To help GP practices to make an informed decision, this is a checklist of considerations and the safety, governance, legal and regulatory requirements expected of online consultation systems.
Know the risks
Many practices and CCGs procure online consultation systems without an IT lead. Suppliers often sell door-to-door, and it is usually the GP who signs off the procurement, without necessarily knowing what to be aware of.
Many practices have adopted online consultation systems to help manage workload, triage patients using symptom checkers, and redirect patients to self-care advice or other services.
While they may be more convenient for some patients, there is no high-quality evidence of their efficacy in reducing workload or improving clinical outcomes, and the affect of online triage on other parts of the healthcare system – such as emergency departments or walk-in centres – has not yet been evaluated.
Security and governance
Online systems require significant assurances over security and governance to ensure their quality and safety, for both the patient and the clinician. Inadequate checks and poor quality products could make practices vulnerable and accountable, with the potential to cause harm to patients.
An evaluation by the Joint GP IT Committee of systems currently being used by CCGs and practices revealed significant shortcomings in compliance with basic safety and governance requirements. The CQC’s regime for inspecting online health services revealed that nearly half – 16 of the 33 services inspected – do not provide a safe service for patients.
The BMA GPs committee has concerns about system suppliers who consent patients to using their personal and clinical data for commercial purposes. Where this is done through an NHS provided service, it can be both misleading and dangerous. Our concerns have been flagged to both NHS Digital and NHS England.
Checklist: safety and quality assurance
- Conformance with DCB0129 (Clinical risk management: its application in the manufacture of health IT systems, NHS Digital)
- Suppliers maintain adequate risk management processes.
- Suppliers must have a clinical safety officer who is accountable for quality standards, and conduct regular risk analyses, maintain a hazard log, and evaluate the system’s deployment and delivery.
- They must ensure any third-party products used in their system have adequate risk management checks.
- Conformance with DCB0160 (Clinical risk management: its application in the deployment and use of health IT systems, NHS Digital)
This standard complements DCB0129; it requires those in health organisations who are responsible for health IT systems to carry out effective clinical risk management prior to deploying, using, maintaining or decommissioning health IT systems.
- Registration with the Medicines and Healthcare Products Regulatory Agency
Apps and software that qualify as a medical device must be CE marked, in line with the EU medical devices directive. This covers software and monitoring tools as well as hardware and devices. ‘Medical purpose’ can include:
- prevention of disease
- diagnosis of disease, injury or handicap (including percentage risk scores)
- monitoring of disease, injury or handicap.
For example, CE marking should be sought for triage tools, symptom checkers and algorithmic decision trees.
Upon registering with the MHRA, systems are subject to the Yellow Card scheme for adverse incidents, unexpected results, inaccuracies or safety concerns.
Where systems use a third-party symptom checker or similar, it is important to clarify the compliance with CE marking, governance and risk management.
Checklist: data management
- Compliance with the NHS data security and protection toolkit, covering information governance, GDPR and cyber security.
- All suppliers should have a government-approved cyber essentials certificate. Protecting against malware, hacking and cyberattacks means maintaining up-to-date operating systems, devices and software; using antivirus software, firewalls and security settings; downloading only from approved sites; and controlling access to data and services.
- Practices have a legal obligation to provide a secure and confidential service; they must have processes to adequately authenticate and verify patients’ identity, ensuring no one else can access their account.
The patient’s date of birth, name and address is not sufficient, however, as the information could be available to friends or family members. If patients have consented to a carer or relative communicating on their behalf, they should have a separate verification process.
Where data breaches occur, practices may be at risk of financial penalties.
- Within GDPR, practices are the data controllers and suppliers the data processors. In a data breach, system suppliers should help practices to report and investigate, and comply with the requirement to notify the Information Commissioner’s Office within 72 hours.
Data disclosure requests from patients may include information processed by the online consultation system, so the supplier’s records must be detailed and accurate, securely held in the UK, and easily accessible to the practice.
- Intergration with existing GP operating systems enables data to be electronically transferred directly to the patient’s clinical records. Online consultation systems should use recognised clinical coding systems to do this (eg SNOMED CT).
Manually transferring clinical information from one system to another can increase workload and the risk of errors, and negatively affect continuity of care. Where systems use artificial intelligence or symptom checkers to point patients to other services, this information must be captured, relayed to the GP and integrated into the patient’s record.
Checklist: risk management
Consent is obtained via a two-way dialogue, with the amount of information shared tailored to the patient and guided by their individual circumstances.General Medical Council
- When using online systems to communicate, it is important to ensure consent is obtained, such as when ordering investigations or referring the patient remotely.
The appropriateness of online consultations should be reviewed for patients whose capacity is of concern, and capacity should be assessed when a patient declines an investigation or treatment. The completion of an online form does not mean the patient has capacity. Capacity is decision-specific and can change.
When a carer or relative uses online consultations on a patient’s behalf, practices must ensure consent was obtained.
- Safeguarding: Online consultations are not appropriate for all patients. For example, practices should consider face-to-face consultations for patients who:
- are aged under 16
- require a physical examination
- suffer from complex medical problems
- lack capacity
- are at higher risk of deterioration
- require poly-pharmacy and controlled drugs
- have complex psychosocial issues
- have mental health concerns
- have intimate issues, such as miscarriage
- or when there are complex ethical issues or a need to break bad news.
For patients who are recognised as vulnerable adults or children in need, or on the child protection register, consider the balance between face-to-face and online consultations and a process to flag these patients.
Compared to face-to-face consultations, online consultations limit the scope of the information collated and continuity of care, and can present a safety risk.
- Liability and risk: inappropriate triaging, wrong decisions from symptom checkers, or failures in the digital transfer of clinical data could all result in harm to the patient. Suppliers should be accountable for the system’s performance and continue to improve its quality.
Systems that rely solely on transferring data via the HSCN to an nhs.net account, without a back-up server, can pose a significant risk. Server downtime or issues with network connectivity can result in a failure of data transmission. Without an audit trail, root cause analysis and risk reduction are challenging.
When suppliers rely on practice websites to host their systems, they are unlikely to take responsibility for the site’s security and protection. Practices should check that their websites are secure.
Many suppliers consent patients to disclaimers and terms and conditions to waive any accountability associated with using their systems, and with any subsequent harm. This is unacceptable and could be subject to legal challenge.
We believe some suppliers may seek to introduce terms in their contract to exclude liability for loss or damage caused by their products. Such broad waivers of liability are likely to be regarded as ineffective at law. Eg the Unfair Contract Terms Act 1977 renders any attempt to exclude liability for death or personal injury caused by negligence as being ineffective at law.
Take specific legal advice before deciding how to proceed. BMA members are entitled to discounted rates from BMA Law.
NHS England’s £45m fund for online consultations is allocated to CCGs on a weighted capitation basis. This is a one-off transformation fund as part of the General Practice Forward View – where a commitment was made to increase the use of online consultation systems.
CCGs procure licences for systems on behalf of their practices, and in most areas procurement will be undertaken at scale.