
Review of Caldicott report-2 2013 by Dr Saurabh Bhatia




  1. Patient Information Exchange: The Recent Recommendations. A Review of Caldicott2 Report 2013 about Information Governance Review. Dr Saurabh Bhatia, MBBS, MS, FCR, Medical Informatician
  2. This presentation is a review of the IGR (Caldicott2) report. (c) Dr S Bhatia 2013. For IGR (Caldicott2): “…aim has been to ensure that there is an appropriate balance between the protection of the patient or user’s information, and the use and sharing of such information to improve care”
  3. A Preamble. In 1996-7, Dame Fiona Caldicott, a psychiatrist from the UK, led a committee to prepare a set of recommendations on patient data sharing principles and confidentiality. The report was widely appreciated and implemented in the UK and adapted in various forms across Europe. It contained certain principles called Caldicott principles, and hospitals had ‘Caldicott Guardians’ to oversee the implementation of the Caldicott principles. In 2013, the Caldicott commission improved its recommendations in view of technological advancements; these will be reviewed here.
  4. Original Caldicott commission recommendations for managing medical information (1996-7). Original extract: F: Formally justify the purpose for which the information is used; I: Identifiable information only when absolutely necessary; O: Only the minimum required should be used; N: Need to know access; A: All must understand their responsibilities; C: Comply with and understand the law. Dame Fiona Caldicott.
  5. The 2013 Caldicott2 report. The report was released in Apr 2013. It has 25 recommendations, most of which have been reviewed here. It has re-emphasised some terms, which removes ambiguity from the minds of the healthcare industry. Some of them have been mentioned here. You may download this report from secretary-to-strengthen-patient-privacy-on- confidential-data-use
  6. Recommendation 1. Original extract: People must have the fullest possible access to all the electronic care records about them, across the whole health and social care system, without charge. An audit trail that details anyone and everyone who has accessed a patient’s record should be made available in a suitable form to patients via their personal health and social care records. Author’s note: The keyword here is “Without Charge”. How will hospitals cater to the cost of maintaining these IT records and audit trails? At the same time, this emphasises the patient’s right to her records without being arm-twisted to get them.
  7. Recommendation 2. Original extract: For the purposes of direct care, relevant personal confidential data should be shared among the registered and regulated health and social care professionals who have a legitimate relationship with the individual. Health and social care providers should audit their services against NICE Clinical Guideline 138, specifically against those quality statements concerned with sharing information for direct care. Author’s note: Note the inclusion of Social Care. Should the patient authenticate who all have a ‘legitimate relationship’ with the patient?
  8. Recommendation 3. Original extract: The health and social care professional regulators must agree upon and publish the conditions under which regulated and registered professionals can rely on implied consent to share personal confidential data for direct care. Where appropriate, this should be done in consultation with the relevant Royal College. This process should be commissioned from the Professional Standards Authority. Author’s note: This defines the autonomy of healthcare organisations to make sharing decisions, where they can share info as a matter of process and not keep taking consents all the time.
  9. Recommendation 4. Original extract: Direct care is provided by health and social care staff working in multi-disciplinary ‘care teams’. The Review Panel recommends that registered and regulated social workers be considered a part of the care team. Relevant information should be shared with members of the care team, when they have a legitimate relationship with the patient or service user. Providers must ensure that sharing is effective and safe. Commissioners must assure themselves on providers’ performance. Care teams may also contain staff that are not registered with a regulatory authority and yet undertake direct care. Health and social care provider organisations must ensure that robust combinations of safeguards are put in for these staff with regard to the processing of personal confidential data. Author’s note: A mixed bag. While social care orgs are being included, they need to have ‘safeguards’, which kind of puts a cost on their accessing info. Good in spirit, difficult to implement.
  10. Recommendation 5. Original extract: The Review Panel also concluded that individuals must be informed of any breach of their personal confidential data as part of maintaining public trust and supporting transparency. Recommendation 5: In cases when there is a breach of personal confidential data, the data controller, the individual or organisation legally responsible for the data, must give a full explanation of the cause of the breach with the remedial action being undertaken and an apology to the person whose confidentiality has been breached. Author’s note: I feel this apology thing is counter-productive. It will spur the departments to hush things up instead of acknowledging public shame.
  11. Recommendation 6. Original extract: The processing of data without a legal basis, where one is required, must be reported to the board, or equivalent body of the health or social care organisation involved and dealt with as a data breach. There should be a standard severity scale for breaches agreed across the whole of the health and social care system. The board or equivalent body of each organisation in the health and social care system must publish all such data breaches. This should be in the quality report of NHS organisations, or as part of the annual report or performance report for non-NHS organisations. Author’s note: Another counter-productive recommendation. Whenever the sharing of information will be linked to quality audit of an organisation, there will be personal or commercial motives to simply deny sharing or hush up the breach.
  12. Recommendation 7. Original extract: All organisations in the health and social care system should clearly explain to patients and the public how the personal information they collect could be used in de-identified form for research, audit, public health and other purposes. All organisations must also make clear what rights the individual has open to them, including any ability to actively dissent (i.e. withhold their consent). Author’s note: A very good rec. This also ensures that somewhere, we can look forward to Big Data and its utilisation in future.
  13. Recommendation 8. Original extract: Consent is one way in which personal confidential data can be legally shared. In such situations people are entitled to have their consent decisions reliably recorded and available to be shared whenever appropriate, so their wishes can be respected. In this context, the Informatics Services Commissioning Group must develop or commission: guidance for the reliable recording in the care record of any consent decision an individual makes in relation to sharing their personal confidential data; and a strategy to ensure these consent decisions can be shared and provide assurance that the individual’s wishes are respected. Author’s note: Again, this rec will safeguard both patients as well as providers. This will also pave the way for the future of collective decision making and for understanding the patterns of individual reticence to data sharing, and help in social medicine and policy making, too.
  14. Recommendation 9. Original extract: The rights, pledges and duties relating to patient information set out in the NHS Constitution should be extended to cover the whole health and social care system. Author’s note: The rights, pledges and duties should be read directly from the report. They are the embodiment of the basic principles and spirit of this entire exercise. Pg 59-60 of original report.
  15. Recommendation 10. Original extract: The linkage of personal confidential data, which requires a legal basis, or data that has been de-identified, but still carries a high risk that it could be re-identified with reasonable effort, from more than one organisation for any purpose other than direct care should only be done in specialist, well-governed, independently scrutinised and accredited environments called ‘accredited safe havens’. Author’s note: Once again, this is a safe-than-sorry approach which needs more elaboration by other bodies like The Informatics Services Commissioning Group and The Informatics Services Commissioning Group. Unless handled carefully, it can be the new excuse to deny sharing.
  16. Recommendation 11. Original extract: The Information Centre’s code of practice should establish that an individual’s existing right to object to their personal confidential data being shared, and to have that objection considered, applies to both current and future disclosures irrespective of whether they are mandated or permitted by statute. Both the criteria used to assess reasonable objections and the consistent application of those criteria should be reviewed on an ongoing basis. Author’s note: A double-edged sword. What constitutes a ‘reasonable’ objection can be reviewed over a period of time.
  17. Recommendation 14. Original extract: Regulatory, professional and educational bodies should ensure that: information governance, and especially best practice on appropriate sharing, is a core competency of undergraduate training; and information governance, appropriate sharing, sound record keeping and the importance of data quality are part of continuous professional development and are assessed as part of any professional revalidation process. Author’s note: An excellent rec. This will ensure that informatics, its intricacies and its application become a part of nursing and medical education. This will also mean that the new crop of professionals will not see computers as overheads/nuisance.
  18. Recommendation 15. Original extract: The Department of Health should recommend that all organisations within the health and social care system which process personal confidential data, including but not limited to local authorities and social care providers as well as telephony and other virtual service providers, appoint a Caldicott Guardian and any information governance leaders required, and assure themselves of their continuous professional development. Author’s note: This is equivalent to having an ethics committee or auditor or quality assessor on board and, in various countries, can be adapted in appropriate forms.
  19. Recommendation 16. Original extract: Given the number of social welfare initiatives involving the creation or use of family records, the Review Panel recommends that such initiatives should be examined in detail from the perspective of Article 8 of the Human Rights Act. The Law Commission should consider including this in its forthcoming review of the data sharing between public bodies. Author’s note: This is the first step towards acknowledging the role of family in a person’s health record. This will pave the way for a better socially structured form of record sharing. Early initiative and will take time, but on the right lines. Please note that in Asian countries, where families are closer and individual existence is usually not as paramount as in the West, family records are a ‘must-have’, and people can get offended and violent if denied access to the records of their near and dear ones.
  20. Recommendation 17. Original extract: The NHS Commissioning Board, clinical commissioning groups and local authorities must ensure that health and social care services that offer virtual consultations and/or are dependent on medical devices for biometric monitoring are conforming to best practice with regard to information governance and will do so in the future. The Review Panel concluded that providers of direct care services using virtual consultations should offer patients access to their record and a copy of all ongoing communications from that record. …any provider offering virtual consultation services should be able to share, when appropriate, relevant digital information from the patient, with registered and regulated health or social care professionals responsible for the patient’s care. This includes both written text or numbers and images, such as photographs. Author’s note: This is a strong boost to telemedicine in all forms. It is a very tentative step, and allows other bodies to define best practices, but at least a formal acknowledgement of virtual services and a step towards reducing the legal paranoia around them in the mind of doctors.
  21. Recommendation 20. Original extract: The Department of Health should lead the development and implementation of a standard template that all health and social care organisations can use when creating data controller to data controller data sharing agreements. The template should ensure that agreements meet legal requirements and require minimum resources to implement. Author’s note: This is a step in the direction of system-agnostic healthcare information exchange. Templates, once defined, can be included as part of various systems by vendors, thus providing HIE without the technological barriers.
  22. Revised list of Caldicott principles: 1. Justify the purpose(s). 2. Don’t use personal confidential data unless it is absolutely necessary. 3. Use the minimum necessary personal confidential data. 4. Access to personal confidential data should be on a strict need-to-know basis. 5. Everyone with access to personal confidential data should be aware of their responsibilities. 6. Comply with the law. 7. The duty to share information can be as important as the duty to protect patient confidentiality.
  23. Other interesting changes. Original extract: …obligation to prevent information seeping outside the health and social care system should not stop it being shared appropriately within it. The term used to describe how organisations manage the way information is handled within the health and social care system in England is ‘information governance’. Information governance applies to the balance between privacy and sharing of personal confidential data and is therefore fundamental to the health and social care system, providing both the necessary safeguards to protect patient information, and an effective framework to guide those working in the health and social care system to decide when to share, or not to share. Author’s note: This is a direct effect of hospitals (mis)using the data protection principles to refuse to share information or charge hefty fees for this.
  24. Key definitions. People often talk about ‘data’ and ‘information’ as if they mean much the same thing. However the terms have a precise meaning and the words are not interchangeable. Readers may understand this report more easily by grasping the distinction from the outset: Data is used to describe ‘qualitative or quantitative statements or numbers that are assumed to be factual, and not the product of analysis or interpretation.’ Information is the ‘output of some process that summarises, interprets or otherwise represents data to convey meaning.’ This report also uses the phrase ‘personal confidential data’ throughout. This term describes personal information about identified or identifiable individuals, which should be kept private or secret. The 1997 report did not consider the issue of whether professionals shared information well, in the interests of patients, because that was not regarded as a problem at the time. That omission became increasingly noticeable as the need for closer integration between health and social care became ever more apparent.
  25. People’s right to access information about themselves. Original extract: …give people better access to their care records… people who are allowed to share their own records can be empowered to take part in decisions about their own care... …patients’ attempts to become involved in decision making were thwarted by “information governance rules” …even if they explicitly consented … because of ‘data protection policies’; The Review Panel concludes that personal confidential data can be shared with individuals via email when the individual has explicitly consented and they have been informed of any potential risk. Author’s note: This is a major shift from earlier policies and, when implemented, will necessitate emailing of hospital records to a patient in commonly readable formats.
  26. Definition: two types of records. Original extract: Health and social care records: These are the commonest type and are supported by the information strategy. A professional creates an electronic patient record, which is then shared with the patient and their relevant care teams. The health or social care professional is responsible and accountable for that record when it is for the purpose of direct care. Patients may get right of access, the ability to see, interact and request corrections but not the right to change the content because that might be clinically unsafe. This access is sometimes referred to as ‘patient online access’ or ‘record access’. Patient-owned records: These are less common forms of record that individuals create and manage themselves. They are kept separate from any electronic patient record and the individual has total control and responsibility for the content. Patient-owned records may include extracts from electronic patient records, but may also contain information added by the individual such as exercise monitoring data, weight etc; commercial contributions e.g. from over the counter drug purchases or from supermarket alcohol purchases; and contributions from personally acquired ‘medical devices’. Author’s note: For the first time, there is official differentiation equalling an EMR vs PHR debate/status of records. This will impact the way patients access their records. research/practice-management- resources/health-informatics- group/patient-online.aspx
  27. Implied Consent. Original extract: There is in effect an unwritten agreement between the individual and the professionals who provide the care that allows this [data] sharing to take place. Implied consent is applicable only within the context of direct care of individuals. It refers to instances where the consent of the individual patient can be implied without having to make any positive action, such as giving their verbal agreement for a specific aspect of sharing information to proceed. Examples of the use of implied consent include doctors and nurses sharing personal confidential data during handovers without asking for the patient’s consent. The Review Panel concluded that across the health and social care system, implied consent is only applicable in instances of direct care. Author’s note: For the first time, we are seeing some sanity prevailing over the paranoia of data protection. Info-governance is finally recognizing the importance of implied consent, which has been the basis of most of our clinical practices historically. GMC guidance on confidentiality, http://www.gmc- onfidentiality_24_35_disclosing_inf ormation_with_ consent.asp
  28. Full Report. I have covered only those recommendations which can have an impact internationally. For other recs, please read the full report. This ppt will also be available, along with the full report, from our website. All views are personal views of the author. Comments can be sent at