Comment: Pathway to privacy - time to take ownership of rebuilding trust with patients

Tim Dunn of FairWarning on who is responsible for taking the NHS into the digital age

In the wake of the Government’s response to the Caldicott2 report, TIM DUNN, general manager at FairWarning UK, examines who owns taking NHS services into the digital age and expanding trust with patients around the use of electronic health records

The Government has finally published its long-awaited response to the Caldicott2 Review of information sharing in the NHS and, as many of us had hoped, has accepted all of its recommendations.

After years of analysis and consultation about the merits of electronic healthcare, the time for debate is over

It’s a landmark moment that could see the NHS turn an important corner and stride progressively towards building transformational models of care.

After years of analysis and consultation about the merits of electronic healthcare, the time for debate is over.

There are key elements within Caldicott2 I believe will be essential in assuring the confidence and trust of patients and healthcare professionals. They include the duty of candor and notification of data breaches, how they happened and what remediation steps are being taken; a patient’s right to know of ‘everyone and anyone’ who has accessed their record; a robust audit and enforcement framework agreed between the Information Commissioners Office (ICO) and Care Quality Commission (CQC) and electronic health records (HER) vendors supporting audit and logs on access activity.

The Government response reaffirms the belief that better information sharing can help the NHS meet many of its strategic goals, and lead to more-effective and efficient healthcare services, enhanced care pathways and improved patient outcomes. But a critical success factor for sharing health information will be ensuring that it is done in such a way that it reassures patients that their privacy will be protected.

The Caldicott2 recommendation that patients should have availability to ‘details on everyone and anyone who has accessed their record’, along with the requirement ‘to notify patients when their records have been breached’, represents a huge step towards transparent healthcare. But, to deliver it, the NHS needs to foster a culture of collective responsibility for patient privacy, and drive accountability across local organisations.

At a local level, ownership for driving change and leading NHS organisations towards secure electronic healthcare largely rests with a triumvirate of key stakeholders; chief executives, senior information risk officers (SIRO) and Caldicott Guardians.

Responsibilities

A critical success factor for sharing health information will be ensuring that it is done in such a way that it reassures patients that their privacy will be protected

As trusts grapple with strategic challenges to ensure they are financially robust and competitive within the new commissioning environment, hospitals are increasingly recognising the role that digital healthcare can play in meeting their objectives. As a result, the development of EHR systems, in line with the government timetable for electronic patient records, has become a major priority. Although the chief executive is ultimately accountable for data control on behalf of a trust, responsibility for overall ownership of the organisation’s Information Risk Policy is delegated to the SIRO.

SIROs have been in existence within trusts for a number of years, but the significance of the role has been reinforced by the Department of Health (DH) response to Caldicott2. The function, performed in addition to individuals’ existing NHS roles is defined as an executive director or senior management board member who is formally responsible for the organisation’s standards of practice for information governance.

The SIRO acts as the board’s ‘champion’ for information risk, advising the chief executive on the organisation’s information governance strategy and capabilities. As a prominent board member, the SIRO is naturally familiar with a trust’s wider strategic goals. But the challenge is to understand how those goals may be impacted by information risks and how, in turn, those risks should be managed.

The SIRO’s key purpose is to lead and implement Information Governance risk assessment and management processes, and provide assurance to the chief executive and board of the effectiveness of the trust’s information risk management. It is a significant responsibility and, since trusts commonly have high volumes of information assets, is not something that can be managed alone. The SIRO must work collaboratively with internal and external stakeholders to reinforce a culture of privacy and drive accountability and responsibility across an NHS organisation.

Patient privacy monitoring solutions provide SIROs with greater assurance that data access is appropriate and can protect a trust’s reputation by mitigating the risk of confidentiality breach

Alongside SIROs, Caldicott Guardians are also growing in influence. Originally introduced to provide trust boards with advice on how patient information should be shared – acting as the ‘conscience of the organisation’ – the Caldicott Guardian’s role is now being extended to take a greater lead on information governance, Its primary purposes are to ensure information governance is effective and to provide oversight of information sharing amongst clinicians.

But distinct from SIROs – whose remit is to look at risks across all information systems – Caldicott Guardians are solely focused on patient-identifiable information. Their rationale is to safeguard and govern uses of patient information within a trust, as well as data flows to other NHS and non-NHS organisations.

In this context, there is now the opportunity and indeed the expectation that Caldicott Guardians will take ownership of the implementation of Caldicott2 for their organisation and, as a fellow board member, they must work closely with the SIRO to ensure a trust’s information risk strategy protects patient confidentiality.

Where next?

So armed with a robust framework to underpin the secure and effective implementation of information sharing, how can NHS organisations make the move from ideology to delivery? Trusts that make the greatest strides towards protecting patient confidentiality will be those where the SIRO and the Caldicott Guardian work closely together.

Best practice examples show that the most pro-active trusts have embraced the need to ensure organisation-wide understanding of the importance of data sharing and patient confidentiality – and, championed by both SIROs and Caldicott Guardians, have facilitated sustained engagement with Information Asset Owners and trust staff to develop a culture of privacy.

The effective use of technology has also proved a critical success factor. The requirement to report privacy breaches has placed SIROs under increased pressure to ensure trusts are maintaining the highest standards of information governance – indeed DH training for SIROs states that any privacy breach could be a ‘career-ending event’. But innovative solutions are there to support them.

Technology is readily available that can provide increased transparency regarding who is accessing patient records and enable trusts to monitor access pro-actively. In fact, the Government’s response to Caldicott2 highlighted the effective use of privacy breach detection tools (or patient privacy monitoring solutions as they are often called) in NHS Scotland as a good example of best practice.

The secure, timely and effective sharing of patient information can transform healthcare services in the UK. But it will only succeed if patients’ personal data is treated with propriety and respect

Use of such technology can significantly help SIROs underpin their responsibilities for information assurance and, in the process, facilitate the optimal use of patient data to support the strategic goals outlined by the chief executive and board. Patient privacy monitoring solutions provide SIROs with greater assurance that data access is appropriate and can protect a trust’s reputation by mitigating the risk of confidentiality breaches. Furthermore, the use of technology can help trusts reinforce a culture of privacy.

Caldicott2 represents a significant milestone in the UK’s ambitions to harness the power of information. To seize the opportunity, SIROs should redouble their efforts to drive collective responsibility across the organisation, and set up an appropriate information risk framework that focuses the trust on the importance of data transparency. And, as an increasing number of UK trusts are beginning to do, they should consider putting in place the appropriate technology that underpins the Caldicott2 recommendations.

The secure, timely and effective sharing of patient information can transform healthcare services in the UK. But it will only succeed if patients’ personal data is treated with propriety and respect. As Jeremy Hunt said in his endorsement of the <> Caldicott2 recommendations, ‘the prize for achieving this is very great indeed’.

Companies