review of caldicott report-2 2013 by dr saurabh bhatia
Post on 11-Jun-2015
1.043 Views
Preview:
TRANSCRIPT
Patient Information Exchange
The Recent Recommendations
A Review of
Caldicott2 Report 2013 about
Information Governance Review
Dr Saurabh Bhatia, MBBS, MS, FCRMedical Informatician
www.SaurabhBhatia.com
(c) Dr S Bhatia 20132
This presentation is a
review of
For IGR(Caldicott2) …aim has been to ensure that there is an appropriate balance between the protection of the patient or user’s information, and the use and sharing of such information to improve care
(c) Dr S Bhatia 20133
A Preamble
In 1996-7, Dame Fiona Caldicott, a psychiatrist from UK, led a committee to prepare a set of recommendations for patient data sharing principles and its confidentiality.
The report was widely appreciated and implemented in UK and adapted in various forms across Europe
It contained certain principles called Caldicott principles and Hospitals had ‘Caldicott Guardians’ to oversee the implementation of Caldicott principles.
In 2013, Caldicott commission has improved their recommendations in view of the technological advancements, which will be reviewed here.
Review of Caldicott2
(c) Dr S Bhatia 20134
Original Caldicott commission recommendations
for managing medical information (1996-7):
F Formally justify the purpose for which the information is used
I Identifiable information only when absolutely necessary
O Only the minimum required should be used
N Need to know access
A All must understand their responsibilities
C Comply with and understand the law
Dame Fiona Caldicott
Review of Caldicott2Original Extract
(c) Dr S Bhatia 20135
The 2013 Caldicott2 report
The report is released in Apr 2013
It has 25 recommendations, most of which have been reviewed here
It has re-emphasised some terms which remove ambiguity from the minds of healthcare industry. Some of them have been mentioned here.
You may download this report from https://www.gov.uk/government/news/health-secretary-to-strengthen-patient-privacy-on-confidential-data-use
(c) Dr S Bhatia 20136
Recommendation 1People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge.
An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records.
The Keyword here is “Without
Charge”
How will hospitals cater to the cost of maintaining
these IT records and audit trails?
At the same time, this emphasises the patient right on her records without being arm-twisted to
get them.Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 20137
Recommendation 2For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual.
Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those quality statements concerned with sharing information for direct care.
Note the inclusion of Social Care.Should patient
authenticate who all have a ‘legitimate
relationship’ with the patient?
Review of Caldicott2Original ExtractAuthor’s Note
http://www.nice.org.uk/nicemedia/live/13668/58284/58284.pdf
(c) Dr S Bhatia 20138
Recommendation 3The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care.
Where appropriate, this should be done in consultation with the relevant Royal College. This process should be commissioned from the Professional Standards Authority.
This defines the autonomy of healthcare
organisations to make sharing
decisions, where they can share info
as a matter of process and not
keep taking consents all the
time
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 20139
Recommendation 4Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance.
Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust combinations of safeguards are put in for these staff with regard to the processing of personal confidential data.
A Mixed Bag.While social care orgs are being
included, they need to have
‘safeguards’ which kind of puts a cost on their accessing
info.Good in spirit,
difficult to implement.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201310
Recommendation 5The Review Panel also concluded that individuals must be informed of any breach of their personal confidential data as part of maintaining public trust and supporting transparency.
Recommendation 5
In cases when there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached.
I feel this apology thing is counter-
productive.It will spur the departments to hush things up
instead of acknowledging public shame.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201311
Recommendation 6The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach.
There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations.
Another counter productive
recommendation. Whenever the
sharing of information will be linked to quality
audit of an organisation, there will be personal or
commercial motives to simply deny sharing or
hush up the breachReview of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201312
Recommendation 7All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (i.e. withhold their consent).
A very good rec.This also ensures that somewhere,
we can look forward to Big Data and its utilisation in
future.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201313
Recommendation 8Consent is one way in which personal confidential data can be legally shared. In such situations people are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected. In this context, the Informatics Services Commissioning Group must develop or commission:
guidance for the reliable recording in the care record of any consent decision an individual makes in relation to sharing their personal confidential data; and
a strategy to ensure these consent decisions can be shared and provide assurance that the individual’s wishes are respected.
Again, this rec will safeguard both
patients as well as providers. This will also pave way for future of collective decision making
and understanding the patterns of
individual reticence to data sharing and
help in social medicine and
policy making, too.Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201314
Recommendation 9The rights, pledges and duties relating to patient information set out in the NHS Constitution should be extended to cover the whole health and social care system.
The rights, pledges and duties should be read directly from the report.
They are embodiment of the basic principles and spirit of this entire
exercise.
Pg 59-60 of original report
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201315
Recommendation 10The linkage of personal confidential data, which requires a legal basis, or data that has been de-identified, but still carries a high risk that it could be re- identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well-governed, independently scrutinised and accredited environments called ‘accredited safe havens’.
Once again, this is a safe-than-sorry approach which
needs more eleboration by
other bodies like The Informatics
Services Commissioning
Group and The
Informatics Services
Commissioning Group. Unless
handled carefully, can be the new excuse
to deny sharing.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201316
Recommendation 11The Information Centre’s code of practice should establish that an individual’s existing right to object to their personal confidential data being shared, and to have that objection considered, applies to both current and future disclosures irrespective of whether they are mandated or permitted by statute.
Both the criteria used to assess reasonable objections and the consistent application of those criteria should be reviewed on an ongoing basis.
A double edged sword. What constitutes a ‘reasonable’
objection can be reviewed over a period of time.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201317
Recommendation 14Regulatory, professional and educational bodies should ensure that:
information governance, and especially best practice on appropriate sharing, is a core competency of undergraduate training; and
information governance, appropriate sharing, sound record keeping and the importance of data quality are part of continuous professional development and are assessed as part of any professional revalidation process.
An excellent rec. This will ensure
that informatics, its intricacies and its
application becomes a part of
nursing and medical education. This will also mean that the new crop
of professionals will not see computers
as overheads/ nuisance.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201318
Recommendation 15The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development.
This is equivalent to having an ethics
committee or auditor or quality assessor on board
and in various countries, can be
adapted in appropriate forms.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201319
Recommendation 16Given the number of social welfare initiatives involving the creation or use of family records, the Review Panel recommends that such initiatives should be examined in detail from the perspective of Article 8 of the Human Rights Act. The Law Commission should consider including this in its forthcoming review of the data sharing between public bodies
This is the first step towards
acknowledging the role of family in a person’s health record. This will
pave the way for a better socially
structured form of record sharing.
Early initiative and will take time but
on right lines. Review of Caldicott2Original ExtractAuthor’s Note
Please note that asian countries, where families are closer and
individual existence is usually not as paramount as west, family records
are a ‘must-have’ and people can get offended and violent if denied access to the records of their near and dear
ones.
(c) Dr S Bhatia 201320
Recommendation 17The NHS Commissioning Board, clinical commissioning groups and local authorities must ensure that health and social care services that offer virtual consultations and/ or are dependent on medical devices for biometric monitoring are conforming to best practice with regard to information governance and will do so in the future.
The Review Panel concluded that providers of direct care services using virtual consultations should offer patients access to their record and a copy of all ongoing communications from that record. …any provider offering virtual consultation services should be able to share, when appropriate, relevant digital information from the patient, with registered and regulated health or social care professionals responsible for the patient’s care. This includes both written text or numbers and images, such as photographs.
This is a strong boost to
telemedicine in all forms. It is a very
tentative step, and allows other bodies
to define best practices, but at
least a formal acknowledgement of virtual services
and a step towards reducing the legal paranoia around
them in the mind of doctors.Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201321
Recommendation 20The Department of Health should lead the development and implementation ofa standard template that all health and social care organisations can use when creating data controller to data controller data sharing agreements. The template should ensure that agreements meet legal requirements and require minimum resources to implement.
This is a step in the direction of system agnostic healthcare
information exchange.
Templates, once defined, can be
included as part of various systems by
vendors thus providing HIE without the
technological barriers.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201322
Revised list of Caldicott principles
1. Justify the purpose(s)
2. Don’t use personal confidential data unless it is absolutely necessary
3. Use the minimum necessary personal confidential data
4. Access to personal confidential data should be on a strict need-to-know basis
5. Everyone with access to personal confidential data should be aware of their responsibilities
6. Comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201323
Other interesting changes
…obligation to prevent information seeping outside the health and social care system should not stop it being shared appropriately within it.
The term used to describe how organisations manage the way information is handled within the health and social care system in England is ‘information governance’.
Information governance applies to the balance between privacy and sharing of personal confidential data and is therefore fundamental to the health and social care system, providing both the necessary safeguards to protect patient information, and an effective framework to guide those working in the health and social care system to decide when to share, or not to share.
This is a direct effect of hospitals
(mis)using the data protection
principles to refuse to share information or
charge hefty fees for this.
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201324
Key definitions People often talk about ‘data’ and ‘information’ as if they mean much the same thing. However the terms have a precise meaning and the words are not interchangeable. Readers may understand this report more easily by grasping the distinction from the outset:
Data is used to describe ‘qualitative or quantitative statements or numbers that are assumed to be factual, and not the product of analysis or interpretation.’
Information is the ‘output of some process that summarises interprets or otherwise represents data to convey meaning.’
This report also uses the phrase ‘personal confidential data’ throughout. This term describes personal information about identified or identifiable individuals, which should be kept private or secret.
The 1997 report did
not consider the issue
of whether
professionals shared
information well, in
the interests of
patients, because that
was not regarded as a
problem at the time.
That omission
became increasingly
noticeable as the
need for closer
integration
between health and
social care became
ever more apparent
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201325
People’s right to access information about themselves
…give people better access to their care records… people who are allowed to share their own records can be empowered to take part in decisions about their own care...
…patients’ attempts to become involved in decision making were thwarted by “information governance rules” …even if they explicitly consented … because of ‘data protection policies’;
The Review Panel concludes that personal confidential data can be shared with individuals via email when the individual has explicitly consented and they have been informed of any potential risk.
This is a major shift from earlier
policies and when implemented, will
necessitate emailing of
hospital record to a patient in commonly
readable formats.Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201326
Definition: two types of records Health and social care records
These are the commonest type and are supported by the information strategy.A professional creates an electronic patient record, which is then shared with the patient and their relevant care teams. The health or social care professional is responsible and accountable for that record when it is for the purpose of direct care. Patients may get right of access, the ability to see, interact and request corrections but not the right to change the content because that might be clinically unsafe. This access is sometimes referred to as ‘patient online access’ or ‘record access’.
Patient-owned recordsThese are less common forms of record that individuals create and manage themselves. They are kept separate from any electronic patient record and the individual has total control and responsibility for the content. Patient-owned records may include extracts from electronic patient records, but may also contain information added by the individual such as exercise monitoring data, weight etc; commercial contributions e.g. from over the counter drug purchases or from supermarket alcohol purchases; and contributions from personally acquired ‘medical devices’.
For the first time, there is official differentiation
equalling an EMR vs PHR debate/
status of records. This will impact the way patients
access their records
http://www.rcgp.org.uk/clinical-and-research/practice-management-resources/health-informatics-group/patient-online.aspx
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201327
Implied ConsentThere is in effect an unwritten agreement between the individual and the professionals who provide the care that allows this [data] sharing to take place.
Implied consent is applicable only within the context of direct care of individuals.It refers to instances where the consent of the individual patient can be implied without having to make any positive action, such as giving their verbal agreement for a specific aspect of sharing information to proceed. Examples of the use of implied consent include doctors and nurses sharing personal confidential data during handovers without asking for the patient’s consent.
The Review Panel concluded that across the health and social care system, implied consent is only applicable in instances of direct care
For the first time, we are seeing some
sanity prevailing over the paranoia of data
protection. Info-governance is finally
recognizing the importance of
implied consent, which has been the basis of most of our
clinical practices historically
GMC guidance on confidentiality, http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality_24_35_disclosing_information_with_ consent.asp
Review of Caldicott2Original ExtractAuthor’s Note
(c) Dr S Bhatia 201328
Full Report
I have covered only those recommendations which can have an impact internationally.
For other recs, please read the full report
This ppt will also be available, along with the full report from our website www.tsmls.org/publications
All views are personal views of the author
Comments can be sent at i@saurabhbhatia.com
top related