APPENDIX 36
Memorandum submitted by the Department of Health
The Committee has announced that the focus of
its inquiry will be on Home Office responsibilities, but that
it will also look, where relevant, at those of other departments,
and has mentioned in that context "databases being developed
by the Department of Health". We have interpreted this as
a reference to the NHS Care Records Service (NHS CRS).
The following evidence is very largely drawn
from written evidence recently submitted to the Health Select
Committee in connection with its current inquiry into electronic
patient records.
EXECUTIVE SUMMARY
The NHS CRS will, in due course, provide a nationally
available, secure, lifelong patient record that holds patient
demographic data and, from 2007, will start to hold summary clinical
information such as allergies, adverse medical events, medication
etc. Access is via secure smartcard technology, available at the
point of need by healthcare professionals who have a role-based,
legitimate relationship with the patient.
We believe that holding summary care records,
and doing so on a national database, will deliver very significant
benefits for safety and the efficient management of NHS services,
improving healthcare outcomes for millions whilst preventing thousands
of unnecessary deaths.
In all cases, access to records will only be
permitted to the staff of organisations involved in the care of
NHS patients, working as part of a team that is providing a patient
with care, and will be limited to only as much information as
is needed for the purpose of the care or other job role being
performed in relation to the patient. Where those providing care
are not NHS staff then patients will be informed of this and any
objections raised respected.
The NHS CRS will incorporate stringent security
controls and safeguards to prevent unrestricted or uncontrolled
access to personal information. Beyond that, patients will have
the right to restrict access to their clinical information, and
clinicians responsible for treating them have a duty of care to
explain to those who choose to do so the potential impact their
decisions may have on their future care. If nonetheless a patient
does not want important data to be available to other than those
who have collected it, even though absence of that information
may lead to future harm, they will have the right to seal the
information and accept the consequences.
It will be open to individuals to choose not
to have a summary care record at all.
Patient information that will be held on the new
local and national electronic record systems, and the options
patients will have to prevent their personal data being placed
on systems
CLINICAL INFORMATION
1. The recording of clinical information
is a matter for professional regulation and will also depend in
part on policies and protocols in local NHS organisations. Doctors
are required by the General Medical Council to keep clear, accurate,
legible and contemporaneous patient records which report the relevant
clinical findings, the decisions made, the information given to
patients, and any drugs or other treatment prescribed, and which
serve to keep colleagues well informed when sharing the care of
patients. Other health professionals have similar obligations.
DEMOGRAPHIC INFORMATION
2. Patients' demographic details are already
held in the Personal Demographics Service (PDS), a key component
of the NHS Care Records Service. It is estimated that in the region
of 3.5 million patients per annum change GP Practices and for
an increasingly mobile population, and with an ever more diverse
range of NHS healthcare providers, the PDS provides a consistent
accurate source of demographic information. This includes items
such as:
3. Currently, in a typical week, 6.5 million
messages are processed by the demographics service which is accessed
on a typical NHS day by 50,000 authenticated unique users. The
total number of queries to date now exceeds 230 million. As a
result of the central personal demographics database some three
quarters of a million letters per year are now correctly addressed.
The introduction of the Personal Demographic Service (PDS) at
University Hospital Birmingham has seen a reduction from 3% of
misdirected letters down to 0.44%, improving overall accuracy
rates for patient correspondence to 99.56%.
4. Access to the Personal Demographics Service
(PDS) will reduce clinical risks arising from a failure to match
patients with their clinical record, and help minimise cases of
correspondence and documents being misdirected. Currently, some
trusts send tens of thousands of misdirected items of mail a year,
and nationally the figure runs into millions of items. Early evidence
from one trust has shown a six-fold reduction in misdirected mail
addressed using data held in the Personal Demographics Service
(PDS), with a saving in postal and staff-related costs that would
translate into many millions of pounds nationally per year.
5. People registered with the NHS will not
be able to prevent their basic demographic and contact details
from being held within the NHS CRS. The NHS has maintained registers
of its service users from the earliest days of its existence and
for a variety of reasons to support the delivery of healthcare.
6. Regulations require the NHS to keep a
record of which GP practice each person is registered with and
reasons of efficiency and probity require this to be held centrally
(eg to prevent multiple GPs from being paid for the same patient
and to ensure that the correct commissioning body meets the cost
of care provided). A register is also needed to enable the Secretary
of State to meet legal obligations to provide healthcare, free
at the point of contact, for those patients who are ordinarily
resident in England.
7. Access to the Personal Demographics Service
(PDS) by NHS staff is restricted to those issued with a smartcard
and an appropriate role. To locate a specific individual's records
it is necessary for these staff to input sufficient information
to obtain a unique match, generally only possible where the individual
concerned is present and can be asked for details. If this proves
difficult because there are too many individuals with similar
details, a list can be accessed but doing so generates an alert
to other staff responsible for ensuring and checking that the
system is not being misused. Further, whilst it is not practicable
to give patients choice about whether their demographic details
will be held in the system, safeguards have been built into the
PDS which allow an individual's contact details to be hidden from
NHS staff if they request this level of protection. These safeguards,
termed sensitive flagging or shielding of records, were developed
originally for witness protection and similar cases but are now
available for all patients who have strong concerns about NHS
staff accessing their contact details. It is intended that all
staff involved in care who need to access demographic information,
even those who are not employed directly by the NHS, will be subject
to at least the same levels of registration as NHS employees when
being granted access to patient information.
SUMMARY CARE RECORD
8. The Summary Care Record forms the national
element of the NHS Care Record Service and will provide authorised
healthcare professionals with access to key clinical information
about a patient anywhere at any time. Piloting of the Summary
Care Record, part of the NHS Care Records Service (NHS CRS), in
"early adopter sites" will begin from Spring 2007. The
ready availability of information about patients in the Summary
Care Record will help prevent medication errors which cause 1,200
unnecessary deaths a year in England and Wales. It will also help
reduce unnecessary admissions to hospital, particularly of older
people. The Summary Care Record will be created by copying data
currently held within GP systems with the agreement of the GP
Practices concerned. At first, the Summary Care Record will contain
only basic information such as known allergies, known adverse
reactions to medications and other substances (eg peanuts), acute
prescriptions in the past six months and repeat prescriptions
that are not more than six months beyond their review date.
9. In due course more information will be
added about current health conditions and treatment. "Adverse
drug reactions (ADRs) continue to represent a considerable burden
on the NHS, accounting for 1 in 16 hospital admissions and 4%
of the hospital bed capacity. Most ADRs were predictable from
the known pharmacology of the drugs and many represented known
interactions and are therefore likely to be preventable. Over
2% of patients admitted with an adverse drug reaction died, suggesting
that adverse effects may be responsible for the death of 0.15%
of all patients admitted" (Source: BMJ abstract of research
at two general hospitals in Merseyside, BMJ 2004; 329:15-19).
10. Discussions are under way with representatives
of the medical professions, patients and the public about the
final scope and implementation of the Summary Care Record. Experience
in the early adopter sites will be thoroughly evaluated before
wider roll-out of the Summary Care Record.
11. Individuals who have concerns can choose
not to have a Summary Care Record created for them. They will
be advised to inform their GP of their views and to request that
a note be made of their concerns and the choice they have made.
The GP practice may ask the patient to sign a form indicating
that they understand and accept that it may not be possible for
the NHS to provide them with the same care as others receive in
circumstances where the Summary Care Record will enable improved
care. They can alternatively choose to have a Summary Care Record created
but not accessible to anyone but themselves. They will be able
to access it anytime using a secure internet site called HealthSpace.
Patients will of course be able to change their mind and request
a Summary Care Record at any point.
DETAILED CARE RECORD
12. Records containing information about
a patient's medical care exist currently in a variety of places,
for example, at their GP surgery or at hospitals where they have
received treatment but at present they cannot easily be shared.
Over the next few years, as the NHS Care Records Service (NHS
CRS) develops, NHS organisations such as hospitals, clinics and
GPs will be able to share their electronic records where appropriate.
This may vary from area to area depending on the physical infrastructure.
A patient who has attended NHS organisations in different areas
may have more than one set of shared detailed records.
13. The detailed care record component of
the NHS Care Records Service (NHS CRS) will support the care process
and will typically contain:
date of birth and NHS Number;
past and current health conditions, allergies;
assessment, investigations and diagnosis including test result and digital images;
care plans and reminders;
treatments including operations and medications; and
care reviews and discharge information.
14. Individuals may ask those who are providing
care for them whether or not it is possible to withhold information
from the new IT systems but in many cases this will be impracticable.
Some forms of care, X-rays, laboratory tests etc will generate
records within the new systems automatically and the only way
to prevent this is to choose not to have that particular care
or treatment. Where clinicians feel that they can keep adequate
records outside of the new systems there will need to be robust
arrangements for clinical audit in order to assure the quality
of care and protect patient safety. The Department of Health is
to conduct a consultation on processes for managing patient requests
of this sort. However, even where information has to be held within
the new systems, patients have considerable control over who may
access that information as described below. Alternatively, people
can choose to have their information held electronically but not
accessible to anyone outside the organisation that created it, thereby
recreating an electronic version of the status quo.
How third-party access to locally and nationally
held clinical and demographic information will be managed and
controlled
15. Only the duly authorised staff of organisations
that are involved in providing care will have access to confidential
medical information held within the NHS Care Records Service (NHS
CRS). Such staff will need to have a "legitimate relationship"
to access the information in an individual patient's record and
will only have access to system functions, and hence to data,
as required by their role. Organisations that are not involved
in providing or supporting the delivery of health and social care,
will not have direct access to any confidential medical data.
16. Exceptionally, disclosure of clinical
information outside of a health context may be considered in cases
of serious crime or where there are significant risks to other
people, but public interest rules for disclosure to the police
or other agencies are not changed by the introduction of the NHS
Care Records Service (NHS CRS). In rare circumstances, the law
or the Courts require clinical information to be disclosed and
requirements such as these must necessarily be met. This is exactly
the same as what happens now with paper records and non-linked
computer systems.
17. Demographic data (contact details) has
not always been held under the same strict rules of confidentiality
as clinical data but some individuals provide their contact details
in circumstances where confidentiality needs to apply. To reflect
this, and also to reflect the importance that the Department of
Health places on sustaining the trust of patients, as a matter
of policy all patient demographic data is treated as if it were
confidential for most purposes. Such data is therefore only disclosed
to support health and social care or under the same public interest
rules as clinical data or where there is a statutory basis for
the disclosure.
PROTECTING PATIENT CONFIDENTIALITY
18. The benefits of the NHS Care Records
System (NHS CRS) for both patients and NHS staff depend on safeguarding
sensitive patient information from inappropriate disclosure. The
NHS Care Record System provides a set of technical access controls
and audit facilities that, along with the professional standards
of staff in the NHS, safeguard sensitive patient information from
inappropriate disclosure. They provide much more rigorous controls
than exist now for either paper records or existing electronically
held records.
19. The Department of Health sets stringent
standards for patient confidentiality and has taken the lead in
government in developing a comprehensive privacy statement in
the form of the NHS Care Record Guarantee, articulating in plain
language precisely what NHS organisations must do to meet legal
and policy requirements. The Department is also strongly supporting
the Information Commissioner in seeking stronger penalties for
breaches.
20. International security standards are
applied across all system implementations. These include the use
of encryption to communication links between systems, and to user
interfaces with systems. The security of data centres is assured
using both international and British standards, and all suppliers
to the National Programme are contractually bound to auditing
their adherence to these.
21. The NHS Care Records Service (NHS CRS)
incorporates stringent security controls and safeguards to prevent
unauthorised access to personal information and to detect potential
abuse. These controls are complex to implement and there is a
trade-off between usability and ease of access to data and questions
relating to security and patient safety. The Department is therefore
proceeding cautiously and consultatively and is providing the
NHS with a set of security tools to deliver centrally determined
standards.
22. The Department is aware that some patients
will not be reassured by NHS security controls and is therefore
providing patients with choice about participation in many of
the new developments. Uniquely, the Department is also providing
security controls that are set at the direction of patients. This
provides unprecedented confidentiality management for patients
of the NHS in England.
SECURITY CONTROLS MANAGED BY THE NHS
23. Users (healthcare professionals) are
vetted and sponsored by their local organisations for specific
access appropriate to their job role and area of work. There is
a strong registration process compliant with the government standard
eGif level 3 which means the user has to initially appear in person
to prove their identity before access is assigned by the "Registration
Authority" governed by NHS Connecting for Health. On successful
completion of the registration process, a user is issued a smartcard, a
secure token that, together with a passcode, confirms the identity
of a user at the time of access. The registration process assigns
them a role profile consistent with their area of work and responsibilities
and establishes a unique electronic footprint when used to access
systems. These records can be analysed to identify suspect behaviours.
Where suspect behaviour is identified, local trusts will follow
their procedures for investigating staff.
24. No system functionality will be available
to an individual who does not possess a smartcard and know the
associated pass code. The role profile that has been assigned
to an individual through the registration process determines which
system functions, and consequently which parts of a record, an
individual who has logged on to the system can access.
25. A central record is also maintained
within the systems of which patients each staff team (workgroup) are
currently caring for. A GP Practice, an A&E Department or
a clinic would be typical workgroups. This relationship, termed
a "legitimate relationship" (LR) is a prerequisite of
access to a specific patient's record. Without such a relationship
access is prevented.
26. Full audit trails of who has done what,
made possible by the unique identity associated with each smartcard,
are maintained within systems and it is intended that these will
be available to patients on request, as well as to staff charged
with checking for system misuse by authorised staff. This is a
considerable advance on what exists now with either paper or electronically
held records.
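The checks described in paragraphs 23 to 26 can be read as one decision procedure: an authenticated smartcard session, then the role profile, then the legitimate relationship, with every attempt audited. The following is an added sketch of that sequence, not NHS CRS code; the role names, function names, identifiers and class design are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role profiles: role name -> system functions that role may use.
ROLE_PROFILES = {
    "gp": {"view_demographics", "view_clinical", "edit_clinical"},
    "receptionist": {"view_demographics"},
}


@dataclass(frozen=True)
class Session:
    """A user who has presented a smartcard and passcode."""
    user_id: str     # unique identity bound to the smartcard
    role: str        # role profile assigned at registration
    workgroup: str   # team the user works in, e.g. a GP practice


@dataclass
class RecordService:
    # Central record of which patients each workgroup is caring for.
    relationships: set = field(default_factory=set)
    audit_trail: list = field(default_factory=list)

    def add_relationship(self, workgroup, patient_id):
        self.relationships.add((workgroup, patient_id))

    def request(self, session, function, patient_id):
        """Decide one access request; allowed or refused, it is audited."""
        if session is None:
            reason = "no smartcard session"
        elif function not in ROLE_PROFILES.get(session.role, set()):
            reason = "function not in role profile"
        elif (session.workgroup, patient_id) not in self.relationships:
            reason = "no legitimate relationship"
        else:
            reason = "ok"
        self.audit_trail.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": session.user_id if session else None,
            "function": function,
            "patient": patient_id,
            "allowed": reason == "ok",
            "reason": reason,
        })
        return reason == "ok"

    def trail_for_patient(self, patient_id):
        """Audit entries for one patient, as could be shown on request."""
        return [e for e in self.audit_trail if e["patient"] == patient_id]

    def refusals_by_user(self):
        """Count refused requests per user, a simple input to misuse review."""
        return Counter(e["user"] for e in self.audit_trail if not e["allowed"])


def run_sample():
    """Constructed sample: one practice, two staff, two patients."""
    svc = RecordService()
    svc.add_relationship("practice-A", "patient-1")
    gp = Session("card-0001", "gp", "practice-A")
    clerk = Session("card-0002", "receptionist", "practice-A")
    results = [
        svc.request(gp, "view_clinical", "patient-1"),        # allowed
        svc.request(clerk, "view_clinical", "patient-1"),     # role refuses
        svc.request(gp, "view_clinical", "patient-2"),        # no relationship
        svc.request(None, "view_demographics", "patient-1"),  # no smartcard
    ]
    return svc, results


if __name__ == "__main__":
    service, outcomes = run_sample()
    print(outcomes)
    for entry in service.trail_for_patient("patient-1"):
        print(entry["user"], entry["function"], entry["reason"])
```

Refused requests are written to the same trail as successful ones, so a reviewer sees attempts as well as accesses.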
27. NHS organisations must undertake to
observe strict conditions to ensure the NHS CRS is used appropriately,
and users are required to sign up to a set of conditions for use
of the smartcard. These obligations and conditions are complemented
by the various existing codes of conduct and professional responsibilities
by which all NHS staff are bound. Actions which do not conform
to them, which includes the sharing of smartcards, are dealt with
locally. Sharing of information between members of a team has
happened routinely prior to the introduction of smartcards, but
we recognise that the sharing of smartcards could undermine the
assurance that patient confidentiality will always be appropriately
respected. Staff who breach patient confidentiality are subject
to professional disciplinary measures. Offending doctors and nurses
will be reported to their professional regulatory bodies and may
face additional disciplinary action, including losing their licence
to practise.
OPTIONS AND CONTROLS AVAILABLE TO PATIENTS
28. Patients have a number of options. They
were developed following extensive research and consultation with
patients/carers/citizens and the NHS.
(i) Not to have a Summary Care Record (SCR)
by requesting this through the GP Practice where they are registered.
Individuals who opt-out of having a SCR may change their minds
at any point in the future. Electronic prescriptions and electronic
bookings are also optional.
(ii) To direct that controls are set to prevent
data sharing. In this case the SCR can only be viewed with the
individual's express permission or in accordance with the exceptions
to English common law confidentiality obligations. Local sharing
of Detailed care records across organisational boundaries will
also be prevented, essentially recreating the pre-NCRS situation.
(iii) To have their address and contact numbers
hidden so that they are not available to NHS staff. Whilst the
NHS is legally required to hold non-clinical patient contact details
for all patients where these can be obtained, this option has
been provided so that even the most concerned individuals can
still receive care and have joined-up records.
In time, patients will also be able to have
an SCR but to designate some data items as sensitive so that they
cannot be viewed outside of the team that recorded the information
without the individual's express permission. This type of control
is referred to as a "sealed envelope".
DISCLOSURE OVERRIDES: COURT ORDERS, AND THE PUBLIC INTEREST TEST
29. Whilst all information held by a doctor
about a patient is subject to the requirements of the Data Protection
Act 1998, and patients' consent to share, and ability to limit
the sharing of their care record, is covered by the NHS Care Record
Guarantee, circumstances may arise requiring authorised users
of the care records database to open sealed envelopes without
patients' permission. In part this will depend upon the type of
information that patients choose to seal. For example, the law
requires some forms of communicable disease to be notified to
the National Patient Safety Agency, so if a patient sealed information
about this, the information would be extracted without the patient's
permission.
30. Where information is sealed it will
be opened without specific permission only where there is an explicit
statutory requirement to disclose information, as in the above
example, where a Court orders the disclosure, or where the holder
of the information determines that the public interest outweighs
the patient's right to confidentiality, for example in cases of
serious crime or where there are significant risks to other people.
By their nature, these will be very unusual circumstances.
Use of data held on the new systems for purposes
other than the delivery of care eg clinical research
31. The primary purpose of the NHS Care
Records Service (NHS CRS) is to support the delivery of care to
patients. However, as a by-product of collecting information for
operational patient care, the introduction of the NHS Care Records
Service (NHS CRS) represents a major opportunity for supporting
the secondary analysis and reporting of information for a variety
of purposes. The architecture of the NHS Care Records Service
(NHS CRS) provides the opportunity to rationalise data abstraction,
data flows, data management, analysis and reporting. This supports
management and clinical purposes other than direct patient care,
such as healthcare planning, commissioning, public health, clinical
audit, benchmarking, performance improvement, research and clinical
governance. The system by which this is done is called the Secondary
Uses Service (SUS).
32. Wherever possible, data will be extracted
automatically as a by-product of NHS services supporting direct
patient care, including the NHS Care Records Service (NHS CRS),
Choose and Book and Electronic Transmission of Prescriptions.
Initial Secondary Uses Service (SUS) content will cover the NHS
in England and will be patient-specific. It will build on operational
information already being shared by the NHS such as commissioning
of healthcare services (eg diagnosis and procedures), cancer waiting
times, clinical audit and supporting demographic data. Data will
in due course cover all care settings (primary, community and
acute) and all NHS-commissioned activity, including services provided
for the NHS by the independent sector.
33. The aim is for this data to be made
available either in aggregate form or, where detailed information
is provided, in anonymised or pseudonymised form. This process
removes patient identifiable information and allocates a consistent
"pseudonym" so that individual cases can still be tracked,
but only with explicit approval.
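One common way to allocate a consistent pseudonym is a keyed hash of the patient identifier, with the key and the reverse lookup held apart from the released data. The following is an added sketch under that assumption, not the Secondary Uses Service's own method; the field names, key, approval reference and NHS numbers are constructed. A keyed HMAC is used rather than a plain hash because identifiers drawn from a small number space could otherwise be recovered by hashing every candidate.

```python
import hashlib
import hmac

# Fields treated as patient-identifiable in this sketch (an assumption).
IDENTIFIABLE = {"nhs_number", "name", "address", "postcode", "date_of_birth"}


class Pseudonymiser:
    """Strips identifiers and allocates a consistent keyed pseudonym."""

    def __init__(self, key: bytes, approvals: set):
        self._key = key              # secret held only by the pseudonymising service
        self._approvals = approvals  # approval references granted for re-identification
        self._lookup = {}            # pseudonym -> NHS number, never released

    def pseudonym(self, nhs_number: str) -> str:
        # Normalise spacing so "999 000 0001" and "9990000001" match.
        normalised = "".join(nhs_number.split())
        digest = hmac.new(self._key, normalised.encode("ascii"), hashlib.sha256)
        return digest.hexdigest()[:20]

    def pseudonymise(self, record: dict) -> dict:
        """Return a copy of the record with identifiers replaced by a pseudonym."""
        token = self.pseudonym(record["nhs_number"])
        self._lookup[token] = "".join(record["nhs_number"].split())
        released = {k: v for k, v in record.items() if k not in IDENTIFIABLE}
        released["pseudonym"] = token
        return released

    def reidentify(self, token: str, approval_ref: str) -> str:
        """Map a pseudonym back to the NHS number, only with an approval."""
        if approval_ref not in self._approvals:
            raise PermissionError("re-identification requires explicit approval")
        return self._lookup[token]


def run_sample():
    """Constructed records: two episodes for one patient, one for another."""
    p = Pseudonymiser(b"constructed-demo-key", approvals={"APPROVAL-PLACEHOLDER"})
    records = [
        {"nhs_number": "999 000 0001", "name": "A Sample", "postcode": "ZZ1 1ZZ",
         "date_of_birth": "1950-01-01", "episode": "admission", "code": "X1"},
        {"nhs_number": "9990000001", "name": "A. Sample", "postcode": "ZZ1 1ZZ",
         "date_of_birth": "1950-01-01", "episode": "outpatient", "code": "X2"},
        {"nhs_number": "999 000 0002", "name": "B Sample", "postcode": "ZZ2 2ZZ",
         "date_of_birth": "1960-02-02", "episode": "admission", "code": "X1"},
    ]
    return p, [p.pseudonymise(r) for r in records]


if __name__ == "__main__":
    _, released = run_sample()
    for row in released:
        print(row)
```

The first two released rows carry the same pseudonym, so the episodes can be linked for analysis without the extract containing a name or NHS number.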
34. Access to identifiable information is
available only where patient consent has been given, or where
specific permissions apply. Permission is required from an expert
group called the Patient Information Advisory Group (PIAG), set
up under the Health and Social Care Act (2001). This group assesses
each application to test that the use of patient information is
justified, taking into account issues of confidentiality and consent.
35. Access to the Secondary Uses Service
requires each user to be formally registered and to use individual
smart card access, just as for other systems in the National Programme
for IT in the NHS. Each user is allocated a role which determines
the functions (ie what reports they can access) and the coverage
(eg the organisation or geography of data which may be accessed).
Key user activities, eg, logon and performing an extract, are
logged.
36. In January 2006, the new national health
research strategy Best Research for Best Health announced
that the Department of Health would ensure the capability exists
within the national NHS IT system to facilitate, strictly within
the bounds of patient confidentiality, the recruitment of patients
to clinical trials and the gathering of data to support work on
the health of the population and the effectiveness of health interventions.
The UK Clinical Research Collaboration established an expert group
under Professor Ian Diamond, Chief Executive of the Economic &
Social Research Council, to advise NHS Connecting for Health on
maximising the use of the NHS Care Record for research. It has
simulated how clinical trials and large observational studies
could draw on the NHS infrastructure, and will report shortly.
37. The Secondary Uses Group set up by the
Care Record Development Board to advise on the ethical use of
patient data and how the potential for research, statistics and
management can be realised without compromising confidentiality
or security is due to report shortly.
CONCLUSION
38. There is no room for complacency in
a large and complex change programme that aims to achieve major
and lasting improvements in patient safety and patient care. The
supporting IT systems will process often intimate information
about people and there needs to be a programme of continuous appraisal
and improvement. The Department of Health intends to establish
a National Information Governance Board (NIGB) answerable to the
Secretary of State for Health, to provide a single authoritative
source of monitoring, oversight and advice on the use of information
in health and social care. The NIGB will review compliance with
the NHS Care Record Guarantee and report annually to the Secretary
of State. With increased availability of patient information,
it is important to safeguard access and to retain the confidence
of the public. The NIGB will prevent complacency by adopting and
maintaining high standards and by being ever watchful and in touch
with public perceptions.
April 2007