Your SlideShare is downloading. ×
Review of Caldicott report-2 2013 by Dr Saurabh Bhatia
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Review of Caldicott report-2 2013 by Dr Saurabh Bhatia


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Patient Information ExchangeThe RecentRecommendationsA Review ofCaldicott2 Report 2013 aboutInformation Governance ReviewDr Saurabh Bhatia, MBBS, MS, FCRMedical
  • 2. Thispresentation is areview of(c) Dr S Bhatia 2013For IGR(Caldicott2)…aim has been toensure that there is anappropriate balancebetween theprotection of thepatient or user’sinformation, and theuse and sharing ofsuch information toimprove care
  • 3. A PreambleIn 1996-7, Dame Fiona Caldicott, a psychiatrist fromUK, led a committee to prepare a set ofrecommendations for patient data sharing principles andits confidentiality.The report was widely appreciated and implemented inUK and adapted in various forms across EuropeIt contained certain principles called Caldicott principlesand Hospitals had „Caldicott Guardians‟ to oversee theimplementation of Caldicott principles.In 2013, Caldicott commission has improved theirrecommendations in view of the technologicaladvancements, which will be reviewed here.(c) Dr S Bhatia 2013Review of Caldicott2
  • 4. Original Caldicott commissionrecommendationsfor managing medical information (1996-7):F Formally justify the purpose for whichthe information is usedI Identifiable information only whenabsolutely necessaryO Only the minimum required should beusedN Need to know accessA All must understand their responsibilitiesC Comply with and understand the lawDameFiona CaldicottReview of Caldicott2 (c) Dr S Bhatia 2013Original Extract
  • 5. The 2013 Caldicott2 reportThe report is released in Apr 2013It has 25 recommendations, most of which havebeen reviewed hereIt has re-emphasised some terms which removeambiguity from the minds of healthcare industry.Some of them have been mentioned here.You may download this report from Dr S Bhatia 2013
  • 6. Recommendation 1People must have the fullest possible accessto all the electronic care records aboutthem, across the whole health and socialcare system, without charge.An audit trail that details anyone andeveryone who has accessed a patient‟srecord should be made available in a suitableform to patients via their personal health andsocial care records.(c) Dr S Bhatia 2013The Keyword hereis “Without Charge”How will hospitalscater to the cost ofmaintaining these ITrecords and audittrails?At the sametime, thisemphasises thepatient right on herrecords withoutbeing arm-twisted toget them.Review of Caldicott2Original Extract Author‟s Note
  • 7. Recommendation 2For the purposes of direct care, relevantpersonal confidential data should be sharedamong the registered and regulated healthand social care professionals who have alegitimate relationship with the individual.Health and social care providers should audittheir services against NICE Clinical Guideline138, specifically against those qualitystatements concerned with sharinginformation for direct care.(c) Dr S Bhatia 2013Note the inclusion ofSocial Care.Should patientauthenticate who allhave a „legitimaterelationship‟ with thepatient?Review of Caldicott2Original Extract Author‟s Note
  • 8. Recommendation 3The health and social care professionalregulators must agree upon and publish theconditions under which regulated andregistered professionals can rely on impliedconsent to share personal confidential datafor direct care.Where appropriate, this should be done inconsultation with the relevant Royal College.This process should be commissioned fromthe Professional Standards Authority.(c) Dr S Bhatia 2013This defines theautonomy ofhealthcareorganisations to makesharingdecisions, where theycan share info as amatter of process andnot keep takingconsents all the timeReview of Caldicott2Original Extract Author‟s Note
  • 9. Recommendation 4Direct care is provided by health and social carestaff working in multi-disciplinary „care teams‟. TheReview Panel recommends that registered andregulated social workers be considered a part ofthe care team. Relevant information should beshared with members of the care team, when theyhave a legitimate relationship with the patient orservice user. Providers must ensure that sharing iseffective and safe. Commissioners must assurethemselves on providers‟ performance.Care teams may also contain staff that are notregistered with a regulatory authority and yetundertake direct care. Health and social careprovider organisations must ensure that robustcombinations of safeguards are put in for thesestaff with regard to the processing of personalconfidential data.(c) Dr S Bhatia 2013A Mixed Bag.While social care orgsare being included,they need to have„safeguards‟ whichkind of puts a cost ontheir accessing info.Good in spirit, difficultto implement.Review of Caldicott2Original Extract Author‟s Note
  • 10. Recommendation 5The Review Panel also concluded thatindividuals must be informed of any breach oftheir personal confidential data as part ofmaintaining public trust and supportingtransparency.Recommendation 5In cases when there is a breach of personalconfidential data, the data controller, the individualor organisation legally responsible for thedata, must give a full explanation of the cause ofthe breach with the remedial action beingundertaken and an apology to the person whoseconfidentiality has been breached.(c) Dr S Bhatia 2013I feel this apologything is counter-productive.It will spur thedepartments to hushthings up instead ofacknowledging publicshame.Review of Caldicott2Original Extract Author‟s Note
  • 11. Recommendation 6The processing of data without a legalbasis, where one is required, must bereported to the board, or equivalent body ofthe health or social care organisationinvolved and dealt with as a data breach.There should be a standard severity scale forbreaches agreed across the whole of thehealth and social care system. The board orequivalent body of each organisation in thehealth and social care system must publishall such data breaches. This should be in thequality report of NHS organisations, or aspart of the annual report or performancereport for non-NHS organisations.(c) Dr S Bhatia 2013Another counterproductiverecommendation.Whenever the sharingof information will belinked to quality auditof an organisation,there will be personalor commercialmotives to simplydeny sharing or hushup the breachReview of Caldicott2Original Extract Author‟s Note
  • 12. Recommendation 7All organisations in the health andsocial care system should clearlyexplain to patients and the public howthe personal information they collectcould be used in de-identified form forresearch, audit, public health andother purposes. All organisationsmust also make clear what rights theindividual has open to them, includingany ability to actively dissent (i.e.withhold their consent).(c) Dr S Bhatia 2013A very good rec.This also ensures thatsomewhere, we canlook forward to BigData and its utilisationin future.Review of Caldicott2Original Extract Author‟s Note
  • 13. Recommendation 8Consent is one way in which personal confidentialdata can be legally shared. In such situationspeople are entitled to have their consent decisionsreliably recorded and available to be sharedwhenever appropriate, so their wishes can berespected. In this context, the Informatics ServicesCommissioning Group must develop orcommission:guidance for the reliable recording in the carerecord of any consent decision an individualmakes in relation to sharing their personalconfidential data; anda strategy to ensure these consent decisions canbe shared and provide assurance that theindividual‟s wishes are respected.(c) Dr S Bhatia 2013Again, this rec willsafeguard bothpatients as well asproviders. This willalso pave way forfuture of collectivedecision making andunderstanding thepatterns of individualreticence to datasharing and help insocial medicine andpolicy making, too.Review of Caldicott2Original Extract Author‟s Note
  • 14. Recommendation 9The rights, pledges and duties relating to patientinformation set out in the NHS Constitution shouldbe extended to cover the whole health and socialcare system.(c) Dr S Bhatia 2013The rights, pledgesand duties should beread directly from thereport. They areembodiment of thebasic principles andspirit of this entireexercise.Pg 59-60 of originalreportReview of Caldicott2Original Extract Author‟s Note
  • 15. Recommendation 10The linkage of personal confidentialdata, which requires a legal basis, or datathat has been de-identified, but stillcarries a high risk that it could be re-identified with reasonable effort, frommore than one organisation for anypurpose other than direct care shouldonly be done in specialist, well-governed, independently scrutinised andaccredited environments called‘accredited safe havens’.(c) Dr S Bhatia 2013Once again, this is asafe-than-sorryapproach whichneeds moreeleboration by otherbodies like TheInformatics ServicesCommissioning Groupand The InformaticsServicesCommissioningGroup. Unlesshandled carefully,can be the newexcuse to denysharing.Review of Caldicott2Original Extract Author‟s Note
  • 16. Recommendation 11The Information Centre‟s code of practiceshould establish that an individual‟s existingright to object to their personal confidentialdata being shared, and to have that objectionconsidered, applies to both current and futuredisclosures irrespective of whether they aremandated or permitted by statute.Both the criteria used to assess reasonableobjections and the consistent application ofthose criteria should be reviewed on anongoing basis.(c) Dr S Bhatia 2013A double edgedsword. Whatconstitutes a„reasonable‟ objectioncan be reviewed overa period of time.Review of Caldicott2Original Extract Author‟s Note
  • 17. Recommendation 14Regulatory, professional and educationalbodies should ensure that:information governance, and especially bestpractice on appropriate sharing, is a corecompetency of undergraduate training; andinformation governance, appropriatesharing, sound record keeping and theimportance of data quality are part ofcontinuous professional development and areassessed as part of any professionalrevalidation process.(c) Dr S Bhatia 2013An excellent rec. Thiswill ensure thatinformatics, itsintricacies and itsapplication becomes apart of nursing andmedical education.This will also meanthat the new crop ofprofessionals will notsee computers asoverheads/ nuisance.Review of Caldicott2Original Extract Author‟s Note
  • 18. Recommendation 15The Department of Health shouldrecommend that all organisations within thehealth and social care system which processpersonal confidential data, including but notlimited to local authorities and social careproviders as well as telephony and othervirtual service providers, appoint a CaldicottGuardian and any information governanceleaders required, and assure themselves oftheir continuous professional development.(c) Dr S Bhatia 2013This is equivalent tohaving an ethicscommittee or auditoror quality assessor onboard and in variouscountries, can beadapted inappropriate forms.Review of Caldicott2Original Extract Author‟s Note
  • 19. Recommendation 16Given the number of social welfare initiativesinvolving the creation or use of familyrecords, the Review Panel recommends thatsuch initiatives should be examined in detailfrom the perspective of Article 8 of theHuman Rights Act. The Law Commissionshould consider including this in itsforthcoming review of the data sharingbetween public bodies(c) Dr S Bhatia 2013This is the first steptowardsacknowledging therole of family in aperson‟s healthrecord. This will pavethe way for a bettersocially structuredform of recordsharing. Earlyinitiative and will taketime but on right lines.Review of Caldicott2Original Extract Author‟s NotePlease note that asian countries, wherefamilies are closer and individual existenceis usually not as paramount as west, familyrecords are a „must-have‟ and people canget offended and violent if denied accessto the records of their near and dear ones.
  • 20. Recommendation 17The NHS Commissioning Board, clinicalcommissioning groups and local authorities mustensure that health and social care services thatoffer virtual consultations and/ or are dependenton medical devices for biometric monitoring areconforming to best practice with regard toinformation governance and will do so in thefuture.The Review Panel concluded that providers ofdirect care services using virtual consultationsshould offer patients access to their record and acopy of all ongoing communications from thatrecord. …any provider offering virtual consultationservices should be able to share, whenappropriate, relevant digital information from thepatient, with registered and regulated health orsocial care professionals responsible for thepatient‟s care. This includes both written text ornumbers and images, such as photographs.(c) Dr S Bhatia 2013This is a strong boostto telemedicine in allforms. It is a verytentative step, andallows other bodies todefine bestpractices, but at leasta formalacknowledgement ofvirtual services and astep towards reducingthe legal paranoiaaround them in themind of doctors.Review of Caldicott2Original Extract Author‟s Note
  • 21. Recommendation 20The Department of Health should lead thedevelopment and implementation ofa standard template that all health and social careorganisations can use when creating datacontroller to data controller data sharingagreements. The template should ensure thatagreements meet legal requirements and requireminimum resources to implement.(c) Dr S Bhatia 2013This is a step in thedirection of systemagnostic healthcareinformation exchange.Templates, oncedefined, can beincluded as part ofvarious systems byvendors thusproviding HIE withoutthe technologicalbarriers.Review of Caldicott2Original Extract Author‟s Note
  • 22. Revised list of Caldicottprinciples1. Justify the purpose(s)2. Don’t use personal confidential data unless it is absolutely necessary3. Use the minimum necessary personal confidential data4. Access to personal confidential data should be on a strict need-to-knowbasis5. Everyone with access to personal confidential data should be aware oftheir responsibilities6. Comply with the law7. The duty to share information can be as important as the duty to protectpatient confidentiality(c) Dr S Bhatia 2013Review of Caldicott2Original Extract Author‟s Note
  • 23. Other interesting changes…obligation to prevent information seepingoutside the health and social care systemshould not stop it being shared appropriatelywithin it.The term used to describe how organisationsmanage the way information is handled withinthe health and social care system in England is„information governance‟.Information governance applies to the balancebetween privacy and sharing of personalconfidential data and is therefore fundamentalto the health and social care system, providingboth the necessary safeguards to protectpatient information, and an effective frameworkto guide those working in the health and socialcare system to decide when to share, or not toshare. (c) Dr S Bhatia 2013This is a directeffect of hospitals(mis)using the dataprotection principlesto refuse to shareinformation orcharge hefty fees forthis.Review of Caldicott2Original Extract Author‟s Note
  • 24. Key definitionsPeople often talk about „data‟ and „information‟ asif they mean much the same thing. However theterms have a precise meaning and the words arenot interchangeable. Readers may understandthis report more easily by grasping the distinctionfrom the outset:Data is used to describe „qualitative or quantitativestatements or numbers that are assumed to befactual, and not the product of analysis orinterpretation.‟Information is the „output of some process thatsummarises interprets or otherwise representsdata to convey meaning.‟This report also uses the phrase „personalconfidential data‟ throughout. This termdescribes personal information about identified oridentifiable individuals, which should be keptprivate or secret.(c) Dr S Bhatia 2013The 1997 report didnot consider the issueof whetherprofessionals sharedinformation well, inthe interests ofpatients, because thatwas not regarded asa problem at the time.That omissionbecame increasinglynoticeable as theneed for closerintegration betweenhealth and socialcare became evermore apparentReview of Caldicott2Original Extract Author‟s Note
  • 25. People’s right to accessinformation aboutthemselves…give people better access to their carerecords… people who are allowed toshare their own records can beempowered to take part in decisions abouttheir own care...…patients‟ attempts to become involved indecision making were thwarted by“information governance rules” …even ifthey explicitly consented … because of„data protection policies‟;The Review Panel concludes thatpersonal confidential data can beshared with individuals via email whenthe individual has explicitly consentedand they have been informed of anypotential risk. (c) Dr S Bhatia 2013This is a major shiftfrom earlier policiesand whenimplemented, willnecessitate emailingof hospital record toa patient incommonly readableformats.Review of Caldicott2Original Extract Author‟s Note
  • 26. Definition: two types ofrecordsHealth and social care recordsThese are the commonest type and are supported by theinformation strategy.A professional creates an electronic patient record, which is thenshared with the patient and their relevant care teams. The healthor social care professional is responsible and accountable forthat record when it is for the purpose of direct care. Patientsmay get right of access, the ability to see, interact andrequest corrections but not the right to change the contentbecause that might be clinically unsafe. This access issometimes referred to as „patient online access‟ or „recordaccess‟.Patient-owned recordsThese are less common forms of record that individuals createand manage themselves. They are kept separate from anyelectronic patient record and the individual has total controland responsibility for the content. Patient-owned records mayinclude extracts from electronic patient records, but may alsocontain information added by the individual such as exercisemonitoring data, weight etc; commercial contributions e.g. fromover the counter drug purchases or from supermarket alcoholpurchases; and contributions from personally acquired „medicaldevices‟. (c) Dr S Bhatia 2013For the firsttime, there is officialdifferentiationequalling an EMRvs PHR debate/status of records.This will impact theway patients accesstheir records of Caldicott2Original Extract Author‟s Note
  • 27. Implied ConsentThere is in effect an unwritten agreement between theindividual and the professionals who provide the carethat allows this [data] sharing to take place.Implied consent is applicable only within thecontext of direct care of individuals.It refers to instances where the consent of theindividual patient can be implied withouthaving to make any positive action, such asgiving their verbal agreement for a specificaspect of sharing information to proceed.Examples of the use of implied consentinclude doctors and nurses sharing personalconfidential data during handovers withoutasking for the patient‟s consent.The Review Panel concluded that across the healthand social care system, implied consent is onlyapplicable in instances of direct care(c) Dr S Bhatia 2013For the first time, we areseeing some sanityprevailing over theparanoia of dataprotection. Info-governance is finallyrecognizing theimportance of impliedconsent, which hasbeen the basis of mostof our clinical practiceshistoricallyGMC guidance onconfidentiality, consent.aspReview of Caldicott2Original Extract Author‟s Note
  • 28. Full ReportI have covered only those recommendationswhich can have an impact internationally.For other recs, please read the full reportThis ppt will also be available, along with the fullreport from our views are personal views of the authorComments can be sent at Dr S Bhatia 2013