Select Committee on Health Written Evidence

Evidence submitted by the British Computer Society (EPR 66)


  The BCS is delighted to have been invited by the House of Commons Select Committee to comment on its Inquiry into the Electronic Patient Record and its use.

  The British Computer Society (BCS) is the industry body for IT professionals and a chartered engineering institution for information technology (IT). With members in over 100 countries, the BCS is the leading professional and learned society in the field of computers and information systems.

  In the limited time available we have consulted members of our Health Informatics Forum (BCSHIF). Members of the Forum are from a wide range of interested parties, representing clinicians, managers and informatics experts. We are therefore confident that the views expressed represent those from a much larger body of IT professionals in the health sector.


  1.1  BCSHIF comprises groups containing clinicians, managers and informatics experts working directly and indirectly for the NHS: in the design, development, implementation and use of current and future NHS information systems. For their credentials, see . Supplementary evidence is attached in the form of the BCSHIF Statement of the Way Forward for NHS Health Informatics, available also from .

  1.2  BCSHIF supports the concept that successful implementation of appropriate electronic patient records systems is essential to providing safer and more appropriate patient care and to the viability of the NHS and its constituent organisations.

  1.3  Patient information held must be fit for purpose, be only held for as long as necessary and for use by authorised professionals with a need to know as required by the Data Protection Act and other relevant legal requirements.

  1.4  Access should be for explicit purposes agreed by the individual record subject; both for direct patient care and for secondary uses, except where there is an emergency requirement or an over-riding need to know for the public good.

  1.5  We suggest that patient confidentiality can be best ensured with three levels of patient data confidentiality deployed within a distributed record with access mechanisms that balance patient rights with wider public benefits. Informed patient consent to access should be paramount.

  1.6  Patient data can and should be used for other purposes beyond personal care and treatment, predominantly in anonymised/pseudoanonymised form. Secondary uses requiring personally-identifiable information should continue to require explicit patient consent for information use. No other uses of the patient record should be permitted.

  1.7  Progress in developing the National Care Records Service (NCRS) varies depending on the mix of application solutions in each geographic area, the current state of readiness of the organisations and the fitness for purpose of those solutions. There are fundamental questions of structure, content, confidentiality and security that require resolution before further implementation of the NCRS.

  1.8  BCSHIF seeks to work with the relevant agencies in resolving the issues it has identified. We would be pleased to expand on analysis and recommendations contained in this report if the Health Select Committee so wishes.


  1.9  Sharing patient information with those making decisions about the care of the patient (professional and non-professional) is vital to ensure safe and appropriate care. Patient information may be shared by "push" (where someone gives unsolicited information to someone else, as in a referral or discharge message or email containing a test result), or "pull" (where someone makes an enquiry of a person or Electronic Patient Record (EPR)). Previously, sharing between care providers has predominantly been via messaging and personal enquiry. Sharing record(s) per se has largely been restricted to staff caring for the patient within a care provider organisation acting as the EPR(s) "owner".

  1.10  NHS Connecting for Health (NHS CFH) is proposing to change the balance between the various methods, so that sharing the patient's EPR(s) assumes a more important role. This change is non-trivial. Ensuring that the author's meaning is transferred to the enquirer is a real challenge. Enquirers will also need to selectively filter EPR contents to suit their needs and avoid information overload. There is therefore an onus on content authors to make their record entries as comprehensive, contemporaneous and consistently understandable as is practicable. It is also relevant to note here that NHS EPRs exist outside NHS CFH.

2.   What patient information will be held on the new local and national electronic record systems, including whether patients may prevent their personal data being placed on systems

  2.1  The information held must meet legal requirements and tried and tested standards. The primary purpose of the EPR is to support direct patient care and treatment. For this, extensive detailed personal and clinical data about the patient is necessary. These include demographic details (name, address, date of birth, ethnicity, etc), details of the past and current state of the patient (including diagnoses), investigation results, treatments, family history, and relevant social details (including information about third parties). Only the patient and those involved in their care and treatment should have access to this personally-identifiable data and this access should be governed by their role in that care.

  2.2  Patients' requirements are central to any EPR records developments. Patients' reluctance to opt in to having their information stored and shared has led to delays which will not be resolved until their concerns are addressed (see "Big Opt Out",

  2.3  Unless patients are confident that their data is secure and only used for health-related purposes, they will not allow selected significant information to be recorded or may withhold their entire record. In either case, their care may suffer. We support a patient's right to withhold personally-identifiable data, given that they are informed of any possible effect on their care. Patient withholding of data will be minimized by restricting uses of personally-identified information and ensuring security, and respecting their concerns about confidentiality.

  2.4  Most sharing of personally-identifiable patient data takes place during episodes of care in a local health economy, and the data should be retained for legal and clinical purposes at that level. There are other legitimate needs to share patient data more widely during treatment. These include patients moving between the UK home countries, or NHS and private care, or choosing to use alternative facilities, or accessing national specialist units or receiving shared care with social services. In such circumstances appropriate patient information needs to accompany the patient on their journey through care. What is shared and how it is shared depends on the intended use, and requires further consultation to confirm.

  2.5  There is a case for a simple EPR summary to support emergency care, similar to the Scottish Emergency Care Summary (ECS). It currently contains safety-related patient data. Scottish patients must provide consent before it is used (if possible), and may opt out of having an ECS. The BMA has approved these arrangements, unlike those for the NHS CFH Summary Care Record.

  2.6  If a distributed (virtual) record architecture is adopted for the NHS Care Record Service (NCRS), then minimal patient information needs to be held at national level (see 5.5).

3.   Who will have access to locally and nationally held information and under what circumstances

  3.1  Who has access to a specific record depends on the agreed purposes for using that data. In line with current practice and guidance, use of patient-identifiable information for anything other than direct patient care should only be with the explicit informed consent of the patient; unless there is an over-riding public interest or legal requirement. See 6 for more on secondary uses.

  3.2  Those involved in the direct care and treatment of a patient should have access to all information necessary to provide those services effectively, subject to their role and any patient-derived restrictions (see 5.2). Accessors should include the patient, and if they so wish, their non-professional carers.

  3.3  Delivery of care increasingly requires cross-organisational, multi-disciplinary team working (eg in clinical pathway management, mental health care programmes, single assessment processes and complex multi-agency scheduling) and related information sharing. Sound interoperable systems must reflect the complex supply chains involved in delivering healthcare, and securely and sensitively handle information linkage across organisational boundaries.

  3.4  Future extensions to remote patient record sharing mean that increasingly substantial patient-identifiable data will be in the custody of organisations other than those that collected it and that are not clinical in nature. Patient trust in such organisations is significantly less than in the clinical professions, and such organisations should not be the data controllers. Confidentiality procedures that meet concerns already expressed by patients will be challenging, but must be put in place in addition to consent given at or prior to time of use.

  3.5  Nationally, data quality is critical to realising benefits from raised investment in IT and to ensuring patient confidence in the sharing of their data (reference the Helen Wilkinson case,,,1937302,00.html). Enabling patients to access their records, add to them and initiate corrections will significantly assist this. It will also encourage patients and/or their carers to become "primus inter pares" of their care teams, and to assume greater responsibility for their health and healthcare, a key element of current healthcare policy (for current work see ). Patient custodianship of their EPR(s) should be seriously considered.

  3.6  Information governance requires establishing generic requirements for information sharing, to improve the quality of individual patient care and the efficiency of care provision. Any arrangements to use EPR content, at local or national level, must support the trust that is crucial to the clinician-patient relationship, and technical issues should not be allowed to unduly dominate the discussions. This work goes beyond the boundaries of NHS CFH, but the results will form the foundation for revisiting the National Care Records Service (see 7).

  3.7  Transferring EPR data between systems where the user does not explicitly initiate that transfer raises difficult technical issues and concepts such as "role-based access controls", "legitimate relationships" and "sealed envelope" mechanisms. These are not yet acceptable to clinicians and the public.

4.   Whether patient confidentiality can be adequately protected

  4.1  Privacy issues will escalate as multi-agency sharing of care—and therefore patient data—becomes more prevalent. The nature of the EPR requires a high degree of confidentiality and other privacy mechanisms to restrict access only for agreed purposes and to authorised professionals with a recognised need to know, subject to any restrictions that the patient wishes to place on the sharing of their data (in whole or part).

  4.2  Research suggests that patients see their data as having one of three levels of confidentiality:

    (a)  available wherever required by those providing personal care to the patient (the vast majority of patient records and their contents). Such data could be shared as needed for the purpose of personal care;

    (b)  available to all clinicians caring for the patient within a specific provider organisation, eg hospital or practice (common now where individual provider organisations hold their own EPRs). Such data would not leave the custody of the organisation without explicit patient consent; and

    (c)  availability restricted to the original recipient only (applying to very limited parts of EPR for a small minority of patients). Such data would not be viewable by any other person without explicit patient consent.

  There are also information environments, such as community pharmacies, with which patients feel less comfortable sharing their information. However, implementation of these constraints is feasible, and offers a more acceptable alternative to the "sealed envelope" mechanism proposed by NHSCFH.

  4.3  From the record user's point of view, NHSCFH assume that the complex technological and policy challenges are answered by restricting access to patient records to those having an appropriate role (eg NHS hospital consultant) and relationship with the patient (eg GP registered with). In practice these mechanisms have sometimes proved cumbersome to use, and manual workarounds have been deployed which enable inappropriate access to patient data. Accessors can also override the software's controls, although this is reported after the event to the organisation's information governance monitor—the Caldicott guardian. The mechanisms also depend on near real-time updating of roles and legitimate relationships as they change. Such evidence as exists suggests that patients prefer clinicians as data custodians rather than algorithms driven by accessor properties.

  4.4  The NCRS can develop structurally in a number of ways:

    (a)  a comprehensive patient record held in its entirety in one or more national/central databases;

    (b)  a distributed virtual record pulled together in whole or in part when required, from disparate patient record databases, and presented for a single instant for a specific user; or

    (c)  a mixture of both.

  4.5  The different structures have different risks and therefore need to be protected in different ways. For example, a higher risk is posed to a celebrity's EPR from a central database presenting "one place to look" to those with malicious intent; whereas a distributed database makes lower demands. There are unresolved questions about data duplication, and data that has been changed and copied to several locations. Ensuring the consistency and timeliness of centrally-held patient data and local records is a concern.

  4.6  BCSHIF believe a distributed (virtual) record approach is the most sensible way forward and most easily secured. It can make use of heterogeneous records from multiple agencies (including those outside NHSCFH), offers a basis for information privacy and confidentiality, and can interact with different informatics solutions proposed in other UK home countries. It would also encourage the convergence of record architectures and semantics over time. This approach seems more in keeping with the web-enabled 21st century than a central record.

5.   How data held on the new systems can and should be used for purposes other than the delivery of care eg clinical research

  5.1  Valid acceptable secondary uses (those other than for care delivery) include audit, research and development of clinical services, population health management, financial management, performance monitoring and development of healthcare facilities and services. No other uses of the patient record should be permitted.

  5.2  Patient consent is still necessary to use patient-identifiable data for secondary purposes, for example for disease registers, clinical trials or research. Where patient data is anonymised/pseudo-anonymised before use, patient consent is not required. However the onus is on those who anonymise/pseudoanonymise data to ensure that patients' identities cannot be inferred from other patient data present. Given that linkage of anonymised/pseudoanonymised fragments of patient data is possible, ongoing use of the Health & Social Care Act 2001 to permit the use of patient-identifiable data for secondary purposes should be greatly reduced. Proposals for secondary uses should be made clear to patients and care providers at the earliest possible time to obtain agreement and allay ongoing concerns.

  5.3  In future, analysis of the "cradle to grave" record will improve the way care is delivered and change clinical practice. Currently, little prepares clinicians for the ensuing changes in the way they work. Clinical professions and informaticians should provide clear and comprehensive guidance on good clinical record keeping and sensitive data management in all care sectors during systems implementation. Clinical (and health management) education should include these concepts.

  5.4  Patient demographics services, spine directory services and a transaction and messaging service present new challenges. New secondary data sources based on the Secondary Uses Service will require management/administrative staff to have improved management skills and education for handling that data.

  5.5  Data quality is critical to realising the benefits of IT investment. Access to comprehensive, accessible and accurate record data, in whatever form, is crucial to appropriate clinical and health management decision making. Work to monitor and improve data quality is key to achieving this.

6.   Current progress on the development of the NHS Care Records Service and the National Data Spine, and why delivery of the new systems is up to two years behind schedule

  6.1  Major reasons for delay are the information governance issues raised in section 5. The Ministerial Taskforce Report on the NHS Summary Care Record,—record—taskforce—doc.pdf, is a small step in the right direction, but not enough.

  6.2  Work on the technical standards to allow EPR interoperability is now under way, but should have been pursued vigorously from the start of NPfIT to enable greater EPR product convergence sooner.

  6.3  The problems outlined in 2.2 are still unresolved. These are particularly apparent in secondary care and mental health providers, where EPRs are a rarity, and coded content in them rarer still. The cultural and information management issues require serious investment to ensure the effective use of the EPR systems being provided. The consequent changes in business processes will take time and resources to introduce. Funding and planning for these activities are not earmarked nationally, and have to compete with other more pressing local priorities.

  6.4  Whatever form it takes, the NCRS depends upon comprehensively implementing local EPR systems. Relatively few local systems are operational outside general medical practice, though the number is growing. The readiness of NHS organisations to adopt EPRs varies widely, as does acceptance of the business case for them by local management and would-be users.

  6.5  Recent implementations of CBS (Choose & Book) and PACS (Picture Archiving & Communications Systems) demonstrate the need for firm foundations to avoid delay. PACS implementations are relatively trouble free. The systems are tried and tested, have a clear business case and benefits and have clinical support. CBS on the other hand is developing as it is being implemented, and the business case and benefits to those who use it are unclear. Significant delays are being observed.

  6.6  Secondary care EPR solutions that are a good fit with local needs are frequently not yet supplied, causing some organisations to take interim non-NHSCFH systems to avoid risks to patient safety. Local Service Provider (LSP) contracts have sometimes meant replacing satisfactory operational systems with NHSCFH-compliant systems that are functionally poorer. Advanced users of existing systems have been understandably reluctant to move to LSP applications that offer little significant benefit to them. This may be answered by increasing the NHSCFH EPR system portfolio from which Trusts and practices can select.

  6.7  Better communication/consultation with those with informed domain knowledge and experience will engage health professionals more effectively; and maximize the likelihood of successful deployments that really benefit patient outcomes and NHS efficiency. BCSHIF recommends that NHSCFH is transformed into an open partnership with NHS management, users, the informatics community, suppliers, patients and their carers, grounded in understanding, trust and respect.

  6.8  BCSHIF recommends that the Personal Spine Information System (PSIS) element of NCRS be put on hold until its purpose, and overall requirements for, and design of, the NCRS are agreed.

  6.9  The NCRS requires realignment with a more realistic business-based informatics strategy and with patient confidentiality requirements to ensure that solutions are fit for purpose and acceptable to users, costs are contained and delays minimized. A framework is required in which a wider range of heterogeneous systems can share information and workflows, and in which existing systems and existing solution suppliers play a greater part.

Dr M G Rodd

Director, External Relations of the British Computer Society (BCS)

March 2007

© Parliamentary copyright 2007
Prepared 25 April 2007