose and Book service to provide referral information, as well as capturing information from secondary care such as discharge information, outpatient letters and emergency care reports.

  The importance of having access to this basic patient information is highlighted by the following information obtained from the NRLS (England only) between January and December 2006:

    —  1,678 reported patient safety incidents where the patient was allergic to the treatment given.

    —  916 patient safety incidents where the patient suffered an adverse drug reaction (when the drug was used as intended).

    —  1,147 reported patient safety incidents where the treatment given was contraindicated in relation to drugs or conditions.

    —  821 patient safety incidents reported where the primary cause given for the incident was "missing / inadequate / illegible referral letter".

    —  28,875 patient safety incidents reported relating to "documentation" eg missing / illegible / misfiled (See footnote for specific search filters)[23]

Electronic Prescription Service (EPS):

  With around 1.3 million prescriptions now being issued every working day in England, and this figure expected to rise by 5% each year, the development of the EPS (which replaces a paper based system with an electronic one which is more efficient and consistently accurate) is absolutely critical to providing health care professionals with up to date and accurate information about the range of medications a patient might be taking at any point in time.

  In a study of older people at the University Hospital of North Durham, a structured review of patients' medication was conducted after admission. An average of almost one drug per patient was found to be inappropriate and stopped and an average of approximately one drug per two patients was started following identification of omissions in the drug history.[24]

  The importance of having up to date medication information for older patients is further illustrated as follows[25]:

    —  As people get older, their use of medication tends to increase. Four in five people over 75 take at least one prescribed medicine, with 36% taking four or more medicines.

    —  Adverse reactions are implicated in 5%-17% of hospital admissions for older people.

    —  While in hospital, 6%-17% of older inpatients experience adverse drug reactions.

    —  Older people who are taking four or more medicines have increased risk of suffering an adverse reaction to a medicine and being readmitted to hospital as a result.

  The EPS has been designed to provide medication data to the NHS Care Record. The NHS Care Record, populated by data from the EPS will, over time, provide a single, authoritative point of reference for the medication a patient has been prescribed and dispensed and has the potential to lead to a significant reduction in medication errors caused by a lack of instantly available medication information.

  Already, over 4,825 pharmacies and 5,778 GP practices have EPS technology benefiting a potential 9.1 million patients. To date, over 26.5 million prescription messages have been issued electronically, with the weekly count exceeding 900,0000.

  Details of the status of Pharmacy Systems Suppliers can be found on the NHS CFH web site at



  Whereas the patient safety benefits of the Electronic Prescription Service lie principally in providing clinicians with up to date information about a patient's medications through links to the NHS Care Record, the benefits of e-Prescribing systems lie in reducing actual prescribing errors and administration errors often associated with prescribing.

  A study[26] into the incidence of adverse drug events and potential adverse drug events reviewed 4,031 patient records and found an incidence of 6.5% actual and 5.5% potential errors. Of these:

    —  56% related to errors at the ordering stage

    —  34% related to administrative errors

    —  6% were transcription errors

    —  4% were dispensing errors

  The Agency for Health Care Policy and Research (USA) published a Research in Action paper claiming that computerised medication order entry (also known as e-Prescribing systems) has the potential to prevent an estimated 84% of dose, frequency and route errors in prescribing. This report cites numerous other research studies which claim safety benefits from computerised medication order entry systems or e-prescribing systems.[27]

  NHS Connecting for Health is providing the functional specification to be incorporated into the local detailed record solutions being developed by the Local Service Providers, which will allow for:

    —  Computerised entry and management of prescriptions.

    —  Decision support, aiding the choice of medicine and other therapies, with alerts covering, for example, drug interactions, contra-indications, allergic reactions and other safety-related issues.

    —  Knowledge support, giving users immediate access to up-to-date drug information such as the British National Formulary.

    —  Electronic links between hospital wards/departments and pharmacies.

    —  A robust audit trail for the entire medicines provision process.

  E-Prescribing systems will be underpinned by the Dictionary of Medicines and Devices (dm+d), a dictionary containing agreed unique identifiers and associated textual descriptions for medicines and medical devices. The dm+d will help make e-Prescribing systems interoperable with other NHS IT systems, enabling safe and reliable exchanges of information on medicines and devices and effective decision support through linkages of data.

  Of course, others of the many products and initiatives being developed and deployed by NHS Connecting for Health will also contribute to improving patient safety.

Enclosure to Annex 5

Supporting Evidence

  Bates and Gawande 2003. The work by Bates et al. reports the following benefits:

    —  Information technology can substantially improve the safety of medical care by structuring actions, catching errors, and bringing evidence-based, patient-centred decision support to the point of care to allow necessary customisation.

    —  The use of decision support for clinical decisions can also result in major reductions in the rate of complications associated with antibiotics, and can decrease costs and the rate of nosocomial infections.

    —  53%-83% reduction in serious medication errors.

  Bates, D W and Gawande, A A, Improving Safety with Information Technology. New England Journal of Medicine 2003, 348:2526-34


  The Agency for Health Care Policy and Research (USA) published a Research in Action paper claiming that computerised medication order entry has the potential to prevent an estimated 84% of dose, frequency and route errors. This report cites numerous other research studies which claim safety benefits from computerised medication order entry systems.

  Reducing and Preventing Adverse Drug Events to Decrease Hospital Costs. Research in Action, Issue 1. AHRQ Publication Number 01-0020, March 2001. Agency for Healthcare Research and Quality, Rockville, MD.

  The LEAPFROG Group for patient safety Rewarding Higher Standards (USA) quotes the following examples of safety benefits from physician order entry systems:

    (i)  A study by David Bates, MD, Chief of General Medicine at Boston's Brigham and Women's Hospital, demonstrated that their Computer Physician Order Entry (CPOE) system reduced error rates by 55% from 10.7 to 4.9 per 1,000 patient days.

  Bates DW, Leape LL, Cullen DJ, Laird N, et al. Effect of computerized physician order entry and team intervention on prevention of serious medication errors. JAMA. 1998;280:1311-6.

    (ii)  Rates of serious medication errors fell by 86% in a subsequent study by the same group. The prevention of errors was attributed to the CPOE system's structured orders and medication checks.

  Bates DW, Teich JM, Lee J, Seger D, Kuperman GJ, Ma'Luf N, Boyle D, Leape L. The impact of computerized physician order entry on medication error prevention. JAMIA. 1999;6:313-21.

    (iii)  John Birkmeyer, MD, a surgeon and health services researcher at Dartmouth Medical School, estimates that implementation of CPOE systems at all non-rural US hospitals could prevent over 500,000 serious medication errors each year.

  Birkmeyer JD, Birkmeyer CM, Wennberg DE, Young MP. Leapfrog safety standards: potential benefits of universal adoption. The Leapfrog Group. Washington DC: 2000.

  An e-prescribing report prepared by First Consulting Group for the California Healthcare Foundation claims patient safety benefits from e-prescribing and references a movement championed by the Institute for Safe Medication Practices, calling for the universal adoption of e-prescribing and the abandonment of handwritten prescriptions by 2004, for the improvement of prescribing safety.

  Kilbridge Peter, MDE & Gladysheva Katy, First Consulting Group, E-Prescribing prepared for California Healthcare Foundation 2001.

  A report on the prevention of medical errors by First Consulting asserts that it is through understanding and altering the processes by which complex systems operate that quality is best achieved and improved. Healthcare quality requires, perhaps more than anything else, access to reliable information at the point of medical decision-making. As such, the provision of clinical care is an information-dependent process.

  Two principal kinds of information management support care quality. The first is collection of and access to real-time clinical data at the point of care. What did this patient's X-ray reveal? What medications is she receiving? Access to point-of-care information assists the clinician in treating the patient "here and now." A second kind of information is aggregate data on populations of patients. This data can be retrospectively examined to identify practice patterns, incidence of disease or complications, and the like. It can also be used to target specific practitioner behaviours for improvement.

  Both types of information management are required as part of any coherent strategy to measure and improve the quality of healthcare delivered. Implementing evidence-based medicine in a healthcare delivery organization requires a substantial investment in rethinking and fine-tuning clinical processes across the continuum of care. Moreover, creating more reliable and effective clinical processes and practices necessitates introducing information technology into the hands of physicians and other caregivers.

  Classen D and Kilbridge P—Health quality and the prevention of medical errors, First Consulting Group June 2000.

  Smart tags and packaging are already saving lives, preventing illnesses and sharply reducing costs in healthcare. The Protti World Review Report 14 cites examples of radio frequency identification technology and its benefits in healthcare.

  Radio-frequency identification: Its potential in Healthcare. Health Devices 34(5), May 2005:149-60 (no Authors listed)


  Right patient, right blood new advice for safer transfusions—NHS Connecting for Health has supported the National Patient Safety Agency in the development of new measures to improve the safety of blood transfusions, including photo ID cards and electronic tracking systems for patients and blood.


  Protti World View Report 8 is the first of two reports providing an overview of clinical information technologies that are helping to save lives and improve the quality of life for patients. This report includes references to the benefits of Picture Archiving and Communications Systems (PACS) such as improved speed and accuracy of diagnosis.


  Protti World View Report 3 shows how the value of computers in healthcare can be about improving decision-making. This report includes references to the benefits of computerised electronic patient record systems. It suggests that electronic systems enable physicians and nurses to make better, quicker decisions with the aid of on-line access to evidence-based results, assistance in placing orders, detecting drug interactions, and receiving alerts after abnormal test results. This delivers more efficiency with fewer errors.


  Protti World View Report 2 specifically focuses on how the use of computers in healthcare can reduce errors, improve patient safety and enhance the quality of care. Incomplete information in records and the difficulty that clinicians have in keeping up with the rapidly growing clinical evidence base are significant problems that can be mediated by IT. The US Institute of Medicine Quality Chasm report 2001 is quoted: "The current care systems cannot do the job. Trying harder will not work. If we want safer, higher-quality care, we will need to have redesigned systems of care, including the use of IT to support clinical and administrative processes."


  The Audit Commission report "a spoonful of sugar—medicines management in NHS hospitals—2001" reported that:

    —  Electronic prescribing reduces medicine errors significantly by providing timely, legible information. One study concluded that improved information systems could contribute to the prevention of 78% of transcription errors leading to adverse medicine events.

    —  Computerised systems containing rules to prevent incorrect or inappropriate prescribing have also reduced the incidence of errors and increased the appropriateness of medicine treatment.

    —  Computerised prescribing linked with electronic health records will radically alter the way in which care is provided and will deliver significant improvements in the quality of patient care (Ref. 86). The introduction of these systems, which ultimately need to be accessible by primary care and other hospitals, is vital to provide access to common clinical data. It is one of the biggest challenges currently facing the NHS.


Annex 6:   NHS existing systems suppliers that have obtained work under the National Programme

  Existing Systems Compliance Programme (Technical Authority to Deploy at 13 June 2007).

ESP Programme

  Patient Administration Systems

    C&Bv1—McKesson Totalcare

    C&Bv1—iSOFT Clinicom

    C&Bv1—Harrogate (Silverlink/Anglia)

    C&Bv1—Capula Elan Oasis


    C&Bv1—Silverlink ICS

    C&Bv1—IMS Maxims BLKHEARTS

    C&Bv1—York Trust ICE/In house PAS

    C&Bv1—Ascribe (HEIS) eCamis

    C&Bv1—iSOFT IPM

    C&Bv2—Cerner Millennium

    C&Bv1—IMS Maxims Hammersmith



    C&Bv2—ATOS Origin SemaHelix

    C&Bv2—System C Medway

    C&Bv2—Royal Marsden Anglia/In house

    C&Bv2—iSOFT Clinicom

    C&Bv2 prov—Ascribe EPEX

    C&Bv2—Silverlink ICS

    C&Bv2—Royal Devon&Exeter SWIFT

    C&Bv2—iSOFT IPM

    C&Bv2—McKesson Totalcare

    C&Bv2—Filetek Magic

    C&Bv2—McKesson Star

    C&Bv1—Misys CPR

    C&Bv2—UCLH (GE Healthcare)

    C&Bv2—IMS Maxims PAS/CAB

    C&Bv2—Norfolk & Norwich


Community Pharmacy Systems


    ETPv1—Hadley Healthcare Eclipse (Local/FDB)

    ETPv1—Cegedim Pharmacy Manager

    ETPv1—Enigma Nexphase

    ETPv1—System Sol QicScript

    ETPv1—Lloyds PMR

    ETPv1—Positive Solutions PSL ETP

    ETPv1—Pharmacy Plus

    ETPv1—Enigma Mediphase

    ETPv1—RX System Proscript

    ETPv1—Boots Smartscript EPS

    ETPv1—Hadley Healthcare Eclipse (Local/HHPD)

    ETPv1—Cegedim Central Message Broker

    ETPv1—Lloyds Compass

General Practice Systems

    C&Bv1—Seetec GP Ent

    C&Bv1—InPS Vision

    ETPv1—The Phoenix Partnership SystmOne

    ETPv1—InPS Vision

    C&Bv1—The Phoenix Partnership SystmOne

    ETPv1—Seetec GP Ent

    C&Bv1—EMIS LV

    C&Bv1—Microtest—Evolution Practice Manager

    GP2GPv1.0-EMIS LV

    C&Bv1—iSOFT Synergy

    C&Bv1—iSOFT Premiere



    ETPv1—iSOFT Synergy

    ETPv1—iSOFT Premiere

    ETPv1—Microtest Practice Manager

    C&Bv1—EMIS PCS

    GP2GPv1.0-InPS Vision

    GP2GPv1.1-InPS Vision

    C&Bv2—Seetec GP Ent

    C&Bv2—iSOFT Synergy

    C&Bv2—iSOFT Premiere

    GP2GPv1.1-EMIS LV


Independent Sector Treatment Centre

    C&Bv1—Cambio Cosmic

    C&Bv2—iQ System Serv iQUTopia

    C&Bv2—Streets Heaver Compucare

    C&Bv2—Cambio Cosmic

QMAS & RFA (Level 0 GPSoC)

    QMAS v7—Microtest

    QMAS v7—In Practice




    QMAS v7—Ascribe Protechnic Exeter

    QMAS v7—iSOFT

    QMAS v7—The Computer Room

    QMAS v7—Seetec

    QMAS v7—The Phoenix Partnership

    QMAS v7—Healthy Systems

    QMAS v8.5 (R10)—Microtest

    QMAS v8.5 (R10)—EMIS LV

    QMAS v8.5 (R10)—EMIS GV

    QMAS v8.5 (R10)—EMIS PCS

    QMAS v8.5 (R10)—The Phoenix Partnership

    QMAS v8.5 (R10)—Healthy Systems

    QMAS v8.5 (R10)—InPS Vision 4

    QMAS v8.5 (R10)—iSOFT

    QMAS v8.5 (R10)—In Practice

    QMAS v8.5 (R10)—Ascribe Protechnic Exeter

    QMAS v8.5 (R10)—Seetec

    QMAS v8.5 (R10)—iSOFT Synergy Enterprise

    QMAS v9—iSOFT

    QMAS v9—Microtest


    QMAS v9—Ascribe Protechnic Exeter



    QMAS v9—In Practice

    QMAS v9—The Phoenix Partnership

    QMAS v9—Healthy Systems

    QMAS v9—Seetec

Secondary User Service




    SUS—NHSIA Exeter



    SUS—NHSIA Exeter

Summary Care Record


Annex 7:   LSPs provided the following examples of their experience in delivering systems and services such as those required under the National Programme

Fujitsu: Usha Mullapudi Cardiac Centre (UMCC), Hyderabad

  Implementation of a Hospital Management System to a 150-bed cardiac hospital equipped with four operating theatres, three catheterisation labs, a blood bank, a modern pathology lab, a spiral CT scanner and a pharmacy unit.

  The EPR maintained the overall patient medical history including past and present clinical findings, treatment details, medication details and progress notes. In-patient EPRs contained chart monitoring, test results, ward movement, discharge summary and visit details. The workflows generated by patient activities were mapped to modules for different hospital departments and functions: Reception; Wards; Billing; Pharmacy; Laboratory; Operation Theatre; Blood Bank; Electronic Patient Records; Financial; Accounting and Payroll; Stores; Duty Roster; Security and Administration; House Keeping and Laundry; Diet and Kitchen; Equipment Interface; Fixed Assets and Pathology Lab.

Fujitsu: The Southern Derbyshire Acute Hospitals NHS Trust

  Development of a Trust Workforce Plan making effective use of information technology, suitable for internal and external purposes, to be integrated with service and financial planning and able to accommodate future changes.

  The Trust has a total of 1,147 beds across 44 wards and serves a population of over half a million people through Southern Derbyshire. The Trust employs approximately 5,500 staff from medical and nursing staff to ancillary staff within an annual budget of around £200 million.

Accenture: Andalusian Health Care Service, Spain

  Design, build and run of a System and Technology Management centre serving the region and the management of the infrastructure to support "smart card" based electronic patient records as part of an ambitious modernization programme. The Andalusian Healthcare service is the largest public healthcare service in Spain with 75,000 employees including 14,000 physicians serving 7.3 million citizens. It has a complex health network made of 32 hospitals, 1300 primary health centres and over 100 specialized health centres.

  In November 1997 Accenture won a public offering to carry out the project, which consisted of building an Information Technology Management Centre in six months. This centre would assume the management of the health centres environment for the next three years, starting as of July 1st 1998.

Accenture: The Milwaukee County Medical Centre

  The Milwaukee County Medical Centre is a 450-bed acute care hospital with a Level 1 trauma centre for the region. Its integrated delivery system includes 30 outpatient clinics, an eye institute and links to the Medical College of Wisconsin, Curative Rehab Hospital and Milwaukee County Behavioural Health Facility, a 600-bed psych, alcohol and drug treatment facility.

  Accenture served as the total outsourcing provider (all IT functions, including computer operations, technical services, help desk, WAN / LAN, desktop support and applications support, and all strategic planning, budgeting, etc.) since 1991. In 1996, the County sold the acute care facility. From 1996 to present, Accenture has provided Applications Management services to the remaining County-owned facility, Behavioural Health.

CSC:  40 Danish Counties

  CSC Scandihealth is the largest supplier of healthcare IT software and services in Denmark and Scandinavia and the leading provider of electronic patient records systems to Danish hospitals.

CSC:  St Vincent's Catholic Medical Center, New York

  The St. Vincent's Catholic Medical Centers (SVCMC) comprises seven facilities including acute centres and ambulatory clinics. In 2001, CSC was awarded two contracts within the health system. The first, an outsourcing contract, calls for supplying all aspects of the IT management for a duration of five years; the second calls for the creation of an integrated software and hardware platform for the Patient Management, Patient Accounting, Hospital Procurement and Accounting functions.

CSC:  Children's Hospital Los Angeles (CHLA)

  Management of business and clinical information systems, including mainframe and midrange computers, desktop computers, helpdesk operations, voice and data communications, and applications maintenance and development.

BT:  NHS Information Authority, NHSNet Broadband Upgrade

  BT is delivering 256Kbps NHS Net upgrades to 6,536 GP surgeries.

  BT is delivering 2Mbps NHS Net upgrades to 223 Hospitals.

  BT is providing the intensive programme management to upgrade 30 GP sites per day.

  The upgrade process takes 40 days, therefore BT is concurrently managing delivery to 1,200 sites at any one time.

  Contract value is in the region of £168 million, with rollout having commenced in December 2002. BT is currently rolling out 600 sites per month and is committed to complete by March 2004.

BT:  Salford & Trafford Health Authority

  This health authority serves around one million patients. It includes 113 GP practices, two major hospitals and a community NHS trust.

  BT partnered with the customer to assess current levels of equipment at its 113 sites and then developed an appropriate and cost-effective solution, which would meet the individual needs of the GP Primary Care Groups.

  BT implemented reliable electronic communication between all GP practices through a standard communications network.

  BT delivered, trained and supported 250 desktop PCs (and 84 network-connected printers), with access to BT managed email services and web browsing of the NHSnet and Internet, for users at GP practices.

  BT ensured that all existing GP System software (from the 3 clinical application suppliers) could be used on the desktop PCs.

  BT provides end-to-end service ownership, helpdesk and Service Level Guarantees for the end-to-end service.

  BT remotely accesses PCs to ensure maximum availability, optimum problem fix time and software downloads.

BT: Walsall Trust

  Walsall Hospitals NHS Trust is responsible for the Manor Hospital—a 600-bed full acute hospital with A&E, maternity, dermatology, oncology, etc—and the nearby 120-bed non-surgical Goscote Hospital.

  BT was prime contractor for the delivery of the Clinical Image Management Service 2000-01. The initial scope was for PACS storage for new CR in A&E Imaging. This included diagnostic and referential workstations for the Imaging and A&E Department, with potential to have web referential views across the extended campus.

CSC:  Scandihealth

  CSC's EMEA public sector business was initially focused in the Nordic region, where CSC acquired Datacentralen, a state-owned IT service firm, and Scandinavian Healthcare Informatics.

  The Scandihealth business (which, with 300 professionals, provides healthcare solutions to 70% of hospital beds in Denmark) was the starting point of CSC's growth in healthcare in Europe. Nowadays the portfolio includes the full range of system integration, application development, consulting and operations management services, as well as vertical specific solutions, such as hospital information systems, laboratory systems and home care systems based on various partner platforms; for instance, Oracle HTB is the key development and integration platform used in Denmark, and CSC intends to leverage it in other countries too (eg Norway, Sweden, and Italy).

National Switch Point (LSP) for the Dutch healthcare sector

  The National Switching Point enables healthcare players throughout the country to exchange patient information in a fast and safe way. With this initiative, CSC has built the foundations for the countrywide roll-out of a reliable Electronic Patient Record.

  The LSP is at the heart of the National Information Infrastructure (called Aorta) for the healthcare sector and enables parties in the sector to exchange patient information safely and quickly. This 'mission critical control' handles the access to patient information. Through the LSP, healthcare providers can ask for up-to-date patient information from systems of other hospitals, pharmacies and general practitioners.

CSC's Healthcare Experience outside the NHS NPfIT contract

  The Department of Health's aim is to improve the health and wellbeing of the people of England. Its work includes setting national standards and shaping the direction of the NHS and social care services, and promoting healthier living. Health and social care services are delivered through the NHS, local authorities, arm's length bodies and other public and private sector organisations.

  In 2002 CSC was awarded a seven-year IT outsourcing contract. The contract has since been extended for a further two years; the agreement will now run until 2011 and now includes an innovative new Managed Print Service. CSC's service to DH comprises provision of a full infrastructure outsource, a number of areas of application support and development, as well as targeted consultancy provision.

  CSC and the Department have created an IT partnership which will support and enhance the Department of Health's information and communications investments. Since the beginning of the relationship CSC has been involved in many projects to deliver new and improved services to the Department of Health; examples range from technology refresh programmes, to provision of flexible hosting services and innovative managed service solutions.

13   First Report of the Steering Group on Health Services Information (The Korner Report), HMSO, London.

14

15

16   Pirmohamed, M. et al: Adverse drug reactions as a cause of admission to hospital: prospective analysis of 18,820 patients: BMJ 2004; 329: 15-19.

17   99.9% availability equates to approximately 45 minutes of outage per month for the System.

18   R v Department of Health, ex parte Source Informatics (2000).

19   Pirmohamed, M. et al: Adverse drug reactions as a cause of admission to hospital: prospective analysis of 18,820 patients: BMJ 2004; 329: 15-19.

20   A Safer Place for Patients: National Audit Office, HC 456 Session 2005-06.

21   A Spoonful of Sugar: medicine management in NHS hospitals: Audit Commission 2001.

22   Building a Safer NHS for Patients: Improving Medication Safety-Department of Health 2004.

23   NRLS Search Filters = "Documentation- no access to" + "Documentation- missing / inadequate / illegible referral letter or healthcare record / card" + "Documentation- delay in obtaining healthcare record / card" + "Documentation- misfiled".

24   Building a Safer NHS for Patients: Improving Medication Safety-Department of Health 2004.

25   A Spoonful of Sugar: medicine management in NHS hospitals: Audit Commission 2001.

26   Bates DW, Cullen DJ, Laird N, Petersen LA, Small SD, Servi D, et al. Incidence of adverse drug events and potential adverse drug events. JAMA 1995; 274: 29-34.

27   Reducing and Preventing Adverse Drug Events to Decrease Hospital Costs. Research in Action, Issue 1, AHRQ Publication Number 01-0020, March 2001. Agency for Healthcare Research and Quality, Rockville, MD.


© Parliamentary copyright 2007
Prepared 13 September 2007