Andy Evans
Programme Director, Connected Nottinghamshire

Information sharing – the complete picture

Content
• Why share?
• How can we share? Technology Roadmap
• “To share or not to share” – Information Governance
• Results so far
• A balance of risk
• Questions

Why share?
• There is a legal and professional duty to do so:
– Health and Social Care (Safety and Quality) Act 2015
– Caldicott Principle 7 “The duty to share information can be as important as the duty to protect patient confidentiality”
– Health and Social Care Act 2012 (direct care not the secondary uses element!)

Why share?
Feedback from the pilot areas in Nottinghamshire:
• Nobody thought that it wasted more time than it saved in using it.
• 92% of Clinicians thought that the MIG had enabled them to improve their overall care for patients.
• 60% thought that it had saved approx. 2 minutes out of a 15 minute appointment slot
• One clinician estimated that the sharing had helped him prevent at least one hospital admission a month since the service started
• Reduced the number of calls/faxes
• Improves the quality of 7 day week working (the information is always there)

How can we share? Technology Roadmap
• There isn’t a single or perfect solution (at the minute)
• The abilities come through the NHSE Commissioned GP Systems of Choice Contract (for now at least)
• You already receive several “feeds” from providers
• More information will flow in to GP systems over time
• It is a developing landscape

How can we share? Technology Roadmap
• Local Roadmap:
– Medical Interoperability Gateway
– GP System shares e.g. eDSM (TPP)
– “Portal” – technologies
– Data flowing in as well as out of GP Systems
– Priority pathway data sets; Comprehensive Geriatric Assessment, EPaCCS, Urgent & Emergency Care

How can we share? Technology Roadmap
• NHS England looking at changes to the GPSoC Contract to make it simpler/more effective for sharing
• HSCIC creating a set of new standards for messaging and information exchange
• Social Care now have access to NHS numbers (in law now that they should have a “share identifier”)
• Personalised records are going to be at the heart of the changes

“To share or not to share”
Information Governance has been made complicated!

“To share or not to share”
..but it doesn’t need to be that difficult.
• There is lots of guidance – possibly too much
• Historically we have done a great job in frightening people into not sharing (since the original Caldicott review 1997)
• If you lose a memory stick or laptop with accessible data on it then you will attract the attention of the Information Commissioner
• If you share information with other care professionals for direct care in accordance with the ICO data sharing checklist then you will be fine
• If you don’t share there is a risk of significant penalties
• Trust your judgement – you do it already every day

“To share or not to share”
What is the risk of sharing?
Examples of Information Commissioner’s Office actions up to December 2014
• June 2013. A monetary penalty (£55,000) notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.
• July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are now being dealt with by the Department of Health.
• In January 2012, a former health worker was prosecuted and pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.
• In December 2011, a receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking was found guilty of an offence under section 55 of the Data Protection Act.
• In June 2012, a personal injury claims company employee was prosecuted for illegally obtaining NHS patients’ information.
• In August 2012, a monetary penalty of £175,000 was issued to Torbay Care Trust after personal confidential data relating to 1,373 employees was published on the Trust’s website.
• In May 2012, a monetary penalty notice for £90,000 was served on Central London Community Healthcare NHS Trust for a serious contravention of the DPA, which occurred when personal confidential data was faxed to an incorrect and unidentified number. The contravention was repeated on 45 occasions over a number of weeks and compromised 59 data subjects’ personal data.
• In April 2012, an undertaking to comply with the seventh data protection principle was signed by Leicestershire County Council, following the theft of a briefcase containing personal confidential data from a social worker’s home.
• In February 2012, a monetary penalty of £100,000 was issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

“To share or not to share”
“The ICO told the Review Panel that no civil monetary penalties have been served for a breach of the Data Protection Act due to formal data sharing between data controllers in any organisation for any purpose. It says breaches of the Data Protection Act are usually the result of lack of due consideration. Yet it finds that organisations frequently shy away from data sharing and cite data protection as a reason. The data sharing code produced by the ICO in May 2011 helps organisations to share data in a secure and proper way. They should use it.”
Dame Caldicott, 2013

“To share or not to share”
“In the absence of evidence to the contrary, patients are normally considered to have given implied consent for the use of their information by health professionals for the purpose of the care they receive.”
British Medical Association, Confidentiality Toolkit 2015

“To share or not to share”
British Medical Association Guidance
Patient agreement can also be implied, signalled by the behaviour of an informed patient. Implied consent is not a lesser form of consent but in order for it to be valid it is important that patients are made aware that information about them will be shared, with whom it will be shared, and of their right to refuse. Health professionals bear responsibility for the disclosures they make, so when consent is taken to be implied, they must be able to demonstrate that the assumption of consent was made in good faith and based on good information. If not, it is no consent at all and some other justification will be needed for its disclosure. In addition to information provided face to face in the course of a consultation, leaflets, posters and information included with an appointment letter from a hospital or clinic can play a part in conveying to patients the reality and necessity of information sharing. Clearly, a combination of methods provides greater security that patients have understood. It should be noted that the more sensitive and detailed the data, the more likely it is that explicit consent will be required, eg sexual health information.

“To share or not to share”
• In the foreword to the ICO data sharing code of practice, the Information Commissioner said: “Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness.”
• The Review Panel concludes that individuals should not be discouraged from sharing simply through fear of doing this incorrectly. With the help of the ICO’s data sharing code, and tools such as privacy impact assessments, data sharing can be achieved, where appropriate, in a secure and proper way.
• “Just because something is private, does not mean young people are not willing to share the information with particular groups, provided the information is not disseminated more widely.”

“To share or not to share”
• The Review Panel is clear that the remit for the Data Protection Act remains with the Information Commissioner, but individual breaches or failures to share information by registered and regulated health and social care professionals may be a failure of professional duty.
• The Review Panel concluded that the professional regulators should be involved more often in both serious breaches and instances of poor information sharing when it is clear it has hampered direct care.

“To share or not to share”
ICO Data sharing checklist – systematic data sharing
Is the sharing justified?
• Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?
Do you have the power to share?
• Any legal obligation to share information (for example a statutory requirement or a court order).
YES – a legal and Professional Duty for Direct Care
If you decide to share
• What information needs to be shared.
• The organisations that will be involved.
• What you need to tell people about the data sharing and how you will communicate that information.
• Measures to ensure adequate security is in place to protect the data.
• What arrangements need to be in place to provide individuals with access to their personal data if they request it.
• Agreed common retention periods for the data.
• Processes to ensure secure deletion takes place.

“To share or not to share”
What is happening to safeguard sharing?
• Records and Information Group have produced a set of agreed principles to form the Nottinghamshire Consent Model (especially with things like eDSM)
• eDSM and MIG are the starting point to support sharing and have been reviewed by the RIG (and other groups locally and nationally)
• Privacy Impact Assessment(s) has been completed on your behalf
• Information Sharing Agreements have been created where required
• Information Access Agreements are in place with the users of the shared data/records
• A legal Contract is in place with software service providers (Healthcare Gateway/TPP GPSoC)
• Audit processes are in place
• The Nottinghamshire Consent Model is an Explicit consent model for anyone accessing the information (but we all have to make the records available)
• For MIG it is only Coded Data (no free text or letters)
• The Data STAYS WHERE IT IS (it is not stored anywhere else)

Feedback so far
Local Evidence on sharing
• In one organisation ~3,000 records have been made available and 0 patients have dissented when presented with a consent choice (eDSM)
• In another organisation 27,000+ consultations and 9 patients said they didn’t want their GP record to be viewed
• 92% of Clinicians thought that the MIG had enabled them to improve their overall care for patients.
• 67% thought that they had been able to clinically assess patients more quickly than before they had MIG access (the remainder neither agreed nor disagreed)
• 92% were satisfied with the amount of information that they had available to them via the MIG to treat patients out of hours.
• 75% perceived that MIG access had helped with prescribing decisions
• 75% perceived that MIG access had helped them to make better informed decisions around referring and planning patients’ care
• 50% that the access had prevented new or review appointments.
• 33.3% thought that it had prevented new or review appointments
• 50% thought that MIG access had reduced the time for Medicines reconciliation.

Feedback so far
Local Evidence on sharing
• Practice federations accessing each other’s records (TPP eDSM)
• Sherwood Hospital’s – now using the records more and more (TPP eDSM)
• CNCS starting to access records (MIG)

Feedback so far
• Scenario A: Patient had been referred to the Out of Hours service. The patient presented with bad back pain and requested strong pain killer (Tramadol) noting that he had run out of his current medication. This was not a regular prescribed drug or acute prescription according to his medication history. The Nurse Practitioner was able to establish from viewing the elements of the record that the patient had been prescribed the Tramadol from an outpatient appointment until the patient could attend for an operation. (Previous prescribing from the GP had been at a Paracetamol and Ibuprofen level). The operation had been cancelled – therefore the medication had run out. Hence the requested OOH appointment.

Feedback so far
• Scenario B: Child with ear problems. Parents came with child who had ear infection; on viewing the record and history of the patient, Liz was able to see this was not an isolated visit. It appears the child had been prescribed antibiotics on numerous occasions and therefore, after consulting a colleague, tasked the GP and recommended referral to ENT for full assessment.
• Scenario C: Care home called regarding a resident and, as the GP was able to view the patient’s medical record via the MIG, they were able to prescribe the relevant medication. In doing so this prevented the patient being admitted to hospital.

Feedback so far
Number of incidents to date: Zero

A Balance of risk
• A patient not understanding your sharing and taking offence/incur upset and distress
• Patient suffering preventable harm, injury or death through not making the information available
• Data protection act breach
• Coroners notice
• Caldicott principles (1-6)
• CQC inspections
• Legal/Professional Duty to share
• Professional body investigation
• Caldicott 7th principle

Questions?
http://www.hscic.gov.uk/media/12822/Guide-to-confidentiality-in-health-and-socialcare/pdf/HSCIC-guide-to-confidentiality.pdf
https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/192572/2900774_InfoGovernance_accv2.pdf
http://bma.org.uk/practical-support-at-work/ethics/confidentiality-and-healthrecords/confidentiality-tool-kit

To Share or Not To Share
The Future of Data Sharing
Michael Wright
July 2015

Contents
• Where are we going?
• LMC/GP Engagement
• GMC Good Medical Practice
• 8 Principles of the Data Protection Act (DPA)
• Rights of Data Subjects under DPA
• Right to object to processing that is likely to cause or is causing damage or distress
• Can you defend a claim for compensation?
• Points to consider

Where are we going?
• Inevitability of full data sharing and access to records
• Drip feed of initiatives to move towards this
• Contractual levers making this happen
• Culture of openness and interconnectivity
• Whose record is it anyway?

LMC/GP Engagement
• LMC representation on Patient Online Access Project
• LMC representation on MIG Project Board
• LMC representation on GPRCC (GP Repository for Clinical Care)
• LMC representation on eDSM Project Board
• GP leadership (Dr Mike O’Neil) on MIG and GPRCC
• Guidance on the future landscape for General Practice regards use of patient data

GMC Good Medical Practice
Circumstances in which patients may give implied consent to disclosure
Sharing information within the healthcare team or with others providing care
• 25. Most patients understand and accept that information must be shared within the healthcare team in order to provide their care. You should make sure information is readily available to patients explaining that, unless they object, personal information about them will be shared within the healthcare team, including administrative and other staff who support the provision of their care.
• 26. This information can be provided in leaflets, posters, on websites, and face to face and should be tailored to patients’ identified needs as far as practicable.

8 Principles DPA
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

6. Rights of Data Subjects under DPA
• a right of access to a copy of the information comprised in their personal data;
• a right to object to processing that is likely to cause or is causing damage or distress;
• a right to prevent processing for direct marketing;
• a right to object to decisions being taken by automated means;
• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
• a right to claim compensation for damages caused by a breach of the Act

Right to object to processing that is likely to cause or is causing damage or distress
What is meant by “damage or distress”?
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
• substantial damage would be financial loss or physical harm; and
• substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.

Can you defend a claim for compensation?
You can obviously defend a claim if you have not breached the Act. If there has been a breach, you can still defend a claim for compensation, but only if you can show that you took such care as was reasonably required in the circumstances to comply with the Act. What you will have to prove will depend on the nature of the breach in question. What is reasonable will depend on the circumstances. In data protection terms, this means that you have looked at the way you process and protect personal data and that you put in place appropriate checks to prevent any problems occurring. Your defence may rely on describing these checks. Some form of positive action is often necessary and, if a reasonable step or precaution has not been taken, then the defence is likely to fail.

Points to Consider
• What is our belief on data sharing in our Practice as data controllers?
• Is it right/desirable to share patient data with other healthcare providers?
• Should we ask our Medical Indemnity Organisations?
• How far can we consider Pragmatism versus legal repercussions?
• Should we look at different ways of collecting explicit consent? Are we pushing for explicit consent?
• What is the likelihood of us being sued by a patient? Case law???
• LMC are here to support you!

Any Questions?