DIRECTED ENHANCED SERVICE 2007/08
BENCHMARKING INFORMATION GOVERNANCE & DATA QUALITY STANDARDS IN GP PRACTICES: GUIDANCE & SPECIFICATION
1. Aim 1.1 To improve the quality of management of electronic patient records in Scottish
general practices.
2. Objectives
2.1 To benchmark current contractual requirements for information governance
and data quality and to improve both of these by systematic approaches to training,
quality checks on records, and review of current practice.
3. Rationale
3.1 Many Scottish general practices are moving towards the use of electronic
records for patient care. This includes referral letters, hospital letters and lab results
either scanned and filed or incorporated directly into the record.
3.2 This means that new approaches are needed to protect the confidentiality of
patient information, to develop mechanisms to ensure only appropriate staff have
access to the record and to ensure that the electronic data is accurate and up to
date.
3.3 Increasingly, the electronic GP patient record will replace the paper record
and be transferred in this form when the patient moves practice. It is vital that there
is consistency across Scotland in use of coding and standards in order to ensure
compatibility and inter-operability. This is necessary regardless of which clinical IT
system supplier is used by the practice.
1
3.4 The Emergency Care Summary (ECS) is an electronic extract of patient
information from GP systems. It consists of demographics, current repeat and acute
prescribing and allergies and adverse drug reactions. It is available to clinicians in
NHS 24, NHS Board Out of Hours Centres and Accident and Emergency
Departments with explicit consent from the patient. This development has highlighted
the need for this information to be accurate, up to date and as complete as possible
in the GP electronic patient record so that the ECS information is reliable.
4. Summary of DES
4.1 This DES is in 2 parts.
a) The first part brings together information governance standards which are already
covered by the GMS contract (including Quality and Outcomes Framework QOF).
Participating practices must make a declaration that they are conforming to these
requirements in order to move on to the second part of the DES.
b) The second part includes some new work, although again the GMS contractual
requirements reinforce the importance of many of the components, eg conforming to
contractual requirements if all or part of patient records are kept solely in an
electronic form; adhering to standards required for practices to go “paper light”; and
practice endorsement of the Scottish agreed SCIMP codes and the Good Practice
Guidelines for GP Electronic Patient Records (hereafter referred to as “GPG”). In
addition, practices will be required specifically to address accuracy of the ECS
patient data and to ensure that practice staff have training and appropriate clauses in
their contracts as regards information governance.
5. Guidance 5.1 This guidance aims to support practices in meeting the requirements of this
DES. Most of it is derived from guidance already available elsewhere. As
appropriate, the reference to contractual requirements is indicated for the information
of practices. The full specification for this DES is attached at Annex A.
2
5.2 Section 1 should be completed and a report sent to the NHS Board for
agreement before starting Section 2.
5.3 Practices should keep a portfolio of evidence to support compliance with
these standards.
5.4 Throughout this guidance, sections of the specification are highlighted in bold and framed by boxes.
6. Outline of DES Guidance on Section One
1. To ensure contractors are compliant with a basic list of standards for
information governance.
The contractor must comply with the following standards:
a. Be registered and conform to the provisions under the Data Protection Act 1998
6.1 This item is covered in Schedule 5, Part 8, paragraph 115 of the Regulations1,
which require contractors to comply with all relevant legislation.
6.2 Practices must be registered under the Data Protection Act 1998. The
registration should specify what data are held and what you may do with that data.
Anyone wishing to see their personal information has a right to do so within forty
days of the request. However, special rules apply to health records, including
compliance with the eight enforceable principles of good practice.
1 “Regulations” in this document refer to the National Health Service (General Medical Services Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: http://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm
3
6.3 The Data Protection Act 1998 can be accessed at:
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
6.4 In this context, practices should follow the advice in the check list below:
• Do check that your registration details are correct and make sure you use the
data for the purposes you specified in the registration
• Do only disclose information to the appropriate people
• Do keep the data accurate and up to date
• Do deal with requests for personal data promptly
• Do display a notice and use other additional means such as a leaflet or
paragraph in the practice leaflet to inform patients about other health
professionals who may have access to their records such as researchers,
pharmacists etc and why they may be given access.
• Do not keep information any longer than you need
Evidence of Compliance
6.5 The Practice’s Data Protection Act registration certificate, or its reference
number, and evidence that this registration is up to date should be filed.
6.
wh
2 “Cohtt
b. Where some or all records are kept only in an electronic form, conform tothe requirements for approval by their NHS Board for such storage.
6 This item is covered in Schedule 5, Part 5, paragraph 66 of the Regulations2
ich refers to the requirements for contractors around patient records.
Regulations” in this document refer to the National Health Service (General Medical Services ntracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: p://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm
4
6.7 Guidance on migration to electronic record keeping and data transfer can be
found in the GPG, chapters 4 and 5 available at
http://www.scimp.scot.nhs.uk/gpg.html
Evidence of compliance
6.8 The check list at Appendix 4 of the GPG should be filed. This in turn will be
supported by documentation for each item on the checklist, many of which are
covered in the guidance below.
c. Nominate a member of the primary care team to take responsibility forpractices and procedures relating to the confidentiality of personal dataheld by the practice.
6.9 This is specified in Schedule 5, Part 5, paragraph 68 of the Regulations3.
6.10 The practice should agree the responsibilities and remit of this nominated
person. These should include ensuring all people working in the practice, both
permanent and temporary4, are aware of their responsibilities with regard to the
confidentiality of personal data held by the practice and, where appropriate, sign a
confidentiality statement. The nominated person should also be responsible for
dealing with requests for access to records (subject access requests), ensuring they
are dealt with appropriately.
Evidence of compliance
6.11 Practices should file the name of the responsible person and an outline of
their remit and responsibilities. 3 “Regulations” in this document refer to the National Health Service (General Medical Services Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: http://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm 4 To include partners, salaried and sessional clinical staff, GP registrars and locums, other employed staff, attached staff, visiting clinicians, students, researchers and any other person with access to the premises where records are available.
5
d. Have in place a business continuity plan to deal with loss of IT system (e.g.power failure, flood, theft)
6.12 This is important so that, in a crisis situation, the practice can continue to
function and see patients. It is related to the data recovery process at paragraphs
6.16- 6.20, below.
6.13 Guidance on data recovery and business continuity plans is available in
Chapter 3 of the GPG, paragraphs 3.11.7 and 3.11.8 available at
http://www.scimp.scot.nhs.uk/gpg.html
6.14 Samples of business continuity plans are attached at Annex B. However,
many NHS Boards have developed templates for practice use.
Evidence of compliance
6.15 Practices should file a copy of their business continuity plan.
e. Have in place an effective data recovery process, which is agreed with theirrespective NHS Board
6.16 If the electronic system fails for whatever reason, data could be lost. It is
important that there is a system for data recovery which minimises this loss and
allows practices to regain full functioning as soon as possible. Data recovery is
linked to business continuity as in paragraphs 6.12- 6.14 above.
6.17 This requirement relates to QOF indicator, Management 2, which covers
arrangements for backing up computer data etc. The indicator and guidance is on
pages 161-162 of the Scottish Guidance- Revision to the GMS Contract 2006/7
available at http://www.sehd.scot.nhs.uk/pca/PCA2006(M)13.pdf
6
6.18 Guidance on how to set up and maintain a system to support data recovery is
detailed in the GPG Chapter 3, paragraphs 3.11.4 and 3.11.7
http://www.scimp.scot.nhs.uk/gpg.html
6.19 The GPG gives a useful checklist for practices when developing their data
recovery plan. Where the practice is linked to a managed server, their back up
arrangements will be different and should be agreed with the NHS Board.
6.20 Arrangements in each NHS Board area for the frequency of back up tapes,
storage and frequency of a “system restore” process should be agreed between the
NHS Board and the Local Medical Committee.
Evidence of compliance
6.21 Practices should file a copy of their data recovery plan as agreed with their
NHS Board.
6
R
s
a
6
R
l
H
5
Ch
f. Ensure the practice has a leaflet which includes clear information forpatients about how the contractor uses their personal health information.
.22 Contractors are required under Schedule 5, Part 5, paragraph 69 of the
egulations5 to produce and keep up to date a practice leaflet with minimal content
pecified in Schedule 8 of the same Regulations. Item 25 of Schedule 8 refers to
ccess to and disclosure of patient information.
.23 All NHS Boards should now have made available to practices the Health
ights Information Scotland (HRIS) leaflets for patients. The wording in the practice
eaflet should reflect the standard in the HRIS leaflets. (See box for information on
RIS).
“Regulations” in this document refer to the National Health Service (General Medical Services ontracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: ttp://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm
7
Health Rights Information Scotland (HRIS) is a project based within the Scottish
Consumer Council, and funded by the Scottish Executive Directorate of Health and
Wellbeing. It is a joint initiative to raise the quality of information available to patients
in the NHS.
HRIS produce information for patients about their rights, about how to use NHS
services, and about what they can expect from the NHS. As this information is
relevant to all patients in Scotland the information is produced on a national basis for
use throughout the NHS. NHS boards are responsible for distributing the
publications.
The aim of the initiative is to give patients a better understanding of their rights and
choices and to make them more confident making decisions about their health and
interacting with NHS staff.
Further information about HRIS and copies of the patient information leaflets is
available at –
http://www.hris.org.uk/index.aspx?o=1113
Evidence of compliance 6.24 Practices should file a copy of their practice leaflet.
8
Guidance on Section Two
Complete and implement an action plan (agreed with the host NHS Board) on
how the contractor will improve data quality and information governance. The action plan must task the contractor with the following requirements:
g. Develop and implement a protocol for ensuring high quality management of electronic data recording in accordance with the Good Practice Guidelines for
General Practice Electronic Patient Records
6.25 The contractual framework for this item is included in Schedule 5, Part 5, Para
66 of the Regulations6, which outlines the standards for computerised records
approval, in particular in sub paragraph 4.
6.26 Guidance on migration towards paperless record keeping is provided in
Chapter 4 of the GPG with a check list at appendix 4, both available at
http://www.scimp.scot.nhs.uk/gpg.html
Evidence of compliance
6.27 Practices should file a copy of their protocol with supporting evidence for the
check list.
6
Sh
h. Have in place procedures which encourage the use of SCIMP recommendedRead codes across all members of the primary care team.
“Regulations” in this document refer to the National Health Service (General Medical ervices Contracts)(Scotland) Regulations 2004 (SSI 2004 No 115) and can be found at: ttp://www.opsi.gov.uk/legislation/scotland/ssi2004/20040115.htm
9
6.28 The QOF indicators, Records 15, 18, 19 and 20, relate to summaries and the
guidance notes recommend the use of national or locally agreed codes to facilitate
comparison or exchange of data. The indicators and guidance are on page 143
onwards of the Scottish Guidance- Revision to the GMS Contract 2006/7 available at
http://www.sehd.scot.nhs.uk/pca/PCA2006(M)13.pdf
6.29 In Scotland, the recommended codes for use in General Practice electronic
patient records have been compiled by SCIMP and are available and regularly
updated at: http://www.scimp.scot.nhs.uk/coding_readcodes.html
6.30 This link provides guidance on coding as well as links to recommended codes
both for the QOF and for general record keeping.
6.31 Practices should discuss how they will encourage practice team members to
use the recommended codes.
6.32 System specific “national codes” and/or clinical systems should not be used
for clinically important information, as they will not be captured by such systems as
SCI Gateway for referral letters or ECS for adverse drug reactions (see paragraph
6.56 below).
Evidence of compliance 6.33 Practices should keep a report on how they have addressed this item and
how they will maintain this improved coding compliance.
i. Have in place a protocol to ensure access to clinical and other patient identifiable information in the electronic record is controlled, such that only those authorised to access the record can do so.
10
6.34 The NHS Code of confidentiality is available at the following link:
http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf
6.35 Further guidance on legal aspects of confidentiality and access to patient
records is found in Chapter 3, section 3.6 in the GPG to which can be found at:
http://www.scimp.scot.nhs.uk/gpg.html
6.36 Practices should agree the access needs of their practice staff to their
electronic clinical system. Some will require access to clinical information and some
will only need access to demographic information. The details of access permissions
for each member of staff should be logged and updated as needed. Each member
of staff will need a unique password and should not share passwords or user names.
These access controls should be compiled into a protocol to which all members of
the practice team sign up.
6.37 An example of a protocol is shown in the box below:
All members of staff should be allocated personal user names and passwords. The user
name should be configured so that the password requires to be altered at regular intervals
and at least every 90 days. Each person should have a different user name.
The access level for each member of staff according to their role in the practice has been
agreed. Staff should not access the system through another member of staff’s user name
and password as they may have different permissions.
All PCs should have their screen locked if the user leaves the room and a patient is present,
or the room is left unlocked. PC users should be shown how to do this.
The network, clinical system(s) and many other software programmes monitor attempts at
unauthorised access, and access should be configured so that access is denied if three
attempts fail to gain access.
The Practice is responsible for inactivating access as soon as practicable when personnel
stop working at the practice.
11
Evidence of compliance 6.38 Practices should keep a copy of their access protocol and log of agreed staff
access levels.
j. Ensure that there is a system for identification of breaches or alleged breaches of the access protocol under item i. and that those identified are investigated promptly and efficiently and included in an annual report available to the Board.
6.39 Practices must ensure that all members of the team are alert to, and report
on, any breaches of the protocol as in paragraphs 6.34 and 6.35 above, and that
they have a system for investigating any such breaches with a view to prevention of
future episodes.
6.40 The practice report should include,
1. The access protocol and log as in paragraph 6.38, above,
2. The procedure for reporting and investigating possible breaches
3. A log of any episodes where a breach was reported,
4. The outcome of investigation(s) of any breaches identified
Evidence of compliance
6.41 Practices should keep the report as at paragraph 6.40, above, updated
annually.
k. Set up a process for systematically updating staff contracts to contain clauses that clearly identify staff responsibilities for confidentiality, data protection and security.
6.42 Practices should seek legal advice on the wording of such a clause from such
sources as BMA and medical defence organisations.
12
Evidence of compliance
6.43 A specimen staff contract showing the relevant clause should be filed along
with a list of all staff contracts which comply with the requirement and, for those still
to be changed, a timetable for this action.
l. Describe a plan to ensure appropriate training for all staff on the elements of information governance (e.g. confidentiality, data protection, security) especially when inducting new staff.
6.44 Practice staff, especially new staff, will all need training to enable them to
understand and adhere to the principles of information governance related to their
role in the practice team.
6.45 The GPG, chapters 6 and Appendix 3, provide some guidance on this training
available http://www.scimp.scot.nhs.uk/gpg.html
6.46 Annex C of this guidance contains additional material for practices to use in
making and implementing a plan for training of staff on information governance
issues.
6.47 NHS Boards will give practices help with training staff. Material is also
available through the information governance team at ISD.
Evidence of compliance
6.48 Practices should keep a log of all training activity on information governance
and data quality standards.
m. Have in place a system for updating, verifying and correctly coding for drug allergies and intolerances, and current medication to support data standards for the Emergency Care Summary
13
6.49 The data extracted from the GP clinical record for the Emergency Care
Summary (ECS) is updated twice daily so practices should ensure that they take
every opportunity to ensure this information is correct. The particular items are
current medication (acute and repeats) and allergies/ adverse drug reactions.
6.50 Practices should develop a system to ensure that opportunities for update are
used by all staff as often as possible. These might be when the patient consults,
when reviews are taking place (e.g. long term condition review, medication review),
or when repeat prescriptions are being issued or hospital letters come in (see 6.52
below). Each practice should identify the opportunities they will use and gain
agreement from the whole practice team to maximise these opportunities.
6.51 Practices should ensure that drugs which have been stopped are shown as
inactivated.
6.52 Practices should add any significant drugs that have been prescribed outwith
the practice e.g. by hospitals, clinics, so that the medication record is complete. Such
drugs could include anti-TNF therapy, chemotherapy, community mental health
prescriptions, drug misuse clinic prescriptions and depot injections. It is recognised
that the practice will not be made aware of all of these prescriptions but should
ensure that they are included in the electronic record when the practice is informed
about them.
6.53 These medications may not seem to be important but potentially dangerous
interactions can occur e g methotrexate can have a fatal interaction with
trimethoprim. This is important not only for the ECS but to ensure the patient’s record
is complete and to enable the GP IT system drug alerts system to work optimally.
14
Adding medication without issuing a script
6.54 Medication can be added to the electronic record without issuing a
prescription. Details of how this is done with each of the GP IT clinical systems are
shown in the box below:
Ascribe Add to DM screen as new drug but in instructions write - 'information only -hospital
supply’.
EMIS Open ‘consultation’; add; select ‘drug and dose and quantity’; select ‘acute or
repeat’; issue, select ‘outside’; and then click OK.
GPASS Once you have added a prescription in GPASS, either acute or repeat, it shows up
on the Encounters screen (although you need to toggle between acute and repeat).
If you highlight the prescription that you want to record but not print, and then press
the SPACE bar, it crosses out the pill icon at the left of the prescription and won't
print it when you close the patient record.
INPS In Vision 3 when adding a medication the user should change the 'source of drug'
value to reflect the supplier of the medication. Any value other than 'In Practice'
prevents this from generating a paper prescription.
Users also have the option of de-selecting the 'Print Script' checkbox on the
‘Medication Add’ form.
iSOFT On the medication screen you should change the print option to ‘no prescription’,
‘handwritten’ or ‘outside’.
15
6.55 Practices should therefore verify recorded allergies and ADRs with patients
when the opportunity arises as some may not be true allergies. Details should be
recorded appropriately
6.56 Practices should ensure that allergies and sensitivities are coded
appropriately in the clinical system and not entered as free text. Only national codes
(Read Codes or Multilex) should be used as no local codes will be exported to ECS.
The list of codes currently extracted for ECS can be found on the SCIMP website.
http://www.scimp.scot.nhs.uk/coding_readcodes.html
6.57 Listed here are details of how this is done in each of the GP IT clinical
systems.
16
Ascribe Allergies should always be recorded as Read Codes. It is preferable to enter all allergies on
both the DS priority screen and the DM sensitivities section. If a precise code does not exist
for a particular drug, use the nearest applicable code and add free text details in the right
hand box.
EMIS Medical Record (MR) A-add
3- Allergy
A- Add Adverse reaction
search for drug or medication type
select correct medication from those matching search criteria
enter text as to the reaction, set date of reaction and click OK
GPASS
Allergies in GPASS are always recorded as Read Codes. They can be entered via Care
Management Screens, screening templates or added as clinical codes. If a precise code
does not exist for an adverse drug reaction, clinicians should choose the nearest applicable
code and add details in the free text extension.
GPASS 2007 As above or use the Multilex new ADR entry INPS Drug Allergies in Vision 3 should always be added using the 'Drug Allergy and Intolerances'
Structured Data Area (SDA). Access this from Consultation Manager menus using 'Add'
then 'Drug Allergy/Adverse Reaction'. You can then select an appropriate Read Code from
the drop down list if desired. You must always add the drug name for the item that caused
the adverse reaction. ECS will contain the record of allergy including the Drug Name. iSOFT Allergies and adverse reactions are recorded as Read Codes. Staff adding allergies and
sensitivities should always choose a Read code closest to the drug/allergen with additional
details attached to this in the free text field. This makes sure the data always appears in the
patients’ summary/ECS.
17
6.58 For further information about the use of the ECS, how to access the record
and print out a copy if requested, see http://www.scimp.scot.nhs.uk/documents/GPPracticeAdministratorTrainingGuideV1.3.doc
Evidence of compliance 6.59 A report of the practice’s system for updating, verifying and correctly coding
data for the ECS as agreed with their Board.
18
Annex A Benchmarking Information Governance and Data Quality Standards in GP practices: Specification
Requirements 1. To ensure contractors are compliant with a basic list of standards for information
governance.
The contractor must comply with the following standards:
a. Be registered and conform to the provisions under the Data Protection Act.
b. Where some or all records are kept only in an electronic form, conform to the
requirements for approval by their NHS Board for such storage.
c. Nominate a member of the primary care team to take responsibility for practices
and procedures relating to the confidentiality of personal data held by the
practice.
d. Have in place a business continuity plan to deal with loss of IT system (e.g.
power failure, flood, theft)
e. Have in place an effective data recovery process, which is agreed with their
respective NHS Board
f. Ensure the practice has a leaflet which includes clear information for patients
about how the contractor uses their personal health information.
2. Complete and implement an action plan (agreed with the host NHS Board) on how
the contractor will improve data quality and information governance.
The action plan must task the contractor with the following requirements:
g. Develop and implement a protocol for ensuring high quality management of
electronic data recording in accordance with the Good Practice Guidelines for
General Practice Electronic Patient Records (http://www.scimp.scot.nhs.uk/)
19
h. Have in place procedures which encourage the use of SCIMP recommended
Read codes across all members of the primary care team.
i. Have in place a protocol to ensure access to clinical and other patient identifiable
information in the electronic record is controlled, such that only those authorised
to access the record can do so.
j. Ensure that there is a system for identification of breaches or alleged breaches of
the access protocol under item (i) and that those identified are investigated
promptly and efficiently and included in an annual report available to the Board.
k. Set up a process for systematically updating staff contracts to contain clauses
that clearly identify staff responsibilities for confidentiality, data protection and
security.
l. Describe a plan to ensure appropriate training for all staff on the elements of
information governance (e.g. confidentiality, data protection, security)
especially when inducting new staff.
m. Have in place a system for updating, verifying and correctly coding for drug
allergies and intolerances, and current medication to support data standards for
the Emergency Care Summary.
Outcomes
The contractor must complete a self-assessment against items under section 1. A
report should be shared with the host NHS Board.
Where the self-assessment shows non-compliance then the contractor should give
the Board an undertaking to ensure compliance within an agreed timescale.
The contractor must meet and implement the requirements in the agreed action plan
under section 2.
Templates will be provided for both of these requirements.
20
Payments
The contractor will be paid an engagement payment on the submission of a report
that is consistent with the requirements set out in section 1.
The contractor will be paid a completion payment on meeting and implementing the
requirements in the agreed action plan under section 2.
The engagement payment will be equal to 10 per cent of projected income for each
contractor that successfully completes all the requirements of the DES.
The total payment for a contractor will be made up of a fixed element (£1,200) and a
variable element dependent on the numbers of patients. The average GP practice
would receive approximately £3,800.
Arrangements for Payment Claims
Payment to participating Contractors for the engagement and completion fees will be
made on submission of the appropriate declaration forms. Separate engagement
and completion forms will be produced by PSD. These forms should be returned to
your NHS Board who will authorise PSD to make the necessary payment if the
criteria has been met.
The Contractor should ensure that supporting evidence is available should the
information be requested for post payment verification purposes or should the NHS
Board request this as part of contract monitoring.
Timing
The enhanced service will run from 1st October 2007 to 31st March 2008. It is a one-
off arrangement.
The intention is for payments to be made to contractors by the end of April 2008.
21
22
23
Annex B Two sample business continuity plans in current use are embedded for
information below.
Benchmarking Information Gover...
Benchmarking Information gover...
24
Annex C
Benchmarking Information Governance and Data Quality Standards in GP practice DES - Guidance Notes for Item M, staff training
Rationale It is important that all staff are made aware of the relevant duties and in particular
given clear guidelines about their own individual responsibilities for maintenance of
confidentiality, data protection, information security, records management and
information quality. It is necessary that Practices put in place measures, including
protected training time, to ensure that all their staff members are fully informed of the
procedures implemented to ensure the meeting of standards across the Information
Governance agenda.
Guidance Below are links or embedded documents to a variety of materials which should help
practices in training staff.
Freedom of Information
PDF version of FIA training package:
http://www.scotland.gov.uk/Resource/Doc/47210/0025760.pdf
UK Information Commissioner - Data Protection: “ The Lights are On” (Interactive
Training DVD which can be ordered directly from the Information Commissioners
Office at http://www.ico.gov.uk/tools_and_resources/request_publications.aspx
Brief Guide to Information Governance
http://www.elib.scot.nhs.uk/SharedSpace/ig/Uploads/2007/Jun/20070608170750_V2
%20Info-governance-guide-070122.pdf
25
“Top Ten Tips to Safeguarding Personal information” (embedded below)
Top ten tips.doc (26 KB)
Information Governance e-library http://www.elib.scot.nhs.uk/portal/ig/pages/index.aspx?referer=AAS&un=nousername
NHS Code of Practice on Protecting Patient Confidentiality
http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf
Appendix 6 of the SCIMP Good Practice Guidelines for General Practice Electronic
Patient Records
http://www.scimp.scot.nhs.uk/gpg/documents/appendix%206.pdf
26