Information Governance - Supporting National Systems

ASSIST North West Branch EventWrightington Conference Centre, Wigan

24th June 2008

Charles YeomansonActing Director of ITcharles.yeomanson@uhcw.nhs.uk

Agenda

Information Governance requirements

NPfIT Information Governance controls

Systems/products • Review of IG controls• Future implementations

Q & A

NPfIT Information Governance Requirements

OBS

NPfIT Contract Schedule 1.7 (730.)

Care Record Guarantee (CRG)

(www.connectingforhealth.nhs.uk/crdb/docs/crs_guarantee )

Statutory/legal – DPA, Access to Health records

NPfIT IG controls

• Registration and Authentication • Role-Based Access Control (RBAC)• Legitimate Relationships and Workgroups

• Patient Consent/Dissent• Sealed Envelopes

• Audit• Alerts

NPfIT IG controls – in contextAm I who I say I am? Registration and Authentication

(Smartcard)

What types of clinical data may I access and can I update it?

RBAC

Can I access Mrs Smith’s clinical data? Legitimate Relationships and Workgroups

Can Mrs Smith prevent her clinical data being shared outside her local GP?

Consent and Dissent to data sharing

Can Mrs Smith not have a Summary Care Record?

Consent to Store (have a Summary Care Record)

Can Mrs Smith protect parts of her clinical data?

Patient “sealed envelope”

Can I find out if someone has accessed Mrs Smith’s records inappropriately?

Audit and Alerts

RBAC

• NHS Care Record Guarantee:“Show only those parts of your record needed for your care”

• Governs which functions are accessible and indirectly what type of data can be accessed

• 3 attributesJob Roles, Areas of Work, Activities

• Users must be granted relevant attributes by a trust nominated Sponsor

• Activities may be granted automatically as a result of a user’s Job Role (and Area of Work)

• Issue: Over-complexity

RBAC vision

• RBAC rationalisation (V.23, V24)• Post-based allocation of access rights • Integration of HR/RA processes/technology

Further info:-http://nww.connectingforhealth.nhs.uk/implementation/

registrationauthorities/access-control/rbac

RBAC rationalisation

Before After Reduction

Activities 340 104 236

Areas of Work 290 7 283

Job Roles 175 15 160

Patient Consent/Dissent to Share

Information sharing across organisational boundaries

NHS Care Record Guarantee: “allow you to control whether the information recorded about you by an

organisation providing you with NHS care can be seen by other organisations that are also providing you with care”

The patient consent status can have 3 values:- Consented- Dissented (implied dissent, if no NHS No.)- Not stated (implied consent)

Patient Consent/Dissent to Store

• Following promises made by Lord Warner, and the recommendations of the Ministerial Taskforce a patient may choose not to have a Summary Care record

• NHS Care Record Guarantee: “Before we create your Summary Care Record, you can decide not to have a

Summary Care Record at all.”

• If there already was one, it will no longer be visible using the CSA • Further information:

http://www.nhscarerecords.nhs.uk/patients/what-do-i-need-to-do-now/how-can-i-find-out-more/nhs-crs-summary-leaflets/summary_leaflet_online.pdf

Legitimate Relationships

• Control who has access to a patient’s clinical record • NHS Care Record Guarantee:

“allow only those involved in your care to have access torecords about you from which you can be identified, unlessyou give your permission or the law allows”

• A user cannot access a patient's clinical record without an LR• There can be more than one LR per patient• LRs have lifecycles

(creation -> status change -> expiry)• Determined by Workgroup membership• Mostly “under the bonnet”

Legitimate Relationships

Types:-• patient referral• patient self-referral• patient registration• subject access request• patient complaint or litigation• expressed Patient Consent to access • Court Order or other legal demand• GP registration

Two types of LR enable a user working in a specific context(defined by their profile) to gain access to a patient clinical record:

• Self-Claimed• Colleague-Granted.

Work Groups and LRs

Clinician permitted access as has valid LR via the

Workgroup to the patient

Patient has “Self-referral” LR with Workgroup

Clinicians may also self-claim a direct relationship not related to any Workgroups but raising an alert

WorkgroupClinician is a member of Workgroup

Receptionist may also be member of Workgroup

Parent WG

WG-2 WG-3WG-1

‘Child’ Workgroups

User permitted access as has a valid LR inherited via the Parent

Workgroup to the patient

Patient has LR with WG-1

User is member of Parent WG

Workgroup Hierarchies

• LR granularity is a local Information Governance policy issue• Keep simple initially and expand with experience

Seal and Seal and Lock

• NHS Care Record Guarantee:“Usually you can choose to limit how we share theinformation in your electronic care record which identifiesyou.”

• Enable patient to restrict access to sensitive information• Access controlled by Workgroups• A patient has two levels of dissent to share:

- Seal- Seal and Lock

• Exceptional use• Alert sent to privacy officer, if someone accesses information that

has been sealed by another Workgroup

Seal and Seal and Lock

Seal and Seal and Lock

• Smallest unit that can be sealed is - a Clinical Statement- a document (Summary Care Record)- PACS study

• Can be done at the time, or retrospectively• Acknowledged in Clinical Decision Support (CDS) and transfers

between systems• RBAC controls are required for the management of sealing • Sealed data can be accessed with patient consent or with legal

justification • Refusals carry a reason and a free text note (sent to PSIS)

Clinician Sealing

• A clinician may feel that there is some information that they should seal from the patient

• On sealing, information - is visible to all clinicians- should not be passed to PSIS- is not included in Subject Access Request/HealthSpace

• Clinician seals do not expire on the death of a patient

Use of Clinician Sealing

Clinician seals can be used when:-• the disclosure of information is likely to cause serious harm• a child or person lacking competence has requested that the

information is not disclosed to their guardian• confidential 3rd party information is present• a patient has explicitly asks not to know about it• Information needs to be temporarily withheld, which might

otherwise alarm the patientTest results will be automatically withheld for a standard period of

time

Audit

• NHS Care Record Guarantee:“keep a note of everyone who accesses the records about you”“Every time someone accesses your record, we keep a record of who they

were and what entries they may have made.”

• Who has done what, when and to whose record• Audit of creation, viewing, updates and soft deletions of records• Outputs and configuration changes• Contractual requirement, but different degrees of implementation• Current systems mainly lack user reporting capability • Comprehensive audit functionality in Lorenzo Rel. 1 • Currently work being undertaken with suppliers on national audit

Alerts• NHS Care Record Guarantee:

- “There may be times when someone will need to look at- information about you without having been given- permission to do so beforehand. This may be justifiable, for- example, if you need emergency care. We will tell you if the- action cannot be justified.”

• Privacy Officer alerted when anyone accesses sealed information without (electronic) permission, with or without patient consent

• Patients must be alerted (via HealthSpace) of any:- change in sealing status- access that triggers an alert

• Alerts are through TES (Transaction Event Service)• Generated now for Self-claimed LRs with Clinical Spine Application (for

accessing PSIS with Spine release 2006-B)

IG Controls – Some NW SystemsSystem RBAC Consent to

ShareConsent to

StoreLegitimate

RelationshipsSealing

iPM √ √ - - -

LE2.2 √ √ - √(local - Trust level)

-

Lorenzo Release 1

√ √ * - √(National)

-

Lorenzo Release 2

√ √ √ √(National)

√

Theatres(ORMIS)

√(local)

- - - -

Maternity (Evolution)

√(local)

- - - -

Child Health (CH2000)

√(National from

Q3 08)

-(local, not

shared)

- √(local – Q1 09)

-

PACS/RIS R1 (GE/HSS)

√(Local)

- - - -

PACS/RIS R2/3

√ √ ? √(Security Rel – 09)

-

Data Sharing with Lorenzo

• NME single database instance• Data sharing from Release 2 onwards• Require LRs to control access• LRs require PDS-traced NHS number• Must acknowledge Consent to Share• Access to untraced patients in the MPI restricted

to the organisation that created them

Lorenzo Releases – Functional Summary

Releae 4

GP

Mobility

Commissioning

Device Integration

Protocols

Integrated Care Pathways

Interactive Charting

Tray/Instrument Management

Surveillance & Screening

Document Mgmnt Integration

Stock Management

Non -Patient Requests

Requests & Results

Task Management

EPR Views

Clinical Documentation

Clinical Coding (inc SNOMED)

Core LORENZO Framework

LRS

Multi -Campus

Inbound ADT Messages

Emergency Care

Daycare Management

Patient Confidentiality

Referrals

Access Planning

Inpatients

Coding and Grouping

Contact Management

Patient Identity including PDS

Outpatients

Contract Management

Document Tracking

Caseload Management

Care Plans

TTO/OPD Prescribing

Mental Health Administration Act

Mental Health Reviews & Tribunals

PSIS View & Initial PoC

Consent to Treatment

Inpatient Prescribing

Theatres

Maternity

Medication Administration

Multi -Resource Scheduling

Advanced Bed Management

Social Care Messaging

Enhanced PSIS

Inbound ADT Messages

Release 1

Release 2

Release 3

Release 4

GP

Mobility

Commissioning

Device Integration

Protocols

Integrated Care Pathways

Interactive Charting

Tray/Instrument Management

Surveillance & Screening

Document Mgt Integration

Stock Management

Non -Patient Requests

Requests & Results

Task Management

EPR Views

Clinical Documentation

Clinical Coding (inc. SNOMED)

Core LORENZO Framework

LRs

Multi -Campus

Inbound ADT Messages

Emergency Care

Daycare Management

Patient Confidentiality

Referrals

Access Planning

Inpatients

Coding and Grouping

Contact Management

Patient Identity including PDS

Outpatients

Contract Management

Document Tracking

Caseload Management

Care Plans

TTO/OPD Prescribing

Mental Health Administration Act

Mental Health Reviews & Tribunals

PSIS View & Initial PoC

Consent to Treatment

Inpatient Prescribing

Theatres

Maternity

Medication Administration

Multi -Resource Scheduling

Advanced Bed Management

Social Care Messaging

Enhanced PSIS

Inbound ADT Messages

SystmOne Integration

Workgroups and LRC Artefacts

NHS Trust

NHS Trust

Clinics

Specialties

Oncology

Antenatal

Dermatology

Seafield

LandscaleOncology

Cardiology

Dermatology

SF1

SF2

SF3

SDS Workgroup Hierarchy

NT1

NT2

NT3

OncologyNT1

SeafieldOncology

ClinicSF3CL1

Oncology

Oncology

Clinics

Registered Users

1st Wednesday Team

3rd Wednesday Team

Users can be grouped into teams and associated with

artefacts

LorenzoOperational

Artefact

Associating an Artefact with a Workgroup

enables record access control in the

application workflow

SF3 SF3

Deployment of Legitimate Relationships

• Can be enabled on a Trust by Trust basis subject to the consent of each individual Trust.

• The design of LORENZO allows a CSC administrator to turn on LR creation and update separately to

• Turning on LR confirmation for each NHS Trust that is going to support use of legitimate Relationships at Release 1.

Q&A ?

Update on SHA-Hosted PCT Events

• Pilot consultation January• 10 events February• Follow-up March

Attendees:-Heads of IG, IM&T, Information Security, Compliance & Governance, Performance & Information, RA Managers, Auditors, Data Quality, Primary Care Facilitators, … and a Caldicott Guardian

Update on SHA-Hosted PCT Events

SHA No. of PCTsNo. of PCTs

attendedNo. of

delegates

East Midlands 9 8 12

East of England 15 14 22

London 31 19 30

North East 12 12 8

North West 24 21 39

South Central 9 9 17

South East Coast 7 6 16

South West 14 13 14

West Midlands 17 14 28

Yorkshire and the Humber 13 13 21

TOTAL 151 129 207

SHA-Hosted PCT Events – Issues Raised

Operating Model/Implementation Support:• Mis-alignment of IM&T DES and IGT

• Lack of resources• Lack of skills/vacancies• Lack of importance given to IG • Variety of job roles/fragmentation of IG• Lack of national direction• Inaccuracy/lack of clarity around IGT• Lack of IG training• Lack of Tracking Database training

SHA-Hosted PCT Events – Issues Raised

Communications:• Lack of internal comm’s to PCT and via SHA• Lack of mandate to communicate to GPs

SHA-Hosted PCT Events – Suggestions

Materials:• SoC in a Box• Checklist of actions for PCTs• Timeline of activities for PCTs

SHA-Hosted PCT Events – Suggestions

Events:• IGSoC team to attend IG forums • Hold National IG forum• IGSoC team to attend regional PRIMIS forums to make

facilitators aware of latest developments • Include rep from DIPU in future events • Include someone who has successfully tested things out to share

lessons learnt in future events• Hold workshops for PCTs to share best practice

SHA-Hosted PCT Events – Suggestions

Communications:• More regular comms (mailing lists)• Sharepoint site for SHA• Membership and contribution to eSpace• Be more interactive with GPs / give them more info of IGSoC

requirements• Contact IGT administrators directly • Establish communication links with PCTs

SHA-Hosted PCT Events – Contacts

David Stone – Communications Managerdavid.stone@nhs.net

Jan Birley - Migration Managerjan.birley@nhs.net

IGSoC Team0113 397 3646IGSoC@nhs.net