Clinical Dashboards Pilot - Information Governance Guide

CD-PILOT-01 12 May 2009/V1

Clinical Dashboards Pilot Programme

Information Governance Guide

Amendment History:

Version / Date / Amendment History
01A / February 2009 / First draft created.
01B / February 2009 / Informal review and input from Mark Cain (IG Team) and Danny Solomon (ESP Team).
01E / March 2009 / Review by programme team and Spine team IG architect.
01F / March 2009 / Review by IG Team (Steve Davison and Peter Singleton).
01G / March 2009 / Updated version after further review with Peter Singleton.
01H / March 2009 / Addition of reviewer.
01I / May 2009 / Update to Sec 3.2.1 after review by Philip Brown.
01 Approved / 12th May 2009 / Document approved at the Programme Board.

Reviewers:

This document must be reviewed by the following. Indicate any delegation for sign off.

Name / Signature / Title / Responsibility / Date / Version
Dermot Ryan / Dashboards Programme Manager
Tom Davison / Dashboards team
IG Team/Peter Singleton/Anne Cooper / IG Team
Infrastructure Security Team/James Wood/ Jason Alexander / Infrastructure Security Team
Dave Atherton / Programme Manager
Sally Getgood / Dashboards clinical lead
Roy McNamara / Spine team IG Architect
Philip Brown / Head, Access Control

Approvals:

This document requires the following approvals:

Name / Signature / Title / Responsibility / Date / Version
Clinical Dashboard Programme Board / 12th May 2009 / 1

Document Status:

This is a controlled document.

This document version is only valid at the time it is retrieved from controlled filestore, after which a new approved version will replace it.

On receipt of a new issue, please destroy all previous issues (unless a specified earlier issue is base-lined for use throughout the programme).

Glossary of Terms:

Term / Acronym / Definition
Clinical Dashboard / A 'clinical dashboard' is a toolset developed to provide clinicians with the relevant and timely information they need to inform daily decisions that improve quality of patient care.
Clinical Dashboard Pilot / Pilot phase to further evaluate the benefits of Clinical Dashboards in a number of additional NHS organisations and clinical specialties.
Extract, Transform & Load / ETL / The processes of Extracting, Transforming (or Transporting), and Loading data from source systems into a data warehouse.
Implementation / To put the agreed dashboards into effect.
Information Technology / IT / The study, design, development, Implementation, support or management of computer-based information systems, particularly software applications and computer hardware.
Memorandum of Understanding / MoU / A document describing a bilateral or multilateral agreement between parties.
Potential National Roll-out / The Clinical Dashboards Pilot will inform the potential national roll-out of Clinical Dashboards.
NHS Connecting for Health / NHS CFH / NHS Connecting for Health supports the NHS in providing better, safer care, by delivering computer systems and services that improve how patient information is stored and accessed.
Other Service Recipient / Responsible for overall ownership of the local Implementation, metrics definition, day to day project management, benefits tracking and benefits realisation.
Patient Administration System / PAS / A hospital computer system which records details including the patient’s name, home address, date of birth and each contact with the outpatient department or admission and discharge.
Secondary Uses Service / SUS / The single source of comprehensive data to enable a range of reporting and analysis.
Services Agreement / The terms and conditions to be entered into by the Supplier and NHS CFH which shall govern the supply of the Clinical Dashboard services.
Site / Responsible for overall ownership of the local Implementation, metrics definition, day to day project management, benefits tracking and benefits realisation.
Specialty / A branch of medical science.
Strategic Health Authority / SHA / Responsible for enacting the directives and Implementing fiscal policy as dictated by the Department of Health at a regional level.
Supplier / Responsible for design, development, Implementation and handover to Site of the clinical dashboards and supporting local Implementation planning.


Contents

1 About this Document

1.1 Purpose

1.2 Background

1.3 Objective

2 Local Process for Information Governance

2.1 Introduction

2.2 Information Governance Process

3 Clinical Dashboard Solution Access

3.1 Introduction

3.2 Pilot Phase

3.2.1 Rationale for Pilot Phase Authentication

3.3 Trial of Smartcard Access during Pilot

4 Access to Patient Identifiable Data

4.1 Introduction

4.2 Data Access Use Cases

4.3 Supporting Details & References

4.3.1 Inferred Legitimate Relationship

4.3.2 Dissent

4.3.3 Information Sharing Agreements

4.3.4 Sealed Data

4.3.5 References

5 Other IG Controls

5.1 Introduction

5.2 Full Summary of IG Controls

© Crown Copyright 2011

1  About this Document

1.1  Purpose

The document provides a guide to the Information Governance approach for the Clinical Dashboard pilot. The pilot will inform the potential approaches for a wider rollout and further guidance will be developed in due course to support the selected approach.

This guide draws out relevant IG requirements and sets them in the context of clinical dashboards. In cases of any potential conflict between guidance provided in this document and national policy, the latter must take precedence.

Local organisations have their own Information Governance policies and processes and as such the intent of this document is to guide the risk assessment process and help to ensure appropriate risk management decisions are made by the local organisation. The primary decision making body for risk acceptance on access, data sharing, and other controls is the local organisation that deploys and operates clinical dashboards during the pilot phase.

1.2  Background

A 'clinical dashboard' is a toolset developed to provide clinicians with the relevant and timely information they need to inform daily decisions that improve quality of patient care. It gives clinicians easy access to data being captured locally, in a visual and usable format.

From an Information Governance perspective there are a number of key business uses that the Clinical Dashboard solution will provide and these are summarised in the table below.

Dashboard Type / Data Access Provided / Illustrative Example
Public Dashboard (Display provided in public area, no ability for public to interact with the dashboard) / Aggregated data; No statistical or anonymised data; No patient identifiable data; No patient specific clinical data / A&E Public Dashboard with details of waiting times and patient satisfaction levels.
Team Dashboard (Dashboard application provided for individual users or for access on a team workstation in a restricted area. Any drill down will provide consistent levels of data access e.g. no Patient Identifiable data) / Aggregated data; Statistical data; Anonymised data; No patient identifiable data; No patient specific clinical data / Nurses station dashboard with summary of bed occupancy. Drill through chart is available to show summary of occupancy over the last month.
Individual Dashboard (Dashboard application only available to an authorised user who is explicitly authenticated) / Aggregated data; Statistical data; Patient identifiable data; Clinical data / Clinician dashboard with gauge for blood test waiting times which also provides access to a drill down report of all patients awaiting test results.

The development of Clinical Dashboards was a key recommendation from both Lord Darzi's Next Stage Review and the Health Informatics Review.

Following the encouraging success of the first Clinical Dashboard prototypes in summer 2008, the Clinical Dashboards Programme has now been established within NHS Connecting for Health to deliver a pilot programme, extending the reach of Clinical Dashboards to a broader community of clinical teams across multiple strategic health authorities.

1.3  Objective

The objective of the Clinical Dashboards Pilot phase is to understand the cost and benefits of Clinical Dashboards in a range of specialty and site settings with the differing underlying technologies already in place. It will support the strategy and design of the national roll-out.

The intended outputs are to inform the Business Case for Clinical Dashboards and to develop an Implementation Toolkit. Importantly, it will leave the site with sustainable and functioning Clinical Dashboards which can be further developed by the recipient site following project completion.

The objective of this document is to guide the local organisations in their analysis and agreement of the Information Governance controls that are required for their own specific Clinical Dashboard Pilot implementation.

2  Local Process for Information Governance

2.1  Introduction

The primary decision making body for data sharing, access, and other information governance controls is the local organisation that deploys and operates clinical dashboards during the pilot phase. This document aims to guide the review and risk assessment process that is conducted as part of each Clinical Dashboard pilot project. The next section provides an indicative process to guide the project team, although it is expected that this will be tailored to fit with existing local IG processes and procedures.

2.2  Information Governance Process

The following steps should be conducted during the project scoping phase.

1.  Ensure the project team have identified and engaged the required local Information Governance staff.

2.  Familiarisation with this document and other supporting materials.

3.  Map the specific implementation data use cases against the generic set provided in this guide.

4.  Determine the specific controls that are required to support each implementation specific use case.

5.  Determine where an Information Sharing Agreement should be in place to control the sharing of data between organisations.

6.  Review each of the Information Governance controls that are listed in section 5 of this document.

7.  Document the full set of controls that are required for the specific implementation including details of the rationale and risk assessment that has been conducted.

8.  Review and sign-off the controls document by the local organisation IG manager and/or IG board.

3  Clinical Dashboard Solution Access

3.1  Introduction

This section sets out the planned access control and authentication mechanisms that will be required for the Clinical Dashboard Solution.

3.2  Pilot Phase

The following table sets out guidance for the core access controls that will be applied during the Pilot phase. This guidance table is based on a review of the existing Information Governance policy, toolkit and requirements documents; see below for more details.

Dashboard/User Type / Activity/Functionality / Access Security controls
(Note: It is assumed that all solutions will take data feeds with Patient Identifiable Data even if this is never visible to end users.)
Administrator / May initiate/start system, create/remove users, configure dashboard displays, and allocate end-user privileges / At least eGIF-2 *
Individual Dashboard / Can drill down to Patient Identifiable Data to directly support patient care. (Further IG Rules apply – see following section for more details). / At least eGIF-2 *
Team Dashboard / Clinician/Other Team Member- not authorised to view Patient Identifiable Data / At least eGIF-1 **
Public Dashboard / Used to control start up and close down the public display dashboard. The measures/metrics will be locally approved for public display. / At least eGIF-1 **

*eGIF-2: User name and strong password must be used to secure access as no Public Key Infrastructure is available and where the dashboard is only providing ‘local’ data. (Preferably using single sign on via login to the trust domain.) If serving data from NHS Care Record Service systems, then eGIF-3 (Certificate based authentication using Smartcards) would be required.

**eGIF-1: User name and strong password must be used to secure access. The workstation controlling the display will receive only aggregated statistical data, so risk is reduced.

3.2.1  Rationale for Pilot Phase Authentication

There is a chain of Information Governance documents ranging from the NHS Code of Practice for Information Security Management, through to the IG toolkit and then specific requirements documents that have been developed by Connecting for Health for the National Programme.

The National Programme requirements which have been used to inform the approach for this programme do specify use of Smartcard authentication for NHS Care Record Service systems that are directly connected to Spine services. There is no plan to integrate the clinical dashboard with Spine messaging services during the pilot; rather, it will be deployed locally and integrated with local systems. Most, if not all, of the local systems for the pilot organisations are not Spine-connected and do not use Smartcards.

The policy and IG toolkit documents are not prescriptive about authentication solutions but rather rely on the local organisation to ensure appropriate risk assessment has been conducted and controls proportionate to the access provided are in place. The relevant requirement from the IG Toolkit states - “Does the Organisation ensure that operating and application information systems under its control, support appropriate access control functionality?”.

Given that the dashboards will only provide patient identifiable data to staff who have a legitimate need to see that data, and given that the source systems, which also provide access to a much bigger set of patient identifiable data, are secured through username and password access, the dashboards will provide at least as secure an authentication mechanism as that of the local source systems. Further details are provided on the use of patient identifiable data and data sharing between organisations later in this document.

The use of non-IT controls also plays a very important role in protecting patient confidentiality and it is expected that all organisations and users of Clinical Dashboard solutions will have professional and local codes of conduct in place to govern individual user behaviour.

3.3  Trial of Smartcard Access during Pilot

User name and strong passwords are planned to be used to secure access for the pilot deployments. The intention is to test Smartcard and Spine security integration as an additional strand of one of the pilot projects to:

·  provide detailed information on the additional steps required to deliver Smartcard secured dashboard solutions including the added integration and national assurance activities;

·  inform the plans (timings, costs and business case) for a potential wider rollout;