Clinical systems can allow healthcare professionals in different organisations to access patient records.
We believe the following principles are best practice in allowing records to be shared to aid patient care whilst protecting confidentiality.
Making patients aware
Patients must be made aware of the new arrangements for managing their health information. Doctors should have confidence that these communications have been effective.
This should include:
- discussion with the patient during a consultation
- an information leaflet being made available
- posters in the practice
- information on the practice website
- use of local media
- communication with patient participation group.
Different suppliers of shared records stream/store data in different ways. For GP practices using EMIS Web and SystmOne, patient records are held in a data centre. Patients cannot opt out. This does not automatically mean that other organisations can view them.
With Vision 360, a copy of the GP practice records is streamed to a database for sharing. Patients can opt out of their data being streamed by using read codes.
If a patient opts out, their data is not streamed into Vision 360, but will continue to reside within the Vision dataset at the practice, which could be held on a server at the practice or hosted in a data centre.
Establishing the organisations involved
As data controllers, GPs should make decisions about which organisations access their patient records. GP practices should consider whether information sharing would improve the delivery of care, and if it is necessary for direct care.
It is good practice to establish formal sharing agreements between the different organisations and practices involved.
The DHSC (Department of Health and Social Care) guidance on shared records explains that participating organisations will become joint data controllers under the GDPR. We recommend that practices complete the checklist within the DHSC guidance of issues for inclusion in local agreements.
With SystmOne, this involves accepting or rejecting a ‘share request’ for a particular patient from another organisation, such as the local care home.
With EMISweb and Vision 360 this involves establishing a local sharing agreement with the organisation. This states the type of information to be shared e.g. demographics, consultations, medication and the job roles which can view the shared data.
Addressing patients' concerns
If patients are concerned about shared records systems then options for restricting sharing should be explained.
- Patients must be able to apply a blanket dissent ie I do not want my record to be shared with other organisations.
- If patients decide to have a shared record they should be able to make decisions about which organisations can access their records.
- If patients decide to have a shared record, their explicit consent to view must be obtained e.g. where a practice other than the patient’s is seeking to view the record for of out-of-hours care.
- Patients must be able to mark specific items as sensitive/private which means they will not be visible in another care setting – this is not possible on all systems.
Sharing records without consent
In exceptional circumstances, for example if the patient is unconscious and immediate access to the record is needed, it may be appropriate to access the record without consent.
Healthcare professionals must indicate on the system a reason for this. An override may not be possible if a patient has dissented from a shared record.
Healthcare professionals should only view the information relevant to their care setting, unless the patient has given their explicit consent for the full record to be viewed. In the BMA’s view, it is unnecessary for a physiotherapist treating ligament damage to access the entire medical history, for example.
Traditional referrals result in relevant information being shared with the treating clinician. This occurs under implied consent. Systems that disclose the entire patient record to the treating clinician require explicit consent.
If a patient agrees to a shared record with Vision 360, they can specify which organisations can view their record. Only the information that is set out in the sharing agreements, described in the second box, is shared; an OOH GP may have access to more enriched information compared to a diabetes nurse. If the patient opts out of streaming then their record is not available.
With EMISweb, the patient can either share or not share across organisational boundaries.
If a patient selects the ‘share’ option then they can tailor which organisation can see their records. In addition, as with Vision 360, the information available is set out in the sharing agreement and tailored to the particular healthcare professional.
A share in/share out model is used for SystmOne. A healthcare professional in a multi-disciplinary team treating a patient may ask the patient for their consent to see their record. This is ’share in’. They may then ask if the patient consents for that record to be shared with the rest of the multi disciplinary team, this is ’share out’.
Who should view a patient's record
Healthcare teams should only be able to view the records of patients with whom they have a direct clinical relationship. This means that the patient must be registered on the system of the organisation which wishes to view their record, for example as a result of referral. It should not be possible for one organisation to view all of the records of another organisation.
It is appropriate for GPs to view information recorded by other healthcare professionals when caring for their patients, unless the patient dissents. There may be exceptions for example, some sexual health information.
Systems must be designed to include audit trails. Ideally, these should allow patients to view details of who has accessed and edited their records and when. If a record is accessed without the consent of the patient there must be a mechanism to notify a trusted third party such as a privacy officer.
GP practices should ensure that audit logs are reviewed so that any inappropriate access can be identified and acted on.