Online services: Information governance and online access
Guidance for general practice

Information governance (IG) is the term used to describe how organisations manage the way information is handled within health and social care. It covers the behaviour and standards needed to ensure that confidential information is handled legally, securely, efficiently, effectively and in a way which maintains public trust. It is based on the balance established in law between privacy and sharing of confidential data, which is fundamental to health and social care.

The introduction of online patient access to services does not change the right that patients already have to request access to their medical records, provided by the subject access provisions of the Data Protection Act (DPA) 1998. The DPA principles and confidentiality requirements apply in the same way as they do for subject access requests for paper copies of the record. Online access does bring a new dimension to practice responsibilities for information governance that practices must be aware of as the new GMS contractual requirements to offer online services come into force. Far more patients are likely to ask for online access to their record than used to ask for their paper record, and they will look at their records more often.

This brief guidance aims to support GP practices, and particularly their information governance leads, to meet the challenges that will arise and to consider the implications of what online access might mean for practices and their patients. Links are provided to further resources and guidance.

Implications for practices and for patients

Enabling patients’ access to services and their health records online encourages greater engagement with healthcare. They will have a more immediate way of finding out what is in their records and could use that information to feel more in control of their care. However, patients also need to understand the risks of online access.
Security and privacy must be maintained in a similar way to other services, such as online banking. Before patients are registered for access to any of their practice’s electronic services, they need to understand the implications of not keeping their access details, or the information they copy or download, secure.

Online access may be requested by the patient or suggested by the practice, but whoever proposes it, it is essential that the practice confirms the identity of the person who will receive access to a patient’s record. If this is not the patient but someone asking for access on behalf of the patient, it is essential to confirm the identity of this person and establish that they have the explicit informed consent of the patient to access their record. It is also necessary in this situation to verify the identity of the person giving consent. Under certain circumstances, in which a patient lacks capacity to give consent, it may be possible for the practice to give someone else access as a proxy. There is more information about proxy access and identity verification at the end of the guidance.

Practices should also bear in mind that some patients may be coerced by others into sharing information unwillingly, or they may reveal information without realising the implications for them of not keeping the information confidential. For guidance about what a staff member should do if, on receiving a request for online access, they have any suspicion that a patient may be coerced or tricked into providing access to their health record to a third-party, please read Coercion guidance for general practice.

V 1.1 27 March 2015

The practice should also ensure that the patient takes into account the risk that the record may contain information that they don't understand or that might worry them. This may include information that they may have forgotten, particularly if the practice allows retrospective access to historical data in the record.
The risks are reduced if the practice only offers prospective access to limited elements of the record. The record may include abnormal results or bad news which may be upsetting. Patients may also misunderstand the data in the record. There may be inaccuracies or omissions. The patient should be advised to contact the practice as soon as possible if any of these things happen.

The patient may see information in their record that is about someone else, to which the patient would not otherwise have access. This is usually referred to as “third party information”. Patients should be asked to log out of the record access and inform the practice as soon as possible if this happens. The practice should withdraw access until the data has been assessed and appropriate action taken in line with the practice’s information governance policies and the Information Commissioner’s online code of practice. This may include deleting the data, informing the third-party of what has happened and complying with legal reporting requirements.

Practice actions to support information governance for patient online access

While each practice may face unique situations and circumstances, there are some information governance issues that can be predicted and planned for when implementing online services.

• Practices need to complete NHS Information Governance Toolkit assessments regularly to ensure they are managing information responsibly in compliance with their legal obligations. The Information Governance Review is a useful resource about the practice’s responsibilities.
• A designated information governance lead should be appointed and information governance policies put in place that provide clear guidance to help staff manage information safely and securely.
• Information governance leads need to be certain that these policies and any associated guidelines are appropriately updated to cover the provision of access to online services. All staff members need to understand what to do, particularly in circumstances that may be unfamiliar to them.
• Staff members who make entries in patient records should be aware that patients will be able to view their entries online, and bear this in mind when deciding what to enter in the records. In addition to the usual care over data quality, staff should take care to avoid the use of abbreviations and euphemisms that may be misunderstood by patients, and avoid recording third-party data.
• Screening records for third-party references before allowing access can be a time-consuming process, especially if full record access or retrospective access, which are beyond the scope of GMS and PMS contractual requirements, is offered to patients. Practices should have a process that allows this to be done in a timely fashion, particularly if they are receiving many requests for online access. It may be possible to offer limited access, depending on which system the practice uses, as an interim measure until the full record can be screened.

Information governance issues should be discussed regularly at practice meetings to help ensure policies are maintained and adhered to. Practice staff members should be encouraged to help each other raise standards of handling information about patients.

Practices are encouraged to seek specialist advice on information governance issues locally from Local Medical Committees, medical defence organisations, or the clinical commissioning group (CCG) Caldicott Guardian. NHS England’s Area Teams should have put additional local support for practices in place. Advice can be sought centrally from the Information Governance Alliance, a team drawn from DH, NHS England and HSCIC, by writing to [email protected]. System suppliers can provide advice about the best way to use their system to provide safe and secure online services.
Information Governance planning checklist for practices

Information Governance foundations

Practices need to ensure that they have a robust approach to information governance. The NHS Information Governance Toolkit is a useful place to start and all practices should achieve a ‘satisfactory’ result. The practice information governance lead should ensure that there are clear guidelines for staff on information handling and data quality.

Patients should also be reassured that their data will remain subject to the practice’s confidentiality protocols, which will ensure access is only granted to those who require it to deliver care. Their information will normally only be divulged to anyone not directly involved in their care (including family and friends and health professionals) with their consent, except in special circumstances (such as where it would be required by law or in the public interest, or if a vulnerable child or adult needs protection).

Identity verification

Applicants for online services must have their identity verified before access is switched on. This is essential to protect against unlawful disclosure of confidential information to someone pretending to be the patient. Practices could nominate an access management lead to take responsibility for identity verification procedures. Verification should be simple, quick, patient-friendly and not overly demanding for the practice or the patient. Please refer to the more detailed Identity verification guidance for general practice.

Third-party data

Third-party data is data received from a third-party, such as a family member, or data about a third-party (e.g. agreed recorded family history data) recorded in the patient’s record. It may include consultation data, test results or scanned documents recorded by mistake in the wrong patient’s record.
Before enabling online access for a patient (whether at the patient’s request or for clinical reasons) to more than summary information, which is beyond the scope of GMS and PMS contractual requirements, clinicians will need to screen the record for third-party data. Disclosure may be a breach of data protection law and may result in harm or distress to the patient, or breach the confidentiality of the third-party. This is particularly important if access to retrospective records is to be granted. It is no different to providing patients with access to paper copies of their records.

Before they record anything about a third-party in a patient’s record, including an attribution of information about the patient, clinicians should discuss the possibility that the patient will see the information if they have access to their records. This applies to both paper copies of the record and online access. Clinicians should do the following:

• Seek and record the consent of the third-party before they record the information
• Ensure that the third-party understands that the patient may be able to infer the source of the information
• Ensure that the third-party is prepared to bear that risk or to have their identity explicitly recorded.

The third-party may decide to withhold the information or make it clear that they do not wish it to appear on the record of the patient. The source of the third-party data and their consent to record it should be recorded in the notes so that in the future it is clear that the patient can be allowed access to the data. These principles are highlighted by the Caldicott Information Governance Review of 2013, which lays out the professional standards around managing third-party data.

• If third-party data is found in the record when it is screened before online access is granted, there are a number of options that may be available to the practice, apart from refusing access. Some clinical systems offer facilities to hide elements of the record, to prevent access to records made before a specific date, or to limit access to parts of the record. It may be possible to hide particular sensitive data from display online.
• But on occasions it may be that sensitive information cannot be hidden or redacted and access is ‘all or nothing’, so in some cases enabling online access may not be appropriate.

Medical defence organisations have produced useful guidance on how to handle third-party data if it is liable to be sensitive, how to seek consent for divulging it from the third-party, how to redact data if needed, and general principles of confidentiality.

Services and record keeping

Medical records serve many purposes, and The Good Practice Guidelines for GP electronic patient records (version 4, 2011) highlights the functions of patient records. However, clinicians will need to review their record-keeping practice and think carefully about the content and comprehensibility of patient records in a world where access to online services is enabled. This is relevant to any type of record. It requires priority to be given to data accuracy and data quality, as well as patient-appropriate language, no omissions, no euphemisms and minimal abbreviations.

Patient concerns over online access

Patients may have questions or concerns about online access. The practice needs to ensure that its staff are trained to provide advice and support to such patients.

Patient concerns over record contents

As with records that are currently disclosed to patients under the DPA, patients may have questions about the content of their online records and clinical staff will need to be available to deal with queries. Many patients’ records contain very sensitive information that could cause significant distress and/or harm, including information taken from documents such as letters written many years ago.
Patients may also be distressed if they see test results that are abnormal without an opportunity to discuss them with their doctor. Patients must also be aware that there could be details in their record that reveal information about them without specifically stating it. For example, it might include a list of medicines that indicate particular health conditions, and patients at risk of coercion need to be particularly wary. Patients also need to be aware that insurance companies may seek this information.

There may be rare occasions where the patient may come across information about a different patient in their record. This might be a scanned letter that has been filed in the wrong record, or data recorded in the wrong patient’s record by mistake. Careful screening of records by the practice before online access is made available should eliminate this sort of risk, but no system is ever perfect and it is possible that it might happen. Patients who have online access should be advised to let the practice know as soon as possible if they come across anything that should not be in their records, whether or not it relates to another identifiable person.

The practice will need to investigate swiftly and thoroughly and will need to consider whether the error is isolated or whether it could have occurred in more than one record. In such situations practices will need to follow the Information Commissioner’s guidelines and also to seek specialist advice, such as from their medical defence organisations. Having identified the source and extent of the problem, the Information Commissioner’s guidelines and the GPs’ professional duty of candour require the practice to inform the patient(s) affected, apologise and provide a full explanation of what has happened and what steps will be taken to resolve the problem. Data controllers do have to report breaches of privacy of confidential data which are detrimental to the data subject to the Information Commissioner’s Office.
Further guidance is available from the perspective of the Information Commissioner’s Office.

Practice and patient responsibilities

Where online access is considered, the practice has a duty to ensure the patient understands the potential implications. There is advice for patients in the Records access patient information leaflet, as well as an Example registration form. They should be aware of the risk that there may be errors or third-party data in the record. There is a risk of a breach of their privacy if they make paper copies of their records or do not keep their personal access details secure. It must be made clear to patients that once they have accessed, downloaded or printed their record, the security of that information is their own responsibility, and they choose to share that information with other people at their own risk.

It could be explained to the patient that the record presented in online access is often unfit for the purpose of an accurate insurance or legal report. It may not be complete enough to meet the purposes of whoever is requesting it. It may only show some of the required information. It may not provide an accurate picture because the online record is not written or designed for this purpose.

They should also be aware of the risk of being coerced into sharing information unwillingly. Practices should be able to assess the risk of coercion and discuss it with the patient when they have concerns (see Coercion guidance for general practice). Reassurance might also be provided to patients that the practice takes the security and confidentiality of the records very seriously. Guidance on information sharing is available in the GMC Confidentiality Guidance and the NHS Information Governance Toolkit.

Protecting and managing passwords

If a patient knows or suspects that their record has been accessed by someone without their agreement, then they should change their password immediately. If they can’t do this for some reason, then the patient should contact the practice so that staff can remove online access until the patient is able to reset their password. Staff members therefore need to know how to manage password resets for patients, and how and when to remove online access to safeguard patient confidentiality.

Audit trails

Audit trails may record details about everyone who has accessed a patient’s record. Practices may need to liaise with system suppliers to determine the available audit functionality. Practices are then encouraged to make audit trails available to a patient if they express concerns and ask to see them. Patients may need help to interpret the content of audit trails.

Proxy access

Staff teams need to know how to manage proxy access arrangements when a patient has chosen to share access login details with family, friends or carers (including a care home). Nominated third-parties can be granted full access to a patient record, or access can be limited to booking or cancelling appointments, or ordering repeat prescriptions, depending on the patient’s preference. Doctors and other practice staff need to be satisfied that they have either the explicit informed consent of the patient to proxy access, or have followed a formal authorisation process where the patient lacks capacity to consent. More detailed Proxy access guidance for general practice is available.

Coercion

Patients may be coerced to unwillingly share information from their record or login details if they have online access. A similar risk arises if they possess a paper copy of their record. GPs, practice managers and administration staff involved in registering patients for online services must be aware of the potential impact of coercion and look for signs that a patient may be at risk, so that anyone who might be subject to coercion can be helped. For more information please refer to Coercion guidance for general practice.
Children

When young people have the capacity to understand all of the implications around online access, they have the same rights in law as adults. Decisions about providing children with online access to their records, and about enabling parents to access the records of competent children and young adults, can be complex. Please see the Proxy access guidance for general practice. The GMC provides detailed guidance on confidentiality, including confidentiality and children. Advice can also be sought from medical defence organisations.

Disclaimer

This guidance is a public resource providing general information and not advice relating to specific issues. Practices and other users of this guidance should consider taking advice tailored to their particular circumstances. This guidance is intended, but not promised or guaranteed, to be correct and up-to-date at the time of its publication. The Royal College of General Practitioners does not warrant, nor does it accept any responsibility or liability for, the accuracy or completeness of the content or for any loss which may arise from reliance on information and material contained in this guidance.

Additional resources:

• Patient Online: The Road Map
• Patient Online: The Road Map: Information Governance Risk Register
• Patient Online: Records access Patient Information Leaflet
• Patient Online: Identity Verification
• Patient Online: Proxy access guidance for general practice
• Patient Online: Coercion guidance for general practice
• GMC Confidentiality Guidance
• NHS Information Governance Toolkit
• NHS: Keeping your online health and social care records safe and secure
• RCGP: It’s your practice – A patient guide to GP services
• HSCIC: Information Governance (IG)
• HSCIC: Caldicott Guardians
• National Register of Caldicott Guardians
• The Information Governance Review