Caldicott Report

Last updated

The Caldicott Committee's Report on the Review of Patient-Identifiable Information, usually referred to as the Caldicott Report, was a review commissioned in 1997 by the Chief Medical Officer of England due to increasing worries concerning the use of patient information in the National Health Service (NHS) in England and Wales and the need to avoid the undermining of confidentiality because of the development of information technology in the NHS, and its ability to propagate information concerning patients in a rapid and extensive way.

Contents

A committee was established under the chairmanship of Dame Fiona Caldicott, Principal of Somerville College, Oxford, and previously President of the Royal College of Psychiatrists. Its findings were published in December 1997.

The Caldicott Report [1] highlighted six key principles, and made 16 specific recommendations.

In 2012 Dame Fiona produced a follow-up report [2] which made 26 further recommendations including the addition of a seventh principle which is included in the list below.

In 2016 a further follow-up report was produced [3] following controversy over the care.data initiative from HSCIC.

Caldicott principles

  1. Justify the purpose(s)
    Every single proposed use or transfer of patient identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed, by an appropriate guardian.
  2. Don't use patient identifiable information unless it is necessary
    Patient identifiable information items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
  3. Use the minimum necessary patient-identifiable information
    Where use of patient identifiable information is considered to be essential, the inclusion of each individual item of information should be considered and justified so that the minimum amount of identifiable information is transferred or accessible as is necessary for a given function to be carried out.
  4. Access to patient identifiable information should be on a strict need-to-know basis
    Only those individuals who need access to patient identifiable information should have access to it, and they should only have access to the information items that they need to see. This may mean introducing access controls or splitting information flows where one information flow is used for several purposes.
  5. Everyone with access to patient identifiable information should be aware of their responsibilities
    Action should be taken to ensure that those handling patient identifiable information - both clinical and non-clinical staff - are made fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Understand and comply with the law
    Every use of patient identifiable information must be lawful. Someone in each organisation handling patient information should be responsible for ensuring that the organisation complies with legal requirements.
  7. The duty to share information can be as important as the duty to protect patient confidentiality
    Professionals should in the patient's interest share information within this framework. Official policies should support them doing so.

These principles have been subsumed into the NHS confidentiality code of practice. [4]

Summary of recommendations in original report

  1. Every dataflow, current or proposed, should be tested against basic principles of good practice. Continuing flows should be re-tested regularly.
  2. A programme of work should be established to reinforce awareness of confidentiality and information security requirements amongst all staff within the NHS.
  3. A senior person, preferably a health professional, should be nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information.
  4. Clear guidance should be provided for those individuals/bodies responsible for approving uses of patient-identifiable information.
  5. Protocols should be developed to protect the exchange of patient-identifiable information between NHS and non-NHS bodies.
  6. The identity of those responsible for monitoring the sharing and transfer of information within agreed local protocols should be clearly communicated.
  7. An accreditation system which recognises those organisations following good practice with respect to confidentiality should be considered.
  8. The NHS number should replace other identifiers wherever practicable, taking account of the consequences of errors and particular requirements for other specific identifiers.
  9. Strict protocols should define who is authorised to gain access to patient identity where the NHS number or other coded identifier is used.
  10. Where particularly sensitive information is transferred, privacy enhancing technologies (e.g. encrypting identifiers or "patient identifying information") must be explored.
  11. Those involved in developing health information systems should ensure that best practice principles are incorporated during the design stage.
  12. Where practicable, the internal structure and administration of databases holding patient-identifiable information should reflect the principles developed in this report.
  13. The NHS number should replace the patient's name on Items of Service Claims made by General Practitioners as soon as practically possible.
  14. The design of new systems for the transfer of prescription data should incorporate the principles developed in this report.
  15. Future negotiations on pay and conditions for General Practitioners should, where possible, avoid systems of payment which require patient identifying details to be transmitted.
  16. Consideration should be given to procedures for General Practice claims and payments which do not require patient-identifying information to be transferred, which can then be piloted.

Related Research Articles

Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access to or places restrictions on distribution of certain types of information.

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

<span class="mw-page-title-main">Medical record</span> Medical term

The terms medical record, health record and medical chart are used somewhat interchangeably to describe the systematic documentation of a single patient's medical history and care across time within one particular health care provider's jurisdiction. A medical record includes a variety of types of "notes" entered over time by healthcare professionals, recording observations and administration of drugs and therapies, orders for the administration of drugs and therapies, test results, X-rays, reports, etc. The maintenance of complete and accurate medical records is a requirement of health care providers and is generally enforced as a licensing or certification prerequisite.

Clinical governance is a systematic approach to maintaining and improving the quality of patient care within the National Health Service (NHS) and private sector health care. Clinical governance became important in health care after the Bristol heart scandal in 1995, during which an anaesthetist, Dr Stephen Bolsin, exposed the high mortality rate for paediatric cardiac surgery at the Bristol Royal Infirmary. It was originally elaborated within the United Kingdom National Health Service (NHS), and its most widely cited formal definition describes it as:

A framework through which NHS organisations are accountable for continually improving the quality of their services and safeguarding high standards of care by creating an environment in which excellence in clinical care will flourish.

Clinical audit is a process that has been defined as a quality improvement process that seeks to improve patient care and outcomes through systematic review of care against explicit criteria and the implementation of change

A consultant pharmacist is a pharmacist who works as a consultant providing expert advice on clinical pharmacy, academic pharmacy or practice, public health pharmacy, industrial pharmacy, community pharmacy or practice, pharmaceutical analysis etc., regarding the safe use and production of medications or on the provision of pharmaceutical services to medical institutions, hospitals, universities, research institutions, medical practices and individual patients.

<span class="mw-page-title-main">Fiona Caldicott</span> British psychiatrist (1941–2021)

Dame Fiona Caldicott, was a British psychiatrist and psychotherapist who also served as Principal of Somerville College, Oxford. She was the National Data Guardian for Health and Social Care in England until her death.

The NHS Connecting for Health (CFH) agency was part of the UK Department of Health and was formed on 1 April 2005, having replaced the former NHS Information Authority. It was part of the Department of Health Informatics Directorate, with the role to maintain and develop the NHS national IT infrastructure. It adopted the responsibility of delivering the NHS National Programme for IT (NPfIT), an initiative by the Department of Health to move the National Health Service (NHS) in England towards a single, centrally-mandated electronic care record for patients and to connect 30,000 general practitioners to 300 hospitals, providing secure and audited access to these records by authorised health professionals.

The Patient Information Advisory Group (PIAG) was established in the United Kingdom under section 61 of the Health and Social Care Act 2001 and the Patient Information Advisory Group (Establishment) Regulations 2001 to provide advice on issues of national significance involving the use of patient information and to oversee arrangements created under section 60 of the Act. Its membership was drawn from patient groups, health care professionals and regulatory bodies. Following the implementation of the Health and Social Care Act 2008, PIAG was abolished and its responsibilities transferred to a new body, the National Information Governance Board for Health and Social Care, with effect from January 2009.

The Caldicott Committee's December 1997 Report on the Review of Patient-Identifiable Information, usually referred to as the Caldicott Report, identified weaknesses in the way parts of NHS handled confidential patient data. The report made several recommendations, one of which was the appointment of Caldicott guardians, members of staff with a responsibility to ensure that patient data are kept secure:

Recommendation 3: A senior person should be nominated in each NHS organisation, including the Department of Health and associated agencies, to act as a "guardian". The "guardian" should normally be a senior health professional or be closely supported by such a person. The NHS IM&T Security Manual requires each organisation to designate a senior medical officer to oversee all procedures affecting access to person-identifiable health data. This role and that of the "guardian" may be combined, providing there is no conflict of interest. The Department of Health should take the development of this role forward in partnership with interested parties.

<span class="mw-page-title-main">National Health Service (England)</span> Publicly-funded healthcare system in England

The National Health Service (NHS) is the publicly funded healthcare system in England, and one of the four National Health Service systems in the United Kingdom. It is the second largest single-payer healthcare system in the world after the Brazilian Sistema Único de Saúde. Primarily funded by the government from general taxation, and overseen by the Department of Health and Social Care, the NHS provides healthcare to all legal English residents and residents from other regions of the UK, with most services free at the point of use for most people. The NHS also conducts research through the National Institute for Health and Care Research (NIHR).

SystmOne is a centrally hosted clinical computer system developed by Horsforth-based The Phoenix Partnership (TPP). It is used by healthcare professionals in the UK predominantly in primary care. The system is being deployed as one of the accredited systems in the government's programme of modernising IT in the NHS.

Healthcare in England is mainly provided by the National Health Service (NHS), a public body that provides healthcare to all permanent residents in England, that is free at the point of use. The body is one of four forming the UK National Health Service as health is a devolved matter; there are differences with the provisions for healthcare elsewhere in the United Kingdom, and in England it is overseen by NHS England. Though the public system dominates healthcare provision in England, private health care and a wide variety of alternative and complementary treatments are available for those willing and able to pay.

<span class="mw-page-title-main">National Health Service</span> Publicly-funded healthcare systems in the United Kingdom

The National Health Service (NHS) is the umbrella term for the publicly funded healthcare systems of the United Kingdom, comprising the NHS in England, NHS Scotland and NHS Wales. Health and Social Care in Northern Ireland was created separately and is often locally referred to as "the NHS". The original three systems were established in 1948 as part of major social reforms following the Second World War. The founding principles were that services should be comprehensive, universal and free at the point of delivery—a health service based on clinical need, not ability to pay. Each service provides a comprehensive range of health services, provided without charge for people ordinarily resident in the United Kingdom apart from dental treatment and optical care. In England, NHS patients have to pay prescription charges; some, such as those aged over 60, or those on certain state benefits, are exempt.

The National Information Governance Board for Health and Social Care (NIGB) advised the United Kingdom government on information governance between 2008 and 2013.

care.data was a programme announced by the then Health and Social Care Information Centre in spring 2013. It aimed to extract data from GP surgeries into a central database through the General Practice Extraction Service (GPES). Members of the English population who were registered with GP practices were informed that data on their health would be uploaded to HSCIC unless they exercised their rights to object by informing their GP.

Patient record access in the United Kingdom has developed most fully in respect of the GP record, because computerisation in that field is almost universal. British hospitals were slower to move into electronic records. From 1 April 2015 all GP practices in England have to provide online services to patients, including access to summary electronic medical records.

Direct care is the care of an identified patient by an identified clinical professional, used throughout the National Health Service in the United Kingdom.

The National Data Guardian for Health and Social Care is an independent, non-regulatory, advice giving body in England sponsored by the Department of Health and Social Care. Dame Fiona Caldicott had held the position on a non-statutory basis since its inception in November 2014. She was appointed the first statutory National Data Guardian in March 2019 following the introduction of the Health and Social Care Act 2018, and remained in post until her death in February 2021. Dr Nicola Byrne was appointed to the role in March 2021 by the Secretary of State for Health and Social Care.

In 2005 the National Health Service (NHS) in the United Kingdom began deployment of electronic health record systems in NHS Trusts. The goal was to have all patients with a centralized electronic health record by 2010. Lorenzo patient record systems were adopted in a number of NHS trusts. While many hospitals acquired electronic patient records systems in this process, there was no national healthcare information exchange. Ultimately, the program was dismantled after a cost to the UK taxpayer was over $24 billion, and is considered one of the most expensive healthcare IT failures.

References

  1. The Caldicott Committee (December 1997). "Report on the Review of Patient-Identifiable Information" (PDF). Department of Health. Archived from the original (PDF) on 24 January 2013. Retrieved 28 September 2017.
  2. "The Information Governance Review: To Share or Not to Share" (PDF). Department of Health. 21 March 2013. Retrieved 14 May 2015.
  3. "Review of Data Security, Consent and Opt-outs". The National Data Guardian. 6 July 2016. Retrieved 12 July 2016.
  4. "NHS confidentiality code of practice". Department of Health. 7 November 2003. Archived from the original on 7 January 2013.

See also