Information should be shared across health and social care when it is in patients’ best interests, but patients should be able to see an audit trail of everyone who has accessed their personal data.
These are the key recommendations of the Caldicott2 review, which reported this morning. 'Information: to share or not to share', was launched today at the ICO Conference Centre in London, and sets out 26 recommendations for the NHS.
The review, led by Dame Fiona Caldicott, who also led the Caldicott Committee that put in place most of the NHS’ existing information governance structures in the mid-1990s, also says patients should also have better access to their own information, including their records and correspondence about them.
“The review panel thinks this right of access should cover hospital records, community records and personal confidential data held by all organisations within the health and social care system,” says the report.
“It recommends that all communications between different health and social care teams should be copied to the patient or service user. There should be ‘no surprises’ for the patient about who has had access.”
The Caldicott2 review was set up in response to a recommendation in a 2011 NHS Future Forum report looking at the government’s plans to reorganise and reform the health service.
It noted that as the NHS moves towards a paperless future, the increased use of technology has led to concerns about the security of information and breaches of confidentiality.
On the other hand, it asked whether concerns about confidentiality have stifled information sharing, even when this can make services more accessible and efficient for patients.
The Caldicott review recognises that patient’s should be allowed to ‘opt out’ of their information being shared, but says it is important to strike a balance between patient confidentiality and information sharing.
Although education on information governance is a requirement for healthcare professionals, it says many are ‘insecure’ about the rules, which sometimes leads to data, which should be shared, not being shared.
“The review panel discovered that the mandatory training is often a ‘tick-box exercise’. Health and social care professionals should be educated and not simply trained in effective policies and processes for sharing of information.
“This education should include a professional component explaining why there may be a duty to share information in the interests of the patient, as well as the legal aspects of the common law of confidentiality, the Data Protection Act and Human Rights Act.”
The final recommendation adds that health secretary Jeremy Hunt should oversee the use of the recommendations in practice.
“The Secretary of State for Health should maintain oversight of the recommendations from the Information Governance Review and should publish an assessment of the implementation of those recommendations within 12 months of the publication of the review’s final report,” it says.
As EHI reported earlier this month, the review also adds a new Caldicott principle:”The duty to share information can be as important as the duty to protect patient confidentiality.”
“Our overarching aim has been to ensure that there is an appropriate balance between the protection of the patient or user’s information, and the use and sharing of such information to improve care,” says Dame Fiona Caldicott in the foreword of the report.
Mark Davies, medical director at the Health and Social Care Information Centre, told EHI: "The HSCIC welcomes the report and sees it as a significant step towards more appropriate data sharing which will have real impact on patient care."
© 2013 EHealth Media.
The balance is between security of life and security of "privacy"Richard Fitton 112 weeks ago
There is a balance between staying alive and staying known. If you want no one to know any thing about you you will stay at home and never go outside. If you want to see a specialist about infertility, breast augmentation, venereal disease, psychiatric problem, there is a chance that some one you know will see you there. If you wear a bag over your head so that some one will not notice you - it will not work.
If you have kidney failure, haemophilia, recurring strokes, cancer, you want as many people to have the required information as possible and the chances of anonymity decrease. Patients holding access to their records and watchig who has seen them are two very powerful tools to aid privacy and safety of life.
Can people look at audit trails? Yes we look at Tesco's receipts, TV guides, on line shopping, bank statements, football results, and we spend 20 hours a week watching tv. Life is important to and important for most humans and they should spend a little more time workiong on and being interested in their own health and health records - and in that of their dependants and when requested - friends.
Here are the fundamental human right issues. Modern society is favouring more citizen rights but that incurs responsibility and work too!
chiiudesiyxbhttp://www.echr.coe.int/ECHR/EN/Header/Basic Texts/The Convention and additional protocols/The European Convention on Human Rights/
RIGHTS AND FREEDOMS
Right to life
1. Everyone%u219s right to life shall be protected by law.
Right to respect for private and family life
1. Everyone has the right to respect for his private and family
life, his home and his correspondence.
2. There shall be no interference by a public authority with the
exercise of this right except such as is in accordance with the
law and is necessary in a democratic society in the interests of
national security, public safety or the economic well-being of the
country, for the prevention of disorder or crime, for the protection
of health or morals, or for the protection of the rights and freedoms
Freedom of expression
1. Everyone has the right to freedom of expression. This right
shall include freedom to hold opinions and to receive and impart
information and ideas without interference by public authority
and regardless of frontiers. This Article shall not prevent States
from requiring the licensing of broadcasting, television or cinema
pARAnoiD GuARdiAnInfoman 112 weeks ago
I've read the report and being paranoid about my org will be sued refer all my staff to section 3.3 and recomendation 2.
After some contemplation and a few hours spent with the legal team I've confirmed that we can no longer allow complete case notes (whether paper or electronic) to be passed from dept to dept because there's no way to decide which bits are "relevent" when they are relevent or to whom they might be relevent.
I've decided we need to create mutliple case notes / records. One for each medical / health event.
The road to sharing is unbroken tarmac not crazy pavingJacquesOuze 113 weeks ago
The findings and recommendations of the review are very welcome and the report contains plenty that is good and sensible. But I still read it with a sense of disappointment and frustration.
Although there has been an attempt to rebalance the rules in a way that gives greater emphasis to sharing information for the benefit of patients, the top-level message is still the same: information sharing is risky and severe punishment awaits those that get it wrong.
As you might expect from a review conducted by highly intelligent people, capable of handling complexity and nuance, they recommend that staff just need more education in understanding the complexity and nuance of the rules, rather than any simplification of those rules. I think that's the wrong approach.
What is required more than anything else, is a very clear, loud, simple statement to staff, that if they share information for the benefit of patients, they will be OK. Even if they get it wrong; even if the recipient didn't strictly need to know, even if somebody subsequently misuses that information. So long as it can't be proved that there was malice, negligence or other nefarious motivations behind the decision to share, then there should be a guarantee of safety.
It's not that I think that front line staff are too dim to engage with the complex detail of the rules, although a few undoubtedly will be. But they need to be free to get on with their job to the best of their ability without having to undertake a legalistic analysis every time they make sharing decisions.
It might be that any follow-on guidance that comes from professional bodies can achieve this clarity, although I seriously doubt it. But without a very clear high level message of safety, staff will still tend to play it safe and not take the risk of sharing, because that's easier than trying to apply complex rules to each specific case.
Excellent commenttimbenson 113 weeks ago
This comment is spot on (including the headline). Problem with IG is that following due Process was made to appear more important than useful Outputs for patients, so diligent completion of an onerous Process, undertaken by specially trained personnel that prevented patients seeing their own digital data was treated as a success.
Spot onvon Bismark 113 weeks ago
I think we have a big blind spot about the role the previous report played in medical/care failures since it came out.
Its sacrificing the many (99.9%) for the specialist interest groups / clinically paranoid few (0.1%)... (%s for illustration only).
The road to hell is paved with good intentionsvon Bismark 113 weeks ago
Appendix 5, and the backing US web site need close attention for here one seems to find a list of what's now considered PID, 18 items, any one of which would appear to make a record PID, ON ITS OWN according to the US notes <Quote>:
"De-identifying Protected Health Information Under the Privacy Rule
Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule. Covered entities seeking to release this health information must determine that the information has been de-identified using either statistical verification of de-identification or by removing certain pieces of information from each record as specified in the Rule.
The Privacy Rule allows a covered entity to de-identify data by removing *****all**** 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information."
Audit Logs should be manditory for EHR vendorstimdunnfw 113 weeks ago
In a Survey we undertook of IG professionals across the NHS, 100% said Audit logs trails would help their role and 95.4% said that government should mandate vendors provide Audit logs