PACS/RIS Computing Information Sharing Protocol

Kent & Medway NHS

Kent & Medway

Protocol for Confidentiality & Information Sharing for Organisations Utilising the Connecting for Health PACS/RIS Solutions withinKent & Medway

Title: / Information Sharing Protocol between organisations in
Kent & Medway utilising the RIS/PACS systems
Synopsis: / This document is the Information Sharing Protocol for ensuring confidentiality whilst permitting the transfer and sharing of information between organisations utilising the Connecting for Health RIS/PACS systems in Kent & Medway. This is a Tier Three level document (of the 3 Tier Model of Information Sharing - see Appendix B for more detail). It provides guidance on the processes by which information will be exchanged, monitored and managed and describes who has the authority to access what information for what purposes.
Version no.: / 1.0
Status: / Final
Date issued: / December 2005
Next review: / September 2006
Owned by: / Kent & Medway PACS Programme Board
Originator: / Miles Saunders
Change History: / V0.1 July 05
V0.2 August 05 / Changes following review
V0.3 September 05 / Changes following National Guidance
V0.4 September 05 / Changes following review
V1.0 December 05 / Final

Table of Contents

1Introduction

1.1Purpose

1.2Background to the PACS/RIS Solutions

1.3Scope

1.4Objectives of the Protocol

1.4.1To safeguard the patient’s rights to confidentiality

1.4.2To safeguard professional staff

1.5Parties to the agreement

2Strategic Context

2.1Kent & Medway Diagnostic Services

2.2Associated Documents

3Protocol Development

3.1Development process

3.2Consultation Arrangements

3.3Approval Process

3.4Public Awareness

4Principles

5Clarification of RIS/PACS Data

5.1What information is recorded

5.2How it will be used

5.3How it is stored

5.4Who it is shared with

5.5How patients can access information

6Purposes for which Person identifiable information may be shared

6.1Anonymised and Pseudonymised Information

7CONSENT

7.1Establishing the need for consent

7.2When will the patient be informed about the uses of the information?

7.3How will patients be informed?

7.4How will consent be gained?

7.5How will consent be kept up-to-date?

7.6How will this process be audited?

7.7What if consent can not be obtained?

7.8Dissent

7.9Proposed Approach to the Management of Patient Dissent

7.9.1Partial/Restricted Access to RIS/PACS

7.9.2Paper Based Process

7.10Deceased persons

7.11Providing operational guidance to staff

7.12Staff Training and Awareness

7.13Staff Information Sharing Agreement

8Security measures

8.1Internal access controls

9Management Issues

9.1Roles and Responsibilities

9.2Monitoring procedures

9.3Review process

10Agreements

11Appendices

11.1Appendix A: Example of PACS/RIS patient information leaflet

11.2Appendix B

12Annex A Determining Access to information

12.1Step1: Categories of Information

12.2Step 2: Identifying which staff groups may have a legitimate interest in personal information

12.3Step 3: Reasons Which Justify Access to a Particular Category of Information

12.4Step 5: Joint Procedures

13ANNEX B Participating Organisations

GLOSSARY

Term / Meaning
LSP / Local Service Provider
SHA / Strategic Health Authority
FJA / Fujitsu Alliance, the LSP for the Southern Cluster
PMI / Patient Master Index
RIS / Radiology Information System
HSS / Healthcare Software Systems
The RIS supplier that has been sub-contracted by the LSP
CRIS / The name of the RIS product
PACS / Picture and Archiving Communications System
NPfIT / National Programme for IT: the programme is intended to support the objectives of the NHS Plan by utilising IT as an enabler for improvements in the health and care of the patient.
CfH / Connecting for Health: the name of the new Department of Health agency which is delivering the NPfIT
Southern Cluster / The delivery of the NPfIT is managed by five regional units called clusters. Kent & Medway SHA is located in the southern cluster which is a federation of seven SHAs; Southwest Peninsula; Avon, Gloucester and Wilts; Dorset and Somerset; Hampshire and the Isle of Wight; Thames Valley; Surrey and Sussex and Kent and Medway. The implementation is overseen by a Cluster Programme Board on which the Chief Executives of each of the SHAssits.

1Introduction

1.1Purpose

The purpose of this document is to provide a framework for the secure and confidential sharing of information between NHS organisations utilising the Connecting for Health (CfH) PACS and RIS systems within the Kent & Medway Strategic Health Authority geographic boundaries. Such a framework is necessary to ensurethat personal information about the patient is not divulged to anyone not directly involved in their care without adherence to very clear safeguards and responsibilities, whilst at the same time ensuring that relevant information is readily available to those providing treatment or services to the individual.

This is a Tier Three level document (of the 3 Tier Model of Information Sharing - see Appendix B for more detail). However during this transitional stage the document has additional information for purposes of clarity.

This document sets out the principles and procedures that must be adopted by any signatory to this Protocol in order for staff concerned to be confident that personal information can be safely and legally shared with partner organisations.

This document:

  • Sets out the principles which underpin the exchange of information between signatory organisations
  • Defines the specific purposes for which these organisations have agreed to share information
  • Describes the roles which support the exchange of information between organisations
  • Describes the procedures and arrangements which will ensure that information is disclosed in line with statutory responsibilities
  • Sets out the responsibilities of organisations to implement internal arrangements to meet the requirements of the Protocol
  • Describes how this Protocol will be implemented, monitored, and reviewed.
  • Describes the approach to raising public awareness and to enable patients to make an informed decision on their consent to share their data and how this will be audited.
  • Describes the processes thatwill be put in placefor patient dissent to sharing information
  • Describes how the awareness of the issues around information sharing and governance will be addressed with staff using the systems.
  • Describes how this protocol will be monitored and audited.

1.2Background to the PACS/RIS Solutions

The National Programme for IT, which is being delivered by the new Department of Health agency NHS Connecting for Health (CfH), is bringing modern computer systems into the NHS to improve patient care and services. Over the next ten years, the National Programme for IT will connect over 30,000 GPs in England to almost 300 hospitals and give patients access to their personal health and care information, transforming the way the NHS works.

One of the first deliverables of CfH is Picture Archiving and Communications Systems (PACS) which enables the capture, storage, distribution and display of static or moving digital images such as electronic X-rays or scans.

The availability of electronic images takes away the need to print on film and to file or distribute images manually and means that as images are created they can be immediately sent and viewed across several NHS locations, which brings benefitsfor patients, clinicians and the wider National Health Service.

By April 2006PACS will be available across all acute trusts in the SHA, and has the scope to make images available across care-settings, in order to support the provision of care at the most appropriate and convenient location for the patient

In order to drive the maximum benefits from PACS, the trust radiology information systems (RIS) must be capable of providing seamless integration with the PACS to ensure that the optimum process flow can be achieved. Therefore, the implementation of the LSP RIS solution, HSS, is also included in the PACS implementations for trusts in Kent & Medway.

The overall objective of CfH is to deliver better information for health and patient care, where and when it's needed. Through the provision of a range of new computer systems across the country, the key deliverable is to develop a seamless National Care Record Service, which will improve information sharing across the NHS. This will ensure that relevant data is accessible to authorised health care professionals whenever they need it to make health or care decisions.

In line with this approach all images stored on the PACS will be made available to an archive which stretches from Cornwall to Kent; enabling clinicians with appropriate access controls to view the full diagnostic images related to a patient they are treating wherever the patient has been treated.

Similarly there will be a single RIS system across the SHA area which will be used collectively by those organisations running radiology and potentially other imaging services. This will ensure that seamless and informed care can be provided to patients who are treated in multiple organisations.

1.3Scope

This Protocol must be read in conjunction with the respective Overarching Policy for Sharing Personal Information Between Organisations for Kent & Medway[1]and in particular is in line with Appendix C1 – ‘Consent Guidance’ of the Overarching Protocols, which establishes that the proposed process of sharing information is appropriate and lawful.

This Protocol sets out the specific measures and requirements that must apply to information sharing between signatory organisations to utilising the CfH PACS/RIS solutions.

The Protocol applies to patients who come into contact with NHS organisations in Kent & Medway.

1.4Objectives of the Protocol

1.4.1 To safeguard the patient’s rights to confidentiality

To safeguard the patient’s rights to confidentiality in the exchange of their personal information by providing clarity about:

  • What information is needed
  • How it will be used
  • How it is stored
  • Who it is shared with
  • How patients can access information (about the service and/or their own information)
  • How consent to sharing information will be managed

1.4.2 To safeguard professional staff

To safeguard professional staff by providing guidelines that will allow unequivocal access to information within given parameters to:

  • Ensure they have enough information to make a judgement about how to proceed
  • Ensure they are informed about known and potential risks
  • Enable professional staff to work within a legal and professional framework.

1.5Parties to the agreement

The organisations that have formally undertaken to share information in accordance with this Protocol are listed in Annex B Participating Organisations

2Strategic Context

The Overarching Policy sets out the legal and ethical requirements for information sharing protocols to be put in place. This section identifies the specific issues that have an impact on the requirement for safe information sharing between signatory organisations.

2.1Kent & Medway Diagnostic Services

Increasingly the organisations in Kent & Medway are working together to provide joined-up diagnostic services to patients. As service provision adapts to provide services at the location most appropriate to the needs of the patient, the need for clinical information to be available in a variety of different locations and organisations is becoming increasingly important.

Currently, paper-based systems are generally used to transfer diagnostic information and images between clinical teams. This level of joint working, however, has been achieved to date without a clear framework for sharing information, and this Protocol will underpin current cross-organisational working, and will provide the framework for future developments in case recording and information systems.

2.2Associated Documents

The following material supports the exchange of information between agencies:

  • Professional Codes of Conduct (e.g. GMC, NMC, CoR, HPC)
  • Policies and operational procedures for the handling of complaints
  • Overarching Policies for Sharing Personal Information (both for Kent & Medway)
  • Department of HealthBuilding a Safer NHS for Patients [Ref. 23720 April 2001]
  • Department of HealthConfidentiality: NHS Code of Practice [November 2003]
  • Department of Health Seeking consent: working with children [Ref 25752 Nov 2001]
  • NHS Connecting for Health: PACS and RIS Data Sharing Protocols

The above list is not exhaustive.

3Protocol Development

3.1Development process

This protocol is based on the similar protocols for common healthcare computerised systems and is in line with the draft guidance on Mental Health Information Sharing Protocol. It was based on a template for information sharing protocols developed as part of the Caldicott guidance to NHS organisations, and examples of good practice from across the country.

3.2Consultation Arrangements

Members of the following groups are in the process of being consulted on the protocol:

  • All Caldicott Guardians in Kent & Medway (of acute trusts and PCTs)
  • Trust PACS Project Boards
  • PACS SHA PACS ProgrammeBoard
  • Kent & Medway HIS InformationGovernance Leads
  • Patient Groups

3.3Approval Process

The final draft of this Protocol will require the approval of all Acute and PCT Caldicott Guardians

3.4Public Awareness

Kent and Medway are actively engaging with local Patient Groups on the principles of information sharing. Patient groups are already aware of PACS and the National Programme for IT. They have invited to and attended public demonstrations. In October of this year a presentation will be given on the subject of information sharing. This will be ongoing as more systems are deployed across Kent and Medway.

4Principles

The principles on which this Protocol is based, are as follows:

  • Staff are regarded as authorised, on a ‘need to know’ basis, to access confidential information held by their own or another signatory organisation
  • All competent patients have the right to make informed choices in relation to consent to share their person identifiable information
  • Information will only be accessed for specified and lawful purposes, and only where it is justifiable to do so

5Clarification of RIS/PACS Data

5.1What information is recorded

Information held on the RIS will include the details of patients who have utilised radiology services from the date of implementation of the CfH RIS including:

  • Demographics details (name, address, registered GP, etc)
  • Hospital identifiers,
  • NHS Number,
  • Administrative details such as a patient’s referrals for radiology examinations, examination appointments and waiting-list data
  • Information relating to the examination(s) undertaken on the patient since the CfH has been implemented at that trust
  • Health professional’s diagnostic report on the examination undertaken

Information held on the cluster-wide PACS:

  • Patient NHS Number
  • Patient demographic details
  • Examination identification number
  • Electronic version of the diagnostic image(s) recorded during an examination
  • Examination reports captured electronically from the RIS

For the purposes of this protocol radiology services are taken to mean diagnostic imaging services including the following types of examination (this list is not exhaustive):

  • CT
  • MRI
  • Plain film
  • Ultrasound
  • Nuclear Medicine
  • Fluoroscopy
  • Mobile Image Intensifier
  • Angiography

5.2How it will be used

Data is recorded on the RIS in order to be able to manage and administer the provision of diagnostic imaging services in support of the patient’s treatment, including:

  • Recording referrals and scheduling appointments for examinations
  • Providing waiting times for patients to support monitoring of national waiting targets
  • Providing a record of the details of the exam performed for clinical audit purposes
  • A clinical diagnostic report of the examination which is used to plan and manage the subsequent treatment of the patient

Data is recorded on the cluster-wide PACS archive so that it can be accessed on a need to know basis by health professionals treating the patient. This will provide them with full details of the patient’s previous examinations, even if the patient was not treated previously by that health organisation, to ensure that the health professional has the data available to offer the best treatment for the patient.

5.3How it is stored

RIS data will be stored on a single database covering all organisations within an SHA area, managed on behalf of the NHS by Fujitsu Alliance the LSP for the Southern Cluster.. The database is located within a secure data-centre facility, which is fully resilient as patient data is copied to a second location so the risk of data-loss is minimised.

All patient identifiable data that is sent from the health organisation to the data-centre will be encrypted in line with NHS information security policy and will be transmitted across the NHS’s New National Network, N3.

Images are stored on a secure PACS server again managed by the LSP and located at both the trust and the secure data-centre.

Access is available only to registered users who require access to PACS and RIS to carry out the duties of their role.

5.4Who it is shared with

RIS: Data is available to other registered users only of the RIS database which covers all trusts within the geographical area covered by the Kent and Medway Strategic Health Authority, initially:

  • Dartford and GraveshamHospital Trust
  • EastKentHospitals Trust
  • Maidstone and Tunbridge Wells Hospitals Trust
  • Medway and Maritime Hospital Trust
  • The QueenVictoriaHospital NHS Foundation Trust*

* The QueenVictoriaHospital actually resides within the Surrey and Sussex SHA however due to the geographical closeness, historical ties and shared services (and patients) with Kent and Medway it has been agreed that the Trust will use the Kent and Medway SHA RIS database.

RIS data will, in specific cases, where patients are transferred to other trusts outside of the Kent and Medway SHA be transferred to their new provider in line with guidance within this document.

PACS: images that are stored on the LSP PACS Archive are available to registered PACS users on a “need to know” basis in organisations located within the organisational boundaries of the following Strategic Health Authorities (SHAs):

  • Kent and Medway SHA
  • Surrey and Sussex SHA
  • Hampshire and the Isle of Wight SHA
  • Thames Valley SHA
  • Dorset and Somerset SHA
  • Avon, Gloucester and Wiltshire SHA
  • South-WestPeninsula SHA

The purposes for which data can be shared are covered in subsequent sections of this protocol.

5.5How patients can access information

Patients have a right to access and view information held about them. Such requests for access should be put in writing to the NHS trust treating the patient at that time.

6Purposes for which Person identifiable information may be shared

It is a requirement of the principles of the Data Protection Act (1998) and Caldicott Report (1997), that person identifiable information must only be shared for specified purposes, and only when it is justifiable to do so