Skip to content

Ch 11 e business

Chapter 11 Working in an e-business environment

11.1 Introduction

General practices do not work in isolation from the rest of the world, and the business culture in the UK and internationally is becoming increasingly dependent on the internet and internet technologies. This chapter will discuss where the business of General Practice fits in the broader electronic world and how the use of computerised and internet based tools and services can enhance patient care and improve efficiency.

We will include advice on;

  • NHS Internet connectivity and NHS Net based services

  • Practice web sites and internet accessible practice services for patients

  • Non-practice internet services for patients e.g. patient owned records

  • On line services for clinicians; peer support, reference and education

  • Supporting the management of the practice with computers

  • Remote working and communicating with patients electronically

  • Maintaining and improving internal practice communications

  • Guidance on assessing the validity and quality of health information from the internet

  • Protecting your privacy and security online

11.2 Working in an e-business environment

11.2.1 Wired World

When an earlier version of the Good Practice Guidelines was published in 2003, only 47% of UK households had access to the internet. In 2009 this figure is 70%. Today broadband connections account for over 95% of all domestic connections, compared to only 11% in 2003. High bandwidth connectivity to NHS services via N3 is now ubiquitous in general practice in England and Scotland, and Wales and Northern Ireland have similar high bandwidth private networks.

In 2009 analysis over a three month period showed that 76% of the UK population accessed the internet with 73% using it every day. Whilst communication in the form of e-mail or social networking use comprised the majority of accesses, 42% used the internet for health information purposes[^1].

General practice information systems and the users of these systems do not sit in isolation from the changes that the information technologies are making at every level of our society. In this chapter we discuss managing your practice, its records and electronic systems in the wider world of an on line society.

11.3 NHS connectivity

11.3.1 The NHS National Network (N3)

The NHS National Network (N3) is a broadband, virtual private network serving around 1.3 million users in the NHS in England and Scotland^2. This network is contracted for by the NHS and for General Practices the connection is provided at no cost.

Access to N3 from the internet is controlled via a 'gateway' that allows users on N3 to access the internet and, with appropriate controls, may allow a user on an external network such as the internet to access N3 services. Gateways are also provided between NHS networks in Wales and Northern Ireland.

To receive an N3 service practices must agree to the "Information Governance Statement of Compliance"^3.

This is a set of rules and guidance around security of and appropriate use of the N3 network.

N3 is used to support NHS online services such as Choose and Book, Electronic Transmission of Prescriptions, NHS Mail and the NHS 'Spine' in England. In addition, N3 can be used to support other network dependent services such as telemedicine and voice communicating over the internet (VOIP).

In Wales, Informing Health Care^4 has provided the Public Sector Broadband Aggregation Network (PSBA Network) which provides a single communications network for health, education, local government and other local services.

11.3.2 The NHS 'Spine'

This is a core part of the NHS Care Records Service to support the NHS in England. While commonly referred to as the 'Spine' it may also be usefully thought of as a set of national services that underpin other NHS electronic functions. The Spine provides, for example, the Patient Demographics Service (PDS) which is used as a source of patient demographic information such as name, address, date of birth. To access other NHS Services such as Choose and Book, practices in England must use PDS details either directly or via a synchronisation process with local systems.

The spine also provides directory services -- lists of NHS organisations -- and, at a more technical level, services for managing messaging transactions between NHS organisations for purposes such as GP2GP and ETP.

11.3.2.1 Smart Cards

NHS England access to spine services requires a role based logon supported by a 'smart card' and a user pass code or PIN. This identifies the user to the spine as having particular roles which, in turn, determines the level of access to functions and data that that user is allowed.

11.3.2.2 Choose and Book

Choose and Book is an online service in England that is intended to allow practices to refer patients to secondary care and book them an appointment from the GP surgery.

11.3.2.3 Electronic Prescribing

The Electronic Prescribing Service in England is supported by the spine, which acts as the message broker for the exchange of electronic prescription messages, and uses the directory service to identify community pharmacies eligible for the service.

11.3.3 Scottish Care Information (SCI)

SCI^5 provides two main services for practices in Scotland -- SCI Store and SCI Gateway.

11.3.3.1 SCI Store

SCI Store is an information repository primarily used for pathology results and radiology. Clinicians are able to log on to this service via an N3 connected web browser and view results for patients with whom their organisation has had a care relationship.

Interfaces with SCI store are used to provide laboratory messaging into GP systems in Scotland. However, where agreed locally (e.g. Grampian region) laboratory reports are sent by structured (EDIFACT) message using a bounded set of Read-codes, so the results may be filed directly into the patient's EPR (as for EDI in England -- see chapter 8d).

11.3.3.2 SCI Gateway

SCI Gateway is an implementation of an electronic referrals service although on line booking of the appointment is not routinely available. It provides directories, referral forms and protocols for local NHS services and, via integration with primary care information systems, allows merged data from the GP record to be used in generating the referral letter. Implementations may also allow for the generated referral letter to be stored as an attachment to the patient's GP record.

SCI Gateway technology is also being adopted in Wales and Northern Ireland.

11.3.4 NHS Mail

NHS Mail^6 is a secure e-mail and directory service for NHS users in England and Scotland. This has been approved for sending confidential patient information, but users should be aware that confidentiality only works when sending e-mails between two 'nhs.net' addresses.

NHS Mail also provides NHS Directory services using a standard protocol (LDAP) compliant with most e-mail clients. NHS Mail works with a variety of clients and platforms, including most mobile devices.

11.4 Practice web sites and on-line services

11.4.1 Web sites

Although there is no contractual obligation for practices to provide a web site many practices use a web site to inform patients and others about practice services.

Methods of creating a web site for your practice range from 'do it yourself', which requires some technical competencies, to contracting with a specialist web site company for a bespoke site. There are companies that specialise in providing GP web sites, many of which use a design template with common content structure for all practices, such as 'Practice Team' and 'Opening Hours', that can be customised to meet individual customer's needs.

Practices should consider which information they wish the web site to provide; what the web site address or 'domain' will be and how to protect their domain names; how to maintain and update the site; whether the site will contain advertising and if so, how this will be regulated.

Maintenance of content should be possible in house unless you can guarantee the responsiveness of your web site provider to update changes. Normally this will require at least one member of staff trained in using the web site content editor.

Web sites have become increasingly interactive and practices may wish to think about how the site can be more than a simple information repository. (For example, provision of an electronic subscription to a practice newsletter or allowing e-mail inquiries to the practice manager).

11.4.1.1 Registering a domain

Whilst it may be possible to use the inclusive web space often provided with domestic internet accounts or perhaps a free web hosting service for this purpose, practices should consider registering an internet domain name for their practice and contracting with a commercial provider for web site hosting. This should provide better reliability, safer backups and makes it easier to transfer the domain hosting in the future if required.

When registering a domain name it is useful to register as many variations on the practice name as possible: consider abbreviated forms of the practice name, as well as more than one domain suffix. Practices should register the '.nhs' domain. To register a domain with the '.nhs' suffix refer to this website^7.

Registering a domain name with commercial companies is relatively easy and can be achieved using one of many providers, most of which also provide hosting.

If allowing a web site design company to register domains for you, make sure ownership of the domain rests with the practice, and not the design company.

Some PCOs provide practice template web sites hosted from their own web sites. Ask your PCO if they provide this service.

11.4.1.2 Requirements for a General Practice web site;

  • Accessible - For users with partial sight or other disability, consider trying to ensure the site is accessible. The Royal National Institute for the Blind (RNIB) has useful guidance on this subject^8.

  • Accurate - Ensure the information provided is correct and up to date

  • Cross Platform - Ensure the site works across all commonly used web browsers and also consider how the site will look to users using mobile devices such as smart phones.

  • Privacy Statement - With respect to what data, if any, your practice will use from visitor statistics, and especially if any interactive services are provided

  • Contact Details - Ensure a contact e-mail, phone number and postal address is provided for queries concerning the web site.

  • Not exclusive - Information provided on line should reasonably be able to be provided in another format for users without internet connections. Similarly, the delivery of contractual services to patients should never be exclusively provided via an on-line service.

  • Appropriate external links - Links to external sites should be tested and considered appropriate by the practice, including any advertising. Practices may include a disclaimer to indicate the extent of their liability if referring patients to external sites.

11.4.1.3 On Line Appointments

Some GP system suppliers provide on-line booking services to practice appointment systems. This is most commonly achieved via a web interface linked to the practice's own website. Methods of implementation include practices reserving some appointments for web booking, or live booking of appointments in real time using the practice appointments software. Automated telephone booking of appointments is also provided by some companies.

11.4.1.4 On Line Prescriptions

Repeat prescription ordering services can also be implemented using a practice web site. Again, there are a variety of methods of implementation ranging from simple DIY services using e-mail or 'form to e-mail', to services integrated with the GP clinical systems.

11.4.1.5 Access to records (See also Ch 5)

Some services provide for patients to access all or part of their GP record on line. This is a complex area, and requires careful implementation by the practice with respect to data quality, consent, security controls and workflow safety. See Chapter 5 of these guidelines.

11.4.1.6 Patient Confidentiality

Practices must be careful to ensure that on line access to services for patients meets requirements for consent and confidentiality. Patients need to be provided with information about the risks associated with sending prescription requests by un-encrypted e-mail, and similarly understand that they have responsibility to ensure their e-mail accounts and logins are kept secure.

11.5 'Consumer' oriented Internet health services

By providing patients with easy access to health information the internet has changed the doctor patient relationship -- patients are no longer solely reliant on their doctors to provide all advice and guidance about their health. Research shows that the majority patients with internet access will use it to research their symptoms or conditions[^9]^,^[^10] yet the quality of health information on the internet is very variable, and patients often require some guidance in interpreting information they find.

Use of discussion forums and special interest sites for specific conditions can mean that patients are more abreast of current developments than their doctors, and the doctor's role becomes one of placing the patient's expectations and understanding in a context that is practical to currently available practice and services. Patients attending their GPs with information from the internet are often a cause of anxiety for the clinician, challenging their knowledge and understanding of the condition, their role in managing care and leading to increased patient expectations.

On line personal health records provide a patient controlled store of their medical history, and may be useful for the patient when travelling or consulting with other care providers who may not have access to their general practice record. NHS HealthSpace^11 is an NHS England implementation of this that will also use the Summary Care Record, in part, to populate it.

11.5.1 What makes a good Health web site?

Evaluating the quality and usefulness of Health Web sites for patients has been attempted formally, and we can identify a number of criteria to examine, which can help in assessing such sites. Some schemes for certification of consumer and professional web sites have been made, such as the "Health on the Net Foundation"^12 and "The Information Standard Scheme"^13. While reassuring when present, there is no legal requirement for sites to meet these standards.

11.5.1.1 Criteria to evaluate a web site

Evaluating a consumer based health website is similar to evaluating one aimed at medical professionals, although the emphasis and language may necessarily differ.

Users should consider:

  • *Domain - The address of the website may be helpful it itself. The URL should reflect that of the organisation publishing the site. '.uk' domains generally mean the site will be aimed at a UK audience. '.co.uk' and '.com' suffixes suggest a commercial site, whilst '.org' and '.org.uk' are normally used for non commercial purposes. *

  • Ease of use - Is the site easy to navigate and easy to read? Is the user in control of navigation through the site, or does the site open pages without warning, use misleading links or demand payment before allowing evaluation of any content?

  • Commercial purposes - Many useful sites are commercial in nature, and others may be funded through advertising. Any adverts should be appropriate to the content of the site, inoffensive and, ideally, passive requiring the user to follow the link rather than forcing the user's attention through popup windows or misleading controls and buttons. The funding for the site, and its intended purposes, should be clearly stated.

  • Accessible - Is the site accessible to all users? Are the colours, contrasts, fonts and images easy to read and view? Do they provide accessibility controls such as font changers or high contrast schemes? Providing the site in multiple languages may be appropriate where the intended audience may include non English speakers.

  • Language - The level of trust granted to a website will increase if the language, grammar and punctuation is largely correct, in keeping with the intended audience. Frequent miss-spellings or grammatical errors should give rise to caution in the reader.

  • Contact details - Organisations providing health web sites should always provide contact details, including a telephone number and postal address in addition to any e-mail address.

  • References - Information provided should be justified with direct or indirect references to the source of that information. Where references are not provided from the site, an inquiry to the contact address should result in the attribution of the information being provided.

  • Privacy - Sites should state their privacy policy and, if they collect personal information, should advise users the purposes to which this will be put. Users should expect to have control over any account with the website, including how much personal information is collected, how it will be used and the ability to delete the account and associated data if desired.

  • Transparency - No attempt should be made to conceal the ownership or authors of the site's content.

  • *Complementary - The site should provide information and support that works with the patient's other health care providers, and does not aim to replace them. *

  • Useful - Is the information the site provides of real and practical benefit?

  • Authoritative - Is the providing organisation known to the user, and are they known to be a trustworthy source of information. For example, users would expect a site provided by the NHS to provide authoritative information, but information from an anonymous blog publisher would be treated with less trust.

  • Source - Consider how the site was discovered? References from trusted sites would raise the trust level for the viewed site. Discovery through a search engine or via an unsolicited e-mail should be treated with more caution.

HoN provides a list of certified web sites, and sites that have passed HoN accreditation will display the 'HoNcode certification seal' -- a small image that will link to the HoN site confirming the web site's status.

The 'Information Standard' scheme is a certification scheme for health and social care information, currently funded by the Department of Health. Certified organisations can display the Information Standard's Quality Mark on their web pages or printed material.

11.5.2 Internet Based Personal Health Records

A 'Personal Health Record' (PHR) is a record used and maintained by the individual to whom it pertains, or by their nominated representative. The term PHR is not new, but in today's environment generally refers to an electronic, normally web based, repository for health information. This differs from the 'Electronic Health Record', a term commonly used to refer to health care professionals' records for a patient. The PHR is distinguished from an EHR by the focus of control for access and editing residing primarily with the patient, not the professional. This definition becomes less precise as records for patients increasingly become distributed with the boundaries between EHRs and PHRs, and other forms of medical record, blurring and intersecting.

Several companies provide PHR services, most notably Google^14 and Microsoft^15. These services are aimed at the US market, and some US health insurers now require the use of PHRs by patients as part of the policy. Such services are clearly commercial, with the providers using contracts with Health Insurance companies and health related products to profit from the venture. To do so they must retain the trust of their consumer market, and thus need to find a balance between health care requirements and commercial requirements that meets the market's needs. Health Vault is not available to UK users. Google health allows access to UK users, but the services it provides are largely US based.

In the UK the NHS in England provides a service called 'HealthSpace', available to anyone resident in England over 16 years of age^16. Described as a 'free, secure online personal health organiser', HealthSpace can be used by patients to store important medical information, manage appointments and obtain advice on lifestyle issues. The service offers an 'Advanced Account' which will allow the user to view their 'Summary Care Record' details.

How these services will in the longer term impact upon general practitioners is unclear, although the change in culture that it may catalyse will again challenge the nature of the doctor patient relationship.

11.5.4 Support Groups and Forums

The internet has allowed the development of communities of users who may share a health interest or condition. Such forums or support groups are often accessed via health related web sites^17 and similar rules to assessing their validity apply. Many patients may find using a condition specific health community a useful support to managing their condition, but there are also risks associated with this. Patients should ask if the forum they are using is 'moderated', that is: has an administrator who can edit or remove inappropriate or misleading messages and manage the forum's subscribers. It may not be easy to identify posters to a forum, and whilst this 'anonymity' is often part of the appeal it also makes it easier for those providing misleading information or products to target sometimes vulnerable people. Informal associations of people with similar health conditions or concerns can also be enabled on generic social networking sites such as Facebook.

11.5.5 The expert patient

This provision of health care information on the internet with peer support and health care communities can be very empowering for patients, but challenging for clinicians who may not have the same level of expertise in a specific condition, nor the time to acquire it. Similarly, this leads to conflicts between the scientific, clinical model of medicine, which underpins most medical training with the patient's health model, which may be significantly different.

Organisations such as the Expert Patient Programme (EPP)^18, aim to assist patients to self manage their conditions, allow them to make informed choices and work in a complementary way with the clinicians.

GPs may feel anxious when presented with a patient who presents information about their condition that they have found on the internet. Suggested reasons for this include fears of being seen as incompetent, of losing control of the consultation and of feeling devalued. [^19] Adapting consulting styles to accommodate this, by respecting the patient's views and providing time to listen to their opinions, can be useful strategies but the emergence of the expert patient will prove challenging to conventional models of care delivery in primary care.

The internet provides opportunities for clinicians to direct patients to appropriate, trusted resources to encourage them to educate themselves on the management of their condition. An educated patient who is able and willing to work in partnership with a general practitioner should benefit the doctor patient relationship and improve care. It is perhaps part of a GP's role today to educate and inform patients on using health information from the internet.

Areas to consider and discuss with a patient who provides internet researched health information include;

  • What was the source and how was it discovered?

  • Is the information correct, accurate and scientifically valid?

  • Is the information concise and readable within the time constraints of the professional?

  • Is any recommended or requested treatment appropriate for the care context? That is: for primary care; for the contract of care; for the UK?

  • Is the treatment licensed and available?

  • What does the patient think of the information? Do they trust it?

  • How does this information fit with the patient's health model?

  • Where there is a previous doctor-patient relationship with the patient, how does this new information affect this and can it be used within it.

  • Are there alternative sources of information that can contradict or support the provided views?

  • Is the patient willing to listen to alternative viewpoints?

  • The information provided may be new to the clinician, valid and appropriate. It is important to acknowledge when the patient is correct.

In many ways the challenges provided to doctors dealing with patients who have sourced information from elsewhere are not new - just more frequent. The opportunities that arise from being able to educate and inform patients through internet resources probably outweigh the disadvantages, but this does demand of clinicians that they accept their role as the elite custodians of health knowledge has been usurped and patients are rightly becoming more equal partners in their care.

11.6 Using the Internet for consulting

Internet technologies should provide new methods for patients to consult with their doctors. E-mail, video conferencing and instant messaging are all relatively new services for communication, which are now widely used in both business and by the public, but their penetration into health care service delivery in the UK has been limited.

11.6.1 E-mail consulting

Consulting with patients by e-mail has not been widely adopted in UK general practice to date. The reasons for this are complex, and at first glance it would seem that e-mail was well suited to the task of improving communication between patients and clinicians, but several significant barriers stand in the way of this.[^20]

Practices that are considering using e-mail to allow patients to communicate with the practice need to consider the risks and benefits this may incur. Potential benefits arise from the asynchronous nature of e-mail -- the sender does not require the receiver of the message to be on line, nor would they expect an instant response; and the messages can be sent outside of normal working hours. Other proposed benefits include:

  • Improving access to those who may be housebound or live in remote areas

  • The opportunity to include additional information in replies, attachments or clickable links to supporting web sites

  • A more 'anonymous' medium that may make some patients more confident about addressing difficult issues

  • Potential efficiencies in time.

The drawbacks arise from the lack of personal contact and cues -- clinicians are often experienced in consulting in real time using verbal and non verbal cues, but asynchronous consulting requires a new set of skills and carries a new set of risks; carries risks to privacy for patient and clinician; and may result in additional work rather than changed work.

Practices wishing to use e-mail for patient communication may wish to consider using it only for clearly defined purposes of limited scope, such as repeat prescription ordering or the provision of a practice newsletter. Using e-mail for clinical consulting will require the practice to address patient authentication to ensure the e-mail address used belongs to that patient; patient education to improve their understanding of the risks of sending confidential medical details unencrypted, and their responsibilities to ensure only they (or trusted others) have access to the messages. Practices will need to address how e-mails with patients will be integrated into their clinical record system, and when. Time must be made available to clinicians to respond to e-mail queries, and practices must decide if this is to be an additional service to patients or will replace other methods of consulting to some degree.

A policy statement should be provided to patients explaining the limits of the service, such as 'not to be used for emergencies', and this can be re-iterated using auto-responders from the practice to incoming e-mails as well as in standard texts sent in replies. Incoming practice emails should be to a default practice email address rather than named individuals to cover leave and other absences. Patients should also be advised that they should be careful of their own privacy for email and other electronic communications they send and receive about health matters.

Practices should develop protocols for dealing with unsolicited e-mail inquiries, which may be from patients or purport to be so. Remember unless a process has been used to confirm the ownership of an e-mail address to a specific patient it is impossible to guarantee that the inquiry is indeed coming from the stated author. A judgement needs to be made depending on the specific circumstances as to how such inquiries may be dealt with, but where doubt exists or the information requested is potentially sensitive caution should be used.

Practices should be aware that all e-mail communications pertaining to a patient form part of the medical record and, as such, can be requested for release under the terms of the Data Protection Act.

NHS HealthSpace in England is planning a secure and verified e-mail channel for patients to communicate with health professionals, thus managing some of the risks associated with this medium.

11.6.2 Voice over Internet Protocol (VOIP) and Video Conferencing

VOIP supports internet telephony services such as Skype^21. These services often also support video conferencing, provided both parties have 'webcams'.

There is theoretically no reason why practices could not use VOIP services for telephone communications with patients, but practically it will be harder to manage and implement. Constraints in bandwidth of the N3 network would be unlikely to support large numbers of users of VOIP applications simultaneously, and would have to be negotiated with the support of a PCO and the N3 provider.

The specific configuration of using VOIP services for practice telephony is beyond the scope of this document.

Using Video Conferencing technologies to communicate with patients presents interesting possibilities, but again actual implementations in the NHS primary care environment will, at this stage, be largely experimental and may require specific support for network configurations.

11.6.3 Text Messaging

It is possible to use SMS text messaging for some GP services, such as appointment reminders and results advice. NHS Mail includes an e-mail to SMS text service and using either bespoke integration, where technical competencies are available in house, or by purchasing commercial software it is possible to integrate practice demographic data to use the NHS Mail SMS gateway for such purposes.

11.7 Supporting general practice

11.7.1 Education

Revalidation, GP appraisal and re-licensing have increased the requirements for general practitioners to be able to plan, undertake and log their learning activities. Various services are available to support these processes, such as 'Scottish Online Appraisal Resource^22 the NHS England Appraisal Toolkit^23 and information services such as GP Notebook^24 provide tracking services to log learning activities.

11.7.2 Peer Support

A number of on-line communities for doctors exist in the UK, where electronic discussion can take place between clinicians. 'Doctors.net.uk' (DNUK) is one of the best known, and is a password secured site, which requires the user to have a GMC number and matching name to register. It provides on line forums for discussion across a wide variety of topics, as well as educational material, job vacancies and an e-mail service. DNUK is funded through commercial arrangements with groups and companies "who need to communicate with doctors" and as such it contains some commercial material such as advertising. Other mailing lists include 'GP-UK', an ostensibly academic list for GPs running since 1994^25, as well as specific mailing lists to support users of various clinical information systems.

11.7.3 Other Software applications

General practices can find benefit it using general commercial software packages for a variety of purposes in their organisation. Most commonly used include an 'Office' suite, typically Microsoft Office, which provides at least a word processer and spreadsheet application for document writing and data analysis respectively.

Accounts packages can simplify and ease managing the practice's accounts and specific GP accounting packages are available. Some accountants require the use of such a package, or will provide a discount to those practices that do.

11.7.4 Intranets

An 'Intranet' is a local information service that uses internet technologies -- that is, a web browser and web pages -- to provide information for the local organisation only. Some practices have created local intranets for storing local protocols and guidance, contact information, referral forms, calendars and so forth. The NHS provides a product called 'Digerati', which is an intranet management system that can be employed in practices at no licensing cost^26.

11.7.5 Messaging

Information technology can be used to support messaging around the practice, providing for group alerts, informal discussions, clinical discussions and notifications. Two principle methods are commonly used: e-mail and instant messaging.

11.7.5.1 E-mail

Unless practices have the technical expertise to set up and maintain a local mail server, and ensure that it is secure within the practice network boundaries, the recommended approach is to use NHSMail for this purpose. NHSMail is available in Scotland and England. In Wales the NHS is rolling out a National e-mail service based on local servers. This will in due course provide e-mail addresses for NHS Wales staff and directory services. Plans are also in place to introduce an e-mail to SMS gateway. Practices should consult with the PCO IM&T department for advice regarding using their e-mail systems for confidential patient data prior to employing them for this purpose.

11.7.5.2 Instant Messaging

Popup or instant messaging is provided by a variety of companies, some of which specialise in the primary health care market. This type of messaging allows for 'chat' client software to receive messages in real time from other users, may provide an on-line status indication for that user and other functions such as emergency broadcast messages and message of the day. Functions to support scheduling, rotas and home visit management may also be provided.

The use of third party applications for instant messaging, such as MSN Messenger or Google Talk for internal practice communications carries risks with respect to confidentiality and the physical location of any stored data, which may be outside of the UK. Instant messages are commonly transmitted unencrypted and thus are at risk of 'snooping' attacks.

11.7.5.3 Messages about patients

Every record about a patient in any format, including those used for messaging in the practice or between NHS organisations is considered part of the medical record. Practices should ensure that all such communications are linked to or recorded in the patient's main electronic record on the clinical information system. Messages and documents which refer to a patient are legally part of that patient's medical record and thus liable to disclosure if requested, even if the document was only intended for internal use or exists only in a draft format.

11.7.6 Teleconferencing

This can be very useful, especially in remote and rural settings for education CPD; sharing clinical situations, local practice/NHS business and case conferencing.

11.8 Privacy and security in the online world

11.8.1 Managing your privacy and protecting your identity

As clinicians increasingly work using electronic records and online tools and services they have a responsibility to understand how to manage their online security and identity.

11.8.1.1 Logins

Password and username policies vary with different applications and services. It is tempting to use a single password for all applications to which users need access, but this policy puts your data at greater risk if this password is compromised. Aim to have a number of passwords for different purposes, and a method of changing these when prompted. Forgetting your password is also a security risk, and for some services, where the data is of limited use and not patient related, keeping the password written down, or in a secured or encrypted file may not be unreasonable.

Do not share passwords with others, and always ensure when using any system that you log out of it when you are finished. Never use another person's login name and password for work, which should be attributable to you. Do not share smart cards.

If leaving your computer terminal for a short period of time, users should 'lock' the screen and ensure a password is required to regain access.

11.8.1.2 Secure browsing

Modern web browsers have implemented tools to help keep users safe from fraud by making it clear when the site you are using is 'secure', by indicating when the site name may be misleading, by controlling software installation and preventing access to known scam sites. It is important, therefore, that your web browser is kept up to date and is, ideally, the most recent version. Constraints on the technology and sometimes operational requirements have resulted in some desktops provided to practices by the NHS being restricted to older browsers, or preventing users installing the browser of their choice.

Users should be aware that they may not be receiving the same level of protection from fraudulent or deceptive sites at the surgery as they would normally have elsewhere -- a degree of caution is recommended.

Do not use the facilities on your web browser to store form data or passwords, especially on shared workstations or use a 'master password' facility in the browser, if one exists. Ensure you can identify when a secure connection has been established on the browser (typically the site will be prefixed with 'https://', but on its own this can be misleading) before entering any confidential details such as credit card numbers.

Never follow links in un-solicited e-mails (spam), nor open electronic attachments from unknown sources.

The PCO should ensure that your workstations are provided with anti-virus software, and that this is updated and maintained.

If you consider your machine may have been compromised in some way, turn it off and contact IT support.

11.8.1.3 Social networks

Care should be taken when using social networking sites. It is always inappropriate to use these to discuss identifiable patients and caution should be used when discussing clinical details in an open forum where the patient could be identified. Similarly, posts to social networks may be accessible to all and persistent and users should consider carefully if they are the best place to discuss system or operational issues, particularly if they pertain to individuals. Inappropriate posts can result in disciplinary action by professional or contractual bodies and threaten careers. Although a social network site or peer support forum may appear to be a friendly place, always consider who else can read the messages and the implications this may have if taken out of context.

11.8.2 Protecting Electronic Information

Guidance is available from the NHS CFH website^27 on this topic.

11.8.3 Educate users on their responsibilities

The changed nature of the health record as it has migrated to electronic formats, with a number of different services providing some details about patients, has blurred the lines between what constitutes maintaining confidences for today's doctors. It is important when new electronic record services are introduced and made available to clinicians that they are educated in their rights of access to these services and the records they contain, their responsibilities to these records, the monitoring of compliance that will be employed and the consequences of failing to meet them.

Maintaining confidence for doctors twenty years ago could be summed up as 'Don't tell'. Today, given the exposure of records across internet services clinicians should also remember that 'Don't look' is of equal importance.

11.9 Data extracts

There are a number of services that use extracts from GP system records to support areas such as unscheduled care, shared care of conditions such as diabetes, medical and pharmaceutical research and health care planning (see also Chapter 4.8)

11.9.2 What do they do?

Extracts from GP systems have some common features. Generally they all require some 'middleware', or an implementation that allows the GP clinical information system to extract the required data in a suitable format for the receiving service. Normally, they extract a subset of data on the system, rather than all data. The exact specification of the subset varies depending on the service and the structure of data in the GP system. They may have controls for the practice as a whole, and for individuals or groups of patients to consent, or otherwise, to the data extraction and for inclusion or exclusion of specific data items. Free text may be included or excluded. Extractions are often automated, and scheduled by the software to occur at particular times. The data extracts may be 'incremental', sending only data which has changed or been added since the last upload or 'full', always sending the complete data set.

Once the data has left the practice it is no longer within the bounds of the practice's data controller to maintain it or control its subsequent usage, so practices must ensure they understand the uses the data will be put to, the consent model in use, the functional controls available in the practice, and have reassurances in the contract or service agreement with the data extractor that the uses will always be appropriate to the intended purpose and that the data will be handled securely.

Some examples include;

  • General Practice Research Database (GPRD)

GPRD^28 is a not for profit research database owned and operated by the Medicines & Healthcare products Regulatory Agency (MHRA). This uses 'anonymised' data from records extracted from GP systems for research by various public and commercial organisations.

GPRD provides funding for practices to support the data extraction process, and material for informing patients of the processes and purposes to which the data is put. Practices receive data quality advice and reports from GPRD based on their analysis of the received practice data.

  • The Health Improvement Network (THIN)

THIN^29 is similar to GPRD but only accepts data from users of INPS Vision. It is operated by a private company, Cegedim Strategic Data.

  • Practice Team Information (PTI)

PTI^30 extracts GP Records from clinical systems in Scotland and specifically examines workload by analysing face to face consultations.

[^1]: Office for National Statistics, Internet Connectivity December 2008\ http://www.statistics.gov.uk/pdfdir/intc0209.pdf

[^9]: Using the Internet for Health-Related Activities: Findings From a National Probability Sample\ Nancy L Atkinson et al\ J Med Internet Res 2009;11(1):e4

[^10]: F amily Medicine Patients' Use of the Internet for Health Information: A MetroNet Study\ Kendra L. Schwartz et al\ The Journal of the American Board of Family Medicine 19:39-45 (2006)

[^19]: Br J Gen Pract. 2010 Feb;60(571):88-94. \'A heartbeat moment\': qualitative study of GP views of patients bringing health information from the internet to a consultation. Ahluwalia S, Murray E, Stevenson F, Kerr C, Burns J.

[^20]: INFORMATION IN PRACTICE: Josip Car and Aziz Sheikh. Email consultations in health care: 1---scope and effectiveness. BMJ, Aug 2004; 329: 435 - 438

Back to top