Embed Size (px)
Citation preview
Security and Confidentiality in Integrated Care Records
Peter Singleton
Senior Associate, Judge Institute
Research Fellow, UCL
The Goal: Integrating care between agencies
Gain operational efficiencies (lower costs)• Minimise replication of data entry and data
storage (& better validation?)• Share development costs across agenciesImprove quality of service• Avoid clients slipping through cracks (e.g.
Victoria Climbié)• Better management of process & resourcesGive better/faster service to client• Support process redesign,
improvement in care pathways
Moving from paper to computer
• Accessibility– Audit Commission (1996) – 35% of hospital records missing– Multi-location, easily reproduced – security?
• Accuracy/reliability– 19% of GP records have errors (ERDIP 2002)– Active validation and cross-checking– Issues of context and local practice
• Consistency– Elimination of duplicates– Problems of ‘ownership’
• Confidentiality– All data may be available – how to protect?– How can patients choose to ‘hide’ data?
Moving from silos of care to integrated care
• Currently individual actors (hospital clinician, GP, Social worker) passing messages (referral letters)
• Industrial model: master craftsman – guilds and professional silos
• Trying integrated teams and joint working• We need integrated processes across teams
and organisations – this is the change ICRS can offer if done properly
Building Quality into the system
• Early feedback to minimise errors– Decision-support systems: pertinent information
and quality checks
• New systems to support new ways of working– Automating current practice is not enough– Need to focus on patient experience– Have planned pathway which is clear to all
(including patient/client)
• Quality will bring effectiveness and efficiency gains
Information Governance
• HORUS model:– Holding/Obtaining/Recording/Using/Sharing
• Integrating Initiatives:– Caldicott/Confidentiality Code of Practice– Data Protection/Freedom of Information– Data Quality/Controls Assurance– Records Management– Information Security
• Missing ‘Stewardship’
Issues to consider
• Sharing between NHS agencies• Sharing with Social Services• Sharing with other agencies• Public Expectations• Managing consent• Effective security• Accessing real data• Implementation
Sharing between NHS agencies
• Barriers– Concerns over legal position– Inconsistent use of NHS Number– Different coding systems– Supporting consent/dissent
• Drivers– PCTs & StHAs– National Programme (NPfIT)– Waiting Times/eBooking
Sharing with Social Services
• Barriers– [Lack of] concern over legal position– Identifiers: use of NHS Number?– Different domains - coding systems– Supporting consent/dissent for different purposes
• Drivers– Shared Services/ SAP requirements– National Programme (NPfIT)– Waiting Times/Bed-blocking
Sharing with other agencies
• Education, Police, Home Office
• Supporting immigrants
• Managing poverty/health/crime
Public Expectations
• What do the public currently think happens?– Generally assume records are shared, and
surprised that they are not– Do not realise that most GP Receptionists can see
their records
• What do we tell the public so that they know what to expect?
• How do we need to change so that they have a reasonable chance of knowing?
• Do they have a choice? What can/could/ should they choose?
Managing consent
• How much informing?
• When/how to inform?
• How much consent? Opt-in vs. opt-out
• Children/Cognitively impaired/elderly/ seriously injured?
• Consent to what? Direct care/planning/ clinical audit/ financial audit/ research?
Effective Security
• There is no 100% security – focus on weakest areas first
• Involve users otherwise they will defeat the system (or worse not adopt it!)
• Be proportionate• Monitor and improve rather than
seeking illusion of 100% safety• Remember we are seeking to improve
healthcare!
Accessing real data
• Research Ethics Committees
• Other bodies: SCAG & PIAG
• Data-sharing agreements
• Respecting restrictions
• Minimum data usage
Implementation
• Clear process for change (NPfIT not clear at present)• Clear information for public on how data will be used• Mechanism to support choice• Design for flexibility• Do not underestimate need for culture change –
people need to recognise need for change and embrace it
• Do not forget dynamics of change and need to align incentives to create context for change
• Do not forget why we are doing this – to improve healthcare
Managing Risk
• You cannot eliminate all risk - you may plan to avoid certain risks, or take actions to minimise the impact of an event, or plan actions to recover quickly
• This risk of not providing good healthcare is almost certain if we don’t seek to improve
• All actors must be aware of risks and what should be done to minimise them
CLEF Project
• Clinical eScience Framework (CLEF)• Seeking to deliver ‘near anonymised’ medical
data repository via GRID• S&C outputs:
– Accepted policies, protocols, and procedures– Proof of ‘pseudonymised’ route to protect patients’
interests and preserve usefulness of data– Separating ‘wheat from chaff’ to improve data
value and improve confidentiality– Establish mechanisms for monitoring queries for
inferential attack
Thank you
Abstract
Peter Singleton reviews the reasons for Integrated Care Records and how Security and Confidentiality issues affect the approach to, design of, and implementation of ICR systems.
There are plenty of technical issues to be addressed, but a number of policy and cultural aspects also need to be addressed, so that any ICRS can be implemented effectively.
Trade-offs have to be made between the benefits that ICRS can potentially bring and the requirements for 100% water-tight security & confidentiality.
These issues are not insurmountable, but require clear direction from the centre and flexibility in the approach used in order to support a transition to better ways of working.
Biography
Peter Singleton is a Senior Associate at the Judge Institute of Management at the University of Cambridge, a Research Fellow at University College London, and a Director of Cambridge Health Informatics.
He has specialised in electronic health record systems and, in particular, security and confidentiality issues, since attempting to deliver a prototype EHR system in 2000. He has written a number of papers on confidentiality issues.
He is currently supporting the DoH and NHS Information Authority on Information Governance, working on the Clinical eScience Framework (CLEF) project on confidentiality issues, as well as leading the European ‘The Informed Patient’ initiative.
He has an MA in Mathematics and an MBA from Cambridge
