Practices need to take precautions to protect the physical security of their electronic patient records and non-clinical information systems
Primary healthcare teams increasingly deliver an integrated approach to the delivery of healthcare services facilitated by the use of technology. The ‘New GMS Contract 2003: Investing in General Practice’ (the ‘Blue Book’) set out the agreement reached between the NHS Confederation and the General Practitioners Committee of the British Medical Association (BMA) on a new practice-based contract in General Medical Services (GMS). Chapter four of the Blue Book made provision for the modernisation of practice infrastructure, including detailed provisions relating to the modernisation of information management and technology (IM&T) in general practice.
This agreement introduced the concept of a managed information technology (IT) service for GMS practices. The current health and social care informatics agenda requires the capture, generation, use and continuous monitoring of high quality information spanning two critical areas; the effectiveness of treatment and care and the clinical performance of those delivering services within the NHS. The key to using information is to balance and integrate it in an interactive process of care systems, putting it in context within a local health improvement plan, people and technology.1
The reliability of information derived will depend on the consistency and completeness of the patient records. The true benefit of electronic health records can only be delivered if the record plays an active role in the delivery of quality health and social care.2 According to NHS England: “Data and information are at the heart of improvement for our patients. Put to good use – openly and transparently – high quality data will support our focus on the individual, improve productivity and empower patients and clinicians to transform local services. To achieve this we need world-class IT and technology systems right across the NHS, but especially in primary care, where there are millions of interactions with patients every week. And we need to connect data and information across pathways, seamlessly integrating across organisations and systems.”
NHS England became accountable for the delivery of primary care information services on 1 April 2013; it delegated responsibility for local operational management of GP IT and associated funding to clinical commissioning groups (CCGs) to include: provision of clinical systems and associated hardware and network services; and provision of support services to GP practices.
The principal objectives of an IT support service are to:
– Appropriately support patient care and help support practices in meeting their obligations under the contract.
– Help practices support the IT needs of their businesses.
– Be easily understood and facilitate engagement with practices.
– Have reliable systems for measuring and monitoring.
– Clarify appropriate obligations for all the parties to the contract, for example the practice, CCG, NHS England and supplier(s).
– Support practices’ integration with local and national informatics initiatives.
– Provide best value for money.
System management – storage and backup
There are a number of precautions to be taken to protect the physical security of electronic patient records. Firstly ensure a documented procedure, with named responsibilities for action. For regular backup of the server/network backup facility, consider real-time backups. Test the back-up procedure regularly, restore the verification service that may be available via system suppliers, and include auto-power-down software.
There is also a need for practices to consider non-clinical information system arrangements, such as finance systems and office administration systems. CCGs, in conjunction with practices, need to ensure that clinical system servers (and administrative/network servers where appropriate) equipment is fit for purpose to support appropriate, efficient and effective access to clinical information and supporting applications. Memory and storage capacity should be sufficient to meet the immediate and foreseeable requirements of the practice.
Practices are expected to take reasonable precautions to ensure that equipment is secure and protected from theft. In particular, there is a risk of breach of confidentiality where a computer is stolen or data otherwise falls into unauthorised hands. Any data stored on a computer hard drive is vulnerable and includes the following:
– Physical loss or damage of the computer.
– Theft.
– Water damage.
– Fire or physical destruction.
– Faulty components.
– Software.
Servers should be sited away from risk of accidental knocking, spillage of drinks, leaking pipes, overheating due to radiators and be inaccessible to the public.
The Health & Social Care Information Centre (HSCIC) advises NHS organisations and its partners review the Information Commissioners Office guidance on the use of cloud computing. It provides useful information on considerations which should be taken when determining whether to store or process personal or sensitive personal data ‘in the cloud’ together with any legal obligations.3
Dr Clare Gerada, immediate past chair of the Royal College of General Practitioners (RCGP) suggests: “GPs and their practice teams are operating in an increasingly complex world and guidance which helps us to do our job more efficiently and deliver safer care to our patients is very welcome.”4
Table 1 provides details of sources of information.
References
Roper W, Cutler C. Health plan accountability and reporting. Issues and Challenges Health Affairs 1998;17(17):152-5.
Department of Health/Royal College of General Practitioners/BMA. The Good Practice Guidelines for GP electronic patient records v4. 2011.
