Select Committee on Home Affairs Written Evidence


APPENDIX 36

Memorandum submitted by the Department of Health

  The Committee has announced that the focus of its inquiry will be on Home Office responsibilities, but that it will also look, where relevant, at those of other departments, and has mentioned in that context "databases being developed by the Department of Health". We have interpreted this as a reference to the NHS Care Records Service (NHS CRS).

  The following evidence is very largely drawn from written evidence recently submitted to the Health Select Committee in connection with its current inquiry into electronic patient records.

EXECUTIVE SUMMARY

  The NHS CRS will, in due course, provide a nationally available, secure, lifelong patient record that holds patient demographic data and, from 2007, will start to hold summary clinical information such as allergies, adverse medical events, medication etc. Access is via secure smartcard technology, available at the point of need by healthcare professionals who have a role-based, legitimate relationship with the patient.

  We believe that holding summary care records, and doing so on a national database, will deliver very significant benefits for safety and the efficient management of NHS services, improving healthcare outcomes for millions whilst preventing thousands of unnecessary deaths.

  In all cases, access to records will only be permitted to the staff of organisations involved in the care of NHS patients, working as part of a team that is providing a patient with care, and will be limited to only as much information as is needed for the purpose of the care or other job role being performed in relation to the patient. Where those providing care are not NHS staff then patients will be informed of this and any objections raised respected.

  The NHS CRS will incorporate stringent security controls and safeguards to prevent unrestricted or uncontrolled access to personal information. Beyond that, patients will have the right to restrict access to their clinical information, and clinicians responsible for treating them have a duty of care to explain to those who choose to do so the potential impact their decisions may have on their future care. If nonetheless a patient does not want important data to be available to other than those who have collected it, even though absence of that information may lead to future harm, they will have the right to seal the information and accept the consequences.

  It will be open to individuals to choose not to have a summary care record at all.

Patient information that will be held on the new local and national electronic record systems, and the options patients will have to prevent their personal data being placed on systems

CLINICAL INFORMATION

  1.  The recording of clinical information is a matter for professional regulation and will also depend in part on policies and protocols in local NHS organisations. Doctors are required by the General Medical Council to keep clear, accurate, legible and contemporaneous patient records which report the relevant clinical findings, the decisions made, the information given to patients, and any drugs or other treatment prescribed, and which serve to keep colleagues well informed when sharing the care of patients. Other health professionals have similar obligations.

DEMOGRAPHIC INFORMATION

  2.  Patients' demographic details are already held in the Personal Demographics Service (PDS), a key component of the NHS Care Records Service. It is estimated that in the region of 3.5 million patients per annum change GP Practices. For an increasingly mobile population, and with an ever more diverse range of NHS healthcare providers, the PDS provides a consistent, accurate source of demographic information. This includes items such as:

    —    name;

    —    address;

    —    date of birth;

    —    NHS number; and

    —    current GP.

  3.  Currently, in a typical week, 6.5 million messages are processed by the demographics service which is accessed on a typical NHS day by 50,000 authenticated unique users. The total number of queries to date now exceeds 230 million. As a result of the central personal demographics database some three quarters of a million letters per year are now correctly addressed. The introduction of the Personal Demographic Service (PDS) at University Hospital Birmingham has seen a reduction from 3% of misdirected letters down to 0.44%, improving overall accuracy rates for patient correspondence to 99.56%.

  4.  Access to the Personal Demographics Service (PDS) will reduce clinical risks arising from a failure to match patients with their clinical record, and help minimise cases of correspondence and documents being misdirected. Currently, some trusts send tens of thousands of misdirected items of mail a year, and nationally the figure runs into millions of items. Early evidence from one trust has shown a six-fold reduction in misdirected mail addressed using data held in the Personal Demographics Service (PDS), with a saving in postal and staff-related costs that would translate into many millions of pounds nationally per year.

  5.  People registered with the NHS will not be able to prevent their basic demographic and contact details from being held within the NHS CRS. The NHS has maintained registers of its service users from the earliest days of its existence and for a variety of reasons to support the delivery of healthcare.

  6.  Regulations require the NHS to keep a record of which GP practice each person is registered with and reasons of efficiency and probity require this to be held centrally (eg to prevent multiple GPs from being paid for the same patient and to ensure that the correct commissioning body meets the cost of care provided). A register is also needed to enable the Secretary of State to meet legal obligations to provide healthcare, free at the point of contact, for those patients who are ordinarily resident in England.

  7.  Access to the Personal Demographics Service (PDS) by NHS staff is restricted to those issued with a smartcard and an appropriate role. To locate a specific individual's records it is necessary for these staff to input sufficient information to obtain a unique match, generally only possible where the individual concerned is present and can be asked for details. If this proves difficult because there are too many individuals with similar details, a list can be accessed but doing so generates an alert to other staff responsible for ensuring and checking that the system is not being misused. Further, whilst it is not practicable to give patients choice about whether their demographic details will be held in the system, safeguards have been built into the PDS which allow an individual's contact details to be hidden from NHS staff if they request this level of protection. These safeguards, termed sensitive flagging or shielding of records, were developed originally for witness protection and similar cases but are now available for all patients who have strong concerns about NHS staff accessing their contact details. It is intended that all staff involved in care who need to access demographic information, even those who are not employed directly by the NHS, will be subject to at least the same levels of registration as NHS employees when being granted access to patient information.

SUMMARY CARE RECORD

  8.  The Summary Care Record forms the national element of the NHS Care Record Service and will provide authorised healthcare professionals with access to key clinical information about a patient anywhere at any time. Piloting of the Summary Care Record, part of the NHS Care Records Service (NHS CRS), in "early adopter sites" will begin from Spring 2007. The ready availability of information about patients in the Summary Care Record will help prevent medication errors which cause 1,200 unnecessary deaths a year in England and Wales. It will also help reduce unnecessary admissions to hospital, particularly of older people. The Summary Care Record will be created by copying data currently held within GP systems with the agreement of the GP Practices concerned. At first, the Summary Care Record will contain only basic information such as known allergies, known adverse reactions to medications and other substances (eg peanuts), acute prescriptions in the past six months and repeat prescriptions that are not more than six months beyond their review date.

  9.  In due course more information will be added about current health conditions and treatment. "Adverse drug reactions (ADRs) continue to represent a considerable burden on the NHS, accounting for 1 in 16 hospital admissions and 4% of the hospital bed capacity. Most ADRs were predictable from the known pharmacology of the drugs and many represented known interactions and are therefore likely to be preventable. Over 2% of patients admitted with an adverse drug reaction died, suggesting that adverse effects may be responsible for the death of 0.15% of all patients admitted" (Source: BMJ abstract of research at two general hospitals in Merseyside—BMJ 2004; 329:15-19).

  10.  Discussions are under way with representatives of the medical professions, patients and the public about the final scope and implementation of the Summary Care Record. Experience in the early adopter sites will be thoroughly evaluated before wider roll-out of the Summary Care Record.

  11.  Individuals who have concerns can choose not to have a Summary Care Record created for them. They will be advised to inform their GP of their views and to request that a note be made of their concerns and the choice they have made. The GP practice may ask the patient to sign a form indicating that they understand and accept that it may not be possible for the NHS to provide them with the same care as others receive in circumstances where the Summary Care Record will enable improved care. They can alternatively choose to have a Summary Care Record created but not accessible to anyone but themselves. They will be able to access it at any time using a secure internet site called HealthSpace. Patients will of course be able to change their mind and request a Summary Care Record at any point.

DETAILED CARE RECORD

  12.  Records containing information about a patient's medical care exist currently in a variety of places, for example, at their GP surgery or at hospitals where they have received treatment but at present they cannot easily be shared. Over the next few years, as the NHS Care Records Service (NHS CRS) develops, NHS organisations such as hospitals, clinics and GPs will be able to share their electronic records where appropriate. This may vary from area to area depending on the physical infrastructure. A patient who has attended NHS organisations in different areas may have more than one set of shared detailed records.

  13.  The detailed care record component of the NHS Care Records Service (NHS CRS) will support the care process and will typically contain:

    —    name;

    —    address;

    —    date of birth and NHS Number;

    —    past and current health conditions, allergies;

    —    assessment, investigations and diagnosis including test results and digital images;

    —    care plans and reminders;

    —    treatments including operations and medications; and

    —    care reviews and discharge information.

  14.  Individuals may ask those who are providing care for them whether or not it is possible to withhold information from the new IT systems but in many cases this will be impracticable. Some forms of care, X-rays, laboratory tests etc will generate records within the new systems automatically and the only way to prevent this is to choose not to have that particular care or treatment. Where clinicians feel that they can keep adequate records outside of the new systems there will need to be robust arrangements for clinical audit in order to assure the quality of care and protect patient safety. The Department of Health is to conduct a consultation on processes for managing patient requests of this sort. However, even where information has to be held within the new systems, patients have considerable control over who may access that information as described below. Alternatively, people can choose to have their information held electronically but not accessible to anyone outside the organisation that created it—thereby recreating an electronic version of the status quo.

How third-party access to locally and nationally held clinical and demographic information will be managed and controlled

  15.  Only the duly authorised staff of organisations that are involved in providing care will have access to confidential medical information held within the NHS Care Records Service (NHS CRS). Such staff will need to have a "legitimate relationship" to access the information in an individual patient's record and will only have access to system functions, and hence to data, as required by their role. Organisations that are not involved in providing or supporting the delivery of health and social care, will not have direct access to any confidential medical data.

  16.  Exceptionally, disclosure of clinical information outside of a health context may be considered in cases of serious crime or where there are significant risks to other people, but public interest rules for disclosure to the police or other agencies are not changed by the introduction of the NHS Care Records Service (NHS CRS). In rare circumstances, the law or the Courts require clinical information to be disclosed and requirements such as these must necessarily be met. This is exactly the same as what happens now with paper records and non-linked computer systems.

  17.  Demographic data—contact details—has not always been held under the same strict rules of confidentiality as clinical data but some individuals provide their contact details in circumstances where confidentiality needs to apply. To reflect this, and also to reflect the importance that the Department of Health places on sustaining the trust of patients, as a matter of policy all patient demographic data is treated as if it were confidential for most purposes. Such data is therefore only disclosed to support health and social care or under the same public interest rules as clinical data or where there is a statutory basis for the disclosure.

PROTECTING PATIENT CONFIDENTIALITY

  18.  The benefits of the NHS Care Records System (NHS CRS) for both patients and NHS staff depend on safeguarding sensitive patient information from inappropriate disclosure. The NHS Care Record System provides a set of technical access controls and audit facilities that, along with the professional standards of staff in the NHS, safeguard sensitive patient information from inappropriate disclosure. They provide much more rigorous controls than exist now for either paper records or existing electronically held records.

  19.  The Department of Health sets stringent standards for patient confidentiality and has taken the lead in government in developing a comprehensive privacy statement in the form of the NHS Care Record Guarantee, articulating in plain language precisely what NHS organisations must do to meet legal and policy requirements. The Department is also strongly supporting the Information Commissioner in seeking stronger penalties for breaches.

  20.  International security standards are applied across all system implementations. These include the use of encryption on communication links between systems, and on user interfaces with systems. The security of data centres is assured using both international and British standards, and all suppliers to the National Programme are contractually bound to audit their adherence to these.

  21.  The NHS Care Records Service (NHS CRS) incorporates stringent security controls and safeguards to prevent unauthorised access to personal information and to detect potential abuse. These controls are complex to implement and there is a trade-off between usability and ease of access to data and questions relating to security and patient safety. The Department is therefore proceeding cautiously and consultatively and is providing the NHS with a set of security tools to deliver centrally determined standards.

  22.  The Department is aware that some patients will not be reassured by NHS security controls and is therefore providing patients with choice about participation in many of the new developments. Uniquely, the Department is also providing security controls that are set at the direction of patients. This provides unprecedented confidentiality management for patients of the NHS in England.

SECURITY CONTROLS MANAGED BY THE NHS

  23.  Users (healthcare professionals) are vetted and sponsored by their local organisations for specific access appropriate to their job role and area of work. There is a strong registration process compliant with the government standard eGif level 3 which means the user has to initially appear in person to prove their identity before access is assigned by the "Registration Authority" governed by NHS Connecting for Health. On successful completion of the registration process, a user is issued a smartcard—a secure token that, together with a passcode, confirms the identity of a user at the time of access. The registration process assigns them a role profile consistent with their area of work and responsibilities and establishes a unique electronic footprint when used to access systems. These records can be analysed to identify suspect behaviours. Where suspect behaviour is identified, local trusts will follow their procedures for investigating staff.

  24.  No system functionality will be available to an individual who does not possess a smartcard and know the associated pass code. The role profile that has been assigned to an individual through the registration process determines which system functions, and consequently which parts of a record, an individual who has logged on to the system can access.

  25.  A central record is also maintained within the systems of which patients each staff team—workgroup—are currently caring for. A GP Practice, an A&E Department or a clinic would be typical workgroups. This relationship, termed a "legitimate relationship" (LR) is a prerequisite of access to a specific patient's record. Without such a relationship access is prevented.

  26.  Full audit trails of who has done what, made possible by the unique identity associated with each smartcard, are maintained within systems and it is intended that these will be available to patients on request, as well as to staff charged with checking for system misuse by authorised staff. This is a considerable advance on what exists now with either paper or electronically held records.

  27.  NHS organisations must undertake to observe strict conditions to ensure the NHS CRS is used appropriately, and users are required to sign up to a set of conditions for use of the smartcard. These obligations and conditions are complemented by the various existing codes of conduct and professional responsibilities by which all NHS staff are bound. Actions which do not conform to them, which include the sharing of smartcards, are dealt with locally. Sharing of information between members of a team has happened routinely prior to the introduction of smartcards, but we recognise that the sharing of smartcards could undermine the assurance that patient confidentiality will always be appropriately respected. Staff who breach patient confidentiality are subject to professional disciplinary measures. Offending doctors and nurses will be reported to their professional regulatory bodies and may face additional disciplinary action, including losing their licence to practise.

OPTIONS AND CONTROLS AVAILABLE TO PATIENTS

  28.  Patients have a number of options. They were developed following extensive research and consultation with patients/carers/citizens and the NHS.

    (i)  Not to have a Summary Care Record (SCR) by requesting this through the GP Practice where they are registered. Individuals who opt out of having an SCR may change their minds at any point in the future. Electronic prescriptions and electronic bookings are also optional.

    (ii)  To direct that controls are set to prevent data sharing. In this case the SCR can only be viewed with the individual's express permission or in accordance with the exceptions to English common law confidentiality obligations. Local sharing of Detailed care records across organisational boundaries will also be prevented—essentially recreating the pre-NCRS situation.

    (iii)  To have their address and contact numbers hidden so that they are not available to NHS staff. Whilst the NHS is legally required to hold non-clinical patient contact details for all patients where these can be obtained, this option has been provided so that even the most concerned individuals can still receive care and have joined-up records.

  In time, patients will also be able to have an SCR but to designate some data items as sensitive so that they cannot be viewed outside of the team that recorded the information without the individual's express permission. This type of control is referred to as a "sealed envelope".

DISCLOSURE OVERRIDES: COURT ORDERS, AND THE PUBLIC INTEREST TEST

  29.  Whilst all information held by a doctor about a patient is subject to the requirements of the Data Protection Act 1998, and patients' consent to share, and ability to limit the sharing of their care record, is covered by the NHS Care Record Guarantee, circumstances may arise requiring authorised users of the care records database to open sealed envelopes without patients' permission. In part this will depend upon the type of information that patients choose to seal. For example, the law requires some forms of communicable disease to be notified to the National Patient Safety Agency, so if a patient sealed information about this, the information would be extracted without the patient's permission.

  30.  Where information is sealed it will be opened without specific permission only where there is an explicit statutory requirement to disclose information, as in the above example, where a Court orders the disclosure, or where the holder of the information determines that the public interest outweighs the patient's right to confidentiality, for example in cases of serious crime or where there are significant risks to other people. By their nature, these will be very unusual circumstances.

Use of data held on the new systems for purposes other than the delivery of care eg clinical research

  31.  The primary purpose of the NHS Care Records Service (NHS CRS) is to support the delivery of care to patients. However, as a by-product of collecting information for operational patient care, the introduction of the NHS Care Records Service (NHS CRS) represents a major opportunity for supporting the secondary analysis and reporting of information for a variety of purposes. The architecture of the NHS Care Records Service (NHS CRS) provides the opportunity to rationalise data abstraction, data flows, data management, analysis and reporting. This supports management and clinical purposes other than direct patient care, such as healthcare planning, commissioning, public health, clinical audit, benchmarking, performance improvement, research and clinical governance. The system by which this is done is called the Secondary Uses Service (SUS).

  32.  Wherever possible, data will be extracted automatically as a by-product of NHS services supporting direct patient care, including the NHS Care Records Service (NHS CRS), Choose and Book and Electronic Transmission of Prescriptions. Initial Secondary Uses Service (SUS) content will cover the NHS in England and will be patient-specific. It will build on operational information already being shared by the NHS such as commissioning of healthcare services (eg diagnosis and procedures), cancer waiting times, clinical audit and supporting demographic data. Data will in due course cover all care settings (primary, community and acute) and all NHS-commissioned activity, including services provided for the NHS by the independent sector.

  33.  The aim is for this data to be made available either in aggregate form or, where detailed information is provided, in anonymised or pseudonymised form. This process removes patient identifiable information and allocates a consistent "pseudonym" so that individual cases can still be tracked, but only with explicit approval.

  34.  Access to identifiable information is available only where patient consent has been given, or where specific permissions apply. Permission is required from an expert group called the Patient Information Advisory Group (PIAG), set up under the Health and Social Care Act (2001). This group assesses each application to test that the use of patient information is justified, taking into account issues of confidentiality and consent.

  35.  Access to the Secondary Uses Service requires each user to be formally registered and to use individual smart card access, just as for other systems in the National Programme for IT in the NHS. Each user is allocated a role which determines the functions (ie what reports they can access) and the coverage (eg the organisation or geography of data which may be accessed). Key user activities, eg, logon and performing an extract, are logged.

  36.  In January 2006, the new national health research strategy Best Research for Best Health announced that the Department of Health would ensure the capability exists within the national NHS IT system to facilitate, strictly within the bounds of patient confidentiality, the recruitment of patients to clinical trials and the gathering of data to support work on the health of the population and the effectiveness of health interventions. The UK Clinical Research Collaboration established an expert group under Professor Ian Diamond, Chief Executive of the Economic & Social Research Council, to advise NHS Connecting for Health on maximising the use of the NHS Care Record for research. It has simulated how clinical trials and large observational studies could draw on the NHS infrastructure, and will report shortly.

  37.  The Secondary Uses Group set up by the Care Record Development Board to advise on the ethical use of patient data and how the potential for research, statistics and management can be realised without compromising confidentiality or security is due to report shortly.

CONCLUSION

  38.  There is no room for complacency in a large and complex change programme that aims to achieve major and lasting improvements in patient safety and patient care. The supporting IT systems will process often intimate information about people and there needs to be a programme of continuous appraisal and improvement. The Department of Health intends to establish a National Information Governance Board (NIGB) answerable to the Secretary of State for Health, to provide a single authoritative source of monitoring, oversight and advice on the use of information in health and social care. The NIGB will review compliance with the NHS Care Record Guarantee and report annually to the Secretary of State. With increased availability of patient information, it is important to safeguard access and to retain the confidence of the public. The NIGB will prevent complacency by adopting and maintaining high standards and by being ever watchful and in touch with public perceptions.

April 2007



 

© Parliamentary copyright 2008
Prepared 8 June 2008