CITIZEN AUTOMATIC ACCESS TO GP RECORDS - 1st November 2022
The LMC continues to receive concerns from practices about this programme.
I fully support the benefit that patients accessing their own records can have, but I am disappointed that at a very late hour there remain many concerns about implementation of this project. As a background I listed the same issues that still need to be resolved over a decade ago when I chaired the GPC IT Subcommittee and Co-Chaired the national Joint GP IT Committee.
The only advice they have taken on board is to make the access prospective in line with the 1990 Act and manual records, rather than the governments’ proposal to make it to the whole record.
Implementation was confirmation in a letter dated 21st July see this link.
The remaining concerns include that:
- Training and work needed to implement is unfunded
- Flags hiding online data is not transferred via GP2GP so the process has to start from anew every time a patient moves practice (the patient will only have access from date moved to new practice).
- It is impossible to ensure that all patients vulnerable to potential abuse of their record are identified in the time scale, but the practice will remain legally accountable as the Data Controller.
- At present it is not readily clear within the patient record which entries have been hidden.
- Hospitals are unaware of this change so have not changed their processes appropriately (eg ensuring patients have been informed about a significant diagnosis before sending a letter to the GP record).
- The provided software does not redact just the appropriate information, but the whole entry (so does not meet the UK GDPR requirements for redaction).
These concerns are shared by the GPC and the RCGP, and I understand that discussions are continuing this week so there may be further changes.
This change is contractual so the LMC cannot advise practices not to engage.
Practices should identify patients who may be vulnerable including those with safeguarding concerns and apply the SNOMED CT exemption code: “1364731000000104 Enhanced review indicated before granting access to own health record.” This has to be done prior to 1 November 2022.
There has been a suggestion that practices could bulk add this code to all records. Whilst the LMC cannot advocate this as a blanket approach, if a practice, as Data Controller, has a specific reason why they have not been able to identify and flag records in time, then they could make a decision to do this, recognising that they will need to be able to justify their decision.
The most important action a practice needs to make is to ensure that everyone within the practice is aware of the requirement to hide appropriate entries, including attachments from other organisations, from online access, and how to do this.
The ICB has sent emails with local and nationally provided guidance, but practices should work through the readiness checklist which also includes links to the various national guidance.
Please see attached a short flow chart to help staff decide whether an entry needs to be hidden from online access or not, as well as the guidance in full.
The BMA has now published a press release concerning access to records:
https://www.bma.org.uk/bma-media-centre/gp-practices-not-ready-to-safely-roll-out-citizens-access-programme-should-delay-it-says-bma
and it links to a guidance document and template letter that can be found here:
https://www.bma.org.uk/advice-and-support/ethics/confidentiality-and-health-records/accelerated-access-to-gp-held-patient-records-guidance?domain=bma.org.uk
The main additional factor they have included is that the GPC has stated that the legal basis for NHS E to require system suppliers to turn on the access is ‘unclear.’
This is due to a requirement under the Data Protection Act 2018 that Data Processors (SystmOne or EMIS) cannot be instructed by anyone other than their Data Controller (the practice) to change record access settings.
The GPC further advises that an option for practices is to “Write to your system supplier (the Data Processor) before 31 October 2022 using its preferred contact email address (recordaccess@tpp-uk.com for TPP (SystmOne) practices and aapostpone@emishealth.com for EMIS practices) requesting, as Data Controller, that automatic access not be switched on.”
The GPC provides a template letter to allow practices to do this.
We would encourage any practice who do not believe that they can safely provide the automatic widespread access of patients at this time to their records to consider this option.
The GPC guidance notes “A delay at practice level would allow practices to undertake the necessary preparation and training to facilitate a safe implementation of the programme with practices able to work through the GP readiness checklist at a pace that fits with business continuity whilst maintaining delivery of essential services. It is for practices to decide the best course of action for themselves and their patients, being ever mindful of their responsibilities as Controllers. It remains a contractual requirement to offer and promote online access, and this offer will continue, with access being granted on request subject to practices being confident there will be no adverse impact on their provision of essential services.