Patient records: Too much information?

According to Dame Fiona Caldicott, every citizen should feel confident that information about their health is securely safeguarded and shared appropriately when it is in their best interest.

In the introduction to the 2013 Information Governance Review (often dubbed “Caldicott2”, recognising her original 1997 review of the topic), she says that “everyone working in the health and social care system should see information governance as part of their responsibility”.

‘There’s polarisation between those who think they can use pseudonymised data to meet all their obligations and those who say, equally vehemently, that it’s impossible’

The new review was intended to ensure, primarily, that there is an “appropriate balance” between the protection of patient information, and the use and sharing of such information to improve care.

Thus a seventh Caldicott principle was born, stating that: “The duty to share information can be as important as the duty to protect patient confidentiality.”

According to Matthew Smith, a partner specialising in information law at legal firm Capsticks, the recent changes have, to an extent, turned some previously well held beliefs on their head.

“The legal framework hasn’t changed - information is still governed principally by the Data Protection Act,” he says. “But Caldicott2 has really shaken things up for the health sector.”

The new principle means, for example, that if someone’s health or life will be endangered without certain information, then the failure to disclose it may have bigger implications, whether legally or otherwise.

“It’s a shift in balance between the need to protect information and the benefits of disclosure,” explains Mr Smith. “Previously the default position was often ‘if in doubt, hold on to the information’ because it would mean you wouldn’t get into trouble. Caldicott2 spins that on its head, and you could get into trouble if you don’t share the information.”

Information access

But who should get access to information? Caldicott2 is, on the face of it, quite clear about that: if you’re a regulated professional involved in direct care of a patient then there is a presumption of implied consent and it is likely you will receive the information. If you’re involved in indirect care, however, the chances are you won’t without explicit consent, and there’s some debate over where the line should be.

This new information governance environment is particularly challenging for commissioners. For one thing, clinical commissioning groups do not receive the same level of personal confidential data as primary care trusts.

Although CCGs can apply for accredited safe haven (ASH) status, which means they can receive weakly pseudonymised data, there are some who say this isn’t enough.

“They are asking themselves if they can do what they are obliged to do without the same level of patient information,” says Mr Smith.

“There’s actually polarisation in the commissioning world, between those who think they can use pseudonymised data to meet all their obligations and those who say, equally vehemently, that it’s impossible.”

‘People are realising that they can’t adopt a defensive position in every situation; they’re looking for guidance on how to navigate the landscape’

At the moment it’s difficult to say with certainty which of these two opposing views will hold sway, but the greater the number of CCGs applying for ASH status, the less likely it is that the naysayers will have their way and gain access instead to the patient information previously available to PCTs.

At the time of writing, some 57 organisations have registered their intention to become ASHs, according to the Health and Social Care Information Centre (HSCIC), and around 45 have been approved, 21 of them CCGs.

An HSCIC spokeswoman says that the information government toolkit delivery team provides assistance with the application, and registered applicants are then asked to complete the IG toolkit which comprises 28 governance requirements.

“On registration, CCGs are provided with advice and guidance in completing the assessment. On completion the CCG publishes the assessment and each published assessment is reviewed,” she adds.

Each CCG is notified of the review findings regardless of whether their assessment is approved. CCGs that are not approved are provided with additional guidance and actions that they need to complete before resubmitting the assessment. Resubmitted assessments are reviewed again by the HSCIC.

NHS England, the secretary of state and the HSCIC have shown they are alive to the challenges, and have reacted to mitigate some concerns. “For example, there were difficulties with invoice validation,” explains Mr Smith. “That’s really important for commissioners because they have to make sure that the right people are being paid at the right time for providing the right services.”

Controlled environments for finance

The decision to allow ASHs to set up “controlled environments for finance” (CEfF) is a “short term fix” allowing commissioners to use personal confidential data for this purpose. Again, there are people who think this is the solution and those who don’t.

“It’s a raging debate and we don’t yet know the truth of it,” says Mr Smith. “But it’s something that people have to think about. The section 251 approval for invoice validation only runs until October of this year, so we don’t yet know what will happen after that.”

Commissioners are looking for guidance on how to manage their new responsibilities under Caldicott2, he says and, as is so often the case, it’s about changing habits and culture. “People are realising that they can’t adopt a defensive position in every situation; they’re looking for guidance on how to navigate the landscape.”

And there are other questions too. “Do people see the NHS as one big organisation, or as a number of small organisations working together? Where are the limits?” asks Mr Smith. “Do we need to be thinking of a wider care service rather than a health service?”

As well as addressing public perceptions of the health service, there is a job of work to be done to communicate the benefits and risks of sharing patient data more widely.

As last month’s decision to postpone the care.data project shows, there’s a long way to go before concerns about sharing of data are alleviated. “The care.data issue flagged up the need for a debate,” says Mr Smith. “But it needs to be quite a sophisticated debate, otherwise the default position for the public will be ‘you can’t have my data’.”

Mr Smith says the HSCIC is working constructively with NHS bodies to help them through. “They’re being helpful and proactive - they’re not waiting until someone does something wrong and then punishing them. Ultimately it’s all about using information to improve care, and that’s really everyone’s goal here.”