Patient identifiable information policy
advertisement
Document name: Service User access to Person identifiable information Document type: Policy What does this policy replace Review and update on previous version of policy All staff within the Trust Staff group to whom it applies: Distribution: The whole of the Trust How to access: Intranet and internet / ward folder Issue date: October 2006 Reviewed March 2013 Next review: March 2016 (extension to September 2016 agreed by EMT 25.02.16) Approved by: Executive Management Team Developed by: Portfolio Manager : Information Governance & Health Records Director leads: Deputy Chief Executive/Director of Nursing, Clinical Governance and Safety Contact for advice: Portfolio Manager : Information Governance & Health Records Page 1 of 31 Contents 1 Introduction 4 2 Purpose 4 3 Legislative Framework & definitions 4 4 Principles 5 4.1 Confidentiality 5 4.2 Third party data 5 4.3 Lead Health Professional 5 4.4 Viewing the record 6 4.5 Access to Children’s Health records 7 4.6 Prevention of Harm 8 4.7 Requests for amendments by service users 8 4.8 Release of copies to third parties 8 4.9 Where the service user lacks capacity 9 4.10 Where the service user is deceased 9 4.11 Where the most appropriate LHP is no longer available to review the records. Where the person who is most appropriate to review the records is not a Health professional Service user access to records in relation to a tribunal 4.12 4.13 4.14 9 10 10 4.15 Service user access to information which does not form part of the health record Proof of Identity 4.16 Advocates 10 4.17 Third party information supplied by a non health professional 11 4.18 Requests for access where joint services exist 11 4.19 Consent 11 4.20 Communications 11 4.21 Mental Health Review tribunals 12 4.22 Where access is refused 12 4.23 Patients living abroad requiring access to their health records 12 5 Fees and timescales 13 5.1 Waiver of fees 13 Page 2 of 31 10 10 5.2 Cost reduction 13 5.3 Re-application 13 6 Service user information which is not held on Clinical records 14 6.1 CCTV 14 7 Legal Proceedings 14 8 Duties 14 8.1 Lead Health Professional 14 8.2 Subject Access Officer 15 8.3 Data Protection Officer 16 8.4 All Staff 16 9 None service user access to request 16 9.1 Police requests 16 9.2 Court Orders and witness summons and Coroners requests 16 10 Complaints 17 11 Audit and monitoring 18 12 Training 18 13 Implementation 19 14 Review 19 15 Development 19 16 References 19 Appendix A – Access to Health Records Procedure 21 Appendix B - Lead health professional guidance when asked to review a record for release 23 Appendix C- Equality Impact Assessment Tool 25 Appendix D - Checklist for the Review and Approval of Procedural Document 27 Appendix E - Version Control Sheet 29 Appendix F - Impact of Implementation 30 Appendix G- Legislation excluding access relevant to health records 31 Page 3 of 31 Trust-wide Service User Access to Person Identifiable Information Policy 1.Introduction This policy sets out the arrangements in place for service users, carers and other non staff to access information held about them by this Trust. 2. Purpose The purpose of this policy is to specify the Trusts arrangements for service users to access their own health records and any other records held by SWYPFT relating to them as individuals in accordance with the right of subject access specified in the Data Protection Act (1998). Where the Access to Records Act applies (deceased service users only) rights of access to deceased service user records are also covered. The policy sets out the process which will be followed on receipt of a request, the criteria which will be taken into account on deciding whether all or part of the request can be met, the criteria for requests made on behalf of children and service users who are incapacitated and the fees which will be charged. For the purposes of this policy the data controller is SWYPFT. This Policy should be read in conjunction with the Trust’s Information sharing, Confidentiality and Data Protection Policy. 3. Legislative framework and definitions. Data Protection Act 1998 Service User access to their own records is one of the rights included in the Data Protection Act and means that on written request and provision of a fee and appropriate information to the Data Controller (SWYPFT) the service user is entitled to view and/or receive a copy of any information held about them within 40 days. Except in certain circumstances,(children and service users who are incapacitated) only the service user is entitled to apply for access to his or her record although this can be done via a third party such as a solicitor Access to Records 1990 (applies to deceased service users) Any person with a claim arising from the death of a patient has a right of access to information covered by the Act (manual records created since November 1991 and directly relevant to that claim), may apply for access. Page 4 of 31 Data controller – the organisation with responsibility for the information held and processed. Data subject – the person that the data relates to, usually the service user but may be any individual about whom we hold information such as a carer. Record – A collection of information relating to an individual or a specific event or task held in either electronic or paper format – or both. Not all personal data is held in a record for example CCTV footage. For the purpose of this policy a record is usually a medical record, but could be an incident log or complaint file or other information. Subject access request – request made by a data subject to see records held about them by the data controller. 4. Principles 4.1 Confidentiality Health information is collected from patients in confidence and attracts a legal duty of confidence until it has been effectively anonymised. This legal duty (established under common law) prohibits information use and disclosure without consent –effectively providing individuals with a degree of control over who sees information they provide in confidence. 4.2 Third party data Most service user records will contain some information relating to a third party. A third party could be a relative or acquaintance of the service user or an interested party representing a separate organisation such as a teacher or social worker. Health Professionals who are involved in a professional capacity with the service user would not be regarded as third parties in this context. The Trust has a duty of care to protect any information which is provided by or about the third party but may be recorded in the service users record. Release of third party information to the service user may constitute a breach of confidence. As such third party information will only be released at the discretion of the Lead Health Professional. The following circumstances are likely to apply: The third party has consented to the release of the information The consent of the third party has been sought but not given and there is an over-riding reason for supplying the information Where consent has not been obtained it may be possible to anonymise the third party information by removing identifying details. It is important to ensure that the information is truly anonymised however. 4.3 Lead Health Professional The Lead Health Professional (LHP) is the lead clinician, of any health care profession, responsible for the co-ordination or provision of the health care package to the patient. In general the lead health professional is the care co-ordinator responsible for the care of the patient and decisions regarding service user access to their records will be Page 5 of 31 made in the context of the multi-disciplinary care team. However there may be circumstances where the lead health professional is a psychologist or one of the other professions allied to medicine or a CPN. The lead health professional is responsible for deciding whether any parts of the records must be withheld in the event of a subject access request on the basis that they may cause harm to the service user or to another person. As such the lead professional will also decide whether any third party information should be with-held. In most cases the lead health professional will be the one currently or most recently responsible for the care of the service user. It is desirable that the LHP reviewing the records is aware of the context in which third party information was given, so that a judgement can be made as to whether it should be withheld. Where the most appropriate lead health professional is not available (due to long term sickness, sabbatical or having left the Trust) the responsibility for assessing the record for release will pass to another qualified member of the care team which dealt with the service user. Where this is not possible (for example psychology, where MDT are not involved) a more senior member of the service will review the record. The reviewer must be a qualified health care professional from the approved list (SI2000/413). 4.4 Viewing the Record Where a request is made to view the record suitable arrangements will need to be made to supervise the viewing. This is to ensure that the record is not altered or damaged or has information removed by the viewer. Where paper records are to be viewed an administrator should attend the viewing. It is most appropriate that a consulting room or meeting room is used for this purpose. If this is not possible the viewing should not be arranged for an office where confidential business is being conducted or where confidential material may be on view, and the viewing should take place in a private place. The administrator should not attempt to answer any questions about the content of the record and if the service user or representative has questions about this an appointment should be made with the lead health professional. The viewer is entitled to receive an explanation of any codes or abbreviations used. In some instances it may be appropriate for the viewing to take place with the lead health professional present, so that they can explain the contents and address any questions the viewer may have. Where a decision has been made to with-hold parts of the record it may be more appropriate to provide a copy of the record with the redacted parts removed for viewing purposes. It is not possible to redact third party information or withhold information which may cause harm when viewing a record on the Trusts clinical information system. As such in most circumstances it will be appropriate for the information to be viewed to be printed off and then redacted. Where viewing of the record on the computer cannot be avoided, this must be supervised at all times and care must be taken to ensure that no other service user names are visible. Page 6 of 31 4.5 Access to a child’s health record As a general rule a person with parental responsibility will have the right to apply for access to a child’s health record. Parental responsibility for a child is defined under the Children’s Act 1989 (section 3(1)) as “all the rights, duties, powers, responsibilities and authority which by law a parent of a child has in relation to the child and his property”. Although not defined specifically, case law has subsequently provided some interpretation which would include: safeguarding and promoting a child’s health, development and welfare; financially supporting the child; maintaining direct and regular contact with the child. Included in the parental rights, which would fulfil the parental responsibilities above, are: having the child live with the person with responsibility or having a say in where the child lives; if the child is not living with her/him, having a personal relationship and regular contact with the child; controlling, guiding and directing the child’s upbringing. A parent not living with the child, but having parental responsibility for the child, e.g. separated/divorced, may have access to the child’s health record. As the child grows older and gains sufficient understanding, he/she will be able to make decisions about his/her own life. Where a child is considered capable of making decisions about his/her own medical treatment, the consent of the child must be sought before a person with parental responsibility can be given access. Where, in the view of the appropriate health professional, the child patient is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it were not felt to be in the patient’s best interests. The law regards young people aged 16 or 17 to be adults for the purposes of consent to treatment and right to confidentiality. Therefore if a 16 year old wishes a medical practitioner to keep the treatment confidential then that wish should be respected. Children under the age of 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected, for example if they were receiving counselling or treatment about something they did not wish their parents to know. Case law has established that such a child is known as ‘Gillick competent’, i.e. where a child is under 16 but has sufficient understanding in relation to the proposed treatment to give or withhold consent, then that consent or refusal should be respected. However, good practice dictates that the child should be encouraged to involve parents or other legal guardians in any treatment. Page 7 of 31 4.6 Prevention of harm An amendment to the Act (SI2000/413) which was specific to health care states that information should not be released if it could cause serious harm to the physical or mental health of the service user or another person. The decision as to whether release of the information could cause serious harm must be taken by the appropriate health professional. Care must be taken in the exercise of this judgement to ensure that only these reasons are used to justify the with-holding of the record or parts of the record. 4.7 Requests for amendments, by service users Service Users who view their own records may discover discrepancies in the content of the record in relation to themselves in which case they are entitled to request that any mistake is rectified. It is not usually possible or desirable to permanently erase or delete a part of the record. This is because the disputed information may have informed the actions of a health care professional. However a note explaining the reasons that the information is disputed or considered unsafe should be placed on file. Any amendments should clearly be shown on the record along with the date, time and the details of the person making the amendment. Evidence should be provided for any amendments of facts, such as admission dates or address details and the request for amendment should be in writing from the service user or person acting on their behalf. Where the service user disagrees with a statement made by a health professional the statement may only be amended with the agreement of the health professional. Where the health professional is not available to agree the amendment or where the amendment is not agreed with the health professional a note should be placed in the record that the service user disputes that part of the record and any reasons given for this. In most circumstances it will be appropriate for a member of the care team to place the note on the file. This should be done using a sheet of A4 and the presence of the notes should be indicated on the front sheet of the paper record. For electronic records, progress notes can be used with the entry dated to the date of the disputed entry, advice should be sought from the Portfolio Manager : Information governance & health records. The note should reflect the fact that the service user disputes the section of the record. 4.8 Release of copies to a third party Where a request has been made for release of information to a third party such as a solicitor, every effort will be made to ensure that the service user understands what will be released to the solicitor and that they have given informed consent. A signed consent form may be rejected if it was signed more than 3 months before the request is received by the Trust. Page 8 of 31 4.9 Where the service user lacks capacity. Where a service user lacks capacity and is incapable of managing their own affairs a person appointed by the court to manage those affairs would be able to request access under the Act. Under the Mental Capacity Act from April 2007, Independent Mental Capacity Advocates (IMCAs) appointed by the local authority to a specific case will have a right to see the record on a need to know basis. The decision to release the records would need to take into account along with the third party protection and the potential for the data released to cause serious harm to the physical and mental wellbeing of anyone, the following: The expectation of the service user when providing the information that it would not be disclosed to the person requesting the information. Any information obtained as a result of an examination or test that the service user consented to in the expectation that it would not be disclosed. Any information that the service user has expressly indicated should not be disclosed. IMHAs are allowed access to all records where they are acting on behalf of a service user. However before release records will be checked for third party and harm. If the IMHA wishes to see these parts they will be provided and will be clearly marked. 4.10 Where the Service User is deceased The Data Protection Act does not apply to deceased persons. The information commissioner has ruled that there is a duty of confidence which exists in relation to health records after death and so records will not be released under the Freedom of Information Act. The only right of access to a deceased persons records are via the Access to Medical records Act 1990 where it applies to deceased persons. This gives a right of access to the personal representative or others, to relevant information in relation to any claim to be made in relation to the deceased person. Where any access is allowed the records will be reviewed by the lead LHP taking into account: Any wishes expressed by the deceased person in relation to information sharing. Any harm which could come from release of the records. Any third party information held in the records. Any information protected by law from release Where a relative or friend of the deceased requests access to the records not in relation to a claim, consideration will be given as to what information may be shared with the applicant without breaching the Trusts duty of confidence. 4.11 Where the most appropriate LHP is no longer available to review the records. The next best person is a member of staff from the health professions listed in the Act who worked with the service user. Where there is no-one who knew the service user Page 9 of 31 available the responsibility will pass to the line manager of the person who would have been the most appropriate, if they are a health professional listed in the Act. 4.12 Where the person who is most appropriate to view the records is not a Health professional On some occasions the person who has worked most closely with the service user and recorded information in the records is a social worker. A social worker is not on the list of health professionals who can apply the harm provision. The social worker should review the records for third party information and flag up any areas of concern to another member of the multidisciplinary care team, preferably one who has had some involvement with the service user. There are very few instances where withholding the record or part of the record on the basis that it will cause harm, will occur. It is likely that such a decision would benefit from a multidisciplinary approach in most instances. 4.13 Service User access to records in relation to the MH tribunal Section papers which are included in the clinical record are not subject to any extra restriction of access. Where tribunal reports are held within the record they should be with-held on the basis that they are provided in confidence and cannot be released without seeking the writers consent. 4.14 Service User access to records which do not form part of the health record. The Data Protection Act applies to all personally identifiable information held by the Trust, not just that which is held in a clinical record. Staff records are covered by a separate procedure (see employers guide to managers). Where personally identifiable information is requested by a service user which is not held in the clinical record the same procedures and principles will apply to decisions to release the information and the fees and arrangements which will be made. (NB the harm provision only replies to health records) All such requests should be notified to the Portfolio manager : information governance and health records so that they can be included in the monitoring statistics. 4.15 Proof of identity The Trust must be satisfied that the person requesting to view or receive a copy of the records is the service user to whom the records relate or their authorised representative, or where the service user lacks capacity a person appointed by the court to act on the service users behalf. Where the service user is known to the Subject Access Officer, or the request is made via a solicitor, proof of ID will not be required. (see page 23 for acceptable proof of ID) 4.16 Advocates Where the SU has capacity and has consented to the record being accessed by the advocate, they are acting in the same context as any other representative appointed by the service user. Where the SU lacks capacity the advocate is entitled to see relevant health, social services and care home records. (SI2006 1832) Page 10 of 31 Where an advocate has been appointed under IMHAs/IMCA arrangements, they are entitled to see the whole of the record, relevant to the decisions being taken. However no time limit is specified in the act and therefore the 40 day requirement under the data protection act applies. However where it is obvious that the support to be given by the advocate requires access in a shorter time period, best efforts will be made to respond in the required time period. An advocate is entitled, to see all of the record, but in practice the same process of checking for third party and harm information will be applied. This information will be withheld unless the advocate decides that they need to see it. If so it will then be clearly indicated that this information would not be available to the service user. 4.17 Third party information supplied by a non Health Professional Where information has been supplied by a third party who is not a health professional acting in accordance with their duties in relation to a service user the information held in the record will not be provided as part of a subject access request unless consent has been obtained. However the Trust has a responsibility to obtain consent if at all possible and where there are overriding reasons for providing the information without consent a decision will be taken based on individual circumstances. 4.18 Requests for access where joint services exist Where a record has been made by a member of the care team who is employed by the local authority but working under NHS management as part of the care team, no separate arrangements will be made to inform that member of staff and their interests will be covered by the Lead Health Professional. Where SWYPFT staff have contributed to social services record keeping the service users request will be referred to the appropriate service. 4.19 Consent The service user may consent to release of their record to anyone they like and they usually do this by signing a form agreeing to release the records. In general the consent will be valid for 3 months from the date that the form is signed. Where there is any concern that the service user did not sign the consent or did not understand what they were signing, the consent should be confirmed with the service user before the release of the record. Where a carer or family member has requested access to records and has consent from a service user with capacity, care should be taken to ensure that the service users wishes are being followed by reference back to the service user. 4.20 Communications Service users are informed of their right of access to their own information via the leaflet ‘Confidentiality of your information’ All staff should be able to direct service users wanting access to their information to write to the local subject access officer. In Barnsley this is: The subject access officer. South West Yorkshire Partnership Foundation Trust Page 11 of 31 Oaks Building Kendray Hospital Doncaster Road Barnsley S70 3RD In Wakefield, Kirklees and Calderdale it is The subject access officer. South West Yorkshire Partnership Foundation Trust Block 9, Fieldhead hospital Ouchthorpe Lane Wakefield WF1 3SP 4.21 Mental Health Review Tribunals Tribunal doctors and SOADs (second opinion doctors) are required under the mental health act to review the records of service users who are detained under the mental health act. There access to the records will usually be managed by the ward where the service user is detained. Solicitors seek access to the records of service users whom they are representing at tribunals. There is no automatic right of access to the solicitor so the access comes under the service users rights under the data protection act . As such the service user must consent to release of the record, the record must be checked for harm and third party information and in the case of a viewing access must be supervised. There is no requirement to meet a particular deadline, other than the 40 day requirement under the act however this rarely fits in with the timetable of the MHRT. As such every effort will be made to provide the records within a reasonable timeframe. In order to do this, records for the current period of care only will be prepared. If on viewing the record, further information is required, it will be made available subject to the above provisos as soon as possible. As such solicitors should request access as soon as they know that it is required and arrange to see the record in a timescale which takes this into account. 4.22 Where access is refused In most cases the record will be made available for the service user, as a result of a request. However there are very rare occasions where a LHP will consider the patient too unwell to see the record. This is usually a temporary situation. In such a case a letter explaining the refusal and inviting the service user to apply again for access when well will be provided. This will generally be provided to the service user in a face to face meeting with an appropriate explanation. 4.23 Patients living abroad requiring access to their health records Under the DP Act former patients now living outside of the UK still have the same right to apply for access to their UK health records. Such a request will be dealt with as for someone making an access request from within the UK. Page 12 of 31 When a patient moves abroad their health records remain the property of SWYPFT and are subject to the applicable retention period. 5. Fees & Timescales The fees that the Trust can charge in relation to a request for a copy of the record or to view the record only are detailed below. 1. Computer held records £10 2. Mixture of computer and manually held records – up to £50 including postage and packaging costs but all costs must be justified in relation to the volume of pages in the copy and postage costs. 3. Manually held records – up to £50 including postage and packaging costs but all costs must be justified 4. Records which are viewed only whether manual or computer held but where no amendment/addition has been made in the last 40 days but no copy is required £10 5. Where records are viewed but a copy of part or all of the record is subsequently requested, total fee must not exceed £50 including the £10 initial fee 6. Records which are viewed only whether manual or computer held where an amendment/ addition has been made in the 40 days prior to the date of the request – no fee. In accordance with the Data Protection Act the records must be produced within 40 days of receipt of the request, fee and any further details which are required to help identify the correct record. However because the Access to Records Act gave a time period of 21 days to respond the NHS is requested to respond within 21 days where possible. Where this is not possible the service user or their representative should be notified of when the records will be available. 5.1 Waiver of fees Where a request for access has been received directly from the service user the Trust may decide not to charge for access. 5.2 Cost Reduction In the interests of reducing costs where the whole of the record is requested and this is a significant volume the service user or their representative will be asked whether a specific time period in the records could be provided. However where the whole record is required this must be provided. The service user does not have to justify this or explain why they want access to the record. In the first instance correspondence, risk assessments, and clinical notes will be provided. 5.3 Re-application The Trust is not required to comply with a repeated request until a reasonable time has elapsed after fulfilling the first request. A reasonable time would be judged in relation to the additions and amendments made to the record in the time since the original request was fulfilled. Page 13 of 31 6. Service User Information which is not held in Clinical Records Most information held about service users is held in clinical records and is covered by the above process. However there are certain circumstances where service user information may be held elsewhere and the Data Protection Act applies to these records. Recent changes to the Data Protection Act brought about by the introduction of the Freedom of Information Act mean that information held by SWYPFT which is not in the Health Record or in a relevant filing system (where the record can be found by searching with reference to the individuals name, date of birth, identifier such as NHS number), but which is unstructured may be requested by the individual concerned. Complaints and incident reports fall into the latter two categories. Requests for complaints and incident information by service users or their representatives should be dealt with in the same way as those for clinical records taking into account all the factors relating to third parties etc. However requests for this information should be directed towards the Complaints or Risk departments respectively. A log should be kept of any such requests and the response times monitored. 6.1 CCTV Where a request has been made for access to CCTV believed to be held by the Trust , the request will be logged by the subject access officer and then passed to the Security management system lead in order to follow up the request and the viewing. The subject access officer will record, when and how the request is met and charge any fee agreed. 7. Legal Proceedings Where records are requested in order to provide the basis for the Trust defence the SU’s consent should be sought for their release in order to support the Trusts case. Prior to seeking the SUs consent the LHP should be asked whether it is likely to cause serious harm to the health of the SU if an approach for consent is made and whether the SU has capacity to consent. Where SUs records are required for any other purpose a court order will be required. 8. Duties 8.1 Lead Health Professional The Lead Health Professional has several responsibilities on being notified by the Subject Access Officer of a service users request to view or have copies of their records. Review the records and consider whether there is any information which if released could cause serious harm to the physical or mental health of the service user or any other person. State the case for with-holding these records on the form provided clearly indicating all parts of the record which you are recommending with-holding. Page 14 of 31 Review the records considering whether any duty of confidence is owed to a third party who is not a health professional. State the case for with-holding any third party information on the form provided clearly indicating all parts of the record which you are recommending with-holding. Consider whether any other health professional should be consulted about decisions to with-hold any of the information. Where the information is to be released to a third party either because the service user is deceased or incapable consider the following: o The expectation of the service user when providing the information that it would not be disclosed to the person requesting the information. o Any information obtained as a result of an examination or test that the service user consented to in the expectation that it would not be disclosed. o Any information that the service user had expressly indicated should not be disclosed. State the case for with-holding any information on the form provided clearly indicating all parts of the record which you are recommending with-holding. 8.2 Subject Access Officer The subject access officer is a designated person in each locality to whom all requests should be directed. The subject access officer has responsibility for receiving and processing service user requests for clinical records. In particular they are responsible for acknowledging the request, establishing the identity of the requestor and their requirements and ensuring that a timely response is made. The following actions will be required. Receive and log requests. Send out acknowledging letter requesting the fee, proof of ID, and completion of the form specifying the information requested and whether a copy was required or viewing arrangements. Where the requestor is acting on behalf of the service user or the service user is deceased check that they have the appropriate authorisation. In joint services ensure that where appropriate the lead social care professional is consulted. When the above documents are received locate the records which are required, identify the lead health professional(s) and send the form and the records (where appropriate) on specifying a deadline for their return On receipt of the LHP instruction arrange either for accompanied viewing of the record or for a copy to be made. Liaise with the service user or representative about how they would like to receive their copy if appropriate. Page 15 of 31 Agree a date and time for viewing and arrange an appropriate venue. On completion of the request return the original record to its location and log the request. Where the record has been redacted ( prohibited information removed) a copy should be kept of the version of the documents provided for the request. 8.3 Data Protection Officer The Data Protection Officer is responsible for the Trusts annual notification and is the first point of contact for communications with the Information Commissioner. The Data Protection Officer should be referred to over any issues to do with the process and any points about consent or third party access which are not straightforward. 8.4 All staff Staff should be aware of service users right to access any personally identifiable information which is held about them and be able to direct them to the appropriate part of the service to help with their request for access. Staff should ensure that service users are aware of their right of access by providing the leaflet ‘Confidentiality of your information’ at or as soon as appropriate after first contact. 8.5 Health records sub-group The health records sub-group is responsible for monitoring the volume and type of requests and the timeliness of responses and providing reports and recommendations to the Information Governance TAG. The health records sub group will maintain an agreed set of proforma letters and forms to support the process and ensure that they are applied trust-wide. 8.6 Information governance Trust-wide action group The IG TAG will review reports from the health record sub-group and take action where necessary 9. None SU Requests for access Where a request for access is made for a service users record or part of the service users record by somebody who is not the service user and who is not acting on behalf of the service user the Trust will in principle require the consent of the service user before providing access. It is not the responsibility of the Trust to obtain the SUs consent, but it will often be appropriate for it to do so. For example it may be in the SUs best interests if the Trust assesses their capacity to consent and the likelihood of any serious harm to the physical or mental health of the SU as a result of such a request. In any other circumstance SWYPFT will not release the record unless a court order has been made or a non disclosure exemption can be applied. Page 16 of 31 Police requests The Trust will respond to requests for access to records where the police can show that provision of the information will lead to the prevention or detection of a serious arrestible offence. Consent of the service user will be required unless the police can show that getting the consent of the SU would defeat the purpose of the investigation, allow a potential criminal to escape or put staff or others at risk.. A section 29 form should be completed and signed by an inspector or somebody of equivalent rank. Only those parts of the record relevant to the inquiry will be released and the form should provide enough detail to justify the access and indicate which parts would be relevant. Further detail is provided in the Information Sharing, Confidentiality and Data Protection policy. Court Orders and witness summons and Coroners requests Where a court order has been made for the release of the records the LHP will review whether there is any information which it would be harmful to release to the court. If this is a case then a case will be made by the Trust for the release of a limited part of the record only. [Recent case suggest that the court should ask the SU to make the case for not releasing all or part of the record] However there may be circumstances where the Trust must advise the court as to the risks involved to the SU or any other person in releasing the information. A copy of the records will be provided as the original may still be required for clinical purposes. Where a witness summons has been received the Trust will consider whether consent has been sought and if so whether there is a valid consent, the service user lacks capacity to consent or has capacity but has refused consent. If there is consent the records will be checked for third party and harm before release. If there is no consent the Trust will advise the court that it cannot release the record without a court order. A copy will be provided where it is decided to release the record. Where the coroner has requested the records of a deceased individual, they have a right to take the records. The Trust will aim to provide a copy of the record and will inform the coroner of any harm which may arise from release of information at the inquest, and any concerns/expectations of confidence the deceased person had about the sharing of their record with family and friends 10. Complaints Complaints should be addressed in the first instance to the Trust complaints department, where the complaint will follow the normal NHS complaints procedure. Service Users or their representatives will be advised that should this prove unsatisfactory they have the option to complain to the Information Commissioner and be provided with appropriate contact details. Page 17 of 31 11. Audit and Monitoring The Information Governance TAG will monitor the number of requests received and the timeliness of response and any particular issues with requests, via a quarterly report. 1. 2. Standard This document is reviewed and updated in accordance with Trust policy. Relevant staff will be made aware of the policy and offered support and training Monitoring process - evidence: The document on the intranet is upto-date 3. 4. 5. Document is on the intranet Reference in team brief Record of meetings where implementation discussed Content of and attendance at relevant training Audit of staff awareness IG TAG will use the number of requests and any breaches to monitor the effectiveness of the policy. IG TAG will monitor incidents recorded on Datix and complaints to the complaints department and to the ICO. Health records subgroup to monitor quarterly requests, sources and breaches and report to IG TAG Number of incidents related to subject access requests Number, severity, location and type of complaints, relating to service user access requests Review of action plans IG TAG to review recommendations and action plans where appropriate. 12. Training The training requirements for this policy are as follows: All staff How to inform a service user of their rights How to to direct a service user to make a request Page 18 of 31 Team brief, cribsheets, induction, Team leaders Lead health Professional Subject access officers Responsibilities and processes under this policy Access to and printing from RiO Understanding of Data Protection Act and Access to records Act Responsibilities and processes under this policy Summary sheet, Access to records elearning, CfH. Completion of Access to records and Introduction to IG modules on CfH IG training tool. One off session to review processes. 13. Implementation An overarching implementation plan for this policy has been developed (Appendix H). The Health records sub group, which reports to the IG TAG, will develop further processes 14. Review The policy will be reviewed every 3 years. 15. Development This policy has been developed in consultation with: IG TAG Health records sub-group Claims and legal advisor, MHA manager Complaints manager Barnsley Care Records Management Group 16. References Internal Information Sharing, Confidentiality and Data Protection Policy Clinical records management policy External IG toolkit standard 8-205 DH Guidance for access to Health records requests NIGB Requesting amendments to health and social care records. Data Protection Act 1998 Disclosure of information that may harm someone’s health – Statutory Instrument 2000 No. 413 ICO technical guidance note: Freedom of information and access to information about the deceased. Page 19 of 31 ICO technical guidance note: Subject access to health records by members of the public Page 20 of 31 APPENDIX A ACCESS TO HEALTH RECORDS PROCEDURE 1. Applications/Requests for access to records will be addressed to the Subject Access Officer, at the site where the service user was seen Fieldhead Hospital, Wakefield. Priestley Unit Dewsbury District Hospital Folly Hall, Huddersfield The Dales, Calderdale RI, Kendray Hospital Barnsley 2. If requiring access under the Data Protection Act 1998 (formerly the Access to Health Records Act (1990) then a standard request form containing appropriate details will be forwarded to the applicant for completion. This will ask for the fee and proof of identity. Where the applicant is not the service user proof of entitlement to view the records will also be required. This may be in the form of a signed consent form. If this is the case then the consent form must be the original and not a fax or photocopy (which may have been tampered with) 3. The Subject Access Officer will acknowledge receipt of an official application within three working days, using a standard letter. The request will be logged with the SAO, at Fieldhead hospital or Barnsley as appropriate. 4. The Subject Access Officer or nominated officer will identify the appropriate record/s, including paper held records and records kept on the Trusts clinical information system. 5. The Subject access Officer will print off the relevant progress notes from the Trust clinical information system 6. The Subject Access Officer will discuss the request with the health professional/s involved. At this stage the health professional/s will be asked to complete the Form “Advice from Health Professional”. Where further advice is required the Data Protection Officer should be contacted and legal advice may be sought in exceptional cases. 7. If the health professional feels it would be appropriate to withhold all or part of the records because they might cause serious harm to the physical or mental health of the service user or another person, or identify a third party, the Subject Access Officer would be informed via the form ‘Advice from a health professional’. N.B.1 entries in the casenotes made by a health professional are not regarded as third party information. Letters written between health professionals in relation to the Service Users would be regarded as part of the record. 8. The Subject Access Officer will make appropriate arrangements for the applicant to view or receive a copy of the record. Where the record is to be viewed a suitable private room will be required (e.g Consulting room or meeting room). Page 21 of 31 The viewing must be accompanied in order to ensure that the record is not damaged or altered or has parts removed. The person accompanying the applicant may explain any terms/ codes used if qualified to do so but must not attempt to explain the content of the record. In some instances it will be more appropriate for the clinician to discuss and explain the record to the patient. 8. Where the applicant considers that information contained in the health record to which access has been obtained is inaccurate, the applicant may apply for an amendment to be made. If the amendment is agreed, the applicant should receive a copy of the amendment. If the amendment is not made, a note should be attached to the relevant part of the record, which is alleged to be inaccurate. 9. If the applicant is unhappy about any aspects of the procedure followed they should raise this with the Subject Access Officer, and if still dissatisfied they can complain through the Complaints Procedure. 10. If the applicant is unhappy about the denial of access, part denial or compliance with the Act they can complain via the Complaints Procedure and if still dissatisfied to the Information Commissioner, for which details will be given. The Subject Access Officer will keep a log of all requests made for access for 3 years after the request has been dealt with. 11. 12. Where a copy is to be provided the subject access officer, will arrange for copying of the record, redacting any information as identified by the LHP. A copy must be kept of any sheets where information has been redacted unless it is able to be clearly described on the form (appendix D) This is to ensure that any later dispute about what was provided, may be resolved. Where it is known that the request is because the applicant is considering a claim against the Trust , a full copy should be retained by the SAO in case it is later required by the claims manager. 13. Where a copy is to be posted special delivery must be used due to the sensitivity of the information contained in health records. It is preferable to arrange for a copy to be collected by the applicant or if appropriate passed to the applicant during a planned visit or appointment, as face to face transfer is less likely to result in loss on non arrival of the copy. Page 22 of 31 APPENDIX B Lead health professional guidance when asked to review a record for release. 1. Responsibilities 1.1 To confirm that to the best of your knowledge the service user is well enough to a) have capacity to consent to the release of the records b) if the service user is requesting to see the records, that they are well enough to do so at this time 1.2 To check the records requested for any items which should not be released on the basis of harm. Harm as defined in law is serious physical or mental damage to an individual, who may be the service user or may be another person. This task can only be done legally by a listed health care professional. Where the care co-ordinator is a social worker, confirmation of the need to withhold all or part of a record must be made by a health professional who is involved in the case. This is likely to be another member of the multidisciplinary care team. 1.3 To check the record for third party information and indicate where it should be removed (redacted) In making a decision to withhold some information you should consider who has requested the information and the purpose of the request. 2. What is third party information? Third party information can have different presentations. It may be information given to you by the service user about somebody else, for instance a family member. The third party may not know that you have this information. Care is required in releasing this information to anyone other than the service user and in some instances it should not be released to the service user. It may be information about the service user which was given to you by a third party. This may be in an official capacity such as a letter from a housing association or as a friend, relative or neighbour of the service user. The service user may be aware of the information and that you have it in which case there may be no need to redact it. Information provided by another health professional or a social worker who is acting as part of the multidisciplinary care team, is part of the record and should not be redacted. 3. Respecting the service users wishes There may be some parts of the records where a service user has shared information on the basis that it will not be shared with anyone else or with specific individuals. For instance a service user may have said that they ‘don’t want their children/partner/carer to know’ in relation to some aspect of their history or care. Page 23 of 31 If the service user has subsequently signed to release their records to this person, consider their capacity and if possible discuss the situation with them. If there is any doubt the information should be redacted. If the service user no longer has capacity or is deceased the information should be redacted. 4. What is Redaction? Redaction is a term describing the removal of information which the recipient is not entitled to see. The minimum information necessary should be removed. For instance if there is something in a letter which must be redacted consideration should be given as to whether the whole letter, the paragraph it is in or the sentence containing the information must be redacted. Items to be redacted should be clearly indicated to the subject access officer who will ensure that they are removed from the copy provided to the intended recipient. Redacted information may be challenged so you should be prepared to justify the redaction. 5. Further legal requirements to be aware of Requests by the courts/coroner or police (with a court order) In some instances, where there is a legal right or a court order specifying such the whole record may be legally supplied. However it should be reviewed for the above factors, particularly where there is a possible risk to the service user or other individuals. It is possible, although not usual, to make a case to the judge that certain information should not be released. In particular information which is not relevant to the request made should be requested to be withheld. STDs Any information about STDs in the service users records should be redacted. Human Fertilisation & Embryology Act 1990, as amended by the Human Fertilisation & Embryology (disclosure of information) Act 1992 Any information revealing the identity of either a recipient or a donor should be redacted. The majority of records supplied to third parties or to service users on request, by the trust are not required to be redacted. However all records must be checked with the LHP most closely involved with the service user as this is the person in the best position to make the judgement. Page 24 of 31 Appendix C Equality Impact Assessment Tool Equality Impact Assessment Questions: Evidence based Answers & Actions: 1 Name of the policy that you are Equality Impact Assessing Information sharing, confidentiality and data protection policy 2 Describe the overall aim of your policy and context? To set out the principles and arrangements to ensure that person identifiable information is kept confidential and information can be shared appropriately. All staff Who will benefit from this policy? 3 Who is the overall lead for this assessment? 4 Who else was involved in conducting this assessment? Portfolio Manager: information governance and health records 5 Have you involved and consulted service users, carers, and staff in developing this policy? The information governance TAG and specialist advisers were consulted on this policy. N/A What did you find out and how have you used this information? 6 7 8 What equality data have you used to inform this equality impact assessment? N/A What does this data say? N/A Taking into account the Where Negative impact has been identified information gathered. please explain what action you will take to Does this policy affect one remove or mitigate this impact. group less or more favourably than another on the basis of: If no action is to be taken please explain your reasoning. YES Race NO N Page 25 of 31 9 Disability N Gender N Age N Sexual Orientation N Religion or Belief N Transgender N Carers N What monitoring arrangements are you N/A implementing or already have in place to ensure that this policy: promotes equality of opportunity who share the above protected characteristics eliminates discrimination, harassment and bullying for people who share the above protected characteristics promotes good relations between different equality groups, 10 Have you developed an N/A Action Plan arising from this assessment? 11 Who will approve this Executive Management Team will approve the policy assessment and when will you and the assessment will be published to the intranet publish this assessment. when the policy is placed on the intranet. 12 Once approved, please forward a copy of this assessment to the Equality & Inclusion Team: inclusion@swyt.nhs.uk Page 26 of 31 Appendix D Checklist for the Review and Approval of Procedural Document Title of document being reviewed: 1. 2. Title Is the title clear and unambiguous? YES Is it clear whether the document is a guideline, policy, protocol or standard? YES Is it clear in the introduction whether this document replaces or supersedes a previous document? YES Rationale Are reasons for development of the document stated? 3. 4. 5. Yes/No/ Unsure YES Development Process Is the method described in brief? YES Are people involved in the development identified? YES Do you feel a reasonable attempt has been made to ensure relevant expertise has been used? YES Is there evidence of consultation with stakeholders and users? EMT Content Is the objective of the document clear? YES Is the target population clear and unambiguous? YES Are the intended outcomes described? YES Are the statements clear and unambiguous? YES Evidence Base Is the type of evidence to support the document identified explicitly? YES Are key references cited? YES Are the references cited in full? YES Are supporting documents referenced? YES Page 27 of 31 Comments Title of document being reviewed: 6. 7. 8. 9. 10 . 11 . Yes/No/ Unsure Approval Does the document identify which committee/group will approve it? YES If appropriate have the joint Human Resources/staff side committee (or equivalent) approved the document? N/A Dissemination and Implementation Is there an outline/plan to identify how this will be done? YES Does the plan include the necessary training/support to ensure compliance? N/A Document Control Does the document identify where it will be held? YES Have archiving arrangements for superseded documents been addressed? YES Process to Monitor Compliance and Effectiveness Are there measurable standards or KPIs to support the monitoring of compliance with and effectiveness of the document? YES Is there a plan to review or audit compliance with the document? YES Review Date Is the review date identified? YES Is the frequency of review identified? If so is it acceptable? YES Overall Responsibility for the Document Is it clear who will be responsible implementation and review of the document? YES Page 28 of 31 Comments APPENDIX E Version Control Sheet Versio n Date Author Status Comment / changes 1.3 October 2006 Nicola Smith Final 2.3 November Nicola Smith 2010 Draft Review 2.4 Septembe Nicola Smith r 2011 Draft Review 3.0 December John Hodson 2011 Draft Merge with Barnsley Policy 3.1 January 2012 John Hodson Draft Comments from Barnsley Care Records Group 3.2 February 2013 Nicola Smith Final Service User Access to PII SWYPFT Page 29 of 31 November 2010 Appendix F Impact of Implementation Description of Impact Staff /Dept affected 1 Change of LHP arrangements to make this the care co-ordinator in most circumstances 2 Health care records sub-group 3 Dissemination and training to all staff Service User Access to PII SWYPFT Page 30 of 31 BDUs To review letters and agree procedures BDUs/ departmental managers November 2010 Cost implication APPENDIX G Legislation excluding access relevant to health records The NHS Trusts and Primary Care Trusts (Sexually transmitted Diseases) Directions 2000 Existing regulations require that every NHS trust and Primary Care Trust shall take all necessary steps to secure that any information capable of identifying an individual obtained by any of their members or employees with respect to persons examined or treated for any sexually transmitted disease (including HIV and AIDS) shall not be disclosed except: a. for the purpose of communicating that information to a medical practitioner, or to a person employed under the direction of a medical practitioner in connection with the treatment of persons suffering from such disease or the prevention of the spread thereof; and b. for the purpose of such treatment or prevention. Human Fertilisation & Embryology Act 1990, as amended by the Human Fertilisation & Embryology (disclosure of information) Act 1992 This act is under review. Information given in confidence by donors or recepients must not be made available other than for the provision of care and for audit purposes, without the consent of the individual. Service User Access to PII SWYPFT Page 31 of 31 November 2010
