Risk: Scan, shred, repeat

CONSIDER this recent case dealt with at MDDUS.

A patient made a complaint against a GP for failing to accurately communicate outcomes in a letter from the pathology lab. The system in place within the practice was for all incoming letters to be date-stamped on the reverse on receipt, and the doctor reviewing the letter would handwrite there any required actions. By the time this complaint was raised, the patient had moved to another practice and the original doctor involved could not recall from memory what had happened on receipt of the letter.

The patient’s new practice, on receipt of paper records from the old practice, scanned them onto their electronic files and then shredded the originals. Unfortunately, they did not scan the reverse of correspondence and so critical information regarding how the original letter had been actioned was lost.

The circumstances in this case raise some interesting questions for all primary health care providers about the robustness of arrangements for accurately scanning and shredding incoming clinical correspondence and ensuring that important clinical information is not lost to follow up. For example, should information be retained in its original form rather than (or as well as) scanned electronically and then the original shredded?

The Records Management Code of Practicefor Health and Social Care (2016) is a useful source of reference and guidance. It applies in England to all patient health records – electronic or paper-based – within general practice and hospital specialties. In regard to scanning records it states: “Where scanning is used, the main consideration is that the information can perform the same function as the paper counterpart did and like any evidence, scanned records can be challenged in a court. The legal admissibility of scanned records, as with any digital information, is determined by how it can be shown that it is an authentic record.”

The key message here is that it is essential that practice procedures on the processing and scanning of paper records are adequate and applied consistently in order to be relied upon both clinically and in a legal context.

Another helpful document produced by the Department of Health, the BMA and the Royal College of General Practitioners is TheGood Practice Guidelines for GP electronicpatient records. It stipulates that following scanning and “once backed up, the original documents may then be shredded, within some safety and legal constraints, saving space and removing the need to file the paper into a patient record”. The guidelines also offer advice to “paper-light practices” on establishing safe processes for the scanning and destruction of original documents.

Adequate paper-light working normally requires the practice to utilise a document management system (DMS) to handle correspondence. This will consist of a document scanner and associated software. Clerical staff must obviously be aware of the basics of document handling, filing items accurately and chronologically and complying with folder structures.

Staff should ensure scanned documents are legible and complete and know what to do when a document has failed to properly scan. Documents are normally scanned in black and white or greyscale, but colour can sometimes be important to the meaning so staff should know how to override default settings to create a colour scan.

The guidelines recomment a crosscut shredder for use in destroying paper records, although there is no NHS required standard. Some local primary care organisations may provide a document destruction service and there are commercial operators offering secure disposal.

Provided that such policies and procedures are in place it would be difficult to criticise a practice in relation to document capture. Evidence of having followed appropriate guidance should be sufficient enough to demonstrate that an electronic copy is a true copy of the original.

There are, of course, risks whenever information is ‘copied’, with the potential for data loss. Where significant clinical data has been lost, practices will have to give serious consideration to reporting a “data security breach”, both to the ICO (Information Commissioner’s Office) and the patient concerned. This would be particularly important if the loss of clinical data impacted on the “rights and freedoms” of the individual as defined by the new General Data Protection Regulation (GDPR; coming into effect on 25 May) or placed the patient at risk due to missing clinical information.

The patient in our scenario above should have been made aware of the missing pathology results at the time as this could have had an adverse impact on their planned care and treatment. Even if a decision is made not to report an incident, practices will have to maintain a log of data security breaches together with any insight and learning from such incidents.

MDDUS has produced guidance notes for data controllers on preparing for GDPR and one specifically on reporting data security breaches. These can be accessed under the Training & CPD tab at www.mddus.com.

Alan Frame is a risk adviser at MDDUS