Dr Neil Paul
I recently attended a meeting organised by our IT team and EMIS. The idea was to brief everyone about a project we are running to give A&E and out-of-hours, which are co-located, access to some GP information through EMIS Web. Here are my thoughts so far, should you want to do the same or similar.
Show me the evidence
I’m a bit fed up of seeing loads of slides on the benefits of record sharing that only state that knowing a patient’s allergies might be important.
While I’m fully behind our project, I think that to motivate people we need a series of real life examples in which accessing the record made a huge difference.
Similarly, long slide shows extolling the virtues of two-way sharing of information are great – but that isn’t what we are going to be doing any time soon.
This being the case, I’d advise staying away from calling projects of this kind ‘the shared record project’ because it just confuses people.
I’ve seen a draft document for our area that talks about the national Summary Care Record, the care summary record, and the local shared health record and it confuses me; particularly when the multiple authors mix them up.
Version 1 of our project is to let A&E and out-of-hours staff see a special summary view of the GP record held in EMIS Web. I’d like to call it ‘the viewing of the GP record by authorised third parties project’.
Security issues, real and imagined
I think this would help to answer the commonest misconception that we have had from practices – that there is a copying or transfer of the data to somewhere else. There is not. The project is about viewing the data owned by the practice – which is why the practice is still data controller.
The next misconception and worry is that the ward cleaner will be able to access anything or everything when, in reality, role-based authorisation is well established.
What doesn’t seem to worry people – but should – is the physical security of cards and passwords. This needs to be thought out and a more serious attitude needs to be taken. Don’t tell everyone your password and leave your card on your desk.
At our meeting, another good question was asked that I had already been thinking about. What is there to prove the patient actually consented – or was even there – when a consultant checks the pop-up box on screen that says they consented for their summary to be accessed?
As we can’t take a thumb print or use a PIN like a credit card, the standard answer is that an email or message is sent to the data controller – the patient’s usual GP or a nominated deputy – who will be able to spot problems.
Well, I have some problems with this. For some patients I know well it will indeed provoke alarm bells if they start having their notes accessed by the diabetic clinic that I know they don’t attend. An access in A&E may make me wonder why they went in; and I might even look into it.
However, I almost certainly won’t know all the people about whom I get notified. Also, I already get 30-50 letters a day to read. Am I going to get another 30-50 notifications of consent a day? If I am, this is just going to get ignored.
Consent checks: why not involve patients?
I wonder if there are some clever things you could do to catch any infringements. EMIS provides a service called EMIS QUTE. Well how about comparing the two? If there is a records access in A&E and there is no charge from A&E shouldn’t that flag up an issue? Could we use the billing records as a check?
I also think the computer should produce details for random audit. These might include making sure that the patient was in A&E and that a patient that had been consented for really was unconscious at the time.
This would involve access to hospital records; something we have not always had. So the data sharing agreement needs to be two ways. They need to agree to let us check their records.
I think we can do even better, though, and use people power. When I change my contact details on a website it usually emails both my new and my old details that the change is happening. Why not actually tell the patients who are having their notes accessed that it’s happening?
I think we should have a register of contact details for people. After someone’s notes are accessed they should automatically be emailed or texted to say it happened. If they weren’t there, they can start asking questions.
The database could have knock on benefits. One of the reasons we haven’t instigated an appointment reminder system is we don’t have accurate phone data for our patients.
There are always confidentiality issues about sending out data. So the message should probably be to check their secure message area. This is where EMIS Access comes in, with its medical notes viewer and messaging system.
A patient could log on and see who has accessed their records and when. Now that would be progress.
About the author: Dr Neil Paul is a full time GP working at the Ashfields primary care centre in Sandbach. He sits on his primary care trust’s professional executive committee and has a lead role for IM&T and Payment by Results.