Draft for comments
Cross-Organizational Data Sharing and Data Privacy: A Pragmatic Approach
The UK PACS and Teleradiology Group
Clinical Data Sharing – a Clinical/Patient Perspective
Clinical data sharing is not new to the NHS. We have always shared data with other NHS organizations based on patients’ clinical needs. Data sharing between NHS organizations is important to improve patient care. GPs, clinicians and radiologists are well aware of the importance of having access to the pertinent clinical/imaging history in order to reach a correct diagnosis, and thus provide optimum patient care. The move towards more and more digital systems for Clinical Data Storage (in local Trust/GP Repositories/Cluster Repositories/National Repositories) will see improved and more timely data sharing, which will contribute to better and more informed clinical decision making and improved patient care.
These are the 3 Clinical Criteria currently used for Cross-Organizational Clinical Data Sharing within the NHS:
- When a patient gets transferred to another NHS organization, we send relevant documents/letters/images to the other NHS organization, i.e. legitimate data sharing (although this may be non-electronic). (In a good robust future NHS data sharing model, this information should be automatically accessible to the organization, rather than this organization having to request/send it.)
- If a patient attends an NHS organization, the organization can request images/letters/documents from other NHS organizations which the patient may have visited in the past. (In a good robust future NHS data sharing model, this information should be automatically accessible to the treating NHS organization, rather than them having to request it.)
- Tertiary Centre Opinions/2nd opinions/Central MDT opinions: Individual patients’ clinical data/images often get transferred to another organization like a tertiary referral centre (neuro/cancer centre) for advice on management, and on whether the patient needs to be referred to the tertiary centre or not, e.g. for a neurosurgical emergency. 2nd opinions are sought by clinicians from national/regional experts to allow for better management of the NHS patient. Patients are often referred to a central MDT for discussion. In all these instances clinical data cross Trust boundaries (although the patient may not have visited the tertiary centre for treatment). However, this is clearly for clinical reasons and for improved patient care for individual patients within organizations. (In a good robust future NHS data sharing model, this information should be automatically accessible to the tertiary centre/cancer centre/expert providing 2nd opinions, rather than them having to request it.)
Clinical Data Storage and Access:
When a patient attends for treatment in an NHS Trust/GP surgery, clinical and demographic data about the patient are currently stored within individual NHS Trusts (PAS, RIS, PACS, films, paper records, etc.). Individual NHS organizations/GP surgeries hold the responsibility for protecting patient confidentiality and data privacy through RBAC.
- They have password controlled access to their electronic data.
- Passwords are provided to individual clinical systems based on roles performed by individual members of staff. (Role Based Access Control)
- Sharing of clinical data with other NHS organizations is based on the above 3 clinical criteria. Other NHS organizations do not have unrestricted access to individual Trust patient database and patients’ data are not available to them unless one of the 3 clinical criteria for data sharing is satisfied.
- Software applications taken up by Trusts should allow certain data to be classed as sensitive with very stringent access restrictions (e.g. staff data, unwanted pregnancy, etc.)
- Trusts are responsible for ensuring that clinical software applications used by them allow a full audit trail of data access.
- Individual Trusts are responsible for educating clinical/non-clinical users about data privacy/patient confidentiality on a regular basis.
Data Privacy of Patients, especially Healthcare Workers: a High Risk Group
- Digital data access is very easy and straightforward, only a click away, and this improves efficiency and allows better informed patient management for those of us involved in patient care. However, it also carries with it the risk of “illegal” access to data out of curiosity.
- This is particularly true for healthcare workers whose digitally stored data, including PACS images, may become easily available to line managers and prying/malicious co-workers.
- Healthcare workers are often advised to seek treatment at an institution other than their own for this very reason.
- However, with Central Data Stores for PACS/National EHR, there is potential for individual Trust data/GP surgery data to be viewed by other Trusts/GP surgeries (who may not be involved in the individual patient’s care). Patient data may thus be accessible throughout a cluster or nationally without a robust national data sharing protocol which protects patient data privacy.
- Concerns about lack of data privacy may lead to healthcare workers delaying seeking treatment, which could be detrimental to their health.
- Such access, or the fear of such access, to their health data potentially poses a risk to other individuals, i.e. patients, when healthcare workers themselves are reluctant to get help when ill.
Organizational Legitimate Relationship to Individual Patients’ Data
Irrespective of where the patient data are stored, individual NHS organizations should only have access to an individual patient’s clinical data (wherever they may be held/stored) in the following cases:
- Patients registered in the local PAS (for patients who attend/get transferred to an NHS organization for treatment)
- 2nd opinions/tertiary-cancer centre opinions/central MDT opinions are sought by clinicians who are responsible for treating the NHS patient in their host organization (these patients will not be registered on the PAS of the organization from which an opinion is sought). Clinicians involved in an individual patient’s care should have the ability to provide temporary legitimate rights to another organization for Clinical Data Access for that individual patient.
Staff (based on RBAC) within an individual NHS organization will have access to an individual patient’s clinical data (whether stored locally, regionally or nationally) only if one of the above criteria is met.
Improving patient confidentiality within NHS Organizations
- Local NHS Institutions should have a regular targeted audit on access to healthcare staff’s electronic data, and also other patients’ data. It is important for people to know there is targeted audit on access to healthcare staff’s images/reports/EPR etc., and that there is a real risk of being caught and severely disciplined. This will improve patient confidentiality.
- Continuous and real-time audit of use/abuse of patient data access by the team caring for the patient: this requires a software application to display a log of the last series of users to access a patient record, at each access. This will help to identify any 'rogue' access other than by the team caring for the patient. This will act as a deterrent to unjustified access to patients’ electronic records for fear of being caught.
- Although Cross-Organizational Data Sharing is fairly easy in the digital data world, organizations should resist the temptation to move to solutions which do not ensure proper legitimate relationship measures for their patients. One must take seriously the need for maintaining anonymity of patients, especially healthcare workers who seek help in neighboring NHS organizations (rather than attending their workplace for health care needs).
- Buy/upgrade/replace existing clinical IT systems with systems that fulfill the technical specifications for patient confidentiality as defined below.
Technical Specifications for Patient Confidentiality
In order to improve patient confidentiality and data privacy, software applications used within the NHS should fulfill the following criteria:
- The ability to display a log of the last series of users to access a record at each PACS access, i.e. rolling real-time audit. This will encourage users to use their own passwords/smartcards and reduce log-on sharing. This will also act as a deterrent to unjustified access to patients’ electronic records for fear of being caught by the clinical team looking after the patient.
- Software applications to move to the use of smart-cards for access to their systems. This too will reduce password sharing and improve the validity of audits.
- Software applications should allow for certain data to be classed as sensitive with very stringent access restrictions (e.g. staff data, unwanted pregnancy, etc.)
- Clinical software applications used should provide a full audit trail of clinical data access when requested.
- Log-on and log-off to healthcare systems should be quick and slick, and users should also be able to return to the page being browsed on subsequent log-on. This will reduce password/access sharing in high throughput clinical areas like A&E/MAU, and thus improve the validity of the audit processes, and improve user compliance with use of smart-cards.
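As an added illustration (not part of the original paper or of any NHS system), the sketch below combines the legitimate-relationship rule from "Organizational Legitimate Relationship to Individual Patients’ Data" with the rolling real-time audit and sensitive-data restriction specified above. The role names, organization names and the 24-hour default for temporary rights are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role names; a real deployment would take these from its RBAC model.
CLINICAL_ROLES = {"radiologist", "clinician", "gp"}
SENSITIVE_ROLES = {"clinician"}          # roles cleared for records flagged sensitive

@dataclass
class Record:
    patient_id: str
    sensitive: bool = False
    # Rolling log: the last few users to open this record, shown at each access.
    recent: deque = field(default_factory=lambda: deque(maxlen=5))

class AccessBroker:
    def __init__(self):
        self.pas = set()     # (org, patient_id): patient registered on that org's PAS
        self.grants = {}     # (org, patient_id) -> expiry of a temporary right
        self.audit = []      # full audit trail, allowed and denied attempts

    def grant_temporary(self, treating_org, target_org, patient_id, now, hours=24):
        if (treating_org, patient_id) not in self.pas:
            raise PermissionError("grantor has no legitimate relationship")
        self.grants[(target_org, patient_id)] = now + timedelta(hours=hours)

    def open_record(self, user, role, org, record, now):
        key = (org, record.patient_id)
        legit = key in self.pas or self.grants.get(key, now) > now
        role_ok = role in CLINICAL_ROLES and (not record.sensitive or role in SENSITIVE_ROLES)
        allowed = legit and role_ok
        self.audit.append((now, user, org, record.patient_id, allowed))
        if not allowed:
            raise PermissionError(f"{user}@{org}: no legitimate access to {record.patient_id}")
        previous = list(record.recent)       # what the viewer would display
        record.recent.append((now, user, org))
        return previous

def demo():
    # Constructed sample data: patient P1 is registered only at Trust A.
    t0, rec, broker = datetime(2008, 5, 9, 9, 0), Record("P1"), AccessBroker()
    broker.pas.add(("TrustA", "P1"))
    broker.open_record("dr_a", "clinician", "TrustA", rec, t0)
    try:
        broker.open_record("dr_b", "radiologist", "TertiaryB", rec, t0)
    except PermissionError:
        pass                                  # denied, but still audited
    broker.grant_temporary("TrustA", "TertiaryB", "P1", t0)
    later = t0 + timedelta(hours=1)
    return broker.open_record("dr_b", "radiologist", "TertiaryB", rec, later), [e[4] for e in broker.audit]
```

Denied attempts are written to the audit trail but not to the rolling log, so the list shown to the clinical team contains only users who actually opened the record.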
Independent Sector Providing Teleradiology/Radiology Reporting Service to NHS
In order for the independent sector (IS) to provide a good service to NHS patients, independent sector radiologists/clinicians should also have full access to patients’ imaging history held in national/cluster archives.
- Access to NHS clinical data should be controlled via legitimate relationships. The clinicians/radiologists within the independent sector should only have access to the clinical history of those patients who have been referred to them for treatment/reporting of radiology (web access to the entire cluster/national archive should not be permitted).
- NHS organizations who are contracting NHS patient work to the IS (whether DOH or individual Trusts) need to ensure that the IS fulfils the following criteria for maintaining clinical data privacy/confidentiality, similar to local NHS organizations:
  - Regular targeted audit of data access on their patients, especially on records of healthcare workers.
  - Regular staff education about appropriate access to patient clinical data.
  - Buy/upgrade/replace clinical IT systems with systems that fulfill the technical specifications for patient confidentiality as defined above, in broad principles.
Organizational Responsibilities
- Local NHS Institutions:
  - Regular targeted audit of data access on their patients, especially on records of healthcare workers.
  - Regular staff education about appropriate access to patient clinical data.
  - Ensuring cross-organizational data sharing practices are based on legitimate relationships for the patient, as described in the 3 clinical criteria.
  - Buy/upgrade/replace clinical IT systems with systems that fulfill the technical specifications for patient confidentiality as defined above.
  - If contracting work to the Independent Sector, individual NHS Trusts need to ensure that:
    - Data sharing principles are based only on the above 3 clinical criteria.
    - Systems used by the Independent Sector support the above technical requirements for maintaining data privacy.
- Wider NHS/CFH responsibilities:
  - Ensuring cross-organizational data sharing practices via national/regional archives are based upon legitimate relationships for individual patients with individual NHS organizations, as described above.
  - Policy making to encourage/mandate use of Trust/LSP/national systems/Independent Sector to fulfill the above technical requirements that improve patient confidentiality.
  - If Independent Sector contracts are done at DOH level, then CFH/DOH need to ensure that:
    - Data sharing is based only on the above 3 clinical criteria.
    - Systems used by the Independent Sector support the above technical requirements for maintaining data privacy.
- NHS Healthcare Supplier responsibility:
  - Suppliers must provide electronic systems to the NHS to develop/upgrade their clinical IT systems to meet the above technical specifications for data privacy/patient confidentiality.
Author: Dr. Neelam Dugar
Chair of The UK PACS and Teleradiology Group
09/05/08