Further Supplementary evidence submitted
by the Department of Health (EPR 01E)
Note from Department of Health to the House
of Commons Health Select Committee commenting on the evidence
provided by various witnesses.
1. The Health Select Committee is conducting
an enquiry into the NHS electronic patient record, which is the
cornerstone of the NHS National Programme for IT (the Programme).
The Department of Health submitted written evidence in March 2007
and again on 12 June 2007. Departmental officials also gave oral
evidence on 26 April 2007 and, with the then Minister of State
Lord Hunt, on Thursday 14 June 2007.
2. The Committee has also taken or received
evidence from a wide range of other witnesses. It is noted that
this evidence contains a number of inaccuracies and a number of
flawed conclusions. It is also clear that there has been some
collaboration between witnesses who have made the same point without
any supporting evidence whatsoever. To assist the Committee in
reaching conclusions, this note comments on that evidence.
3. Where appropriate, specific witness statements
are cited or reference is made to the relevant paragraph numbers
from the transcripts of the oral hearings.
4. The comments are divided into the following
1. Data standards, IT system security, system
performance and general IT issues.
3. Local NHS costs and affordability.
4. The summary care record and patient confidentiality.
5. Consultation and professional engagement
on the system specification.
6. Evaluation and benefits.
7. Public information and patient safety.
SECTION 1: DATA INTEROPERABILITY, IT SYSTEM SECURITY, IT SERVICES
Section 1.1: Issues Relating to Data Standards
5. A number of witnesses raised issues relating
to the adoption of common standards:
5.1 In EPR 29 the UK Computing Research
Committee says (at paragraph 25) that:
" ... many of the technologies are new and
have not been tested. In particular, at the heart of the EPR are
two standards - HL7 v3 and SNOMED-CT. We understand that neither
has ever been implemented anywhere on a large scale on their own,
let alone together. Both have been criticised as seriously flawed.
It is imprudent to base the Electronic Patient Record, which will
be part of the UK's national critical infrastructure, on a technology
5.2 This statement needs to be read in context.
Currently the formally approved European (CEN TC251) and International
(ISO 215) Standards' Bodies in health informatics do not require
standards to be tested formally before approval. As many of the
UK computing research community contribute to them, it is hoped
they can improve the current situation, which is not peculiar
to the National Programme but is a global issue. It is surprising
that the UK Computer Research Committee has not acknowledged the
substance and extent of the standards being used within the National
Programme for IT, and particularly the prevalence and authenticity
of SNOMED-CT and HL7v3.
5.3 At the heart of the National Programme
is a range of standards that are both international and national.
Many of these standards are pan-government like the e-government
interoperability framework (e-GIF) and many have a long history
(for example the Data Dictionary data standards, which arose from
the Körner Report in 1981).
There is a range of special standards in the Electronic Patient
Record which involve information governance and "health record
and communication practice standards" which by definition
are relatively new and rapidly emerging technologies.
5.4 SNOMED-CT is the most widely used, most
comprehensive, and most extensively tested clinical terminology
in the world. It builds upon the successful use of its component
Read Codes (1983) in the UK and the successful use of its component
SNOMED codes (since 1965) in a variety of settings worldwide.
For example Kaiser Permanente is a fully integrated health-care
delivery system in the United States that cares for 8.5 million
people. Kaiser Permanente HealthConnect is their electronic health
record and information system. Deployment began in 2003 and is
now almost complete, with over 13,000 physicians and 150,000 staff
using it for nearly all daily duties and more than two million
of their members logging-on to use their health data (with more
every day). SNOMED-CT is also a foundational element of secondary
data use for research and health services' planning in Kaiser
Permanente. It is one of the critical factors in helping them
produce value from the system by measuring and improving health.
5.5 The most important characteristic of
a coding system for clinical care is comprehensiveness, that is,
the ability to provide a coding solution for the vast breadth
of health care. In independent evaluations of content coverage,
SNOMED-CT is uniformly found to be the most comprehensive of all
extant clinical coding systems, usually by a fairly large margin.
SNOMED-CT is now owned by nine countries globally through an open
International Health Terminology Standards Development Organisation
based in Denmark. They have placed quality improvement at the heart
of its operation so SNOMED CT will become even better to meet
the needs of clinicians and citizens worldwide.
5.6 Within health informatics HL7 is the
international standard for messaging. HL7 V2 is a widely adopted
standard within the NHS and V3 updates that standard using XML
formats for interchange (XML is the underpinning formatting standard
for modern internet communications).
5.7 HL7 V3 allows for rich interchange of
clinical information, embedding modern clinical terminologies
such as SNOMED-CT. HL7 is supported by a wide international community,
with working group meetings three times a year. In particular,
the Programme is using Clinical Document Architecture (CDA) for
key parts of the Summary Care Record, which allows for blending
of rich semantic information using SNOMED-CT with textual clinical
information. CDA is a key HL7 V3 standard that is being widely
5.8 The National Programme is leading the
way in the implementation of interoperable healthcare solutions.
Hence, we are implementing requirements which stretch the international
standards. Where standards are found lacking for our use we endeavour
to incorporate our work back into the international standard,
taking a leadership role where possible.
5.9 We have engaged with HL7 in a number
of ways, through the co-chairs appointed to key committees. We
have initiated a number of projects in this arena for the benefit
of the National Programme and the wider supplier community. Current
ones include message format improvements (known as an Implementation
Technology Specification or ITS) and clinical content modelling
(known as HL7 Templates).
5.10 The standards arena is developing for
clinical communications. HL7 V3 is a leading standard, and is
working towards harmonisation with other standards such as CEN13606.
We are monitoring these standards, and working with the standards'
organisations, to ensure that our messaging strategy is reflected
in the development of those standards.
5.11 HL7 has a working group known as TermInfo
that provides standard guidelines on the embedding of terminologies
in HL7 messages. In addition, NHS Connecting for Health's message
development team provides a variety of additional and detailed
constraints on the use of SNOMED-CT inside messages, distributed
to suppliers in the Message Implementation Manual (MIM). This
ensures a consistent and interoperable exchange of coded clinical
5.12 In case Dr Thomas' comments (Q108)
should be interpreted as casting doubt on the matter, NHS Connecting
for Health has ensured that the many systems and services that
have been delivered, and continue to be delivered, through the
Programme are compliant with HL7 version 3 and the DICOM digital
imaging international standards. NHS Connecting for Health is,
in fact, the global leader in the implementation of HL7 V3 messaging
and is also the host organisation of the International Health
Terminology Standards Development Organisation National Release
Centre in the UK, which will provide a central point for managing,
distributing, supporting and controlling the use of SNOMED-CT
terminology and related assets throughout the UK. Adoption of
these standards will ensure interoperability, so that confidential
patient information will be more readily and securely transferable
across the NHS.
5.13 It is noted that a number of members
of the UK Computer Research Committee have contributed to evidence
from other sources. In particular, Professor Randell and Dr Thomas,
along with Ross Anderson, are among the 23 academics who called
for an independent review of the National Programme.
5.14 It would be helpful to expand on some
of the evidence on system interoperability. There have been a
number of assurance / accreditation / compliance schemes for existing
systems' providers in the NHS, including the Requirements for
Accreditation (RFA) scheme commonly referred to as RFA99.
5.15 RFA99 was a technical aid for suppliers
to develop systems for testing and accreditation. It was also
used by Health Authorities and purchasers of GP systems in providing
guaranteed levels of functionality. It included an accreditation
process that focussed on a set of test scripts.
5.16 The Common Assurance Process (CAP)
is the replacement for all of the existing schemes. RFA99 requirements
have been superseded by the CAP-GP Core Requirements, which have
been updated to include the Programme's standards and policies,
including the use of the international standard HL7V3 and the
5.17 CAP-GP supports the GP Systems of Choice
(GPSoC) programme. GPSoC provides six levels of system compliance,
each of which provides increased functionality in line with the
strategic objectives of the National Programme. Each level comprises
a detailed set of requirements and standards that a supplier must
meet. These include the interoperability requirements defined
in the Message Implementation Manual using HL7V3, including the
use of the Personal Demographics Service, Choose and Book, Electronic
Prescriptions and GP2GP messages. This approach is driving interoperability
across the GP-provider environment.
NHS number as the unique identifier
5.18 The evidence relating to the use of
the NHS number (Q617) would also benefit from expansion.
5.19 The work on the NHS number in the 1990s
provided a set of basic enabling tools, such as the NHS Tracing
Service. However, there were initially few incentives for the
NHS to use the number, mainly because the concentration was on
systems within individual organisations. After the NHS Plan
was published in 2000, it became increasingly clear that this
work was not sufficient, and three major steps were taken:
the commissioning of the NHS Numbers for Babies Programme;
the investigation of groups of individuals without NHS numbers (eg service personnel);
reviewing the mechanisms to encourage NHS organisations to use the NHS number.
5.20 The Building the Information Core
statement in 2001 outlined targets for trusts to use the NHS number
in communications such as requests for tests and results.
5.21 The National Programme then considered
recommendations from the Information Standards Board (ISB) that
the NHS number should be adopted as a key identifier for use by
the Programme's systems and by associated existing IT systems
that do or will interface with those of the Programme. Whilst
the benefits of using the NHS number were recognised, the issues
for organisations migrating from local numbers and the consequential
need for the transition to be managed carefully, were also recognised.
The Programme accepted the recommendations and asked that the
ISB adopt the NHS number as a fundamental national standard as
soon as possible. However, given the recognition that the work
involved in adopting the NHS number was not a trivial task, it
was agreed that a project-based, incremental, approach should
be adopted to undertake the co-ordination, communication, steering
and issue resolution that would be required.
5.22 The establishing of the National Programme
provided the opportunity to rationalise the demographics systems
in use across the NHS to provide an operational, up-to-date record
(the Personal Demographics Service (PDS)) which could be accessed
by authorised users across the country. This was critical to ensuring
the delivery of care records which were intended for individual
patients, rather than for separate institutions. The Personal
Demographics Service (PDS) is an essential element of the NHS
Care Records Service, underpinning the creation of an electronic
care record for every registered NHS patient in England. It serves
as a gateway to the clinical record, enabling authorised healthcare
professionals to locate quickly the clinical record that is uniquely
associated with each demographic record.
Unlike the previous services, this single authoritative
source of demographics is accessible throughout the NHS and is
integrated fully with the other applications and services delivered
as part of the National Programme for IT. These include Choose
and Book, Electronic Prescription Service (EPS), GP to GP and
HealthSpace. It provides more convenience for patients as they
need only notify one authorised healthcare organisation of a change
of address and this change will be available to all healthcare
organisations as and when the patient records are accessed.
5.23 Progress made with the PDS since the
NHS numbers programme includes:
Integration with LSP Systems - Local
Service Provider systems integrate with the PDS to allow nationally
held patient demographics to be used at the point of care. This
means that it is possible to use the NHS number reliably as soon
as the patient presents themselves.
Immediate Birth Notifications to
PDS - the NHS Numbers for Babies System (NN4B) issues NHS
numbers on new births. From 1 June 2006, a link between NN4B and
the PDS made information on new births available immediately in
the NHS Care Record Service. As a result, 93% of babies are now
allocated an NHS number within 12 hours of being born. Prior to
this, it could take up to eight weeks for a baby's demographic
information to be available to the NHS outside the unit in which
the baby was born.
All Primary Care Back Offices in
England can immediately identify a patient's NHS number from the
PDS. Where the patient is not present on the PDS, 53% of Primary
Care Back Offices can allocate a NHS Number immediately. This
will be extended to all sites by the end of September 2007. Subsequently,
it will be made available through the Local Service Provider solutions
across the NHS as a whole.
5.24 Finally on this topic, at Q523 Dr Markham
"we have no unique identifier in England,
and ... this is one of the reasons why at the moment we cannot
share images across the borders" and that "the technicalities
of issuing them (NHS numbers) are too challenging at the moment."
5.25 On the contrary, a standard format
NHS number has been introduced across the NHS in England and is
used as the primary record key for the NHS Care Record Service.
The NHS number is issued at birth to all babies born in England
and Wales, and to adults and children not born in the UK when
they register with a GP practice. From later this year the NHS
Care Record Service will be able to assign NHS numbers for adults
presenting for care in emergency scenarios. Although Scotland
(which has a separate healthcare administration) uses a different
numbering system, there is close coordination and cooperation
between the two health services, and the numbering schemes are
designed to be compatible with each other. It is not the use of
different numbering schemes which prevents the sharing of digital
images or other information between the two countries, but rather
the legacy of locally-commissioned systems that are not interoperable
and hence do not support the transfer of information across the
NHS. In a typical week 6.5 million HL7v3 messages are processed
by the demographics service and 5.3 million messages by the central
database, which is accessed on a typical NHS day by 50,000 authenticated
5.26 Work underway currently with the authority
of the National Programme Board is aiming to ensure that the NHS
number is mandated by the Information Standards Board and subsequently
adopted incrementally for use within IT systems across the NHS
within a reasonable period.
Section 1.2: Issues Relating to IT System
6. Many of the witnesses raised issues relating
to the security of the systems that the National Programme will
6.1 The Department's evidence to the Committee
in paragraphs 30-39 of EPR1 and in paragraphs 31-32 of the further
written evidence provided on 12 June 2007 demonstrates that the
new systems will be protected by state of the art security measures
of the highest standards, well in advance of what has been the
case previously. As such, the fears expressed by some witnesses
6.2 In paragraph 7 of EPR 37, Symantec implies
that presently there are no access controls on NHS electronic
records. This is not true. Existing systems have a range of access
controls and the Programme's systems use a proven information
governance framework including role-based access control, auditing
actions by individual user account and checks for established
legitimate relationships between a clinician's work group and
the patient. These mechanisms, which are already in place, ensure
that only appropriately authorised NHS personnel with an appropriate
role and an established legitimate relationship with the patient
can access patient confidential information in the NHS. Access
rights given to NHS personnel are already monitored and audited
and alerts are generated automatically when attempts to transgress
these controls are made.
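The layered check described in paragraph 6.2 (role, legitimate relationship, audit by user account, automatic alert on a refused attempt) can be sketched as follows. This is an added example, not code from the Programme or its suppliers; the role names, activity names, identifiers and sample requests are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical mapping of role -> permitted activities (role-based access control).
ROLE_ACTIVITIES = {
    "gp": {"view_clinical", "view_demographics"},
    "ward_nurse": {"view_clinical", "view_demographics"},
    "receptionist": {"view_demographics"},  # non-clinical role: demographics only
}


@dataclass(frozen=True)
class User:
    user_id: str           # individual account, so every action is attributable
    role: str
    workgroups: frozenset  # work groups the user belongs to


@dataclass
class AccessControl:
    # patient_id -> work groups with an established legitimate relationship
    relationships: dict
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _deny_reason(self, user, patient_id, activity):
        """Return None if access is permitted, otherwise the reason for refusal."""
        permitted = ROLE_ACTIVITIES.get(user.role)
        if permitted is None:
            return "unknown_role"
        if activity not in permitted:
            return "role_not_permitted"
        # The role alone is not enough: one of the user's work groups must
        # have a legitimate relationship with this particular patient.
        if not (user.workgroups & self.relationships.get(patient_id, set())):
            return "no_legitimate_relationship"
        return None

    def request(self, user, patient_id, activity):
        """Decide one request, audit it, and raise an alert if it is refused."""
        reason = self._deny_reason(user, patient_id, activity)
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role,
            "patient_id": patient_id,
            "activity": activity,
            "outcome": "allow" if reason is None else "deny",
            "reason": reason,
        }
        self.audit_log.append(event)   # every attempt is recorded, allowed or not
        if reason is not None:
            self.alerts.append(event)  # refused attempts are flagged for review
        return reason is None

    def denials_by_user(self):
        """Summarise refused attempts per account for follow-up."""
        return Counter(e["user_id"] for e in self.alerts)


def run_demo():
    """Run six constructed requests and return the engine plus the outcomes."""
    acl = AccessControl(relationships={
        "patient-001": {"practice-a"},
        "patient-002": {"ward-7"},
    })
    gp = User("u-gp", "gp", frozenset({"practice-a"}))
    nurse = User("u-nurse", "ward_nurse", frozenset({"ward-7"}))
    clerk = User("u-clerk", "receptionist", frozenset({"practice-a"}))
    requests = [
        (gp, "patient-001", "view_clinical"),         # role and relationship: allow
        (clerk, "patient-001", "view_demographics"),  # non-clinical, permitted: allow
        (clerk, "patient-001", "view_clinical"),      # role lacks activity: deny
        (nurse, "patient-001", "view_clinical"),      # no relationship: deny
        (nurse, "patient-002", "view_clinical"),      # own ward's patient: allow
        (nurse, "patient-001", "view_demographics"),  # no relationship: deny
    ]
    outcomes = [acl.request(u, p, a) for u, p, a in requests]
    return acl, outcomes


if __name__ == "__main__":
    acl, outcomes = run_demo()
    print(outcomes)
    for alert in acl.alerts:
        print(alert["user_id"], alert["patient_id"], alert["reason"])
```
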
6.3 The Programme has therefore already
introduced all the controls Symantec assert are needed. A national
NHS data store is not necessary to enforce these controls, merely
that a national identity is used within a common information security
framework with consistent information security functions applied
across applications. This exists for all the Programme's applications.
Paragraph 6 of the Symantec evidence relates to the same issue
but actually illustrates something that the National Programme
for IT in the NHS is already providing, ie a data management solution
that enables patient information to be held securely and only
made available to appropriately authorised NHS professionals.
However, existing NHS procedures mean that, from time to time,
patient information (eg demographic information) will need to
be accessed by non-medical staff, so it is not true to assert
that only medical staff will need access to patient information
and also not true to assert therefore that only medical staff
are able to keep patient information confidential. It is surprising
that Symantec are so ill informed.
Security of email and instant messaging
6.4 Paragraph 8 of Symantec's evidence concerns
the security of email and Instant Messaging within the NHS. NHSmail,
the email service operated by Cable and Wireless on behalf of
NHS Connecting for Health, is designed and operates as a secure
email service for the transmission of patient confidential data.
NHSmail is open to all NHS employees, regardless of whether their
employing trust has taken the opportunity to eliminate the cost
of their local email service. Again, information was provided
as part of the Department of Health's written evidence submission
EPR01. Guidelines exist for local NHS trusts to understand the
risks associated with Instant Messaging (in the Information Governance
Toolkit and in the Information Governance Good Practice Guides).
Use of Instant Messaging and the guidance given to users locally
on appropriate use are matters for the local trust, which must
ensure they also comply with related data protection legislation.
NHS Connecting for Health secured an Enterprise Agreement with
Microsoft in 2004 that made secure Instant Messaging technologies
available to the NHS. Implementation of these technologies according
to existing "good practice" guidelines is the responsibility
of each NHS organisation. The policies that Symantec assert should
be given "serious consideration" already exist, either
at local or national level. They do not need to be uniform across
the NHS in order to comply with the legislation.
Security of mobile devices
6.5 Symantec then continues (in paragraphs
11 and 12 of EPR 37) to question the security of mobile devices
used by the NHS. In practice, the Enterprise Agreement with Microsoft
that began in 2004 gives access to technologies that allow NHS
organisations to protect information held on mobile devices that
are adequate for the display or use of Programme applications.
All clinical applications within the Programme use either Transmission
Layer Security (TLS) or Socket Layer Security (SSL) or Internet
Protocol Security (IPSec) to protect patient confidential data
in transit across data communications' networks, regardless of
whether these are across private (within N3) or public (the Internet)
networks. Additionally, on Microsoft Windows XP, the use of Microsoft's
Encrypting File System, according to guidelines published through
the NHS Common User Interface Programme, enables trusts to secure
any information stored on mobile computer hard disks.
6.6 Whilst NHS Connecting for Health has
been providing guidance to NHS organisations on the use and security
of mobile devices used in the NHS, these devices remain the responsibility
of local NHS organisations. NHS Connecting for Health has been
providing guidance to trusts on appropriate techniques to manage
and secure all devices connected to their networks and used to
access patient confidential information. Guidance exists that,
if followed, ensures trusts can secure communications over wireless
networks. NHS Connecting for Health entered into a Corporate License
Agreement with Novell in 2005 that made Identity Management and
Electronic Software Distribution software available to all NHS
organisations. It remains a local trust responsibility to implement
these technologies. The assertion (in paragraph 13 of EPR 37)
of the need for common policies is rendered redundant by the existence
of a central single sign-on capability in the Spine and the use
of this Public Key Infrastructure (PKI) across all Programme clinical
applications, regardless of local supplier. In other words, what
Symantec suggest is needed already exists.
6.7 The above paragraphs also respond to
the points made by Dr Sarah Dilks in her evidence (EPR 10) relating
to the security of data in mobile devices. Other issues that she
raises are dealt with elsewhere in this note.
Testing system security
6.8 Andrew Hawker told the Committee, in
response to Q160:
"I did suggest that there should be ...
some testing that showed that you were actually operating in line
with internationally approved information security standards,
and, in the end, the simplest way is to have people have a go
at getting into it and use other objective measures of whether
it is easy or not to get across the security barriers that you
have laid down."
6.9 It is easy to make such statements that
imply a lack of attention to security testing but nothing could
be further from the truth. The Committee will wish to be aware
that NHS Connecting for Health places security testing as a fundamental
requirement on all suppliers. NHS Connecting for Health incorporates
security penetration testing requirements into its compliance
process, including the requirement for compliance with ISO-27001.
Guy Hains' evidence to the Committee (Q280) outlined just how
all-embracing this was.
6.10 It is a NHS Connecting for Health standard
that security testing of National Application products or services
is performed by "CHECK" approved security teams. This
provides assurance that all primary and secondary suppliers to
the National Programme will conduct testing to an agreed standard.
The CHECK standard is managed by the Communications Electronic
Security Group (CESG), which is the information assurance arm
of the Government Communications Headquarters (GCHQ). The CHECK
Teams are commissioned by the supplier of the product or service
to be placed under test, both at the "Ready for Operations
(RFO)" phase, and annually thereafter.
6.11 The CHECK Teams work with suppliers
and NHS Connecting for Health to provide the following service:
(a) Devise the scope of the security testing.
This may be any (or a combination) of:
external network penetration test;
internal infrastructure test (weak
passwords, systems unpatched etc);
an "Ethical Hacker" test
of the actual application or database.
(b) With the scope set, the CHECK team then
produces a test plan which is agreed by both the supplier and
NHS Connecting for Health as valid and fit for purpose.
(c) The security test is performed by the
(d) The output of the test comprises a list
of vulnerabilities. These are rated as "High", "Medium"
or "Low" by the CHECK Team, which identifies any vulnerabilities
in the product or service which may compromise the confidentiality,
integrity or availability of information processed. The test output
is considered extremely sensitive and is made available only to
NHS Connecting for Health's Infrastructure Security Team, via
(e) A Corrective Action Plan (CAP) is produced
by the supplier detailing how, and within what timescale, each
vulnerability will be fixed. This must be agreed by NHS Connecting
6.12 Mr Hains also confirmed (Q315) that:
"there is not a statement which says 10
breaches over a period are acceptable; it is a zero tolerance
The Programme's contracts in fact contain obligations
on suppliers to comply with comprehensive and detailed security
requirements. Suppliers are obligated to report any breach of
the security requirements and to make recommendations for the
remedy of any such breaches. NHS Connecting for Health may call
in a third party to monitor its suppliers and make reasonable
recommendations in the event of any such breach and/or escalate
the matter for dispute resolution if the remedy proposed by the
supplier is not acceptable. In the event of a breach of security
incapable of remedy or which is not remedied, NHS Connecting for
Health ultimately has a right to terminate the relevant contract
immediately without paying any compensation to the supplier.
Public access to the data
6.13 Many industries now use the Internet
to allow the public to access their data. The National Programme
is developing HealthSpace to deliver this facility for the Summary
Care Record. HealthSpace is being developed with security integral
to its design and undergoes security penetration testing from
external experts prior to being deployed.
6.14 Patients have the choice of having
a Summary Care Record or not and of having a HealthSpace account
or not. Where a HealthSpace account is required, strict criteria
are applied for the registration of the patient. Once registered
the patient is provided with a card containing a unique set of
numbers. These are required to allow access to their record and
avoid the weaknesses of simple username/password access approaches.
This provides a more secure approach than adopted by most financial
organisations. This approach will be evaluated during the early
adopter programme. Other "token" technologies to manage
access are also being considered.
6.15 Evidence from Joyce Robins (Q190)
stated that no website was secure and cited the MTAS site as demonstrating
the fact. MTAS was not delivered by NHS Connecting for Health
and did not meet the standards that NHS Connecting for Health
operates for the National Programme. There are no grounds for
linking MTAS with NHS Connecting for Health.
Security of the NHS Smartcard
6.16 The NHS Smartcard is a "chip and
pin" type of card. The "chip" contains an electronic
certificate. The NHS Smartcard uses a passcode which can be alphanumeric
and longer than the four digit bank pin. Chip and pin cards are
in use for UK retail banking and issues have been raised about
the cloning of these cards. The cloning of chip and pin bank cards
relies on the fact that most bank chip and pin cards also have
a magnetic strip. The magnetic strip is maintained to allow for
backwards compatibility with older payment systems and ATM access
abroad. It is the magnetic strip that is copied and manipulated
in the cloning activity.
6.17 NHS Smartcards are not susceptible
to cloning. They do not have a magnetic strip used for authentication
and so are not vulnerable to this attack (some do have a magnetic
strip if local Trusts wish to use the strip for access to buildings/car
parks etc but not for logon to computer systems). The "chip"
part cannot be cloned and it is the chip that NHS Smartcards use
Security of centralised/distributed databases
6.18 In paragraph 12 of EPR 03, Dr Smith
"a distributed database, with file servers
in each practice, is less vulnerable to massive data loss through
equipment failure or power outages and malicious interceptions
than area-wide or National databases."
This is simply untrue, as recent events evidence.
In the recent flooding at Sheffield, 12 GP practices were without
power on the Tuesday morning. Nine of these were on shared servers.
The PCT was able to facilitate authorised access to information
to the affected practices that operated with hosted servers to
enable safe effective care until their power was restored. This,
of course was not possible for the practices without hosted servers.
6.19 At the same time two practices had
to be abandoned due to flooding of the premises. In the first,
a practice of four GPs in Louth, with a list of over 10,000 patients,
relocated to the local hospital emergency department. The practice
was operational within 30 minutes of arrival due to their clinical
system being hosted in a data centre. All that was required was
their own NHS Connecting for Health security smart cards to allow
the staff to access the system. Equipment at the practice was
replaced and they returned within 48 hours. A similar success
was achieved in North Lincolnshire, where a 1500-patient practice
had to vacate its premises.
6.20 The security measures in place on the
national system are far in advance of any implemented on file
servers at individual practices. There is also a considerable
degree of maintenance and monitoring of malicious activity, which
we know from experience is simply not undertaken on practice-based
Security of facsimile machines
6.21 Dr Peter Smith also claims (paragraph
11 of EPR 03) that a facsimile machine cannot be hacked. This
is a bold statement and not borne out by the evidence.
6.22 Due to the unauthenticated nature of
facsimile transmissions, devices are susceptible to Denial of
Service (DoS) attacks such as the sending of large documents or
documents with large areas of black colouring. It may be possible
within certain devices to limit the size of incoming documents
although this may not prevent smaller documents being sent many
times. Published facsimile device vulnerabilities include:
Polling - a feature that permits
a facsimile machine to call another machine and request it to
6.23 Many modern facsimile devices include
remote diagnostic facilities which allow hackers to monitor and
amend the following:
Details of incoming calls.
Copies of faxes stored in the device
6.24 Many modern multi-function devices
include facsimile capability and may operate using a compact operating
system such as Windows CE. These devices are therefore susceptible
to all attacks against the operating system and the proprietary
software which runs on them. The use and physical security of
machines also raises security issues and, if procedures are not
in place to ensure that devices which receive sensitive information
are secured, and paper copies of faxes are not exposed to unauthorised
users, then significant security breaches can occur. Good practice
includes the use of:
Logging and audit of fax use.
Storage of fax machines in manned
Access control to devices handling
Authorisation of faxes to prevent
forgery and masquerade.
6.25 Fundamentally, the modern facsimile
is a computer with a hard drive. It stores information and sits
on a network. It presents vulnerability because it is considered
low-tech when that is not the case, and therefore is not appropriately
patched and managed.
6.26 As with all technology the risks identified
above can be mitigated, but to pretend they do not exist is quite
wrong. The technology also, of course, carries with it the inherent
security risks of a paper environment and of sensitive material
being accessible on an indiscriminate basis where, for example,
machines are left unattended.
Illegitimate use of databases
6.27 At paragraph 15 of EPR 08, Dr Gooderham
refers to the illegitimate use of a database by those with legitimate
access being an important potential threat to confidentiality.
Whilst this is undoubtedly the case, the only alternative to safeguards
and controls is to fail to take advantage of the significant benefits
for patients that result from ensuring that those who need access
to data have that access. Our position on the misuse of data was
made clear in a statement published, jointly with the General
Medical Council and the Information Commissioner, on 25 April
6.28 Dr Gooderham also refers to the sharing
of usernames and passwords in a busy A&E setting in Warwickshire
as a cause for concern. Whilst this concern is right, in this
often-quoted example the sharing was limited to a small number
of A&E clinicians and there was no breach of patient confidentiality.
The A&E Department has recognised that they were acting in
breach of NHS Connecting for Health's smartcard policy and the
poor practice has now ceased. The time taken for authentication
and to start the application was the key reason cited for the
need to share cards. These have been reduced significantly through
improvements in the technology and process over the past 12 months.
NHS Connecting for Health is working with SHAs and PCTs on reviewing
smartcard usage across the NPfIT with the aim of ensuring smartcards
are not shared and that organisations enforce the no smartcard
Security of locally-owned desktop computers
6.29 NHS Connecting for Health does not
own or manage the desktop computers through which users access
the Programme's applications. This is the responsibility of the
local organisation and as such comes under the organisation's
security policy. The local organisation is responsible for ensuring
that local applications are suitably protected against unauthorised
access through the implementation of solutions such as desktop
6.30 NHS Connecting for Health ensures that
National Programme applications provide functionality to protect
against unauthorised access to patient information from unattended
sessions. This functionality ensures that the application is terminated
after a set period of inactivity. The applications are protected
by NHS Connecting for Health's Spine Idle Timeout solution. NHS
Connecting for Health is working with the health professional
bodies to provide national guidance on the appropriate values
of inactivity timeouts across different care settings.
6.31 Access to NPfIT applications can be
protected further through the ability to disable access for users
reporting lost or stolen smartcards.
Reliability and security documentation
6.32 Finally on system security, Professor
Randell was not told (Q316) that NHS Connecting for Health did
not have reliability and security documentation. He was told that
this existed but that, because of its confidential and commercially
sensitive content, it could not be disclosed to third parties
without reference to the suppliers.
Section 1.3: Issues Relating to System Performance
7 A number of issues were raised relating
to the capacity, reliability and performance of the Programme's
7.1 The Department supplied a note on system
performance and resilience to the Committee. In respect of Symantec's
evidence (paragraph 9 of EPR 37), relating to ensuring critical
information, applications and systems are available continuously,
all Programme systems have the levels of protection Symantec assert
to be vital; and all the assertions made in Symantec's evidence
are therefore without foundation. Professor Randell also commented
on NPfIT systems' resilience and the likelihood of failure (Q325).
It should be noted that Professor Randell is one of the 23 academics
who called for an independent review of the National Programme
in April/May 2006. At that time, this group foretold of catastrophic
failures with the systems being implemented. Whilst no new problems
have emerged, many more systems have been implemented and system
reliability and resilience continue to be high, as evidenced by
the system availability figures published on NHS Connecting for
Health's website. The group of academics has not produced any
evidence to warrant a review but merely produced newspaper articles
and a series of Parliamentary Questions, hardly the "evidence"
one would expect from computer scientists. However, in view of
the comments from these two sources, a further note of evidence
is enclosed as Annex 1 of this note.
Professionally run data centres
7.2 It is also worth adding some information
in support of the points made about the merits of professionally
run data centres (Q594). The TPP primary care application is a
data centre hosted application provided by CSC to NHS providers
in the North, Midlands and East of England. Whilst the service
is well regarded in its own right, recent flooding in the UK has
demonstrated very clearly the additional benefits of the National
Programme's approach at GP surgeries in flood affected areas:
data is held securely in a remote
data centre, not locally, and therefore no loss of data occurred
and no re-creation of records was required;
no data loss was experienced, where
a locally hosted system could have endured a hard service shut
down due to sudden electricity power failure;
local Business Continuity Plans are
enhanced because GPs can connect to the service from any N3 connected
site (eg in an alternative GP surgery or local hospital) with
there is minimal disruption to re-establish
service once the local GP premises and infrastructure are restored: no
locally hosted servers to be rebuilt to enable access to the system.
As explained above, these benefits have been
demonstrated at GP surgeries in Grimsby and Louth in the last
Response times of IT applications
7.3 In respect of Q598, which related to
the speed of IT Applications and/or networks in GP surgeries,
a lot of support has in fact been provided by NHS Connecting for
Health to PCTs and GP practices to ensure that local configuration
of legacy systems provides a good end user experience. Local PCT
IT teams have a key role to play in this. For example a study
of over 900 PCs at one PCT showed that poor user experience relating
to 71% of the PCs was because the PCs themselves required remedial
action, or were under the minimum specification.
7.4 The N3 broadband network service provider
(BT) and the principal legacy system supplier (EMIS) have also
worked together to investigate reported performance issues of
the EMIS LV application, when operating over the N3 "Main
to Branch" Network, and to provide a fix to the issue. The
results from the trials have been very encouraging with the joint
team witnessing significant improvements to how the application
is now running over N3.
Dependency on the systems of Choose and Book
7.5 Returning to the evidence of Dr Peter
Smith, he says, in paragraph 18 of EPR 03, that access to services
such as Choose and Book should not be dependent upon the medical
record upload. It is important to note that with respect to the
data around individual patients, it is not. It does, however,
depend on the infrastructure, namely, the N3 network, the security
framework, the demographics service and the messaging infrastructure.
Capacity of the bandwidth
7.6 In EPR 37, paragraph 3, Symantec said
" ... due to the lack of bandwidth allocated
to the database, the Spine will not be able to hold all the medical
information relevant to each patient. The lack of bandwidth means
the amount of data able to be stored on the database will be limited
and the ability to download the data in any meaningful timeframe
7.7 This statement is not only untrue, but
also makes little sense. The term "bandwidth", as commonly
used in the context of Information Technology, is a measure of
the capacity of a data communications network to transmit a volume
of data over a period of time (usually expressed in millions of
bits (binary digits) per second). The NHS New National Network
(N3) has sufficient capacity to provide adequate bandwidth between
any two locations in the NHS that need to exchange data. As evidence
of this, NHS organisations routinely transfer diagnostic images
in digital format of several tens of megabytes (there are eight
bits per byte and a megabyte is over one million bytes) across
this network, throughout the day, using the Picture Archiving
and Communications Service (PACS). The N3 network transmits seven
terabytes (millions of megabytes) of data each day. Further information
has already been provided as part of the Department of Health's
written evidence EPR01.
7.8 Clinical records, in comparison to diagnostic
images (X-ray or MRI scan images), are relatively small amounts
of data; perhaps a few megabytes at maximum, once coded using
appropriate clinical terminology. To suggest that there is insufficient
bandwidth for the Spine and that this limits its ability to hold
all medical information is clearly wrong. Even if the assertion
related only to the database capacity necessary to store all detailed
patient records, this is still wrong, since the database products
that store Spine data are already used for other databases many
times the size of that needed to store 50 million detailed patient
7.9 To exemplify the point with more specific
detail, the data centres hosting the Spine are provisioned with
resilient (dual) network links. These links have recorded 99.99%
availability over the last 12 months (against a 99.9% Service
Level Agreement (SLA)). The availability of the Spine Data Centre
and its services has been 99.97% over the last 12 months (against
a 99.7% SLA). All Data Centres in this infrastructure are architected
to have fault tolerant network connections featuring assured end-to-end
separation of the two physical cables entering the Data Centre.
This means that at no point in their journey between the Data
Centre and the rest of the network are they close enough to fail
or be damaged in a single action. Within the Data Centre, this
separation continues, with separate local area network links,
separate power supplies, separate network adapters in the separated
pairs (or clusters) of servers providing this service.
7.10 Presently, the average size of a detailed
medical record sent over the National Programme's GP2GP service
between GP EHR systems is approximately 547 kilobytes (indeed,
less than 1% of detailed medical records so far transferred are
larger than 5 Megabytes). Even if these detailed records were
to be transferred to the Spine it would not cause problems for
the links in the N3 network or to the Spine Data Centres. The
N3 network has a range of capacities available for site connection,
each installed appropriate to the site's individual needs. The
"core" of the N3 network has a capacity of 4.5Gbps.
Such a network is able to transmit an average detailed medical
record in less than one millisecond. The links into the Spine
Data Centres can transmit the average detailed record in just
over 56 milliseconds (a twentieth of a second). This means that
even if all detailed records did need to be transmitted to the
Spine in one go (a highly unlikely situation, but useful as a
"worst case scenario") with the network links upgraded
to their maximum capacity, it would take less than 5 days to transfer
50 million records. This highly unrealistic "worst case scenario"
illustrates that the capacity available in the network to deal
with detailed medical records, even if they were to be sent to
the Spine, is easily adequate for the job.
Section 1.4: General Programme Related IT
8. A number of more general issues were
raised in respect of the Programme's IT products and services:
Cerner Millennium Release 0
8.1 To clarify Q389/90, Cerner Millennium
Release 0 (R0) is the clinical application implemented at both
the Newham and the Homerton Hospitals. 15 NHS hospital trusts
to date across London and the South have elected to implement
Release 0 as a precursor to the full clinical suite of Cerner
Millennium Release 1. This incorporates a fully anglicised Patient
Administrative System, together with the clinical applications
that support Ordering and Results Reporting of diagnostic tests
and care pathways.
Maintenance of the vision of integrated records
8.2 In response to Q398, where it is suggested
that the focus has been on hospitals rather than primary care
and that the vision of an integrated system has been lost, it
should be noted that in London 42% of all PCTs and half of all
mental health trusts have implemented the Local Service Provider
(LSP) Rio application. This solution will be integrated fully
with the Cerner Millennium solution to provide a patient centric
integrated solution, working across organisational and professional
boundaries. In the North, Midlands and East, the LSPs have implemented
nine GP systems and over 1,200 applications to Primary Care Trusts
to support the delivery of Community Services.
Would the same progress have been made without
8.3 Dr Cundy observed (Q81) that:
"we have now recently developed technology,
through a project which was begun before the national programme,
to exchange GP records wholesale from one practice to another.
Six hundred practices in the country have that, and it is almost
getting on for 10%, and that exchange can occur in a matter of
It is a matter of speculation as to how far
forward this process would have moved without the involvement
of NHS Connecting for Health, bearing in mind that enabling it
depends on the existence of a reliable network with suitable bandwidth
and the definition of adequate standardisation and messaging structures.
None of these would have been in place without the Programme.
When NHS Connecting for Health announced on 19 March 2007 the
first interoperable transfers of Electronic Health Records in
Croydon PCT, Dr Cundy was widely quoted as saying:
"These first transfers of GP electronic
patient records between different practices using different computer
systems is a watershed for patients, practices, the Programme
and the NHS. It represents a significant and tangible leap forwards
in the modernisation of the NHS and is a tribute to close collaborative
and clinician led working. I would like to personally congratulate
the entire team and look forward to the next stages of widened
supplier involvement and national rollout."
8.4 To make it happen on the ground NHS
Connecting for Health has driven GP2GP forward within a structured
project management framework and ensured that the solutions developed,
and being developed, by the clinical system suppliers are subject
to a rigorous compliance process. This ensures that clinical and
patient safety is at the fore and that Spine interactions are
carried out safely. Clinical systems which do not comply in these
areas cannot be accredited as GP2GP-compliant.
8.5 Dr Cundy also stated (Q96) that many
of the PACS systems being installed now are the PACS systems that
were on order books in 2001-2004 but were put on hold:
Of the 122 Trusts that had no form
of PACS in 2003, only 31 had live PACS projects.
Ten of these 31 Trusts went on to
implement these projects outside of the Programme. They were therefore
not "put on hold".
The other 21 have implemented, or
are implementing, NHS Connecting for Health's PACS solution. In
many cases delays were experienced because of trusts' failure
to write business cases. They could hardly be described as ready
to procure their systems.
8.6 In a similar vein, Dr Markham told the
Committee (Q508) that:
"the Southern Cluster, as is now, was almost
ready to roll out (PACS)."
This is not so. The Southern cluster was in
fact purely a consequence of co-operation between the newly-created
National Programme and the Broadband Britain initiative, to segment
the NHS into regional groupings suitable for the maintenance of
a contestable framework.
8.7 Finally, Dr Cundy stated (Q99) that
it was "not a good thing" that general practitioners
will be offered a choice of suppliers for their electronic record
system. This is in direct conflict with a quote by him in the
13 February edition of "e-health Insider" magazine that:
"this (The GP Systems of Choice initiative)
is great news for GPs and great news for the programme. I am reassured
that this is finally going to happen."
Sealed envelope functionality
8.8 Guy Hains commented (Q305) that he would
need to see a more detailed specification than that contained
in the spine functionality plan to implement sealed envelopes
within his Local Service Provider (LSP) environment. Sealed Envelope
functionality will be delivered in the Spine in 2008. LSP solutions
will deliver Sealed Envelope functionality in two phases:
in the detailed care record;
in the messages that the LSPs exchange
with the Spine.
The Sealed Envelope integration with the Spine
can occur only post 2008 after the Spine functionality is delivered.
The major sub-contractors (iSoft and Cerner) have committed to
delivering Sealed Envelope functionality in 2009.
Direction of information flow
8.9 Professor Korff was wrong to suggest
(Q198/99) that there will be only one direction to the flow of
information from local to central records. Right now local NHS
records are deriving their demographic information from the centrally
held Personal Demographics Service. We envisage that local records
will pull through elements of the national record to ensure patients
enjoy continuity of information. Medications and allergies are
an obvious example. At the very least local records should compare
themselves to the national Summary Care Record and highlight to
the responsible clinician when they are different.
Purpose of the secondary uses service
8.10 Dr Walport was not well informed when
he said (Q336) that the initial aim of the Secondary Uses Service
(SUS) was about management. Misgivings about the name should not
be taken as implying that the need to support research was not
designed into the care record specification at the outset. The
published specification in July 2002, the contract specification
in May 2003 and the first SUS consultation document in February
2004 were all explicit in identifying the requirement to support
Structure of the electronic health record
8.11 Dr Sarah Dilks (in paragraph 3 of EPR
10) seems to assume that the electronic health record is a single
unstructured document. That is not the case. The electronic health
record is structured in a number of ways, and access to information
is "partitioned" in a number of ways. Additional evidence
was provided to the Committee on this subject on 12 June 2007.
To be clear:
For the Summary Care Record held on the Spine:
Each entry is held separately with
a set of data to identify it including author and organisation.
Within each entry Care Record Elements
categorize the data, eg, Medications, Allergies, etc.
Entries to the Summary Care Record
are submitted using structured HL7v3 messages so the structure
can be maintained.
If an entry contains sensitive information
the patient may place it in a Sealed Envelope.
Role based access ensures that people
can access only the information about a patient which is relevant
for them in their role, so a doctor can access clinical information,
but a receptionist may access only booking data.
Legitimate relationships ensure that
in all instances access to patient information held in the NHS
Care Records Service creates an audit trail of who accessed what
information and when. Inappropriate access generates an alert
to a Caldicott Guardian who may investigate the matter further.
For the Detailed Care Record held on local systems:
Data is stored in a structured data
store (typically a relational database) with each element identified
within that structure.
The principles of Legitimate Relationships
and Role Based Access Controls referenced above are also applicable
to accessing detailed records.
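The layered checks described in 8.11, as an added example in Python; it is not NHS Connecting for Health's or any supplier's code. Assumptions: the role-to-category map, treating a missing legitimate relationship as inappropriate access that raises the alert, and keeping sealed entries visible only within the authoring organisation; all identifiers and records are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-category map. Only the doctor/receptionist contrast comes
# from the text; unknown roles get no categories (default deny).
ROLE_CATEGORIES = {
    "doctor": {"Medications", "Allergies"},
    "receptionist": {"Booking"},
}


@dataclass(frozen=True)
class Entry:
    entry_id: str
    patient_id: str
    category: str          # Care Record Element, e.g. "Medications"
    author: str
    organisation: str
    sealed: bool = False   # patient placed the entry in a Sealed Envelope


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    organisation: str


@dataclass
class RecordService:
    entries: list
    relationships: set = field(default_factory=set)   # (user_id, patient_id)
    audit_trail: list = field(default_factory=list)
    alerts: list = field(default_factory=list)        # for the Caldicott Guardian

    def _audit(self, user, patient_id, entry_id, outcome):
        event = {
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user.user_id,
            "patient": patient_id,
            "entry": entry_id,
            "outcome": outcome,
        }
        self.audit_trail.append(event)
        return event

    def read(self, user, patient_id):
        """Return the entries this user may see, auditing every decision."""
        # Assumption: no recorded legitimate relationship = inappropriate access.
        if (user.user_id, patient_id) not in self.relationships:
            self.alerts.append(
                self._audit(user, patient_id, None, "denied:no-relationship"))
            return []
        allowed = ROLE_CATEGORIES.get(user.role, set())
        visible = []
        for entry in self.entries:
            if entry.patient_id != patient_id:
                continue
            if entry.category not in allowed:
                outcome = "withheld:role"
            elif entry.sealed and entry.organisation != user.organisation:
                # Assumption: sealed entries stay within the authoring organisation.
                outcome = "withheld:sealed"
            else:
                outcome = "released"
                visible.append(entry)
            self._audit(user, patient_id, entry.entry_id, outcome)
        return visible


def build_demo():
    """Constructed sample data: two patients, three users, four entries."""
    entries = [
        Entry("E1", "P1", "Medications", "dr-a", "PracticeA"),
        Entry("E2", "P1", "Allergies", "dr-a", "PracticeA", sealed=True),
        Entry("E3", "P1", "Booking", "rec-a", "PracticeA"),
        Entry("E4", "P2", "Medications", "dr-a", "PracticeA"),
    ]
    users = {
        "gp": User("dr-a", "doctor", "PracticeA"),
        "ooh": User("dr-b", "doctor", "OutOfHoursB"),
        "desk": User("rec-a", "receptionist", "PracticeA"),
    }
    service = RecordService(entries)
    service.relationships = {("dr-a", "P1"), ("dr-b", "P1"), ("rec-a", "P1")}
    return service, users


if __name__ == "__main__":
    svc, who = build_demo()
    for name in ("gp", "ooh", "desk"):
        print(name, [e.entry_id for e in svc.read(who[name], "P1")])
    print("P2 by ooh:", svc.read(who["ooh"], "P2"), "alerts:", len(svc.alerts))
```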
SECTION 2: TIMING
9. Delays to the Programme were cited by
a number of witnesses. The Department's evidence accepted that
delays have occurred though some of the evidence of individuals
is worth commenting on:
Priority of electronic prescribing
9.1 Frank Burns said (Q544) that electronic
"is not a priority of NPfIT, and it should
be one of the first things that are rolled out across the hospital
In fact, ePrescribing is a priority but the
specification was not available at the commencement of the National
Programme and NHS Connecting for Health has worked hard to get
it in place. This has involved wide consultation.
9.2 The functionality to be provided by
ePrescribing systems is now extensively detailed in the ePrescribing
Functional System. It will include:
computerised entry and management
knowledge support, with immediate
access to medicines information;
decision support, aiding the choice
of medicines and other therapies with alerts such as drug interactions;
computerised links between hospital
wards/departments and pharmacies;
ultimately, links to other elements
of patients' individual care records.
9.3 The programme will also focus on supporting
the new working processes and cultural changes needed to make
the introduction of ePrescribing systems a success.
9.4 LSPs are currently developing the basic
and advanced ePrescribing components of their strategic solutions
and are currently contracted to deliver ePrescribing between 2008
and 2010. Separately, £11.5 million capital funding has been
made available to acute trusts via SHAs to purchase interim oncology
ePrescribing systems, to treat oncology ePrescribing as a priority,
in support of the National Cancer Plan. It was a condition of
the funding that procurements should commence by 31 March 2007.
Problems with legacy data
9.5 In general, the extent to which the
time required for the implementation of Patient Administration
Systems (PASs) is affected by data quality is determined by the
priority given, and the resources made available, in individual
organisations to cleanse data prior to migration. In total this
can easily amount to several man years of specialist input. Indeed
the scale of the task, exemplified by Mr Hains (Q276), to eliminate
duplicate and corrupt data when replacing existing computerised
records cannot be overstated. NHS organisations have an accumulation
of current and historic data held within their patient indices
on their PASs and other electronic systems, or on paper records.
Duplicate records exist in all PAS systems, mostly created when
patients use different names or addresses to records already held,
or when NHS numbers are not used. Duplicates also exist when hospitals
merge and continue to operate two or more PASs simultaneously.
It is estimated that most existing/legacy systems operate with
a duplicate rate in excess of 9%.
9.6 The introduction of the NHS Care Record
Service will result in closer integration of national and local
records (both demographic and clinical) and the opportunity to
build an individual's summary of key clinical events, diagnostic
results and current medication. It is important therefore that
the quality of the information recorded is high and that the number
of duplicate records on the system is minimised, as any level
of duplication will increase clinical risk.
Progress on interoperability
9.7 The reference by Dr Paul Cundy (Q102)
to "moving towards" interoperability does not adequately
reflect the level of progress achieved. Some 115 systems have
now been through the compliance programmes for the new IT systems.
This has created a level of systems' interoperability that was
unimaginable three years ago, as a result of which, in a typical
week 6.5 million HL7v3 messages are processed by the demographics
service and 5.3 million messages by the central database, which
is accessed on a typical NHS day by 50,000 authenticated unique
Delays to PACS in the North West
9.8 Dr Markham told the Committee (Q551)
"the North West and the West Midlands [PACS]
is delayed, because there were some contractual problems initially."
In fact, the subcontracted PACS provider to
the main supplier missed a number of key milestones. Their contract
was terminated and another vendor was selected by CSC. A proven
alternative solution was subsequently delivered to the NHS within
three months. This is an example of the procurement arrangements
working as designed.
SECTION 3: LOCAL
NHS COSTS AND
10. There has been much misinformation about
the costs and affordability of the Programme, most of which can
be dismissed following the publication of the NAO's study of the
Programme last year.
10.1 Frank Burns told the Committee (Q556)
"the resources are all locked up in NPfIT,
and ... . nobody can do anything because NPfIT has the money."
The figures simply do not bear out this assertion.
Whilst there has been significant investment centrally in the
National Programme through NHS Connecting for Health it is also
the case that local IT spending in the NHS is significantly greater
than that on the central programme and NHS IT spending is also
continuing to increase. This is demonstrated in the table below:
Table: Local NHS spending on Information
Management and Technology: increases on previous year:
| | 2006-07 (planned) |
| Total IM&T spend (£'000s) | 1,251,814 |
| £'000s increase over previous year | |
| % increase over previous year | 8.99% |
10.2 There is further evidence that local costs are reduced
significantly as the systems are supplied through the Programme.
Annex 2 contains illustrative examples of affordability comparisons
between NPfIT solutions and local procurements.
10.3 The central PACS procurement also demonstrated
significant advantages over local procurements; with many commodity
items costing 70% less than previous procurements. The significant
delays in rolling out the PACS applications were due to NHS trusts'
inability to get business cases approved by their Boards and the
subsequent raising of Purchase Orders. There would have been considerable
additional delay had Trusts attempted to justify business cases
where the cost of ownership was considerably more expensive than
was achieved by the Programme.
10.4 Dr. Markham implied (Q512) that the lack of availability
of resources, subsequently provided through the National
Programme, was the key obstacle to the rapid deployment of
PACS. When the National Programme took on board acceleration of
the procurement and deployment of PACS, one difficulty was that
many radiologists wished to specify a local system, which would
have driven up costs and delayed implementation. However, deployment
of PACS under the Programme is not necessarily the same product
as the earlier deployments. The National Programme systems offer
Radiology Information System integrated fully
with the PAS and PACS
PACS in A&E, theatres and on wards
Cross site access to images
Access from outpatient clinics and outreach clinics
The support of specialisms such as orthopaedics.
The installations prior to the National Programme did not
all have this scope and it is this broadening of scope and widening
of availability that has led to the delivery of benefits.
10.5 Frank Burns stated (Q516/7) that he had had a very
sophisticated, fully functioning clinical system for 17 years.
The Wirral Hospital NHS Trust elected to undertake independent
procurement in 2004 for the replacement of the system that had
a very high cost of ownership. The procurement was based on the
NPfIT specification for clinical applications for an NHS acute
hospital. The Trust, at considerable cost to the NHS and to the
supplier community, got to "preferred bidder" stage
in 2006. However, the cost of the solution was over twice that
already achieved by NHS Connecting for Health for the Cerner Millennium
Solution. Mindful of the advanced functionality already enjoyed
by Wirral Hospitals NHS Trust, and that their solution would "expire"
at the end of 2007-08, putting patients and staff at risk, NHS
Connecting for Health agreed with Fujitsu Services (the LSP for
the South) to make available the Trust's preferred supplier's
application at the NPfIT contracted rates. Subject to satisfactory
conclusion of commercial discussions, the Wirral Hospital NHS
Trust is planning to take the Cerner Millennium PAS in the first
quarter 2008. Of course the substantial cost of procurement incurred
by the NHS could not be recovered.
10.6 Contrary to Dr Taylor's evidence (Q546) the Shires
Consortium did not include early delivery of the PACS applications.
The consortium was a loosely federated purchasing consortium that
demanded different applications and approaches to implementation,
but that agreed to procure services locally. The cost of the Shires'
procurement as determined in the business case was at least double
that obtained during the NPfIT procurement. The NPfIT procurement
further enjoyed more beneficial terms and conditions, greater
levels of integration and significantly improved service availability
for the NHS.
SECTION 4: THE
11. Many witnesses commented on the summary care record
and the confidentiality issues. Most of the witnesses support
the concept. The Department of Health gave extensive oral evidence
on this issue, as well as making the case for the record in its
initial written evidence (EPR 01) and in its further note dated
12 June 2007, which aimed to clarify some of the issues that had
arisen at the oral hearings.
The summary care record
11.1 The Summary Care Record will be populated initially
from the patient's computerised GP notes (unless a patient dissents
from storing or sharing their record with the Summary Care Record
system). It will be made available to authorised clinicians within
the Out-of-Hours setting. As the Department indicated in its original
written evidence to the Committee, the initial summary upload
(1) Patient demographic details:
Current and other address details (eg contact
address when different).
Contact details (telephone numbers, email address
Contact preferences including preferred language.
(2) Medications (Repeat prescriptions in last six months,
acute prescriptions in previous six months, discontinued in last
(3) Allergies and adverse reactions.
11.2 Subsequent uploads can include other information
that the GP and the patient think would be useful in the Summary
Care Record, including:
Clinical observations and findings.
Social and personal circumstances.
Provision of advice and information to patients
11.3 In areas where hosted GP systems are being rolled
out by Local Service Providers, out-of-hours services will be
able to access shared GP systems directly from the LSP data centre.
Specific Out-of-Hours functionality is being developed to ensure
that appropriate controls and functions are available to the out-of-hours
community. This will provide data and facilities to ensure far
greater continuity of care than that currently generally available.
Consultation on the summary care record
11.4 The answers given by witnesses to questions 177-186
do not reflect the extensive consideration and consultation that
has taken place on the consent issue. The issue has been considered
by seven separate groups, all of which concluded that opt-out
was the most appropriate policy.
11.5 The policy that patients should opt out of having
a Summary Care Record was proposed in 2003 by the NPfIT National
Programme Board based on recommendations from the NPfIT Patient
Advisory Group and the National Clinical Advisory Group, the membership
of which included the Medical Royal Colleges and other clinical
bodies. The recommendation from the National Programme Board was
approved by a Ministerial Taskforce on NHS Information Technology
in November 2003 and was subsequently endorsed by Ministers. The
Ministerial Taskforce included members from the patient community,
the NHS, the Department of Health, the Academy of Medical Royal
Colleges, the BMA, the Royal College of Psychiatrists and the
Government e-Envoy. Information has already been provided as part
of the Committee's evidence session on 26 April 2007.
11.6 The Care Record Development Board (CRDB), established
in 2004 and chaired by Harry Cayton, asked its Ethics Advisory
Group, chaired by Professor Dame Joan Higgins, who also chairs
the statutory Patient Information Advisory Group, to revisit the
opt-out policy. The Ethics Advisory Group recommended that the
previous decision that patients should opt out was appropriate.
The CRDB considered the evidence and accepted the advice of the
Ethics Advisory Group.
11.7 In September 2006 a Ministerial Taskforce on the
Summary Care Record was established, chaired by Harry Cayton.
The membership of the Taskforce included the NHS, patient representation,
the BMA, the Royal College of General Practitioners, the Royal
College of Nursing, the Professor of Bio-ethics from Oxford University
and the College of Emergency Medicine. The Taskforce considered
the opt-out policy and, having recommended an appropriate period
to allow patients to opt out, supported it unanimously. The Taskforce
set out clearly the arguments for and against both the opt-out
and opt-in positions in paragraphs 4.3-4.5 of its report. They
concluded that it was more ethical to allow patients to opt out.
11.8 All the information published makes it clear that
patients have a choice and that the NHS will continue to provide
the best care that it can irrespective of whether patients have
a Summary Care Record.
11.9 In paragraph 6 of its written evidence to the Committee
(EPR 11) Patient Concern expressed the view that the explicit
consent of patients should be gained prior to uploading data into
the Summary Care Record. The Ministerial Taskforce did not support
this approach. Concerns over an explicit consent approach have
been that it would:
take considerable time to implement and therefore
delay the delivery of the benefits associated with having a Summary
disadvantage the most vulnerable members of society
who may benefit most from the new record but may not be provided
with one for a considerable period, or who may be difficult to
contact to gain consent. Patient Concern's suggestion that vulnerable
people could be contacted in writing to obtain consent is misleading
as the very nature of their vulnerability would exclude many such
require everyone to take action when, based on
the experience of other countries who have implemented similar
electronic records, only a very small minority will request not
to have a Summary Care Record at all. In Canada a legal requirement
for explicit consent was swiftly amended when health professionals
complained about the time taken away from patient care when more
than 99% of patients were not concerned about appropriately managed
electronic health records.
11.10 Patient Concern also suggested that developments
in France and Greece had demonstrated that explicit consent can
be gained for the upload of records. No specific evidence was
provided about the relative scale of developments in those countries,
though it is accepted that in some circumstances it would be practicable
to gain explicit consent. However, there are no true comparisons
between the creation of the Summary Care Record and developments
in these other countries. The cost of an explicit consent process
for 50 million people, in terms of NHS staff time and the associated
opportunity cost of patients not seen, particularly in the light
of the position adopted by the Ministerial Taskforce, is not sustainable.
11.11 Professor Korff told the Committee (Q195) that:
"provisions about sealed envelopes that cannot be opened
without the consent of the data subject; and the right of every
patient regularly to receive a log of every person in the NHS
who has had access to his data, including, I daresay, any researcher
who has access to his data and who can be identified. Those are
safeguards that can be built in; they are not envisaged here now."
11.12 Professor Korff also stated (Q218) that he understands
"all the data in the sealed envelope will be available
for research with minimal anonymisation and pseudonymisation."
He said that the
"envelopes are not sealed very well" and that "It
is fairly easy for practitioners to break them open."
11.13 Professor Korff's understanding is flawed and the
statements he made are incorrect. Patients will have the choice
of two types of sealed envelope:
The first, which we refer to as sealed and locked,
prevents data from being available outside of the clinical team
that recorded the information, whether for research or any other
purpose. The data will remain available to those who recorded
it whilst they are caring for the patients.
The second, the ordinary sealed envelope, does
permit data to be extracted, in a fully anonymised form for research
purposes, and it will also be available for clinical staff in
emergencies when the patient is unconscious or with the patient's
consent. The mechanism for breaking the seal in these circumstances
is simple, though there are strong managerial controls to prevent
misuse, as it is expected the seal will need only to be broken
without consent at times when the patient concerned is in desperate
need for urgent care. Whenever the seal is broken the circumstances
will be investigated and the patient will be informed.
11.14 The NHS Alliance presented written evidence to
the Committee on this topic (EPR 19). In their paragraph 3.1.4
"Again, the NHS Alliance would recommend that ... patients
should also be informed when their sealed envelopes have been
opened. This is not planned at present and is a SERIOUS omission;
11.15 In due course patients will be notified, through
HealthSpace, whenever there is activity on the record involving
a change in the sealed record status. This includes creating a
seal, breaking a seal, and any action to override dissent. In
addition, an NHS Caldicott Guardian/Privacy Officer will receive
an alert when a seal is broken (with or without consent from the
patient). Virtually any action, including changes to sealed record
status and clinicians self-claiming legitimate relationships so
they can break the seal, creates an audit trail. Patients cannot
access their audit trail directly (through HealthSpace or any
other route); though Data Protection Act Subject Access Request
provisions will provide this information on application.
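The sealed envelope rules set out in paragraphs 11.13 and 11.15, modelled as an access decision with its audit trail, Guardian alert and patient notice. This is an added illustration, not code from the Department or NHS Connecting for Health; the class, field and team names are hypothetical, and it assumes the recording team's access also applies to the ordinary sealed envelope.

```python
from dataclasses import dataclass, field
from enum import Enum


class Seal(Enum):
    SEALED = "sealed"                    # ordinary sealed envelope
    SEALED_AND_LOCKED = "sealed_locked"  # never leaves the recording team


class Purpose(Enum):
    DIRECT_CARE = "direct_care"
    RESEARCH = "research"


@dataclass(frozen=True)
class Request:
    user: str
    team: str
    purpose: Purpose
    caring_for_patient: bool = False  # relationship with the patient is current
    patient_consents: bool = False
    emergency: bool = False           # e.g. patient unconscious, urgent care
    self_claimed: bool = False        # clinician self-claimed the relationship


@dataclass
class Envelope:
    patient: str
    seal: Seal
    recording_team: str
    audit: list = field(default_factory=list)            # every action
    guardian_alerts: list = field(default_factory=list)  # Caldicott Guardian
    patient_notices: list = field(default_factory=list)  # e.g. via HealthSpace
    investigations: list = field(default_factory=list)

    def __post_init__(self):
        # Creating a seal is a change of sealed status: audited and notified.
        notice = {"outcome": "seal_created", "seal": self.seal.value}
        self.audit.append(notice)
        self.patient_notices.append(notice)

    def _log(self, req, outcome, reason):
        event = {"user": req.user, "team": req.team,
                 "purpose": req.purpose.value, "outcome": outcome,
                 "reason": reason, "self_claimed": req.self_claimed}
        self.audit.append(event)
        return event

    def _break_seal(self, req, reason):
        event = self._log(req, "seal_broken", reason)
        self.guardian_alerts.append(event)  # alert with or without consent
        self.patient_notices.append(event)  # patient is informed
        self.investigations.append(event)   # circumstances are investigated
        return "full"

    def request(self, req):
        """Return 'full', 'anonymised' or 'denied' and record the decision."""
        recorded_here = req.team == self.recording_team
        # Assumption: the recording team keeps access to either envelope type
        # while caring for the patient (the page states this for sealed and locked).
        if (req.purpose is Purpose.DIRECT_CARE and recorded_here
                and req.caring_for_patient):
            self._log(req, "allowed", "recording team, currently caring")
            return "full"
        if self.seal is Seal.SEALED_AND_LOCKED:
            # Not available outside the recording team for any purpose.
            self._log(req, "denied", "sealed and locked")
            return "denied"
        if req.purpose is Purpose.RESEARCH:
            self._log(req, "allowed_anonymised", "research extract")
            return "anonymised"
        if req.patient_consents:
            return self._break_seal(req, "patient consent")
        if req.emergency:
            return self._break_seal(req, "emergency without consent")
        self._log(req, "denied", "sealed, no consent and no emergency")
        return "denied"

    def subject_access_request(self):
        # Patients see the audit trail on application, not directly.
        return list(self.audit)
```
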
Safeguarding confidentiality for patients with mental and sexual
11.16 Joyce Robins expressed her concerns on confidentiality
for patients with mental and sexual health issues to the Committee
on 10 May 2007 (Q204). On 15 March 2007, over a hundred clinicians,
information governance staff and representatives of patient groups
in Reproductive and Sexual Health Medicine came together to debate
whether the safeguards being offered by the National Programme
were enough for the specific confidentiality needs of this community.
Throughout the day, delegates were asked to discuss a range of
issues and provide answers using tablet PCs on their tables; some
were repeated at the end to see whether opinions had changed.
11.17 One question that showed a shift in views was:
How do you feel the National Programme for IT will affect the
confidentiality of information (including test results) in your
| Will improve
| May improve||23%||51%
| Unlikely to impact||15%
| May worsen||37%||16%
| Will worsen||19%||11%
11.18 A very clear steer on what delegates wanted was
provided by questions such as: Who should decide how far information
Clinicians (Genito-Urinary Medicine clinic, reproductive
health service or GP): 0%
Patient and clinician together: 77%
NHS Connecting for Health: 0%.
Section 10 of the Data Protection Act
11.19 In paragraphs 5-11 of his written evidence (EPR
08), Dr Peter Gooderham refers to and quotes Section 10 of the
Data Protection Act 1998, which provides patients with the right
to require a Data Controller, in this case, the Department of
Health, to cease processing personal data where this is causing,
or may cause, substantial damage or substantial distress where
that damage or distress are unwarranted. He suggests that breach
of confidentiality may be regarded as "substantial damage",
but recognises that there are exceptions to Section 10 and quotes
one such exception where the processing is in the vital interests
of the data subject.
11.20 The Department of Health accepts that this may
be the case, but any consideration of the application of Section
10 must be conducted on a case by case basis. This would need
the content of the record and the damage or distress
that might be caused by unauthorised disclosure;
the circumstances of the data subject - keeping
records of an individual who puts others at significant risk may
be warranted even where this causes the individual concerned substantial
damage or distress;
the importance of the record to the data controller
or others - the need to maintain evidence against future complaint
or litigation may require the record to be kept even where a patient
the safeguards and controls that are in place,
as, if there is no risk of breach of confidence, then the Section
10 notice may be rejected.
11.21 In paragraph 10 of his submission, Dr Gooderham
suggests that if prominent individuals such as MPs are allowed
to object, but others are not, then such a distinction may be
discriminatory. Whilst, at the direction of Ministers, all adult
patients may choose not to have a Summary Care Record, there is
no other automatic right to prevent processing. Any request, regardless
of the celebrity of an individual, will need to be considered
on a case by case basis.
How many will opt-out of the summary care record?
11.22 Experience from the early adopter primary care
trust areas in England where the summary care record is being
trialled shows that the number of people who wish to opt out of
the Summary Care Record has been very significantly exaggerated
on the strength of the views of a small minority. Only just over
a thousand people out of a total of over 350,000 - less than
one third of one percent - have to date requested not to have
a summary care record. The following statistics provide the latest
information from the Early Adopter Programme:
9,952 clinical records have been uploaded to the
350,759 letters detailing the NHS CRS options
available have been sent to patients, resulting in a total of 628
calls to the NHS CRS Helpline;
939 consultations have taken place at public events
and at the practices that have so far contacted their patients;
the number of patients choosing not to have a
summary care record is 1,068 (0.29%).
Incremental approach to developing the summary care record
11.23 Joyce Robins, apparently on the strength of attending
a single presentation, misrepresents (Q203) as ill-considered
and ad hoc what is in fact a planned incremental design and consultation
process for developing the Summary Care Record. Our Care Records
Service National Clinical Reference Panel (Chaired by Dr Simon
Eccles, NHS Connecting for Health) is actively considering further
content and enhancements of the Summary Care Record. The Reference
Panel includes representative clinicians from a wide range of
nursing, medical and allied health backgrounds and many different
care settings. It also includes patient and patient advocate representatives.
Information was provided as part of the oral evidence session
on 14 June 2007.
11.24 The Panel is taking a very broad look at the future
of the Summary Care Record, taking care to balance any possible
future addition against the need to keep the summary record as
a clinically useful and accessible record which does not swamp
the user with information. It will be looking at suggested future
content with specific regard to enhancing patient safety; increasing
clinical and patient utility; and the benefits of the additions
compared to the technical difficulty of achieving them. As ever,
the intention is to consult with the widest possible range of
clinical and patient stakeholders.
Early adopter sites
11.25 As explained in the Department's written evidence
EPR01, the deployment of the Summary Care Record (SCR) has started
in the Early Adopter PCTs. The Early Adopter Programme will run
to April 2008 and is subject to an independent evaluation by University
College London. The Early Adopter Programme will refine the implementation
approach and facilitate preparation for the subsequent National
roll-out that is expected to commence in financial year 2008-2009.
SCR implementation has started in two PCTs (Bolton
So far, the two PCTs have sent letters to over
350,000 patients (100% Bolton patients and 59% Bury patients)
initiating the process.
Both PCTs have launched significant public information
programmes to inform their patients.
The SCR upload process has begun in Bolton and
the local out-of-hours provider is preparing to begin access (to
commence in August).
Bury PCT will follow shortly (there is a 16 week
period between the patients being informed through letters and
the commencement of access to their records).
Shortly following access for out-of-hours in Bolton
and Bury, access will be made available in other unscheduled care
settings (eg Accident and Emergency, NHS Walk-in Centres, Minor
Injuries Units and Ambulance Services).
11.26 The other Early Adopter PCTs have plans in place
and are currently in the advanced stages of preparation for launching
Electronic records for children
11.27 On 10 May 2007 the Committee considered some issues
relating to electronic health records for children (Q206 onwards).
The Care Record Development Board has established a working group
to examine the issues around electronic records for children.
The group is chaired by the DH National Clinical Director for
Children, Young People and Maternity Services and its members
represent the National Children's Bureau, the Royal College of
Nursing, the General Medical Council, Safeguarding Children, Sure
Start and Information Sharing and Assessment Units of the Department
for Education and Skills, the Royal College of General Practitioners,
the Royal College of Midwives, the Royal College of Paediatrics
and Child Health, the Royal College of Obstetricians and Gynaecologists,
the Office of the Children's Commissioner, the Royal College of
Psychiatrists, the Community Practitioners' and Health Visitors'
Association, the Department of Health and the NHS.
11.28 The group has considered the issues surrounding
electronic records for children, including discussing them with
a group of children, and has produced a new section for parents
and older children in the 2007 revision of the Care Record Guarantee
(already submitted to the Committee by Harry Cayton). This describes
the rights of parents and children around access to children's
records. The group is also producing an appropriately targeted
version of the Care Record Guarantee for younger children. The
children and young people's section of the Guarantee stresses
the importance of developing autonomy for young people.
11.29 It seems that in responding to these questions
Ms Robins and Prof. Korff have confused detailed care records
and the Summary Care Record. The question asked whether it should
be mandatory for children's detailed care records to be stored
electronically. The position is that detailed records of treatment
have to be kept and it is the responsibility of the clinician
providing the treatment not only to keep the record but also to
decide the medium on which the record will be kept. Patients,
or in this case possibly their parents, can request that records
are not kept electronically but they cannot demand it. The merits
of electronic records in terms of security, legibility and transferability
via the GP to GP transfer functionality are well documented.
11.30 Professor Korff raised the issue of parents consenting
to a detailed record for a child. His example was one of a child
with leukaemia where the child requested not to have a record
at an age when they were considered competent. As far as detailed
records are concerned, paper records have a minimum retention
period and it is right that electronic ones do too. We are currently
consulting with the regulatory bodies and the medical insurers
on what the retention period for electronic records should be. The
Committee might wish to note the reduced storage requirements
of electronic records.
11.31 It has always been made clear that, having initially
said that they wanted a Summary Care Record, patients can change
their minds and this applies equally if a parent has decided that
a child should have a Summary Care Record and when they become
competent the child disagrees. As the Summary Care Record may
have been used as part of treatment it cannot be deleted and so
is archived and can only be accessed if needed for medico-legal
11.32 The National Programme's Child Health Programme
is also exploring the potential for information sharing to the
benefit of the child. This includes consideration of issues relating
to children's records in terms of accessibility and sharing. They
will be taken fully into account when drawing conclusions, with
specific attention to:
the current and emerging policy position and initiatives,
including the obligations currently placed on NHS bodies to provide
certain information about children to other public agencies;
guidance from the joint work of the Care Record
Development Board, under the chairmanship of Harry Cayton, and
the Director for Children, Young People and Maternity (Sheila
the outcome of legal advice that has been sought.
11.33 The Child Health Programme is also looking to build
on the existing (paper-based) Personal Child Health Record (the
"Red Book"), issued for all children, as an exemplar
of the potential content of a shared record and also of the issues
involved in access and sharing of this record for health professionals
with the consent of the parent.
11.34 The Child Health Programme sees its remit as to
identify solutions to implement current policy for children as
it relates to information sharing, taking account of professional
and legal perspectives as well as policy drivers.
11.35 Professor Korff's assertion that the NHS will attempt
in a divisive way to incorrectly infer the competence of children
is wrong. Neither the NHS, nor the Programme, is developing or
seeking to assert its own policies regarding information sharing.
11.36 In addition, NHS Connecting for Health has been
working very closely with the previous Department for Education
and Skills to implement the policy "Every Child Matters."
This work aims to ensure that healthcare practitioners and other
care professionals working with children can be identified to
share information when vulnerable children are at risk.
Availability of HealthSpace
11.37 Joyce Robins also said (Q191):
"I do not know when [Healthspace] will be available."
Basic HealthSpace functionality to act as a personal health
organiser is already available to all patients aged 16 or over
in England. Patients are currently able to record and manipulate
information such as their weight, smoking habit or alcohol consumption
to help them manage their health. Calendar and diary functions
are also available and HealthSpace also gives patients access
to the Choose and Book on-line booking service. It is therefore
wrong to assert that HealthSpace does not exist.
11.38 Recently, HealthSpace has added the capability
for patients to view their Summary Care Record (SCR) once it
has been uploaded to the Spine. This capability is being rolled
out to a number of Early Adopter PCTs during the remainder of
the year in line with the roll-out of the SCR itself. A national
roll-out of this functionality is intended from 2008 onwards.
Detailed planning to achieve this will be undertaken once the
lessons learned and feedback from the Early Adopters are available.
11.39 It is expected that from some point in 2008, HealthSpace
will allow patients to add information to their SCR. The items
that can potentially be added to the SCR are:
Religion - the religion of the patient
Spiritual support - whether the patient would
like to see a representative of their faith during a stay in hospital
Religious customs - details of any religious
customs that the patient would like to observe during a stay in
hospital that may require special facilities or considerations
(eg prayer facilities, Ramadan etc)
Dietary requirements - patient's dietary preferences
eg Vegetarian, vegan, etc
Access requirements - what special access
needs does the patient have?
Transportation - does the patient require
hospital transport to get to their appointment?
Wheelchair user - Is the patient a wheelchair
Hearing aid user - does the patient have a
Patient comment - multi-purpose free text
comment entered by the patient.
11.40 The Care Record Service Design Steering Group is
considering these options and HealthSpace will implement those
items which are considered to be suitable by the appropriate HealthSpace
11.41 Separately from the SCR, future options for HealthSpace
to become a utility provider of personalised health information
are being considered. This is likely to include more facilities
to help patients manage long term conditions and chronic diseases.
NHS use of identifiable and non-identifiable patient data for
care and for secondary uses
11.42 The oral evidence provided by certain witnesses
to the Committee on the distinction between identifiable data
and non-identifiable data, how these may be used and shared, and
how they are protected in the National Programme's systems, was
poorly informed and at times misleading. To provide clarification,
a note has been included as Annex 3.
SECTION 5: CONSULTATION
12. One recurrent criticism is that there has been insufficient
consultation, especially with clinicians, around the overall design
and operational aspects of the National Programme. This was examined
extensively by the Committee on 14 June 2007, when the Department
gave evidence of just how much had been done, whilst agreeing
that there is always a case for doing more.
12.1 Attached for information (at Annex 4) is a copy
of a response to a Parliamentary Question given on 21 June 2007
to Stephen O'Brien MP by the Department's then Minister of State,
Caroline Flint, on this matter. This demonstrates the depth of
consultation on the specification of the NHS Care Records Service.
12.2 Dr Hale told the Committee (Q273 and Q312) that:
"speaking from the point of view of my own trust and
the Royal College of Psychiatrists, we have not been able to make
a great deal of input."
In fact clinicians from across the spectrum of clinical specialties
were given the opportunity to contribute to the specification
of the requirements. The extent to which this opportunity was
taken up in each case is not something the Department could necessarily
influence. The specification itself was built on years of experience
across the NHS, and many clinicians were involved in the drafting - in
particular the Academy of Colleges Information Group contributed
the first module of the specification for the NHS Care Record
Service. During 2003, a group of clinical advisors worked with
the National Programme; this included Martin Elphick, a consultant
psychiatrist from Oxford. The nature of the contracts (using the
OGC-approved method of producing an Output-Based Specification)
means that the specific design is the responsibility of suppliers,
but with users involved in the review of supplier proposals. The
later consultation activities, covering areas such as consent
and sealed envelopes, have been led by the National Clinical Leads
within NHS Connecting for Health, in conjunction with representative
professional bodies. The principle is to ensure full user engagement
in the definition of requirements rather than the technical design
of the solution.
12.3 Engagement with the Royal Colleges has been an ongoing
process throughout the life of the Programme. In 2002, the representative
body was the Academy of Colleges Information Group (ACIG), which
brought together input from all the Royal Colleges. This group
commented on the July 2002 specification and contributed an entire
module to the 2003 specification. From the earliest days of the
Programme meetings were held with leaders of the colleges. Peter
Hutton then set up the National Clinical Advisory Board in 2003,
and this took over the responsibility for bringing input from
the Royal Colleges. Professor Michael Thick, as the Chief Clinical
Officer of the Programme, with his team, has now taken on this
SECTION 6: EVALUATION
13. The Programme will be subject to evaluation. In 2006
NHS Connecting for Health commissioned Birmingham University to
run an overall programme of evaluation on its behalf - the
"NHS Connecting for Health Evaluation Programme." This
programme of work is headed by Professor Richard Lilford.
Evaluation of the NHS Summary Care Record Early Adopter Programme
13.1 Subsequently, University College London (UCL) was
awarded the contract to conduct a year-long independent evaluation
of the NHS Summary Care Record Early Adopter Programme, to fall
within the wider programme. UCL were selected following a competitive
tendering exercise run by Birmingham University which saw seven
applicants submit bids to conduct the evaluation. The year-long
evaluation commenced formally on 1 May 2007 and a final report
is due to be published in the summer of 2008.
13.2 The primary aims of the evaluation can be summarised
as: to assess usability, usage, functionality and impact of the
Summary Care Record in Early Adopter sites, and place this in
context; to set the stage for the step-wise inclusion of further
sites and further data sources; to provide timely feedback to
stakeholders; and to contribute to the generation of an evaluation
culture within NHS Connecting for Health and the National Programme
13.3 The evaluation will inform the national rollout
of the SCR from 2008 onwards although any emerging findings will
of course feed into the ongoing implementation of the Summary
Care Record within Early Adopter communities.
Benefits of PACS
13.4 In her evidence (Q217), Joyce Robins cast doubt
on the benefits of having digital X-rays automatically uploaded
to detailed care records. At the end of June 2007 benefits analysis
for the first year of PACS implementation had been completed for
65 Trusts. The total financial benefit in the first year of service
was approximately £18.5m, with £9.9m of this total saving
being projected by 48 trusts from data recorded 3 months after
the implementation of PACS. Additionally some Trusts have reported
reductions in the incidence of repeat X-Rays by over 75%. Reporting
times and the percentage of reports completed in 48 hours have
also improved significantly, and this has been shown to be influenced
by the deployment of digital dictation and voice recognition.
Loss of benefits if patients have the right to remove their
NHS electronic record
13.5 Returning to the evidence from Symantec in EPR 37,
paragraphs 4 and 5 effectively support the objectives and case
for the National Programme, although the assertion that full benefits
will not be realised if patients have the right to remove their
NHS electronic record is a gross oversimplification. Benefits
of storing medical data electronically accrue largely to the patients
themselves; hence lack of an electronic medical record mostly
impairs the patient's ability to receive safe and efficient medical
care. The reduction of NHS benefits is largely a consequence of
lowering the efficiency of processes to deal with patients when
they have no electronic record and these inefficiencies scale
with the number of patients electing this option. These inefficiencies
are largely operational (it will take more time to treat a patient
without an electronic record) and are only indirectly related
to the inability to benefit from the change in technology.
Benefits of mobile clinical records
13.6 The recently reported evidence emerging from the
early implementations of mobile clinical records is precisely
the opposite of what Dr Dilks suggests at paragraph 8 of EPR 10.
In the community staff-based trial in Nottingham
where laptop computers were connected through encrypted wireless
links to the NHS network (N3), the results of the trial showed
that on average staff had 38 minutes additional productive time
per person per day with the potential to save 60 minutes a day.
The trust saw a reduction in travel times of 32% and realistic
additional potential to reduce commuting by 50%, with the potential
for a 25% increase in productivity.
Nationally, in broad terms the number of front line staff
who have access under the National Programme for IT to shared
electronic health records is as follows
13.7 On average 96% of patient notes were completed on
the day, rather than a typical delay of up to 48 hours previously.
Users perceived an average of 70% improvement in facilities to
do their job. The success was not limited to one particular group
of clinicians. The trial included community matrons, paediatric
physiotherapists, paediatric occupational therapists, and paediatric
speech and language therapists. A video of the clinicians talking
about their experiences is available.
Security and staff training were included within the trial.
13.8 Emerging evidence of savings and efficiencies on
this scale is extremely compelling. When the new hardware (discussed
below) becomes available at the end of the year we expect to see
rapid take-up and deployment of clinical systems in the community-based
13.9 Trials of mobile computing platforms are currently
in progress in several acute trusts, including Salford Royal NHS
Foundation Trust and University Hospitals Coventry and Warwickshire
NHS Trust. Evidence from the Salford trial with the phlebotomy
service showed very rapid changes and improvements in clinical
workflow. This has led to Phlebotomists being able to:
start new orders whilst mobile. This enabled laboratory
processing to begin sooner - potentially speeding result-reporting,
as well as treatment plan adjustments;
resolve questions quickly. The portability made
it easy for phlebotomists to locate requesting clinicians, address
questions, and capture corresponding order-updates;
chart each blood draw at, or close to, the time
of the event. This gave phlebotomists a sense of completion, minimising
the chance of forgetting important information, and making information
available more quickly to other clinicians;
ensure positive patient identification. The built-in
radio frequency identification (RFID) reader enabled phlebotomists
to positively identify those patients wearing RFID wristbands;
eliminate the need to wait for access to a hospital
ward's personal computers to enter patient data;
avoid unnecessary blood draws resulting from previously
unrecognized discontinued orders. Needle sticks are painful and
stressful for patients. Avoiding these unnecessary draws has benefited
patients and enhanced overall service efficiency.
13.10 A larger business benefits analysis is currently
underway in Salford but early results show patient discharge being
accelerated by a half day.
13.11 As part of the wider picture NHS Connecting for
Health's Technology office has been working closely with Intel
to catalyse and define a new category of mobile computer ("mobile
clinical assistant") designed specifically with the clinician
in mind. Four suppliers (with more to follow) have announced that
they are working on the delivery of units to this specification.
Without the input from NHS Connecting for Health it is unlikely
that these units would have been built. The work was done by Intel
and the suppliers at their own risk. No NHS monies were spent
on the development or prototyping of the devices.
SECTION 7: PUBLIC
Section 7.1 Issues Relating to Public Information
Use of the postal service
14.1 Also in her evidence (Q187), Joyce Robins said that
"we suggest is that when this bit of rubbish goes out
to patients with it should go a copy of the record that is going
to go in. Connecting for Health very quickly jumped on me and
said that the postal system was not nearly secure enough for that."
This point needs further explanation.
14.2 The letter had, in fact, been trialled with patients
during its development and discussed with the Information Commissioner.
Sending letters and leaflets to patients in the post is one of
several strands of the Public Information Programme that supports
the introduction of the Summary Care Record. Alongside the letters
and leaflets are road-shows in prominent local locations, support
centres (Information Booths) within PCT premises, posters and
leaflets in GP surgeries and advertising campaigns in local media.
The independent evaluation of the Early Adopter Programme will
examine the effectiveness of each strand of public information
14.3 Whilst sending letters and leaflets is an effective
part of a wider information programme, it is not a suitable mechanism
for sending print-outs of patient records to large numbers of
patients. Information from the University Hospital Birmingham
suggests that 3% of mail was misdirected prior to the introduction
of the Personal Demographics Service and 0.44% after its introduction.
For a PCT with 300,000 patients, a 0.44% misdirection rate would
lead to over 1000 misdirected patient records. In addition, there
are further concerns and risks posed by shared addresses and potential
risks in the postal service itself (for example, Postcomm's £9.62
million fine applied to Royal Mail in August 2006 for failing
to secure mail).
14.4 Instead, through the Public Information Campaign,
the patients will be told where they can go to view their record
(the location is arranged by the PCT). This way, a patient's identity
can be checked prior to revealing sensitive patient data.
The public information campaign
14.5 In her response to Q196, Joyce Robins either seems
to believe the Hampshire project was a part of the National Programme,
or seeks to make direct comparison between the two. Both are
misconceptions. The public information programme supporting Summary
Care Record Early Adopters is not the same as the information
campaign implemented in Hampshire and the Isle of Wight. NHS Connecting
for Health held a workshop with the team from Hampshire and the
Isle of Wight specifically to learn the lessons from the information
campaign that had been implemented there. These were:
that patients need to be told a specific date
by which they need to make their decision on whether to opt-out
or not. As a result, the letter sent to patients in Early Adopter
PCTs tells them by which date they need to tell their GP surgery
if they wish to opt-out;
that not enough information was available to patients
who wished to opt-out. Additional information is available to
patients who wish to opt-out of having a Summary Care Record.
This includes information on the implications of choosing to not
have a Summary Care Record;
that more information was needed about where the
information came from and who would have access to it. The information
available at Early Adopter PCTs tells patients where the information
comes from and who can access it;
that there weren't enough sources of information
for patients other than by phone or email. NHS Connecting for
Health has made additional materials available to patients including
a detailed leaflet about confidentiality and patient records and
the Care Record Guarantee. Drop-in sessions are also available
for face-to-face conversations for those people who would prefer
to discuss their options;
more could have been done to reach foreign language
speakers and ethnic minority groups. The leaflet about the Summary
Care Record is available in twelve languages, the leaflet about
confidentiality in six and the Care Record Guarantee in thirteen.
Leaflets are also available in Braille and large print. Audio
support is also available. Leaflets can be ordered by phone, post
or email. As a result, NHS Connecting for Health supports the
Early Adopter PCTs to engage and reach hard-to-reach groups within
their local areas;
Hampshire and Isle of Wight used Royal Mail's
household drop service which means one un-personalised letter
or information pack per household. This was thought ineffective.
The NHS Connecting for Health Public Information Programme includes
sending a personalised information pack to all registered patients
aged 16 and over.
Section 7.2: Issues Relating to Patient Safety
15.1 In response to Q246, Joyce Robins presents a partial
interpretation of patient safety statistics. The figures she quotes
imply a level of significant (if non-fatal) incidents resulting
from lost records of roughly equivalent numbers to those of MRSA-related
deaths annually. But this is only a small piece of the greater
issue. A study of adverse drug reactions as a cause of hospital
admission published in the British Medical Journal in 2004 [16]
one in 16 hospital admissions are the result of
an adverse drug reaction (ADR), 72% of which are avoidable;
this equates to 4% of hospital bed capacity;
at any one time the equivalent of 7 x 800 bed
hospitals are occupied by patients admitted with ADRs;
ADRs causing hospital admissions are responsible
for the death of 5,700 patients every year;
the annual cost to the NHS is £466 million.
15.2 This and other powerful evidence of the very significant
patient safety benefits to be achieved from electronic patient
records is provided in the paper attached as Annex 5.
15.3 To suggest that:
"medical records ... can be provided by GPs within
48 hours, or shorter"
is a disingenuous comfort to patients who present for treatment,
ever increasingly, out-of-hours or for unscheduled care. To cite
one tragic recently-reported case, that of Penny Campbell, who
contacted the out-of-hours service eight times over four days,
the doctors working for the out-of-hours service treated each
contact as a "one off" because none of them had access
to her clinical record; and none of the doctors after the first
had been aware of the earlier contacts. One of the criticisms
of the circumstances was that the patient had been required to
describe her symptoms on eight separate occasions. The inquiry
concluded that the paper-based system of record keeping used by
the out-of-hours service was a direct factor in the patient's
SECTION 8: OTHER
Accountability for delivery of the Programme
16.1 In his oral evidence (Q519/20) Frank Burns suggested
that accountability for delivering the Programme has been and
remains too centralised. This issue has in fact been addressed.
The NHS Chief Executive, David Nicholson, initiated the NPfIT
Local Ownership Programme (NLOP) in October 2006, in line with
the recommendations of the National Audit Office report, to re-position
the Programme as part of mainstream NHS business, and to ensure
that the products and services being delivered under NPfIT were
meeting the current priorities of the NHS.
16.2 On 1 April 2007 formal accountability for implementation
and the realisation of benefits moved to the Strategic Health
Authorities. SHAs are now responsible for the local prioritisation
of NPfIT systems, establishing and overseeing local implementation
plans and local product and service requirements.
16.3 NHS Connecting for Health continues to be responsible,
within the Department, for the NPfIT commercial strategy, contractual
negotiations with suppliers, management of NPfIT funds, national
services and products, the provision of the Programme Office and
the development, maintenance and enforcement of the national NPfIT
architecture. To ensure relationships with Local Service Providers
continue effectively, three local Programmes for IT have been
established, for London; the South; and the North, Midlands and
East. The Programmes for IT will work alongside the SHAs to facilitate
a joined-up approach in implementing NPfIT across constituent
16.4 In respect of the response given to question 501,
whilst the National Programme has been in existence since 2002,
NHS Connecting for Health was established on 1 April 2005.
16.5 Nicholas Beale (in EPR 14) suggests that the creation
of NHS Connecting for Health was simply a re-branding exercise.
This is not the case. The NHS National Programme for IT has retained
the same name since its inception. The Programme is delivered
by NHS Connecting for Health which, as an agency of the Department
of Health, delivers all the national IT requirements of the NHS,
including the legacy services. The Agency was set up in April
2005 following the closure of the NHS Information Authority. This
was done for administrative and efficiency reasons, taking account
of a separate decision to establish the NHS Information Centre.
It had nothing to do with re-branding the Programme and no action
was taken to suggest that it was.
16.6 Whilst dealing with Nicholas Beale's evidence, it
is not right to suggest that the Programme's origins are at arms'
length from the front line of the NHS. The Chief Executive of
the NHS is the Senior Responsible Owner of the Programme.
Evidence submitted by Stalis Ltd (EPR 05)
16.7 The evidence from Stalis makes a number of inaccurate
claims and appears to reflect the fact that the company failed
in its bid to be a National Programme contractor and wishes to
continue to market its existing systems.
16.8 Their remarks about the "haste" in getting
the contracts in place contrast with the NAO's conclusion of
"commendable speed." The NAO also reported on the strength
of the contracts. Although Stalis complain of haste, it should
be noted that most successful suppliers complain that multi-year
government procurement arrangements are unsatisfactory.
16.9 Annex 6 of this note shows that 115 existing systems'
suppliers have obtained work under the Programme, which refutes
Stalis' allegations in their paragraphs 6-11. Stalis inaccurately
quotes remarks made by Richard Granger regarding the very poor
level of interoperability of systems, including those provided
by Stalis Ltd. These remarks were made some five years ago, expressly
about systems which were unable to move data on the same software
between sites. It is assumed that this is a failing in functionality
which Stalis would not continue to support.
16.10 In respect of paragraph 8 of Stalis' evidence,
the very considerable number of NHS existing systems' suppliers
that have obtained work under the National Programme (Annex 6)
provides substantial contradiction of the selective marshalling
of information on this matter. Some 60% of the hospital-based
systems were procured from a UK listed entity; the major central
infrastructure components of the Programme (the Spine and N3)
were also procured from a UK listed company; and a UK entity,
ComMedica, was selected originally for 20% of PACS business.
16.11 Contrary to the assertion made in paragraph 9,
relevant experience of comparable projects and subcontractor mix
was evaluated alongside the resource arrangements that the suppliers
had in place. For example, the selection of IDX from the USA,
though not an LSP, as the main subcontractor for the London and
the South Cluster areas was on the basis of their successful deployment
at the Chelsea and Westminster NHS Trust, which remains far in
advance of the product marketed by Stalis Ltd.
16.12 The assertion at paragraph 10 regarding experience
of the NHS on the Programme in 2002 through to 2005 is also untrue.
In 2002 the Programme was led by Professor Sir John Pattison,
the former Dean of a medical school, the Director of Research,
Analysis and Information at the Department of Health. Subsequently,
the Programme was co-led by the Deputy Chief Medical Officer,
a distinguished gynaecologist and obstetrician, Professor Aidan
Halligan and a substantial number of senior NHS personnel have
been involved continuously in the Programme both as clinicians
and senior managers. Similarly, the assertion that the suppliers
had had no NHS involvement is also untrue. BT was, in 2002, the
largest supplier of services to NHS trusts with an annual turnover
in excess of £200 million.
16.13 Contrary to paragraph 11, it is not true that funding
was unavailable for migration and cleansing of data. Funding for
this is provided in two ways. Firstly, the trusts get to keep
the savings from their existing contracts with organisations such
as Stalis Ltd, following the implementation of national systems.
In addition, £166 million has been provided over the period
2004-5 and 2005-6 for this express purpose. It should not go without
comment that the cleansing of data within existing systems, such
as those supplied by Stalis, is something which the company assumes
it is right should be funded by the National Programme.
16.14 Paragraph 12 alleges that:
"the LSPs commenced the programme with little or no experience
in UK healthcare and little experience anywhere of the systems
required by the NHS. Although this has improved with some LSPs
it is not consistent across the NHS and remains an issue today."
In fact, assessment of prime contractor capacity and capability
at the pre-qualification stage of the NPfIT procurements required
evaluation of relevant similar services. The prime contractors
who subsequently became LSPs provided examples of their experience.
These are contained in Annex 7 of this note.
16.15 Contrary to paragraph 14, the substantial cost
of ownership of legacy systems was very well understood. This
cost remains a driving force for reducing the number of configurable
components within the Programme, since the cost of acquiring interoperability
is above and beyond the NHS funding envelope.
16.16 Paragraphs 20 and 21 contain some broad-brush assertions
that are not borne out by the facts. The involvement of, for example,
System C, Hedra, Tribal and others are examples of pre-existing
NHS expertise being used to the greatest extent possible, but,
unlike previously, within contracts which now provide adequate
protection to the taxpayer.
16.17 The National Programme is a transformation programme
for the NHS that will underpin the Government's system reform
programme. It is supporting delivery of key reforms such as patient
choice, the 18 weeks referral to treatment patient pathway, the
GP contract, and practice-based commissioning, but at the same
time is designed and is being engineered to retain flexibility
to adapt to, and adopt, future policy. The risks suggested in
paragraph 23 are therefore being managed.
16.18 Far from being a "counterproductive"
task as suggested in paragraph 26, replacement of some long-standing
PASs is essential. Many are facing hardware obsolescence and software
which is unsupported. Not to replace them will put the care of
patients in those hospitals at unacceptable levels of risk and
it would be irresponsible not to proceed with replacement, simply
because some software suppliers would like to see continuity of
16.19 In paragraph 27 Stalis fails to acknowledge that
the devolved approach had not made acceptable progress across
the NHS as a whole. The NHS Care Records Service will provide
an integrated national service for all NHS clinical applications.
This is being delivered as part of an overarching information
strategy that allows the portfolio of systems from the Local Service
Providers and the existing systems' providers to be integrated
into a coherent service. The clear evidence that this approach
is proving effective is that 115 systems have been through the
compliance programmes, creating a level of systems interoperability
that was unimaginable three years ago.
16.20 The statement in paragraph 34 that the UK supplier
industry was ruled out is fundamentally wrong. That they were
uncompetitive in part, undercapitalised and unable to contract
with well-capitalised global players, is not something which could
be blamed on the Department of Health. Further, the corporate
failures or frailties of Torex, iSoft, and ComMedica all validate
arrangements which avoided direct contracting with small and mid-sized
entities that were unable to bear payment on completion risk for
a programme of this scale. Preferential treatment for domestic
suppliers, on this criterion alone, would have been unlawful under
the EU Procurement Directive and WTO arrangements.
16.21 The final specific comment on the Stalis evidence
relates to their paragraph 43. The policy of self-determination
advocated by Stalis is largely incompatible with the objective
of safer patient care (recognised as important at their paragraph
39), which is supported and enhanced by the interoperability
of systems and Spine compliance provided under the National Programme.
16.22 More generally, Stalis clearly believes that it
is possible to integrate multiple different systems to common
standards to allow joined up care. However, they fail to acknowledge
that prior to the inception of the National Programme for IT there
was little evidence of this being done. The NPfIT has created
the environment which will allow this multi-system approach to
become a reality through the central architecture (that has been
successfully delivered) and by the Local Service Providers acting
to coordinate multiple suppliers in the overall delivery. The
LSPs have become more plural over time (eg BT using Rio and InPractice
Systems as well as Cerner; CSC using The Phoenix Partnership and
HSW as well as iSOFT). This trend is increasing and will become
more apparent in the coming months.
16.23 The criticisms levelled by Stalis are of an already
past world from which NHS Connecting for Health has moved on in
order to serve the NHS better. The LSP actions to diversify their
portfolio of systems, the Existing Systems Programme, GPSoC and
more recently the procurement exercise to increase the number
of suppliers to the Programme are all clear evidence of this.
16.24 Stalis' reference to statements made by Richard
Granger to the UK supplier community at the outset of the Programme
seems not to appreciate that this was in effect part of a negotiation
which has led to a much better deal for the NHS both in the short
term and for years to come. Many UK suppliers have benefited from
this process. Contrary to what Stalis imply, many UK NHS expert
IT suppliers are part of NPfIT. These include for example:
The Phoenix Partnership, providing GP/Primary
Care/Child Health/Community solutions across the North, Midlands
CSE Servelec, providing Mental Health/Community
solutions in London;
HSS providing Radiology Information Systems in
all areas other than London;
In Practice Systems providing GP Systems in London;
Liquid Logic and CSW providing Single Assessment
Process (SAP) solutions to link with Social Care;
Health Solutions Wales (HSW) providing Child Health
Systems in the North-West;
Clinisys providing Pathology Systems in London;
PICIS providing Theatre Systems in London;
SystemC providing implementation support services
16.25 All of these organisations are peers to Stalis
in terms of size and expertise in the NHS and all of them are
UK companies. Stalis was not offered the opportunity to become
Choose and Book/Spine Compliant because they had only one EPR
installation within the NHS at the time (2005). All investment
made by the NHS would have been just for that one site. In choosing
Silverlink as the replacement PAS, Moorfields chose a system from
a company that had successfully replicated and grown its business,
working with iSOFT (Silverlink Patient Care System (PCS) was sold
as iSOFT iCS). Silverlink was also amongst the first Acute suppliers
to achieve Choose and Book compliance (it is installed at Harrogate
and Mid Cheshire, both early Choose and Book adopters).
16.26 The current list of Choose and Book compliant Acute
PAS systems (non-LSP ie equivalent to Stalis) is as follows:
iSOFT: iCS (Silverlink PCS)
16.27 Stalis also fails to recognise that the required
expertise in programme management necessary to implement the programme
was non-existent within the NHS, which had never previously managed
programmes of anywhere near the same size. The appointment of
Richard Granger and that of other IT professionals brought large-scale
programme management expertise and included NHS expertise in the
team from the outset.
Evidence submitted by Symantec (EPR 37)
16.28 Comments on Symantec's evidence are included in
relevant parts of this note. On a general point, Symantec's generally
critical stance with regard to the National Programme needs to
be understood in the context of its own commercial interests.
In early 2005 Symantec approached the National Programme for IT
with a proposition to procure licenses centrally, on behalf of
the NHS, for Symantec's Ghost Solution Suite product. Symantec
presented NPfIT with anecdotal information it had gathered about
the use of Ghost within the NHS. Symantec had performed a survey
of NHS trusts in the months leading up to contact with NPfIT,
ostensibly to gauge demand for their anti-virus products, but
had also asked how trusts had installed "images" of
their standard desktop software onto new computers. Without validating
their responses, several trusts had replied that they used Ghost.
Symantec took this anecdotal information from the trusts they
spoke to and extrapolated it across the whole of the NHS in England.
When compared with their sales records from their resellers and
direct channels, this information suggested a significant under-licensing
of the Ghost product across the NHS. NPfIT were presented with
an offer to agree an enterprise wide agreement on behalf of the
NHS or Symantec would start legal action. The scale of the NHS
and the relative immaturity of its local IT asset management capabilities
in 2005 meant that to prove whether Symantec's claims were accurate
or not would have cost the NHS several millions of pounds in largely
manual surveys. It was known that other technologies had been
used to create these desktop "images", but to prove
the relative use of these versus Symantec's Ghost product would
still have necessitated a full survey. As the least cost and least
risk option for the NHS, NPfIT robustly negotiated an agreement
with Symantec to cover the NHS with an Enterprise Wide Agreement
for Ghost Solution Suite at a cost approaching £1.8 million
for perpetual licenses and time-limited support, which was duly
put in place in July 2005. Symantec did not then pursue any legal
Evidence submitted by Tom Brookes (EPR 70)
16.29 The evidence submitted by Tom Brookes contains
some significant inaccuracies, which is surprising since he claims
to have been involved in the early stages of the programme and
continues to operate as a management consultant in the NHS. He
declares other connections that link him with evidence submitted
by other groups. The NHS Numbers project that he claims to have
led in the mid-1990s installed a 1970s batch system that, whilst
improving the allocation of NHS numbers from manual processes
at the time, has significant drawbacks through the time taken
for batch processes to operate in the effective allocation of
NHS numbers when babies are born to ensure accurate identification.
The on-line Personal Demographic Service that provides a much
needed replacement for Mr Brookes' project under the Spine contract
will enable immediate access from over 7,000 locations with over
70,000 users to 50 million records to immediately allocate a NHS
number on-line and enable improved and accurate identification
of babies in the first hours and days when attention is needed
by multiple clinicians and midwives.
16.30 Mr Brookes maintains that Newham and Homerton hospitals
procured IT systems outside of NPfIT. This is because the contracts
were awarded in 2003 following a procurement that preceded NPfIT.
The Trust has since assigned their contracts to BT within NPfIT
and took disaster recovery and affordability issues into account
in coming to that decision. The Chief Executive of Homerton has
taken a leading role on the Programme Board of the London Programme
for IT as part of the National Programme which demonstrates evidence
of commitment that Mr Brookes overlooks. Similarly, Wirral hospital
initially investigated a separate procurement route but chose
to continue within NPfIT with a Cerner product. The same is true
of Bradford, Shires and University College London who decided
that NPfIT offered the greatest value.
16.31 The references to the detailed care record are
simply inaccurate. It has never been the intention to make a detailed
care record available nationally and evidence was submitted on
12 June 2007 to clarify the difference between the summary and
the detailed record. All published documentation refers to a summary
care record being made available at the point of need and this
will bring real benefits for patients requiring unscheduled care.
In contradiction with the allegation that this is too complicated
and unachievable, the summary care record is already live in the
early adopter sites in Bolton. The witness casts doubt on the
delivery of the Spine functionality. However, BT has delivered
the last 14 of 14 Spine releases on or ahead of time.
16.32 The allegations about the architecture and the
Spine being unable to cope are unfounded. The Spine has been sized
and tested to accommodate the needs of the NHS and the performance
in supporting over 350,000 registered users who have accessed
Spine records over 350 million times to date is regularly meeting
or exceeding service levels. The publication of the Message Implementation
Manual (MIM) to all suppliers working with NPfIT demonstrates
a robust approach to standards and architecture that enables on-line
interoperability between multiple systems that transfer patient
information for the benefit of the patient. This was not possible
with the NHS Number system that is lauded by this witness.
16.33 The references to a monopoly situation with suppliers
are also untrue. The replacement of ComMedica as a PACS supplier
for poor performance and the replacement of Accenture and IDX
demonstrate that there is a competitive marketplace. The inclusion
of existing system suppliers having achieved over 100 compliant
releases of software also bears testimony against this incorrect
16.34 This witness is in collaboration with the other
groups that have called for an independent review but have, as
yet, produced no evidence that would warrant such a review.
16.35 Ms Robins stated incorrectly (Q247) that Helen
Wilkinson has been denied registration with a doctor. The fact
is that Ms Wilkinson refuses to be registered with a doctor because
the consequence of registration is that a record is kept centrally
of that registration as a matter of law. Ms Wilkinson continues
to claim that she is being denied NHS care. Again, that is absolutely
not the case. Ms Wilkinson refuses to present for NHS care because
of the consequential record keeping that would result. The care
is there and available to her, but not on her terms. The architecture
of NHS IT and NHS business processes must respect the legal rights
of individuals, but it must also be as efficient and cost effective
as possible and cannot be tailored to provide individuals with
costly bespoke arrangements. Ms Wilkinson continues to pursue
her claim for financial compensation from the Department of Health
and the NHS and to actively campaign against the NHS IT modernisation
Department of Health
16 July 2007
Annex 1: System resilience and the likelihood of failure
Note: Detailed information about system performance and
resilience has been provided previously by the Department in a
note to the Committee. However, further information is provided
In evidence submitted by Prof Randell, he quotes a friend's
guesstimate that the NPfIT system would be likely to fail every
four days. This assertion is not supported by any evidence and
does not concur with the live service availability consistently
being demonstrated by the Programme's systems. Service availability
statistics are published weekly on the NHS Connecting for Health
It appears that Prof Randell is making the assumption that
the NPfIT is delivering a single computer system. The NPfIT in
fact consists of a large number of discrete computer systems or
"Services" built and delivered by many different suppliers.
Each Service interoperates with other NPfIT Services by utilising
mandated clinical coding and messaging standards with the common
objective of providing patient data at the point of need. Each
Service is built to satisfy a particular set of functional and
non-functional demands to support a particular clinical usage.
Each service is itself made up of a number of components,
eg, application software, hardware, network and storage. It is
inevitable that some of these components will fail, and, given
the scale of the NHS, failures can be expected to occur frequently, a
natural consequence of operating any large, complex, interconnected
system. The idea is thus to implement a system that minimises
the impact of failures, what is termed "resilience".
This was recognised by the NPfIT from the beginning and the solution
has therefore been architected and designed to be resilient to
component failures. There are two fundamental architectural approaches
that have been used to provide the required resilience:
(1) The component systems are loosely coupled, that is
to say a system should be able to continue operation even if it
cannot access the other services (for example, should the central
demographic service be unavailable, the hospital PAS will continue
(2) The component systems are delivered without single
points of failure, so, should a component fail, the system automatically
fails over to "spare" (backup) components.
The failover requirement is taken extremely seriously. As
an example, the BT data centre has three generators and sufficient
fuel to provide weeks of independent power, so, should there be
a power failure to the site, the dedicated generators can be deployed
to provide power. There are three generators so that should the
site be running off their power and maintenance is needed on a
generator, there is still a backup generator in case of failure.
And of course BT has two geographically separated data centres
both of which are equipped in this way should a catastrophic event
happen at one of them.
It is NHS Connecting for Health's preference to host centrally
as many services as is practical, because:
It is difficult to offer a resilient service on
locally owned and deployed infrastructures.
Hosted services offer increased resilience options
and controlled environments for backup and maintenance operations.
Hosted environments are easier to physically secure
and keep up-to-date with the latest security countermeasures.
It is much more cost effective to deliver centrally
hosted hardware resilience than equivalent resilience at multiple
NHS Connecting for Health does not own all of the services
deployed as part of the National Programme; so, for example,
external organisations transmitting electronic prescriptions do
so from their own networks, using their own infrastructure and
using NPfIT accredited software of their choice. As such, there
are many failure conditions outside of the direct control of the
Programme. However, every service that can be deployed within
the NPfIT goes through extensive clinical safety reviews and compliance
testing before it can be connected and utilised as part of the
Those services that are procured directly by the NPfIT are
typically operated by external suppliers in highly resilient data
centre environments which offer industry-leading levels of resiliency
and disaster recovery. This typically includes:
An Active/Active Primary Data Centre configuration
and a secondary data centre that is either an active (Spine) or
passive (London) replica of the Primary data centre:
There is Active/Active resilience built into the
Primary Data Centres, and, should a disaster occur, the backup
data centre is available to support the operations within the
availability requirements for the System (currently 99.999% at
the Spine, and 99.9% with improved performance objectives over
time in London [17])
Interrupted connections will resume according
to the agreed SLA.
Multiple network connections, so should one connection
be lost, another is available automatically.
Hardware redundancy at all levels:
Protects against disk and hardware failure
Redundant processing power is available should
a machine fail.
Zero data loss architectures:
Data is written simultaneously to the two Spine
data centres, thus ensuring that no patient data is lost (there
are effectively ten copies of each database across the two Spine
The Primary Data Centre at the London LSP shares
a Storage Area Network (SAN) across the Active/Active configuration,
and the SAN at the backup site is synchronously updated with the
End-to-end system monitoring against specific
Service level agreements:
Automatic real-time alerting occurs in case services
degrade or become unavailable for any reason.
Rigorous data security standards:
The System is designed, developed, tested and
operated according to BS7799-2 Security Standards.
The Data Centres are secured physically at a level
similar to Ministry of Defence systems (secure premises, guarded
and badge access control, etc.)
Patient data confidentiality is protected via
Role Based Access Control.
All authorised users are required to have Smart
Cards issued by a central Registration Authority for Single Sign-on
to the system via access rights granted through Spine Security
Availability, failover and recovery of each Service have
been designed to match clinical need. Dependencies between Services
have been clearly identified and consideration given to various
failure scenarios. Guidance has thus been given to all suppliers
regarding how to construct their applications to limit the impact
should a failure occur.
This decoupling approach is pervasive through all of the
NPfIT and supplier-proposed solutions are evaluated against this
as part of the NHS Connecting for Health assurance process. Such
decoupling allows Services to continue to offer a range of capabilities
regardless of whether a dependent service (eg, the National Summary
Record) is available. The NPfIT end-to-end architecture supports
the local queuing of messages for onward transmission to the failed
service when it becomes available.
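The loose coupling and local queuing described above can be sketched as follows. This is an added example, not code from NHS Connecting for Health or its suppliers; the class names, message shape, in-memory queue and patient references are assumptions made for illustration.

```python
"""Store-and-forward sketch: local work continues while a central service is down."""
from collections import deque
import itertools


class ServiceUnavailable(Exception):
    """Raised when the central service cannot be reached or does not acknowledge."""


class CentralService:
    """Hypothetical stand-in for a central service (not a real NPfIT interface)."""

    def __init__(self):
        self.available = True
        self.lose_next_ack = False   # simulate: message applied, acknowledgement lost
        self.received = []           # messages applied, in order of first receipt
        self._seen_ids = set()

    def deliver(self, msg_id, payload):
        if not self.available:
            raise ServiceUnavailable("central service unreachable")
        # Idempotent receipt: a retried message is acknowledged but not re-applied.
        if msg_id not in self._seen_ids:
            self._seen_ids.add(msg_id)
            self.received.append((msg_id, payload))
        if self.lose_next_ack:
            self.lose_next_ack = False
            raise ServiceUnavailable("acknowledgement lost in transit")


class LocalSystem:
    """Hypothetical local system that never blocks on the central service."""

    def __init__(self, central):
        self.central = central
        self.local_records = {}      # local operation is completed here first
        self.outbox = deque()        # assumption: a real queue would be persisted
        self._ids = itertools.count(1)

    def record_update(self, patient_ref, change):
        """Complete the local operation, queue the message, then try to forward."""
        self.local_records.setdefault(patient_ref, []).append(change)
        msg_id = next(self._ids)
        self.outbox.append((msg_id, {"patient_ref": patient_ref, "change": change}))
        self.flush()
        return msg_id

    def flush(self):
        """Send queued messages oldest first; stop at the first failure."""
        sent = 0
        while self.outbox:
            msg_id, payload = self.outbox[0]
            try:
                self.central.deliver(msg_id, payload)
            except ServiceUnavailable:
                break                # keep this and all later messages queued
            self.outbox.popleft()    # remove only after an acknowledged delivery
            sent += 1
        return sent


def run_demo():
    """Walk through an outage, a lost acknowledgement and recovery (constructed data)."""
    central = CentralService()
    local = LocalSystem(central)

    local.record_update("P-0001 (constructed)", "address changed")

    central.available = False        # outage: local work must still succeed
    local.record_update("P-0002 (constructed)", "GP practice changed")
    local.record_update("P-0001 (constructed)", "telephone changed")
    queued_during_outage = len(local.outbox)

    central.available = True
    central.lose_next_ack = True     # first retry is applied but not acknowledged
    sent_first_retry = local.flush()
    sent_second_retry = local.flush()

    return {
        "queued_during_outage": queued_during_outage,
        "sent_first_retry": sent_first_retry,
        "sent_second_retry": sent_second_retry,
        "received_ids": [msg_id for msg_id, _ in central.received],
        "local_changes": sum(len(v) for v in local.local_records.values()),
        "outbox_left": len(local.outbox),
    }


if __name__ == "__main__":
    print(run_demo())
```

The message identifier is what makes the retry safe: the sender cannot tell an unreachable service from a lost acknowledgement, so the receiver has to discard repeats rather than apply them twice.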
NHS Connecting for Health services currently deployed have
proven to be highly resilient in live service. But regardless
of this, NHS Connecting for Health continues to work with suppliers
and NHS Organisations to help maintain coordinated Business Continuity
Plans in the event of a catastrophic failure. Each plan is tailored
to which service could be affected and is highly specific to the
clinical function it supports and the way it is integrated within
a particular organisation's business and technical infrastructure.
All NHS Connecting for Health Services have been designed
with high availability, and SLAs and performance statistics are
made public. It is expected that the Trust Organisation will select
and deploy any NPfIT services that are appropriate and update
their Business Continuity Plan accordingly, based upon the Services
they use and the clinical usage for which they are employed.
Annex 2: Savings by Local NHS Organisations
||Mental Health Trusts
|University Hospital Birmingham Hospitals NHS Trust
||North Sheffield PCT
1. Cost of current level PAS: (over term)
Implementation costs for new system
Net saving to Trust by transfer to CfH Solution
|1. Cost of System renewal with no additional functionality: (over term)
Implementation cost for new system
Net saving to Trust by transfer to CfH Solution
|1. Cost of GP Implementations:|
Cost of operating existing contracts
Implementation cost for new system
Net saving to Trust of transfer to CfH Solution
||2. Cost of Trust Procurement: (over term)
Cost of local purchase of more sophisticated PAS Operating Costs
Net saving to Trust of CfH solution
|2. Cost of System renewal with additional functionality: (over term)
Implementation cost for new system
Net saving to Trust of transfer to
|Bradford and Airedale PCT
(Bradford City, North Bradford, Bradford West)
2. Estimated savings case study
Net Savings to Trusts over term
|Wirral Hospitals NHS Trust:
|3. Cost of NHS CRS Level 6 PAS etc procured independently of Programme (over term)
Implementation Costs (based on UHB Business Case)
Net saving to Trust by transfer to CfH solution
|SW Manchester Community PAS Project:|
3. Community PAS Projects:
Cost of operating existing contracts (Avg NHS stocktake)
Implementation cost for new system
Net saving to Trust of transfer to CfH Solution
||West Yorkshire Community
4. The Trust identified that it will cost £10k per practice to implement the NHS CRS solution. Savings to date have been in the region of £5k pa. The Trust will recover all implementation costs within two years of "Go Live".
|National Equivalent Value
||Net savings to NHS of implementing nationally procured NHS CRS Acute solution with additional functionality
(excludes local procurement costs)
|(£4.008bn)||Net cost of savings for Mental Health Trusts of implementing CfH procured solution
|1. Net savings to GPs
2. Net savings for PCTs implementations
3. Net saving for Community PAS implementation
Annex 3: NHS use of identifiable and non-identifiable
patient data for care and for secondary uses
1. The oral evidence provided by certain witnesses to
the Committee on the distinction between identifiable data and
non-identifiable data, how these may be used and shared, and how
they are protected in NHS Connecting for Health systems, was poorly
informed and at times misleading. This note aims to provide clarification.
2. Joint working between the Department of Health, the
General Medical Council, the British Medical Association, the
Information Commissioner and a range of patient groups, followed
by extensive formal consultation, resulted in the publication
of a confidentiality code of practice for the NHS in November
2003. This represented, for the first time, an agreed interpretation
of how confidentiality law, and key aspects of Data Protection
law, should apply in the NHS.
3. Clinical patient information is confidential and classed
as sensitive in the Data Protection Act 1998 when it is held in
a form that would enable the patient to be identified, as is the
case with clinical records. The Data Protection Act regulates
how this information is used, but does not prevent it being used
for legitimate NHS purposes. Confidentiality law goes further
and prevents information from being shared without consent except
in exceptional circumstances (statutory provisions, court orders
or significant public interest justification).
4. The confidentiality code of practice clarified the
circumstances where consent could be implied (opt-out) and those
where a stronger evidentiary basis (opt-in) was required. Essentially
implied consent was deemed appropriate for care purposes and work
to assure the quality of care provided, but not for secondary
uses of data, eg research and management.
5. Patient contact, or demographic, details are subject
to Data Protection Act provisions but are generally not confidential
and so do not require consent for processing. Exceptions exist
however and many people regard their address details as private,
so it is Department of Health policy to safeguard contact details
to the extent that NHS business requirements permit. NHS Connecting
for Health will also make available controls that prevent NHS
staff from viewing these details when a patient requests that
this be the case.
6. The Courts
have determined that when effective steps have been taken to prevent
the individual from being identified, the information is no longer
confidential and patient consent is no longer required. Where
the process used to anonymise the information is reversible, the
information, whilst exempt from consent requirements, may remain
subject to the Data Protection Act provisions - this has not
been tested in Court, but Department of Health policy is to accept
that this is the case. Where it is irreversibly anonymised it
is not subject to either consent requirements or the Data Protection
7. The NHS Connecting for Health Secondary Uses Service
is being introduced to make anonymised and pseudonymised data
available to appropriate users so that essential research and
other work can be conducted without breaching confidentiality
or privacy. Although information disclosed for secondary uses
in a pseudonymised or anonymised form cannot identify individuals
and doesn't require consent management controls, it is still subject
to a range of safeguards.
8. There is considerable evidence however, that some
purposes cannot be satisfied through use of anonymised information
and that it may not be practicable to gain consent for these purposes
either. In these cases, a statutory basis is required. A key statutory
provision in respect of research and other secondary uses of patient
data is Section 251 of the NHS Consolidation Act 2006 (previously
known as Section 60 of the Health and Social Care Act 2001) which
allows obligations of confidentiality to be set aside in limited
circumstances under the supervision of the statutory Patient Information
Advisory Group (PIAG). Key conditions for use of information under
these provisions are that it must be impracticable to gain consent
or to anonymise the information concerned.
9. Professor Korff suggested in his evidence that PIAG
is "quite easy about giving access" to data but it is
evident that the research community would not support this view.
In its January 2006 report on Personal data for public good: using
health information in medical research the Academy of Medical
Sciences stated that "Although admirable, this [PIAG's] approach
creates difficulties for research because PIAG has set a policy
direction that appears to ratchet up existing legal standards.
Rather than assess whether applications involve proportionate
interference in privacy, PIAG applies a stricter standard of absolute
and proven necessity."
10. The application of law, requirements for consent
and the safeguards that are being developed and deployed for data
held within the NHS Care Records Service and the Secondary Uses
Service are set out in table 1. This illustrates the strong safeguards
that are in place for all types of data.
Table 1 (to Annex 3)
|Non-clinical personal data
||Personal clinical data for care
||Personal clinical data for secondary uses
||Pseudonymised data for
|Anonymised data for secondary uses
|Confidentiality law applies?
|Data Protection Act applies?
||Yes||Yes - the legal position is unclear but accepted as a matter of policy
|Patient consent required for creating a record?
||No||No, but patients given choice around the Summary Care Record as a matter of policy
|Patient consent required for sharing?
||Yes, unless there is a statutory basis
|Implied consent sufficient?
|E-GIF level 3 registration of staff?
|E-GIF level 3 authentication of users via smartcard?
|Audit Trail of user actions?
|Audit Trail available to patients on request?
|Role Based Access Controls?
|Legitimate Relationship Access Controls?
|Patient dissent to information sharing recorded and acted upon?
|Sealed envelope prevents sharing of identifiable data?
|Locked envelope prevents sharing of any data?
|System alerts generated when users change their own access rights eg to break a seal?
|Patient may request that contact details are hidden from NHS staff?
Annex 4: Reply to Parliamentary Question given on 21 June
to Stephen O'Brien MP by the Department's then Minister of State,
21 Jun 2006 : Column 1946W
Caroline Flint: A list of names of all the organisations
and individuals that responded at one or other stage of the consultation
process around the national specification for integrated care
records service is not held centrally. Some of the responses were
provided by organisations which are no longer active.
The original "National Specification for Integrated
Care Records Service (Consultation Draft)" was issued in
July 2002 by the NHS Information Authority. Some 190 responses
to the document were received from suppliers, clinicians, chief
information officers (CIOs), information technology (IT) departments
of national health service bodies and others, commenting on such
aspects as architecture, functional omissions and the realisation
of benefits that such a system would produce. These comments were
included and formed the base document for the early draft of the
output based specification (OBS). This draft was then refined.
The clinical input was provided by almost three hundred individuals
and the IT community (IT managers and CIOs) numbered a further
one hundred. A broad spectrum of NHS stakeholders was then engaged
to review the draft OBS. The review group encompassed leading
clinicians, practitioners, policy advisors, health informaticians
and managers and included representatives from the Department,
the NHS Information Authority, strategic health authorities, NHS
trusts, primary care trusts, general practitioners, academic groups
and other Government Departments.
It is known that many of these people also sought input from
colleagues and we estimate that this cascade has resulted in many
thousands of individuals having had a material input to the content
and quality of the product.
A final list of 239 people was invited to review the OBS,
from which a total of 105 formal review documents were received.
From the 900 pages reviewed there were 1,175 comments of substance.
These comments resulted in a further refined version of the OBS
which was then distributed for any final comment. A response to
every individual comment was returned to the reviewer in question.
Reflecting a level of transparency unprecedented for major
projects within Government, the OBS was published to the public
domain in July 2003 and is available on the Department's website
at www.dh.gov.uk/PublicationsAndStatistics/.
In addition to many hundreds of internal meetings, there
were 44 meetings held by the clinicians from the national programme
with important stakeholders and stakeholder groups. These included
several chairs of the Royal Colleges, and presentations to many
hundreds of clinicians at various locations around the country.
Data on those consulted on ways of managing the confidentiality
of patient health information have been placed in the Library
[see list below].
23 meetings were carried out as part of the research phase
in addition to eight focus groups and 56 face-to-face interviews,
involving patients, researchers, suppliers, senior care service
managers, and NHS information governance professionals.
Association for Improvements in the Maternity Services (AIMS)
Aintree Hospitals NHS Trust
Airedale Primary Care Trust
Ashford & St Peters NHS Trust
Association of Community Health Councils for England &
Association of Directors of Social Services (ADSS)
Avon Gloucestershire & Wiltshire Health Authority
Avon Information Management & Technology Consortium
Barnet Enfield & Haringey Mental Health Trust
Barnsley Community Health Council
Barnsley District General Hospital NHS Trust
Barts & the London NHS Trust
Basildon & Thurrock General Hospitals NHS Trust
Bebington and West Wirral Primary Care Trust
Bed & Herts Local Medical Committee
Birkenhead and Wallasey Primary Care Trust
Birmingham Children's Hospital
Birmingham Heartlands Hospital
Black Country Mental Health NHS Trust
Blackpool Primary Care Trust
Blackpool Victoria Hospital
Bolton Asian Elders drop-in Centre
Brain and Spine Foundation
Brain Injury Rehabilitation Trust
Bridgend Local Health Group
Brighton & Sussex University Hospitals
British Medical Association (BMA)
British Paediatric Surveillance Unit
Bromsgrove & Redditch Community Health Council
Buckinghamshire Mental Health NHS Trust
BUPA Hospital Southampton
Burnley, Pendle & Rossendale Community Health Council
Burton Hospitals NHS Trust
Bury & Knowle Health Centre
Calderdale & Huddersfield NHS Trust
Cambridge Community Health Council
Cambridgeshire & Peterborough Mental Health Partnership
Canterbury & Thanet Community Health Council
Central Cornwall Primary Care Trust
Central Derby Primary Care Trust
Central Lancashire & Fylde Coast Hospital Information
Central Manchester and Manchester
Children's University Hospitals
Central North West London Mental Health Trust
Central Suffolk Primary Care Trust
Centre for Health Services Studies (CHSS)
Charlotte Keel Health Centre
Cheltenham General Hospital
Cherwell Vale Primary Care Trust
Cheshire Central Community Health Council
Chichester Community Health Council
Child & Family Service (Wellington)
Child Health Informatics Consortium
Children's Heart Foundation
Chorley & South Ribble Primary Care Trust
Christie Hospital NHS Trust
Churches Together in England
Citizens Advice Bureaux (CAB)
City & Hackney Community Health Council
Clinical Trials Service Unit
Colchester General Hospital
College for Health in London
College of Occupational Therapists
Commission for Healthcare Audit and Inspection (CHAI)
Communicable Disease Surveillance Centre
Community Health Council Pensioners' Forum
Conwy Federation of Community Health Council's
Cornwall Information Services
Countess of Chester Hospital NHS Trust
County Durham Health Authority
Coventry & Warwickshire NHS Trust
Coventry Community Council
Coventry Primary Care Trust
Darlington Memorial Hospital
Darlington Primary Care Trust
Department of Health (DH)
Derby City General Hospital
Derbyshire Royal Infirmary
Dewsbury District Community Health Council
District Hospital (Roehampton)
Doncaster Central Primary Care Trust
Doncaster Community Health Council
Doncaster Royal Infirmary
Dudley Beacon & Castle Primary Care Trust
Dudley Group of Hospitals
Dudley South Primary Care Trust
Durham & Chester-le-street Primary Care Trust
Durham Dales Primary Care Trust
Dyfed & Powys Health Authority
East Dorset Community Health Council
East Hertfordshire Community Health Council
East Kent Hospitals NHS Trust
East Kent Primary Care Trust
East Staffs Primary Care Trust
East Surrey Community Health Council
East Sussex Hospitals NHS Trust
East Yorkshire Community Health Council
Eastern Cheshire Primary Care Trust
Eastern Leicester Primary Care Trust
Federation of Irish Societies
Fellowship of Depressives Anonymous
Ferndown Primary Care Trust
Fertilization and Embryo Authority
Foundation of Information Policy Research (FIPR)
Frimley Children's Centre
Frimley Park Hospital NHS Trust
George Eliot Hospital NHS Trust
Gloucester Local Implementation Strategy
Gloucester Partnership NHS Trust
Gloucestershire Royal Hospital
Grantham and District Hospital
Great Ormond Street Hospital for Children NHS Trust
Greenwich Community Health Council
Gwent Community Health Council
Hampshire and Isle of Wight Strategic
Harrow Primary Care Trust
Health Data Protection Ltd
Heatherwood and Wexham Park Hospitals NHS Trust
Hertfordshire County Council
Hillingdon Hospital NHS Trust
Hillingdon Primary Care Trust
Hounslow Community Health Council
Hull Community Health Council
Humberstone Grange Clinic
IMECE Turkish Speaking Women's Group
Independent Complaints Advocacy Service
Independent Healthcare Association
Institute for Quality Assurance
Institute of Health Sciences
Intellect (UK system supplier trade body)
Ipswich Hospital NHS Trust
Island & Portsmouth Health ICT Service
Isle of Wight Healthcare NHS Trust
Islington Bangladeshi Association
Islington Community Health Council
Islington Health and Race Forum Group
Islington Primary Care Trust
Islington Zairean Refugee Group
Kennet and North Wiltshire Primary Care Trust
Kent and Medway Hospital Information Systems
Kettering General Hospital NHS Trust
Kidderminster Community Health Council
Kingston Hospital NHS Trust
Kokai Supplementary School
Leeds Community Health Council
Leeds North West Primary Care Trust
Leeds Teaching Hospitals NHS Trust
Leicester City West PCT - Child Health Services
Leicester General Hospital
Lincolnshire Shared Services
Liverpool Central & Southern Community Health Council
Liverpool Eastern Community Health Council
London School Hygiene and Tropical Medicine
Macclesfield District General Hospital
Manchester Mental Health and Social Care Trust
Manchester Royal Infirmary
Manor Gardens Advocacy Project
Medical Protection Society
Medical Research Council Consumer Liaison Group
Mendip Primary Care Trust
Mentis Management Consultants Ltd
Mid Downs Community Health Council
Mid Surrey Community Health Council
Mid Surrey Wheelchair Service
Milton Keynes Community Health Council
National Audit Governance
National Care Standards Commission
National Confidential Enquiry into Perioperative Deaths
National Council of Women
National Patient Safety Agency
National Pharmaceutical Association
National Programme for Information Technology (work stream
Newcastle General Hospital
NHS Information Authority
Nightingale Macmillan Unit
Health & Social Care Community of North & East Devon
(previously N&E Devon Health Authority)
North & Mid Hants Health Authority
North East Yorkshire & North Lincolnshire Strategic Health
North Manchester General Hospital
North Staffordshire Community Health Council
North Staffordshire Hospital Information Systems
North Staffordshire Hospital NHS Trust
North Tees & Hartlepool NHS Trust
North Tyneside Community Health Council
North Warwickshire Primary Care Trust
North West Lincolnshire Community Health Council
North West London Hospitals NHS Trust
North West London Strategic Health Authority
Northallerton & District Community Health Council
Northampton General Hospital NHS Trust
Northern General Hospital
Northrop Grumman Missions Systems
Norwich Primary Care Trust
Nottingham Acute Hospitals Partnership
Nottingham City Hospital NHS Trust
Nottingham Health Informatics Service
Nuffield Orthopaedic Centre NHS Trust
Nurses of British Computer Society
Oxford City Primary Care Trust
Oxford Radcliffe Hospital
Parkinsons Disease Society
Partnership with Older People
Peninsular Medical School
Pennine Acute Hospitals NHS Trust
Perinatal and Epidemiology, Oxford
Peterborough District Hospital
Pilot Patient Project Lewisham
Plymouth Primary Care Trust
Pontypridd & Rhonda NHS Trust
Portsmouth City Council Social Services
Portsmouth City Primary Care Trust
Prescription Pricing Authority (PPA)
Prison Health Department (DH)
Psychological Support Service
Public Health Laboratory Service
Queen Victoria Memorial Hospital
Queen's Hospital (Burton upon Trent)
Queens Park Medical Centre
Redbridge Assertive Outreach Team
Richmond & Twickenham Primary Care Trust
Robert Jones/Agnes Hunt Orthopaedic and District Hospital
Rotherham District General Hospital
Royal Albert Edward Infirmary
Royal Bournemouth Hospital
Royal College of Anaesthetists
Royal College of General Practitioners
Royal College of Paediatrics and Child Health
Royal College of Physicians
Royal College of Speech and Language Therapists
Royal College of Surgeons of Edinburgh
Royal College of Surgeons of England
Royal Devon & Exeter Health Care NHS Trust
Royal Free Hampstead NHS Trust
Royal Hallamshire Hospital
Royal Leamington Spa Rehabilitation Hospital
Royal Manchester Children's hospital
Royal National Institute for the Blind (RNID)
Royal National Orthopaedic Hospital NHS Trust
Royal Pharmaceutical Society
Royal Surrey County Hospital NHS Trust
Royal West Sussex NHS Trust
Royston, Buntingford & Bishops Stortford Primary Care
Salford Royal Hospitals NHS Trust
Salisbury Healthcare NHS Trust
Salters Meadow Health Centre
Sedgefield Primary Care Trust
Selby & York Primary Care Trust
Sexually Transmitted Disease Clinic
Sheffield South West Primary Care Trust
Sheffield Teaching Hospital NHS Trust
Sisters of St Joseph of Peave
Social and Community Services
Social Care Information Policy Unit
Society & College of Radiographers
Society of Chiropodists & Podiatrists
Somerset Coast Primary Care Trust
Somerset Local Medical Committee
Somerset Partnership NHS and Social Care Trust
Somerville Medical Centre
South Birmingham Mental Health Trust
South Brooks Community Health Council
South Bucks Community Health Council
South Devon Healthcare Trust
South Downs Health NHS Trust
South East Oxon Primary Care Trust
South Staffordshire Healthcare
South Tees Acute Hospitals
South Tees Community Health Council
South Tees Hospitals NHS Trust
South Tyneside Community Health Council
South Warwickshire Community Health Council
South West Dorset Primary Care Trust
South West Kent Primary Care Trust
South West Surrey Community Health Council
Southampton General Hospital
Southend Community Health Council
Southend Hospital NHS Trust
Southend Patients' Public Voice
Southern Derbyshire Acute Hospitals NHS Trust
Southern Derbyshire Community Health Council
Southport & Formby Community Health Council
Southport District General Hospital
Southward Primary Care Trust
St Bartholomew's Hospital
St Helens & Knowsley Community Health Council
St Helens & Knowsley Hospitals Trust
St James' University Hospital
Stafford General Hospital
Staffordshire Moorlands Primary Care Trust
Stockport Primary Care Trust
Stoke Mandeville Hospital NHS Trust
Sunderland Community Health Council
Sunderland Royal Hospital
Sunderland Teaching Primary Care Trust
Surrey Ambulance NHS Trust
Surrey Oaklands NHS Trust
Sutton & Merton Primary Care Trust
SW Surrey Community Health Council
Swindon & Marlborough NHS Trust
Tameside & Glossop Acute Trust
Tameside & Glossop Primary Care Trust
Taunton and Somerset Hospital
Taunton Deane Primary Care Trust
Teddington Memorial Hospital
Tees and North East Yorkshire NHS Trust
Telford & Wrekin Primary Care Trust
The British Polio Fellowship
The Hospice of St Francis
The Walton Centre for Neurology & Neurosurgery
Tower Hamlets Community Health Council
Trafford General Hospital
Tunbridge Wells Community Health Council
UK National Screening Committee
UK Newborn Screening programme Centre
United Bristol Healthcare NHS Trust
University College Hospital London
University Hospital Aintree
University Hospital of Hartlepool
University Hospitals of Coventry & Warwickshire NHS Trust
University Hospitals of Leicester
University of Central England
University of Leeds - School of Healthcare
Vale of Aylesbury Primary Care Trust
Wakefield West Primary Care Trust
Walsall Community Health Council
Walsall Primary Care Trust
Wandsworth Community Health Council
Wandsworth Contact a Family
Wandsworth Pilot Patients Forum
Warrington Community Health Council
Watch Tower (Jehovah's Witnesses)
Watercress Medical Centre
Watford & Three Rivers Primary Care Trust
Welsh Assembly Government
Wessex Local Medical Committee's
West Hertfordshire Hospitals NHS Trust
West Kent NHS & Social Care Trust
West Lancashire Primary Care Trust
West Lincolnshire Primary Care Trust
West London Mental Health NHS Trust
West Middlesex University Hospital
West Midland Strategic Health Authority
West Midlands Ambulance NHS Trust
West Midlands Perinatal Institute
West Suffolk Community Health Council
West Suffolk Hospitals NHS Trust
West Surrey Health Community
West Sussex Health and Social Care
Whittingdon Hospital NHS Trust
Winchester and Central Hampshire Community Health Council
Winchester and Eastleigh NHS Trust
Wolfson Institute of Preventive Medicine
Wolverhampton City Council
Worcestershire Mental Health Partnership NHS Trust
Worthing and Southlands NHS Trust
Wyre Forest Primary Care Trust
Annex 5: Patient safety benefits to be achieved from electronic
Key to understanding how the systems being developed by NHS
Connecting for Health can play a part in reducing adverse events,
particularly medication errors, is an appreciation of:
the scale of the problem,
the root causes of any avoidable errors,
the evidence supporting the role of IT in reducing
some of the root causes, and
an explanation of the new systems themselves.
Scale of the Problem:
There is evidence from international literature that medication
errors occur in all health care settings, with some errors occurring
repeatedly not just within one healthcare system, but across healthcare
systems worldwide. Whilst the UK evidence base is not as strong
as it is in other countries, particularly the United States, this
does not mean that the NHS in England is immune from this problem.
As such, the study by Charles Vincent et al is particularly
helpful in demonstrating the reality of this global phenomenon
within the context of the health service in England.
Whilst the authors do indeed state that "we can not
extrapolate with any precision" it is nevertheless the authors
themselves who do extrapolate the findings to the whole of the
NHS with the conclusion:
"Our findings strongly suggest that adverse events are
a serious problem in the NHS, as they are in the United States
and Australia. We estimate that around 5% of the 8.5 million patients
admitted to hospitals in England and Wales each year experience
preventable adverse events, leading to an additional three million
bed days. The total cost to the NHS of these adverse events in
extra beds days alone would be around £1billion a year".
Of course, this study only looks at adverse events occurring
within hospitals. It is important not to overlook adverse events
occurring outside the hospital setting. In this respect you may
be interested in another UK based study which looked specifically
into adverse drug reactions as a cause of hospital admission.
This study, published in the British Medical Journal in 2004
One in 16 hospital admissions are the result of
an adverse drug reaction (ADR) - 72% of which are avoidable.
This equates to 4% of hospital bed capacity.
At any one time the equivalent of 7 x 800 bed
hospitals are occupied by patients admitted with ADRs.
ADRs causing hospital admissions are responsible
for the death of 5,700 patients every year.
Cost to the NHS = £466 million.
Whilst neither of these studies is without its limitations,
they nevertheless are extremely important in helping to quantify
the scale of the actual problem we face, and indeed are facing
up to in England. Academic studies such as these do not become
irrelevant just because they were conducted a number of years
ago or because the situation may have improved since the study
was conducted. Having acknowledged the scale of the problem, our
focus now is on tackling the root causes of avoidable patient
safety incidents rather than simply engaging in further studies
to re-confirm that there is indeed a problem.
Although patient safety incidents are diverse in nature,
a study carried out by National Audit Office in 2003-04 and reported
in "A Safer Place for Patients"
revealed that the most common patient safety incidents in hospitals
after patient falls related to medication errors, record documentation
error and communication failure.
This is supported by the Audit Commission in their report
"A Spoonful of Sugar"
which made the following conclusions:
Complications arising from medicines treatment
are the most common cause of adverse events in hospital patients.
Errors may occur from the initial decision to
prescribe to the final administration of the medicine, and these
include choice of the wrong medicine, dose, route, form, and frequency.
Most errors are caused by the prescriber not having
immediate access to accurate information about either the medicine
(its indications, contraindications, interactions, therapeutic
dose, or side effects); or the patient (allergies, other medical
conditions, or the latest laboratory results).
Hand-written prescriptions or patients' notes
also contribute to errors as they may be illegible, incomplete,
subject to transcription errors or make use of inappropriate shorthand.
Prescription sheets themselves may also be temporarily
unavailable or lost.
Safe, effective clinical care also depends on reliable, error-free
communication between different providers of care. Communication
breakdowns between healthcare providers are a common feature in
episodes of avoidable patient harm. This was highlighted in the
Department of Health publication "Building a Safer NHS
for Patients: Improving Medication Safety":
"Effective communications are critically important when
patients move from one care setting to another; many medication
errors occur at such `handover points'. Serious errors have occurred
because of poor communication between primary and secondary care.
Accurate information about current treatment is essential when
patients are admitted to hospital to enable an accurate clinical
assessment and to plan future treatment. And on discharge, the
patient's drug regimen and treatment plan need to be communicated
in a timely and reliable way to ensure safe and seamless transfer
of care back to the primary care team".
Information Technology & Patient Safety - The Evidence
Research sources provide ample evidence that information
technology can improve patient safety through eliminating many
of the root causes described above. The enclosure to this Annex
provides a summary of just some of the available evidence. NHS
Connecting for Health has taken account of this research evidence
in framing the scope of the Programme to ensure the delivery of
better care and improved safety for patients.
National Programme for IT in the NHS - Supporting Patient Safety
The following is a brief explanation of how some of the elements
of the overall NHS Care Record Service will contribute to reducing
incidents of patient harm. In places this includes data obtained
from the National Patient Safety Agency's National Reporting
& Learning System (NRLS) to help highlight the potential patient
safety benefits. However, it should be noted that whilst the reporting
of patient safety incidents to the NRLS is becoming more established
practice, and is now a core standard the NHS is expected to adhere
to, the figures are still likely to underestimate the full scale
of such patient safety incidents.
Personal Demographics Service - Right Patient, Right Care:
Use of the NHS number as the unique identifier in all healthcare
interactions in England will, when fully achieved, make a major
contribution to patient safety.
Currently, an individual patient has different identifying
numbers in different NHS organisations and sometimes even within
the same NHS organisation.
The dangers of this are well illustrated by information extracted
from the NRLS which shows that between November 2003 and May 2006
there were 600 patient safety incidents reported which related
directly to patients' identifying numbers. Furthermore, the NRLS
also reveals that between January 2006 and December 2006 alone
there were 7,984 patient safety incidents reported where the incident
type was "Patient Incorrectly Identified".
In this respect, the Personal Demographic Service (PDS), which
allows authorised NHS health and social care practitioners accurately
and efficiently to trace patients against the patient's most up
to date demographic details, thus identifying the patient's unique
NHS number, will make a key contribution to patients' safety benefits.
PDS underpins all current and future NHS Connecting for Health
products and, with approximately 50 million demographic records
for everyone in England stored on the database, it is already
supporting the delivery of the Choose and Book Service (potentially
benefiting over 45 million patients with in excess of 17,500 bookings
daily) and the Electronic Prescription Service (potentially benefiting
about 15 million patients with in excess of 185,000 prescription
The PDS is of course central to realising the ultimate goal
of delivering high quality and safe care across different health
care organisations through the NHS Care Record Service. But even
now, over 1.5 million patient records are successfully retrieved
from the PDS every day, helping to correctly identify patients.
NHS Summary Care Record:
The Summary Care Record (SCR) forms the national element
of the NHS Care Record Service and will provide authorised health
care professionals with access to key clinical information about
a patient anywhere, at any time.
The record will grow over time but will go live from this
year under the Early Adopter Programme before moving to full national
roll out. In the initial stages, the record (subject to patient
consent) will contain the following information held on the GPs
Known adverse reactions
Medications - acute prescriptions in past
6 months and repeat prescriptions in past 18 months
Significant diagnoses and problems (+ any other
significant issues, treatments, operative procedures etc)
This information was provided as part of the HSC oral evidence
session on 26 April 2007.
Future phases of the SCR will see it hooking up with the
Electronic Prescription Service to provide a richer view of medications,
and the Choose and Book service to provide referral information
as well as capturing information from secondary care such as discharge
information, outpatient letters and emergency care reports.
The importance of having access to this basic patient information
is highlighted by the following information obtained from the
NRLS (England only) between January and December 2006:
1,678 reported patient safety incidents where
the patient was allergic to the treatment given.
916 patient safety incidents where the patient
suffered an adverse drug reaction (when the drug was used as intended).
1,147 reported patient safety incidents where
the treatment given was contraindicated in relation to drugs or
821 patient safety incidents reported where the
primary cause given for the incident was "missing / inadequate
/ illegible referral letter".
28,875 patient safety incidents reported relating
to "documentation" eg missing / illegible / misfiled
(See footnote for specific search filters)
Electronic Prescription Service (EPS):
With around 1.3 million prescriptions now being issued every
working day in England, and this figure expected to rise by 5%
each year, the development of the EPS (which replaces a paper
based system with an electronic one which is more efficient and
consistently accurate) is absolutely critical to providing health
care professionals with up to date and accurate information about
the range of medications a patient might be taking at any point
In a study of older people at the University Hospital of
North Durham, a structured review of patients' medication was
conducted after admission. An average of almost one drug per patient
was found to be inappropriate and stopped and an average of approximately
one drug per two patients was started following identification
of omissions in the drug history.
The importance of having up to date medication information
for older patients is further illustrated as follows:
As people get older, their use of medication tends
to increase. Four in five people over 75 take at least one prescribed
medicine, with 36% taking four or more medicines.
Adverse reactions are implicated in 5%-17% of
hospital admissions for older people.
While in hospital, 6%-17% of older inpatients
experience adverse drug reactions.
Older people who are taking four or more medicines
have increased risk of suffering an adverse reaction to a medicine
and being readmitted to hospital as a result.
The EPS has been designed to provide medication data to the
NHS Care Record. The NHS Care Record, populated by data from the
EPS will, over time, provide a single, authoritative point of
reference for the medication a patient has been prescribed and
dispensed and has the potential to lead to a significant reduction
in medication errors caused by a lack of instantly available medication
Already, over 4,825 pharmacies and 5,778 GP practices have
EPS technology benefiting a potential 9.1 million patients. To
date, over 26.5 million prescription messages have been issued
electronically, with the weekly count exceeding 900,0000.
Details of the status of Pharmacy Systems Suppliers can be
found on the NHS CFH web site at
Whereas the patient safety benefits of the Electronic Prescription
Service lie principally in providing clinicians with up to date
information about a patient's medications through links to the
NHS Care Record, the benefits of e-Prescribing systems lie in
reducing actual prescribing errors and administration errors often
associated with prescribing.
A study into
the incidence of adverse drug events and potential adverse drug
events reviewed 4,031 patient records and found an incidence of
6.5% actual and 5.5% potential errors. Of these:
56% related to errors at the ordering stage
34% related to administrative errors
6% were transcription errors
4% were dispensing errors
The Agency for Health Care Policy and Research (USA) published
a research in action paper claiming that computerised medication
order entry (also known as e-Prescribing systems) has the potential
to prevent an estimated 84% of dose, frequency and route errors
in prescribing. This report cites numerous other research studies,
which claim safety benefits from computerised medication order
entry systems or e-prescribing systems.
NHS Connecting for Health is providing the functional specification
to be incorporated into the local detailed record solutions being
developed by the Local Service Providers and will allow for:
Computerised entry and management of prescriptions.
Decision support, aiding the choice of medicine
and other therapies, with alerts covering, for example, drug interactions,
contra-indications, allergic reactions and other safety-related
Knowledge support, giving users immediate access
to up-to-date drug information such as the British National Formulary.
Electronic links between hospital wards/departments
A robust audit trail for the entire medicines
E-Prescribing systems will be underpinned by the Dictionary
of Medicines and Devices (dm+d), a dictionary containing agreed
unique identifiers and associated textual descriptions for medicines
and medical devices. The dm+d will help make e-Prescribing systems
interoperable with other NHS IT systems, enabling safe and reliable
exchanges of information on medicines and devices and effective
decision support through linkages of data.
Of course, others of the many products and initiatives being
developed and deployed by NHS Connecting for Health will also
contribute to improving patient safety.
Enclosure to Annex 5
Bates and Gawande 2003. The conclusions of the work by Bates
et al. report the following benefits:
Information technology can substantially improve
the safety of medical care by structuring actions, catching errors,
and bringing evidence-based, patient-centred decision support
to the point of care to allow necessary customisation.
The use of decision support for clinical decisions
can also result in major reductions in the rate of complications
associated with antibiotics, and can decrease costs and the rate
of nosocomial infections.
53%-83% reduction in serious medication errors.
Bates, D W and Gawande, A A, Improving Safety with Information
Technology. New England Journal of Medicine 2003, 348:2526-34
The Agency for Health Care Policy and Research (USA) published
a research in action paper claiming that computerised medication
order entry has the potential to prevent an estimated 84% of dose,
frequency and route errors. This report cites numerous other research
studies, which claim safety benefits from computerised medication
order entry systems.
Reducing and Preventing Adverse Drug Events to Decrease
Hospital Costs. Research in Action, Issue 1. AHRQ Publication
Number 01-0020, March 2001. Agency for Healthcare Research and
Quality, Rockville, MD.
The LEAPFROG Group for patient safety Rewarding Higher Standards
(USA) quotes the following examples of safety benefits from physician
order entry systems:
(i) A study by David Bates, MD, Chief of General Medicine
at Boston's Brigham and Women's Hospital, demonstrated that their
Computer Physician Order Entry (CPOE) system reduced error rates
by 55% from 10.7 to 4.9 per 1,000 patient days.
Bates DW, Leape LL, Cullen DJ, Laird N, et al. Effect
of computerized physician order entry and team intervention on
prevention of serious medication errors. JAMA. 1998;280:1311-6.
(ii) Rates of serious medication errors fell by 86% in
a subsequent study by the same group. The prevention of errors
was attributed to the CPOE system's structured orders and medication
Bates DW, Teich JM, Lee J, Seger D, Kuperman GJ, Ma'Luf N,
Boyle D, Leape L. The impact of computerized physician order
entry on medication error prevention. JAMIA. 1999;6:313-21.
(iii) John Birkmeyer, MD, a surgeon and health services
researcher at Dartmouth Medical School, estimates that implementation
of CPOE systems at all non-rural US hospitals could prevent over
500,000 serious medication errors each year.
Birkmeyer JD, Birkmeyer CM, Wennberg DE, Young MP. Leapfrog
safety standards: potential benefits of universal adoption.
The Leapfrog Group. Washington DC: 2000
E-prescribing report prepared by First Consulting Group for
California Healthcare Foundation claims patient safety benefits
from e-prescribing and references a Movement championed by the
Institute for Safe Medication Practices, calling for the universal
adoption of e-prescribing and the abandonment of hand written
prescriptions by 2004, for the improvement of prescribing safety.
Kilbridge Peter, MDE & Gladysheva Katy, First Consulting
Group, E-Prescribing prepared for California Healthcare Foundation
A report on the prevention of medical errors by First Consulting
asserts that it is through understanding and altering the processes
by which complex systems operate that quality is best achieved
and improved. Healthcare quality requires, perhaps more than anything
does, access to reliable information at the point of medical decision-making.
As such, the provision of clinical care is an information-dependent
Two principal kinds of information management support care
quality. The first is collection of and access to real-time clinical
data at the point of care. What did this patient's X-ray reveal?
What medications is she receiving? Access to point-of-care information
assists the clinician in treating the patient "here and now."
A second kind of information is aggregate data on populations
of patients. This data can be retrospectively examined to identify
practice patterns, incidence of disease or complications, and
the like. It can also be used to target specific practitioner
behaviours for improvement.
Both types of information management are required as part
of any coherent strategy to measure and improve the quality of
healthcare delivered. Implementing evidence-based medicine in
a healthcare delivery organization requires a substantial investment
in rethinking and fine-tuning clinical processes across the continuum
of care. Moreover, creating more reliable and effective clinical
processes and practices necessitates introducing information technology
into the hands of physicians and other caregivers.
Classen D and Kilbridge P. Health quality and the
prevention of medical errors, First Consulting Group June
Smart tags and packaging are already saving lives, preventing
illnesses and sharply reducing costs in healthcare. The Protti
World Review Report 14 cites examples of radio frequency identification
technology and its benefits in healthcare.
Radio-frequency identification: Its potential in Healthcare.
Health Devices 34(5), May 2005:149-60 (no Authors listed)
Right patient, right blood - new advice for safer transfusions: NHS
Connecting for Health has supported the National Patient Safety
Agency in the development of new measures to improve the safety
of blood transfusions, including photo ID cards and electronic
tracking systems for patients and blood.
Protti World View Report 8 is the first of two reports providing
an overview of clinical information technologies that are helping
to save lives and improve the quality of life for patients. This
report includes references to the benefits of Picture Archiving
and Communications Systems (PACS) such as improved speed and accuracy
Protti World View Report 3 shows how the value of computers
in healthcare can be about improving decision-making. This report
includes references to the benefits of computerised electronic
patient record systems. It suggests that electronic systems enable
physicians and nurses to make better, quicker decisions with the
aid of on-line access to evidence-based results, assistance in
placing orders, detecting drug interactions, and receiving alerts
after abnormal test results. This delivers more efficiency with
Protti World View Report 2 specifically focuses on how the
use of computers in healthcare can reduce errors, improve patient
safety and enhance the quality of care. Incomplete information
in records and the difficulty that clinicians have in keeping
up with the rapidly growing clinical evidence base are significant
problems that can be mediated by IT. The US Institute of Medicine Quality
Chasm report 2001 is quoted: "The current care systems cannot
do the job. Trying harder will not work. If we want safer, higher-quality
care, we will need to have redesigned systems of care, including
the use of IT to support clinical and administrative processes."
The Audit Commission report "A Spoonful of Sugar - medicines
management in NHS hospitals - 2001" reported that:
Electronic prescribing reduces medicine errors
significantly by providing timely, legible information. One study
concluded that improved information systems could contribute to
the prevention of 78% of transcription errors leading to adverse
Computerised systems containing rules to prevent
incorrect or inappropriate prescribing have also reduced the incidence
of errors and increased the appropriateness of medicine treatment.
Computerised prescribing linked with electronic
health records will radically alter the way in which care is provided
and will deliver significant improvements in the quality of patient
care (Ref. 86). The introduction of these systems, which ultimately
need to be accessible by primary care and other hospitals, is
vital to provide access to common clinical data. It is one of
the biggest challenges currently facing the NHS.
Annex 6: NHS existing systems suppliers that have obtained
work under the National Programme
Existing Systems Compliance Programme (Technical Authority
to Deploy at 13 June 2007).
Patient Administration Systems
C&Bv1            IMS Maxims BLKHEARTS
C&Bv1            York Trust ICE/In house PAS
C&Bv1            Ascribe (HEIS) eCamis
C&Bv1            IMS Maxims Hammersmith
C&Bv2            ATOS Origin SemaHelix
C&Bv2            Royal Marsden Anglia/In house
C&Bv2            Royal Devon&Exeter SWIFT
C&Bv2            UCLH (GE Healthcare)
Community Pharmacy Systems
ETPv1            Hadley Healthcare Eclipse (Local/FDB)
ETPv1            Cegedim Pharmacy Manager
ETPv1            -System Sol QicScript
ETPv1            Positive Solutions PSL ETP
ETPv1            RX System Proscript
ETPv1            Boots Smartscript EPS
ETPv1            Hadley Healthcare Eclipse (Local/HHPD)
ETPv1            Cegedim Central Message Broker
General Practice Systems
ETPv1            The Phoenix Partnership SystmOne
C&Bv1            The Phoenix Partnership SystmOne
C&Bv1            Microtest Evolution Practice Manager
ETPv1            Microtest Practice Manager
Independent Sector Treatment Centre
C&Bv2            iQ System Serv iQUTopia
C&Bv2            Streets Heaver Compucare
QMAS & RFA (Level 0 GPSoC)
QMAS v7          Ascribe Protechnic Exeter
QMAS v7          The Computer Room
QMAS v7          The Phoenix Partnership
QMAS v8.5 (R10)  Microtest
QMAS v8.5 (R10)  The Phoenix Partnership
QMAS v8.5 (R10)  Healthy Systems
QMAS v8.5 (R10)  InPS Vision 4
QMAS v8.5 (R10)  In Practice
QMAS v8.5 (R10)  Ascribe Protechnic Exeter
QMAS v8.5 (R10)  iSOFT Synergy Enterprise
QMAS v9          Ascribe Protechnic Exeter
QMAS v9          The Phoenix Partnership
Secondary User Service
Summary Care Record
Annex 7: LSPs provided the following examples of their
experience in delivering systems and services as those required
under the National Programme
Fujitsu: Usha Mullapudi Cardiac Centre (UMCC), Hyderabad
Implementation of a Hospital Management System to a 150-bed
cardiac hospital equipped with four operating theatres, three
catheterisation labs, a blood bank, a modern pathology lab, a
spiral CT scanner and a pharmacy unit.
The EPR maintained the overall patient medical history including
past and present clinical findings, treatment details, medication
details and progress notes. In-patient EPRs contained chart monitoring,
test results, ward movement, discharge summary and visit details.
The workflows generated by patient activities were mapped to modules
for different hospital departments and functions: Reception; Wards;
Billing; Pharmacy; Laboratory; Operation Theatre; Blood Bank;
Electronic Patient Records; Financial; Accounting and Payroll;
Stores; Duty Roster; Security and Administration; House Keeping
and Laundry; Diet and Kitchen; Equipment Interface; Fixed Assets
and Pathology Lab.
Fujitsu: The Southern Derbyshire Acute Hospitals NHS Trust
Development of a Trust Workforce Plan making effective use
of information technology, suitable for internal and external
purposes, to be integrated with service and financial planning
and able to accommodate future changes.
The Trust has a total of 1,147 beds across 44 wards and serves
a population of over half a million people through Southern Derbyshire.
The Trust employs approximately 5,500 staff from medical and nursing
staff to ancillary staff within an annual budget of around £200
Accenture: Andalusian Health Care Service, Spain
Design, build and run of a System and Technology Management
centre serving the region and the management of the infrastructure
to support "smart card" based electronic patient records
as part of an ambitious modernization programme. The Andalusian
Healthcare service is the largest public healthcare service in
Spain with 75,000 employees including 14,000 physicians serving
7.3 million citizens. It has a complex health network made of
32 hospitals, 1300 primary health centres and over 100 specialized
In November 1997 Accenture won a public offering to carry
out the project, which consisted of building an Information Technology
Management Centre in six months. This centre would assume the
management of the health centres environment for the next three
years, starting as of July 1st 1998.
Accenture: The Milwaukee County Medical Centre
The Milwaukee County Medical Centre is a 450-bed acute care
hospital with a Level 1 trauma centre for the region. Its integrated
delivery system includes 30 outpatient clinics, an eye institute
and links to the Medical College of Wisconsin, Curative Rehab
Hospital and Milwaukee County Behavioural Health Facility, a 600-bed
psych, alcohol and drug treatment facility.
Accenture served as the total outsourcing provider (all IT
functions, including computer operations, technical services,
help desk, WAN / LAN, desktop support and applications support,
and all strategic planning, budgeting, etc.) since 1991. In 1996,
the County sold the acute care facility. From 1996 to present,
Accenture has provided Applications Management services to the
remaining County-owned facility, Behavioural Health.
CSC: 40 Danish Counties
CSC Scandihealth is the largest supplier of healthcare IT
software and services in Denmark and Scandinavia and the leading
provider of electronic patient records systems to Danish hospitals.
CSC: St Vincent's Catholic Medical Center, New York
The St. Vincent's Catholic Medical Centers (SVCMC) comprises
seven facilities including acute centres and ambulatory clinics.
In 2001, CSC was awarded two contracts within the health
system. The first outsourcing contract calls for supplying all
aspects of the IT management for the duration of five years; the
second calls for creation of an integrated software and hardware
platform for the Patient Management, Patient Accounting, Hospital
Procurement and Accounting functions.
CSC: Children's Hospital Los Angeles (CHLA)
Management of business and clinical information systems,
including mainframe and midrange computers, desktop computers,
helpdesk operations, voice and data communications, and applications
maintenance and development.
BT: NHS Information Authority, NHSNet Broadband Upgrade
BT is delivering 256Kbps NHS Net upgrades to 6,536 GP surgeries.
BT is delivering 2Mbps NHS Net upgrades to 223 Hospitals.
BT is providing the intensive programme management to upgrade
30 GP sites per day.
The upgrade process takes 40 days, therefore BT is concurrently
managing delivery to 1,200 sites at any one time.
Contract value is in the region of £168 million, with
rollout having commenced in December 2002. BT is currently rolling
out 600 sites per month, and committed to complete by March 2004.
BT: Salford & Trafford Health Authority
This health authority serves around one million patients.
It includes 113 GP practices, two major hospitals and a community
BT partnered with the customer to assess current levels of
equipment at its 113 sites and then developed an appropriate and
cost-effective solution, which would meet the individual needs
of the GP Primary Care Groups.
BT implemented reliable electronic communication between
all GP practices through a standard communications network.
BT delivered, trained and supported 250 desktop PCs (and
84 network connected printers), with access to BT managed email
services and web browsing of the NHSnet and Internet, for users
at GP practices.
BT ensured that all existing GP System software (from the
3 clinical application suppliers) could be used on the desktop
BT provides end-to-end service ownership, helpdesk and Service
Level Guarantees for the end-to-end service.
BT remotely accesses PCs to ensure maximum availability,
optimum problem fix time and software downloads.
Walsall Hospitals NHS Trust is responsible for the Manor
Hospital - a 600-bed full acute hospital with A&E, maternity,
dermatology, oncology, etc - and the nearby 120-bed non-surgical
BT was prime contractor for the delivery of the Clinical
Image Management Service 2000-01. The initial scope was for PACS
storage for new CR in A&E Imaging. This included diagnostic
and referential workstations for the Imaging and A&E Department,
with potential to have web referential views across the extended
CSC's EMEA public sector business was initially focused in
the Nordic region, where CSC acquired Datacentralen, a state-owned
IT service firm, and Scandinavian Healthcare Informatics.
The Scandihealth business (which, with 300 professionals, provides
healthcare solutions to 70% of hospital beds in Denmark) was the
starting point of CSC growth in healthcare in Europe. Nowadays
the portfolio includes the full range of system integration, application
development, consulting and operations management services, as
well as vertical specific solutions, such as hospital information
systems, laboratory systems and home care systems based on various
partner platforms; for instance Oracle HTB is the key development
and integration platform used in Denmark and CSC intends to leverage
it in other countries too (eg Norway, Sweden, and Italy).
National Switch Point (LSP) for the Dutch healthcare sector
The National Switching Point enables healthcare players throughout
the country to exchange patient information in a fast and safe
way. With this initiative, CSC has built the foundations for the
countrywide roll-out of a reliable Electronic Patient Record.
The LSP is at the heart of the National Information Infrastructure
(called Aorta) for the healthcare sector and enables parties in
the sector to exchange patient information safely and quickly.
This `mission critical control' handles the access to patient
information. Through the LSP, healthcare providers can ask for
up-to-date patient information from systems of other hospitals,
pharmacies and general practitioners.
CSC's Healthcare Experience outside the NHS NPfIT contract
The Department of Health's aim is to improve the health and
wellbeing of the people of England. Its work includes setting
national standards and shaping the direction of the NHS and social
care services, and promoting healthier living. Health and social
care services are delivered through the NHS, local authorities,
arm's length bodies and other public and private sector organisations.
In 2002 CSC was awarded a seven-year IT outsourcing contract.
The contract has since been extended for a further two years;
the agreement will now run until 2011 and now includes an innovative
new Managed Print Service. CSC's service to DH comprises provision
of a full infrastructure outsource, a number of areas of application
support and development, as well as targeted consultancy provision.
CSC and the Department have created an IT partnership which
will support and enhance the Department of Health's information
and communications investments. Since the beginning of the relationship
CSC has been involved in many projects to deliver new and improved
services to the Department of Health; examples range from technology
refresh programmes, to provision of flexible hosting services
and innovative managed service solutions.
First Report of the Steering Group on Health Services Information
(The Korner Report), HMSO, London.
Pirmohamed, M. et al: Adverse drug reactions as a cause
of admission to hospital: prospective analysis of 18,820 patients:
BMJ 2004; 329: 15-19.
99.9% availability equates to approximately 45 minutes of outage
per month for the System.
R v Department of Health, ex parte Source Informatics
Pirmohamed, M. et al: Adverse drug reactions as a cause
of admission to hospital: prospective analysis of 18,820 patients:
BMJ 2004; 329: 15-19.
A Safer Place for Patients: National Audit Office, HC 456
Session 2005-06.
A Spoonful of Sugar: medicine management in NHS hospitals:
Audit Commission 2001.
Building a Safer NHS for Patients: Improving Medication Safety - Department
of Health 2004.
NRLS Search Filters = "Documentation- no access to"
+ "Documentation- missing / inadequate / illegible referral
letter or healthcare record / card" + "Documentation-
delay in obtaining healthcare record / card" + "Documentation-
Building a Safer NHS for Patients: Improving Medication Safety - Department
of Health 2004.
A Spoonful of Sugar: medicine management in NHS hospitals:
Audit Commission 2001.
Bates DW, Cullen DJ, Laird N, Petersen LA, Small SD, Servi D,
et al. Incidence of adverse drug events and potential
adverse drug events. JAMA 1995; 274: 29-34.
Reducing and Preventing Adverse Drug Events to Decrease Hospital
Costs. Research in Action, Issue 1. AHRQ Publication Number
01-0020, March 2001. Agency for Healthcare Research and Quality,
Rockville, MD. http://www.ahrq.gov/qual/aderia/aderia.htm