Confidentiality and Choose and Book
Response to LMC concerns Jan 07

Question / Lines of enquiry

"In a nutshell, we have three concerns about the confidentiality of CAB. If these concerns are confirmed, then it is hard to see how an LMC could endorse the use of CAB. Indeed, we will probably suggest practices must stop doing so whilst inquiries are made of the Information Commissioner."

1. It appears that any health worker with CAB access can find the demographic details of anyone on the system so long as they have a name and date of birth. If they have an approximate date of birth then a trial and error search is possible.

Levels of access to Choose and Book information

Access to Choose and Book is restricted to staff that have been issued with a Smartcard and Passcode, and have been associated with an organisation and assigned the appropriate privileges within Choose and Book. Privileges are assigned based on a person's role. For example, a GP will be assigned the role of referring clinician as they need the privileges of someone who is able to make referrals through Choose and Book. These privileges determine the level of access to Choose and Book and the type of information which can be accessed.

Information available through Choose and Book is classed in three levels as either level one (demographic), level two (referral) or level three (clinical) as follows:

Level one - Demographic information: Name, address, date of birth, preferred communication language, patient password (which is only available to GPs, unless there is an active UBRN in that practice), consent information, contact telephone number(s), and patient needs such as braille (header is preferred contact method)

Level two - Referral information: Contains the details of a referral such as date and time of appointment, priority, service name, service location and referral status.

Level three - Clinical information: Contents of the actual referral letter or associated attachments and the reason for referral

The levels are hierarchical in that a user given level 3 access automatically can access level 1 and 2 information.

Identifying (tracing) patients on Personal Demographic Service (PDS) through Choose and Book

To enable the PDS to become the single authoritative source of demographic data there needs to be a reliable mechanism for identifying the patient, i.e. establishing the patient's NHS Number.

In terms of the controls on the access to patient demographic data, it is possible for staff in a referring organisation to access demographic details for any patient whose details are held on the PDS, provided that the user has certain specific information to perform the trace. There are two trace facilities on the PDS available through Choose and Book: Simple Trace and Advanced Trace.

In the first instance NHS healthcare professionals are guided through Choose and Book to use a simple trace to establish the patient's NHS Number. A typical simple trace will use:

Name, i.e. forename and surname;
Administrative gender;
Date of birth.

If a user performs a Simple Trace, the PDS will only return the demographics records if an exact match is found against all fields.

If a Simple Trace is inconclusive the user will need to use the Advanced Trace facility to trace the patient. It is not unusual for a patient not to know their date of birth. The spelling of a person's name could be ambiguous, e.g. Phillip instead of Philip. Without the Advanced Trace facility there is a higher risk of patient records being duplicated or confused with another patient. As a result there is a potential risk to patient safety. An Advanced Trace will provide a single match or a controlled list of potential matches.

Additional controls on access to demographic data

Using the PDS without a legitimate reason constitutes a breach of the NHS Code of Practice for Confidentiality, which is a disciplinary offence and could lead to dismissal and/or sanctions by a professional body like the General Medical Council. Patient rights are also protected through data protection and human rights legislation.

The confidentiality of patient records is well understood by healthcare professionals. Healthcare professionals have a duty of confidentiality to the patient, and a contractual obligation to comply with the NHS Code of Practice for Confidentiality, which governs the use of patient information.

Whenever information is actioned or changed via Choose and Book it is logged in the system and provides a robust audit trail that records users' actions. For further information please see question 3 below.

All decisions regarding the design of Choose and Book, including who has access to what information and the rationale behind such decisions, have involved the Choose and Book National Clinical Reference Panel. The approach has been assured by the NHS CFH Information Governance Team.

2. Once identified, we believe that a list of all previous CAB referrals is visible to the searcher (though not the correspondence attached to these).

This question relates to level two access, i.e. to Referral Information.

It is only possible for staff in a referring organisation to access previous Choose and Book referral information if the referral was initiated within that practice or it is the patient's registered practice. For example, if a patient has been referred through Choose and Book three times but by three different referrers at three different practices, then users at each practice will only see information relating to their referral, but the patient's registered practice will view all the referrals. The only exception to this is content sensitive referrals, which can only be viewed by the initial referrer within the practice, rather than by all eligible practice staff.

Referring clinicians and referring clinical admin roles will have access to level three (clinical information). Referring admin roles will have access to patient demographic and referral information only.

Hospital consultants and supporting staff, again, can only access past Choose and Book referral information if the patient had previously been referred specifically to a clinic that they have access to via workgroup permissions.

Service provider clinicians and service provider clinical admin roles will have access to clinical information (including correspondence). Service provider admin and Booking Manager roles will have access to patient demographic information and appointment information only.

3. We have been informed that access to a CAB record or the database is only logged for audit purposes if a change is made to the record. This would imply that anyone with a CAB card can look at any CAB record anonymously.

Whenever information is actioned or changed via Choose and Book it is logged in the system and provides a robust audit trail that records users' actions. In terms of viewing data only, where no action or change is made, the following apply:

Level one - Demographic information: Access by any user viewing this data is actively logged.
The one exception to this is where a demographics search is repeated for the same patient: the previous results are cached centrally and therefore a message isn't generated. This only applies for searches within 60 minutes of the original search.

Level two - Referral information and Level three - Clinical information: Although viewing alone is not recorded, the controls described in the responses to questions 1 and 2 are sufficient to allow only appropriate access to these levels of data, such that only authorised users can access this type of data in the first place. This position has been assured by the NHS CFH Information Governance Team.

In the context of the above, there are four mechanisms within Choose and Book that assist in monitoring unauthorised access and providing clear audit trails. These are:

A log of all messages in and out of Choose and Book which identifies when messages were sent, from whom and to where;
A report, which can be run by Atos Origin (the contractor providing the Choose and Book software), to audit the actions taken by any given user;
A 'View history' option for each Unique Booking Reference Number (UBRN). A UBRN is assigned each time a patient is referred to a specialist and is used to manage the patient's booking and referral. The 'View history' identifies activity on the system undertaken against the patient's UBRN and the date that such activity took place;
A report, which can be run by Atos Origin, to satisfy Subject Access Requests, i.e. requests from patients to view the content of their records.

Choose and Book meets the strictest national and international standards for holding and transferring information electronically, including ISO 17799:2000, BS7799-2:2002 and the eGovernment Interoperability Framework (eGIF). Choose and Book also meets the conditions of the 1988 Data Protection Act. This security far exceeds that used for on-line banking, because personal health data is much more sensitive.
Additionally, external expert hacking services have been commissioned to attempt to penetrate this security, and they have failed to do so.

Choose and Book Team
NHS CFH
11 January 2007
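
The access rules given in the answers to questions 1 and 2 for staff in a referring organisation, written out as a decision function. This is an added example, not Choose and Book code: the role keys, field names and can_view function are hypothetical, and it assumes that "the initial referrer within the practice" means no other user may view a content sensitive referral.

```python
from dataclasses import dataclass

# Highest information level each referring-side role may reach, as stated in
# the response: 1 = demographic, 2 = referral, 3 = clinical. Levels are
# hierarchical, so a role holding level 3 also holds levels 1 and 2.
# The dictionary keys are hypothetical names for the roles in the text.
ROLE_LEVEL = {
    "referring_clinician": 3,
    "referring_clinical_admin": 3,
    "referring_admin": 2,
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    practice: str

@dataclass(frozen=True)
class Referral:
    referrer_id: str            # user who initiated the referral
    referring_practice: str     # practice the referral was initiated in
    registered_practice: str    # the patient's registered practice
    content_sensitive: bool = False

def can_view(user: User, referral: Referral, level: int) -> bool:
    """Return True if a referring-organisation user may see `level` data."""
    if level > ROLE_LEVEL.get(user.role, 0):    # roles not listed get nothing
        return False
    if level == 1:
        # Demographics are reached by a PDS trace and are not tied to the
        # practice that made the referral.
        return True
    if referral.content_sensitive:
        # Assumption: only the initial referrer, in the initiating practice.
        return (user.user_id == referral.referrer_id
                and user.practice == referral.referring_practice)
    # Otherwise: the initiating practice or the patient's registered practice.
    return user.practice in (referral.referring_practice,
                             referral.registered_practice)
```

Under the answer to question 3, only the level 1 branch corresponds to a view that is actively logged; a True result at level 2 or 3 is a view that relies on these access rules alone.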