Good Practice Guidelines for General Practice Electronic Patient Records

2. Maintaining coherence over time: Just as in paper records it is deemed good practice to maintain an up-to-date view of the record as a "summary" or "problem page" which is itself internally coherent and accurate, so are there equivalent aspects in electronic patient records. They include:

* Maintenance of accurate episode/problem titles: Where a developing clinical situation means that, for instance, a problem that presents as "polydipsia" is subsequently confirmed to be due to "Diabetes Mellitus", that change should be reflected in the title of the problem and all subsequent entries that are made relating to it. This should preferably be done by changing linkage priority within a record rather than changing original record entries (and hence altering the original apparent perceptions of the author).

* Maintaining appropriate currency of problems: Similarly, where a system has the ability to denote problems as having currency or otherwise (i.e as being current or active), regular review and changing of inappropriate status should be performed.

* Maintaining appropriate links between episodes and problems: where record entries are made over time for what amounts to a similar problem, that linkage should be maintained.

* Maintaining appropriate links between problem/diagnostic codes and related therapeutic events: where it is possible to link medication or other interventions to the relevant diagnosis or problem code, that link should be included at the time of data entry.

3. Major modification/qualification: When coded information is entered into an EPR, it is possible to alter the apparent meaning of that code either by entering qualifying text against its rubric, or by adding some qualifying code which specifically exists either on that system or within the coding scheme used.

In the latter case, provided that the system appropriately represents the changed meaning both in human display and in any subsequent query, no danger arises. However, if one considers examples such as

"F25.. Epilepsy" qualified by the text: "excluded by AV/EEG monitoring", or "7AH.. Hysterectomy" qualified by the text: "not performed", it is not difficult to see the problems that might arise for the patients in whose records such entries exist. If those records are then passed to a different system which recognises the codes but not the qualifying text, then the potential danger becomes magnified. In short, while it is entirely acceptable to use free text to amplify the concept represented by a code, it is never acceptable to use free text to modify the fundamental meaning of a coded entry.

4. Free text and auditability: Another danger of free text entry is the potential "loss" of information that might otherwise have been separately codified. If a coded entry for a Faint is chosen and the patients blood pressure is typed in as free text this may present a visually acceptable record but that blood pressure will not be recalled by any subsequent search of that patients EPR that looks (logically) for all coded blood pressure entries. Thus not only should free text not materially modify the meaning of the coded entry neither should data that has its own significance be recorded as free text.

5. Validity of record entries: The issue of retention of records is dealt with elsewhere. Practices need to ensure EPRs are correctly constructed and this is a dynamic process. There may be occasions where entries might be considered for deletion, but this is generally unacceptable unless required by Court Order or legislation (e.g the Data Protection Act 1998). If an entry is or becomes invalid ideal practice would be to make that fact apparent by invalidating but not removing the entry - with appropriate comment as necessary. It is not possible to do this on most current systems within the visible EPR, although it is a requirement that all record modifications should be recorded in an audit trail. For the moment, this means that any records that are archived within the practice must include their own audit trail within the archive. Future system design will need to allow visible invalidation of record entries also.

If a practice decides that it will use its computerised records as the primary source for all information on a patient, then it will need to address how it will capture record information arising from outside the practice.

In most of these cases, the electronic transfer of that information has the potential to obviate this difficulty. However, such facilities do not yet exist except for a relatively small number of information flows. Consequently, the practice will need to develop a policy as to how this information will be captured and identify resource to enable it.

In the case of primary care consultations happening outside the practice, the essential details of those should be transcribed into the EPR as soon as is reasonably possible thereafter so that no crucial element of the patient's recent medical history is missing at a subsequent consultation.

Discharge and out-patient letters, investigation results and the like should also have their details entered into the EPR. In the case of investigation results, these should be entered directly into the EPR in a form as close to the original as possible. Information from letters may be summarised in its essentials according to protocol and transcribed, it may be scanned as an image file, or it may be optically character read to produce an equivalent text representation. In the latter case, practices should be aware that OCR technology is fallible and that consequent errors - particularly in numeric information - may have adverse consequences. Where text based communications are scanned or manually entered into the EPR any substantive investigations or results that are reported or referenced within the text of the communication should be entered under a separate and appropriate coded entry. For instance a discharge summary for a day case angiogram might be entered as a scanned document but in addition an entry should be made in the EPR using the appropriate angiography code.

Previous G.P. records are usually too bulky to efficiently transcribe in their entirety and, accordingly, they will need to be summarised and, where appropriate, coded by a competent person or persons under instruction by protocol. It would also be wise to enter the fact of their having been summarised into the record (and to keep the full record available for more detail when appropriate).

Whether a practice should destroy documents that have been transcribed into a computer system remains unanswered. The decision rests with the individual practice but they should bear in mind that medical defence organisations advise that original material should not be removed from records.

No mention is made in these good practice guidelines of specific software requirements for EPRs (beyond those described generically such as word-processors, virus checkers etc.). The reason for this is that, where there are particular technical requirements necessary for the support of general practice, these would be expected to be defined in the current version of the Requirements for Accreditation for G.P. systems. This mechanism does not

to the safe and reliable processes necessary for patient care on general practice electronic systems. The regulatory framework which underpins the change from paper to electronic records specifies that GPs must use clinical systems which are accredited as meeting the Requirements for Accreditation (RFA99) standards as a precondition of moving away from paper records.

The practice should draw up and follow a security policy that takes full account of the need for confidentiality (see next section), authentication and integrity of the computerised patient record system. The practice security policy should take account of local circumstances and risks but should specifically address the points under the headings below.

The practice will already have a Caldicott Guardian as part of its parent PCG/PCT, but that person's role is confined to a local determination of good practice as far as access to patient-identifiable information is concerned. The issues relating to security of computerised records go further than that and it is important that this should be recognised as part of the policy.

The newly formed National Body on Confidentiality will play a significant role in advising and setting of standards in the future.

The practice security policy should recognise the need for data entry to be restricted to properly trained and authorised people. It must take full account of the need for entries to be accurate, complete and attributed to the person responsible for the observations or interventions recorded.

When considering the issue of authentication, health professionals should be aware that they may be held liable for the content and accuracy of information that appears to have been entered by them or on their behalf. It is therefore important that the security features of the system and procedures followed by the practice combine to minimise the risk of a record entry being accidentally or fraudulently attributed to the wrong user. Practices should be aware that it may be necessary to prove that an entry was or was not made by the person to whom it is attributed. This means that, since most record entries are logged as being the responsibility of the individual whose password is currently entered, it should never be acceptable for an entry to be made into a record when someone else has logged into the system. More generally, it is essential that all users:

The practice policy on data entry may allow another person to make entries in the patient records on behalf of the responsible healthcare professional. The information on which such entries are based may be a written note, a dictated message or a verbal report by the healthcare professional responsible for the observations orinterventions recorded. Entries made in this way must be:

* Transcribed to the computerised record by an authorised trained person who ascribes the entries to the healthcare professional who wrote or dictated the notes;

* Monitored in accordance with the practice policy on data entry to ensure the accuracy and correct attribution of the entries made.

The practice system should record details of who, what and when was recorded in an audit trail according to the current version of the Requirements for Accreditation (see Regulatory Requirements).

If reports and correspondence are received electronically from outside the practice, the practice policy should include procedures to ensure that:

* All information received is seen by the person responsible for the original request or by another doctor acting on his or her behalf;

It is also likely that authentication measures for electronic medical records and their products will be supported by electronic signatures in the medium term future. These guidelines would then need to be updated.

The practice should protect the patient record system from physical and operational threats to its integrity. Some of the equipment necessary to protect the record system is mentioned above under Hardware Requirements. More generally, physical security measures should be applied to prevent loss or failure of the systems due to:

* Exposure to environmental factors outside the limits recommended by the manufacturer (e.g. excessive heat, cold, humidity or dust);

- Illness, death or disaffection of the only person who knows the password that grants access to system maintenance facilities.

In addition, the practice should have an insurance policy sufficient to cover total system loss and its consequent effects upon the practice organisation.

The normal operation of the computer hardware and software should be protected by maintenance agreements that guarantee a rapid response to faults caused by component failures and faulty software. The service levels specified in the Requirements for Accreditation of General Practice Computer Systems (RFA99) are a minimum applicable to practice management systems. Higher levels of service are desirable for a computerised patient record system. It is also highly desirable that one or more staff within the practice have sufficient I.T. competence both to deal with relatively minor operating problems when they arise, and effectively to liaise with support staff if more major difficulties are present.

The practice should have a clearly laid out disaster recovery plan. This will need to address the temporary replacement of the practice's electronic functions with paper based alternatives, the retention and subsequent entry of these temporary records into the electronic record system when it becomes available again and the extraction of essential information from ancillary systems such as any electronic appointment book's backup.

Whenever and wherever an entry is made into a computerised patient record, the information entered must be retained by that practice in the form in which it was entered for an appropriate period of time. This information must be retained even if a copy of the computerised patient record is transferred to another practice. There are, as yet, no absolute rules as to what is "an appropriate period of time". The period for which records may be retained depends on the purposes for which they are to be used. Current recommendations from the Department of Health 2 are that medical records should be retained for the following periods:

2 (HSC 1998/217: Preservation, Retention, and Destruction of GP General Medical Services records relating to patients)

* Records relating to children and young people (including paediatric, vaccination and community child health service records);

Until the patient's 25th birthday or 26th if an entry was made when the young person was 17; or 10 years after death of a patient if sooner.

* Records relating to persons receiving treatment for a mental disorder within the meaning of the Mental Health Act 1983;

10 years after conclusion of treatment, the patient's death or after the patient has permanently left the country.

The Data Protection Act can be interpreted to suggest that computerised records should not be kept once the individual concerned is no longer receiving services from the organisation concerned. This is clearly unacceptable from a medicolegal standpoint both as far as patient and clinician are concerned. The Data Protection Commissioner has accepted the BMA's advice that until such time as a patients electronic record (with its associated audit trail) can be reliably transferred between practices a practical interim solution is required. If the patient is no longer receiving services from the practice their record should be made "inactive" or archived.

Inactive records should not be accessible in routine use of the system. They should only be accessed in response to a new request for service or some other valid reason. Whenever an inactive record is accessed a record of why that access was made must be kept. It follows that in the meantime practices should never delete any EPR they have created or been responsible for.

Ultimately an EPR from one practice should be transferable to another with no loss or corruption of its content and functionality. Work on such systems has begun with the Department and initial text based transfers should be possible by early summer of 2001. This will be followed by further work over a period of about two years to develop a system which will transfer the EPR with full functionality being retained. If in the interim a computer supplier delivers this functionality for use where the sending and receiving practices have a common computer system, its use by practices with electronic records will be subject to the agreement of both the sending and receiving practice and adequate security procedures. When transferring a patient's record, the origin of the transfer must be authenticated in the transfer message and the transfer must be logged in the audit trail of the sending and receiving systems.

When transferring a patient's record, each entry within the transfer must contain sufficient information to identify the practice from which it originated. If it is necessary to verify the authenticity of an individual entry or group of entries, this can then be done by reference back to that practice.

When entries are received from another practice, these should be added to the patient record but should not overwrite any existing entries. This is particularly important if some of the entries were originally made in the receiving practice and have been copied to the sender in an earlier transfer.

When a patient registers with a GP in another practice the information in his or her "current" computerised patient record must be sent to the practice at which the patient is now registered. When appropriate facilities are available for electronic record transfer, the information should be sent in that form. Otherwise a printed copy of all the electronic record must be sent.

If a GP leaves a practice partnership while retaining his list of patients, the information in the "current" computerised patient records of all patients on his or her list must be made available to the GP who is leaving the

A GP from a practice with whom the patient is not registered may be consulted by a patient for several types of service. In these cases the GP should make an "interim" computerised patient record in which to make entries related to the services provided. For the purposes of determining the way in which entries made during these consultations should be handled the services are divided into two categories:

When a short-term service is completed, a copy of the information in the "interim" record must be sent to the authorised holder of that patient's "current" record.

When a stand-alone service is provided, a copy of the information in the "interim" record must only be sent to the authorised holder of that patient's "current" record with the patient's explicit consent.

The practice security policy must recognise the rights of patients to insist on the privacy of their medical records and should take account of:

* The provisions of the Data Protection Act 1998 relating to the confidentiality of personal information stored in computerised systems and in particular the requirements for processing to be both fair and lawful;

The practice should prevent accidental or deliberate access to the records it holds by unauthorised people or organisations. The practice should use physical security measures to prevent unauthorised access to:

The practice should make use of technical restrictions on access to the patient record system provided by their system. Technical restrictions on access to the patient record system should include:

If these features can be configured, this must only be undertaken by a person authorised by the practice. The configuration must be set in accord with the practice security policy.

Additional restrictions should be applied to remote access to the computerised patient record system. The measures that should be applied include:

* Regular disconnection of the modem (or use of facilities for disabling modem auto-answer) when remote access is not required;

* Ensuring that the numbers associated with any dialup access lines are ex-directory, known only by those who are authorised to access the system and cannot be easily deduced from published practice phone numbers (i.e. not an adjacent number);

* An automatic log recording attempts to access the system from outside the practice. This log must be regularly reviewed to detect unusual patterns of access.

* Installation of a firewall between the clinical system and any outside network which may be accessed from a common terminal (this is to be undertaken as part of the connection of GPs to NHSNet). The practice should apply organisational and procedural measures to prevent unauthorised disclosure of information. These measures should include:

* Ensure that restrictions imposed by patients on the disclosure of confidential information are effectively recorded and respected unless there are overriding legal or ethical considerations;

* Use an appropriate secure method to transfer the information while minimising the risk that any sensitive information will reach or be intercepted by a party other than the intended recipient;

* Maintain a log of all transfers of information, including a record of the information transferred and the identities of the requester, the destination and the person authorising the transfer;

* Training all staff with access to the record system to ensure that they are aware of their responsibilities for confidentiality of patient records;

* Appropriate provisions in staff contracts specifying disciplinary rules in respect of breaches of the Data Protection Act and/or other specified guidelines on patient confidentiality;

* Positioning of screens and printers to ensure that printed or displayed information is not visible to unauthorised people during normal operation of the system;

* Secure filing of printouts from the computer system while they are in use and destruction of printouts when they are no longer required;

* Ensuring where practical that all patient-identifiable information (whether by e-mail or as an electronic message) sent across a wide area network is encrypted.

Training for health professionals and practice staff is essential to ensure that they will all have the requisite generic and system-specific skills to use primary care EPR systems safely and effectively. This training needs to start before practices go paperless, so that they can fully understand and implement the changes in their own practices in a strategic way. Poor quality data accumulated early in the transition to an EPR will create a legacy not only for the originating practice but also for every practice that subsequently handles that record.

There should be a consensus that underpins an agreed strategy for the practice. Moving from paper-based records to an EPR is not an all or nothing phenomenon. Practices will inevitably migrate from low levels of "Paperlessness" to higher levels. The practices strategy will need to take account of the timescale of their chosen migration. For the foreseeable future, practices will still have to process paper, extracting meaning from various letters, forms and reports whilst building their EPRs. Practices will have to develop the skills to add, edit and process computerised information for individual patients and practice populations linked to individual care, population surveillance, audit, teaching and clinical governance tasks. Clinical computer systems rely upon high quality data entry and traditional practice staff skills will not be sufficient.

When clinical records are computerised there is an inevitable progression for allied systems to be computerised (referral letters, appointments, scanning, internal and external e-mail, accounts, etc.) These systems also have their own training requirements.

* Talk to other practices that are already using electronic records. Learn from their experience. Your PCG/T, HA, system supplier or local user group may be able to help with advice, training and support.

* Using the Local Implementation Strategy processes may help to ensure that appropriate resource support is made available at the appropriate stages in the practices migration to electronic records.

* Where are you now? Poor quality paper records might need to be brought up to a level that then enables them to be transferred to electronic form see 3.2.2 .

* Develop a practice training and implementation plan for moving to EPRs. Involve all the staff and health professionals who will have access to the system (including attached staff, locums and any others). Consider the skills mix your practice will need to maintain EPR systems.

* Agree with your Health Authority a staged migration to becoming "Paperless". Different components of the practice's activity that could be recognised as being part of such a migration pathway might be:

* During this transition the practice must understand the importance of the clinicians having access to the entirety of the patients record, paper and electronic. Clinicians may need to have both paper and electronic records available during consultations for as much as two years.

* How do you transfer information from the paper records, letters, reports etc to the EPR? How can you best do this on an ongoing basis for all the paper you will still have to process? Will this be done by staff or doctors? How do you ensure you capture all the relevant information? What technologies will we use to assist us? (e.g. scanner, OCR software, voice recognition software).

At some point in the migration process the revised regulations will require a general practice to formally obtain their health authority's approval to move away from paper based medical records. The GP "terms of service" have never been specific as to what constitutes an adequate record of the illnesses and treatment of a patient.

Without such clarity it is difficult to be precise about the point in a migration pathway where formal approval to maintain electronic records would be required. Pragmatically the use of GP/HA LINKS messages has never been seen as being contrary to the old "terms of service" provision and there is no reason for this to change. Equally items such as electronic appointment registers or repeat prescribing should not require formal approval.

However, once a practice plans to retain significant clinical information only in an electronic form GPs should discuss the formal approval mechanisms with their health authority.

These good practice guidelines are an attempt to distil elements of existing ethical principle, the day-to-day experience of modern general practice, and relevant legislation. That legislation covers subject areas which include:

  Home Health links Internet directory 
 Subscribe to newsletter
Send any website enquiries to Feedback@wansford.co.uk
Site design - Dr Amrit Takhar
Last modified: July 06, 2003