Special Report: Interoperability
With just six short months until the General Data Protection Regulation (GDPR) comes into force, much of the NHS’s attention remains fixed on the huge penalties that could be levied for organisations found in breach of it. But with its commitment to data portability, could it also serve as an opportunity to finally crack the old chestnut of a problem that is interoperability in healthcare? Jennifer Trueland investigates.
Interoperability remains a major challenge for healthcare IT. Despite efforts to make systems talk to each other – and some pockets of good practice – for most, it remains a pipe dream.
Next year, however, new European regulations come into force to update data protection laws, encouraging greater transparency and putting more control in the hands of citizens.
The General Data Protection Regulation (GDPR) is a big change, and it will happen, regardless of Brexit. But will it be the push that is needed to make interoperability in healthcare an imperative?
History suggests the need for some caution: back in January when the year was still young and full of possibilities, various experts in the field predicted that interoperability would be a big priority for the NHS in 2017.
A Digital Health News review of leaders found a strong expectation that linking existing IT systems together would take precedence over deploying new technology.
The hope was that work done in previous years to develop shared coding and operating standards would bear fruit, directly improving the care of the patient (by, for example, making it possible to easily share electronic records between different providers). It was also hoped that interoperability would help unlock the possibilities of using big data and analytics to inform system-wide transformation.
There’s nothing wrong with a bit of ambition but, in the dying weeks of 2017, it’s probably fair to say this year hasn’t seen a huge leap forward in the interoperability space. That’s despite the best efforts of NHS Digital and others to develop and implement shared standards, and calls from the likes of Matthew Swindells for NHS bodies to choose vendors who help to drive openness and data sharing into the system.
David Roots, executive director for health and care with Civica, says many vendors are keen to engage with efforts to improve interoperability, but he warns that it is not an easy process.
Interoperability has been on the agenda for the 35 years that Roots has been working in this area – and his judgement is that it has been moving at “a snail’s pace”.
Part of this has been a failure to come up with standards that everyone has been prepared to sign up to. “The old joke is that standards are great, so that is why there are so many of them,” he says. “Many in the industry would actually welcome something they could really latch on to, but not every supplier is willing to play ball.”
Looking forward to next year, however, and there might be a new driver on the scene. In May 2018, the EU General Data Protection Regulation (GDPR) comes into force, changing the law governing the management and use of data – including data in healthcare. According to the Information Governance Alliance, the changes will mean “greater focus on evidence-based compliance, with specified requirements for transparency, more extensive rights for data subjects and considerably harsher penalties for non-compliance”.
Among the provisions are a right to data portability, which, in a healthcare context, could mean that patients have a right to take their data with them between different organisations – meaning that these health bodies will have to make sure that they can a) find the information, and b) make it available in a transparent format.
Roots believes that in general, the public sector is not paying as much attention to GDPR as it should be, in stark contrast to the private sector. “I think there has been so much stuff [around data protection] in the NHS that many see this as just a variation on an existing theme,” he says. “There will be some trusts where the CIOs will have it on their agenda, but they have so much else going on – they don’t have the funding or the resources to deal with everything on their agenda.”
It could be partly a fiscal issue – while a fine of four per cent of annual turnover would obviously hit any NHS body hard, for a private organisation it could mean the difference between being viable and going out of business.
According to Rob Dixon, capture products manager with Silverlink, GDPR should be making organisations think generally about how they provide and receive data, potentially assisting interoperability, as well as how they would deal with more specific provisions, such as the “right to be forgotten”.
“There’s still debate about it – it might be even if the patient makes the request [for erasure], that there’s a clinical safety issue with removing the information [from the patient record]. Guidance from the centre has been quite lacking.”
Dixon says that the requirements of GDPR are beginning to “filter down” through procurement. “We’re starting to see them in a new tenders,” he says. But whether it will be transformative on the interoperability front remains to be seen. “People are starting to think about it [GDPR], and the portability aspect might help with interoperability, but I don’t think GDPR on its own will do it. It will have to be associated with some sort of standard or diktat from NHS England or NHS Digital.”
Over the years there have been several attempts to set standards to ensure that information can be passed between different systems. For example, this summer NHS Digital said it was moving to Fast Healthcare Interoperability Resources (FIHR) standards to improve communications between hospitals and GP practices.
Some suppliers have worked hard to ensure they comply with standards, says Dixon, but they have to ensure they also meet the individual needs of clients – meaning they have to be rigid enough to satisfy the standard, while flexing to meet customer demand.
David Hancock, client engagement director with InterSystems, also has concerns. “Healthcare standards are not well enough defined,” he says. “Standards are just guides – they are like toothbrushes: everybody’s got them, but nobody’s prepared to share.”
One of the issues for the NHS is that IT systems are typically long-lived, says Hancock. “It can be difficult to retrofit standards; sometimes you’re working with systems that are 20-25 years old.”
Despite these challenges, he believes that GDPR will be positive for interoperability because it will “raise the bar” on data protection. “The bottom line is that if it makes the public trust what you’re going to do with their data, and they buy into that, they will be prepared to share data so there will be more participation. GDPR is about putting in more safeguards – we have to look at it positively.”
Steve Johnson, information security manager with Orion Health, is also an advocate of promoting the positives of GDPR, rather than focusing on the vast fines that can be levied if organisations get it wrong. “I don’t think the punitive aspects are the driver for change,” he says. “The opportunities that GDPR brings to focus on things like information governance are positive, but there’s been a lot of focus on the ‘stick’ rather than the ‘carrot’.”
Again, he would like to see more guidance from the centre, pointing out that while the IGA has published some, much more is needed. “There’s no one size fits all, and there are points that still need clarification, even within the UK,” he says.
He believes that NHS bodies are in varying stages of preparedness, with some approaching it in an isolated and siloed way, while others are taking a more open and inclusive approach, recognising that it’s an issue for the whole organisation. “This isn’t just an IT thing,” he cautions.
Civica’s financial systems director James Kilmister says it’s difficult to predict the impact of GDPR on interoperability. But he says: “I think it will sharpen people’s minds. I think it’s a good thing – I think it will bring discipline to record-keeping and will mean that people will have to think about why they are keeping data. Too much data is saved because people are lazy and don’t empty out their filing cabinets. Inertia means there are electric cupboards stuffed with dead data – I think GDPR will change that.”
He says that organisations should be focusing on the bigger data picture at an organisational level – what he calls a master data policy – rather than in a siloed, department-by-department kind of way. “It’s about understanding how data enters and leaves the organisation, what’s the reason for keeping it, the legal basis, what it’s for, what third parties can see it – it’s all these things and more.”
At the very least, having this information defined, documented and accounted for – in the one place – will save an administrative headache if a patient exercises their GDPR right to ask for the information to be removed.
This is in everyone’s interests, he says. “GDPR is an organisational issue; IT is a part of that, but it shouldn’t be the responsibility of IT alone; it’s much wider than that.”