Evidence submitted by the British Computer
Society (EPR 66)
The BCS is delighted to have been invited by
the House of Commons Select Committee to comment on its Inquiry
into Electronic Patient Record and it's use.
The British Computer Society (BCS) is the industry
body for IT professionals and a chartered engineering institution
for information technology (IT). With members in over 100 countries,
the BCS is the leading professional and learned society in the
field of computers and information systems.
In the limited time available we have consulted
members of our Health Informatics Forum (BCSHIF). Members of the
Forum are from a wide range of interested parties, representing
clinicians, managers and informatics experts. We are therefore
confident that the views expressed represent those from a much
larger body of IT professionals in the health sector.
1.1 BCSHIF comprises groups containing clinicians,
managers and informatics experts working directly and indirectly
for the NHS: in the design, development, implementation and use
of current and future NHS information systems. For their credentials,
see www.bcshif.org. . Supplementary evidence is attached in the
form of the BCSHIF Statement of the Way Forward for NHS Health
Informatics, available also from www.bcshif.org .
1.2 BCSHIF supports the concept that successful
implementation of appropriate electronic patient records systems
is essential to providing safer and more appropriate patient care
and to the viability of the NHS and its constituent organisations.
1.3 Patient information held must be fit
for purpose, be only held for as long as necessary and for use
by authorised professionals with a need to know as required by
the Data Protection Act and other relevant legal requirements.
1.4 Access should be for explicit purposes
agreed by the individual record subject; both for direct patient
care and for secondary uses, except where there is an emergency
requirement or an over-riding need to know for the public good.
1.5 We suggest that patient confidentiality
can be best ensured with three levels of patient data confidentiality
deployed within a distributed record with access mechanisms that
balance patient rights with wider public benefits. Informed patient
consent to access should be paramount.
1.6 Patient data can and should be used
for other purposes beyond personal care and treatment, predominantly
in anonymised/pseudoanonymised form. Secondary uses requiring
personally-identifiable information should continue to require
explicit patient consent for information use. No other uses of
the patient record should be permitted.
1.7 Progress in developing the National
Care Records Service (NCRS) varies depending on the mix of application
solutions in each geographic area, the current state of readiness
of the organisations and the fitness for purpose of those solutions.
There are fundamental questions of structure, content, confidentiality
and security that require resolution before further implementation
of the NCRS.
1.8 BCSHIF seeks to work with the relevant
agencies in resolving the issues it has identified. We would be
pleased to expand on analysis and recommendations contained in
this report if the Health Select Committee so wishes.
1.9 Sharing patient information with those
making decisions about the care of the patient (professional and
non-professional) is vital to ensure safe and appropriate care.
Patient information may be shared by "push" (where someone
gives unsolicited information to someone else, as in a referral
or discharge message or email containing a test result), or "pull"
(where someone makes an enquiry of a person or Electronic Patient
Record (EPR). Previously, sharing between care providers has predominantly
been via messaging and personal enquiry. Sharing record(s) per
se has largely been restricted to staff caring for the patient
within a care provider organisation acting as the EPR(s) "owner".
1.10 NHS Connecting for Health (NHS CFH)
is proposing to change the balance between the various methods,
so that sharing the patient's EPR(s) assumes a more important
role. This change is non-trivial. Ensuring that the author's meaning
is transferred to the enquirer is a real challenge. Enquirers
will also need to selectively filter EPR contents to suit their
needs and avoid information overload. There is therefore an onus
on content authors to make their record entries as comprehensive,
contemporaneous and consistently understandable as is practicable.
It is also relevant to note here that NHS EPRs exist outside NHS
2. What patient information will be held
on the new local and national electronic record systems, including
whether patients may prevent their personal data being placed
2.1 The information held must meet legal
requirements and tried and tested standards. The primary purpose
of the EPR is to support direct patient care and treatment. For
this, extensive detailed personal and clinical data about the
patient is necessary. These include demographic details (name
address date of birth, ethnicity, etc), details of the past and
current state of the patient (including diagnoses), investigation
results, treatments, family history, and relevant social details
(including information about third parties). Only the patient
and those involved in their care and treatment should have access
to this personally-identifiable data and this access should be
governed by their role in that care.
2.2 Patients' requirements are central to
any EPR records developments. Patients' reluctance to opt in to
having their information stored and shared have led to delays
which will not be resolved until their concerns are addressed
(see "Big Opt Out", http://www.nhsconfidentiality.org/).
2.3 Unless patients are confident that their
data is secure and only used for health-related purposes, they
will not allow selected significant information to be recorded
or may withhold their entire record. In either case, their care
may suffer. We support a patient's right to withhold personally-identifiable
data, given that they are informed of any possible effect on their
care. Patient withholding of data will be minimized by restricting
uses of personally-identified information and ensuring security,
and respecting their concerns about confidentiality.
2.4 Most sharing of personally-identifiable
patient data, takes place during episodes of care in a local health
economy, and the data should be retained for legal and clinical
purposes at that level. There are other legitimate needs to share
patient data more widely during treatment. These include patients
moving between the UK home countries, or NHS and private care,
or choosing to use alternative facilities, or accessing national
specialist units or receiving shared care with social services.
In such circumstances appropriate patient information needs to
accompany the patient on their journey through care. What is shared
and how it is shared depends on the intended use, and requires
further consultation to confirm.
2.5 There is a case for a simple EPR summary
to support emergency care, similar to Scottish Emergency Care
Summary (ECS). It currently contains safety-related patient data.
Scottish patients must provide consent before it is used (if possible),
and may opt out of having an ECS. The BMA has approved these arrangements,
unlike those for the NHS CFH Summary Care Record.
2.6 If a distributed (virtual) record architecture
is adopted for the NHS Care Record Service (NCRS), then minimal
patient information needs to be held at national level (see 5.5)
3. Who will have access to locally and nationally
held information and under what circumstances
3.1 Who has access to a specific record
depends on the agreed purposes for using that data. In line with
current practice and guidance, use of patient-identifiable information
for anything other than direct patient care should only be with
the explicit informed consent of the patient; unless there is
an over-riding public interest or legal requirement. See 6 for
more on secondary uses.
3.2 Those involved in the direct care and
treatment of a patient should have access to all information necessary
to provide those services effectively, subject to their role and
any patient-derived restrictions (see 5.2). Accessors should include
the patient, and if they so wish, their non-professional carers.
3.3 Delivery of care increasingly requires
cross-organisational, multi-disciplinary team working (eg in clinical
pathway management, mental health care programmes, single assessment
processes and complex multi-agency scheduling) and related information
sharing. Sound interoperable systems must reflect the complex
supply chains involved in delivering healthcare, and securely
and sensitively handle information linkage across organisational
3.4 Future extensions to remote patient
record sharing means that increasingly substantial patient-identifiable
data will be in the custody of organisations other than those
that collected it and that are not clinical in nature. Patient
trust in such organisations is significantly less than in the
clinical professions, and such organisations should not be the
data controllers. Confidentiality procedures that meet concerns
already expressed by patients will be challenging, but must be
put in place in addition to consent given at or prior to time
3.5 Nationally, data quality is critical
to realising benefits from raised investment in IT and to ensuring
patient confidence in the sharing of their data (reference the
Helen Wilkinson case, http://society.guardian.co.uk/e-public/story/0,,1937302,00.html).
Enabling patients to access their records, add to them and initiate
corrections will significantly assist this. It will also encourage
patients &/or their carers to become "primus inter pares"
of their care teams, and to assume greater responsibility for
their health and healthcare, a key element of current healthcare
policy (for current work see http://recordaccess.icmcc.org/).
Patient custodianship of their EPR(s) should be seriously considered.
3.6 Information governance requires establishing
generic requirements for information sharing; to improve the quality
of individual patient care and the efficiency of care provision.
.Any arrangements to use EPR content, at local or national level,
must support the trust that is crucial to clinician-patient relationship,
and technical issues should not be allowed to unduly dominate
the discussions. This work goes beyond the boundaries of NHS CFH,
but the results will form the foundation for revisiting the National
Care Records Service (see 7).
3.7 Transferring EPR data between systems
where the user does not explicitly initiate that transfer, raises
difficult technical issues and concepts such as "role-based
access controls", "legitimate relationships" and
"sealed envelope" mechanisms. These are not yet acceptable
to clinicians and the public.
4. Whether patient confidentiality can be
4.1 Privacy issues will escalate as multi-agency
sharing of careand therefore patient databecomes
more prevalent. The nature of the EPR requires a high degree of
confidentiality and other privacy mechanisms to restrict access
only for agreed purposes and to authorised professionals with
a recognised need to know, subject to any restrictions that the
patient wishes to place on the sharing of their data (in whole
4.2 Research, suggests that patients see
their data as having one of three levels of confidentiality:
(a) available wherever required by those
providing personal care to the patient (the vast majority of patient
records and their contents). Such data could be shared as need
for the purpose of personal care;
(b) available to all clinicians caring for
the patient within a specific provider organisation, eg hospital
or practice (common now where individual provider organisations
hold their own EPRs). Such data would not leave the custody of
the organisation without explicit patient consent; and
(c) availability restricted to the original
recipient only (applying to very limited parts of EPR for a small
minority of patients). Such data would not be viewable by any
other person without explicit patient consent.
There are also information environments, such
as community pharmacies, with which patients feel less comfortable
sharing their information. However implementation of these constraints
is feasible, and offer a more acceptable alternative to the "sealed
envelope" mechanism proposed by NHSCFH.
4.3 From the record user's point of view,
NHSCFH assume that the complex technological and policy challenges
are answered by restricting access to patient records to those
having an appropriate role (eg NHS hospital consultant) and relationship
with the patient (eg GP registered with). In practice these mechanisms
have sometimes proved cumbersome to use, and manual workarounds
have been deployed which enable inappropriate access to patient
data. Accessors can also override the software's controls, although
this is reported after the event to the organisation's information
governance monitorthe Caldicott guardian. The mechanisms
also depend on near real-time updating of roles and legitimate
relationships as they change. Such evidence as exists suggests
that patients prefer clinicians as data custodians rather than
algorithms driven by accessor properties.
4.4 The NCRS can develop structurally in
a number of ways:
(a) a comprehensive patient record held in
its entirety in one or more national/central databases;
(b) a distributed virtual record pulled together
in whole or in part when required, from disparate patient record
databases, and presented for a single instant for a specific user;
4.5 The different structures have different
risks and therefore need to be protected in different ways. For
example, a higher risk is posed to a celebrity's EPR from a central
database presenting "one place to look" to those with
malicious intent; whereas a distributed database makes lower demands.
There are unresolved questions about data duplication, and data
that has been changed and copied to several locations. Ensuring
the consistency and timeliness of centrally-held patient data
and local records is a concern.
4.6 BCSHIF believe a distributed, (virtual)
record approach is the most sensible way forward and most easily
secured. It can make use of heterogeneous records from multiple
agencies (including those outside NHSCFH), offers a basis for
information privacy and confidentiality, and can interact with
different informatics solutions proposed in other UK home countries.
It would also encourage the convergence of record architectures
and semantics over time. This approach seems more in keeping with
web-enabled 21st century than a central record.
5. How data held on the new systems can and
should be used for purposes other than the delivery of care eg
5.1 Valid acceptable secondary uses (those
other than for care delivery) include audit, research and development
of clinical services, population health management, financial
management, performance monitoring and development of healthcare
facilities and services. No other uses of the patient record should
5.2 Patient consent is still necessary to
use patient-identifiable data for secondary purposes, for example
for disease registers, clinical trials or research. Where patient
data is anonymised/pseudo-anonymised before use, patient consent
is not required. However the onus is on those who anonymise/pseudoanonymise
data to ensure that patients' identities cannot be inferred from
other patient data present. Given that linkage of anonymised/pseudoanonymised
fragments of patient data is possible, ongoing use of the Health
& Social Care Act 2001 to permit the use of patient-identifiable
data for secondary purposes should be greatly reduced. Proposals
for secondary uses should be made clear to patients and care providers
at the earliest possible time to obtain agreement and allay ongoing
5.3 In future, analysis of the "cradle
to grave" record will improve the way care is delivered and
change clinical practice. Currently, little prepares clinicians
for the ensuing changes in the way they work. Clinical professions
and informaticians should provide clear and comprehensive guidance
on good clinical record keeping and sensitive data management
in all care sectors during systems implementation. Clinical (and
health management) education should include these concepts.
5.4 Patient demographics services, spine
directory services and a transaction and messaging service present
new challenges. New secondary data sources based on the Secondary
Uses Service will require management/administrative staff to have
improved management skills and education for handling that data.
5.5 Data quality is critical to realising the
benefits of IT investment. Access to comprehensive, accessible
and accurate record data, in whatever form, is crucial to appropriate
clinical and health management decision making. Work to monitor
and improve data quality are key to achieving this.
6. Current progress on the development of
the NHS Care Records Service and the National Data Spine, and
why delivery of the new systems is up to two years behind schedule
6.1 Major reasons for delay are the information
governance issues raised in section 5. The Ministerial Taskforce
Report on the NHS Summary Care Record,
is a small step in the right direction, but not enough.
6.2 Work on the technical standards to allow
EPR interoperability are now under way, but should have been pursued
vigorously from the start of NPfIT to enable greater EPR product
6.3 The problems outlined in 2.2 are still
unresolved. These are particularly apparent in secondary care
and mental health providers, where EPRs are a rarity, and coded
content in them rarer still. The cultural and information management
issues require serious investment to ensure the effective use
of the EPR systems being provided. The consequent changes in business
processes will take time and resources to introduce. Funding and
planning for these activities is not earmarked nationally, and
have to compete with other more pressing local priorities.
6.4 Whatever form it takes, the NCRS depends
upon comprehensively implementing local EPR systems. Relatively
few local systems are operational outside general medical practice,
though the number is growing. The readiness of NHS organisations
to adopt EPRs varies widely, as does acceptance of the business
case for them by local management and would-be users.
6.5 Recent implementations of CBS (Choose
& Book) and PACS (Picture Archiving & Communications Systems)
demonstrate the need for firm foundations to avoid delay. PACS
implementations are relatively trouble free. The systems are tried
and tested, have a clear business case and benefits and have clinical
support. CBS on the other hand is developing as it is being implemented,
and the business case and benefits to those who use it are unclear.
Significant delays are being observed.
6.6 Secondary care EPR solutions that are
a good fit with local needs are frequently not yet supplied, causing
some organisations to take interim non-NHSCFH systems to avoid
risks to patient safety. Local Service Provider (LSP) contracts
have sometimes meant replacing satisfactory operational systems
with NHSCFH-compliant systems that are functionally poorer. Advanced
users of existing systems have been understandably reluctant to
move to LSP applications that offer little significant benefit
to them. This may be answered by increasing the NHSCFH EPR system
portfolio from which Trusts and practices can select.
6.7 Better communication/consultation with
those with informed domain knowledge and experience will engage
health professionals more effectively; and maximize the likelihood
of successful deployments that really benefit patient outcomes
and NHS efficiency. BCSHIF recommends that NHSCFH is transformed
into an open partnership with NHS management, users, the informatics
community, suppliers, patients and their carers, grounded in understanding,
trust and respect.
6.8 BCSHIF recommends that the Personal
Spine Information System (PSIS) element of NCRS be put on hold
until its purpose, and overall requirements for, and design of,
the NCRS are agreed.
6.9 The NCRS requires realignment with a
more realistic business-based informatics strategy and with patient
confidentiality requirements to ensure that solutions are fit
for purpose and acceptable to users, costs are contained and delays
minimized. A framework is required in which a wider range of heterogeneous
systems can share information and workflows, and in which existing
systems and existing solution suppliers play a greater part.
Dr M G Rodd
Director, External Relations of the British Computer