Derbyshire Health and Social Care Community

Derbyshire Medical Interoperability Gateway Information Sharing Agreement

  1. List of Partners to the Agreement
  • All Derbyshire GP practices.
  • East Midlands Ambulance Service (EMAS)
  • Derbyshire Health United (111 services)
  • Derbyshire Community Health Services NHS FT
  • Derbyshire Teaching Hospitals NHS FT
  • Chesterfield Royal Hospital NHS FT
  • Nottingham University Hospitals NHS FT
  • Derbyshire Healthcare NHS FT
  • Derbyshire County Council
  • Derby City Council
  2. Information to be shared

Data from the GP record are grouped based upon how the data was recorded and coded.  The data is presented for viewing via the MIG in a series of ten ‘tabs’.  The data shared is as follows:

  • Patient demographics
  • Summary, including current problems, current medication, allergies, and recent tests
  • Problem view
  • Diagnosis view
  • Medication including current, past and issues
  • Risks and warnings
  • Procedures
  • Investigations
  • Examination (blood pressure only)
  • Events consisting of encounters, admissions and referrals

This data (above) is based on the minimum requirements of what is necessary for patients receiving care in an urgent, out-of-hours setting. This data does not include free text.

End of life care/supportive care datasets, outlined in the supporting document, do include free text, which has no character limit.

  3. Purpose of Information sharing

The purpose of the Information Sharing Agreement (ISA) is to provide a view of some key elements of the GP record for other stakeholders in the local health and social care system to use.

This is particularly to support improvements in the delivery of unplanned and emergency care as well as in the delivery of care in the community aimed at preventing admissions.

In order to provide quality, safe care, it is necessary for clinical and professional colleagues from both Health and Social Care to be able to view elements of a patient’s record during a consultation. This access is for the purposes of direct care by those who have a legitimate relationship with the patient, and who are seeing the patient in a face-to-face consultation via a smart card.

  4. Basis for information sharing

Information will be shared under an implied share out, consent to view model (appendix 7 of the Derbyshire Information Sharing Protocol).  Patient consent to view information must be obtained at the point of consultation as this provides the legal basis for sharing information.  Health and social care providers accessing aspects of the healthcare record will be required to sign an agreement at an organisational level to ensure that appropriate confidentiality procedures are in place and adhered to. All organisations with access to the MIG are IG toolkit compliant and have confidentiality clauses in their employees’ contracts. Their clinicians and professionals have regulatory bodies who place emphasis on confidentiality.

Each GP Practice will assess all opt-out requests via the Practice’s internal opt-out review process, discuss with the patient or a representative with legal powers of responsibility (such as parental responsibility, Power of Attorney for Health and Welfare) as appropriate and update the patient record accordingly.

Where a patient changes their mind about their opt-out status, the GP Practice will action all change requests promptly and within a maximum of 48 hours of receipt of the request.

Where a patient objects to their data being enabled for viewing via the MIG (even though it is subject to explicit consent at the point of care), the GP Practice should activate the opt out in their clinical system.

  5. Exchange of information

This information sharing will be facilitated by a software solution called the MIG (Medical Interoperability Gateway). Implementing MIG will enable information sharing between all clinical and professional stakeholders in the local health and social care system. The partners to the agreement are listed in section 1.

MIG allows clinicians and professionals to view a subset of clinically-coded information from SystmOne and EMIS clinical information systems. MIG does not store data, but enables this information to be ‘viewed’ in real time. No data will be stored by signatories as part of this ISA.

Only healthcare clinicians and social care professionals will have sight of patient information and, in line with legal Caldicott principles, this will be at the minimum level required.  In the event that a record needs to be amended or updated following a consultation, the data controller responsible for that record – in this case the GP practice that the patient belongs to – should be alerted.

  6. Terms of use of the information

Viewing the record

Where a record is available via the MIG and it is necessary for a clinician or professional with a legitimate relationship with the patient to view the record for the direct care of the patient, explicit consent must be sought and recorded at the point of care, on every occasion unless.  This is the responsibility of the viewing organisation.

Explicit consent is specific permission to view the GP record in response to a direct question to the patient.  The answer must be clear and unmistakable.  The consent must be voluntary and informed, and the person consenting must have the capacity to make the decision.

For consent to be informed, the patient must be provided with details of what information will be viewed, why it is necessary and that they have the option to decline.  The significance of dissent should be explained to the patient.

Only a qualified clinician or professional (i.e. a qualified person responsible for assessment, diagnosis, prescribing, treatment and discharge of a patient or the provision of care and support) who has a legitimate relationship with the patient can view the GP record via the MIG, when they need to do so for the direct care of the patient.

Where a person with capacity (in accordance with the Mental Capacity Act 2005) does not give consent for their GP record to be viewed via the MIG, even after an explanation of the possible consequences, their decision should be respected.

Where a GP record is available to view via the MIG and it is necessary to view it for the direct care of the patient, in exceptional circumstances, a qualified clinician or professional may override the requirement to obtain explicit consent to view, that is, where a patient is unable to give informed consent because they are unconscious or in a life-threatening emergency.

In such circumstances where it is necessary to override standard consent requirements, the qualified professional must record the reason for doing so.

Each organisation signed up to this agreement is responsible for ensuring that all staff within their organisation fully comply with the terms and conditions of this agreement. Any identified areas of non-compliance must be forwarded to the appropriate lead for security breaches within the relevant organisation for resolution. All organisations will need to update their fair processing notice to include this ISA as part of their data protection responsibilities.

Data controllers must ensure that appropriate audit procedures are in place and followed.

Inappropriate viewing of the GP record will be regarded as a disciplinary offence and subject to disciplinary proceedings by the employing organisation.

GP Responsibilities

The GP practice is the ‘data controller’ and manages access to all GP records; therefore no data is shared via MIG unless the practice has agreed to do so by signing the required information sharing agreement. Signing the ISA details the GP practice’s authority to share GP patient data with other organisations seeing the patient for purposes of providing direct health care or supporting care delivery.

All staff within the practice are made aware of their responsibilities and comply with the law and demonstrate compliance with the Data Protection Act 1998 and the Department of Health Code of Confidentiality.

Commit to sharing data via the MIG between different GP practices operating on different GP systems if this is in the patient’s best interests. At practice level and sharing between different GP practices, MIG allows SystmOne and EMIS systems to interact. SystmOne practices can be grouped together in order to centrally co-ordinate information, for example appointment bookings.

Other care provider/consumer responsibilities

All staff are made aware of their responsibilities and comply with the law and demonstrate compliance with the Data Protection Act 1998 and the Department of Health Code of Confidentiality.

Once data is accessed via MIG and further used, the organisation accepts that it then becomes a ‘data controller’ in its own right for this data and is therefore responsible for ensuring use in accordance with the Data Protection Act 1998.

In addition ensure all staff who are granted access to data via the MIG are fully aware of their responsibilities for maintaining patient confidentiality and security of data. Each staff member must ensure, as with access to any other clinical system/information, access to data via the MIG adheres to the same standards and policies governing access to other organisational systems.

Ensure that there is a defined process to monitor staff access to patient data via the MIG and other clinical systems. In the event a GP practice requests justification for access to data via the MIG the provider should ensure a timely response is given.

The provider organisations should not make the GP information available to any third parties without seeking consent to do so.

If a patient sends a ‘subject access request’ to the provider, no information viewed via the MIG must be disclosed. The patient must be directed to make the request for GP information directly to their own GP. Obviously where data has been recorded in the provider’s own clinical records as part of a consultation or other health intervention, from a Data Protection Act 1998 perspective you may be deemed to hold this information and can thus make a decision about disclosure.

In the event that information shared by MIG needs to be amended or updated following a clinical consultation, the GP, as per usual practice, should be contacted by the professional using the MIG to update the SystmOne or EMIS GP record accordingly.

Viewing data via the MIG to inform your clinical decision making does not remove your duty to update the patient’s GP (where appropriate and in the normal course of events). The MIG does not provide a two-way information sharing mechanism, and thus you may have to share data back to the GP via secure e-mail, telephone or letter.

If there are any data quality or accuracy issues the GP practice should be alerted, particularly where this presents a patient safety/clinical risk.

  7. Access and security

The GP Practice is the data controller and manages access to the records, therefore no data is shared unless the practice has agreed to do so via the data sharing agreement. This details the data to be shared. Each organisation must agree to the sharing agreement before the data can be shared or viewed. Crucially, patient consent will be sought at the point of consultation.

No data is ‘sent’ anywhere with data sharing through the MIG; it remains within the organisation and the ‘sharing’ only enables others to view the data. Data cannot be changed or amended in any way by the viewing organisation.

Organisations party to this agreement must have a nominated individual to manage administration rights locally.

Privacy officers within the practice will be responsible for monitoring access to the native system and reporting any potential breaches and unauthorised access in line with their internal policy.

  8. Management of the Agreement

New organisations that provide NHS and Local Authority health and care may wish to join the MIG information sharing programme. All such applications must be processed via the Derbyshire Informatics Delivery Board (DIDB).

All current signatories of the MIG Information Sharing Agreement will be notified of the intention to add a new organisation and given an opportunity to raise an objection.  Final approval to participate will be given by the Derbyshire Informatics Delivery Board (DIDB).  It will not be necessary to re-sign this Agreement if a new organisation is approved provided this process is followed.

Responsibility for the management of this agreement will be provided by NHS Erewash CCG.

This agreement will be reviewed bi-annually unless required sooner.

  9. Signature

It is required that this Agreement is signed by the Caldicott Guardian or other executive member of each participating organisation (GP Practice and Viewing Provider organisation).

I, the undersigned, have read this Information Sharing Agreement and on behalf of my organisation, I agree to implement and abide by the terms and conditions outlined within it.

