RECORDS MANAGEMENT POLICY
Document Reference No: KIG014
Status: Approved
Version Number: 3.0
Replacing/Superseded Policy or Documents: Records Management Policy v2.9
Number of Pages: 52 (41 pages of appendices)
Target Audience/applicable to: All individuals carrying out work on behalf of Kent Community Health NHS Foundation Trust, Public.
Author: Information Governance Assurance Lead
Acknowledgements:
Contact Point for Queries: Information Governance Assurance Lead
Date of Implementation/distribution: October 2015
Circulation: Policy dissemination process and on-line, Public
Review date: November 2017
CONTENTS
1 EXECUTIVE SUMMARY
2 INTRODUCTION
3 EQUALITY, DIVERSITY AND INCLUSION
4 ROLES AND RESPONSIBILITY
5 AIMS OF THE RECORD MANAGEMENT SYSTEM
6 RECORD CREATION AND MAINTENANCE
7 NHS NUMBER
8 INFORMATION SHARING
9 STORAGE AND TRANSPORTATION
10 APPRAISAL, ARCHIVING AND DISPOSAL
11 ELECTRONIC RECORDS
12 SCANNING PAPER RECORDS
13 IMPLEMENTATION – INCLUDING TRAINING AND AWARENESS
14 STAKEHOLDER, CARER AND USER INVOLVEMENT
15 MONITORING COMPLIANCE AND EFFECTIVENESS OF THIS POLICY
16 EXCEPTIONS TO THIS POLICY
APPENDICES
Appendix A Procedure For The Creation, Content And Maintenance Of Records
Appendix B Procedure For Clinical Diary Management
Appendix C Procedure for Obtaining and Using the NHS Number
Appendix D Process for Managing Requests for Access to Records (Subject Access Requests)
Appendix E Procedure for information sharing (Caldicott Principles)
Appendix F Procedure for Ensuring the Security/Confidentiality of Records
Appendix G Procedure for the Transportation of Health and Staff Records
Appendix H Procedure for the Appraisal, Retention and Disposal of Records
Appendix I Procedure on the Use of E-Mails
Appendix J Move Management Process
Appendix K Checklist for holding data at a non-KCHFT site
1 EXECUTIVE SUMMARY
Information is the lifeblood of Kent Community Health Foundation Trust (KCHFT) and without it the organisation cannot function effectively.
1.1 Scope and Purpose of Policy
1.1.1 In this policy, Records are defined as ‘recorded information, in any form, created or received and maintained by the trust in the transaction of its business or conduct of affairs and kept as evidence of such activity’.
1.1.2 This policy relates to all health and corporate operational records held in any format by KCHFT. These include:
a. all administrative records including databases and emails (e.g. personnel, estates, financial and accounting records, notes associated with complaints); and
b. all patient health records (for all specialties, including x-ray, audio and video files, imaging reports, registers, diaries, team communication books, etc.)
1.1.3 This policy and its appendices are also intended to provide standards against which records management procedures can be audited and monitored to inform risk management and identify areas for improvement.
1.1.4 Its implementation is part of KCHFT’s Information Governance Management Framework, and supports Care Quality Commission Standard 21, MONITOR, Information Governance and NHSLA Risk Management Standards.
1.1.5 Records Management is a discipline which utilises an administrative system to direct and control the creation, version control, distribution, filing, retention, storage and disposal of records, in a way that is administratively and legally sound, whilst at the same time serving the operational needs of KCHFT and preserving an appropriate historical record. The key components of records management are:
a. record creation;
b. record maintenance (including tracking of record movements);
c. access and disclosure;
d. appraisal;
e. archiving; and
f. disposal
1.1.6 The purpose of this policy is to ensure that records management systems and practice throughout KCHFT comply with relevant legislation, professional and Information Governance standards.
1.1.7 Information is a corporate asset. KCHFT records are important sources of administrative, evidential and historical information. They are vital in supporting its current and future operations (including meeting the requirements of Freedom of Information legislation), for the purpose of accountability and for an awareness and understanding of its history and procedures.
1.2 Risks
The process contained within the KCHFT Risk Management Strategy will be followed to manage any risks identified through the implementation of this policy. Risks will be monitored and reviewed through the risk register process.
1.3 Governance Arrangements
Governance or Function Group responsible for developing document: Information Governance Assurance Group (IGAG)
Circulation group: Information Governance Assurance Group, Records Management Scrutiny Group, Corporate Assurance and Risk Management Committee, Information Governance team, Clinical Service leads, nominated service ‘records managers’ and all staff through Staffzone – Policies “Have your say”
Authorised/Ratified by: Information Governance Assurance Group
Authorised/Ratified On: 6 February 2014
Review Date: October 2017
Review criteria: This document will be reviewed prior to review date if a legislative change or other event otherwise dictates.
1.4 Key References
A guide to confidentiality in health and social care: references: Treating confidential information with respect
Access to Health Records Act 1990
BS ISO / IEC 27001: 2005 Information Security Management
Care Quality Commission Standards for Better Health Outcomes 6 and 21
Common Law Duty of Confidentiality
Computer Misuse Act 1990
Data Protection Act 1998
Department of Health Caldicott Manual: NHS Code of Practice
Department of Health Confidentiality: NHS Code of Practice 2003
Department of Health Information Security Management: NHS Code of Practice 2007
Department of Health Records Management: NHS Code of Practice 2006
Freedom of Information Act 2000
Health and Social Care Act 2012
HSCIC Information Governance Toolkit
Human Rights Act 1998
ICO website www.ico.gov.uk for codes of practice
Information: To Share Or Not To Share? The Information Governance Review
Kent Police and Kent Health Sector Bodies: Joint Working Agreement
NHS Care Record Guarantee 2011
NHS Constitution 2013
NHS Information Governance: Guidance on Legal and Professional Obligations (DH 2007)
Public Records Act 1958
Regulation of Investigatory Powers Act 2000
Report on the Review of Patient Identifiable Information (Caldicott Committee 1997)
SBAR Communications Tool http://webarchive.nationalarchives.gov.uk/*/http://institute.nhs.uk
1.5 Related Policies/Procedures
Title | Reference
Being Open Policy and Procedure | IML004
Confidentiality and Data Protection Policy | KIG002
Confidentiality Code of Conduct | KCRM005
Data Quality Policy | RM008
Incident Reporting, Management and Learning Policy | CQS016
Information Risk Policy | KIG011
Information Security Policy | KIG009
Network Security Policy | KIG010
NHS Number Use Policy | KIG012
Records Management Policy | KIG014
Registration Authority Policy | KIT003
Secondary Use Policy | KIG018
Transfer of Care Policy | QC003
Policy & Procedure Drafting Arrangements
1.6 Document Tracking Sheet
Version | Status | Date | Approved by | Comments / summary of changes
0.1 | Draft | 29/07/11 | IG Team | Format changes & inclusion of further procedures
0.2 | Draft | 03/10/11 | Risk Manager | Changes to meet NHSLA requirements
0.3 | Draft | 24/10/11 | Caldicott Guardian | Inclusion of further information re SIRO
0.4 | Draft | 09/11/11 | IG Team | Inclusion of further information relating to CQC requirements
2.0 | Ratified | 07/08/12 | CARM | Additional guidance for staff seconded to multi-agency teams. Additional guidance with regard to photographs and identifying patient
2.1 | Draft | 24/10/12 | All staff consultation | Incorporated NHS Number Policy, clarified the aims and deleted duplicate guidance
2.2 | Draft | 16/11/12 | IGAG | Format/minor changes from consultation
2.3 | Final | 17/01/13 | Ratification by Board | Safeguarding reference – page 14. Changes to ensure NHSLA requirements are met
2.4 | Final | 03/04/13 | Legal Services | Information redacted to allow publication on the public website. Changes to archiving flowcharts
2.5 | Final | 27/06/13 | IGAG | Move Manager Process added; Checklist for records held at non-KCHFT sites
2.6 | Final | 14/02/14 | IGAG | Updated tracer card order code
2.7 | Approved | 04/04/14 | IGAG | Updated Caldicott principles, added section 3, referenced Transfer of Care Policy & other minor changes
2.8 | Approved | 02/12/14 | IGAG | SBAR communications tool for safe handover of patient care and updated References/Related Policies
2.9 | Approved | 30/04/15 | IGAG | Trust logo updated and updated revised move management process
3.0 | Approved | 08/10/15 | IGAG | Record consent to share information; Revised archiving flowcharts
2 INTRODUCTION
2.1 All NHS records are public records under the terms of the Public Records Act 1958. Each member of staff is responsible for the records they create or use.
2.2 Records Management is the process by which a trust manages all aspects of records whether internally or externally generated in any format or media type, from their creation to their eventual disposal.
2.3 Proper management of records is fundamental to the business of the organisation. KCHFT records are its corporate memory, providing evidence of actions and supporting decision making whilst supporting its daily functions and operation. Records support consistency, continuity, efficiency and productivity. The organisational benefits of sound records management are:
a. control and availability of valuable information assets
b. good utilisation of storage and server space
c. compliance with legislation and standards
d. efficient use of staff time
e. reduced costs
2.4 Records and the information they contain are vital to the satisfactory treatment and care of patients. Sound records management and good record-keeping support:
a. the day to day business that underpins delivery of healthcare
b. clinical effectiveness and evidence based clinical practice
c. continuity of healthcare provision
d. effective and timely communication of care needs
e. decision making
f. legal requirements
g. monitoring and audit
2.5 KCHFT has a responsibility to ensure that the healthcare each patient receives is recorded appropriately and that records are processed responsibly to support high quality care. There are professional standards for health record-keeping which are part of requirements for professional registration. For further information refer to Appendix A - Procedure for Creation, Content and Maintenance of Records.
3 EQUALITY, DIVERSITY AND INCLUSION
3.1 Communication and the provision of information are essential tools of good quality care. All patients, carers and staff should be given full assistance to ensure understanding. This assistance will take many forms and media. These principles should be enshrined in all formal documents.
3.2 Kent Community Health Foundation Trust is committed to ensuring that patients whose first language is not English receive the information they need and are able to communicate appropriately with healthcare staff. It is not appropriate to use children under the age of 16 to interpret for family members who do not speak English. There is an interpreter service available and staff should be aware of how to access this service.
3.3 The privacy and dignity rights of patients must be observed whilst enforcing any care standards e.g. providing same sex carers for those who request it. (Refer to Privacy and Dignity Policy).
3.4 All forms of communication (e.g. sign language, visual aids or other means) which ensure the patient understands should be considered. Publications in different languages or different formats can be produced through the Communications and Engagement Team and a translation service should be made available where required.
3.5 Staff must be aware of personal responsibilities under Equality legislation, given that there is a corporate and individual responsibility to comply with Equality legislation. This also applies to contractors when engaged by the Trust, for NHS business.
3.6 Kent Community Health NHS Foundation Trust is committed to promoting and championing a culture of diversity, fairness and equality for all our employees, potential employees, service users, as well as members of the public.
3.7 Understanding of how policy decisions and services can impact on ‘protected groups’ under the Equality Act 2010 is key to ensuring quality and productive environments for patient care and also the workforce. ‘Protected groups’ are:
• Race
• Disability
• Sex
• Religion or belief
• Sexual orientation (being lesbian, gay, bisexual or any )
• Age
• Gender Re-assignment
• Pregnancy and maternity
• Marriage and civil partnership
3.8 All forms of communication (e.g. sign language, visual aids, interpreting and translation or other means) which ensure the patient understands should be considered. (See the Big Word pages for help)
http://www.kentcht.nhs.uk/staffzone/resources/helping-you-to-do-your-job/interpreting-and-translation
3.9 The privacy and dignity (human rights) of patients must be considered alongside any care standards and identify the fundamental links between good health care and equality.
3.10 The Equality Analysis for this policy is located on the public website:
http://www.kentcht.nhs.uk/about-us/equality-and-diversity/equality-analysis/
4 ROLES AND RESPONSIBILITY
4.1 Chief Executive
4.1.1 The Chief Executive has overall responsibility for records management in KCHFT. As accountable officer he/she is responsible for the management of KCHFT and for ensuring appropriate mechanisms are in place to support service delivery and continuity. Records management is key to this as it will ensure appropriate, accurate information is readily available as required.
4.2 Information Governance Department
4.2.1 KCHFT has responsibility for ensuring that it meets its legal and corporate responsibilities, and internal and external governance requirements, including the secure transfer of personal confidential data. The Information Governance Department will be responsible for the records management function, assured within the Integrated Governance framework. The Department will report records management and governance arrangements via the Information Governance Assurance Group to the Corporate Assurance and Risk Management Group.
4.3 Caldicott Guardian
4.3.1 The Caldicott Guardian is responsible for reflecting patients’ interests regarding the use of personal confidential data. They are responsible for ensuring personal confidential data is shared in an appropriate manner.
4.4 Senior Information Risk Owner
4.4.1 The Senior Information Risk Owner (SIRO) will ensure that the organisation’s approach to information risk is effective in terms of resource, commitment and execution and that this is communicated to all staff. The SIRO will provide a focal point for the resolution and/or discussion of information risk issues and ensure the Board is adequately briefed on information risk issues.
4.5 Directorate and Department Managers
4.5.1 Directorate and departmental managers have overall responsibility for records generated by their activities and are responsible for ensuring that their staff receive training, are aware of the requirements of this policy and apply the correct procedures and controls. Managers will also be responsible for ensuring the implementation of any agreed audit action plans.
4.6 Team ‘Records Leads’
4.6.1 Members of staff within services identified as ‘Records Leads’ will be responsible for promoting the principles within this Policy and its procedures amongst colleagues across KCHFT.
4.7 Staff members
4.7.1 Each member of staff has individual responsibility for managing the records they create and handle in accordance with this policy and keeping appropriate records of their work. Registered professionals are responsible for complying with their relevant codes and standards of professional practice for record-keeping and for supervision of unqualified members of the team making entries in health records. Record keeping and records management responsibilities will be included in staff job descriptions. Staff must attend any records management training appropriate to their role detailed in KCHFT’s training needs analysis. Health records must be complete and accurate and healthcare staff must adhere to the record keeping standards in Appendix A.
4.8 Information Governance Assurance Group
4.8.1 The Information Governance Assurance Group (IGAG) is responsible for ensuring that KCHFT achieves compliance with the Standards in the Information Governance Toolkit as defined by Connecting for Health and any other standards or assessments.
4.9 Clinical Audit Group
4.9.1 The Clinical Audit Group is responsible for the co-ordination and management of clinical audit within KCHFT. The group will oversee an annual audit of record keeping standards.
4.10 Learning and Development Department
4.10.1 The Department will commission and provide record keeping training as defined in the organisation training needs analysis and notify managers of staff who fail to attend mandatory training or any other event.
4.11 Transformation Team
4.11.1 The Transformation team are responsible for the roll out of the SBAR (Situation, Background, Assessment and Recommendation) Tool across all clinical services within the
for ensuring standard templates for communicating patient information are available on the shared intranet (Staffzone) and within the community information system (see appendix L).
4.12 Legal and Professional Responsibilities
4.12.1 KCHFT will take actions as necessary to comply with the legal and professional obligations set out in the Record Management Code of Practice.
4.12.2 All NHS records, and those of NHS predecessor bodies, are public records under the terms of the Public Records Act 1958. The Act sets out broad responsibilities for everyone who works with such records, and provides guidance and supervision by the Keeper of Public Records.
4.12.3 The Freedom of Information Act 2000 applies to all public records. Requests for information must be met within 20 days of the receipt of a request. Personal confidential data is exempt from disclosure under Freedom of Information (FoI). For further information refer to the organisation’s ‘Freedom of Information Policy’.
4.12.4 The Data Protection Act 1998 applies to both computerised and paper records. It requires that records should be kept no longer than necessary for the purpose of the business of KCHFT. It also gives data subjects the right to see or receive a copy of their own information within 40 days of receipt of a request (reduced by Department of Health guidance to 21 days for NHS records) and for factual errors in that information to be corrected. Any requests for access to information must be directed to Legal Services at Trinity House. For further information please refer to the trust’s ‘Data Protection and Confidentiality Policy’.
4.12.5 The Common Law Duty of Confidentiality requires that unless there is a statutory requirement to use information that has been provided in confidence, it should only be used for purposes that the subject has been informed about and consented to. The duty is not absolute but should only be overridden if the holder of the information can justify disclosure as being in the public interest i.e. to protect others from harm.
4.12.6 The Access to Health Records Act 1990 gives the legal representative or anyone having a claim resulting from the death of a deceased person the right to apply to see that person’s health records and stipulates the time within which records must be available.
4.12.7 KCHFT will address any new legislation affecting records management as it arises.
4.12.8 Any member of staff in breach of records management contained within this policy, or other Information Governance policies supporting it, may be subject to KCHFT disciplinary procedure and dismissed from employment if deemed necessary.
4.12.9 Advice Standards and Guidance from the various professional bodies/organisations should be read in conjunction with this policy e.g. Nursing & Midwifery Council; General Medical Council; Health Professions Council; Chartered Society of Physiotherapists.
4.12.10 It is the duty of all staff to record and report any incidents or ‘near misses’ involving records or data using the KCHFT Incident Reporting procedures.
5 AIMS OF THE RECORD MANAGEMENT SYSTEM
The aims of KCHFT records management system are to ensure:
5.1 Accountability – Records are adequate to account fully and transparently for all actions and decisions, in particular to:
c. provide credible and authoritative evidence
5.2 Availability – KCHFT is able to service its business needs and comply with legislative requirements.
5.3 Accessibility – Those with a legitimate right can access records, and the information within them is located and displayed in a way consistent with its initial use, and the current version is identified where multiple versions exist.
5.4 Interpretation – the context of the record can be interpreted i.e. identification of staff who created or added to the record and when, during which business process, and how the record is related to other records.
5.5 Quality – Records are complete and accurate and reliably represent the information that was actually used in, or created by, the business process, and its integrity and authenticity can be demonstrated. The SBAR tool and standard documentation should be used by all clinical staff for the safe handover of patient care.
5.6 Maintenance through time – so that the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of format. For records in digital format, maintenance in terms of back-up and planned migration to new platforms must be designed and scheduled to ensure continuing access to readable information.
5.7 Security – from unauthorised or inadvertent alteration or erasure, access and disclosure are properly controlled and there are audit trails to track all use and changes in order to ensure that records are held in a robust format which remains readable for as long as records are required.
5.8 Retention and disposal – using consistent and documented retention and disposal procedures, which include provision for appraisal and the permanent preservation of records with archival value.
5.9 Performance measurement – the application of records management procedures is regularly monitored against agreed indicators and action taken to improve standards as necessary.
5.10 Staff training – all staff are made aware of their responsibilities for records management.
6 RECORD CREATION AND MAINTENANCE
6.1 Records created by KCHFT should be arranged in a record-keeping system that will enable quick and easy retrieval of information to support the business of the organisation, ensure informed care of patients and in order to respond to requests for information under the Freedom of Information Act, Data Protection Act, Access to Health Records Act and Environmental Information Regulations.
6.2 High quality information underpins the delivery of high quality evidence based healthcare. Health records must therefore be complete and accurate and healthcare staff must adhere to the record keeping standards in Appendix A.
6.3 Further guidance can be found in Appendix A - Procedure for Creation, Content and Maintenance of Records and Appendix B - Procedure for Clinical Diary Management.
7 NHS NUMBER
7.1 The NHS Number is the only national unique patient identifier used to help healthcare staff and service providers match the patient to their healthcare records. Almost everyone registered with the NHS in England and Wales has their own unique NHS Number.
7.2 The NHS Number should be used as the prime identifier for all KCHFT patients. It should be included on electronic records, wristbands, notes, forms, letters, documents, reports and onward referrals which include personal confidential data and are used for that person's care. Sexual Health is an exception since the data is kept separate from other healthcare information.
7.3 The NHS Number should be captured at the earliest point that a patient presents to a KCHFT service; as soon as possible after first contact and before or at the start of an episode of care. Where the NHS Number is not available then tracing should be performed as early as possible in the episode either at point of contact or as a back-office process. The Personal Demographics Service (PDS) or Demographics Batch Services (DBS) should be used to trace NHS Numbers.
7.4 Further guidance can be found in Appendix C - Procedure for Obtaining and Using the NHS Number
8 INFORMATION SHARING
8.1 KCHFT will take all necessary steps to ensure the security of its records. Appropriate physical security measures will be put in place to control access to work areas where records are stored. In areas where health and corporate records are stored, such as wards, departments, clinics and offices, there must be security procedures and working practices in place to safeguard the records (i.e. Offices should be locked when unoccupied).
8.2 Whilst health records and/or staff records are in use, the person using them is responsible for maintaining the security of the record whilst it remains in their custody.
8.3 Further guidance can be found in Appendix D process for managing requests for access to records (subject access requests) and Appendix E procedure for information sharing (Caldicott principles).
9 STORAGE AND TRANSPORTATION
9.1 For legal and practical reasons records must be stored and transported securely. Paper records must be stored and handled securely to maintain confidentiality and integrity.
9.2 Physical storage must also conform to Fire and Health and Safety regulations to protect staff and maintain records in good condition.
9.3 The security of electronic records must also be assured through robust procedures.
9.4 Further guidance can be found in Appendix F - Procedure for ensuring the security/confidentiality of records and Appendix G - procedure for the transportation of health and staff records.
10 APPRAISAL, ARCHIVING AND DISPOSAL
10.1 All records will be reviewed, archived and destroyed in accordance with Appendix H - Procedure for appraisal, retention and disposal of records.
10.2 Archived manual records must be stored in appropriate filing systems and kept clean, dry and free from contaminants. They should be stored so they are easily accessible, in an order to facilitate retrieval, and must comply with current security and health and safety requirements.
10.3 Records which have reached their minimum retention period and have not been selected for permanent preservation or transfer to secondary storage should be destroyed in a secure and confidential manner; normally this will involve shredding, pulping, or incineration. If a record due for destruction is known to be the subject of a request for information, or potential legal action, destruction should be delayed until disclosure has taken place.
11 ELECTRONIC RECORDS
11.1 KCHFT will consider electronic records management systems to improve the efficiency and accessibility of its records.
11.2 The principles within this policy apply equally to the lifecycle of an electronic record. However, the qualities of availability, accessibility, interpretation and trustworthiness can be maintained for as long as the record is needed, perhaps permanently, despite changes of format. It is, therefore, crucial that the format of any electronic record is considered in any new record management system to ensure the accessibility of it for as long as it’s required.
11.3 There are essentially two types of electronic records:
a. those that are created electronically e.g. reports, spreadsheet and e-mails
b. those that are copied or scanned from paper format
11.4 Documents (or data files) may also be created by an electronic records management system (ERMS) itself, by its users or may be imported into it.
11.5 KCHFT must have a documented and approved operating procedure manual for each ERMS it uses. This manual will provide the evidence that the processes for ensuring authentic documents are robust. If an electronic document is ever challenged this manual will demonstrate that the processes are precise, secure and approved.
12 SCANNING PAPER RECORDS
12.1 The need to reduce costs across KCHFT has seen a move in some teams to consider scanning paper records to both free up valuable storage space and reduce the cost of archiving paper records for years. Before a decision is made to scan records into an electronic medium and destroy the originals, consideration must be given to:
a. the costs of the initial set up, ongoing scanning and then any later media conversion, bearing in mind the relevant retention period for the record;
b. the need to protect the evidential value of the record by copying and storing the record in accordance with British Standard – Code of Practice for Legal Admissibility and evidential weight of information stored electronically (BIP0008); and
c. whether the records are of any archival value and there needs to be consultation prior to destruction.
12.2 In the event that scanning is discussed within your Service, please contact the Information Governance team for details of scanning service options. Advice should also be sought from the Head of IT. All contact details can be found on StaffZone.
13 IMPLEMENTATION – INCLUDING TRAINING AND AWARENESS
13.1 KCHFT will ensure all staff receive regular mandatory Information Governance training. This will cover awareness and personal responsibilities for Information Governance, Data Protection, Confidentiality, Information Security, Freedom of Information, Data Quality and Records Management. Staff will be made aware of all Information Governance policies via their annual mandatory training.
13.2 All health staff will attend mandatory health record-keeping training as defined in the organisation’s Training Needs Analysis.
13.3 Further training needs will be identified through the appraisal process.
13.4 The Information Governance department will ensure that all staff are informed promptly about changes to records management policy and procedures.
13.5 Records of training will be kept by the Learning and Development Department.
13.6 The Transformation team will be responsible for the roll out of the SBAR communications tool and ensure this is incorporated into the record keeping training.
14 STAKEHOLDER, CARER AND USER INVOLVEMENT
14.1 Consultation with the following groups has been undertaken:
Information Governance Assurance Group
Records Management Scrutiny Group
Corporate Assurance and Risk Management Committee
Information Governance team
Clinical Service leads
Staffzone – Policies ‘Have your say’
15 MONITORING COMPLIANCE AND EFFECTIVENESS OF THIS POLICY
What will be monitored? | How will it be monitored? | Who will monitor? | Frequency
Creation and Maintenance (including Health Record Keeping Standards) | Health Record Keeping Documentation Audit; Corporate Record Audit | Clinical Audit Dept, Clinical Audit Group; IG Team, IGAG | Annual; Annual
Storage and Transportation of records | IG Audits and Site visits | IG Team, IGAG | Quarterly
Appraisal, Archiving and Disposal of records | IG Audits and Central Archiving Service | IG Team, IGAG | Quarterly
Staff awareness and personal responsibilities | Training statistics | Learning & Development Governance Group | Monthly
Records Management incidents | Incident and trend reports | Information Governance Assurance Group | Quarterly
16 EXCEPTIONS TO THIS POLICY
APPENDIX A - Procedure For The Creation, Content And Maintenance Of Records
Document Control
Version | Date | Author | Status | Comment
1.0 | Feb 12 | Records Manager | Ratified |
1.1 | Nov 12 | IG Assurance lead | Ratified | Simplified What you need to do section
The Department of Health (DOH) recommends that records are arranged, created and maintained in a system that will enable the organisation to benefit from the quick and easy retrieval of information. The record keeping system should include a documented set of rules for referencing, titling, indexing and, if appropriate, the protective marking of records. These should be easily understood to enable the efficient retrieval of accurate information when it is needed.
The DOH also recommends that health records should be complete and accurate. Records are a valuable resource because of the information they contain. High quality information underpins the delivery of high quality evidence based healthcare. (Records management NHS Code of Practice)
Health records must be indexed using a file referencing system that can be easily understood by staff members with an individual unique identifier e.g. alpha/numeric/alphanumeric so that the patient/client can be identified and their records can be easily retrieved.
What you need to do for both HEALTH records and CORPORATE records:
1. Give each record a unique name that reflects the record’s contents.
2. Use naming convention standards that can be easily understood by staff members.
3. Use a file referencing system that can be easily understood by staff members. The most common of these is alphanumeric, as it allows letters to be allocated for a business activity, e.g. HR for Human Resources followed by a unique number for each electronic record or document created by the HR function.
4. Group and file records in a logical structure to enable the quick and efficient filing and retrieval of information.
5. Employ version control whereby any changes to a document are logged. This must consist of a version number, author and date. Those coming after you can see what has been done and any decisions made can be justified or reconsidered at a later date.
6. Clearly mark paper confidential records and those containing personal confidential data as “private and confidential”. Confidential electronic records must be password protected. Electronic records must be stored on the shared network drive or relevant clinical system and not on personal drives (H drive) or desktops - this ensures that routine security, disaster recovery and business continuity measures are in place to safeguard the information. The approach also promotes a culture of sharing information as an organisational resource and reduces the proliferation of duplicate copies of documents. The personal drive should be used for information which should not be shared on the directorate shared drive (such as information relating to individual personnel issues). For further guidance please contact the Head of IT; contact details can be found on StaffZone.
The organisation’s intranet site will become the repository of all documents that are available to the public under the Freedom of Information Act, (subject to the exemptions in the Act) to maintain organisational transparency and to avoid unnecessary formal requests.
What you need to do for HEALTH records
1. Ensure that any previous records for the person/patient are retrieved (including retrievals from archive – see Appendix H) and that any new interaction is linked with any previous records that exist – this must only be done when the service is able to reliably identify the person/patient.
2. Every provider service must have a standard ‘Order of filing’ which provides clear instructions regarding the structure of its health records.
3. The ‘Order of filing’ must be held in every health record. It may also be printed on the inside of the record itself or on any dividers.
4. The documents within the health record must be ordered in such a way that the relevant information is readily accessible for health staff, and follows a logical health order / chronology.
5. Each component of the health record, e.g. contact details (including NHS Number), records of treatment, correspondence, test results, reports, or other types of documentation relevant to that service/patient, must be kept in individual sections and the documents filed in date order within those sections.
6. Labelled dividers must be used for each component. If the divider is labelled with a code, e.g. colour, alphabetical or numerical, then the code and the component to which it relates must be set out in the ‘Order of Filing’.
7. All documents within the health record must be securely fastened, to avoid loss, damage or destruction.
8. Staples should not be used to secure the health record but may be used, for example, to secure two pages of a letter or other document. If holes need to be punched they should be uniformly positioned and care taken to ensure that no information is destroyed.
9. Plastic wallets (sleeves) must not be placed or used within the health record to hold information. All information must be securely fixed. Only identification labels may be contained within the plastic wallet at the back of the health record. Information relating to others acting on behalf of service users should be noted if provided.
10. Any personal confidential data held on other media must be labelled correctly and held securely within the record.
11. Any investigations which have been produced by machines and are in the format of long paper strip recordings e.g. ECG reports should be stored in an A5 manila envelope, with the service user’s name and NHS number clearly recorded on the front of the envelope. It should then be hole punched and filed securely in the health record.
12. Filing service user documents incorrectly potentially creates a clinical risk. It is therefore vital that all staff take particular care in ensuring the ‘order of filing’ is adhered to.
13. If a Health Record is damaged whilst in use, the cover must be repaired or replaced as soon as possible.
14. Where more than one service or professional is involved in a service user’s care and they do not have immediate access to the Health Record due to distance between locations, a temporary record must be made and collated with the patient’s health record as soon as possible.
15. Temporary records must only be used as a last resort and in consultation with the appropriate clinicians.
16. Temporary Records must only be used until the service user’s Health Records have been retrieved, or a set is issued for a newly registered patient, at which point they must be amalgamated.
17. Temporary Records must be clearly identifiable as such and only used for this purpose, otherwise there is a danger of information and clinical details becoming misplaced or lost.
18. When amalgamating the contents of the Temporary Folders, it must be ensured the correct set of permanent Health Records has been obtained. All the personal details of the service user must correspond, e.g. name, date of birth, address, GP and NHS Number.
19. Amalgamation of Health Records can be particularly problematic where there may be more than one service user with the same name, for example with service users from ethnic groups with complex family name structures; careful checking is needed in such instances.
20. Where sets of Health Records become too large, these must be separated into numbered volumes and marked appropriately on the front of the files, e.g. Volume I, Volume II etc.
21. Only those items from the most recent service user episode and any ongoing concerns must be retained in the current health record.
22. A supply of tracer cards must be available to all teams transporting paper health or staff records (this does not apply to services that use PAS for tracking the movement of paper health records). Cards can be ordered via: Agresso code WRU341520001.
Health Record Keeping Standards
Standard:
a. All entries must be:
i. legible
ii. written in black ink
iii. signed and initialled (the use of rubber stamps is not acceptable)
iv. dated
v. timed
b. All entries must be written consecutively.
c. All entries must be written in a way that text cannot be added, altered or erased (i.e. no blank lines between entries).
d. All entries must be written contemporaneously.
e. All known allergies must be recorded.
f. All paperwork must be filed in chronological order and securely attached within the record.
g. Only abbreviations on the approved service lists should be used. All other text must be written in full or qualified immediately within the text.
h. Records must include ‘next of kin details’ (NMC standard). N.B. Where service users are seen in an outpatient setting, Minor Injury Unit (MIU) or Walk In Centre this may be excluded, if appropriate.
i. Records must include service user address and contact details as well as emergency contact details. Information relating to others acting on behalf of service users should be noted if provided.
j. All page headings should include the service user’s full name (surname and first name) and date of birth, NHS number and unique identifier.
k. All new sheets should include the service user’s full name and date of birth, unique identifier and NHS number.
l. A service user’s equality monitoring data should be collected at the first contact.
m. All entries must be signed and the author’s name printed.
n. All signatures must be traceable through a signature sheet or with a printed name.
o. A signature register of all healthcare professionals who make entries in health records must be available in each team.
p. All mistakes should be crossed through with a single line and initialled by the author (No correction fluid should be used in any records).
q. Records should not contain any comments which could be interpreted as derogatory – they should only contain clear, factual and accurate information which maintains the dignity and confidentiality of people using the service.
r. All healthcare records must be marked ‘Private and Confidential’.
s. All entries made by unregistered staff (unless deemed competent to make entries) must be countersigned and dated by registered staff.
t. Any health notes contained in a diary/message book must be transferred to the service user’s health record as soon as possible – this includes verbal communications.
u. Patients must be made aware that the information they give may be recorded and shared in order to provide them with care and may be used to support clinical audit and other work to monitor the quality of care provided. Dissent must also be recorded. Please see the Being Open Policy and Procedure which can be found on Staffzone, and the Procedure for obtaining consent to share information – Appendix B to the Data Protection and Confidentiality Policy.
Integration – Patients/Professional Partnership
Standard:
a. All history sheets/admission/initial contact/information and assessments must be completed.
b. All problems/risk assessments must be identified and interventions planned.
c. All care/treatment options should be discussed with the service user (if appropriate) and documented in the service user’s records.
d. All re-assessments and changes in care/treatment must be documented.
e. Care/treatment plans should give a clear picture of the care/treatment that will be given to the service user.
f. Service users must be actively involved in continuously negotiating and influencing their care.
g. Carers must be involved at the request of the service user or if the service user is unable to communicate/participate in planning and negotiating their own care.
h. Service users must consent to treatment/care and this must be documented in the notes.
i. If there are concerns about a person’s capacity to consent, a capacity assessment must be completed.
j. Details of advance decision(s) must be clearly visible in the service user record.
k. At every third visit by a healthcare assistant (HCA) who is providing care to a patient, documentation should include confirmation of a joint visit with a registered nurse.
l. Copies of letters, referrals and other correspondence sent to or received from the service user, carer or other professionals involved in the service user’s care must be contained within the record (excluding correspondence regarding complaints).
High Quality – evidence based practice
Standard:
a. Service users’ care must follow evidence based guidance or supporting documents describing best practice.
b. Evidence guidance such as NICE; clinical policies/procedures etc must be available in the department.
c. Staff must have access to the latest information i.e. journals, Internet access, intranet access, research and developmental information, resource information.
d. Staff must be up-to-date with the latest practices.
Integration of Records – across professional and organisational boundaries
Standard:
a. Service users must have a structured multi-professional record which supports integrated care, where applicable.
b. All professionals involved in the patient / service user’s care are identified in the records, where applicable.
c. Where an integrated patient / service user record cannot be created, each organisation must keep their records separately and strict confidentiality and information security measures must apply. If there are any queries please contact a member of the IG team on [email protected].
d. Where care is transferred to another team it is clearly documented and contact details available if required in the future.
Patient / home held notes
Before leaving KCHFT notes in patient homes, patients must be assessed as competent, and made aware that the notes must be kept securely. The following wording can be explained to the patient, and a copy of this wording should be held prominently in the patient notes so that they are aware of the responsibility of keeping them safely:
Kent Community Health NHS Foundation Trust will be leaving this set of notes in your home so that our nursing staff can treat you efficiently and safely.
Having these notes available means that all our staff will have the information that they need to treat you.
These notes are the responsibility of the Kent Community Health NHS Foundation Trust and we ask that you keep these safe whilst they are in your home.
These records are to be returned to our nursing staff when your treatment finishes. Our nurses will normally take them out of your home on their last visit, or may arrange with you to come and pick them up at a later date.
Alternatively, please send them to Kent Community Health NHS Foundation Trust at the address below:
Kent Community Health NHS Foundation Trust
Trinity House
110-120 Upper Pemberton
Eureka Business Park
Ashford, Kent
TN25 4AZ
Safeguarding vulnerable children, young people and adults
KCHFT’s Safeguarding Strategy sets out how all staff will proactively safeguard vulnerable children, young people and adults by effective identification, assessment, holistic care planning and multi agency working/information sharing.
Maintaining accurate, contemporaneous records and other information, in line with organisational policy is key to effective safeguarding decisions.
All staff in the organisation have access to the Kent and Medway Safeguarding Children/Vulnerable Adults multi-agency procedures. In addition to this, internal supporting procedures, protocols and policies relating to safeguarding children/vulnerable adults are in place and updated in line with national guidance.
Attention must be paid to the guidelines relating to the management and follow up of attendances for children and young people at A&E departments.
Recordings and Still Pictures
Photographs (where the photograph refers to a particular service user it should be treated as part of the health record). NB: In the context of the Code of Practice a ‘photograph’ is a print taken with a camera and retained in the patient record.
Photographs should be identified with the patient by way of a paper strip held next to the wound or area that is being photographed. The paper strip should include:
• The patient’s NHS number (or, if not available, the patient’s name and date of birth)
• The date that the photograph was taken
Cameras cannot be encrypted, so if the patient’s name and date of birth are used instead of the NHS number then staff must be aware of the increased risk of unauthorised access if the camera is mislaid before the images are uploaded to the organisational secure network. Therefore, all KCHFT equipment must be transported in a secure container. If KCHFT equipment is being transported by car, it must only be transported in the boot of the car.
Video records/voice recordings relating to patient care/video records/videoconferencing records related to patient care/DVD records related to patient care
Wherever possible, still pictures and recordings (voice and/or DVD) should be stored alongside the health record of the service user and archived with the paper record, thus ensuring a complete record.
If it is impracticable to store recordings and still pictures with the paper records they must be stored in appropriate storage areas and an inventory of those records must be made. The existence of these records must be referenced in the paper records.
APPENDIX B - PROCEDURE FOR CLINICAL DIARY (PAPER OR ELECTRONIC) AND PRINTED CASELOAD TOOL MANAGEMENT
Document Control
Version Date Author Status Comment
1.0 Nov 12 IG Assurance Lead Ratified
2.0 Nov 15 IG Compliance Manager Ratified
What you need to do:
1. All patient or service user related data is kept safe and secure at all times at the office and in transit.
2. With immediate effect, patient or service user data labels (which include patient’s name, address, date of birth, NHS number and GP details) are not to be used in paper clinical diaries.
3. Only patient or service user’s name and address should be recorded in the paper or online diary or on the printed caseload tool. Clinicians need to consider the minimum amount of information to be recorded which allows for continuity of service delivery. For instance, if the service user file is with the member of staff, there is no need to record the name and address in the diary.
4. Key Code numbers should be recorded in a paper or online diary in a way that cannot be related in any way to an address.
5. The paper clinical diary or printed caseload tool must include the words “Private and confidential” with a return address for the team’s work base. This should be placed on the front of the diary and the information is also written on the inside of the diary.
6. All staff have undertaken the mandatory annual Information Governance training.
7. All staff will remind themselves of the contents of the Code of Confidentiality and ensure a signed copy of the back page has been returned to their team lead, for inclusion in their personal file.
8. When transporting personal confidential data, ensure it is kept securely i.e. in a secure bag. In certain circumstances it can be locked in the boot of a car, but never overnight. Under no circumstances leave on the front/back seats or in view to others.
9. Under no circumstances should confidential/personal confidential data be left in a car overnight. For further information see Appendix G, the Procedure for the Transportation of Health and Staff Records.
10. Expired paper diaries must be held securely for 2 years after end of year to which the diary relates, after which they must be disposed of according to the Procedure for Retention, Appraisal and Disposal of Records. Healthcare information should be transferred to the patient record. Any notes made in the diary as an ‘aide memoire’ must also be transferred to the patient record as soon as possible.
APPENDIX C - PROCEDURE FOR OBTAINING AND USING THE NHS NUMBER
Document Control
Version Date Author Status Comment
1.0 Feb 12 Records Manager Ratified
1.1 Nov 12 IG Assurance Lead Ratified Combined two NHS Number procedures into one
Introduced in 1996, the NHS number is a unique 10 character number assigned to help healthcare staff and service providers match the patient to their healthcare records. Almost everyone registered with the NHS in England and Wales has their own unique NHS Number. The Department of Health recommends that use of the NHS number will allow linkage of patient records across systems and organisations. It is envisaged that record linkage will improve effectiveness and efficiency of health care to patients. Use of the NHS number also supports the concept of a lifelong record. (Records Management: NHS Code of Practice). Sexual Health is an exception since the data is kept separate from other healthcare information.
What you need to do
1. The NHS Number should be used as the prime identifier for all KCHFT patients.
2. The NHS Number should be captured at the earliest point that a patient presents to a KCHFT service; as soon as possible after first contact and before or at the start of an episode of care.
3. Referrals received by KCHFT services should include the NHS Number. Joint working must be established with GPs and other referring NHS organisations to ensure wherever possible NHS Numbers are included in the referral.
4. Where the NHS Number is not available then tracing should be performed as early as possible in the episode either at point of contact or as a back-office process. The Personal Demographics Service (PDS) or Demographics Batch Services (DBS) should be used to trace NHS Numbers.
5. The NHS Number should be included on electronic records, wristbands, notes, forms, letters, documents, reports and onward referrals which include personal confidential data and are used for that person's care.
6. The NHS Number should be used in the first instance to search for an electronic record.
7. Minimum datasets on information systems recording personal confidential data should include the NHS Number. This includes Excel spreadsheets and Access databases.
8. KCHFT services should encourage their patients to know their own NHS Number and raise awareness by use of patient literature that explains the NHS Number, its uses and advantages and how patients can use it to increase safety.
Patients can find out their NHS Number by asking their GP practice, because it will be written on their medical history notes, or if their GP does not have their NHS Number on file, they can write to the Kent Primary Care Agency at:
11 Station Road
Maidstone
Kent
ME14 1QH
What you need to do to Trace an NHS Number using the Personal Demographics Service (PDS)
1. Team Managers must identify those staff to be trained in on-line tracing of patient NHS Numbers.
2. All staff requiring access to PDS must first register for a smartcard via the Registration Authority Manager; contact details can be found on StaffZone. As part of the registration process staff need to provide proof of identity. Once the smartcard has been registered the access level needs to be authorised by your sponsor (normally your line manager).
3. Once the above process has been completed, access to PDS is obtained by first logging on to the NHS CRS (the Spine) using the smartcard and pass code, and then selecting the Launch Summary Care Record option.
4. PDS must only be used for checking patient information. It cannot, under any circumstances, be used to check private information.
5. Passwords must be kept secure and not divulged to anyone else.
6. All personal confidential data must be kept confidential and only disclosed to other members of staff who have a ‘need to know’ in the course of their work.
7. If a patient cannot be found/traced on PDS, then contact should be made with the GP Practice to enquire if they know the NHS Number of the patient. If first contact was made within the last 6 weeks the NHS Number may still be pending.
8. If a PDS user finds data quality issues such as duplicate entries on PDS or incorrect patient information, they are advised to contact the Head of Applications, who will be able to log the details of the call and pass it to the appropriate team to resolve.
9. Some patients’ NHS Numbers cannot be traced. This may be because:
• the person has not changed their GP or address for many years
• the person has been in long term inpatient care
• the person has been in prison for a length of time
• the person is, or has recently been, in the armed forces
• the person is an asylum seeker, currently in a detention centre
• the person is not registered with a GP
PERSON TRACING
There are two options available for patient tracing, basic search and advanced search. The most appropriate function will be determined by the level of information available to check a patient.
Basic Search
If at least the gender, surname and DOB are known, the basic search should be used. Enter as much information as is available onto the basic search screen and click the find button.
The results will be displayed on the screen. By clicking on the patient name (in bold blue lettering) the screen will be expanded to include further information which is split into four tabs; Key demographics, GP & Care providers, Contact & next of kin, Historical information. Click on the relevant tab to obtain the information required.
Advanced Search
If there is limited information available regarding a patient the advanced search will enable wider searches to be carried out using ranges of information rather than specific information. The search results will be displayed in the same way as described for the basic search.
APPENDIX D - PROCESS FOR MANAGING REQUESTS FOR ACCESS TO RECORDS (SUBJECT ACCESS REQUESTS)
Document Control
Version Date Author Status Comment
1.0 Feb 12 Records Manager Ratified
1.1 November 2012 IG Assurance Lead Ratified New flowchart clarifying service role in SARs
Patients/clients are able to access all their current records if and when they choose to do so. Health care professionals must take account of guidance available relating to the process for managing subject access requests.
“What happens to personal information held about you?” leaflets must be available in each area/ward/department. A copy of the leaflet can be found on Staffzone.
Specified within the Data Protection Act 1998, principle six, are timeframes within which data controllers must comply when dealing with requests for information (subject access requests). Valid applications must be processed within a maximum of forty calendar days following receipt.
Subject Access Requests Pricing Structure
Please see below for pricing/charging structure which must be applied to all Access to Health Records Requests.
Elements of charging structure
1. Retrieval from Archiving costs
2. Royal Mail ‘Special Delivery’ costs
3. Photocopying costs (incl. paper, toner etc)
4. Processing time (Administration costs)
5. Clinician time (checking)

Elements Included | Cost
1, 2, 3, 4, 5 (No upper or lower limits on sheets provided) | £50.00 ex VAT
2, 3 (less than 10 sheets), 4, 5 | £25.00 ex VAT
2, 3 (more than 10 sheets), 4, 5 | £50.00 ex VAT
Electronic Records (transferred electronically) | £10.00 ex VAT
Viewing of Records (on site) | £10.00 ex VAT

Non Health Requests
Viewing of Records | No charge
Copy of Records | £10.00
What you need to do
Service receives records request
• Service alerts Legal Services by faxing request to 01233 667954 (safe haven) with completed form SAR1.
OR
• Service scans and emails request and completed form SAR1 to
(DAY 1)
Service locates and retrieves relevant records.
If necessary, records are requested from archive via the Information Governance Team in line with the Trust’s procedure by emailing
Records and form SAR3 sent to Legal Services in one of the following two ways:
(1) Copy records and completed form SAR3 sent by internal/special delivery post or scans and emails to [email protected]
OR
(2) Original records and completed form SAR3 sent by internal/special delivery post or by hand delivery.
Service monitors where the records were sent and if necessary arranges return of box to archive.
SERVICE LEGAL SERVICES
Legal Services considers comments on form SAR3 and redacts harmful and third party information in the records.
Legal Services discloses copy records to requester
Legal Services sends invoice request to Finance Team
(DAYS 7 TO 20)
Upon receipt of original records, service returns the file to original location in accordance with the Trust’s Records Management Policy
Service completes and faxes form SAR4 to Legal Services
(UPON RECEIPT OF RECORDS)
Legal Services returns original records to service (if necessary) by internal/special delivery post with form SAR4.
(WITHIN 5 WORKING DAYS OF RESPONSE)
Handling a request for access to health records (subject access request)
APPENDIX E - PROCEDURE FOR INFORMATION SHARING (CALDICOTT PRINCIPLES)
Document control
Version Date Author Status Comment
1.0 Feb 12 Data Protection Manager Ratified
1.1 Nov 2012 IG Assurance Lead Ratified Replaced with procedure from DPA Policy for consistency
All employees working for KCHFT are bound by a legal duty of confidence to protect all personal confidential data they may come in contact with during the course of their work. This is not just a requirement of your contractual responsibilities but also a requirement within the Data Protection Act 1998 and, in addition, for health and other professionals through their own professions’ Code/s of Conduct.
Routine disclosure - a routine disclosure of personal confidential data is one that happens as a matter of course and is relevant to the direct care or treatment of the individual. For example:
a) a multi-professional ward round or case conference
b) a health visitor discussing a family’s circumstances with their GP
c) a routine referral to another department
Non-routine disclosure - a third party may also request disclosure of personal confidential data for purposes other than direct healthcare, such as from the Nursing and Midwifery Council (NMC), Police, Coroner, Solicitors, Court, researchers (this list is not exhaustive). For example:
a) police requesting information from A&E about injuries sustained by a patient suspected of being involved in an affray (unless under a statutory exemption);
b) a solicitor requesting information in a personal injury claim;
c) the NMC requesting a staff and/or patient file to investigate a possible incident;
d) Court when prosecuting an offender.
The request must be made in writing (for audit purposes) and if you are unsure whether to release the information seek advice from a Senior Manager, the Caldicott Guardian or the Legal Services Department.
What you need to do
Staff are regularly asked to provide information about patients. Prior to disclosing any information, staff must ensure that, if necessary, patients are aware that their information may be shared; please see the Procedure for obtaining consent to share information.
When sharing information you must take into account the security of the information being sent; please refer to the Safe Haven Procedures.
Caldicott Principles (to be applied prior to releasing patient identifiable information):
1. Justify the Purpose(s)
Individuals, departments and organisations must justify the purpose(s) for which information is required. This includes being able to justify the purposes to the individual as well as to the Caldicott Guardian within Community Health. Every proposed use or transfer of patient identifiable information within or from Community Health should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate manager within the practice.
2. Don’t use patient identifiable information unless it is absolutely necessary
This means assessing information flows and uses, and ensuring that patient identifiable information is removed unless a genuine case can be made for its inclusion and there is no alternative.
3. Use the minimum necessary patient identifiable information
Where use of patient identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability. This includes the use of the NHS number rather than any other identifier where possible.
4. Access to patient identifiable information should be on a strict need to know basis
Only those individuals who need access to patient identifiable information should have access to it, and they should only have access to the information items that they need to see. Never give out information on patients or staff to persons who do not “need to know” or if it is not to provide healthcare and treatment.
If the information requested is not to provide healthcare and treatment, the request should have a justified need and may also need to be agreed by the Caldicott Guardian, Legal Services or the Information Governance team.
5. Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient identifiable information – both health and non-health staff – are aware of their responsibilities and obligations to respect confidentiality.
6. Understand and comply with the law
See “Other sources of information” below
7. The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Remember:
You cannot withdraw information once it has been disclosed, so decide carefully and seek advice before providing confidential information to any third party.
The fact that an individual has visited a site, or is a patient of the clinic/practice or healthcare professional is confidential. If in doubt, consult with your manager.
Specific statutory restrictions apply to the disclosure of information regarding HIV and AIDS, sexually transmitted disease, assisted conception and abortion.
The Police do not have any automatic right of access to information – see Procedure for information sharing with the Police.
If you have any concerns about disclosing or sharing patient identifiable information you must discuss this with your manager or the most senior member of staff available before releasing the information.
APPENDIX F - PROCEDURE FOR ENSURING THE SECURITY/CONFIDENTIALITY OF RECORDS
Document Control
Version | Date | Author | Status | Comment
1.0 | Feb 12 | Records Manager | Ratified |
1.1 | Nov 2012 | IG Assurance Lead | Ratified | Simplified and combined with previous Appendix H
The Department of Health recommends that equipment used to store current records on all types of media should provide storage that is safe and secure from unauthorised access and which meets health and safety and fire regulations, but which also allows maximum accessibility of the information commensurate with its frequency of use. (Records Management: NHS Code of Practice)
What you need to do
1. All patients’ and staff records must be kept in lockable filing cabinets, drawers or cupboards.
2. All records must be stored in a tidy and orderly manner.
3. Records may only be destroyed/disposed of by approved methods outlined in Appendix H.
4. Patients must be made aware that other agencies/professionals may need to share information about them (including written documentation and reports) and that they have the right to exercise choice in that process.
5. Patient and staff records must be transported securely and confidentially as outlined in Appendix G.
6. Where a record is maintained at a patient’s home the patient must be made aware of their role in maintaining the security and confidentiality of the record.
7. In the event of a patient’s death or at the end of an episode of care/treatment staff must ensure that patient held records are returned to the department/base by a named professional.
8. Health and/or staff records must not be left unattended in areas used by the public. This applies to wards, outpatient departments, offices and also to staff vehicles.
9. Staff must be aware of their role in the Confidentiality Code of Conduct.
10. Desks must be left clear of health and/or staff/corporate records and other confidential information at the end of the working day.
11. Regular risk assessments should be undertaken on all record storage areas to ensure that information security standards are strictly maintained.
12. Electronic Records must be protected at all times from unauthorised disclosure, access or corruption and must have appropriate titles, security markings, and/or confidentiality markings to prevent accidental deletion or access.