Guidance For Completing A Practice Plan For IM&T DES
Produced by: Elaine Green, Information Facilitator
Date: May 2006
Version: 1.1
Document status: Draft
Date effective from: May 2006
Date of review: May 2007

Document version control

Number | Date issued   | Issued to              | Comments
v1.0   | 12 April 2006 | PCT staff for comments | 1st draft for comment
v1.1   | 15 May 2006   |                        |
Summary

The IM&T DES requires practices to produce a practice plan which demonstrates their commitment to the DES. The submitted plan will show the areas identified by the practice for improvement and the action the practice intends to take. The submitted plan should also provide evidence of how the practice complies with information governance practice. The practice must confirm that it will maintain a training log covering each member of the practice team, training events undertaken, training for locums and information governance training. Evidence that training has been undertaken will be required at year end.
Contents
Summary
Contents
Connecting For Health
Caldicott Guardian
Training
Information Governance
Data Protection Act
Computer Misuse Act
N3 Network
Smart Card
Appendix 1 – Example Staff Training Needs Assessment Form
Appendix 2 – Example Confidentiality Statement For Contractors And Sub-Contractors
Appendix 3 – Principles Of The Data Protection Act
Appendix 4 – Computer Misuse Act 1990
Appendix 5 – Caldicott Guardian Principles
Appendix 6 – N3 Network Test
Connecting For Health
The practice must nominate a practice lead who will liaise with Connecting for Health (CfH). This lead should be IT literate and may also be the practice lead for the IM&T DES. The CfH lead may find the CfH practical guide for primary care teams useful; the leaflet is available via http://www.connectingforhealth.nhs.uk/publications/primary_care_booklet.pdf

The CfH lead will be expected to be competent in understanding the following concepts:
- Connecting to the N3 network
- Smartcards
- Choose and Book
- Personal Demographic Service
- Electronic Prescription Services
- GP2GP Electronic Records Transfer
- QMAS
- NHSmail
- Information and concepts behind the IM&T DES
- Data accreditation
- GP Systems of Choice
- NHS Care Records Service

Ensure that all practice staff are aware of the Good Practice Guidelines For General Practice Electronic Patient Records (v3.1). The document is available via: http://www.dh.gov.uk/assetRoot/04/11/67/07/04116707.pdf
Caldicott Guardian
The practice must nominate a Caldicott Guardian. The Caldicott Guardian acts as a champion for the protection of patient information. A manual for Caldicott Guardians is available from: http://www.connectingforhealth.nhs.uk/nsts/best_prac/dh_protecting%20and%20using%20patient%20info_caldicott%20guardian%20manual.pdf

Further information can be found on: http://www.healthesussex.nhs.uk/protocols/05-02-01%20%20The%20role%20of%20the%20Caldicott%20Guardian%20v0-4.pdf
The Caldicott Guardian should be either a GP partner or the practice manager. They should have the authority to influence practice policy on information security.
Training
The practice must confirm that it will:
- Maintain a log of training undertaken by each member of the practice team who uses the IT systems; this must be linked with a training needs assessment form or personal development plan. An example training needs assessment form is included in Appendix 1.
- Maintain a log of in-house training events undertaken, including induction of new staff, locums and other relief staff. This must also cover signing on to and signing off from the computer systems, and state the disciplinary procedures that apply if these are not adhered to.
- Undertake training and demonstrate proficiency in information governance standards.

The plan should indicate the likely timescales for completion, where necessary, and the training which may need to be provided to staff members. Evidence that logs have been maintained and training has been provided will be required by the PCT at year end.
Information Governance
Practices will need to provide evidence of good information governance practices. An example information governance policy is available on the PCT website and can also be used in your application to hold a part or full electronic patient record: http://www.brightonhovecitypct.nhs.uk/healthprofessionals/generalpractice/policies/electronicrec/index.asp

Practices should include clauses on confidentiality in their contracts of employment. Practices should also consider asking third parties, e.g. builders and engineers, to sign a confidentiality clause; see Appendix 2.

GPs and practice staff should undertake training in information governance. An online training tool is available via: http://www.healthesussex.nhs.uk/is_training/

Evidence of information governance training is required, and details of planned training should be included in the plan. Practices are required to provide evidence of their compliance with the:
- Data Protection Act (see Appendix 3)
- Computer Misuse Act (see Appendix 4)
- Caldicott Guardian Principles (see Appendix 5); a toolkit is provided on: http://nww.esussex.nhs.uk/publications/nhsia/caldicott/welcome/index.htm

Further information governance advice can be accessed on http://nww.sussexinfogov.nhs.uk/
Data Protection Act
It is a legal requirement for practices that hold patient and/or personnel information on computer to register with the Data Protection Agency. It is the practice's responsibility to maintain an entry in the register and to ensure that on expiry a new registration is completed. The cost of registering is £35. If you receive a letter from any company charging you any more, this is likely to be a scam. Failure to register can result in prosecution and, if found guilty, a fine of up to £5,000. Further information is available from: http://www.ico.gov.uk/eventual.aspx

The Data Protection Act requires that patients are told that information is held about them in an electronic format, what is held, who will see their personal information and the reasons why. Patients are entitled to access their records, both electronic and paper based, following a valid written request. Practices are entitled to charge patients a fee: a maximum of £10 for electronic records and £50 for paper records or a mixture of electronic and paper records. No fee can be charged where a patient inspects a paper record without taking any copies. Patients must be made aware of this information. You might include a statement on a form or letter such as:

  The information you provide will be used for the following purpose[s]: .......[LIST]............. It will not be used for any other purpose. The data will be used solely by .....[LIST]....… The information you provide will be kept securely and confidentially in accordance with the requirements of the Data Protection Act (1998).

Providing a poster in the waiting room is insufficient to meet the requirements of the Data Protection Act, as not all patients will see the poster or be able to understand its contents. However, a poster can be used in conjunction with other forms of communication, e.g. information in the practice leaflet, letters sent to patients or face to face contact.
Computer Misuse Act
Practices may consider adding a clause to staff contracts regarding the correct use of passwords and the consequences of password sharing. Practices should ensure that the same requirements, and the consequences of password sharing, are detailed in their information security policy. All staff must read and understand the policy.
N3 Network
All Brighton & Hove practices are connected to the N3 network. Instructions on how to test that you are connected to the N3 network are given in Appendix 6.
Smart Card
Each member of staff who has access to the computer system must be authenticated and registered with a smart card and must know how to use it. Smart cards will be issued and authenticated by a nominated GP partner. Practices must ensure that the partner is aware of new starters so that a smart card can be issued soon after the start of employment. Practices must also ensure that the partner is aware of staff leaving the practice so that cards can be deactivated and returned.
Appendix 1 – Example Staff Training Needs Assessment Form
(Developed in conjunction with Sara Taylor, Eastbourne PCT)

Staff Member: ………………………………………………………………………….…
Job Title: …………………………………………………………………………………..

1. Do you enter any data onto the computer? [Yes / No]

2. If yes, what type of data?
   - Consultation details including:
   - Significant diagnoses/problems
   - Allergies
   - Adverse reactions
   - Telephone consultations
   - Home visits
   - Clinical data e.g. BP, smoking, obesity, chronic disease monitoring
   - Vaccinations/immunisations
   - Prescriptions/repeat prescriptions
   - New registrations/GP Links
   - Patient demographic information, updating patient names/addresses
   - Ethnic group
   - Carer
   - Letters from external agencies
   - Lab results, inc. cytology/Path Links
   - Referral letters
   - Appointments
   - Scanning
   - Other (please specify)

3. If using the computer to enter consultation details, are you able to flag problems/diagnoses as 'significant' or 'important'? [Yes / No]

4. Do you enter on the computer major diagnoses made by secondary care and other health care professionals and prioritise them, if appropriate, in the summary? [Yes / No]

5. Do you enter clinical summaries on the computer? [Yes / No]

6. If no, why not? [Don't have time / Don't know how to use a computer, but would like to / Unable to use a computer / Not included in duties]

7. How would you rate your computer/IT skills? [Excellent / Good / Average / Poor / Non-existent]

8. Do you use any computer templates (also called guidelines or SOPHIES)? [Yes / No]

9. When do you use templates? [In screening clinic / During consultation / After consultation or clinic / Referral letters]

10. Do you find templates easy to use? [Yes, all of them / Some of them / No / Not applicable]

11. Are you able to amend templates? [Yes / No / Not applicable]

12. Have you had any Read Code training? [Yes / No]

13. Do you understand how Read Codes are structured? [Yes / No]

14. Are you able to retrieve data using system searches, MIQUEST/CHART queries or other methods? [Yes / No / Not applicable]

15. Are you aware of practice information security policies and procedures? [Yes / No]

16. Are you aware of the importance of good quality data? [Yes / No]

17. Do you feel that you would benefit from additional training on your clinical system? [Yes / No]

18. Do you feel that you would benefit from additional training on basic IT skills, e.g. using e-mail, Microsoft Word, etc.? [Yes / No]

19. Do you feel that you would benefit from additional training on information security? [Yes / No]

20. Do you feel that you would benefit from additional training on information governance? [Yes / No]

21. Do you feel that you would benefit from additional training on data quality? [Yes / No]

22. Do you feel that you would benefit from a briefing session on: [Yes / No for each]
   - Electronic Prescription Service
   - GP to GP Transfers
   - Choose and Book
   - Care Records Service

Do you feel that you would benefit from any other IT training? (If so, please specify.)

Do you have any other comments to add?
To Be Filled Out By Line Manager

Name of Staff Member:
Assessment Completed by:
Training Needs Identified:
Appropriate Courses:
Anticipated Date For Completion:
Date Completed:
Appendix 2 – Example Confidentiality Statement For Contractors And Sub-Contractors
Confidentiality Statement for Contractors and Sub-contractors
Appendix 12 of the Information Governance Policy
Status of document: FINAL
Version: 1 (January 2003)
Review Date: January 2005
Responsibility concerning security and confidentiality of information (relating to Brighton & Hove City Primary Care Trust)

During the course of your contract you may acquire or have access to confidential information, which must not be disclosed to any other person unless an authorised person on behalf of the Primary Care Trust has given specific permission. This condition applies during your relationship with the Primary Care Trust and after the relationship ceases.

Confidential information includes all information relating to the Primary Care Trust, its patients, employees, clinicians and general practices. Such information may relate to patient records, telephone enquiries about patients or staff, electronic databases or methods of communication, use of fax machines, handwritten notes containing patient information, administrative or financial affairs of the Primary Care Trust, planning of services, etc.

The Data Protection Act 1998 regulates the use of computerised information and paper records of identifiable individuals, to which you may have access. The Primary Care Trust is registered in accordance with this legislation. If your organisation and/or any of your employees are found to have made an unauthorised disclosure, you and/or your employees may face legal action.

---------------------------------

I the undersigned understand that this organisation and its employees will be bound by a duty of confidentiality in accordance with the requirements of the Data Protection Act 1998 and that our employees will be given a copy of this confidentiality statement. I understand that knowingly or negligently failing to adhere to these requirements may result in civil or criminal action being taken against the organisation and/or its employees.

PRINT NAME:
SIGNATURE:
DATE:

WITNESS/MANAGER'S NAME (on behalf of Brighton & Hove City PCT):
SIGNATURE:
DATE:
Appendix 3 – Principles Of The Data Protection Act
The Data Protection Act 1998 (the Act) came into force on 1 March 2000 and applies to person-identifiable information that relates to living individuals, such as personnel and payroll records, medical records, microfiche/film, pathology results, x-rays, photographs, etc. It covers (a) manual information that forms part of a structured filing system, which means information that is easily accessible either by reference to an individual's name or by reference to a year, a subject area or anything else which enables you to easily retrieve an individual's information, or (b) electronic information, e.g. held in databases, files, videos, etc. The Information Commissioner oversees and enforces the Act.

Automated processing (information systems that are processed electronically, i.e. computer, handheld device, etc.) and manual processing of information held in structured filing systems that contain personal information must be registered with the Information Commissioner. The process of registering is called 'Notification'. This Notification contains the purpose or purposes for which an organisation is processing personal data, e.g. 'Staff Administration' or 'Health Administration and Services'. A search can be made on any organisation that has 'notified' the Information Commissioner of their processing at http://www.dpr.gov.uk/search.html, or practices can register online, if necessary. Failure to register, or an incorrect registration, is a criminal offence which may lead to prosecution.

The Act defines eight principles of good practice for organisations to follow to ensure that their processing of personal data does not contravene the Act.
Principle 1
Personal data shall be processed fairly and lawfully. The Act does not provide clear guidance on the meaning of 'lawful' or 'unlawful'; suffice it to say that the courts have broadly described 'unlawful' as something that is contrary to the law. In other words, whatever processing is taking place must comply with all relevant rules of law, e.g. Article 8 of the Human Rights Act, the Common Law Duty of Confidence and any other current relevant legislation.

To be processed fairly, individuals must be given what is called "fair processing information". They must know:
- who the data controller is (the organisation processing the data),
- the purposes for which their data are to be processed, and
- any disclosures of that data.

Notices should be displayed in surgeries and hospitals to inform individuals how their information will be used and shared. Only those people who need to know in the course of an individual's care, for administration or for improving services should be able to see that information. This is the minimum requirement under the Data Protection Act.
Principle 2
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be used for any other purpose. In other words, if you are collecting information about individuals' health problems then you may not look at that information to find, say, a friend's telephone number or what day their birthday is just because you hold that information on file.
Principle 3
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Do not ask for information that has either nothing to do with the purpose or purposes you are gathering it for or is more than you need for the purpose or purposes.
Principle 4
Personal data shall be accurate and, where necessary, kept up to date. It is necessary to keep information correct and up to date. For example if an individual tells you that his name is spelt incorrectly or that they have 3 children and not 2 then this information must be corrected. However, if an individual tells you that he disagrees with the information that has been recorded then you must write a dated note saying so but do not remove the original information or make it illegible. This may be needed in cases of disputes etc.
Principle 5
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. For health records held by NHS Trusts (Acute, Mental Health, Primary Care and Ambulance) consult HSC 1999/053 'For the Record' or your local policies; for GP records consult HSC 1998/217 or local policies. These provide the minimum length of time that records must be kept, and this guidance should be referred to before disposing of any records. If in doubt, check with the Records Manager in your Trust or GP surgery.
Principle 6
Personal data shall be processed in accordance with the rights of data subjects under this Act. Individuals have several rights regarding the processing of their data:

(1) The right to see what has been written about them. This is called a 'subject access request'. Some information may be withheld, i.e. if it contains third party information or if it is likely to have a detrimental effect on the individual. Record all actions/decisions so that these may be referred to in the future. However, even though you may not wish to give them all their details, they do have a right to apply to a court to compel you to disclose them.

(2) The right to prevent an organisation from processing their data where this is likely to cause damage or distress to the individual.

(3) The right to prevent their personal details being used for direct marketing.

(4) The right to ensure, by giving written notice to an organisation, that no decision taken by it which might significantly affect that individual is based solely on processing by automatic means, e.g. an assessment of their creditworthiness or their performance at work. Even without a written notice, if an organisation has made a decision using automatic processing then the organisation must inform that individual of the decision and how it was derived.

(5) If an organisation processing personal information does so in contravention of the Data Protection Act, an individual is entitled to be compensated if he/she suffers damage or distress because of it.

(6) The right to apply to the courts to have any inaccurate data rectified, blocked, erased or destroyed; the individual may also be entitled to compensation if he/she has suffered damage because of it.

(7) The right to apply to the Information Commissioner for an assessment where he or she feels any of the data protection principles have been contravened.
Principle 7
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. This means that anyone holding information about individuals must make sure that they do all they can to prevent this information from ending up in the wrong hands. One barrier to unauthorised access to information is giving users individual usernames and passwords, which only permit users access to the information they are allowed to see. Do not share passwords. This ensures that those who are not authorised to see that information are unable to gain access to it.
Principle 8
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal data. This is to ensure that if information is transferred to other countries it will not get into the wrong hands and be processed inappropriately.
Appendix 4 – Computer Misuse Act 1990
This Act makes it a criminal offence to access any part of a computer system, programs and/or data that a user is not entitled to access. Each organisation will issue each user an individual user ID and password which will be known only to the individual they relate to and must not be divulged to or misused by other staff. This is to protect the employee from the likelihood of inadvertently contravening this Act. Each organisation will adhere to the requirements of the Computer Misuse Act 1990 by ensuring staff are made aware of their responsibilities regarding the misuse of computers for personal gain or other fraudulent activities. Any member of staff found to have contravened this Act will be considered to have committed a disciplinary offence and will be dealt with accordingly.
Appendix 5 – Caldicott Guardian Principles
Principle 1 – Justify purpose(s)
Individuals, departments and organisations must justify the purpose(s) for which information is required. This includes justifying the purposes to the public for specific patients as well as to the Caldicott Guardians within each organisation. Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian within the practice.

Principle 2 – Don't use patient-identifiable information unless it is absolutely necessary
This means assessing information flows and uses and ensuring that patient-identifiable information is removed unless a genuine case can be made for its inclusion and there is no alternative.

Principle 3 – Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability. This includes the use of the NHS number rather than any other identifier where possible.

Principle 4 – Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

Principle 5 – Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information, both clinical and non-clinical staff, are aware of their responsibilities and obligations to respect patient confidentiality.

Principle 6 – Understand and comply with the law
The most relevant and important laws are the Data Protection Act 1998, the Access to Medical Reports Act 1988 and the Police and Criminal Evidence Act 1984. Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the practice complies with legal requirements: the Caldicott Guardian.
Appendix 6 – N3 Network Test
Dear Colleague, The green coloured icon below, when run from a Windows PC/ workstation connected to a local internal network, will indicate if that local network is connected to the new National N3 Network. All you need to do is double click on it and read the result from the screen that pops up. I have not been able to test this on every operating system, but if you have any problems please give me a call on 02380 725611. Regards, Ashley
Double click this green icon/picture to run the test. (You might be asked if you want to run this as it might contain viruses or has not been verified, but it is safe to say yes and to continue to run this)