Dr Osman Bhatti, GP and Chief Clinical Information Officer for North East London CCG, joined us at our HTN Digital Primary Care event to discuss patient access to GP records.
Osman set out to explore topics including what patient access means for general practice, what practices need to do to prepare, what patients will be able to see and the role of retrospective data.
“We’ll start off with the timeline of what has actually been happening with patient record access over the last few years,” Osman began. He shared how online access became an available functionality in 2015 and some GP practices began to offer patient access to records on a limited basis. In 2019, a contractual announcement was made that stated that new patients registering with a practice should be offered full online access to their digital record, starting from the date of their registration for online services. In October 2021 NHSX announced that patient access should be mandated. The current date for expected go-live is November 2022.
The 2019 contractual agreement stated that this offer did not just include “the detailed coded record, which is what we are traditionally aware of, where patients get access to coded information like their metrics eg blood pressure and weight,” said Osman. It also included “free text consultations and documents as well. It was also caveated by the fact that there needs to be some safeguarding information requirements, enabling practices to redact or withhold information if they felt it was suitable for that patient.”
It became apparent that some support was needed to help practices implement this. “What we did, locally, was create a general guide for primary care,” Osman said. “We shared information as to what was happening, the contractual commitment from 2019 and some information about proxy access.”
“In North East London, if practices were aware of the contractual requirements and patients requested online access at that time, then there was a process that they could follow. When practices got the request for online access, they would issue the patient with information and an application form; the patient then returned the form and verified their identity and a code was applied to the notes. The patient was then given full access, at that point of verification. For our local process, there was a two week period in which we expected practices to review those patient notes and they could also use the opportunity to tidy up the medical records, marking any confidential data as such.”
Osman noted that this process happened at a time when “demand wasn’t as high and practices could manage” but that the current pressures on GP services means that the historic process “needs to be a bit more clear and we need to have more safeguards in that.” He added: “We’re looking at reviewing the process entirely in light of the new requirements.”
On the topic of safeguarding requirements, Osman shared NHS England’s information on who and what is subject to appropriate safeguards. Access to records must not cause harm to the patient and legal confidentiality obligations for non-disclosure of third-party information must be adhered to. “The other thing to bear in mind is that we can use clinical judgement,” said Osman. “As clinicians and staff within primary care, we know our patients, so we can use our clinical judgement to actually withhold information if we feel that it is appropriate.” In addition, “we should have the opportunity to redact from the patient view but not delete from the record, because it is still worth clinicians having that information as part of a legal record.
“What’s really important with the proposal in November is that patients will get prospective access,” Osman continued. “One of the concerns raised is that if patients gain prospective access, then we need to be really tight from now on to try and make sure that we’re doing due diligence on notes as we write them.”
Another important feature to note is that “we’re talking about prospective access now,” said Osman, “but I’m sure that NHS England are thinking about retrospective access. There are still some concerns around that, particularly when it comes to patients who’ve moved surgery, and, for example, say the other practice has marked some items in the notes as confidential that doesn’t get transferred to the new GP. If the electronic notes come across, the confidentiality flags can reset, and there are various reasons for that – NHS England have said that it’s because the new GP practice is the new data controller and therefore should be going through the notes again, which can be an issue in the process.”
Moving on, Osman highlighted NHS England’s document ‘Update to the GP contract agreement 2020/2021 – 2023/2024’. The document states that GP practices should no longer use fax machines for NHS or patient communications where there is a secure alternative, and practices should offer “all patients online access to all prospective data on their patient record unless exceptional circumstance apply”. It also notes that NHS England will “look at how third-party redaction software could be made available to general practice as a matter of course to further support practices deliver full historic online access to records for their patients”.
Osman also noted that April saw heavy promotion for patients to download the NHS App, which allows them to access their medical record. He shared some of the records available on the App to patients, such as prescription management and access to immunisation information, adding that allowing patients to control this information without needing to phone or visit their GP eases pressure on busy services.
“What we probably want a little more control over is the availability of detailed medical record access,” Osman continued, “which includes things like test results, and access to documents and letters. One of the things that we are doing in our practices is looking at the patients who are contacting the practice to ask about test results – we’re in the process of changing that system so that when patients have a blood test, they are told to look up the results on the NHS App, and then we will put some communication into their results to let them know next steps.”
Next, Osman moved on to discuss the current date for patient access to records going live: November 2022. This date has been pushed back a number of times, with NHS England saying that the current date is set to provide time for teams to prepare and access support, to give them time to identify individuals who may potentially be at risk, and to build staff confidence and embed training.
Osman highlighted a letter sent from NHS England to GP practices in July 2022, which states: “Over the coming months our aim is to build trust and confidence in clinicians and practice teams to provide online access. To prepare for this change we are asking general practices to identify patients who could be at risk of serious harm from having automatic access to their records and ensure the right safeguarding processes are in place to support access to all future data… an individual review may be required to exclude patients from having access.”
It went on to note that further information governance advice is available, including a template Data Protection Impact Assessment (DPIA) for general practice. Going into more depth, he shared information from the NHS App website which states: “As data controller, GP practices should assure themselves that their existing DPIA covers making information available via the NHS App or other existing approved applications. If this is the case, you should not need to conduct a separate DPIA or change your existing one.”
However, Osman commented, “I don’t think many practices already have a DPIA in place for the NHS App, so it’s something that we need to be considering.” Examining ICO guidance around DPIAs, Osman shared some key information: “It is data controllers who ultimately bear responsibility, but ‘you may want to ask a processor to carry out the DPIA if they do the relevant processing operation’. I think that’s where NHS England should provide support, around carrying out the DPIA on behalf of GP practices.
“I suppose one of the other concerns here is the question of whether we need to have some kind of agreement, that if the NHS App is the mode through which we share records, should NHS England be joint controllers and hold joint responsibility for any issues that might arise.”
The letter also went on to add that patients access settings should be reviewed, and where necessary for safeguarding purposes, practices should ensure that they do not receive access to future information by “applying the appropriate Systematised Nomenclature of Medicine (SNOMED CT) code.”
Osman shared some of NHS Digital’s recommendations for best practice regarding the adoption of clinical safety documents DCB 0129 and DCB 0160. “0129 is for the manufacturer to complete a clinical safety case, so here it would be NHS England or the NHS App,” he explained. “Then the practice or the end users would complete an 0160, which is a clinical safety case to say that they are happy with the 0129.”
Osman noted that clinical safety information on the NHS App isn’t widely available to date. “NHS England, through NHS Digital, are saying that they are producing a safety report and documentation for practices. This something that we feel strongly about, locally – we need to be aware of the clinical safety implications before we progress into launching it in November.”
Next, Osman looked at NHS England’s document ‘Securing Excellence in Primary Care (GP) Digital Services: The Primary Care (GP) Digital Services Operating Model 2021-2023’. Osman recommended the document and called it “an operating model that we would all sign up to”, but noted that with resources and funding in short supply, “excellence in digital services is going to be a struggle if budgets continue to be cut.”
Another useful resource is the GP online services toolkit from The Royal College of General Practitioners. “I certainly recommend having a look at it, because it really helps you think about online access. They’ve been updating it, it is a great resource that I often refer to.”
Osman summarised his preparation tips for practices ahead of the November 2022 go-live, noting that some of it is being done already:
- Consider how information should be coded when documents and letters come into the GP practice, making it clear what the information is and where it comes from to make it easy for patients and staff to understand and follow.
- Be aware of safeguarding issues at all times, marking information as confidential and flagging notes as appropriate.
- All staff within the practice should download the NHS App to ensure that they understand it and can communicate clearly with patients.
- Ensure that you know which patients have got online access; check if the system you use has a functionality for marking patients as digitally active or not.
- Make sure that the patient problem list is tidied up; in Osman’s practice, when patients come in for medication reviews or long-term conditions review, this is used as an opportunity to clean up the problem list, for example by making sure that active or minor problems are marked as such, medication lists are reordered and outdated information is marked as ‘past’.
- Ensure that practice teams understand document workflow; when a document comes in, who is going to receive it, who will code it, what happens to the document if it contains third party information?
Osman shared some early adopter site learning, such as knowledge presented by Bath and North East Somerset, Swindon and Wiltshire Integrated Care Board: “They’ve got some really great guidance that basically creates a process and searches of patients who need to be considered for exclusion. They do this for System One and EMIS. I would advocate that we all have a look at that.”
Finally, Osman laid out his seven steps to success that NHS England should consider for patient access to online records:
- There is robust training to ensure all GP practice staff are aware of the changes and have put processes in place to ensure that prospective data is entered in a way that does not contain third party information, and cannot cause harm to the patient.
- All clinical systems have a process of redaction built into the workflow of document and pathology processing.
- Building on the lessons learnt from early adopter sites, published recommendations for redaction should be shared and publicised.
- Create a meaningful dashboard to show the number of patients requesting prospective and retrospective access to online records, to address concerns of increasing workload.
- The third party software promised in 2020 be provided to every GP practice on an ongoing basis, funded centrally and equally, before legislation or directive for retrospective data is made.
- NHS Digital should publish the clinical safety documentation soon, including data flow, hazard log and safety case.
- NHS Digital should support GP practices in developing their own clinical safety document, as per their own best practice guidance.
At this point, Osman took questions from the webinar audience; please visit 41:50 on the video below to watch this section.