1
Health Service Executive Healthcare Records Management Programme
Wednesday 16th November 2011
Irish Computer Society Data Protection Workshop
2
Introduction
• Name
• Background
• Current role
• Healthcare records
3
Overview
• Context
• Aims of the programme
• What have we done?
• The challenges
• Practical steps to prevent a Data Protection Breach
4
Context
• Patient Safety
• Litigation
• Legislation
• Electronic Patient Record
5
Eight rules of Data Protection
1. Obtain and process data fairly
2. Keep it only for one or more specified, explicit and lawful purposes
3. Use and disclose it only in ways compatible with these purposes
4. Keep it safe and secure
5. Keep it accurate, complete and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it for no longer than is necessary for the purpose or purposes for which it was obtained
8. Give a copy of his/her personal data to an individual, on request
6
Aims of the programme
• To provide a framework for consistent, coherent healthcare records management in the HSE which in turn supports a high quality service
• To develop and implement initiatives to improve healthcare records management and promote patient safety
7
What have we done?
• Developed Standards & Recommended Practices
• Standardised national healthcare record
• Developed in the context of the acute services but currently extending the work of the programme to all Community Services including Mental Health
8
Types of records
• Patient records (electronic or paper based)
• Emergency department, birth, theatre and other related registers
• X-ray images and reports
• Photographs and slides
• Microfiche/microfilm
• Audio and video tapes etc.
• Computerised records
• Scanned records
9
What are medical records?
Adequate medical records enable you or
somebody else to reconstruct the
essential parts of each patient contact
without reference to memory.
Medical Protection Society, 2010
10
Importance of the healthcare record
• The healthcare record plays a crucial role in the provision of care
• It supports continuity of care and facilitates communication between all members of the multidisciplinary team
• It is a legal document that provides an overview of the service user’s state of health before, during and after a particular therapy/treatment
11
Data Protection
• The HSE is the largest controller of health and personal information in the state and we have a duty to ensure that we’re fully compliant with the Data Protection Acts of 1988 and 2003
• Data Protection is the responsibility of all staff
• However, healthcare records can be complex and the needs within a healthcare setting diverse so there are many challenges
12
The challenges
Complexity of the service – storage
• Current records stored in the healthcare record library
• Healthcare records no longer in everyday use that still need to be retained. Such records are often stored in secondary storage which may be on or off-site
• Healthcare records that have been transferred to an alternative medium, e.g. microfilm
13
The challenges cont’d
Complexity of the service – access
Healthcare records are required in various locations throughout the hospital and off-site
• Emergency Department
• The wards
• Day Care Unit
• Outpatient Department
• Clinical Nurse Specialists
• Health & social care professionals
• Outreach Clinics
14
The challenges cont’d
Not only HSE staff we have to consider:
• Students from all healthcare professions
• Work experience
• External contractors
• Volunteers
• Service user representatives
15
Practical steps to prevent a Data Protection Breach
• Care should be taken to ensure that healthcare records are not deliberately or inadvertently viewed by uninvolved parties (e.g. files left on a desk, computer screens on view)
• Healthcare records should be stored in a secure/supervised area with restricted access
16
Practical steps cont’d
• Files not in secure/supervised area with restricted access should be kept locked away when not being used
• A ‘clear desk’ policy should be operated at the end of each working day or when long periods of absence are taken away from the desk/office
• Where healthcare records are kept in offices, whenever the office is left unattended it should be securely locked
17
Practical steps cont’d
Transporting Healthcare records (Rec. Practice 30)
• Healthcare records:
– should only be transported by authorised staff
– should be transported in such a way that patient names are not visible
– should never be left unattended in the course of their delivery
• Where healthcare records are transferred outside of the organisation they should be carried in a storage case, box file or in a sealed confidential pouch where the name on the record(s) cannot be identified
• If the situation arises that healthcare records must be left in an individual’s car, a taxi or ambulance (even for a very short time) they should be placed out of sight in the boot and the vehicle kept locked at all times
18
Practical steps cont’d
• It is preferable that post rather than fax or e-mail is used for client related correspondence
• When it is necessary to use either fax or e-mail the HSE’s Electronic Communication Policy must be adhered to
• Fax numbers which are used on a regular basis should be pre-programmed to help avoid dialling the incorrect number
19
Practical steps cont’d
• When posting personal information, ensure the correct size envelope is used to prevent the envelope from tearing and ensure the envelope is well sealed
• Ensure you have the correct postal address
• When posting sensitive personal information always use registered post
20
Practical steps cont’d
• When sending e-mail, double check the details to ensure you are sending the information to the correct address. Problems have been encountered by selecting the wrong recipient from an address list or using a similar (but incorrect) address
• When sending an attachment via e-mail, double check to ensure the correct attachment is sent
21
Practical steps cont’d
• When sending attachments that contain sensitive personal data via e-mail outside of ‘@hse.ie’ ensure the attachment is password protected (ICT will provide assistance)
• The HSE’s Encryption Policy must be strictly adhered to regarding desktop computers, mobile computer devices and removable storage devices
• Each staff member is responsible for ensuring that their electronic devices are encrypted
22
Practical steps cont’d
• Passwords:
– must not be shared amongst colleagues
– must not be written down and left in convenient places (on or near your desktop/laptop)
– should be changed at regular intervals
• Remember your password determines your level of access
• For further information on passwords please check the HSE’s Password Standards Policy
23
Good practice
• PPPGs in place that encompass all the principles of the Standards & Recommended Practices
• Recommended Practices that are particularly relevant:
– 12 Service user information requests (page 106)
– 13 Requests for the healthcare record for research purposes (page 121)
– 16 Confidentiality & Security of service user healthcare information (page 130)
– 18 Service user registration (page 138)
– 21 Storage of the healthcare record (page 149)
– 29 Transfer of healthcare information (page 172)
– 30 Transporting the healthcare record (page 174)
• NHO Code of Practice for HCRM (part 5) Retention and Disposal Schedule
24
What to do in the event of a breach
• The HSE’s Data Protection Breach Management Policy must be adhered to
• All information breaches must be reported to the Consumer Affairs or ICT Directorate immediately
• Members of staff and their line manager must complete a Data Breach Incident Report and forward (via fax or e-mail a scanned copy) to their local Consumer Affairs Area Office (manual) or ICT Office (electronic)
• Consumer Affairs will notify the Data Protection Commissioner’s office, if required
25
Conclusion
• Managing healthcare records is vital whether resources are adequate or scarce
• We face many challenges, but we have a duty of care to our patients and a legal responsibility
• In recent times the medical sector has found itself in the midst of what could be described as a storm of Data Protection breaches
• We cannot ignore things and hope the storm passes
26
Conclusion
• We must raise awareness
• We must do the right thing
• We must make our staff aware of their responsibilities:
– Training
– E-mail blitz
– Reminder at all staff meetings
– Sign a declaration
27
Useful links
• Electronic Communications Policy http://www.hse.ie/eng/services/Publications/pp/ict/Electronic_Communications_Policy.pdf
• Encryption Policy http://www.hse.ie/eng/services/Publications/pp/ict/Encryption_Policy.pdf
• Password Standards Policy http://www.hse.ie/eng/services/Publications/pp/ict/Password_Standards_Policy.pdf
• Data Protection Breach Management Policy http://www.hse.ie/eng/services/Publications/pp/ict/Data_Protection_Breach_Management_Policy.pdf
Thank you