Information Sharing Protocol to Support the Implementation of Risk
advertisement
Information Sharing Protocol to Support the Implementation of Risk Stratification NHS Gloucestershire Clinical Commissioning Group & Gloucestershire General Practices GCCG CES–ISP001 Information Sharing Protocol v0.1 Document Control Date Version Author 01/12/12 2.0 A. Bonfield 07/12/12 0.1 B Cutts 17/06/13 0.1 S. Bishop Comment Initial draft produced with kind permission of South Central PCT Alliance. Modifications made to reflect local Swindon collaboration. made to Modifications reflect local Gloucestershire collaboration. GCCG CES–ISP001 Information Sharing Protocol v0.1 2 . GCCG CES–ISP001 Information Sharing Protocol v0.1 3 1. Introduction & Background Gloucestershire Clinical Commissioning Group (GCCG) has procured from Northgate and Sollis a risk stratification service that provides Gloucestershire practices with the analytical tools required to support identifying patients or groupings likely to be high utilisers of health care resources. The system does this by analysing healthcare data and applying well evidenced predictive modelling techniques developed by Johns Hopkins University. In Gloucestershire the use of a Risk Stratification tool is supporting the offering of a national Risk Profiling DES by NHS England. As part of the introduction of a programme of risk stratification, GCCG will support General Practices to help: • Understand the risk stratified health profile of their registered patients • Predict and therefore anticipate their registered patients’ future healthcare needs • Plan for the clinical resources that might be required to best support them. These improvements will help GCCG, General Practitioners and clinicians to provide better care by more easily identifying patients who will benefit most from timely pre- emptive i.e. preventative intervention, via Case Management. Additionally examples may include the offer of telehealth/ telecare monitoring for patients developing COPD / implementation of earlier medication review for patients identified at increased risk of impaired renal function or falls. To facilitate the required analysis, it is imperative that robust data sharing agreements are put in place to ensure that practices can be confident that the data which they hold in trust is processed securely on their behalf and presented back to the practice for interpretation and action. This Protocol, therefore, is an overarching framework that identifies the guidelines and principles under which sharing of information between the signatories will be undertaken to ensure that data is managed according to currently available best practice guidance on the protection and use of confidential information. This Protocol will be supported by Subject Specific Information Sharing Agreements (SSISAs) namely the: ACG User Request Proforma EMIS Web Apollo Supplier Extraction Consent Form Each of the above detail by dataset the items to be shared and the associated controls around their use and management, also detailed within the body of this document. This document has been developed to be read in its entirety, it should be a publicly available document, accessible from each organisation’s web site. GCCG CES–ISP001 Information Sharing Protocol v0.1 4 2. Purpose of the Protocol The purpose of this Protocol is: To identify the “categories” of information that are covered by this agreement; To set out the principles which underpin the sharing of information. To confirm the legal framework obligations for the secure sharing of confidential information. To identify the process for initiating the sharing of datasets. To set out the responsibilities of all parties involved in this programme. To identify the governance arrangements in place to manage and maintain this Protocol 3. Information covered by this Protocol This Protocol refers to all information, in whatever form that is shared between the GCCG and General Practices. Data provided would constitute use under the “Healthcare Medical” and “NonHealthcare Medical” purposes as defined by the Connecting for Health document NPFIT-FNT-TO- BPR-0023.01, “Pseudonymisation Implementation Project (PIP) Reference Paper 1, Guidance on Terminology” dated 20/11/2009 – see table 1 below; Table 1 – Terminology Term “Healthcare Medical Purpose” “Non-Healthcare Medical Purpose” Description Includes; the uses which directly contribute to the diagnosis, care and treatment of an individual and the Audit/Assurance of the quality of healthcare provided. In these cases person identifiable data can be used, but only the minimum amount of data should be used, and appropriate safeguards should be the in Management of Health Includes; place Care . Services (PbR, World Class Commissioning). In these cases generally “effectively anonymised” data should be used, unless consent has been gained from the patient or there are special circumstances, such as an overriding public interest, or a route such as via Section 251 of the NHS Act 2006 or the Health Service (Control of Patient Information) Regulations 2002. GCCG CES–ISP001 Information Sharing Protocol v0.1 5 “Effectively Anonymised” Data from which the recipient is unable to infer the identity of an individual without the application of unreasonable effort. GCCG CES–ISP001 Information Sharing Protocol v0.1 6 4. Key Principles The parties recognise the importance of sharing information with each other in line with this Protocol and the law and agree to co-operate fully with each other in that respect. The parties agree to share information in accordance with the Data Protection Act 1998 and the Caldicott guidelines on the protection and use of patient information. For ease of reference, these are summarised below: The Data Protection Act 1998 provides that data should be: • • • • • • • • fairly and lawfully processed; processed for specified and compatible; adequate, relevant and not excessive; accurate; not stored for longer than is necessary; processed in line with the relevant individuals' rights; secure; and transferred only to countries with equivalent legal and other protections. The Caldicott Guidelines reflect those key principles: • Justify the purpose(s) of using person-identifiable and confidential information; • Only use it when absolutely necessary; • Use the minimum that is required; • Access should be on a strict need-to-know basis; • Everyone must understand his or her responsibilities; and • Understand and comply with the law GCCG will ensure compliance with these principles and the ESSA agreement in place. 5. The Legal Framework Each signatory to this Protocol undertakes that it will adhere to the legal principles outlined in the ESSA when considering the sharing of information. These are listed here for convenience: • • • • • • • Human Rights Act 1998 Data Protection Act 1998 Access to Health Records Act 1990 The Freedom of Information Act 2000 The Environmental Information Regulations 2004 Caldicott Guardian Manual 2006 Confidentiality NHS Code of Practice 2003 GCCG CES–ISP001 Information Sharing Protocol v0.1 7 • • The Common Law Duty of Confidentiality The NHS Information Governance Toolkit Organisations must amend their Data Protection Act registrations to record the fact that Northgate and Sollis will be acting as Data Processors. Additional legislation may need to be referenced when sharing specific information; this will be set out in the relevant SSISAs as required. 6. Procedure for Sharing Information In so far as possible, information will be pseudonymised before it is processed and care should be taken to ensure that pseudonymised data, whether alone or when read together with any other information in the possession of the recipient, does not identify an individual either directly or indirectly (i.e. to ensure that it is “effectively anonymised”). Where it is not possible to use effectively anonymised information, consent from service users may be required. The parties acknowledge that any disclosure without consent will need to be fully considered to ensure compliance with the law. In order to facilitate the sharing of a specific dataset, a Subject Specific Information Sharing Agreement (SSISA) must be completed and signed by the nominated individuals from the relevant parties – see Appendix 2. This document will identify the data items to be shared and the controls that will be in place to ensure the security and confidentiality of those data items. Once a SSISA has been signed, it must be returned with the necessary DES documentation to the Primary Care Team within the NHS England Area Team, where it will be formally logged and who will notify GCCG. The SSISA documentation must be sent to GCCG who will then forward the SSISA to Northgate/ Sollis who will facilitate the undertaking of the SSISA with the principles set out within this document and the requirements of the SSISA. After the data has been provided to the Northgate Data Centre, the CCG Information Governance Team will monitor the adherence of the details of the SSISA in relation to the use and lifecycle arrangements for the dataset. It should be noted that no data will be shared unless a signed SSISA has been received by the CCG. 7. Responsibilities NHS GCCG and General Practices Confirm that the NHS GCCG Caldicott Guardian will act as the lead signatory in respect of this Protocol. Ensure that Executive Leads, GP Practice Caldicott Guardians, Practice Staff, Information Analysts and the Information Governance Team are aware of this Protocol and the organisation’s responsibilities. Ensure that there is a local procedure in place to expedite approval of GCCG CES–ISP001 Information Sharing Protocol v0.1 8 requests for information sharing under this Protocol. Ensure that where required, queries relating to requests under this Protocol are identified and raised with the NHS GCCG Information Governance Manager within 3 days of receipt of the request. Ensure that appropriate training and information is provided to the relevant members of their staff to ensure their compliance with this Protocol and that compliance is effectively monitored. Ensure that standards and procedures are in place for ensuring that, where required, consent to disclose personal data constitutes informed consent and is given freely. Ensure efficient and effective procedures to address complaints relating to the disclosure or use of personal data are in place. Ensure where patient consent has not been provided to disclose personal data, the relevant read codes should be applied by the GP practice within the patient record, which will ensure the data is not included within the primary care extract. Caldicott Guardian – NHS GCCG Act as the lead signatory on behalf of the GCCG. Ensure that appropriate Information Governance assurances undertaken on behalf of the GCCG and GP Practices; to include; Annual Northgate IG Toolkit Assessment External Audit of Northgate IG infrastructure are Information Governance Team – NHS GCCG Act as the link between Northgate and the GCCG and GP Practices in relation to all SSISA requests. Ensure requests received are logged and monitoring arrangements put in place Co-ordinate the parties SSISA sign-off Monitor the completion of IG Toolkit submission, external audit by Northgate. GCCG CES–ISP001 Information Sharing Protocol v0.1 9 8. Governance and Compliance This Protocol will be reviewed regularly by the Information Governance Group and will include consultation with the GP Practices Caldicott Guardians. The first review will take place 6 months after implementation and annually thereafter. It will also be reviewed in line with updated or newly released legislation. Any of the signatories can request a review outside of this agreed time frame if they think it necessary and reasons are provided. CSCSU will undertake to assess Northgate’s compliance with the Information Governance Toolkit on behalf of the GCCG annually or as reasonably required (including for instances where any breach of confidentiality has occurred in relation to service users' personal data). 9. Toolset obligations Table 2 – Description of Tools Tool ACGS Purpose Evidence Based Support for Risk Profiling, Predictive Modelling, Resource Allocation, Planning Use Healthcare Non-Medical & Healthcare Medical Technical and organisation measures and procedures Northgate is required to ensure that at all times: it has appropriate technical and organisational measures against accidental and unlawful destruction of data and loss, alteration, unauthorised or unlawful disclosure or access to data; it has adequate security programmes and procedures in place to prevent unauthorised access or processing of data; and provide the GCCG Information Governance Team with a written description of these measures and procedures on request. GCCG CES–ISP001 Information Sharing Protocol v0.1 10 Appendix 1 ISP Agreement Signature Page Please complete this form to indicate your acceptance of this Information Sharing Protocol on behalf of your organisation. ISP Reference: Information Sharing Protocol between the NHS Gloucestershire CCG and General Practices for the supply of data to support Risk Stratification. Organisation: Address: Phone: Email Address: Designation: Signature: Name (Please Print) Date: Once completed, please return this page only with the necessary SSISA forms to Gloucestershire CCG (FAO: Sadie Bishop/ Wayne Douglas, Sanger House, 5220 Valiant Court, Gloucester Business Park, GL3 4FE) GCCG CES–ISP001 Information Sharing Protocol v0.1 11 Appendix 2: [Dataset Field Layout] Diagnoses data from practice system Data Items NHS Number Sex Date of Birth Postcode GP Practice Code GP Code Code Type Diagnosis Code Date of Diagnosis Date entered into system Prescribing data from practice system Data Items NHS Number Sex Date of Birth Postcode GP Practice Code GP Code Code Type Pharmacy code Date of Prescription Date entered into system Format an an yyyy-mm-dd hh:mm:ss an an an an an an yyyy-mmdd hh:mm:ss Format an an yyyy-mmdd hh:mm:ss an an an an an yyyy-mm-dd hh:mm:ss yyyy-mmdd hh:mm:ss Format (Identifiable / Pseudonymised / Aggregate) after load into Northgate/Sollis system Pseudonymised Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Format (Identifiable / Pseudonymised / Aggregate) after load into Northgate/Sollis system Pseudonymised Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e Identifiabl e 20 Encounters data from practice system Data Items NHS Number Sex Date of Birth Postcode GP Practice Code Encounter Type Date of Encounter Date entered into system Long Term Conditions data from practice system Data Items NHS Number Sex Date of Birth Postcode GP Practice Code GP Code Code Type Diagnosis Code Date of Diagnosis Date entered into system Format an an yyyy-mm-dd hh:mm:ss an an an yyyy-mmdd hh:mm:ss Format an an yyyy-mmdd hh:mm:ss an an an an an an yyyy-mmdd hh:mm:ss Format (Identifiable / Pseudonymised / Aggregate) after load into Northgate/Sollis system Pseudonymised Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable Format (Identifiable / Pseudonymised / Aggregate) after load into Northgate/Sollis system Pseudonymised Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable Identifiable 21 22
