Presentation on theme: "Quick Guide to Undertaking an Information Governance Compliant Clinical Audit Project Wendy Harrison and Heather Sharp NHS Bradford and Airedale."— Presentation transcript:
1Quick Guide to Undertaking an Information Governance Compliant Clinical Audit Project Wendy Harrison and Heather Sharp NHS Bradford and Airedale
2Contents 1 Aims of the guide 2 Laws affecting the use of confidential information in clinical audit3 Informing patients4 Justifying the use of patient information in clinical audit5 The use of patient identifiable information for clinical audit6 Access to information for clinical audit7 Transferring clinical audit data8 Information security do’s, don’ts and how to’s9 Storage/retention/disposal of clinical audit data10 Secondary uses of clinical audit data11 Information Governance checklist
31 Aim of this GuideThis guide is a condensed version of key messages from the HQIP Clinical Audit and Information Governance GuideThis ‘quick guide’ is designed to be a pocket-sized reminder of the key areas of information governance which apply to clinical audit projects
4What is information governance? What is information governance all about?Information Governance is a framework for handlingpersonal information in a confidential and secure mannerto appropriate ethical and quality standards,in a modern health servicesoIt’s basically common sense – think of any informationyou handle as if it were your own.How would you expect your informationto be handled or accessed?
52 What laws affect the use of information? There are laws protecting how we handle information and these include:The Data Protection Act 1998Criminal Justice and Immigration Act 2008The Freedom of Information Act 2000Access to Health Records Act 1990 (Deceased records)Human Rights Act 1998Computer Misuse Act 1990Section 251 of the NHS Act 2006 specifically relates tothe use of information (with strict controls) for clinicalaudit purposes
6Always bear in mind the eight Data Protection Act principles which require that personal data must — Be processed fairly and lawfullyBe obtained or processed for specific lawful purposesBe adequate, relevant and not excessiveBe accurate and kept up to dateNot be kept for longer than necessaryBe processed in accordance with rights of data subjectsBe kept secureNot be transferred outside the European Economic Area(EEA) unless there is adequate protection
73 Informing patients about clinical audits Although explicit consent is not required patients should be informed about how their information could be used in the NHS including the potential use of their information for clinical audit.In order to assist with this, an example patient information leaflet is available on the HQIP website.The leaflet aims to help patients understand why we mightneed to use their information for clinical auditThere may be some occasions where although consentis not a requirement it may be good practicee.g. the involvement of children, palliative care,mental health topics
84 Justifying your use of patient data To help ensure that you have justified the use of the datafor your clinical audit project, consider:Has the project been prioritised as part of an annualclinical audit programme? (more guidance isavailable in the HQIP Clinical Audit Guidance Tools)Have the key stakeholders been agreed and theproject lead or sponsor identified?Have all staff involved had appropriate informationgovernance training and have confidentialityclauses written into their contracts?
94 Justifying your use of patient data Always follow the six Caldicott Principles —1 Justify the purpose(s) of using confidential information2 Only use when absolutely necessary3 Use the minimum that is required4 Access should be on a strict need-to-know basis5 Everyone must understand their responsibilities6 Understand and comply with the law
10The use of patient identifiable information for clinical audit Patient identifiable data vs anonymised data —Historically there has been some misunderstanding aroundthe difference between patient identifiable data andanonymised/psuedonymised dataIn general terms, patient identifiable data is data that canbe directly linked back to a living individual. This can bedirectly by including sufficient details such as name,address, sex, date of birth, postcode, phone number,condition, medication etc. or by use of a key such as theNHS number or your own local key. In both cases the datacan be linked back to a single living individual
115 The use of patient identifiable information for clinical audit Patient identifiable data vs anonymised data —Processing of patient identifiable data is subject to theprovisions of the Data Protection ActIt is a common misconception that data isanonymous if the recipient does not have access to the key.it must be noted that ANY data associated with a uniquekey which refers to a single living individual is patientidentifiable data and are subject to the Data Protection Act
126 Access to information for clinical audit When thinking about information governance issues it is important to consider who will require access to the information and what level of access they will require.Consider the following groups of peopleClinical staff – will need access to all dataClinical audit team – could require access to all dataAdministrative staff – should only need access toanonymised dataEnsure that you assess the levels of access for differentstaff groups in the planning stages and ensure appropriateaccess controls are in place i.e. only those who need tohave access to clinical audit data, should have access.A mechanism for removing access to the data shouldalso be in place for staff who leave the organisation.
137 Transferring clinical audit data It is your responsibility to ensure the safety of the data you are using for your clinical audit. You must adhere to your organisation’s procedures for secure data handling and seek assurance that the receiving person/team/organisation is aware of their responsibilities to handle and store data securely.You should also seek assurance that clinical auditdata will not be given to or be accessibleto anyone not involved with the clinical audit project.Consider creating a log to record all transfers of clinical audit data
158 Information security do’s When handling clinical audit information YOU MUST ALWAYS —Protect your team’s/network’s files and folders by ensuring that permissions are up-to-date and only those who need access have accessSeek assurance that those who need access to the clinical audit data are aware of their information governance responsibilitiesGive passwords/access to those members of staff who need it for the clinical auditOperate a clear desk policy — lock paper information awaywhen you’re not using itSecure your workstation when absent from your desk by activating a password protected screen saver or using Ctrl-Alt-Del-Lock workstation if your network supports this
168 Information security do’s When handling clinical audit information YOU MUST ALWAYS —Ensure that databases are password protected, even if the information is anonymised/pseudo-anonymisedEncrypt data so that if information needs to be stored on portable media (i.e. disk, CD, USB) or ed to someone else, you know it is secureLog the retention period for the audit data, so that it can be destroyed when no longer requiredDestroy clinical audit data in line with your organisation’s procedures, i.e. in a confidential manner
178 Information security don'ts When handling clinical audit information YOU MUST NEVER —Leave patient notes/audit data unattended on your deskTransfer data by any method, without ensuring it is beingdone so securelyInclude patient details in your audit proforma unless youhave the patient’s consentSave information to your local ‘c’ drive as if your pc failsyou will lose your dataInput information into a database without anonymising/pseudo-anonymising it
188 Information security don'ts When handling clinical audit information YOU MUST NEVER —Create databases without ensuring they are password protectedaudit data without winzipping and encrypting it firstKeep data forms, databases etc for longer than necessaryBreach legal requirements or be ignorant of the legal requirements that affect youPass any data used in your audit to anyone who does not have a legitimate right to use the information (i.e. third parties inside or outside of your organisation)
19Guidance on creating passwords A secure password should contain a combinationof upper and lower case letters, numbers and characters.It should be random and not be able to be easily guessed by those who do not require access to the information.A good way to create a password is to link it to a phrasei.e. The diabetes clinical audit takes place in March 09- your password would then be TdcatpiM09or you could use your current favourite songYou should always mix your phrases to ensure thatthe logic behind them is not easily identifiableand your passwords easily guessed
209 Storage/retention and disposal of clinical audit data Clinical audit data should be stored securely throughoutthe clinical audit processYou should refer to your organisation’s local procedures for retention timescales on clinical audit data collection sheets (proformas) but the DH Records Management NHS Code of Practice requires that clinical audit records must be kept securely for a minimum period of 5 years after a clinical audit has been completedThe code does not further define records, therefore, you should always follow your own organisation’s retention policy regarding the documentation created and collated throughout your clinical audit project. The data should be kept for no longer than the agreed period and should be destroyed confidentially after this time
219 Storage/retention and disposal of clinical audit data TIP: Create a log of all projects undertaken by yourteam/office/department, which shows who hasguardianship of the clinical audit data and reports, theircontact details, location of the data, retention periodand ultimately when and how it was destroyedEnsure that contact details are updated when guardiansleave or if the clinical audit data is removed to another site.Your organisation may have a central register for clinicalaudit projects, which should incorporate these details
22financial audit and other management activities 10 Secondary uses of clinical audit dataPatient information should not be used for any other purpose than that for which you have collected it. Although you may want to use the summarised, anonymised clinical audit results to support other quality improvement work you must not give or allow anyone access to the raw clinical audit data without checking whether the team/individual has a legitimate right to access itThis includes you; you can not use the raw clinical audit datayou have collected for other projects and especially NOT forresearch purposesHealthcare purposes is defined as all activities that directly contribute to thediagnosis, care and treatment of an individual and the audit/assurance of thequality of the healthcare provided. They do not include research, teaching,financial audit and other management activities
2311 IG checklist — consider the following — Have you registered your clinical audit project with yourorganisation’s clinical audit team?Will you be using patient identifiable information throughout your audit (if yes, you may need patient consent and/or the approval of your Caldicott Guardian/Information Governance Lead)?Will you need to anonymise or pseudonymise your data?Are clinical audit patient information leaflets generally available in your organisation?Are those who have access to the data aware of their IG responsibilities?
2411 IG checklist — consider the following — Have you considered any ethical issues (third partyaccess)?Who has access to the clinical audit data and at what level (identifiable or anonymised)?How will you securely transfer any clinical audit data?Can you consider creating a log of any transfers ofinformation which will be happening throughout theproject?Where will you store the clinical audit data? Is this a secure area?What is the level of security on any electronic/paperrecords of your clinical audit data?
2511 IG checklist — consider the following — Have you created a password to protect any electronic data?Have you informed those staff who need access to the data what the password is?Who will be the named guardian/owner of the clinical audit data?Have you created a log of clinical audit projects containing the ‘guardian/owner’ of the data?Have you identified the retention period and destructiondate for the data?Are you using any of the other HQIP clinical audit products?
26Quick Guide to Undertaking an Information Governance Compliant Clinical Audit Project Wendy Harrison and Heather Sharp NHS Bradford and Airedale