SIXTEEN years ago the chief medical officer of England commissioned a review of NHS information governance to be headed by Dame Fiona Caldicott, a former president of the Royal College of Psychiatrists. It was to address, among other issues, the rapid development of information technology and concerns over data protection and a perceived threat to patient confidentiality.
In December of 1997 the Caldicott review was published and in subsequent years has had a profound effect on medical information governance. It established six key principles of data management and created the role of ‘Caldicott Guardians’ – individuals whose responsibility it is to apply these precepts within healthcare organisations.
Last year the Government asked Dame Fiona Caldicott to revisit the subject as part of the Future Forum’s recommendations on NHS reform. There was an impression that the philosophy surrounding information sharing had changed over the preceding years, with the medical world becoming more nervous and reluctant to share appropriate information. It was also recognised that the nature of data technology had changed along with the public’s expectation of access to their data.
This is the context to Caldicott2, a new 140-page review that was released in April 2013, addressing appropriate sharing of health information in England but with principles widely applicable across the United Kingdom.
In September the Government published its response to Caldicott2. Most of the recommendations were accepted and the document set out how these are to be implemented.
In the Government’s response, Health Secretary Jeremy Hunt said: “In the past, information governance rules have prioritised systems over people. Too often they have been seen as an insurmountable obstacle and an excuse to avoid sharing information. We outline a new approach here.”
It’s good to share
A prime motivation behind Caldicott2 was a growing impression within the NHS that the 1997 review was being used as a reason for not sharing information. To address this concern the emphasis of Caldicott2 is that appropriate sharing of information should be the rule, not the exception.
One area of confusion addressed is the model of implied consent to the sharing of information between healthcare professionals. This principle is not challenged but patients’ understanding of how information is shared is questioned. In order to use the implied consent model on an ongoing and legitimate basis, the review concludes that patients should be better informed as to how their information is used in the healthcare setting. This information might be included in a practice’s ‘new patient’ leaflet, for example.
In its response the Government agrees and proposes that a ‘consent management standard’ should be developed which will be applicable across all NHS and care systems in order to record decisions regarding disclosure consent. How this will work in practice is not yet clear.
The review also recommends that a standard template sharing agreement should be published by the Department of Health in order to reduce duplication of effort within the NHS. However, familiarity with standard consent forms should not result in a lack of consideration of the appropriateness of each request.
A reluctance to share data between public and private organisations and between local authority and healthcare bodies is also addressed within the review. This reluctance is not warranted where data protection principles are appropriately applied by both parties. The Government is quite clear in its intentions to encourage sharing between health and care bodies. So much so that part of the recently announced £3.8 billion Integration Transformation Fund must be used locally to enhance data sharing.
How to handle standard third party AUTUMN 2013 15 information is addressed in detail within the review. This includes information about another individual (e.g. family history) and from another identifiable individual (e.g. a family member giving information about a patient). This information may itself be confidential and should not necessarily be disclosed to the patient, even though it is contained within that patient’s medical records. The review recommends that third parties should be told that their identity may be apparent if notes are disclosed and be given the opportunity to decline to provide information.
The issue of preventing inappropriate disclosure to bodies such as insurance companies is also covered, including safeguards to minimise such disclosure. Current legislation and guidelines require that only the minimum necessary information is sought and that disclosure should be appropriate and relevant. As such, the generation of automated reports would usually include too much information. Doctors should be confident that any consent is properly informed, meaning that the patient knows what information will be provided, to whom and for what purpose.
The review highlights the Health and Social Care Information Centre’s controversial role in patient data analysis. The importance of being able to opt out from this type of data sharing is emphasised, although how this is to be achieved is yet to be seen. A code of practice is currently being developed. Other issues addressed in the report include lack of data sharing as a major factor in child protection failures and the limiting of automatic parental access to the records of children over the age of 12.
Training in information governance is seen as crucial in the review. The issue of ‘tick-box’ training is discussed and the feeling that such training does not involve education. The panel recommend that professionals should be educated in aspects of information governance which are relevant to their clinical focus, with specific focus on appropriate information sharing.
While emphasis is on the sharing of data, the review does consider the issue of inappropriate disclosure and information release. The Information Commissioner’s power to impose civil monetary penalties (fines) on organisations for data protection breaches has been prominently reported in recent months. The review seeks to allay this fear by pointing out that no fine has yet been imposed on an organisation for the “formal” sharing of information between data controllers (as opposed to the inadvertent loss or disclosure of data).
In the period of June 2011 to June 2012, 186 serious data breaches were reported to the Department of Health. Two-thirds of these breaches related to data loss or theft. The review recommends that every organisation publishes details of any breaches on an annual basis. The Government acknowledges in its response that local care providers may be too small to produce annual reports and sets out that commissioners should “deal with data breaches”.
The review highlights the prominent issue of inappropriate data disclosure through “blagging”. This is where information is sought by a third-party, ostensibly acting as another healthcare professional or family member. Despite NHS guidance dating back to 2003, this type of disclosure still occurs. The review recommends that individuals should be informed when a breach has occurred and offered an explanation and apology. Local policies should be put in place in order to avoid inappropriate disclosures, for example including a requirement to confirm a fax number from a second source (such as a practice website) before sending any confidential information.
Confidence to share
In summary the Caldicott2 review panel states that health and social care professionals should have the confidence to share information in the “best interests” of their patients. This is an interesting choice of words as this term is usually associated with patients who lack capacity to make decisions. This is clearly not the intention of the panel but it highlights the importance of careful wording when it comes to making data-sharing decisions.
The ultimate outcome of the review is that the six pre-existing principles have been updated and a new sharing information principle has been incorporated: “The duty to share information can be as important as the duty to protect patient confidentiality”.
Dr Richard Brittain is a medical adviser at MDDUS
From Summons Autumn 2013, pp 14-15
Summons Autumn 2013
Click here for PDF of this issue of Summons
This page was correct at the time of publication. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.