Information Governancein the UK’s National

Health Service

Alexander BeisserInformation Governance Consultant

Email: alex@beisser.infoWeb: www.beisser.info

2

Introduction

• The idea of this presentation is to give the reader an insight into setting up an Information Governance function in a diverse healthcare environment at times of cost savings, service re-configurations and the need to make efficiency gains.

3

Experience

• The author gained experience in developing the IG agenda for a commissioning organisation, a provider organisation (community based health services) and improving the data protection programme for a district hospital all based in a culturally very diverse area of London, UK.

• He provides confidentiality, data protection, information assurance and audit consulting services across the whole healthcare provider spectrum

4

Organisations involved

Hospitals

MentalHealth Trusts

General Practitioners

Dentists

Pharmacists

Opticians

Ambulance Trusts

Com

mercial

3rd P

arties

Department of Health

National Commissioning

Board

Other Commissioners

Social Care

Voluntary Sector

Clinical Commissioner

Groups

Providers Commissioners

5

Information Governance defined

• Information Governance (IG) is using defined standards to protect the confidentiality of Person Identifiable Data

• Standards are aligned with ISO27001, ISO 9001 and BS 25999

• Best practice guidelines for staff to ensure that data protection is maintained from the point when data is received until it is ultimately destroyed.

• Information Governance is often also known as Information Assurance and supports the secure sharing of medical and other sensitive data

Key concepts are Confidentiality – Integrity – Accuracy

6

Person Identifiable Data

• Data relating to living (or deceased) individuals from which they can be identified (such as Name, Date of Birth, Social Security Number, etc.)

• Sensitive Personal Data relates to an individual where the release could negatively affect the data subject (such as medical and mental health, sexual orientation, criminal convictions etc.)

• Information Governance provides best practice guidelines on keeping this kind of information safe.

7

How to implement Information Governance

• Start with the development of a basic Information Governance Framework (IGF) that includes relevant policies

• Engage with clinicians and assure them that confidentiality is everyone's responsibility and IG will support them in providing safe and efficient care for their patients.

• Involve corporate and shared services from the outset as you require their support in setting up an IG function.

• Keep your stakeholders updated

• Develop IG training tailored for different staff groups

• Setup shared IG function across healthcare organisations (sharing costs and responsibilities)

8

How to measure the success

• IG integrated into business processes (especially around IT systems and projects)

• Number of queries raised by staff, stakeholders and patients (expect to be busy)

• Uptake of training

• Number of IG related incidents (expect them to rise at the start, but they will fall with better education and awareness)

• Responses to education, awareness and communication campaigns

• Completing self assessment to understand your strength and weaknesses

9

Self assessment (I)

• All organisations who (want to) have access to the NHS Network (N3 network) in the UK are required to complete an Information Governance Toolkit (IGT) assessment.

• This is an annual process which is now in its 10th year.

• System is centrally managed by the Department of Health with some administration undertaken locally by IGT Administrator

10

Self assessment (II)

• The assessment is based on the type of organisation

– Hospitals

– General Practitioners

– Other Primary Care providers (dentists, opticians etc.)

– Ambulance Services

– Pharmacies

– Commissioners (PCTs, SHAs, Clinical Commissioning Groups etc.)

– Social Care Providers

– Voluntary Organisations

– Commercial Third Parties / NHS Business Partners

11

Information Governance Management

Comprises of

• Policy Framework

• Contract Management

• Training

• Human Resources procedures and policies

Information Governance Policy Framework

• Data Protection Policy

• Confidentiality Policy

• Information Security Policy

• Email and Internet Policy

• Records Management Policy

• Access to Information Policy

12

Confidentiality and Data Protection Assurance

Includes

• Information Risk Management

• Caldicott and Data Protection Principles

• Data Flow mapping and management

• Information Sharing

• Access to clinical information and HR records

Key staff:

• Senior Information Risk Owner

• Caldicott Guardian

• Data Protection Officer

13

Information Security Assurance

Focuses on

• IT Security

• User and access control management

• Incident Management and mitigating reoccurrences

• IT Asset Management

• De-identification / annonymisation

14

Clinical Information AssuranceCare Records Assurance

Concentrates on

• Use of clinical data

• Patient identifiers

• Data Quality

• Records Management

• Verification of accuracy and integrity

Key staff:

• Records Manager

• Data Quality Team

• Information Analysts and Managers

15

Secondary Use Assurance

• Use of clinical data for non-medical purposes

• Clinical coding

• Billing and reporting on service lines (commissioned clinical services)

• Use of clinical data in research and audit

• Planning of services by commissioners

• Public Health

16

Corporate Information Assurance

Incorporates

• Describing, categorising, recording, management and sharing of corporate data across organisation(s)

• Access to corporate information by public, public and governmental organisations

• Management of electronic corporate information; including audit use of such information

17

Services provided

The author provides the following services

• Development of IG Policy Framework

• Tailored Information Governance, Records Management and Data Quality Training

• Privacy Impact Assessments

• Information Assurance, Audits and Improvement Programmes

• Business continuity and disaster recovery

• Supporting tender projects

• IG Gap Analysis