eMedia Policy Park Road Medical Centre 1a Park Road, Wallington Surrey, SM6 8AW Tel 0208 647 4485 Written by : Dr Raza Toosy GP Princpal Date: 4th June 2012 Approved by: Date: th Review Date: 4 June 2014 Introduction As more of the population is becoming aware of communicating with other originations via methods other than telephone and face to face, so the NHS has to become aware of these methods and find more practical ways to engage patients with the appropriate consent in order to improve their health outcomes. Security of information and appropriate access to patient information is important in the trust between a doctor and patients. However the responsibility of this should be a mutual agreement between the doctor and his patient so long as patients are fully aware of the risks vs benefits of how information is received from and sent by them. Patients are in a position now to be responsible enough to know how they would like to receive and send information around this security vs convenience dilemma. This protocol looks at these issues and around future modes of communication and puts them into one document. This Protocol should be read in the context of the Data Protection Act, Freedom of Information Act, Copyright, Designs and Patents Act, Computer Misuse Act, Caldicott Principles and other Organisation policies. Channels of Communication currently and in the future Texting (SMS or Short Message Service) Texting relates to sending and receiving messages of short character length (about 200 characters+) between a GP Surgery and a patient. Currently there are several companies which offer this service in the way of appointment reminders and EMIS Web plans to integrate this into its appointments module. NHS.net or other mobile portals are used as the broker service which transfers messages. With NHS.net the message can only be one way (ie from GP surgery to patient), but with other mobile portals they can be 2 way with a reply from a message from a GP surgery The content of a message can be generic with non-identifiable information to being specific to the intended recipient. Email Emailing has been a known method of communication for some time but hasn’t been used much as a tool to communicate between the patient and the GP surgery for several reasons which will be outlined below. Smartphone Apps Smartphone Apps are a newer way of being able to allow a channel of communication between the patient and the GP surgery. It is similar to a SMS text but allows a much richer communication experience and is securer as further mechanisms can be placed in the App to ensure that only the recipient will get the message. EMIS Access and booking appointments online plan to use an app for this purpose. Voice Messaging Similar to SMS texts, appointment reminders can also be sent via automated voice messaging software. When the patient picks up the phone, a voice message confirms the patient as the recipient then gives them information around their health care. This can be an appointment reminder or awareness of a change in climate so they can provision for their COPD (Chronic Obstructive Pulmonary Disease) with the MET office scheme. Information can also be sent back to the GP surgery in the way of key presses on the keypad of the telephone, thus also creating a 2-way form of communication. Video Conferencing Video conferencing is a newer way of communicating with the patients for example via Skype. A secure connection is established between the patient and the doctor who both have cameras and microphones before the consultation can then take place. It’s similar to telephone consultations but the doctor and patient are able to view each other. Security Issues with Media Types There are several security issues around sending information to recipients via the various forms of media. Suggested issues below are not exhaustive. Texting The issues with security around texting is - The message appears on the mobile in full view of anyone who can see the screen. There is no guarantee that the phone is still with the intended recipient. Frequently patients give their mobile phones to other members of their family, exchange their phone or sell it. Email Email also has its potential security issues - - - Email to public email addresses even from a NHS.net account is not secure in anyway. The analogy is similar to writing the content on a postcard with the message sent in clear text so anyone can read the content. It is unlikely that the message will go straight to computer from where it will be read. It occasionally bounces across several mail servers before reaching the receiver. There is a chance that the email might end up in the junk or spam mail so will not be read by the intended individual. The email address is very important and there is a risk of it going to the wrong address or being unsuccessful. - If you use a public computer, information around the content of your email could be obtained and used by others who can look into this computer. Smartphone Apps Smartphone apps potential also have some security issues but they are less than other forms of eMedia. Of note the channel of transfer is secure and processes can be put in to place to ensure appropriate security at the patient’s end. The main issues for security are - Just like a mobile phone, smartphones can go missing, be lost, stolen or passed over to other family members. Voice Messaging Automated voice messaging is a newer form of communicating with patients. Examples are appointment reminders and the Met Office COPD Scheme which reminds patients of stocking up on antibiotics and steroids when there are changes in the weather. Risks are similar to SMS texts. The main security issues are around the following - The phone number given might not be up to date or accurate and the message might go to the wrong individual. The message may not go to the required recipient when the phone number is picked up although steps can be taken to mitigate this by confirming some security question. The patient might have moved address and not updated their details within the GP surgery Televideo conferencing The actual connection between patient and doctor is secure but the big question especially with Skype is if consultations can potentially be recorded by Microsoft for example in cases of national security. The answer is probably yes but it’s not different to a phone being tapped in the same way. Otherwise this is a secure form of communication (256-bit AES). Suggested Proposed Methods and Content of Information With all the above which has been said, it’s important to put everything in context around current processes and be as practical as possible whilst being aware of the risk vs benefit of each type of media to use. Not including eMedia, there are 2 main methods to contact the patient leading to a face to face consultation. - Telephoning the patient and asking them to come into clinic Writing them a letter to communicate content to the patient With both the above methods, there are still risks of having the wrong contact details, the message going to wrong individual, changes of address and so on. However these methods are used as the main form of communicating with patients. Patients too are becoming more aware of the potential real and perceived risk in transferring information to them using electronic methods and consent either verbal or non-verbal should be obtained wherever possible through informed means. Patients need to be aware of the risks for each type of media and make their own choice around the methods to opt out of. Many patients also expect to be contacted using methods more than just phone and post through implied consent. Dental surgeries, hair and beauty salons and opticians all use SMS Texts to communicate with their customers for appointment reminders and EMIS Web plan to have this feature built into their appointments module. Methods Below is a suggested plan of action to implement an eMedia policy for GP Surgeries. It consists of 3 layers. - Where non-identifiable patient appointment data is published (similar to a receptionist ringing a patient for an appointment) implied consent should be offered and Where condition of patient demographic information is released which is potentially more sensitive in nature explicit consent is the only possibility. Explicit verbal consent to be given at the point of contact by the patient who is present. It is important to note that parents or guardians can act on behalf of their children and prior to deemed Fraser competence of the child. Implied Consent with Opt Out Implied consent must only be used where non-identifiable data is published. A reminder to a patient around his appointment date and time with no mention around any personal information for example. Ie “You have an appointment at 4pm on Wednesday 6th June. You cannot reply to this text. Please contact us on 0208 647 4485 for any enquiries” rather than “Dear Mr Bloggs, you have an appointment at 4pm on 6th June with Dr Toosy to discuss your Diabetes”. At the moment this is reserved to appointments only and should start with a campaign to send a message to the contact number to offer the patient to opt out of this form of media if they don’t contact the surgery back by a certain reasonably offered future date. Any opt out request can be taken verbally or in person and the read code for no consent for SMS Text is 9NdQ which should be used to audit this information and prevent further texts. The supplier software may also have provisions for patients to opt out and this should be activated at the patient’s request. Posters and information leaflets will be available to patients in inform them of this method to give them the opportunity to opt out at any time. Also verbal consent should be obtained at all times during consultations and when obtaining mobile numbers during appointments. There after any new patients on the list should be offered to fill in the eMedia Consent Form for all types during their registration process thus adopting an Explicit Consent Model. It should be the patient’s choice if they would like to adopt an implied consent model with non-patient identifiable information vs Explicit Consent with patient identifiable information. The surgery should ensure that mobile numbers and telephones are kept up to date at all times via reminder slips or other methods for example while the patient waits to see his doctor and also with the doctor in clinic. These need to be updated by the receptionists and other practice members. Only SMS Texting and Voice Messaging should offer this model of consent. Explicit Consent Explicit consent should be obtained where the media through which the communication is obtained needs to be consented for so the patient is fully aware of the risks vs benefits (security vs convenience) profile. This method should also always be used there the content of the message contains patient identifiable data or clinical information. Email The patient must come to the surgery and obtain a consent form to sign. At this point the patient must clearly document his preferred email to use and ensure this is updated with the surgery at all times. The patient will be given a contact email address. The surgeries responsibility is to keep this email linked to the practice and to ensure it is checked twice a day. Patient must then email the surgery email first and get a reply back before this level of communication will be accepted. This is to ensure that there is no issue with getting the correct recipient and sender email and to avoid spam filters. Incoming Messages from the Patient Patients need to be aware that (the message) will first be read by an administrator in the surgery. Examples of types of messages could be - Prescription Requests Blood Values requests All appointment requests will be redirected to EMIS Appointment Bookings Non-urgent requests. Email will be in reply to requests Keep requests to a minimum. If request are deemed urgent to please ring surgery and make an appointment. The patient must contact the surgery if they haven’t received a reply within 48 hours. Outgoing Messages from the Surgery Patients need to be aware that the admin will email messages on behalf of clinicians although this is at the discretion of the clinician. Examples of these types of messages could be - Surgery will send appointment requests via Email Simple links to relevant web pages Personalised information regarding patient In reply to Incoming email If thread gets too long, surgery has the right to ask the patient to come in and see a doctor personally. It is also the GP surgery’s responsibility to ensure that all email thread relevant to the patient’s clinical state must be audited and recorded in the patient’s notes for future reference. Current there is no national read code for no consent for email consultations. The email to be used for no consent for email consultations is 9Ndy Texting and Voice Messaging Only if the patient consents to identifiable or information specific information, should this form of contact be uses for this type of content. Consent must be written as outlined in Appendix 1 Smartphone Apps If a patient wishes to send and receive information via apps, they must come to the surgery first and create a new password for themselves which they will use for the app. Patients must come to the surgery personally and be identified by a member of staff They must agree to also obtain an application which can wipe their smartphone if they get it lost or stolen. An example of this is the free app from Apple called Find My iPhone for the iPhone or Lookout for the iPad,iPhone or Android. This ensures that the patient can wipe their smartphone at any time should they suspect loss. There must be robust mechanisms within the app to ensure the secure transfer of information into the smartphone and access to this data through appropriate password protection. Current there is no read code for consent/no consent for Smartphone Apps Explicit Verbal Consent This will occur at the point of contact for example with Skype. The doctor asks the patient to read a section in the web page pertaining to Skype explaining about the method and potential benefits and risk. Once the doctor first contacts the patient, the patient is asked if he/she has read information about Televideo conferencing and obtains explicit consent to conduct the consultation at the point of contact. This is documented in the medical notes using the code. Until a better one comes the closest currently is “Verbal consent for examination – 9Nd0” As such no signature is required for this form of communication as per email or patient identifiable information on SMS texts. Consent Form for eMedia Request for surgery to contact patient via eMedia eMedia is related to the communication to and from your surgery via SMS texts, Voice Messages, emails and smartphone apps. This form can also be used be signed by a relative or carer on behalf of the patient if it is in the patient’s best interest or if the patient has given consent to do so. Park Road Medical Centre (GP Surgery) is committed to open working and efficiency in providing services. To ensure that services are as tailor made as possible to the requirements of its patients the surgery recognises that with advancing technology, current and routine forms of communication may not be convenient or possible with some patients. To this end the Trust will be willing to undertake correspondence using eMedia mentioned above with the patient under the following conditions. This agreement is entered into at the request of the patient The patient understands that the GP Surgery has no responsibility for information that leaves authorised NHS (National Health Service) networks at the request of the patient and as such cannot guarantee the security of such information. The patient will ensure that his contact details eg mobile number or email is correct and will notify the surgery of any changes The patient has satisfied themselves that access to their own system is secure and is aware of shared email accounts, shared computers etc., The surgery reserves the right to terminate this agreement if there are any viruses or other such technical threats to its internal systems as a result of external traffic. By signing below the patient indicates they have read an understood the conditions given above. The patient also understands they are able to review or cancel this arrangement at any time in writing. For emails only. To minimise the risk of ‘human error’ in writing email addresses, for emails the patient will send an email to smpct.correspondenceH85022@nhs.net (Email Address) in the first instance. This will give the Trust their preferred email contact address and will be used to correspond with them. A test email will be returned by the Trust to indicate safe receipt and that the sent address will be the one used to correspond with the patient. For Smartphone apps only. The patient will ensure that he has the ability to wipe the data from the smartphone remotely in case of loss or theft. Please tick the format of Media you would like to send or receive more personalized information to and from Emails SMS Texts Voice Messages Smartphone Apps Name _______________________________________________________ Address ______________________________________________________ Signature _____________________________________________________ Agreed on behalf of Park Road Medical Centre <GP Surgery> Signature _______________________________________________________ Designation _____________________________________________________Date_____________________ Surgery Communication We are changing the way we communicate with each other Texts and Voice message reminders for appointments Contact via emails and smartphones if you give your permission Please ask at the front desk for more information Surgery Communication Information Leaflet Park Road Medical Centre In the future and currently there are several extra ways which we can communication with you Telephone Via an automated voice reminding you of your next appointment or asking you about any conditions you might have. Texting Messages which appear on your mobile which can inform you of your next appointment. We can also put more specific information on these texts about you with your consent. Email Emails are not secure which means that they are similar to writing on a post card about your condition. Anyone within the company you have an email account with and beyond can access and view this information. However if you consent we can communicate with you for non-urgent matters for example prescription requests or blood results. Televideo Consultations Skype is used a lot nowadays to communicate with other around the world. We operate skype consultations as alternatives to telephone consultations at the end of clinic. Simple give you skype username instead of your phone number to the receptionist. SmartPhones In the future we plan to be able to communicate with you through Smartphones. You must ensure you have some software which can wipe your Smartphone if it gets lost or stolen. You also need to come to the front desk to receive information around how to set your Smartphone up. Consent and protecting your confidentiality For appointment reminders we will send you a text or leave a message first to ask if you want to have this service by a certain date. Anyone who does not wish to be contacted this way needs to let us know and we will not contact you this way. For appointment reminders we will only state when your next appointment. It will contain no direct information about you or any conditions you might have. If you would like to receive more detailed messages either through Voice messages, texts, emails or smartphone apps you have to come to the surgery and asked to sign a consent form which you must read first. You will only receive this kind of information if you sign. If you do not, then we will only send you appointment reminders. Detailed messages will contain information about yourself and any conditions you might have, blood test results, information about your conditions and might also ask you to come into a surgery for a review of your conditions. You should also be able to contact us and leave messages with our staff. For Skype you will give consent for this form of communication at the point of contact. We call this verbal consent. Rest assured, we will only message you personal information if you ask for this and have signed a consent form which you can obtain at the front desk.