VELINDRE NHS TRUST IG & IM&T

Transcription

1 VELINDRE NHS TRUST IG & IM&T Committee 1.00pm to 4.00pm, Monday 5 th September 2016 Meeting Room 1 Trust HQ AGENDA ITEM ITEM NO. 09/16/01 STANDARD BUSINESS OWNER 1.1 Apologies HL 1.2 Declarations of Interest HL 1.3 Minutes: meeting held 9 th May 2016 HL Attached 1.4 Action Points: meeting held on the 9 th May 2016 HL Attached 09/16/02 CONSENT ITEMS For Approval 2.1 WG Capital Allocation SM Attached 2.2 IG &IM&T Cycle of Business SM Attached 2.3 Corruption of Radiology Reports AMS Attached For Noting 2.4 General Data Protection Regulations Impact AMS Attached 2.5 Clinical Coding Performance Update AMS Attached 2.6 Data Quality Report AMS Attached 2.7 Clinical Coding Internal Audit AMS Attached

2 ITEM ITEM NO. 09/16/03 GOVERNANCE/AGREEMENTS 3.1 Information Governance Incident Overview Combined report WBS and VCC (Quarterly) & NWSSP Month trend analysis 3.2 C-PIP Reports Assessment 2016 VCC WBS NWIS (not received) NWSSP OWNER NS NS NS Attached Attached Attached 3.3 VCC Information Governance Action Plan NS Attached 3.4 VCC Clinical Correspondence Incident NS Attached 09/16/04 STRATEGY DEVELOPMENT 4.1 Update Progress on Strategy SM Attached 09/16/05 AUDIT 5.1 Audit Action Plan Update (register only) MO Attached 09/16/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 6.1 Delivering Excellence our 3 year plan (IMTP) Progress Report. 09/16/07 PROJECT UPDATES/PROGRAMMES OF WORK 7.1 Programme Updates AP/NS Attached Welsh Blood Service Programme Report AP Attached Velindre Cancer Centre Programme Report NS Attached 7.2 Business Intelligence Programme SM Attached 7.3 Cancer Informatics Systems Project Board (inc Draft Business Case) SM Attached 7.4 e-rostering SM Attached

3 ITEM ITEM OWNER NO. 09/16/08 NATIONAL ISSUES 8.1 PSBA SM Attached 09/16/09 RISK MANAGEMENT ISSUES 9.1 IG and IM&T Risk Register WBS Risk Register AP Attached VCC Risk Register NS Attached 9.2 Missing Radiology Reports NS Attached 9.3 CANISC Risk Assessment (Out of Support) SM Attached 9.4 DATIX ChemoCare Consultants Log NS Attached 09/16/10 POLICIES AND STRATEGIES 10.1 Confidentiality Breach Reporting Policy NS Attached 09/16/11 ANY OTHER BUSINESS 11.1 None identified 09/16/12 DATE AND TIME OF NEXT MEETING Monday 7 November 1.00pm in Trust HQ.

4 INFORMATION GOVERNANCE & IM&T COMMITTEE MINUTES OF A MEETING HELD ON 9 TH MAY 2016, 1.00PM MEETING ROOM 1, TRUST HQ Present: Mr Harry Ludgate Mr Phil Roberts - Independent Member (Chair) - Independent Member In attendance: Mr Steve Ham Mr Mark Osland Ms Jackie Davies Mr David Davies Mrs Ann Marie Stockdale Dr Stephen Field Mr Alan Prosser Mr Stuart Morris Dr Jacob Tanguay Mrs Mary Hopkins Ms Julie Robinson Professor Rosemary Kennedy Mr Stephen Lisle - Chief Executive - Director of Finance and Informatics - Associate Director of Informatics - Director of NHS Engagement, NWIS - Head of IM&T, VCC - Medical Director, Welsh Blood Service - Deputy Director, Welsh Blood Service - Head of Business Systems, WBS - Clinical Consultant, VCC - Head of Business Systems and Informatics NWSSP - Meeting Secretary Apologies: - Chair of Velindre NHS Trust - Wales Audit Office Item No 05/16/01 STANDARD BUSINESS ACTION 1.1 Apologies The above apologies were noted. Page 1 of 8

5 Item No ACTION 1.2 Declarations of Interest There were no declarations of interest received. 05/16/02 CONSENT ITEMS The Chairman moved to approve/note the Consent Agenda and it was agreed that item 2.2 should be considered for further discussion and item 7.2 would be moved to the Consent Agenda. For Approval 2.1 Minutes of meeting held 1 st February 2016 The minutes were approved as a correct record with Mr Griffiths having provided his approval out of Committee. 2.2 Actions of the meeting held 1 st February 2016 In addition to those action points already noted as completed or addressed by items on the current agenda, the following points were noted:- 04/15/ WAO: Radiology Service Private Patient This National report is still outstanding. There is no action for Velindre but Mrs Stockdale to send an and cc Stephen Lisle. AMS 06/15/ Velindre Cancer Centre A meeting took place and a paper to be produced for Management Group and then brought to Committee in September on e-scheduling for Chemocare. AMS/SM 02/16/ Cyber Security This paper was presented to the Management Group but was unable to be approved as the meeting was not quorate therefore it will be resubmitted to the next meeting in August. AMS/SM 2.3 Information Governance Leaflets This was NOTED by the Committee. 7.2 Cutover Plans All Wales Blood Service The Committee expressed their thanks to all those involved in delivering the All Wales Blood Service. Mr Ham stated that he would send out an to all Independent Members informing them that the service in North Wales was now up and running. SH Page 2 of 8

6 Item No ACTION The Committee NOTED the report. 05/16/03 GOVERNANCE AGREEMENTS 3.1 Information Governance Incident Overview (combined Trust report) VCC Mrs Stockdale provided the report for Quarter 4 from 1 st January 2016 to 31 st March There were 53 reported VCC IG related incidents with the majority again relating to records management. This was an increase on the last quarter. Mrs Stockdale provided a high level summary of the incidents as below:- Patient passed away but was not evidenced in CANISC. Inaccurate or no discharge summaries produced following an inpatient stay, the recording of these in Datix is as a result of an ongoing data quality exercise The Committee felt that the reporting of incidents was too high level and should include enough detail to enable an informed discussion. The Committee requested an amended report be developed for the next meeting (to include Datix reference numbers). The Committee also commented that it would be useful to see the recurrent trend of incidents with more detail provided in the form of sub categories in order that areas of activity which are problematic can be pinpointed. Mr Morris was asked to look into how any risks associated with these IG incidents are reported, accepted and approved at Divisional level. WBS Mr Morris presented the WBS section of the report commenting that the incident of most concern was a donation arriving at processing department in WBS without any paperwork with a signature and therefore didn t comply with regulations for the unit of blood. AMS AMS SM/AMS SM This was NOTED by the Committee. 3.2 VCC Clinical Correspondence Incident The Committee received a report which outlined detail behind a data protection breach. This described an incident which was highlighted formally through concerns correspondence received from the data subject. An investigation and subsequent severity scoring, in line with guidelines, has taken place and determined the incident to be reportable to the Information Commissioner s Office. Mrs Stockdale assured the Committee that steps were in place to look at processes to ensure that incidents such as this did not occur again. A report would be brought to Committee detailing the outcome of the internal investigations and the corrective measures to be put in place. AMS Page 3 of 8

7 Item No Due to the sensitivities and detail contained within the report, it was agreed to redact the report from publication on the website and provide a report to the Trust Board Part B meeting on 26 th May This was NOTED by the Committee. Patient Registration RCA Report Mrs Stockdale presented the report which outlined the details of an Information Governance incident involving misdirection of a clinical correspondence. Mrs Stockdale confirmed that the incident was not reportable as no patient data had been disclosed. Training is being provided to Medical Secretaries. The Committee requested that future Executive Summary were more of a summary. ICO IG Training Review Action Plan Update Mrs Stockdale provided an update on the progress being made for the two yellow actions within the report. The following items were commented on specifically by the Committee:- Action Plan Objective: Training Programme (Head of IM&T) the Committee requested that the comments be reviewed to reflect progress against the objective. Monitoring and Reporting of DP Training Provision (Education and Development Manager) re monitoring of staff compliance with M&S training it would be helpful to understand specific actions which have been undertaken to support the status of the objective. The Committee reiterated that the Staff Induction Programme IG training should include examples of incidents/near misses specific to the Trust. National Intelligent Integrated Auditing Solution (NIIAS) The Committee received for information the details of the above system which has the ability to audit access to medical records within the VCC electronic patient record by staff, and that the implementation will be in place by September The Committee discussed the approach, and a future paper was requested to provide more background and information on the approach and implementation of this new system. ACTION JR AMS AMS AMS AMS Page 4 of 8

8 Item No 05/16/04 STRATEGY DEVELOPMENT 4.1 No items were received. ACTION 516/05 AUDIT 5.1 Audit Action Plan The Committee were pleased to note that there was only one action in the plan but queried how the action would be completed. Ms Davies confirmed that a business intelligence review is currently underway, and an initial paper has been presented to the Management Group and as this progresses through an engagement process, it will be possible to complete this action by the Implementation Date. This was NOTED by the Committee. 5.2 Clinical Coding Activity Report The Committee received for information the report on the performance of the Clinical Coders against the Welsh Government s targets. Mrs Stockdale was pleased to confirm that they had exceeded the targets in the months October, November and December, however, she added that the Welsh Government coding targets were set to change from the current 3 month period to within 1 month. Mrs Stockdale stated that, at this stage, she could not see how the new target could be achieved as the coding was done at the end of a treatment period which could be up to six weeks. The Committee asked that an impact paper on the new coding target be developed and discussed initially at the Management Group, but also then escalated to the Committee as necessary. AMS This was NOTED by the Committee. 5.3 Clinical Coding Internal Audit The Committee received for information the report on the Internal Audit of the Clinical Coding. The Committee agreed that the coders should be commended for the quality of their coding as they had mainly level threes for most areas of coding. The Committee confirmed they would send out a note of thanks from the IG&IM&T Committee to all the coders for achieving such a favourable audit report. AMS This was NOTED by the Committee. Page 5 of 8

9 Item No 05/16/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 6.1 Delivering Excellence our 3 year plan (IMTP) Progress Report for 2015/16 ACTION VCC - Mrs Stockdale presented the report and highlighted the following:- The Clinical Coding should be green and not amber. Mrs Stockdale to review and implement changes. The continued delays in the implementation of the Welsh Clinical Portal and the effects and implications this has had, and continues to have, on the clinical service. The Chair requested the NWIS representative to feed back the concerns to the NWIS Directors. It was noted that in some cases there are multiple objectives which are actually part of one solution, and the Committee asked Mrs Stockdale to review this and incorporate these into one objective and put through the IMTP change control process. AMS DD(NWIS) AMS WBS - Mr Prosser presented the report recognising the excellent progress made against the objectives but again noted one area of continued concern; the implementation of the All Wales Laboratory Information Management System (LIMS) for Blood Transfusion and WTAIL. It has been previously reported to the Committee that there was an expectation that a timetable for delivery would be presented for discussion and agreement at the LIMS Implementation Board in January 2016 and therefore the Committee agreed to await the outcome of that meeting and review the situation at its February 2016 meeting. The Committee noted that whilst the plans were moving towards a better place with dates having been circulated and agreed for the implementation of Blood Transfusion in the Health Boards, no dates have yet been agreed for WBS. With regards to the objective for the implementation of WTAIL functionality, the Committee were informed that the approach for this had changed over time and it had been agreed to bring in a third party as opposed to this functionality being available through the All Wales LIMS system. The two phases of the project have suffered significant delays with an end date now estimated circa. September This was NOTED by the Committee. 05/16/07 PROJECT UPDATES/PROGRAMMES OF WORK 7.1 Programme Updates WBS Mr Morris presented the programme update for WBS for information Page 6 of 8

10 Item No highlighting that the main focus had been on the delivery of the AWBS. The report tabled was accurate as at the time of submitting the report, however there had been a change in the IMTP for AWBS re the on line appointment system. This was NOTED by the Committee. VCC Mrs Stockdale presented the programme updates for VCC. It was noted that in some cases the implementation target dates and associated RAG status were not updated, with some dates having passed but the projects remain outstanding. The Committee requested that this be resolved for the next Committee. Cutover Plans All Wales Blood Service This agenda item was covered under the Consent Agenda. Canisc Technology Refresh and Improvement Programme Mr Davies tabled a report on the Canisc Technology Refresh summarising the progress against the three work streams. He confirmed that in future the newly appointed NWIS Programme Lead will be producing and presenting this report. Ms Davies expressed concern at the continued lack of progress, and the Committee requested that Mr Davies speak to colleagues and write back to Steve Ham, Jackie Davies and cc Harry Ludgate. Mr Davies also agreed to speak to Elizabeth Waites to ascertain how best to feedback to this Committee in future. This was NOTED by Committee. Business Intelligence Programme Ms Davies presented the report which provided an overview of the work undertaken by the Senior Information Analyst on the development of the Information Data Warehouse and Business Intelligence. This was NOTED by the Committee. ACTION AMS DD (NWIS) 05/16/08 NATIONAL ISSUES 8.1 Death Data Feed Mrs Stockdale provided a verbal update on the Death Data Feed confirming that the information was up to date for 1 st January 2013 to 14 th January 2015 and that all data for that period was now in Canisc. This was NOTED by the Committee. Page 7 of 8

11 Item No 8.2 Microsoft ACTION Mr Ham confirmed that there had been some discussion about an all Wales Enterprise Agreement for Microsoft at the NIMB meeting. He confirmed that this was an ongoing process. Mr Osland confirmed that it had not as yet been formally discussed by the DoFs. The Committee agreed that due to timing issues this would probably have to be approved out of committee. 05/16/09 RISK MANAGEMENT ISSUES 9.1 IG and IM&T Risk Register WBS Mr Morris presented the Risk Register for WBS noting that risk processes were under review across the Trust. He confirmed that all risk are being entered into DATIX and that one of the key risks had related to the AWBS implementation, however with the successful golive this risk would be closed through the appropriate governance process. This was NOTED by the Committee VCC Mrs Stockdale presented the Risk Register for VCC commenting that the risks had recently been reviewed and reworded in some areas, although this work is ongoing. This was NOTED by the Committee. 05/16/10 CAPITAL PROGRAMME/BUSINESS CASES 10.1 Capital Plan Update Ms Davies presented the report to the Committee. This was NOTED by the Committee. 05/16/11 POLICIES AND STRATEGIES 11.1 National Policies Implementation (Internet, and Social Media) Mrs Stockdale confirmed that the policies had now all been published. This was NOTED by the Committee. 05/16/12 ANY OTHER BUSINESS 05/16/13 DATE AND TIME OF NEXT MEETING 5 th September 1.00pm Meeting room 1, Trust HQ. Page 8 of 8

12 VELINDRE NHS TRUST UPDATE OF ACTION POINTS FROM IG and IMT&T COMMITTEE MEETING HELD ON 9 May 2016 MINUTE ACTION NUMBER Outstanding Actions from 17 April 2015 meeting 4/15/07 AUDIT 7.2 WAO: Radiology Service Private Patients The final report is awaited and will be made available to the Committee. July 2016 Update; Report has been sent directly to the Velindre NHS Trust Audit Committee by the Wales Audit Office. Outstanding Actions from 18 June 2015 meeting 06/15/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK Velindre Cancer Centre There was discussion around the development of a benefits register which would capture all the benefits and then be used to monitor and report on their realisation. July 2016 Update: SM requested to provide a presentation on Benefits Realisation. September 2016 Update: Following discussion at August 2016 management group it was agreed that Benefits mapping should be Ongoing Update to be provided in meeting Ongoing Update to be provided in meeting (Ref. Consistent approach across NS SM 1

13 performed consistently across the Trust for all programmes not just IM&T. Recommend action to be closed and new agenda item to be created for SM to update committee on progress re: Trust Benefits mapping. Trust) Actions from 25 August 2015 meeting 08/15/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 6.1 Delivering Excellence Our 3 year plan (IMTP) Progress Report for 2015/16 Although it was agreed this was a much more efficient mechanism for reporting there were still some readability issues regarding the format that require further work. Mr Ham agreed to meet with Jackie Davies and Gary Bullock regarding the Welsh Care Records. March 2016 update: Liz Waites, Ruth Chapman and David Davies attended the planning meeting in February when NWIS presented their programme of work, but it wasn t Trust specific so although discussion was had, no agreement was reached with regards to plans etc. Ongoing - Update to be provided in meeting SH/JD (SM) 6.2 Clinical Coding Performance Update The committee requested whether it could be highlighted that VCC s activity differs to other Health Boards which affects its ability to achieve the targets. July 2016 update: Audit reports include references to the complexity specific to Cancer Centre. This is recognised by the NHS Wales Complete AMS 2

14 Informatics Service Classifications Team. Minutes from 24 November /15/03 GOVERNANCE AGREEMENTS 3.2 IG Incident Report: VCC Data Security Breach Final Report A paper outlining the benefits of clear mail will be presented at the next Management Group. July 2016 update: Update required to Chief Executive Velindre NHS Trust 11/15/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 6.1 Delivering Excellence our 3 year plan (IMTP) Progress Report for 2015/ VCC Further discussions required on how to move forward with mobile phone support. NWIS requested to report back with an update. Minutes from 1 February /16/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 7.3 CANISC Technology Refresh and Improvement Programme Mr Bullock requested to speak with Elizabeth Waites to confirm if completion of Citrix work would be February 2016 and report back to Complete Ongoing Update to be provided in meeting (Ref. MobileIron Pilot) Complete AMS DD (SM) GB (SM) 3

15 Committee with an Assessment of Likelihood. It was queried if the Interim SDS UAT was completed by the January 2016 date provided. Ms Davies agreed to check with the relevant personnel and report back to the next meeting. Complete JD (SM) 7.4 Progress Report on CANISC and National Systems Plans Ms Davies to contact Elizabeth Waites to enquire if NWIS had an appropriate person to temporarily backfill the recently departed Project Manager. 02/16/08 NATIONAL ISSUES 8.1 Cyber Security The Director of ICT at NWIS to be asked to take overall leadership across Wales so that there were no gaps and report back to NIMB meeting in March. It was recognised that there is no dedicated security role within the organisation which needs to be addressed outside of the meeting. Minutes from meeting of 9 May /16/03 GOVERNANCE AGREEMENTS 3.1 Information Governance Incident Review (Combined Trust report) Complete Ongoing update to be provided in meeting (Ref. Role reviews) JD (SM) SM 4

16 In accurate or no discharge summaries produced following an inpatient stay, the recording of these in DATIX is as a result of an ongoing data quality exercise. Reporting of incidents at too high a level and should include enough detail to enable an informed discussion. The Committee requested an amended report to be developed for the next meeting (to include DATIX reference numbers). Complete Complete AMS (NS) AMS (NS) The Committee would like to see the recurrent trend of incidents with more detail provided in the form sub categories in order that areas of activity which are problematic can be pinpointed. Mr Morris was asked to look into how any risks associated with these IG incidents are reported, accepted and approved at Divisional level. Complete Agenda item Ongoing Update to be provided in meeting SM SM 3.2 VCC Clinical Correspondence Incident A report to be brought back to Committee detailing the outcome of the internal investigations and the corrective measures to be put in place. Due to the sensitivities and detail contained within the report, it was agreed to redact the report from publication on the website and provide a report to the Trust Board Part B meeting on 26 th May July 2016 update: Report submitted to the Trust Board. Complete Agenda item 3.4 Complete AMS(NS) JR 5

17 3.3 Patient Registration RCA Report The Executive Summary to be further summarised for future reports Complete AMS 3.4 ICO IG Training Review Action Plan Update Training Programme (Head of IM&T) the committee requested that the comments be reviewed to reflect progress against the objective. Monitoring and Reporting of DP Training Provision (Education and Development Manager) re monitoring of staff compliance with M&S training it would be helpful to understand specific actions which have been undertaken to support the status of the objective. The Committee reiterated that the Staff Induction Programme IG Training should include examples of incidents/near misses specific to the Trust. Action: Action plan to be updated and submitted to the IG&IM&T Management Group and Committee Complete Agenda item 3.3 AMS 3.5 National Intelligent Integrated Auditing Solution (NIIAS) The committee discussed the approach and a further information requested to provide more background and information on the approach and implementation of this new system. July 2016 update: Report to be produced and included on future Committee Agenda. Ongoing Update to be provided in meeting AMS (NS) 6

18 05/16/05 AUDIT 5.2 Clinical Coding Activity Report The Committee asked that an impact paper on the new coding target be developed and discussed, initially, at the Management Group but also then escalated to the Committee as necessary. July update: Impact assessment of the new completion target for clinical coding to be undertaken December This will provide a clear six month period to enable meaningful analysis. Complete AMS 5.3 Clinical Coding Internal Audit The Chair to send out a note of thanks from the IG&IM&T Committee to all the coders for achieving such a favourable audit report. 05/16/06 PERFORMANCE/KPI S/ASSURANCE FRAMEWORK 6.1 Delivering Excellence our 3 year plan (IMTP) Progress Report for 2015/16 Clinical coding to be green and not amber. Mrs Stockdale to review and implement the changes. The NWIS representative (David Davies) to feed back the concerns of the Committee to the NWIS Directors regarding the continued delays in the implementation of the Welsh Clinical Portal. Complete Complete Ongoing Update to be provided in meeting HL AMS DD(NWIS) 7

19 It was noted that in some cases there are multiple objectives which are actually part of one solution, and the Committee asked Mrs Stockdale to review this and incorporate these into one objective and put through IMTP change control process. July 2016 update: Change control underway. 05/16/07 PROJECT UPDATES/PROGRAMMES OF WORK VCC It was noted that in some cases the implementation target dates and associated RAG status were not updated, with some dates having passed but the projects remain outstanding. The committee requested that this be resolved by the next committee. Ongoing Update to be provided in meeting Complete AMS (SM) AMS 7.3 CANISC Technology Refresh and Improvement Programme There had been no representative from NWIS at the recent Business Case meeting and Mr Davies was requested to speak with his NWIS colleagues to agree who should attend from NWIS and write back to Steve Ham, Jackie Davies and cc Harry Ludgate. Mr Davies also agreed to speak to Elizabeth Waites to ascertain how best to feedback to this Committee in future. Complete Ongoing Update to be provided in meeting DD(NWIS) DD(NWIS) 8

20 IG & IM&T COMMITTEE Welsh Government Capital Funding Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Stuart Morris, Deputy Associate Director of Informatics Mark Osland, Executive Director of Finance & Informatics Stuart Morris, Deputy Associate Director of Informatics IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: None This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Effective Care Standard 3.4 Information Governance & Communications Technology

21 1. Introduction / Background This paper is informs the IG & IM&T Committee of the funding award from Welsh Government and how this money will be allocated across the Divisions. Velindre NHS Trust have been awarded 789, to be spent on IM&T services during 2016/ Timing: The funding was allocated at the end of June Welsh Government do not require monthly updates against spend, however the Velindre Capital Planning Group will monitor progress. Welsh Government have been clear that it is expected that this capital will be spent by the end of financial year 2016/ Description: Velindre NHS Trust submitted a request to Welsh Government for capital funding to support urgent work that was required during 2016/2017 under the general umbrella of the following: Description Infrastructure replacement programme - reducing cyber security threat and system failure by removing End of Life hardware and software Mobility & Networks - Improving access by adding connectivity infrastructure and client devices - 300, , Meeting rooms, Printer Service, Telephony & corporate services standardisation 143, PCs, laptops & licenses rolling replacements programme 196, Following discussion between the technical teams in Welsh Blood Service and Velindre Cancer Centre, the capital will be allocated as attached identified in Appendix 1. This allocates 751, leaving unallocated. The allocation was performed based on the following: Each item was scored with a Priority (1-4) identifying criticality (1 High, 4 Low) Service capacity and capability to deliver within the financial window An appropriate split between the Divisions based on current service provision / service need Appendix 2 outlines those schemes that need to be funded should additional capital become available. This figure totals 628, Page 2

22 Discussions have taken place with the procurement team and the procurement exercise is planned to commence in September The majority of the purchases will be from preapproved frameworks. 4. Financial Impact: None All Capital will spent by end of financial year 2016/ Quality, Equality, Safety and Patient Experience Impact: All programmes of work are delivered within alignment of Velindre NHS Trust management procedures 6. Considerations for Board / Committee: The Committee are asked to note the contents of this report. 7. Next Steps: Ongoing monitoring of progress against delivery. Page 3

23 Appendix 1 Capital allocation Area Item Qty Cost Total Ex VAT Total Inc VAT Comments Networks (VCC) Networks (VCC) Networks (VCC) Networks (WBS) Networks (WBS) Network Access Switches (Cisco 3850-X Switch Bundle) Network Firewalls (Cisco ASA 5555-X with FirePOWER Services) Security Enhancements (Cisco Integrated Security Engine) Network Access Switches (Cisco 3850 Switch Bundle) Network Storage Switches (Dell Networking N4032F Bundle) 6 7,150 42,900 51,480 Switches needed to complete the network and DR refresh 2 16,000 32,000 38,400 Increased capacity to support new core network speeds and improved detection of cyber-threats 1 25,000 25,000 30,000 Improved overall security and manageability of network, and new detection and containment of Cyber-threats 119, ,150 21,450 25,740 Outstanding network switches to complete the requirements for the 3-year Infrastructure Upgrade project 2 6,000 12,000 14,400 Additional storage switches to increase resilience at TG which support the storage requirements of the Virtualisation Host Servers Networks (WBS) Network Firewalls - Talbot Green Core (Cisco ASA 5555-X with FirePOWER Services) 2 16,000 32,000 38,400 Replacement for Core Firewalls at TG (End-of-Life). Increased capacity to support new core network speeds and improved detection of cyber-threats Networks (WBS) Network Firewalls - PSBA Internet and Dafen (Cisco ASA 5508-X with FirePOWER Services) 3 1,600 4,800 5,760 Replacement of Firewall at Dafen site (x1). Increased capacity to support new PSBA transformation network speeds and improved detection of cyber-threats. New Firewalls to support PSBA Internet services at TG (x2). Protect network and telephone services from cyber-threats (supports SIP Installation, listed below) Networks (WBS) Network Patch Cabling 2 12,000 24,000 28,800 Modernisation of all network patch panel cabling in both Comms Rooms at TG Networks (WBS) Live Connectivity Pilot (Teams) 1 20,000 20,000 24,000 Technical pilot to determine the feasibility of providing Satellite/Mobile broadband to Collection Teams while mobile working. Duration 6-12 months 137,100 Servers (VCC) Replacement SANs 2 22,500 45,000 54,000 To support the replacement of end of life server storage Servers (VCC) Replacement VM hosts 4 12,000 48,000 57,600 To support the replacement of end of life servers 111,600 Servers (WBS) Hyper-V Host Servers 2 8,000 16,000 19,200 Replacement of existing Hyper-V Server Cluster used to host virtual machines that support a variety of critical services Servers (WBS) Hyper-V Host Servers 2 8,000 16,000 19,200 New Hyper-V Server Cluster used to host new virtual machines (for example, LIMS, BECS Semester Patch) 38,400

24 Area Item Qty Cost Total Ex VAT Total Inc VAT Comments New Server Room (VCC) UPS 2 12,000 24,000 28,800 Dual resilient UPS design to support 6x full height fully populated server racks New Server Room (VCC) Network Access Switches (Cisco 3850-X Switch Bundle) 6 7,150 42,900 51,480 1x Switch per (fully populated full height) rack New Server Room (VCC) PDU ,400 17,280 2x PDU's per rack to supply dual power feeds to equipment New Server Room (VCC) Racks 12 1,500 18,000 21,600 Standard Server Racks New Server Room (VCC) Cabling (Fibre & Copper) 1 25,000 25,000 30,000 Fibre interconnects between existing server rooms / network rooms. Copper Cat6 between server cabinets 149,160 Facilities (VCC) Facilities (WBS) Facilities (WBS) Facilities (WBS) Conference Room: MDT Meeting Room Refresh (with VC) TG Lecture Room Upgrade (with VC) TG Conference Room Upgrade (with VC) TG Clinical Services Room Upgrade (with VC) 1 40,000 40,000 48,000 To support the replacement of average 7 year old video conferencing equipment, for MDT 48, ,000 20,000 24,000 Modernise the audio and visual services within this meeting room at TG. Add VC facilities 1 12,500 12,500 15,000 Modernise the audio and visual services within this meeting room at TG. Upgrade VC facilities 1 12,500 12,500 15,000 Modernise the audio and visual services within this meeting room at TG. Add VC facilities 54,000 Telecoms (WBS) SIP Installation and Equipment 2 8,000 16,000 19,200 Modernisation of Telephone Services at TG which will support the additional requirements for the Donor Contact Centre. Will provide significant cost savings in call charges. Supported by 2 Network Firewalls included in the overall list. 19,200 Desktops (WBS) Standard Laptop (Teams - Appointments) ,250 3,900 New laptops to support a Donor Appointment System within Donation Clinics run by the South and West Collection Teams (North Wales teams already have this system as part of the All Wales Blood Service programme) Desktops (WBS) Standard Laptop (Teams - General) ,250 19,500 Replacement of ageing Laptops used by the Collection Teams Desktops (WBS) SAHH Tablets (Teams) ,500 3,000 Additional Tablet devices used to complete the Donor Health Questionnaire within Donation Clinics 26,400 Managed Printers (VCC) Managed Printers - Small Size 25 1,600 40,000 48,000 Clinicians Printers to support WCP design 48,000

25 Appendix 2 Schemes requiring funding Area Item Qty Cost Total Ex VAT Total Inc VAT Comments Servers (Offsite DR) (VCC) VM Servers (DR) 2 12,000 24,000 28,800 Virtual Servers to support offsite DR of essential services Servers (Offsite DR) (VCC) SANs (DR) 1 22,500 22,500 27,000 Server storage to support offsite DR of essential services Servers (VCC) SANs 4 22,500 90, ,000 To support local service growth, satellite site modelling, and radiotherapy virtualisation 55,800 Servers (VCC) VM hosts 6 12,000 72,000 86,400 To support local service growth, satellite site modelling, and radiotherapy virtualisation 194,400 Desktops (WBS) Enhanced Lightweight Laptop and Dock ,000 28,800 Replacement of ageing Laptops 28,800 Desktops (VCC) Standard Desktop PC (including monitor) ,000 57,600 Replacement of ageing Desktop PCs and Monitors Desktops (VCC) Enhanced Lightweight Laptop and Dock ,600 78,720 Replacement of ageing Laptops 136,320 Facilities (VCC) Blue Room: MDT Meeting Room Refresh (with VC) 1 15,000 15,000 18,000 To support the replacement of average 7 year old video conferencing equipment, for MDT Facilities (VCC) Green Room: MDT Meeting Room Refresh (with VC) 1 20,000 20,000 24,000 To support the replacement of average 7 year old video conferencing equipment, for MDT Facilities (VCC) RT Room: MDT Meeting Room Refresh (with VC) 1 15,000 15,000 18,000 To support the replacement of average 7 year old video conferencing equipment, for MDT 60,000 Facilities (WBS) TG Clinical Services Room Upgrade (with VC) 1 12,500 12,500 15,000 Modernise the audio and visual services within this meeting room at TG. Add VC facilities 15,000 Licenses Microsoft Visio ,000 7,200 Licenses Tableau Desktop Professional 2 2,000 4,000 4,800 As with the Office licence upgrade completed over the last 2 years, upgrade Visio licences to supported versions (post Oct-2017) to reduce risk of cyber-threats Design and develop dashboards for Information and Managements Reports. Future stages would require additional licenses to support server host and further users 12,000 Managed Printers Managed Printers - Medium Size 15 7, , ,000 To support the replacement of around 60 mixed device printers which are average 8 year old, and the implementation of 'follow me' secure printing 126,000

26 IG & IM&T COMMITTEE IG & IM&T Committee Work Plan (Cycle of Business) Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Stuart Morris, Deputy Associate Director of Informatics Mark Osland, Executive Director of Finance & Informatics Stuart Morris, Deputy Associate Director of Informatics IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: None This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Effective Care Standard 3.4 Information Governance & Communications Technology

27 1. Introduction / Background This paper is to outline the IG & IM&T Work Plan for the next 12 months. 2. Timing: Work Plan contents are to be reviewed annually. 3. Description: Within the Velindre NHS Trust Governance structure, each Committee must have a published work plan. Reference Appendix Financial Impact: N/A 5. Quality, Equality, Safety and Patient Experience Impact: N/A 6. Considerations for Board / Committee: The Committee are asked to note the contents of this report. 7. Next Steps: Ongoing monitoring of progress against delivery. Page 2

28 Information Governance & Information Management & Technology Committee Work Plan Item Frequency September 2016 November 2016 February 2017 May 2017 Governance Development Policy Development and Review All regular meetings Review of Caldicott Audits Annually n/a n/a n/a Healthcare Standards Review Annually n/a n/a n/a Review of IG Incidents & Trends All regular meetings Freedom of Information Requests (?) All regular meetings Audit Action Plan Updates All regular meetings Strategy Development and Implementation Review of Road Map/Strategy Annually n/a n/a n/a Committee Development Approval of Annual Plan Annually n/a n/a n/a Review Terms of Reference Annually n/a n/a n/a Receipt of Annual Report Annually n/a n/a n/a Performance/KPIs/Assurance Risk Register Update (?) All regular meetings Progress on Delivery of all Programmes / Projects All regular meetings National Issues Review of Strategic Outline Programme(s) All regular meetings

29 IG & IM&T COMMITTEE Corruption of Radiology Images Closure Report Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Ann Marie Stockdale, Head of IM&T Mark Osland, Director of Finance & informatics Ann Marie Stockdale, Head of IM&T IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: The Group are requested to NOTE the content of this report This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.4 Information Governance and Communications Technology Standard 3.5 Record Keeping

30 2 Corruption of Radiology Images Closure Report 1. Introduction / Background Velindre Cancer Centre received notification in August 2014 of an incident whereby it had been identified due to an air conditioning unit failure within a server room back in March 2014 a large number of Radiology images/studies were no longer readily available within patient records. This air conditioning unit failure resulted in an increase in heat within the server room over an extended period of time leading to the corruption of several hard disks held for the General Electric (Medical Services) PACS (Picture Archive and Communication System) system used within VCC at the time. The prolonged increase in temperature caused permanent damage to the discs (double disc failure) leading to the image corruption of a total of 5658 studies, relating to 3444 patients. 2. Timing: On the weekend of the 29 th March 2014 the air conditioning unit located in the GE PACs Archive Room, Radiology Department, Velindre Cancer Centre, failed. The incident affected radiology studies dating back to 2003 and up to 2013 calendar years 3. Description: For the purposes of providing the Management Group with a closure report in relation to the GE PACS system failure incident. 4. Financial Impact: No financial considerations 5. Quality, Equality, Safety and Patient Experience Impact: No patients were harmed as a result of the images not being available with there being minimal impact from a clinical perspective. 6. Considerations for Board / Committee: Once the incident had been identified as significant, due to the number of radiology images involved, an immediate investigation was undertaken. The scope of the investigation covered the period from the 29 th March th September 2014, which included the incident through to all parties being aware of the incident. To ensure a detailed investigation was undertaken a VCC Task and Finish Group was established to act as a forum to discuss, evaluate and investigate the corruption of identified radiology images and any impact this may have had both to the patient and the service. A timeline was established using meeting notes, minutes, activity logs as well as s supplied by the individuals involved. A range of individuals were interviewed to expand on knowledge and provide background information for the investigation. The attached report further highlights the work undertaken in the recovery, where possible, of images/studies off modalities held within VCC and the rationale and impact of this incident from a clinical perspective. After a comprehensive review it has been established that no patients are known to have received inappropriate treatment or been harmed as a direct result of this incident. 7. Next Steps: Assessment of any of the remaining report recommendations as a means to ensure appropriate steps have been undertaken to prevent a recurrence of this incident. Page 2

31 3 Corruption of Radiology Images Closure Report Report on the General Electric (Medical Services) PACS (Picture Archive and Communication System) Failure Incident: Image corruption of a total of 5658 studies, relating to 3444 patients as a result of a failure of an air conditioning unit located in the GE PACs Archive Room, VCC Report Author: Neil Stevens, Information Governance Manager - VCC Date of Report: January 2016 Summary On the weekend of the 29 th March 2014 the air conditioning unit located in the GE PACs Archive Room, Radiology Department, VCC, failed. The temperature in the room became uncontrolled, causing a significant increase in heat. The increased heat over an extended period of time caused catastrophic damage to the discs (double disc failure) leading to the image corruption of a total of 5658 studies, relating to 3444 patients. As a result direct comparative assessment was not possible for some patients. The identified corrupted studies were from investigations undertaken at VCC equating to 2883 (i.e. originals ) and those imported from other Health Boards (i.e. copies equating to 2775 studies). The investigation and subsequent Root Cause Analysis that has been undertaken has identified that of the total number of studies affected a proportion of these were still seen as being available and could subsequently be migrated back into the patients records as a result of them being retrievable from other hospital/health Board sources. Subsequent work also further identified that all the radiology reports were unaffected and still remained within the patient record. An important finding as it was recognised and confirmed that these were the reports that would be subsequently derived and signed off by the VCC Radiology staff and used by Clinicians in the continued treatment of VCC patients. Therefore no patients were and/or would have been harmed as a result of these images not being available with there being minimal impact from a clinical perspective. The report concludes and sets out a number of recommendations as a means to not only prevent a recurrence, but also promote compliance with good recommended Records Management practices and provisions placed upon VCC by legislations such as the Data Protection Act Introduction This report focuses on the findings, recommendations and subsequent steps that have been undertaken since the incident first being reported, and should be read in conjunction with the Root Cause Analysis (RCA) report prepared by the Head of IM&T. The RCA report goes beyond the scope of this report, and describes the cause/s that contributed to the corruption of radiology images stored on the General Electric (Medical Services) Picture Archive Communication System (herein after known as GE PACS) at Velindre Cancer Centre (VCC). Page 3

32 4 Corruption of Radiology Images Closure Report In addition the RCA report identifies; what, how and why this event occurred and any subsequent actions that are required to be undertaken to ensure the organisation mitigates the risk of any recurrence and addresses any perceived gaps in the safe and secure processing of sensitive information within the organisation. Incident Event On the weekend of the 29 th March 2014 the air conditioning unit located in the GE PACs Archive Room, Radiology Department, VCC, failed. The temperature in the room became uncontrolled, causing a significant increase in heat. The increased heat over an extended period of time caused catastrophic damage to the discs (double disc failure) leading to the image corruption of a total of 5658 studies, relating to 3444 patients. As a result direct comparative assessment was not possible for some patients. The identified corrupted studies were from investigations undertaken at VCC equating to 2883 (i.e. originals ) and those imported from other Health Boards (i.e. copies equating to 2775 studies). The incident affected radiology studies dating back to 2003 and up to 2013 calendar years. Investigative Team and Method Once the incident had been identified as significant, due to the number of radiology images involved, the Director of Cancer Services requested an immediate investigation be undertaken. The scope of the investigation covered the period from the 29 th March th September 2014, which includes the incident through to all parties being aware of the impact of said incident. To ensure a detailed investigation was undertaken a VCC Task and Finish Group was established to act as a forum to discuss, evaluate and investigate the corruption of identified radiology images and any impact this may have had both to the patient and the service. The Task and Finish Group was chaired by the VCC Head of IM&T with membership compromising of a number of Trust personnel: Consultant in Clinical Oncology IM&T Principal Project Manager Assistant Director of Nursing/Service Improvement Radiologist Information Governance Manager Radiology RIS/PACS Representative Senior Radiographer Representative IM&T Project Officer A timeline was established using meeting notes, minutes, activity logs as well as s supplied by the individuals involved. A range of individuals were interviewed to expand on knowledge and provide background information for the investigation. Background GE PACs is the legacy system used within the Radiology Department at VCC. In simplistic terms Picture Archive Computer System (PACS) enables x-ray and scan images to be Page 4

33 5 Corruption of Radiology Images Closure Report collected, stored electronically and viewed on screens. It distributes imaging to locations both on and off site and can send imaging to other hospitals and receive from the same. GE Centricity PACS was implemented at VCC on the 4 th July It has had a number of upgrades since this time, both hardware and software, until its recent replacement by Fuji PACS, September It was during this migration and subsequent failure of data to migrate properly that allowed the organisation to identify and quantify the amount of damage and corrupted data that had been incurred: - Some studies had corrupted data so images could not be displayed Some studies were completely lost or their registry location was damaged and so could not be retrieved. Some studies had fewer images than the registry said there should be Corrupted Radiology Images In August 2014, GE HealthCare submitted a report to the VCC Radiology Department detailing the extent of the image corruption. The report provided patient and study level information. The initial position was detailed as below by study type: Radiology Studies VCC Other Health Board In total it was being reported there were 5658 images/studies affected that related to 3444 patients. Time Line Date Event Air conditioning unit failed. The unit was described as frozen, with ice in the room. Escalation to the Estates Department. Engineer came on site, unit fixed CT engineer attends site; accesses the PACs room to obtain parts stored in this area. The engineer notes temperature in the room is at 35 - Head of Radiology contacted Page 5

34 6 Corruption of Radiology Images Closure Report - Head of Radiology attends site. On-call estates engineer contacted. Trust wide portable air conditioning unit put in place The PACs room temperature was still in the 20's GE PACs shuts down - Portable air conditioning unit remains in place Air conditioning unit located in the GE PACs Archive Room, Radiology Department, Velindre Cancer Centre, fails Funding request made to Director of Cancer Services for replacement air conditioning unit Replacement portable air conditioning unit (more powerful to manage room temperature) put in place Room temperature brought under control (onwards) - Unable to bring mammogram, CT, MRI images back on line (random images) - IT department provided remote UPS and temperature monitoring for the PACs room Invoice for replacement air conditioning unit received Consultant Radiologist s Superintendent Radiographer (Radiology) advising of two PACs problems - PACs failed again (new issue) GE HealthCare provided a diagnosis of disc corruption August 2014 September 2014 Report detailing corrupted images provided by GE HealthCare to the Radiology Department Investigation requested by the Director of Cancer Services Discussion, Requirements and Actions Since the receipt and notification of this incident the Task & Finish Group have convened at regular intervals to discuss, investigate and assess the impact of this incident. The Group set out the scale and scope of the incident and also noted during the inaugural meeting that due to the nature of the incident this had also been reported into Welsh Government. The Group began by highlighting and summarising the impact of this incident and indentified through the investigation that of the total number of studies affected a proportion of these were still seen as being available and could subsequently be migrated back into the patients records as a result of them being retrievable from other hospital/health Board sources. Please note: Retrieval of Other Hospital images was not made as these are available at the primary source and can be requested as and when required. For the purposes of this report efforts in image retrieval therefore concentrated on and as agreed by the Group to just those VCC owned studies; that were subsequently further broken down and identified as going as far back as 2003: = 1539 studies 2012 = 373 studies 2011 = 178 studies 2007 = 1 study 2006 = 2 studies 2005 = 1 study Page 6

35 7 Corruption of Radiology Images Closure Report 2003 = 1 study Whilst the largest proportion of the images affected related to those studies between the years of ; the investigation identified that all the radiology reports in relation to the 5658 studies were all still present and available within the patient s records. This was an important finding as the Group concluded that whilst it was not possible for a direct comparative assessment to be undertaken for some patients. The radiology reports were seen as the primary record as opposed to the patient studies. Even more so as it was recognised and confirmed that these were the reports that would be subsequently derived and signed off by the VCC Radiology staff and used by Clinicians in the continued treatment of VCC patients. As such the Group are happy to confirm that no patients were and/or would have been harmed as a result of these images not being available with there being minimal impact from a clinical perspective. Despite this recognition work still progressed and as per the Groups request to explore all retrievable options and expectations from both a legal and records management requirement; that included: - Assessing the feasibility and associated costs of image retrievable from the damaged and corrupted hard discs Liaising with key stakeholders to identify current patient status and identification of associated patient key professional Obtaining of legal advice to ensure and promote compliance with not only good recommended Records Management practices, but also provisions placed upon VCC by legislations such as the Data Protection Act 1998 Investigating and assessing the potential for retrieval of data from locally held VCC modalities All these options have subsequently been explored and work completed to establish necessary considerations moving forward. For the purposes of assessing the feasibility of the recovery of images from the corrupted discs; discussions have been held with GE and it being confirmed: - To attempt any recovery and any appropriate feasibility work the live system in its entirety would have to be externally sent for examination Any work may come at a significant cost to the organisation and it is highly likely the data would be not be retrievable due to the damage caused to the discs Furthermore legal advice has been obtained and based on the mitigation and existence of the radiology reports it be reasonable not to contact each patient - unless there is clear evidence of likely patient harm. Instead it is seen to be more practicable to place an electronic flag on the affected patients notes so that there is no uncertainty around the absence of the x-rays. In addition work taken forward by VCC departments to examine locally held modalities sourcing and looking for any missing studies. This work proved to be a success in some areas and did result in the retrieval of a number of images; in particular a full retrievable of all studies was possible within Nuclear Medicine. The high level final position is detailed in the Chart below:- Page 7

36 8 Corruption of Radiology Images Closure Report Total Other Hospital Images VCC Images VCC Images Retrieved VCC Images Not retrieved Subsequent work was then undertaken within the VCC Radiology Department and specifically in relation to those images that could not be reconciled to further identify the patient status and any potential risk and/or harm of those images not being available within the patient s record. This involved the opening of the patient record in Radis (Radiology Information Systems) and checking the life status of the patient, the nature of the examination (see note1 1 ) then previous and subsequent examinations cross referenced. Where no such studies existed the patients record was opened in Fuji synapse PACS and other hospital studies were checked. Wherever doubt was felt about a study; the study was classed as at risk. Rationale for defining at risk The compromised studies were kept as at risk if they failed to meet any of the following criterions 1. Patient was still alive 2. The examination compromised was one, where a comparative assessment might be made. (See note 1) 3. A subsequent examination could be compared to a complete earlier study. (See note2 2 ) 4. A subsequent examination could be compared to a complete later study. 5. A subsequent examination could be compared to a study from another site held on Fuji Synapse PACs and therefore available for comparison. (See note3 3 ) Note 1 Position of a line (PICC, Hickman, NG Tube etc) would not be compared, as where it was is not important, where it is now is the important part. Doppler ultrasounds where no thrombus was found. CT pulmonary Angiogram where no thrombus was found and no other related chest pathology was commented on. CT or US guided Biopsy examinations. These are all here and now examinations and after the event the images are effectively no longer valid. Where CT and MRI of the same region existed the study compromised had a similar modality to compare it to eg CT for CT and MR for MR. It is not sensible to rely on cross modality comparisons Note 2 Radiologists have reported a subsequent examination so any future exam has a study to compare to. Likewise a study prior to the compromised study can be used for a comparative assessment. Page 8

37 9 Corruption of Radiology Images Closure Report 6. The compromised study was one from another site and ours was just a copy This exercise gave a final list of 191 studies seen to be at risk. From these 191 studies it was identified 55 were available on other hospital systems. The identified studies are either our compromised study but an uncompromised copy, or a subsequent or previous other hospital study, being retrieved. The number at risk is now 144 Conclusion The Task & Finish Group concludes that whilst the 144 studies pose a risk to Velindre NHS Trust. This is limited to being a reputational risk and one that has the potential to cause embarrassment to the Radiology department and the Trust. It is not a clinical risk as by not having these studies available within the patient records does not impact with their ongoing care and treatment. As comparison and reports of disease progression or remission can still be made, as all written radiology reports that VCC Radiology staff sign off and Clinicians use in the continued treatment of patients still exist. In addition and based on legal advice and that all written radiology reports still exist patients can be reassured that even though images have been compromised the radiology reports that still remain would be the primary information used to inform and assist in comparative assessments on any subsequent examinations. There is no harm or likely evidence that harm would be caused to any patient as a result of this incident therefore the Group is of the view that patients affected are not contacted as this could cause unnecessary distress and alarm. Furthermore there still remains the possibility to forensically examine the damaged and corrupted discs as a means to explore and retrieve any images that may still exist. Whilst considered the expense in doing may be considerable and does not offer any guarantees that data can and/or will be retrieved. The Group is of the view that such work requires further scrutiny and assessment whilst taking account of the work undertaken and findings of the investigation; that include: - Studies that have already been successfully retrieved from local modalities, other archives and other sites The engagement and collaborative working that has already taken place and that no more data can be retrieved from the old GE PACS system The expense per disk has the potential to be considerable and may achieve very little Any information potentially recovered may still not relate to those 144 studies that are seen to pose a risk Comparative assessments on any subsequent examinations is still possible as all written radiology reports are unaffected and remain within the patient record After a comprehensive review into this incident it has been established and can be confirmed that no patients are known to have received inappropriate treatment or been harmed as a direct result of this incident. Note 3 Some patients have had imaging from other sites imported into Fuji synapse PACS. Either for uses as a comparative study or for MDT purposes Page 9

38 10 Corruption of Radiology Images Closure Report Recommendations Based on the findings and subsequent investigation the following recommendations have been determined as a means to not only prevent a recurrence of this incident, but also promote compliance with good recommended Records Management practices and provisions placed upon VCC by legislations such as the Data Protection Act 1998: - Appropriate steps instigated to address any potential uncertainty around the absence of images from within an affected patient record (i.e. electronic flag included within notes) Decommission of the old GE PACS server following the migration work that has now been completed from the GE PACS system to Fuji Synapse PACS END REPORT Page 10

39 IG & IM&T COMMITTEE General Data Protection Regulations Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Neil Stevens, Information Governance Manager Mark Osland, Director of Finance & informatics Stuart Morris, Deputy Associate Director of Informatics IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: The Group are requested to NOTE the content of this report This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.4 Information Governance and Communications Technology Standard 3.5 Record Keeping

40 2 General Data Protection Regulation 1. Introduction / Background After over four years of discussion and as existing European Union (EU) Member States data protection laws were widely seen as being outdated, a new EU data protection framework has been approved. It takes the form of a Regulation the General Data Protection Regulation (GDPR) and will replace the current Directive (i.e. Data Protection Act 1998) and directly apply to all EU Member States without the need for implementing national legislation. On 25 May 2018, the new GDPR will come into effect, bringing with it a raft of changes to current data protection regimes including increased territorial scope, new obligations for processors, enhanced accountability requirements, and the threat of significant fines (up to 4% annual worldwide turnover) for those that get it wrong. 2. Timing: Whilst compliance with the GDPR will not come into force until May 2018 the proposed changes, many of which will take time to prepare for, will have an immediate impact that the Trust will need to consider; in addition to any impact of the UK referendum and the vote to leave the EU. 3. Description: For the purposes of providing the Committee with awareness of the new data protection regulation, its impact and the potential consequences of the recent referendum vote on the enforcement of the GDPR. 4. Financial Impact: The new GDPR establishes a tiered/level of potential fines that can be imposed on organisations for breaches in personal data. The levels of fines are further discussed within this report. 5. Quality, Equality, Safety and Patient Experience Impact: Need for consideration of the impact of the GDPR, and associated changes and/or any changes in future data protection laws in light of any UK requirements to implement equivalent level of protection to personal data. 6. Considerations for Board / Committee: It is recognised the existing UK Data Protection Act (DPA) 1998 schemes goes much further than current EU law requires and the UK was a leader in terms of the originator of the GDPR. Therefore by ensuring the Trusts continued compliance with existing UK DPA legislation would already give effect to many of the GDPR s requirements. Due to continuity between the current UK DPA and the new GDPR around key definitions (i.e. such as personal data, controller, processor, and data subject all being retained) However whilst continuity remains the new GDPR does introduce some further underlying key concepts that the Trust will need to consider and prepare for in light of future changes and how the organisation maintains compliance with appropriate data protection laws. Key points such as: - I. Raise Awareness Key decision makers in the Trust need to know that data protection law is changing and how those changes will affect how the Trust is run. Page 2

41 3 General Data Protection Regulation Key decision makers will therefore need to familiarise themselves with the GDPR and identify areas where the Trust will need to make changes in order to be compliant. II. III. Accountability and Data Governance One of the main features of the GDPR is that compliance alone is not enough; the Trust will also have to demonstrate their compliance and prove that they are taking data protection seriously by implementing a range of accountability measures. These measures include Privacy Impact Assessments, data protection audits, policy reviews, activity records, staff training and the mandatory appointment of a Data Protection Officer. Communicating Data Protection/Privacy Information GDPR will require much more meaningful information to individuals about how we use their data. Under the current DPA, the Trust are already legally required to provide certain minimum information to individuals (including patient) about how their personal data is processed. This is commonly provided through a Fair Processing Notice. Under GDPR, the list of information which has to be provided to individuals will increase significantly: - Here is some of the information that will be expected to be provided: Trust identity and contact details The Purpose of processing their data and the legal basis for the processing of that data. (This later requirement is new and will require significant thought in some cases.) Who you share the personal data with Transfers outside EU and how data is protected Retention period or criteria used to set this Tell individuals all their legal rights e.g. the right to withdraw their consent to their data being used for marketing or for school fundraising Right to complain IV. Legal Grounds for Processing Personal Data GDPR sets out conditions (or Grounds) that must be met for the processing of personal data to be lawful. These grounds broadly replicate those in the current DPA. For example, personal data may be processed with consent or where the processing is necessary for a contract or where the processing is necessary for compliance with a legal obligation. V. Consent The Trust should review how it seeks and records consent for the processing of personal data and consider if any changes are required under the GDPR. Just as with the current DPA, the Trust can still rely on consent as a legal ground to process personal data; however, satisfying the criteria for valid legal consent will be harder under GDPR than under current law. Under GDPR, consent of a data subject means any freely given, specific, informed and unambiguous indication of the data subject s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed. VI. Individuals Rights Page 3

42 4 General Data Protection Regulation The legal rights that individuals have under GDPR are very similar to those they currently enjoy under the DPA. However, there are some significant enhancements and amendments which the Trust should be aware of. The main legal rights under the GDPR include: The right of subject access To have inaccuracies corrected To have information erased (the so called right to be forgotten ) To prevent direct marketing (i.e. where marketing is directed to specific individuals) To prevent automated decision-making and profiling, and Data portability (This is a new enhancement to the right of subject access. In brief the Trust will have to provide requested information electronically and in a commonly used machine readable format) VII. Right of Subject Access As under current data protection law, the GDPR will continue to allow individuals to ask the Trust to give them a copy of their personal data together with other information about how it s being processed by the Trust. (This is known as a Subject Access Request or SAR for short). However, under GDPR the rules for handling SARs will change and the Trust will need to consider updating procedures accordingly and plan for how it will meet the new deadlines and other new requirements. Under GDPR, the main changes are: Now free in most (but not all) cases (used to be 10) Manifestly unfounded or excessive requests can now be charged for or refused Deadline reduced from 40 calendar days to within 1 month. This deadline can be extended in certain cases. Additional information to be supplied e.g. Trust data retention periods and the right to have inaccurate data corrected. If you want to refuse a SAR, you will need to have policies and procedures in place to demonstrate why refusal of a request meets these criteria. VIII. Personal Data Breaches The Trust should adopt internal procedures for detecting, reporting and investigating a personal data breach. The reason for this is that the GDPR introduces mandatory breach notification to the Data Protection Authority (i.e. the ICO) and in some cases also to affected individuals. Only those breaches which are likely to result in an individual suffering damage will need to be reported e.g. breaches that could result in identity theft or where an individual s confidentiality has been breached. However, even though not all breaches will be subject to mandatory notification, there will still be an obligation to have systems in place to detect and investigate all breaches. Where the Trust detects a breach which is subject to the mandatory reporting rules then it must report the breach to the supervisory authority without undue delay and not later than 72 hours after becoming aware of it. This in itself could pose significant challenges given that it can take organisations several hours or even days to identify where the breach took place, which individuals have been affected and the data that has been compromised. Page 4

43 5 General Data Protection Regulation Where a breach has to be reported to affected individuals this will have to be done without undue delay. Non-compliance can lead to administrative fines of up to 10,000,000 or in the case of an undertaking, up to 2% of the total worldwide annual turnover or the preceding financial year, whichever is higher. We ve voted to leave: What now for Information Governance? Whist the above key points are reflective of the steps necessary to ensure compliance with the new regulation come May But will the UK still be an EU Member State in 2018? Will the GDPR apply to UK-based data controllers? Are still answers we don t yet know at the time of writing this report. Nevertheless, there are good reasons to believe that UK organisations will need to comply with the GDPR, or at least something like it, from May Especially given the UK may need to enact legislation giving an equivalent level of protection to personal data in order to continue trade with the EU. With the ICO issuing a short statement on the implications of the referendum that states: - If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to provide adequacy in other words UK data protection standards would have to be equivalent to the EU s General Data protection Regulation framework starting in The Group are requested to NOTE the content of this report. 7. Next Steps: To consider the implications of the GDPR, and the requirements needed to ensure the Trust maintains compliance with existing DPA requirements and moving forward future changes to data protection laws. Page 5

44 1 Clinical Coding Performance Up-Date VELINDRE CANCER CENTRE IG & IM&T COMMITTEE Clinical Coding Performance Update Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Ann Marie Stockdale, Clinical Coding Manager Mark Osland, Executive Director of Finance and IT Ann Marie Stockdale, Head of IM&T IG IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.3 Quality Improvement, Research and Innovation Standard 3.4 Information Governance and Communication Technology Data and information are accurate, valid, reliable, timely, relevant, comprehensible and complete. Standard 3.5 Record Keeping Page 1

45 2 Clinical Coding Performance Up-Date 1. Introduction / Background 1.1 The Clinical Coding Department at Velindre NHS Trust is responsible for the assignment of International Classification of Diseases (ICD) and Office of Population Consensus Survey (OPCS) classification codes to all admitted patient care (APC) activity within the Trust. 2. Timing: 2.2 Clinical Coding performance is measured against the following WG targets: Monthly target of 95% complete within 1 month of episode end; Rolling 12 month target of 98 % complete within 3 months of episode end. Please note, these targets have been changed for data from April 2016 previously completion was required within 3 months. 3. Description: 3.1. The performance of activity against locally assigned classification codes is monitored on a monthly basis. 4. Results: 4.1 The current position for VCC against Welsh Targets is as follows:- Apr- 16 May- 16 Jun- 16 Number of episodes Number of episodes coded within target % within target 96% 96% 98% Target 95% 95% 95% May- 15 to Apr- 16 Jun- 15 to May-- 16 Jul-15 to Jun- 16 Number of episodes Number of episodes coded within target % within target 99% 99% 99% Target 98% 98% 98% The New Welsh Government productivity targets were achieved for April 2016 onwards. July data will be submitted at the end of August. 5. Quality, Equality, Safety and Patient Experience Impact: N/A 6. Considerations for Board / Committee: Page 2

46 3 Clinical Coding Performance Up-Date 6.1. Welsh government Clinical Coding productivity targets have been achieved for April June Two of the trainee clinical coders have passed the clinical coding theory examination but need to re-sit the practical paper to achieve accreditation Workload allocation to the Clinical Coding Trainees has been established and productivity has improved as a result The Clinical coding department is still coping with long term sickness but workload is being managed via the Team Leaders and covered with overtime where necessary The department is currently conducting an audit into the accuracy of data contained in Canisc and Chemocare for day case chemotherapy attendances. This may allow the clinical coders to assign codes from electronic records and streamline future processes Levels of activity are set to increase due to proposed changes in treatments and adoption of new systemic anticancer treatments. A business case has been submitted requesting addition clinical coding resource to support this. 7. Next Steps: 7.1. Establish regular internal training sessions for clinical coders Continue overtime to work towards improving productivity in line with tightened Welsh Government targets. Page 3

47 IG & IM&T COMMITTEE Data Quality Report Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Ann Marie Stockdale, Head of IM&T Mark Osland, Director of Finance & Informatics Ann Marie Stockdale, Head of IM&T IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: The Group are requested to NOTE the content of this report This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.4 Information Governance and Communications Technology Standard 3.5 Record Keeping

48 2 Data Quality Review Report 1. Introduction / Background The quality of data collected in the healthcare environment is one of the most important factors in ensuring the care offered to patients is of the highest standard possible. In line with all Welsh NHS Organisations, Velindre Cancer Centre (VCC) submits a wide range of data to a number of national databases. The data contained within each is used for a variety of purposes. Most importantly, at a national level it is used to support the management and planning of healthcare and patient services. It is also used in the evaluation of NHS performance trends and, in some cases, is a vital source of epidemiological data. 2. Timing: This paper has been written to update the Group on VCC s Data Quality performance against national data standards and local issues throughout 2015/ Description: Data quality standards exist to ensure that nationally submitted data is monitored and improved so it can be used for secondary uses. 4. Financial Impact: There are no financial considerations. 5. Quality, Equality, Safety and Patient Experience Impact: The timeliness, completeness, validity, consistency, precision and accuracy of Health Board/Trust data directly affects the reliability of the information used to support these processes. Poor quality data has a significant impact on how the service is managed and affects the quality of care on offer to patients and their families. 6. Considerations for Board / Committee: In line with the Corporate Health Information Programme (CHIP) recommendations (2008), all Welsh Health Boards and Trusts are mandated to submit monthly patient level datasets from Patient Administration and Accident and Emergency Systems (where applicable) to the NHS Wales Informatics Service (NWIS), to scheduled timetables. The conformance of the content of these datasets is then measured against national data standard targets for compliance. In recent years, VCC has achieved the highest level of quality against these national standards and continued to do so throughout 2015/2016. The attached report provides further details on the levels achieved and the data quality standards that are mandated within NHS Wales. 7. Next Steps: To progress with the identified action plan 2016/17 to further improve data quality within VCC. Page 2

49 3 Data Quality Review Report VELINDRE CANCER CENTRE Review of Data Quality 2015/2016 Document ID DQ001 Department IM&T Type of Document Review Page 3

50 4 Data Quality Review Report Revision History Version Number Revision date Previous revision date July 2016 Initial Draft July 2016 Final Summary of Changes Distribution Group Date Version VCC IM&T Strategy Group 1 st August VCC Quality and Safety Committee September VCC Strategic Management Group 1 St August 2016 Trust IG IM&T Management Group 16 th August Page 4

51 5 Data Quality Review Report TABLE OF CONTENTS 1. Introduction Page 4 2. Background Page 5 3. Mandated Datasets Page Data Quality Standards and Data Validity Page 7 4. Demographic Information Page Local Data Quality Issues Page Action Plan 2016/17 Page 15 Page 5

52 6 Data Quality Review Report 1 Introduction - Data Quality 1.1 Health Information The quality of data collected in the healthcare environment is one of the most important factors in ensuring the care offered to patients is of the highest standard possible. Whether it is the clinical information a consultant or GP writes in a casenote record or the administrative data entered onto a hospital's computer system by a ward clerk, it is essential that the documented information is as accurate as possible. Failure to collect, report and communicate the correct information can, potentially, have a drastic impact on patient care. Furthermore, accurate and timely data on the activity undertaken in the NHS can be pro-actively used to inform and develop the services it has to offer in line with the healthcare needs of the nation. In line with all Welsh NHS Organisations, Velindre Cancer Centre submits a wide range of data to a number of national databases. The data contained within each is used for a variety of purposes. Most importantly, at a national level it is used to support the management and planning of healthcare and patient services. It is also used in the evaluation of NHS performance trends and, in some cases, is a vital source of epidemiological data. 1.2 Data Quality Jigsaw Data quality can be considered as having six dimensions and these dimensions can be visualised as individual pieces of a data quality jigsaw. Only by fitting all six pieces together and completing the jigsaw can a complete picture of the quality of an organisation s data be obtained. Source: NHS Wales Informatics Service Information Standards August 2015 The timeliness, completeness, validity, consistency, precision and accuracy of Health Board/Trust data directly affects the reliability of the information used to support these processes. Poor quality data has a significant impact on how the service is managed and affects the quality of care on offer to patients and their families. In the case of some national Page 6

53 7 Data Quality Review Report data sets, the quality of the data also has a direct impact on the reported Health Board/Trust performance against the nationally-agreed targets issued by Welsh Government. 1.3 The Data Quality Improvement Programme for NHS Wales When the Corporate Health Information Programme (CHIP) was established in 2005, one of its objectives was 'to improve confidence in healthcare information leading to it being actively used to inform service improvement', as detailed in the Data Quality Accountability Framework (20 th September 2006). A number of projects were established, which included but not limited to: Standards: Developing data quality validity and consistency standards for a number of national databases E-Master Patient Index (e-mpi): To address the disparate nature in which demographic information is held in both IT and paper records within the NHS in Wales. This technical solution was viewed as essential to improving patient safety by ensuring the correct identification of patients. During 2010/11, CHIP staff and functions were integrated into the structures of the newly formed NHS Wales Informatics Service (NWIS). The Data Quality Improvement Programme was subsequently taken forward by the Data Quality Team within NWIS, who are continuing with this work. This paper has been written to update the Velindre Cancer Centre Strategic Management Group, IG and IM&T Management Group and the Velindre NHS Trust IG and IM&T Committee on the Cancer Centre s Data Quality performance against national data standards and local issues throughout 2015/ Background Information is used at Velindre Cancer Centre (VCC) to support the management and delivery of healthcare in the form of non-surgical cancer services to the population of South East Wales. The approach to clinical information is centred on Canisc, which was developed with a high level of clinical involvement. Canisc is a national solution under the responsibility of NHS Wales Informatics Service, a hosted organisation of Velindre NHS Trust, and serves as both a patient administration system (PAS) and as an electronic patient record (EPR). Although VCC is the main focus for service delivery, the non-surgical management of cancer patients across South- East Wales is complemented by peripheral outpatient clinics and by outreach chemotherapy clinics. Demand for services delivered by VCC continues to increase on an annually this is reviewed on a regular basis. A governance structure to manage data quality (below) is in place, and includes the Information Governance and IM&T Committee, and the Velindre Cancer Centre Health Records Group, which meets on a regular basis, with representation from all relevant departments. Governance Structure Page 7

54 8 Data Quality Review Report Velindre NHS Trust Board Velindre NHS Trust Executive Management Board Velindre NHS Trust Information Governance and IM&T Committee Velindre NHS Trust Information Governance and IM&T Management Group Velindre Cancer Centre Strategic Management Group Velindre Cancer Centre IM&T Strategy Group Velindre Cancer Centre Health Records Group 3. Mandated Datasets In line with the CHIP recommendations (2008), all Welsh Health Boards and Trusts are mandated to submit monthly patient level datasets from Patient Administration and Accident and Emergency Systems (where applicable) to the NHS Wales Informatics Service (NWIS), to scheduled timetables. The conformance of the content of these datasets is then measured against national data standard targets for compliance. In recent years, Velindre Cancer Centre has achieved the highest level of quality against these national standards and continued to do so throughout 2015/2016. All Admitted Patient Care (APC) episodes, relating to the Velindre Cancer Centre activity, are coded by the Clinical Coding Team in line with Welsh Government Targets. Medicode is the encoding software, produced and supplied by 3M, used by all clinical coders throughout Wales. It allows coders to electronically look up clinical terms and helps them to accurately assign the International Classification of Diseases (ICD) and Office of Population Censuses and Surveys (OPCS) classification codes. It uses the coded data and other administrative data from CANISC such as age, length of stay etc. to calculate a real time Healthcare Resource Group (HRGs). The software is linked to CANISC via an in-house interface, requiring input from the NWIS Hospital Application Team to ensure regular, successful Medicode up-grades. 3.1 Data Quality Standards and Data Validity Page 8

55 9 Data Quality Review Report Data quality standards exist to ensure that nationally submitted data is monitored and improved so it can be used for secondary uses. The following data quality standards are mandated within NHS Wales: Standards Applicable to Velindre Cancer Centre Admitted Patient Care (APC) Data Validity Standards Admitted Patient Care (APC) Data Consistency Standards Outpatient Activity Data Validity Standards Outpatient Activity Data Consistency Standards Outpatient Referrals (OPR) Data Validity Standards Standards Not Applicable to Velindre Cancer Centre Emergency Department Data Set (EDDS) Data Validity Standards Emergency Department Data Set (EDDS) Data Consistency Standards Critical Care Data Validity Standards Critical Care Data Consistency Standards Standard to be issued Outpatient Referrals (OPR) Data Consistency Standards The Tables below indicate the Cancer Centre s annual achievement across these datasets, along with the latest national compliance. Within the tables, ticks indicate the target has been met and where the target has not been met, the actual performance is indicated. In the context of this report, the term data validity refers to whether the submitted data is provided in the agreed format and is populated with a nationally agreed value, as defined in the NHS Wales Data Dictionary. Admitted Patient Care (APC) Data Validity (2015/16) Data Item DATA VALIDITY STANDARD All Welsh Providers Abertawe Bro Morgannwg University LHB APC submission received by the 17th - - Number of Records Loaded Administrative Category 98% Admission Date 98% Admission Method 98% Aneurin Bevan University LHB Betsi Cadwaladr University LHB Cardiff & Vale University LHB Cwm Taf University LHB Hywel Dda University LHB Powys Teaching LHB Velindre NHS Trust Page 9

56 10 Data Quality Review Report Consultant Code 98% 97.5% 93.4% 97.0% 97.6% 94.4% Date of Birth 98% Decision to Admit Date 98% 93.6% Discharge Date 98% Discharge Destination 98% Discharge Method 98% Duration of Elective Wait 98% Episode Start Date 98% Ethnic Group 98% HRG Code 95% Intended Management 98% Last Episode in Spell Indicator 98% Legal Status 98% Local Health Board of Residence 95% Main Specialty (consultant) 98% 66.9% NHS Number 95% NHS Number Status Indicator 95% NHS Number Valid & Traced 95% 93.2% Patient Classification 95% Postcode 98% Principal Diagnosis 95% / Principal Procedure Code 95% 94.7% Principal Procedure Date 95% Referrer Code 98% 97.0% 96.5% 93.6% Registered GP Practice Code 98% Sex 98% Site Code (of Treatment) 98% Source of Admission 98% Specialty of Treatment Code 98% Source: NHS Wales Informatics Service 1 April March 15 Note: Admitted patient care department data set includes 32 separate indicators and a target is given for each indicator. This table shows the extent to which the organisations have achieve these targets for the period 1 st April 2015 to 31 st March Admitted Patient Care Data Consistency (2015/2016) Data Consistency Check DATA CONSISTENCY STANDARD All Welsh Providers Abertawe Bro Morgannwg University LHB Aneurin Bevan University LHB Betsi Cadwaladr University LHB Cardiff & Vale University LHB Cwm Taf University LHB Hywel Dda University LHB Powys Teaching LHB Velindre NHS Trust Admission Date vs. Date of Birth 98% Admission Method vs. Duration of Elective 98% Wait* 93.0% Admission Method vs. Intended 98% Management 97.4% Admission Method vs. Patient Classification 95% Admission Method vs. Source of Admission* 98% 93.2% 96.7% Discharge Method vs. Discharge Date & 98% Date of Birth [i.e. Age]* 0.0% n/a n/a 0.0% n/a n/a n/a n/a n/a Discharge Method vs. Discharge 98% Destination* Discharge Method vs. Specialty (of 98% Treatment)* 41.2% 4.8% n/a n/a n/a n/a Episode End Date vs. Admission Date 98% Page 10

57 11 Data Quality Review Report Episode End Date vs. Discharge Date 98% Episode End Date vs. Date of Birth 98% Episode End Date vs. Episode Start Date 98% Episode Start Date vs. Admission Date 98% Episode Start Date vs. Discharge Date 98% Episode Start Date vs. Date of Birth 98% HRG Code vs. Sex * 95% n/a n/a n/a n/a n/a n/a n/a n/a n/a Last Episode in Spell vs. Episode End Date 98% & Discharge Date* Legal Status vs. Specialty (of Treatment)*** 98% 93.1% 67.7% 95.8% n/a Patient Classification vs. Discharge Date & 95% Admission Date [i.e. Length of Stay]* Postcode vs. Local Health Board of 95% Residence** Primary Diagnosis Code vs. Admission Date & Birth Date [i.e. Age] * 95% n/a 84.5% 90.7% n/a n/a Primary Diagnosis Code vs. Sex * 95% Primary Procedure Code vs. Sex * 95% Primary Procedure Date vs. Episode Start 95% Date & Episode End Date Referrer Code vs. Referring Organisation 98% Code Specialty (of Treatment) vs. Sex* 98% Source: NHS Wales Informatics Service 1 April March 15 Out-Patient Data (OP) Validity Performance Report (2015/16) Data Item DATA VALIDITY STANDARD All Welsh Providers Abertawe Bro Morgannwg University LHB OP submission received by the 20th - - Number of Records Loaded Administrative Category 98% Attended or Did Not Attend 98% Attendance Category 98% Clinical Referral Date 98% Code of Registered GP Practice 98% Consultant Code 98% 90.9% 82.9% 87.6% 97.5% 83.8% 97.3% Date of Birth 98% Date of Patient Referral 98% 93.6% 67.8% Location Type Code 98% Main Specialty (Consultant) 95% 92.7% Medical Staff Type Seeing Patient 98% NHS Number 98% NHS Number Status Indicator 95% NHS Number Valid & Traced 95% Organisation Code (LHB Area of Residence) 95% Outcome of Attendance 95% Postcode of Usual Address 98% Primary Procedure Code 98% 96.9% n/a Priority Type (New Patients) 95% Referrer Code 98% 95.3% 91.9% 96.5% 96.7% 93.4% 97.3% 97.6% 97.1% Referring Organisation Code 98% 94.8% 74.5% 95.0% 95.3% Sex 98% Aneurin Bevan University LHB Betsi Cadwaladr University LHB Cardiff & Vale University LHB Cwm Taf University LHB Hywel Dda University LHB Powys Teaching LHB Velindre NHS Trust Page 11

58 12 Data Quality Review Report Site Code (of Treatment) 98% Source of Referral: Outpatients 98% Treatment Function Code 98% Source: NHS Wales Informatics Service 1 April March 2016 Note: Out-patient referral data set includes 15 separate indicators and a target is given for each indicator. This table shows the extent to which organisations have achieved these targets for the period 1 April 2015 to 31 March 2016 Out-Patient Activity Data Consistency (2015/2016) Data Item DATA CONSISTENCY STANDARD All Welsh Providers Abertawe Bro Morgannwg University LHB Aneurin Bevan University LHB Betsi Cadwaladr University LHB Cardiff & Vale University LHB Cwm Taf University LHB Hywel Dda University LHB Powys Teaching LHB Velindre NHS Trust Number of Records Loaded Clinical Referral Date vs Attendance Date 98% Date of Birth vs Attendance Date 98% Date Of Patient Referral vs Attendance Date 98% Date of Birth vs Clinical Referral Date 98% Date of Patient Referral vs Clinical Referral Date 98% Date of Birth vs Date of Patient Referral 98% Attendance Category vs Priority Type (New Patients) 98% Location Type Code vs Site Code (of Treatment) 98% Postcode of Usual Address vs Organisation Code (LHB Area of Residence) 95% Primary Procedure Code (OPCS) vs Sex 95% n/a Referrer Code vs Referring Organisation Code 98% 97.3% Referrer Code vs Source of Referral: Outpatients 98% 91.4% 94.6% 90.5% 85.0% 92.4% 95.2% 91.3% 97.4% Source of Referral: Outpatients vs Referring Organisation Code 98% 93.2% 96.8% Source: NHS Wales Informatics Service 1 April March 15 Outpatient Referral (OPR) Data Validity (2015/16) Data Item OPR submission received by the 14th Number of Records Loaded DATA VALIDITY STANDARD All Welsh Providers Abertawe Bro Morgannwg University LHB Aneurin Bevan University LHB Betsi Cadwaladr University LHB Cardiff & Vale University LHB Cwm Taf University LHB Hywel Dda University LHB Powys LHB Velindre NHS Trust Page 12

59 13 Data Quality Review Report Administrative Category 98% Date of Birth 98% Date of Patient Referral 98% GP Practice Code 98% Local Health Board of Residence 95% Main Specialty (consultant) 98% 89.6 NHS Number 95% NHS Number Status Indicator 95% NHS Number Valid & Traced 95% Postcode of Usual Address 98% Referrer Code 98% Referring Organisation Code 98% Referrer Priority Type 98% Sex 98% Source of Referral: Outpatients 98% Source: NHS Wales Informatics Service 1 April March 2016 Note: Out-patient referral data set includes 15 separate indicators and a target is given for each indicator. This table shows the extent to which the organisations have achieved these targets for the period 1 April March Demographic Information A key building block of good quality data in the NHS is patient demographic information, for example NHS number, name, address and date of birth. Separate patient information systems are often in use across different hospitals and within departments such as Radiology and Medical Physics. This means that a patient who has received care in a number of different settings may have multiple records and identifiers. In such a scenario, all the clinical information about that patient is unlikely to be held in one place creating potential clinical governance risks and making it more difficult to locate the right records for the right patient. Low levels of both multiple registration, where more than one record relates to the same patient, and missing NHS Numbers would be the ideal, but do not by themselves guarantee a high level of data quality. However, they are a pre-requisite for it. High incidences of these two factors would mean that patients are not being clearly and unambiguously identified in an organisation s systems, and so it follows that overall data quality would be compromised. A Data Standard Change Notice (DSCN 2015/06) was issued on the 6 th November 2015 providing the specification for the use of the NHS Number by NHS bodies and by other organisations providing health and care services in Wales to ensure that all systems which integrate with NHS Wales Informatics Service (NWIS) products are using the NHS Page 13

60 14 Data Quality Review Report number appropriately and that a common identifier will be in place across all systems. Implementation will be in three phases for completion by April The patient demographic data held on Canisc has shown no multiple registrations (individual patients with more than one electronic record) when viewed by NHS Number. This is an ideal result and the Trust can take significant assurance from this finding. 5. Local Data Quality Issues The local issues identified below are raised and fed back to the service via the various mechanism. In addition, regular liaison with representatives across all areas to improve quality is undertaken. With the large numbers of staff involved in data entry / data capture, ensuring quality is difficult but regular monitoring and reporting is assisting the organisation maintain standards and continuously improve. 5.1 Core Minimum Data Set (CMDS) The clinical minimum cancer dataset (CMCDS) provides a nationally agreed and consistently defined set of data items which are pertinent to cancer management. It combines the standard registration dataset with a richer clinical dataset and includes the minimum amount of information needed to: Define the patient pathway for each cancer episode Identify specific sub-groups of patients Describe the management of each cancer Capture important outcomes Generate survival information. A core cancer registration service requires data to be collected in the following areas: Hospital Details Hospital Consultant Patient unit number Personal Details NHS number Forenames Surname Name at birth (previous surname) Address at time of diagnosis Postcode Sex Page 14

61 15 Data Quality Review Report Ethnic origin Date of birth Diagnostic, Tumour and Treatment Details Presentation Site of primary neoplasm (or main presenting secondary when primary site is not known) Morphology (type of neoplasm) Grade of tumour (degree of differentiation) Laterality (side) for paired organs Date of diagnosis Basis of diagnosis (histology, cytology, haematology, clinical opinion, other tests) Treatment indicators - intent and method - (surgery, radiotherapy, chemotherapy, hormone therapy, other) Stage Death Details Date of death Cause and place of death The CMDS compliance target for VCC is 80% with a reported completion rate for 2015/16 being 63%. The graph below shows year on year improvements accumulatively over a 10 year period. Source: Clinical Coding Department, Velindre Cancer Centre The Clinical Audit Department routinely circulate monthly reports to each individual consultant requesting completion of missing data, sent two months post patient registration. In addition, a quality assurance report is sent to Medical Secretaries. Page 15

62 16 Data Quality Review Report The Clinical Audit Department continue to produce reports and monitor data quality on a monthly basis. A report is sent to the Clinical Director and the Senior Medical Staff Committee, where compliance is discussed and actions agreed. As previously reported, proposal has been put forward to move to one for Wales to address any potential issues arising from one per organisation. NHS Wales Informatics Service are in the process of developing a Single Core Minimum Data Set, which will include a staging engine. Testing and delivery dates are awaited. 5.2 Paper-Lite Environment The Cancer Centre has implemented a paper-lite environment in the out-patient setting, placing significant reliance on the availability and reliability of the electronic patient record (Canisc). The processing of activity is reported on a monthly basis to ensure compliance against completion. In addition to this, a review of processes, as part as the transition from paper to electronic, continues with actions being taken forward to improve information standards and quality within the health record. 6. Action Plan 2016/2017 The following actions to improve data quality are planned for financial year 2016/2017:- Establish a process to enhance engagement on data quality issues with colleagues, within their existing fora; Undertake an external audit of Clinical Coding to measure quality, performance, capacity, maximise efficient use of current resource and identify shortfall; Develop closer links with the Nursing Department to enhance the accuracy of admission and discharge data; Explore the option of using the electronic patient record to support the Clinical Coding function for SACT activity; Data cleansing to continue with the aim of reducing the incidence of records without a recorded NHS Number, and regular uploads to the empi to identify incomplete/incorrect demographic information. Page 16

63 IG IM&T COMMITTEE Clinical Coding Audit Report Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Ann Marie Stockdale, Head of IM&T, VCC Mark Osland, Executive Director of Finance and IT Ann Marie Stockdale, Head of IM&T, VCC Trust Audit Committee, IG IM&T Group (VCC), Strategic Management Group (VCC) IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well

64 2 Clinical Coding Audit Report 1. Introduction / Background: The Admitted Patient Care data set (APC), and the clinically coded data contained within, is arguably the single most important source of management information in use within NHS Wales. The availability of timely, complete, accurate-coded APC data are an essential pre-requisite for numerous current and emerging decision support processes. Welsh Local Health Boards (LHBs) and Velindre NHS Trust are mandated to clinically code the finished consultant episodes (FCEs) for every patient admitted to a Welsh NHS hospital. Organisations are required to accurately code information relating to all diagnoses and procedures relevant to each individual episode of care experienced by a patient. A Clinical Coding Audit at Velindre Cancer Centre was completed by the NHS Wales Informatics Service Classification Team on the 9 th May This represents part of an ongoing series of clinical coding accuracy audit reports, produced as part of the National Clinical Coding Audit Programme. 2. Timing The sample audit consisted of 105 Finished Consultant Episodes (FCEs), which were randomly generated from the activity data held within the Patient Episode Database for Wales (PEDW). The audit period covered episodes with an end date of 1st December 2014 and 31st March 2015 inclusive. 3. Findings The percentage of correct codes assigned were above the recommended level for all four code types, namely primary diagnosis, secondary diagnosis, primary procedures and secondary procedures. Below is a breakdown of the error rates: Code Type Total number of Codes Reviewed Total Number of Correct Codes Percentage Correct Primary Diagnosis % Secondary Diagnosis % Primary Procedure % Secondary Procedure % Levels of attainment Level 2 Level 3 Primary diagnosis: >=90% >=95% Secondary diagnosis: >=80% >=90% Primary procedure: >=90% >=95% Secondary procedure: >=80% >=90% Page 2

65 3 Clinical Coding Audit Report 4. Financial Impact: Clinical Coded Data and the Health Resource Groups (HRGs) are derived directly from coded data and have a number of financial uses across NHS Wales including: Financial costing and resource utilisation mapping; The monitoring of (often high cost) services provided by the Welsh Health Specialised Services Committee (WHSSC); and Clinical coding data is central to a range of national information initiatives, such as the annual financial costing process and patient-level costing. 5. Quality, Safety and Patient Experience Impact: It is essential that clinical coded data is accurate, consistent and completed in a timely manner as it has a wide variety of uses within NHS Wales which impacts on quality, safety and patient experience. These uses include, but not limited to:- Healthcare planning (including service reconfiguration); Performance management (notably the production of Tier 1 and other Welsh Government performance indicators and measures); Providing the basis of the Risk Adjusted Mortality Index (RAMI), a current WG priority area. Health needs assessment; Evaluation of treatment and outcome analysis; Benchmarking; Chronic disease management (and the linkage of datasets); Provision of information for research; The production of official statistics and ad-hoc requests; Ad hoc requests (be they Ministerial, AQs, media/public and so on); Identification of at risk populations; Identification of frequency and occurrence of disease; It is current WG policy for healthcare data to be made more readily available to the general public, media etc. under its transparency agenda. Where clinical coding information is being shared, this will further raise the importance of that data being accurate and the need for the Service to be assured that this is the case. 6. Considerations for Board / Committee Based on the findings of the Audit, the accuracy of clinical coding within Velindre Cancer Centre exceeds the minimum standards recommended for NHS Wales. The full Conclusion is available in the attached Final Report. The Audit listed a total of five recommendations:- 1. The clinical coding staff at the Velindre NHS Trust should be congratulated on the improvements made since the previous audit 2. The clinical coding staff at Velindre NHS Trust should continue to attend regular training sessions in order to maintain and enhance their skills. Page 3

66 4 Clinical Coding Audit Report 3. In order to lessen the impact on the coding process caused by the use of CANISC to store patient information the auditors recommend the following: The possibility of an amendment to the CANISC system that would allow coding staff to order information on a patient by date or consultant episode needs to be explored with the aim of ensuring accurate and consistent recording and retrieval of relevant clinical information in a way that is useful for both clinical staff and coding staff. The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for coding staff to abstract data from two systems when dealing with one patient should be considered. If neither of these options are deemed feasible (for example, if CANISC is unable to increase capacity to store e-correspondence and documentation) alternative solutions (possibly as part of any CANISC replacement or systems roadmap), could be considered. 4. The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for coding staff to abstract data from two systems when dealing with one patient should be considered. 5. Velindre NHS Trust should continue to support, encourage and fund the clinical coding staff to sit the National Clinical Coding Qualification (ACC). 4. Next Steps Changes to Welsh Government productivity targets for clinical coding completion have been tightened to a 1 month period (previously 3 months) for data from 1 st April The Welsh Government are closely monitoring compliance against this target to ascertain the impact on resource for each Health Board/Trust. Take forward the recommendations made within the audit report Page 4

67 ` Clinical Coding Audit Report Velindre Cancer Centre Velindre NHS Trust Mrs Helen Anne Dennis ACC NCS Approved Clinical Coding Auditor NHS Wales Informatics Service Mrs Sarah Norman ACC NCS Approved Clinical Coding Auditor Velindre NHS Trust

68 Clinical Coding Audit Velindre NHS Trust CONTENTS Velindre NHS Trust Clinical Coding Audit Report... 3 Executive Summary Introduction Aims Objectives Background Methodology Findings Conclusions Recommendations Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 2 of 40

69 Clinical Coding Audit Velindre NHS Trust Velindre NHS Trust Clinical Coding Audit Report Executive Summary 1.1 Introduction This audit represents part of an ongoing series of clinical coding accuracy audit reports, produced as part of the NHS Wales Informatics Services national clinical coding audit programme. This programme was established following the completion of an initial all-wales audit of clinical coding accuracy that was undertaken in collaboration with the Wales Audit Office (WAO) in 2013/ The programme intends to identify areas of improvement or non-improvement following the recommendations given in those (and subsequent) audits This programme is being taken forward by the Informatics Service s Clinical Classifications Team and will ensure a continual ongoing programme of clinical coding accuracy audit across all Welsh Health Boards and NHS Trusts This report outlines the findings and recommendations of the Informatics Service s Clinical Classifications Team audit of clinical coding accuracy at Velindre NHS Trust. 1.2 Methodology The sample audited was 105 Finished Consultant Episodes (FCEs), which were randomly generated from the activity data held within the Patient Episode Database for Wales (PEDW). The period audited covered episodes with an end date of 1 st December 2014 and 31 st March 2015 inclusive This audit was carried out in adherence with the Clinical Classifications Service Clinical Coding Audit Methodology Version The locally assigned classification codes were audited against national clinical coding standards using the information available in the patients case notes and relevant electronic systems (e.g. CANISC, Chemocare) Attention was also paid to the patient case notes being used by the coders and auditors in order to assess their impact on the assignment of codes The episodes audited were limited to an episode length of ten days or less. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 3 of 40

70 Clinical Coding Audit Velindre NHS Trust 1.3 Findings The percentage of codes that were correct was above the recommended level in primary diagnosis, secondary diagnosis, primary procedures and secondary procedures. Below is a breakdown of the error rates: Code Type Primary Diagnosis Secondary Diagnosis Primary Procedure Secondary Procedure Total Number of Codes Reviewed Total Number of Correct Codes Percentage Correct % % % % It should be noted that of the 105 episodes examined 82 (78.1%) contained no errors in any position The above figures represent an increase in the overall accuracy of clinical coded data at Velindre NHS Trust since the previous audit in November 2013 (See Appendix 2) Case Note Findings: CANISC is used as a storage system for a significant portion of the clinical information regarding each patient who presents to Velindre Cancer Centre. However, the organisation of clinical data stored within CANISC does not currently facilitate easy retrieval and analysis by clinical coding staff. These issues were highlighted in the previous audit from November 2013, and continue to affect the coding department. It must be noted that the development of the CANISC system is overseen by the NHS Wales Informatics Service, not Velindre NHS Trust. Specific issues identified are: o o o o Information is put into the system in various formats by users, with no search facility for accurate retrieval of data provided by the system. Information added to the system may or may not be dated. When it is dated it is often dated by the user to the time of entry on CANISC, not the date when the clinical observation, diagnosis etc. was made. Data is not ordered into the consultant episode it belongs to as CANISC does not contain this functionality. Due to the structure of CANISC much of the clinical information is simply added to the Other tab as annotations in an unstructured way. The result of this is that clinical coders looking for information have to search each individual entry (of which there are often a great many that do not relate to the episode being coded) for the information they require to code. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 4 of 40

71 Clinical Coding Audit Velindre NHS Trust There is a lack of documentation for day cases and regular day attenders contained in the case notes. Often only a front sheet giving summary details of the patient s disease and sheets giving details of the chemotherapy the patient has received are recorded in the case notes. The documentation recording much of the detail of these episodes required for clinical coding purposes is often only found on CANISC. The case notes for inpatient episodes contained more information on a patient s episode than day case episodes. However the notes very rarely contained all the information used to assign codes; a proportion of the information was still held on CANISC. Following assignment of codes to an inpatient episode, clinical coding staff are required to complete a blue sheet, which outlines the codes they have assigned and the date. This acts as a record of the patients coding and shows that the case notes were used as the source document for code assignment. 1.4 Conclusions Based on the findings of this audit, the accuracy of clinical coding within Velindre Cancer Centre exceeds the minimum standards recommended for NHS Wales and the organisation is to be commended for its commitment to clinical coding accuracy All clinical coding staff meet the recommended training requirements and display a good general knowledge of the clinical coding standards, as evidenced by their accuracy scores in all four coding areas Clinical coding staff have difficulty in identifying relevant information from the CANISC system from which to assign codes. The structure of the data content within CANISC makes it difficult for clinical coders to interrogate and extract the relevant clinical information they require. The continued use of CANISC in its current form as a source of information makes the accurate assignment of clinical classification codes difficult The requirement for clinical coders to abstract relevant clinical information from both hand written and electronic patient records for a single episode of care makes the accurate assignment of classification codes difficult The clinical coding manager and staff at Velindre NHS Trust have addressed many of the issues contributing to the errors found in the previous audit. This has resulted in an improvement in the overall quality of the clinical coded data at the Velindre NHS Trust Although this audit demonstrated that the rates of clinical coding accuracy at Velindre NHS Trust are excellent, it is still of concern that only the clinical coding manager and supervisors hold the National Clinical Coding Qualification (ACC). However it is encouraging that all three clinical coding trainees are planning to sit the NCCQ examination in March Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 5 of 40

72 Clinical Coding Audit Velindre NHS Trust 1.5 Recommendations The clinical coding staff at the Velindre NHS Trust should be congratulated on the improvements made since the previous audit The clinical coding staff at Velindre NHS Trust should continue to attend regular training sessions in order to maintain and enhance their skills In order to lessen the impact on the coding process caused by the use of CANISC to store patient information the auditors recommend the following: The possibility of an amendment to the CANISC system that would allow coding staff to order information on a patient by date or consultant episode needs to be explored with the aim of ensuring accurate and consistent recording and retrieval of relevant clinical information in a way that is useful for both clinical staff and coding staff. The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for coding staff to abstract data from two systems when dealing with one patient should be considered. If neither of these options are deemed feasible (for example, if CANISC is unable to increase capacity to store e-correspondence and documentation) alternative solutions (possibly as part of any CANISC replacement or systems roadmap), could be considered The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for coding staff to abstract data from two systems when dealing with one patient should be considered Velindre NHS Trust should continue to support, encourage and fund the clinical coding staff to sit the National Clinical Coding Qualification (ACC). 1 Following the audit, this recommendation has been raised with the NHS Wales informatics service, and their CANISC team have advised that is not on their current workplan. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 6 of 40

73 Clinical Coding Audit Velindre NHS Trust 2 Introduction 2.1 The Admitted Patient Care data set (APC ds), and the clinically coded data contained within, is arguably the single most important source of management information in use within NHS Wales. The availability of timely, complete, accurate-coded APC data are an essential pre-requisite for numerous current and emerging decision support processes. 2.2 Welsh LHBs and Velindre NHS Trust are mandated to clinically code the finished consultant episodes (FCEs) for every patient admitted to a Welsh NHS hospital. Organisations are required to accurately code information relating to all diagnoses and procedures relevant to each individual episode of care experienced by a patient. 2.3 Welsh LHBs and Velindre Trust are currently monitored against two national performance measures of clinical coding completeness. These are: 95% of all FCEs are clinically coded within 3 months of the episode end date; 98% of all FCEs are clinically coded for any given rolling 12 month period. 2.4 There are currently no national performance indicators or measures for clinical coding accuracy. 2.5 Clinical coded data are used for a variety of uses and it impacts on a number of areas including: Healthcare planning (including service reconfiguration); Performance management (notably the production of Tier 1 and other Welsh Government performance indicators and measures); Providing the basis of the Risk Adjusted Mortality Index (RAMI), a current WG priority area. Health needs assessment; Evaluation of treatment and outcome analysis; Benchmarking; Chronic disease management (and the linkage of datasets); Provision of information for research; The production of official statistics and ad-hoc requests; Financial costing and resource utilisation mapping; Ad hoc requests (be they Ministerial, AQs, media/public and so on); Identification of at risk populations; Identification of frequency and occurrence of disease; The monitoring of (often high cost) services provided by the Welsh Health Specialised Services Committee (WHSSC); Clinical coding data is central to a range of national information initiatives, such as the annual financial costing process and patient-level costing It is current WG policy for healthcare data to be made more readily available to the general public, media etc. under its transparency agenda. Where clinical coding information is being shared, this will further raise the importance of that data being accurate and the need for the Service to be assured that this is the case. 2.6 It is a therefore a requirement that clinical coded data are accurate, consistent, complete and coded in a timely fashion. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 7 of 40

74 Clinical Coding Audit Velindre NHS Trust 2.7 Clinical coding audit is currently the only means by which it is possible to assure the accuracy of clinical coded data. 2.8 This is the second round of audits and will complete this first audit cycle. The NHS Wales Informatics Service (NWIS) Clinical Classifications Team is carrying out a programme of audit of clinical coding accuracy (i.e. the assignment of ICD-10 and OPCS-4 classifications codes by Welsh clinical coding staff) across Wales. 2.9 This report outlines the findings and recommendations of the NHS Wales Informatics Service (NWIS) Clinical Classifications Team audit of clinical coding accuracy at Velindre NHS Trust. The audit was carried out between the 7 th and 10 th September 2015 and was undertaken by an NCS Approved Clinical Coding Auditor from NHS Wales Informatics Service and an NCS Approved Clinical Coding Auditor from Velindre NHS Trust. 3 Aims 3.1 The aim of this audit was to assess the accuracy of the clinically coded data produced by Velindre NHS Trust by comparing the codes assigned by the clinical coding department against national clinical coding standards. 3.2 This report aims to provide a benchmark that can be used by the clinical coding department within Velindre NHS Trust, to identify areas for improvement within the organisation and aid in the identification and planning of future training needs. Conclusions and recommendations based on areas of both good and poor practice found are provided to achieve this. 3.3 It also aims to evaluate the quality of the source documentation used by the coders and the local policies and procedures used at Velindre NHS Trust. 4 Objectives 4.1 The objectives for the audit were: To assess the clinical coding data against national clinical coding standards; To identify and report areas of good and bad practice; To review and assess the accuracy of the source documentation used for clinical coding; To assess the level of clinical involvement with the coding department and to what degree this impacts on the coding process and coding accuracy; To make recommendations designed to support future improve in the accuracy of clinically coded data within the hospital; To highlight training issues within the department. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 8 of 40

75 Clinical Coding Audit Velindre NHS Trust 5 Background 5.1 The Velindre Cancer Centre is the only site within Velindre NHS Trust at which clinical coding staff are based. The clinical coders are split between four different offices at the site. 5.2 The clinical coding department sits under the Information Management and Technology Directorate at the Velindre NHS Trust The clinical coding department has got a Clinical Coding Policy Document which was last updated in February The clinical coding department has no local clinical coding policies at present. 5.4 Demographics & Staffing Velindre Cancer Centre generated a total of 80,853 Finished Consultant Episodes (FCEs) in the 2014/15 financial year Clinical coding staff at Velindre NHS Trust assigns codes to episodes for all inpatient and day case episodes within the Trust Clinical coders at Velindre Cancer Centre do not assign codes to any outpatient episodes Velindre NHS Trust achieved 98.2% completeness for clinical coding as of the submission date at the end of July There are nine clinical coding staff, one clinical coding manager and two clinical coding supervisors at Velindre NHS Trust-a total of WTE. New unqualified coders enter the department as trainees (band 3) before progressing to being full clinical coders (band 4) by passing the NCCQ qualification. Band Whole Time Equivalents (WTE) Velindre Cancer Centre During the period being audited there were no WTE vacancies within the coding department of Velindre NHS Trust Coders range in experience in the coding department from less than twelve months to twenty five years as coders The Velindre Cancer Centre has coders based in four different offices all located in the main hospital building During the period of time examined by this audit the coding department had a backlog of around 746 FCE s (0.92%) of total FCE s. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 9 of 40

76 Clinical Coding Audit Velindre NHS Trust 5.5 Workloads The clinical coding staff at Velindre Cancer Centre has no recommendation of an expected number of episodes to code per year Overtime is used as necessary at Velindre NHS Trust in order to reduce any backlogs of uncoded episodes but no use made of clinical coding contractors The clinical coders at Velindre NHS Trust do not code outpatient activity Clinical coding staff are not assigned a set amount of episodes that they are expected to code annually. The amounts coded are detailed in the chart below. These figures include episodes coded during overtime which is worked by some staff. WTE Expected FCE per year (pro-rata) FCE coded: July 14 June 15 Notes 0.64 Not set 14,722 Coded alongside managing staff and auditing coded data 1.00 Not set 1, % WTE spent supervising 0.92 Not set 8, % WTE spent supervising 0.66 Not set 3, Not set 5, Not set 5, Not set 21, Not set 3, Not set 10, Not set n/a Trainee 1.00 Not set n/a Trainee 1.00 Not set n/a Trainee Total N/A 74, Training The clinical coding manager and both the clinical coding supervisors hold the ACC qualification. The three trainee clinical coding staff at Velindre NHS Trust are at present studying for the NCCQ (ACC) and are planning to sit the examination in March At the time of auditing all clinical coding staff met the minimum training requirements of having completed the Clinical Coding Foundation Training Course and a Clinical Coding Refresher Training Course within the last 3 years The Clinical Coding Manager is an NCS approved clinical coding auditor. There is no NCS approved clinical coding trainer within the department. All the department s training needs are currently met by D&A Consulting; a commercial company supplying clinical coding training that provides all training services to NHS Wales via a national training contract agreed with NHS Wales Informatics Service. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 10 of 40

77 Clinical Coding Audit Velindre NHS Trust 5.7 Assignment of codes Clinical coding is carried out using the Medicode encoder software. The version of Medicode in use by the Velindre NHS Trust also includes the integrity+ auditing software. Codes are assigned to episodes using both the ICD-10 4 th Edition and OPCS 4.7 classifications The Medicode clinical coding validation module used to identify any basic errors in the codes assigned is not used at Velindre NHS Trust. Validation queries are currently run using basic tools available within the encoder software Velindre NHS Trust uses CANISC as its primary Patient Administration System (PAS). This system holds a variety of data on the patient including demographics, appointment, clinical data and clinical information. CANISC is managed and developed by the Hospital Applications Team, part of the Software Development Division of NWIS The clinical coding staff have access to three sources of documentation; the individual patient s case notes, information recorded on the CANISC system and information recorded on the Chemocare system (a chemotherapy prescribing and management IT system). The clinical coders at Velindre NHS Trust also have access to a number of pieces of software created and maintained by other Health Boards which hold information relevant to their episode of care in Velindre Cancer Centre in order to assist in the assignment of classification codes. These systems are the Cardiff & Vale clinical portal, Cwm Taff clinical portal, and the ABMU Clinical Workstation and Avalon Case notes are retrieved from the wards on a daily basis by the coders themselves The clinical coding staff does not make use of read codes, clinical terms or SNOMED-CT Patients case notes contain a blue clinical coding sheet on which the clinical coding staff record the assigned codes for each episodes. This acts as a validity check of the coded data as well as an indication that the episode has been coded using the case notes as a source documentation. It is of particular importance for inpatient episodes where the expectation is that the majority of the information will be found in the physical case note for each episode. 5.8 Previous Audits and Recommendations The last external audit was carried out in April 2014 by the Richard Burdon ACC, NCS Approved Clinical Coding Auditor from NHS Wales Informatics Service and Sarah Norman ACC, NCS Approved Clinical Coding Auditor from Velindre NHS Trust, they presented a formal audit report to the Trust and a copy was also sent to the Wales Audit Office and the Welsh Government, which recommended that: A further audit should be undertaken within 6-12 months focusing on the data contained within the CANISC system as this is the primary source of much of the information used by the clinical coders. An investigation of the structure, staffing level and workload balancing of the department should be carried out immediately. In particular: Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 11 of 40

78 Clinical Coding Audit Velindre NHS Trust o It is advised that no clinical coder should be assigning codes to more than 30 episodes per day given the complexity of the patient case mix and the difficulties encountered in abstracting relevant information from the case notes and CANISC. o A band five Supervisor position should be created within the next 6 months to support the Clinical Coding Manager in ensuring accuracy by regularly auditing episodes and monitoring workloads. o It is recommended that the staffing levels within the coding department are increased to meet these needs. Due to the difficulties inherent in using CANISC as a source of information for clinical coding, work should be undertaken immediately to ascertain a method of ensuring that all relevant information on episodes is contained within the patients physical case notes. All clinical coders should be reminded of the importance of using the full patient record to assign codes. This is of particular importance with regards to inpatient episodes. The practice of copying up episodes must stop immediately. All clinical coding staff must ensure that they are using the most up-to-date chemotherapy regimens and high cost drugs lists for assigning codes. Immediate training time should be given to the clinical coders to allow them to ensure they are familiar with Welsh Clinical Coding Standards and guidance. Clinical coding staff should continue to maintain their standard of training, and attend further specialist training where available. Adequate time should be given to allow clinical coders to ensure that their classifications are updated and annotated correctly The clinical coding manager at Velindre NHS Trust carries out local ad hoc audits. In addition regular individual audits are carried out as part of the clinical coding staff s annual PDR requirement. 6 Methodology 6.1 A pre-audit questionnaire regarding details of the organisation of clinical coding services in the LHB was completed by the Clinical Coding Manager. 6.2 A list of 500 FCEs was randomly generated from the Patient Episode Database for Wales (PEDW) the national database of APC ds activity data. PEDW is managed and maintained by NWIS. 6.3 The planned number of episodes audited was The episodes audited were limited to those with an episode end date of 1 st November 2014 and 28 th February 2015 inclusive. 6.5 The episodes audited were limited to those with an episode length of ten days or less. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 12 of 40

79 Clinical Coding Audit Velindre NHS Trust 6.6 The audit was carried out in adherence with the Clinical Classification Service Clinical Coding Audit Methodology Version Staff at Velindre Cancer Centre were required to provide the auditors with access to the written case note records associated with the requested FCEs. 6.8 The clinical coding record for each episode was generated from the hospital s clinical coding encoder software and a copy attached to the relevant set of case notes. 6.9 The auditors then assessed the locally coded data against the National Clinical Coding Standards (see Appendix 1) and the Welsh Clinical Coding Standards (see Appendix 2) using ICD-10 and OPCS 4.6 classifications Codes were audited as one of 4 types: Primary Diagnosis codes (i.e. the main condition treated); Secondary Diagnosis codes (including External Cause Codes and Morphology Codes); Primary Procedure codes; Secondary Procedure codes (including Chapter Z site codes) Any errors were assigned to an Error Type (see Appendix 3), which specified the exact nature of the error. This information was then tabulated to calculate the statistical information required (see Appendix 2) 6.12 The errors are of two general types non-coder errors and coder errors. Non-coder errors are those errors identified as being due to a factor external to the individual coder, such as an encoder system which automatically re-sequences codes, or a local coding policy which instructs the coder to assign codes in a way which contravenes national standards. Coder errors are errors in the coding made by the coder themselves For statistical reasons and due to the judgemental nature of a code being relevant to an episode, those error types where coding staff have assigned more codes than the auditor deems relevant (i.e. overcoding ) are not counted as errors when calculating the error percentages. However, the numbers of these errors are reported and examples given for information and training purposes An analysis of the errors is given in Appendix The recommended minimum percentage of correct codes are: 90% for Primary Diagnosis and Primary Procedure 80% for Secondary Diagnosis and Secondary Procedures The Accredited Clinical Coding (ACC) exam also stipulates a minimum requirement of 90% accuracy for all clinical coding staff sitting the National Clinical Coding Qualification (NCCQ) exam. Furthermore, the above targets are consistent with the requirements set out in the NHS England Information Governance Toolkit requirement 505 (attainment level 2) and audits of coded data carried out by NCS auditors on English Coders. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 13 of 40

80 Clinical Coding Audit Velindre NHS Trust 6.16 Case notes which did not contain the episode to be audited were marked as Unsafe To Audit (UTA) and removed from the sample and replaced A total of 105 episodes were examined. 7 Findings 7.1 The percentages of correctly assigned codes are given below: Code Type Primary Diagnosis Secondary Diagnosis Primary Procedure Secondary Procedure Total Number of Codes Reviewed Total Number of Correct Codes Percentage Correct % % % % The percentage of codes that were correct was above the recommended level in primary diagnosis, secondary diagnosis, primary procedure and secondary procedures. 7.2 It should be noted that of the 105 episodes examined 82 (78.1%) contained no errors in any position. 7.3 The above figures represent an increase in the overall accuracy of clinical coded data at Velindre NHS Trust since the previous audit in November 2013(See appendix 2). 7.4 Unsafe to Audit (UTA) There were no episodes which were marked as UTA. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 14 of 40

81 Clinical Coding Audit Velindre NHS Trust 7.5 Primary Diagnosis Codes The primary diagnosis was correct in 94.29% of the episodes audited (99 of the 105 primary diagnoses). A breakdown of the errors in primary diagnoses by their associated error types is given below (see Appendix 3 for a detailed explanation of the error keys): Error Type Number of Errors Percentage of FCEs with Error PDIS % PDO % PDD 1.95% Primary Diagnosis Documentation Issue (PDD)) There was one primary diagnosis error (.95%) due to a documentation issue. Example: LHB Coding Auditor Coding C18.6 Malignant neoplasm of colon Descending colon C18.9 Malignant neoplasm of colon Colon, unspecified M8140/3 Adenocarcinoma Primary M8140/3 Adenocarcinoma Primary Z51.1 Chemotherapy session for neoplasm Z51.1 Chemotherapy session for neoplasm Z85.4 Personal history of malignant neoplasm of genital organs Z85.4 Personal history of malignant neoplasm of genital organs There was conflicting information within this patient s medical record. The clinical information stated that the site of the neoplasm was descending colon, sigmoid colon and was occasionally documented only as colon. Due to this inconsistency in the information the correct code assignment would be C18.9. Ref: Uniformity National Clinical Coding Standards ICD-10 4 th Edition (2014), Page 5. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 15 of 40

82 Clinical Coding Audit Velindre NHS Trust Primary Diagnosis Incorrectly Sequenced (PDIS) There were three primary diagnosis errors (2.86%) incorrectly sequenced. Example: LHB Coding Auditor Coding R50.9 Fever, unspecified N39.0 Urinary tract infection, site not specified C20.X Malignant neoplasm of rectum B96.4 Proteus (mirabilis)(morganii) as the cause of diseases classified to other chapters M8140/3 Adenocarcinoma Primary C20.X Malignant neoplasm of rectum C77.5 Secondary and unspecified malignant M8140/3 Adenocarcinoma Primary neoplasm of lymph nodes Intrapelvic lymph nodes M8140/3 Adenocarcinoma Metastatic C77.5 Secondary and unspecified malignant neoplasm of lymph nodes Intrapelvic lymph nodes N39.0 Urinary tract infection, site not M8140/3 Adenocarcinoma Metastatic specified K52.1 Toxic gastroenteritis and colitis A09.9 Gastroenteritis and colitis of unspecified origin I10.X Essential (primary) hypertension I10.X Essential (primary) hypertension Z93.3 Colostomy status Z93.3 Colostomy status The clinical information in the medical record did state that the patient was pyrexic. However the main condition treated and the confirmed primary diagnosis was a urinary tract infection. The fever (pyrexia) is a symptom of the urinary tract infection. The correct primary diagnosis should therefore be N39.0. The clinical coding standards states the first diagnostic field of the clinical coded record will contain the main condition treated during an episode of care. In addition since the fever is a symptom of the urinary tract infection this would only require the assignment of a secondary code if it was significant enough to require treatment in its own right, which in this case it did not.. Ref: Primary Diagnosis National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page 9. Ref: Symptoms National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page XVIII-1 Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 16 of 40

83 Clinical Coding Audit Velindre NHS Trust Primary Diagnosis Omitted There were two (1.90%) primary diagnoses omitted. Example: LHB Coding Auditor Coding G83.4 Cauda equina syndrome G55.0* Nerve root and plexus compressions in neoplastic disease (C00-D48 ) C79.5 Secondary malignant neoplasm of bone C79.5 Secondary malignant neoplasm of bone and bone marrow and bone marrow M8000/6 Neoplasm metastatic M8000/6 Neoplasm metastatic C50.9 Malignant neoplasm of breast, Breast, G83.4 Cauda equina syndrome unspecified M8000/3 Neoplasm malignant Primary C50.9 Malignant neoplasm of breast, Breast, unspecified C77.3 Secondary and unspecified malignant M8500/3 neoplasm of lymph nodes M8000/6 Neoplasm metastatic C77.3 Secondary and unspecified malignant neoplasm of lymph nodes C78.6 Secondary malignant neoplasm of M8500/3 retroperitoneum and peritoneum M8000/6 Neoplasm metastatic C78.6 Secondary malignant neoplasm of retroperitoneum and peritoneum C79.8 Secondary malignant neoplasm of other M8000/6 Neoplasm metastatic specified sites M8000/6 Neoplasm metastatic C79.8 Secondary malignant neoplasm of other specified sites D64.9 Anaemia, unspecified M8000/6 Neoplasm metastatic D64.9 Anaemia, unspecified The information in the medical record did state that the patient had cauda equina syndrome. However there was also information in the patient notes stating that the patient had nerve root compression due to the metastatic disease in the spinal vertebra. So although the Cauda equina syndrome must be coded the main condition treated was the cord compression therefore the most appropriate primary diagnosis code is G55.0*. The clinical coding standards states the first diagnostic field of the clinical coded record will contain the main condition treated during an episode of care. Ref: Primary Diagnosis National Clinical Coding Standards ICD-10 4 th Edition (April 2014), Page 9. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 17 of 40

84 Clinical Coding Audit Velindre NHS Trust 7.6 Secondary Diagnosis Codes Including External Cause and Morphology Codes The secondary diagnoses codes were 97.23% correct (983 out of the total 1011 secondary diagnoses). A breakdown of the errors by their associated error types is given below (see Appendix 3 for detailed explanation of error keys): Error Key Number of Errors Percentage of Secondary Diag with Error SD % SD % SDO % SDNR 9 SDD % Secondary Diagnosis Incorrect at 3 rd Character Level (SD3) There were two secondary diagnoses assigned (0.20%) incorrect at 3 rd character level. Example: LHB Coding Auditor Coding R50.9 Fever, unspecified N39.0 Urinary tract infection, site not specified C20.X Malignant neoplasm of rectum B96.4 Proteus (mirabilis)(morganii) as the cause of diseases classified to other chapters M8140/3 Adenocarcinoma Primary C20.X Malignant neoplasm of rectum C77.5 Secondary and unspecified malignant M8140/3 Adenocarcinoma Primary neoplasm of lymph nodes Intrapelvic lymph nodes M8140/3 Adenocarcinoma Metastatic C77.5 Secondary and unspecified malignant neoplasm of lymph nodes Intrapelvic lymph nodes N39.0 Urinary tract infection, site not M8140/3 Adenocarcinoma Metastatic specified K52.1 Toxic gastroenteritis and colitis A09.9 Gastroenteritis and colitis of unspecified origin I10.X Essential (primary) hypertension I10.X Essential (primary) hypertension Z93.3 Colostomy status Z93.3 Colostomy status A diagnosis of diarrhoea was documented in the medical record however there was no documentation to indicate that the diarrhoea was due to a drug reaction. Therefore using the four step coding process, since the modifier toxic was not present the most appropriate code assignment is A09.9. Ref: The four step coding process. National Clinical Coding Standards ICD-10 4 th Edition (April 2014), Page 6. Ref: Modifiers. National Clinical Coding Standards ICD-10 4 th Edition (April 2014), Page 24. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 18 of 40

85 Clinical Coding Audit Velindre NHS Trust Secondary Diagnosis Incorrect at 5 th Character level (SD5) There was one secondary diagnoses assigned (0.10%) which was incorrect at fifth character level. Example: LHB Coding Auditor Coding C78.6 Secondary malignant neoplasm of retroperitoneum and peritoneum C78.6 Secondary malignant neoplasm of retroperitoneum and peritoneum M8140/6 Adenocarcinoma Metastatic M8140/6 Adenocarcinoma Metastatic Z53.8 Procedure not carried out for other Z53.8 Procedure not carried out for other reasons reasons C16.0 Malignant neoplasm of stomach Cardia C16.0 Malignant neoplasm of stomach Cardia M8140/3 Adenocarcinoma Primary M8140/3 Adenocarcinoma Primary C77.2 Secondary and unspecified malignant neoplasm of lymph nodes Intra-abdominal lymph nodes C77.2 Secondary and unspecified malignant neoplasm of lymph nodes Intra-abdominal lymph nodes M8140/6 Adenocarcinoma Metastatic M8140/6 Adenocarcinoma Metastatic E11.9 Non-insulin-dependent diabetes mellitus Without complications E11.9 Non-insulin-dependent diabetes mellitus Without complications I38.X Endocarditis, valve unspecified I38.X Endocarditis, valve unspecified M21.3 Wrist of foot drop (acquired) M21.37 Wrist of foot drop (acquired) Foot F17.1 Mental and behavioural disorders due to use of tobacco Harmful use F17.1 Mental and behavioural disorders due to use of tobacco Harmful use The information within the medical record stated that the patient was suffering from foot drop. The clinical coder failed to record the fifth character which identifies the site. The clinical coding standards state that in Chapter XIII Diseases of the Musculoskeletal System and Connective Tissue M00-M99 the use of fifth characters is mandatory where data is present in the medical record and where doing so adds further information. Ref: Fifth Characters National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page 20. Ref: Supplementary characters National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page XIII-2. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 19 of 40

86 Clinical Coding Audit Velindre NHS Trust Secondary Diagnosis Omitted (SDO) There were twenty one secondary diagnoses (2.08%) omitted. Example: LHB Coding Auditor Coding R50.9 Fever, unspecified N39.0 Urinary tract infection, site not specified C20.X Malignant neoplasm of rectum B96.4 Proteus (mirabilis)(morganii) as the cause of diseases classified to other chapters M8140/3 Adenocarcinoma Primary C20.X Malignant neoplasm of rectum C77.5 Secondary and unspecified malignant M8140/3 Adenocarcinoma Primary neoplasm of lymph nodes Intrapelvic lymph nodes M8140/3 Adenocarcinoma Metastatic C77.5 Secondary and unspecified malignant neoplasm of lymph nodes Intrapelvic lymph nodes N39.0 Urinary tract infection, site not M8140/3 Adenocarcinoma Metastatic specified K52.1 Toxic gastroenteritis and colitis A09.9 Gastroenteritis and colitis of unspecified origin I10.X Essential (primary) hypertension I10.X Essential (primary) hypertension Z93.3 Colostomy status Z93.3 Colostomy status There was documented evidence in the medical record to show that the patient had a urinary tract infection due to the Proteus bacteria. The clinical coding standards state that codes from the range B95 to B97 should be assigned as a secondary code to indicate the infectious agent if this information is available in the medical record. Ref: Instructional notes. Status of if desired codes. National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page 19. Ref: Bacterial, viral and other infectious agents (B95-B98) National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page I-12. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 20 of 40

87 Clinical Coding Audit Velindre NHS Trust Secondary Diagnosis Not Relevant (SDNR) There were nine secondary diagnosis assigned which were not relevant. Example: LHB Coding Auditor Coding C17.8 Overlapping lesion of small intestine C17.8 Overlapping lesion of small intestine M8140/3 Adenoma NOS M8140/3 Adenoma NOS C77.2 Secondary and unspecified malignant neoplasm of lymph nodes Intra-abdominal lymph nodes C77.2 Secondary and unspecified malignant neoplasm of lymph nodes Intra-abdominal lymph nodes M8140/3 Adenoma NOS M8140/3 Adenoma NOS Z51.1 Chemotherapy session for neoplasm Z51.1 Chemotherapy session for neoplasm Z90.4 Acquired absence of other parts of digestive tract Z90.4 Acquired absence of other parts of digestive tract Z93.3 Colostomy status Z93.3 Colostomy status Z90.7 Acquired absence of genital organ(s) Z90.7 Acquired absence of genital organ(s) Z96.0 Presence of urogenital implants F41.9 Anxiety disorder, unspecified F41.9 Anxiety disorder, unspecified Z86.4 Personal history of psychoactive substance abuse Z86.4 Personal history of psychoactive substance abuse The information within the medical record showed that the ureteric stents were no longer present having been removed prior to this episode. The clinical coding standards state that you should not code background information or chronic problems which are no longer active. Ref: Uniformity. National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page 5. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 21 of 40

88 Clinical Coding Audit Velindre NHS Trust Secondary Diagnosis Documentation Issue (SDD) There were four secondary diagnosis assigned (0.40%) due documentation issue Example: LHB Coding Auditor Coding G83.4 Cauda equine syndrome G55.0* Nerve root and plexus compression in neoplastic disease (C00-D48 ) C79.5 Secondary malignant neoplasm of bone C79.5 Secondary malignant neoplasm of bone and bone marrow and bone marrow M8000/6 Neoplasm, metastatic M8000/6 Neoplasm, metastatic C50.9 Malignant neoplasm of breast, G83.4 Cauda equine syndrome unspecified M8000/3 Neoplasm, malignant C50.9 Malignant neoplasm of breast, unspecified C77.3 Secondary and unspecified malignant M8500/3 Infiltrating duct carcinoma Primary neoplasm of lymph nodes Axillary and upper malignant limb lymph nodes M0000/6 Neoplasm, metastatic C77.3 Secondary and unspecified malignant neoplasm of lymph nodes Axillary and upper limb lymph nodes C78.6 Secondary malignant neoplasm of M8500/6 Infiltrating duct carcinoma Metastatic retroperitoneum and peritoneum M0000/6 Neoplasm, metastatic C78.6 Secondary malignant neoplasm of retroperitoneum and peritoneum C79.8 Secondary malignant neoplasm of other M0000/6 Neoplasm, metastatic specified sites M8000/6 Neoplasm, metastatic C79.8 Secondary malignant neoplasm of other specified sites D64.9 Anaemia, unspecified M8000/6 Neoplasm, metastatic D64.9 Anaemia, unspecified There was information within the medical record (follow up clinic letter) that confirmed that the breast neoplasm and the metastasis in the axillary lymph nodes was infiltrating ductal carcinoma. However this information would not have been available to the coder at the time of coding. The Welsh clinical coding standards state that Clinical Coders must assign morphology codes in addition to the Chapter II body site codes (C00-D48) for all neoplasms coded on a Finished Consultant Episode (FCE) within the Admitted Patient Care data set (APC ds), with the exception of those codes classifying lymphoid, haematopoietic and related tissue neoplasms (C81-C96 and D45-D47). Ref: WCS01: ICD-10 Classification Neoplasm Morphology Coding Welsh Clinical Coding Standards Ref: Uniformity. National Clinical Coding Standards ICD-10 4 th Edition (April 2014) Page 5. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 22 of 40

89 Clinical Coding Audit Velindre NHS Trust 7.7 Primary Procedure Codes There were 95 primary procedure codes assigned. The primary procedure was correct in 96.84% of the episodes audited (92 of the 95 primary procedures). A breakdown of the errors by their associated error types are shown below (see Appendix 3 for detailed explanation of the error keys): Error Key Number of Errors Percentage of Primary Procedures with Error PP % PPO % Primary Procedure Incorrect at 3 rd Character Level (PP3) There were two primary procedures (2.11%) incorrect at 3 rd character level. Example: LHB Coding X29.2 Continuous intravenous infusion of therapeutic substance NEC Auditor Coding X38.4 Subcutaneous chemotherapy This procedure was the administration of a trial drug but the drug was administered by subcutaneous injection not by continuous infusion. The clinical coding standards state that each procedure should have the correct code assignment and should be coded to the furthest level of specificity. Ref: Uniformity National Clinical Coding Standards OPCS-4 April 2014, Page 8 Ref: Three dimensions of coding accuracy National Clinical Coding Standards OPCS-4 April 2014, Page 9 Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 23 of 40

90 Clinical Coding Audit Velindre NHS Trust Primary Procedure Omitted (1.05%) There was one primary procedure (1.05%) omitted. Example: LHB Coding X29.2 Continuous intravenous infusion of therapeutic substance NEC Auditor Coding T46.1 Paracentesis abdominis for ascites Y82.2 Injection of local anaesthetic Paracentesis was clearly documented in the patient s medical notes but the coder failed to assign a classification code for the procedure. The clinical coding standards state that each procedure should have the correct code assignment and should be coded to the furthest level of specificity. Ref: Uniformity National Clinical Coding Standards OPCS-4 April 2014, Page 8 Ref: Three dimensions of coding accuracy National Clinical Coding Standards OPCS-4 April 2014, Page Secondary Procedure Codes There were 118 secondary procedures codes assigned. These secondary procedure codes were 98.31% correct (116 out of the 118 secondary procedures). A breakdown of the errors by their associated error types are shown below (see Appendix 3 for detailed explanation of error keys): Error Key Number of Errors Percentage of Secondary Procedures with Error SP % SPO % Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 24 of 40

91 Clinical Coding Audit Velindre NHS Trust Secondary Procedure Incorrect at 4th Character Level (SP4) There was one secondary procedures (0.85%) assigned incorrect at 4 th character level. Example: LHB Coding X70.8 Procurement of drugs for chemotherapy in Bands 1-5, other specified X72.9 Delivery of chemotherapy for neoplasm, unspecified Auditor Coding X71.5 Procurement of drugs for chemotherapy for neoplasm for regimens in Band 10 X72.1 Delivery of complex chemotherapy for neoplasm including prolonged infusional treatment at first attendance The information within the patient s medical record stated that the chemotherapy regimen given as a day case was Cisplatin and Pemetrexed. The clinical coder assigned the wrong codes for this regimen. When indexed using the National Tariff Chemotherapy List the correct code assignment for this regimen was X71.5 together with the secondary code X72.1. Ref: Rule 11: National Tariff Chemotherapy Regimen List National Clinical Coding Standards OPCS-4 April 2014, Page 20 Ref: CSX21: Procurement and delivery of drugs for chemotherapy for neoplasm (X70- X74) National Clinical Coding Standards OPCS-4 April 2014, Page 114 Ref: Clinical Coding Standard CRCS1: Coding Chemotherapy regimens Chemotherapy Regimens Clinical Coding Standards and Guidance OPCS-4 March 2014, Page Secondary Procedure Omitted There was one secondary procedure (0.85%) omitted. Example: LHB Coding X29.2 Continuous intravenous infusion of therapeutic substance NEC Auditor Coding T46.1 Paracentesis abdominis for ascites Y82.2 Injection of local anaesthetic NEC There was information within the medical notes stating that Paracentesis for ascites was carried out under local anaesthetic. The coder failed to assign a classification code for this procedure and also failed to assign the code for injection of local anaesthetic. The Welsh clinical coding standards state that when the patient record includes information stating that an anaesthetic has been given with a procedure, the appropriate code from Y80-Y84 or C90 must be assigned to record this. Ref: WCS03: Coding of Anaesthetics Welsh Clinical Coding Standards Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 25 of 40

92 Clinical Coding Audit Velindre NHS Trust 7.9 Case Note Findings CANISC is used as a storage system for a significant portion of the clinical information regarding each patient who presents to Velindre Cancer Centre. However, the organisation of clinical data stored within CANISC does not currently facilitate easy retrieval and analysis by clinical coding staff. These issues were highlighted in the previous audit from November 2013, and continue to affect the coding department. It must be noted that the development of the CANISC system is overseen by the NHS Wales Informatics Service, not Velindre NHS Trust. Specific issues identified are: o o o o Information is put into the system in various formats by users, with no search facility for accurate retrieval of data provided by the system. Information added to the system may or may not be dated. When it is dated it is often dated by the user to the time of entry on CANISC, not the date when the clinical observation, diagnosis etc. was made. Data is not ordered into the consultant episode it belongs to as CANISC does not contain this functionality. Due to the structure of CANISC much of the clinical information is simply added to the Other tab as annotations in an unstructured way. The result of this is that clinical coders looking for information have to search each individual entry (of which there are often a great many that do not relate to the episode being coded) for the information they require to code There is a lack of documentation for day cases and regular day attenders contained in the case notes. Often only a front sheet giving summary details of the patient s disease and sheets giving details of the chemotherapy the patient has received are recorded in the case notes. The documentation recording much of the detail of these episodes required for clinical coding purposes is often only found on CANISC The case notes for inpatient episodes contained more information on a patient s episode than day case episodes. However the notes very rarely contained all the information used to assign codes; a proportion of the information was still held on CANISC Following assignment of codes to an inpatient episode, clinical coding staff are required to complete a blue sheet, which outlines the codes they have assigned and the date. This acts as a record of the patients coding and shows that the case notes were used as the source document for code assignment. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 26 of 40

93 Clinical Coding Audit Velindre NHS Trust 8 Conclusions 8.1 Based on the findings of this audit, the accuracy of clinical coding within Velindre Cancer Centre exceeds the minimum standards recommended for NHS Wales and the organisation is to be commended for its commitment to clinical coding accuracy. 8.2 All clinical coding staff meet the recommended training requirements and display a good general knowledge of the clinical coding standards, as evidenced by their accuracy scores in all four coding areas. 8.3 Clinical coding staff have difficulty in identifying relevant information from the CANISC system from which to assign codes. The structure of the data content within CANISC makes it difficult for clinical coders to interrogate and extract the relevant clinical information they require. The continued use of CANISC in its current form as a source of information makes the accurate assignment of clinical classification codes difficult. 8.4 The requirement for clinical coders to abstract relevant clinical information from both hand written and electronic patient records for a single episode of care makes the accurate assignment of classification codes difficult. 8.5 The clinical coding manager and staff at Velindre NHS Trust have addressed many of the issues contributing to the errors found in the previous audit. This has resulted in an improvement in the overall quality of the clinical coded data at the Velindre NHS Trust. 8.6 Although this audit demonstrated that the rates of clinical coding accuracy at Velindre NHS Trust are excellent, it is still of concern that only the clinical coding manager and supervisors hold the National Clinical Coding Qualification (ACC). However it is encouraging that all three clinical coding trainees are planning to sit the NCCQ examination in March Recommendations 9.1 The clinical coding staff at the Velindre NHS Trust should be congratulated on the improvements made since the previous audit 9.2 The clinical coding staff at Velindre NHS Trust should continue to attend regular training sessions in order to maintain and enhance their skills. 9.3 In order to lessen the impact on the coding process caused by the use of CANISC to store patient information the auditors recommend the following: The possibility of an amendment to the CANISC system that would allow coding staff to order information on a patient by date or consultant episode needs to be explored with the aim of ensuring accurate and consistent recording and retrieval of relevant clinical information in a way that is useful for both clinical staff and coding staff. The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 27 of 40

94 Clinical Coding Audit Velindre NHS Trust coding staff to abstract data from two systems when dealing with one patient should be considered. If neither of these options are deemed feasible (for example, if CANISC is unable to increase capacity to store e-correspondence and documentation) alternative solutions (possibly as part of any CANISC replacement or systems roadmap), could be considered. 9.4 The amalgamating of the physical case notes into the electronic patient record held on CANISC in order to remove the need for coding staff to abstract data from two systems when dealing with one patient should be considered Velindre NHS Trust should continue to support, encourage and fund the clinical coding staff to sit the National Clinical Coding Qualification (ACC). 2 Following the audit, this recommendation has been raised with the NHS Wales informatics service, and their CANISC team have advised that is not on their current workplan. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 28 of 40

95 Clinical Coding Audit Velindre NHS Trust Appendix 1: National Standards for Clinical Coding Information on Clinical Coding Standards When clinically coding healthcare activity, it is vital that coders adhere to national standards so as to ensure that clinically coded data is comparable across Wales (and beyond) and is of the highest quality. The two classifications used to record clinical coding data in Wales are: International Statistical classification of Diseases and related Health Problems 10 th Revision (ICD-10) Currently on its 4 th Edition, this classification is used to record Diagnoses and morbid conditions affecting a patient during a hospital stay. Office of Population, Census and Surveys Classification of Interventions and Procedures version 4.6 (OPCS-4.6) This classification is used to record interventions and procedures used in the treatment of patient during a hospital stay. At an international level, the overarching principles and standards associated with the coding of diagnostic information (ICD-10) are determined by the World Health Organisation (WHO). At a UK level, interpretation and any amendments to these standards is overseen by the NHS Classifications Service (NCS) as part of the Health & Social Care Information Centre (HSCIC) within NHS England. NCS are also responsible for maintain and developing the standards associated with the coding of procedures (OPCS-4). In their national role, NCS develop and maintain a range of standards, reference, instruction manuals and training materials for clinical coders in relation to the ICD-10 and OPCS-4 classifications. The principal documents containing the national standards for Welsh coders are: The National Clinical Coding Standards ICD-10 4th Edition Reference Manual; ICD-10 Volumes I to III; The Clinical Coding Instruction Manual OPCS-4.6; OPCS-4.6 Volumes I and II; The Coding Clinic; The Welsh Standards; NHS Wales Clinical Coding Change Notifications (CCCNs). In addition to formal standards and change notices, the NHS Wales Informatics Service Clinical Classifications Team also provide Welsh coders with a range of additional documentation that are intended to be sources of guidance and clarification, but do NOT constitute national standards: NHS Wales Clinical Coding Communications (CCCs); The NHS Wales Clinical Coding Helpline; The NCS Data Standards Helpline; Welsh Clinical Coding Standards: As described above, Welsh clinical coders follow the UK national standards for clinical coding. However, there are a small number of differences in the clinical coding standards Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 29 of 40

96 Clinical Coding Audit Velindre NHS Trust applied in Wales, which are designed to reflect the differences in business requirements for clinically coded data between NHS Wales and the rest of the UK. These Wales-specific standards are known as the Welsh Clinical Coding Standards, which are introduced and updated via Clinical Coding Change Notices (CCNs). CCCNs were introduced in 2009 and are used to communicate a new or changed Welsh standard to the Service. They are approved by the Welsh Information Standards Board (WISB) and published by the NWIS Clinical Classifications Team. Details of the Welsh Clinical Coding Standards can be found online in the NHS Wales Clinical Classifications Standards Dictionary at Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 30 of 40

97 Clinical Coding Audit Velindre NHS Trust Appendix 1: Analysis of Errors Analysis of Errors: Overall, Velindre Number % Total number of episodes examined 105 UTA Unsafe to audit 0 Actual number of episodes examined 105 Primary Diagnosis Number of primary diagnoses correct % Non Coder Error PDI Information not available at time of coding 0.00% PDD Primary Diagnosis Documentation issue % PDM Primary diagnosis coded to Management Specification 0.00% PDC Primary diagnosis coded to Clinician Specification 0.00% PDSC Primary Diagnosis coded due to System Constraint 0.00% Coder Error PD3 Primary Diagnosis Incorrect - 3-character level % PD4 Primary Diagnosis Incorrect - 4-character level % PD5 Primary Diagnosis Incorrect - 5-character level % PDIS Primary Diagnosis Incorrectly Sequenced % PDO Primary Diagnosis Omitted % Total Errors % Secondary Diagnosis Number of secondary diagnoses 1011 Number of Secondary diagnoses correct % Non Coder Error SDI Information not available at the time of coding % SDD Secondary Diagnosis Documentation issue % SDM Secondary Diagnosis Coded to Management Specification % Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 31 of 40

98 Clinical Coding Audit Velindre NHS Trust SDC Secondary Diagnosis Coded to Clinician Specification % SDSC Secondary Diagnosis Coded due to System Constraint % Coder Error SD3 Secondary Diagnosis Incorrect - 3-character level % SD4 Secondary Diagnosis Incorrect - 4-character level % SD5 Secondary Diagnosis Incorrect - 5-character level % SDIS Secondary Diagnosis Sequencing % SDO Secondary Diagnosis Omitted % SDNR Secondary Diagnosis not relevant 9 ECI External Cause Code Incorrect % ECO External Cause Code Omitted % ECNR External Cause Code Not Relevant 0 MCI Morphology Code Incorrect % MCO Morphology Code Omitted % MCNR Morphology Code Not Relevant % Total Errors 28 Primary Procedures Number of Primary Procedures 95 Number of primary procedures correct % Non Coder Error PPI Information not available at the time of coding % PPD Primary Procedure Documentation issue % PPM Primary Procedure Coded to Management Specification % PPC Primary Procedure Coded to Clinician Specification % PPSC Primary Procedure Coded due to System Constraint % Coder Error PP3 Primary Procedure Incorrect - 3-character level % PP4 Primary Procedure Incorrect - 4-character level % PPIS Primary Procedure Incorrectly Sequenced % PPO Primary Procedure Omitted % PPNR Primary Procedure Not Relevant % Total Errors 3 Secondary Procedures Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 32 of 40

99 Clinical Coding Audit Velindre NHS Trust Number of Secondary Procedures 118 Number of Secondary procedures correct % Non Coder Error SPI Information not available at the time of coding % SPD Secondary Procedure Documentation issue % SPM Secondary Procedure Coded to Management Specification % SPC Secondary Procedure Coded to Clinician Specification % SPSC Secondary Procedure Coded due to System Constraint % Coder Error SP3 Secondary Procedure Incorrect - 3-character level % SP4 Secondary Procedure Incorrect - 4-character level % SPIS Secondary Procedure Incorrectly Sequenced % SPO Secondary Procedure Omitted % SPNR Secondary Procedure Not Relevant % Total Errors 2 Not counted as errors - included for reference only Field is automatically calculated - no need to insert figure Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 33 of 40

100 Clinical Coding Audit Velindre NHS Trust Appendix 3: Results of the previous audit of the Velindre Cancer Centre The percentages of correctly assigned codes were: Code Type Total Number of Total Number of Percentage Correct Codes Reviewed Correct Codes Primary Diagnosis % Secondary Diagnosis % Primary Procedure % Secondary Procedure % The percentage of codes that were correct was below the recommended level in all 4 areas. When looked at by whether the episode was an Inpatient Episode or a Regular Day Attender (RDA), the percentage of correct codes was: Code Type Percent Correct: Inpatients Percent Correct: Day cases/rda Primary Diagnosis 76.92% 96.88% Secondary Diagnosis 76.64% 90.77% Primary Procedure 85.71% 95.31% Secondary Procedure 94.44% 91.04% It should be noted that of the 90 episodes examined 36 (40.00%) contained no errors in any position. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 34 of 40

101 Clinical Coding Audit Velindre NHS Trust Appendix 4: Error Key Descriptions Unsafe to Audit Error Key UTA UNSAFE TO AUDIT The auditor is unable to audit the coded clinical data against the source documentation. For example: There is no clinical information regarding the episode in the auditor s source documentation to support the auditor s code assignment. Primary Diagnosis Error Keys Coder Error PD3 PRIMARY DIAGNOSIS INCORRECT AT THREE CHARACTER LEVEL The primary diagnosis code has been allocated to an incorrect three character code. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at third character level and incorrectly sequenced within a secondary field. PD4 PRIMARY DIAGNOSIS INCORRECT AT FOUR CHARACTER LEVEL The primary diagnosis code has been allocated to an incorrect fourth character. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at fourth character level and incorrectly sequenced within a secondary field. PD5 PRIMARY DIAGNOSIS INCORRECT AT FIVE CHARACTER LEVEL The primary diagnosis code has been allocated to an incorrect fifth character. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at fifth character level and incorrectly sequenced within a secondary field. PDIS PRIMARY DIAGNOSIS INCORRECTLY SEQUENCED The primary diagnosis code recorded by the auditor has been accurately coded but not sequenced as the primary diagnosis by the coder. PDO PRIMARY DIAGNOSIS OMITTED The primary diagnosis recorded by the auditor has not been recorded by the coder in any diagnosis field. This error key should not be assigned when it is clear that the coder has attempted to record the correct primary diagnosis. In such instances the error key PD3 Primary diagnosis incorrect at three character level should be assigned. Non-Coder Error PDI INFORMATION AVAILABLE AT THE TIME OF AUDIT NOT AVAILABLE AT THE TIME OF CODING Information available to the auditors was not available at the time of coding. This is where information regarding the episode became available after the episode was coded. This error key is not to be used if the information was available, but not accessed by the clinical coder at the point of coding, for example, with histopathology reports. This error key would also be assigned by the auditor when the source documentation used at the time of coding did not contain all pertinent information required for accurate and complete coding and the coder did not have access to this information, for example, coding from proforma with no access to the full medical record. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 35 of 40

102 Clinical Coding Audit Velindre NHS Trust PDD PRIMARY DIAGNOSIS DOCUMENTATION ISSUE The auditor s code allocated from the source documentation differs from that of the Trusts due to unclear or inconsistent information. For example: Inconsistency between information recorded by clinical staff contained on source documentation and it is not clear which is correct The source documentation is illegible. PDM PRIMARY DIAGNOSIS CODED TO MANAGEMENT SPECIFICATION There is a clear and documented directive from management to contravene coding to national standards. For example: By adding or optimising the coded clinical data to alter the derived HRG. PDC PRIMARY DIAGNOSIS CODED TO CLINICIAN SPECIFICATION There is a clear and documented directive from clinicians to contravene coding to national standards or capture those instances where a clinician has requested that coding be done in a particular way as it more accurately captures the diagnosis. For example: By recording codes that suit individual preference. PDSC PRIMARY DIAGNOSIS CODED DUE TO SYSTEM CONSTRAINT Due to the system that the Organisation uses the primary diagnosis codes is technically incorrect at some level, omitted or sequenced incorrectly. Secondary diagnosis error key descriptions Coder Error SD3 SECONDARY DIAGNOSIS INCORRECT AT THREE CHARACTER LEVEL The secondary diagnosis code has been allocated to an incorrect three character code. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at third character level and incorrectly sequenced. SD4 SECONDARY DIAGNOSIS INCORRECT AT FOUR CHARACTER LEVEL The secondary diagnosis code has been allocated to an incorrect four character code. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at fourth character level and incorrectly sequenced. SD5 SECONDARY DIAGNOSIS INCORRECT AT FIVE CHARACTER LEVEL The secondary diagnosis code has been allocated to an incorrect five character code. Or, where it is clear the code allocated to classify the disease or health related problem is incorrect at fifth character level and incorrectly sequenced. SDNR SECONDARY DIAGNOSIS NOT RELEVANT The secondary diagnosis code recorded by the coder is not relevant to the episode of care. SDO SECONDARY DIAGNOSIS OMITTED Diagnosis that has been recorded by the auditor as relevant but is missing from the Organisation s recorded episode. This error key should not be assigned when it is clear that the coder has Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 36 of 40

103 Clinical Coding Audit Velindre NHS Trust attempted to record the correct secondary diagnosis. In such instances the error key SD3 Secondary diagnosis incorrect at three character level should be assigned. SDIS SECONDARY DIAGNOSIS INCORRECT SEQUENCING The sequencing of the secondary codes contravenes national standards. This error key can only be assigned for error in the following national standards: Outcome of delivery (Z37 and Z38 if not well baby) Specific coding conventions in ICD-10 i.e. use additional code Extent of body surface in burns (T31, T32) Where an external cause of injury code is incorrectly sequenced ECI EXTERNAL CAUSE CODE INCORRECT The external cause code recorded by the Organisation is incorrect at any character level. If the external cause code is incorrect due to a documentation issue, then the appropriate non coder error key must be assigned instead - i.e. SDD or SDI. ECO EXTERNAL CAUSE CODE OMITTED The external cause code has been omitted from the Organisation s recorded episode. ECNR EXTERNAL CAUSE CODE NOT RELEVANT The external cause code recorded by the coder is not relevant to the episode of care. If the external cause has recorded due to a system constraint then SDSC must be assigned. Non-Coder Error SDI See PDI. INFORMATION AVAILABLE AT THE TIME OF AUDIT NOT AVAILABLE AT THE TIME OF CODING SDD SECONDARY DIAGNOSIS DOCUMENTATION ISSUE The auditor s code allocated from the source documentation differs from that of the Trusts due to unclear or inconsistent information. For example: Inconsistency between information recorded by clinical staff contained on source documentation and it is not clear which is correct The source documentation is illegible. SDM SECONDARY DIAGNOSIS CODED TO MANAGEMENT SPECIFICATION There is a clear and documented directive from management to contravene coding to national standards. For example: By adding or optimising the coded clinical data to alter the derived HRG. SDC SECONDARY DIAGNOSIS CODED TO CLINICIAN SPECIFICATION There is a clear and documented directive from clinicians to contravene coding to national standards or capture those instances where a clinician has requested that coding be done in a particular way as it more accurately captures the diagnosis. For example: By recording codes that suit individual preference. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 37 of 40

104 Clinical Coding Audit Velindre NHS Trust SDSC SECONDARY DIAGNOSIS CODED DUE TO SYSTEM CONSTRAINT Due to the system that the Organisation uses, codes are technically incorrect at some level, omitted or sequenced incorrectly. This includes external cause codes that are not relevant to the episode of care, but have been recorded due to system constraint. Primary procedure error key descriptions Coder Error PP3 PRIMARY PROCEDURE INCORRECT AT THREE CHARACTER LEVEL The primary procedure code has been allocated to an incorrect three character code. Or, where it is clear the code allocated to classify the procedure or intervention is incorrect at third character level and incorrectly sequenced within a secondary field. Where the procedure code has been incorrectly assigned to an OPCS-4 principal category instead of the principal category s associated extended category, the error key PP4 Primary procedure incorrect at four character level should be assigned PP4 PRIMARY PROCEDURE INCORRECT AT FOUR CHARACTER LEVEL The primary procedure code has been allocated to an incorrect four character code. Or, where it is clear the code allocated to classify the procedure or intervention is incorrect at fourth character level and incorrectly sequenced within a secondary field. PPIS PRIMARY PROCEDURE INCORRECTLY SEQUENCED The primary procedure or intervention code recorded by the auditor has been accurately coded but not sequenced as the primary procedure by the coder. PPO PRIMARY PROCEDURE OMITTED The primary procedure recorded by the auditor has not been recorded by the coder in any procedure field. This error key should not be assigned when it is clear that the coder has attempted to record the correct primary procedure. In such instances the error key PP3 Primary procedure incorrect at three character level should be assigned. PPNR PRIMARY PROCEDURE NOT RELEVANT The primary procedure recorded by the coder is not relevant to the episode of care. Non-Coder Error PPI See PDI. PPD INFORMATION AVAILABLE AT THE TIME OF AUDIT NOT AVAILABLE AT THE TIME OF CODING PRIMARY PROCEDURE DOCUMENTATION ISSUE The auditor is unable to code the clinical data from the source documentation and compare against that of the Trusts due to unclear or inconsistent information. For example: Inconsistency between information recorded by clinical staff contained on the source documentation and it is not clear which is correct The source documentation is illegible. PPM PRIMARY PROCEDURE CODED TO MANAGEMENT SPECIFICATION There is a clear and documented directive from management to contravene coding to national standards. For example: Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 38 of 40

105 Clinical Coding Audit Velindre NHS Trust By adding or optimising the coded clinical data to alter the derived HRG. PPC PRIMARY PROCEDURE CODED TO CLINICIAN SPECIFICATION There is a clear and documented directive from clinicians to contravene coding to national standards or capture those instances where a clinician has requested that coding be done in a particular way as it more accurately captures the intervention that occurred. For example: By recording codes that suit individual preference. PPSC PRIMARY PROCEDURE CODED DUE TO SYSTEM CONSTRAINT Due to the system that the Organisation uses codes are technically incorrect at any level, omitted or sequenced incorrectly. Secondary Procedure error key descriptions Coder Error SP3 SECONDARY PROCEDURE INCORRECT AT THREE CHARACTER LEVEL The secondary procedure code has been allocated to an incorrect three character code. Or, where it is clear the code allocated to classify the procedure or intervention is incorrect at third character level and incorrectly sequenced. Where the procedure code has been incorrectly assigned to an OPCS-4 principal category instead of the principal category s associated extended category, the error key SP4 Primary procedure incorrect at four character level should be assigned SP4 SECONDARY PROCEDURE INCORRECT AT FOUR CHARACTER LEVEL The secondary procedure code has been allocated to an incorrect four character code. Or, where it is clear the code allocated to classify the procedure or intervention is incorrect at fourth character level and incorrectly sequenced. SPIS SECONDARY PROCEDURE INCORRECTLY SEQUENCED The Organisation has not sequenced the procedure coding according to the rules and conventions of the classification. For example: See use as secondary code when associated with SPO SECONDARY PROCEDURE OMITTED Secondary procedure that has been recorded by the auditor as relevant but is missing from the Organisation s recorded episode. This error key should not be assigned when it is clear that the coder has attempted to record the correct secondary procedure. In such instances the error key SP3 Primary procedure incorrect at three character level should be assigned. SPNR SECONDARY PROCEDURE NOT RELEVANT The secondary procedure code recorded by the coder is not relevant to the episode of care. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 39 of 40

106 Clinical Coding Audit Velindre NHS Trust Non-Coder Error SPI INFORMATION AVAILABLE AT THE TIME OF AUDIT NOT AVAILABLE AT THE TIME OF CODING See PDI. SPD SECONDARY PROCEDURE DOCUMENTATION ISSUE The auditor is unable to code the clinical data from the source documentation and compare against that of the Trusts due to unclear or inconsistent information. For example: Inconsistency between information recorded by clinical staff contained on the source documentation and it is not clear which is correct The source documentation is illegible. SPM SECONDARY PROCEDURE CODED TO MANAGEMENT SPECIFICATION There is a clear and documented directive from management to contravene coding to national standards. For example: By adding or optimising the coded clinical data to alter the derived HRG. SPC SECONDARY PROCEDURE CODED TO CLINICIAN SPECIFICATION There is a clear and documented directive from clinicians to contravene coding to national standards or capture those instances where a clinician has requested that coding be done in a particular way as it more accurately captures the intervention that occurred. For example: By recording codes that suit individual preference. SPSC SECONDARY PROCEDURE CODED DUE TO SYSTEM CONSTRAINT Due to the system that the Organisation uses codes are technically incorrect at any level, omitted or sequenced incorrectly. Document: Velindre NHS Trust Audit Report v1.0 Date: 9 th May 2016 Authors: Mrs. Helen Dennis ACC, Mrs. Sarah Norman ACC Version: 1.0 (Final) Page 40 of 40

107 IG & IM&T COMMITTEE VCC Information Governance Incidents Trend Analysis Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Neil Stevens, Information Governance Manager Mark Osland, Director of Finance & Informatics Ann Marie Stockdale, Head of IM&T VCC IG & IM&T Group IG & IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: The Group are requested to NOTE the content of this report This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.4 Information Governance and Communications Technology Standard 3.5 Record Keeping

108 2 VCC IG Incidents Trend Analysis 1. Introduction / Background All incidents (to incl. IG) are currently reported via the Trust s Datix system. All staff are made aware of the need and importance of reporting all divisional incidents to ensure appropriate investigation can be undertaken and any lessons learnt are implemented.. 2. Timing: This report highlights and presents to the Committee an awareness of the increased number of IG reported incidents within the organisation over the past 12 months and the level of reported IG incidents year on year. 3. Description: For the purposes of providing the Committee with an analysis around the trend and increase in the number of IG reported incidents reported within Velindre Cancer Centre. Welsh Blood Service are not included at present, as the information has only been collated in a consistent manner within the last 12 months following a redefining of IG and Records Management issues. 4. Financial Impact: In recent years the Information Commissioners Office powers have been strengthened including the power to impose financial penalties (fine of up to 500,000) and issuing enforcement action. The number of public bodies fined and the size of fines has continued to increase, and health organisations still rank as the highest number of reported incidents to the Information Commissioners Office in any one year. 5. Quality, Equality, Safety and Patient Experience Impact: The loss or disclosure of personal information should be an important consideration for all staff on a day to day basis as it can seriously damage the Trust s reputation and undermine patients and/or service user s trust. 6. Considerations for Board / Committee: Over the last twelve months there have been a total of 182 IG incidents reported via Datix; broken down further into the following quarter reporting periods: Jul to Sept '15 Oct to Dec '15 Jan to Mar '16 Apr to Jun '16 Page 2

109 3 VCC IG Incidents Trend Analysis A subsequent trend analysis of the data has indentified a common number of types of incidents to have been reported: Apr to Jun 16 (Qtr 1) Jan to Mar 16 (Qtr 4) Oct to Dec 15 (Qtr 3) Jul to Sept 15 (Qtr 2) 5 0 Misdirection Incomplete Discharge Summaries Misfiling/Loose Papers Blue Admission Sheets Scanning These incidents equate to approximately 50% (93 separate incidents) of all reported incidents over the four reporting periods in question. Whilst steps are continually undertaken to raise staff awareness, policies and procedures exist and targeted staff engagement to include staff IG training, communication techniques such as Trust Talk Magazine, IG alerts, etc. There remains a high level of incidents; in particular a continued trend in the type of incidents being reported. The report highlights a potential impact and risk of miscommunication, use and/or loss of information not only from an Information Governance perspective, but also from a clinical perspective. In addition the below chart further provides the Group with an analysis of the level of reported IG incidents year on year (data amalgamated by calendar years) Reported Incidents Jan to Dec '14, 129 Jan to Dec '15, 117 Jan to Jun '16, 121 The Group are requested to discuss the content of this report as whilst recognised the increase may be as a direct consequence of areas of the organisation reporting more due to existing techniques in place and the staff engagement that is undertaken. There still remains to be an increased number of these types of incidents being reported as such the risk of miscommunication, use, etc is increasing. For example information being disclosed Page 3

110 4 VCC IG Incidents Trend Analysis about one patient to another/third party by the release of information under Subject Access Requests or through the continued misfiling and loose storage that could lead to information about one patient being used clinically to treat another patient and/or information becoming lost due to inappropriate storage of information. 7. Next Steps: Action plan to be developed to manage and monitor the trends in incidents; and identifying the actions being undertaken in addressing the reoccurring themes. Plan to be developed by the VCC Information Governance Manager with IG trend analysis reports to be continually provided at the VCC IG & IM&T Group, VCC Senior Management Team and the Trusts IG & IM&T Management Group and Committee. In addition continual staff engagement and awareness of the importance to ensure personal information is always being protected and safeguarded. The Group s consideration and further dissemination to staff of the importance and responsibilities to ensure the correct processes are followed when handling, using, access, etc all organisational information. Page 4

111 IG & IM&T COMMITTEE C-PIP Reports and Plan Meeting Date: 5 September 2016 Author: Sponsoring Executive Director: Report Presented by: Committee/Group who have received or considered this paper: Neil Stevens, Information Governance Manager Steve Ham, Chief Executive, Velindre NHS Trust Neil Stevens, Information Governance Manager (VCC) VCC IG & IM&T Group WBS IG & Records Management Group, IG&IM&T Management Group Trust Resolution to: (please tick) Approve: Endorse: Discuss: Note: Recommendation: The Committee are being requested to NOTE the content of this report This report supports the following Trust objectives as set out in the Integrated Medium Term Plan: (please tick) Equitable and timely services Providing evidence based care and research which is clinically effective Supporting our staff to excel Safe and reliable services First class patient /donor experience Spending every pound well This report supports the following Health & Care Standards: Standard 3.4 Information Governance and Communications Technology Standard 3.5 Record Keeping

112 1. Introduction / Background The Caldicott Manual provides all involved with protecting and using Patient Identifiable Information (PII) with a knowledge framework with what they need to know, why they need to do it and how to do it. 2. Timing: On an annual basis there is a requirement for NHS Wales organisations to develop work programmes and complete an annual online Caldicott: Principles into Practice (C-PIP) assessment tool; which enables the organisation to quickly evaluate its compliance rate and plan improvements. 3. Description: For the purpose of providing assurance to the Committee of divisional and hosted organisational continued compliance with Caldicott. 4. Financial Impact: There are no financial considerations. 5. Quality, Equality, Safety and Patient Experience Impact: There are no quality, equality, safety and patient experience impact considerations. 6. Considerations for Board / Committee: The Trust differs from other NHS Wales Health Boards/Trusts in that operational divisions and hosted organisations are responsible for completing their own C-PIP assessments. They include individual assessments undertaken by: Welsh Blood Service Velindre Cancer Centre NHS Wales Informatics Service NHS Wales Shared Services Partnership Completion of the C-PIP assessment tool on an annual basis provides all divisions and hosted organisations with the opportunity to measure the extent to which they put the Caldicott Principles into practice. This measurement is achieved through the completion of a set of 41 robust and challenging standards. The tool allows a simple and effective assessment of organisational performance by rating current performance in percentage against the standards to construct an organisational profile. The results of which are then used to form the basis of any necessary Caldicott work/improvement plans. The Committee are being requested to NOTE the content of this report and the attached respective Caldicott out-turn reports and improvement plans. 7. Next Steps: This report sets out the main findings following completion of the 2015/16 Caldicott Assessment, along with the key improvements that need to be considered moving forward for operational divisions and hosted organisations of the Trust.

113 VELINDRE CANCER CENTRE CALDICOTT: PRINCIPLES INTO PRACTICE OUT-TURN REPORT 2015/16 & IMPROVEMENT PLAN 2016/17 April 2016 Prepared by: Neil Stevens Information Governance Manager Velindre Cancer Centre

114 Change Control Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Version Handler Details Date Version 0.1 Neil Stevens Initial Draft 21 st April 2016 Approval Version Handler Group Date V1 Neil VCC SMT 20/06/2016 Stevens Page 2 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

115 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Contents Page Executive Summary 4 1. VCC Caldicott Out-Turn Report 2015/ Introduction 1.2. Outstanding Caldicott Improvement Plan 2015/ VCC Caldicott Standards & Self Assessment 2015/ C-PIP Score 1.5. Yearly C-PIP Score Comparison 2. VCC Caldicott Improvement Plan 2016/ Compliance and Improvement 2.2. Responsibilities 2.3. Timescale 3. Summary 8 Appendices Appendix A VCC Caldicott Assessment 2015/16 9 Appendix B VCC Caldicott Improvement Plan 2017/18 17 Page 3 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

116 EXECUTIVE SUMMARY Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 The objective of the Velindre Cancer Centre (VCC) Caldicott Out-Turn Report 2015/16 and subsequent 2016/17 Improvement Plan is to demonstrate continued compliance with Caldicott and its principles. On an annual basis VCC is required to develop work programmes and complete an annual online C-PIP assessment tool; which enables the organisation to quickly evaluate its compliance rate and plan improvements. Furthermore VCC has a duty to ensure any outstanding actions from the previous year s improvement plan are also maintained and incorporated within the development of the 2016/17 improvement plan. VCC compliance with Caldicott and its principles is an evolving 3 year rolling process:- Improvement Plan 2015/16 Caldicott Out-Turn Report 2015/16 Improvement Plan 2016/17 The Improvement Plan 2015/16 status provides VCC with the assurance that necessary improvements have already been instigated and implemented within the organisation to ensure the continued compliance with Caldicott. These assurances demonstrate that: - Applicable and fully reviewed Information Security Policy; Review of existing portfolio as a means to ensure all devices (with exception to those defined as being medical devices) are encrypted in line with the organisation encryption programme of work. Despite this, there still remain a number of outstanding actions from the 2015/16 plan, all of which have been transferred and incorporated within the 2016/17 VCC Caldicott Improvement Plan. Caldicott Out-Turn Report 2015/16 demonstrates that the organisation has completed its annual requirement of developing work programmes and undertaking the online C-PIP assessment. VCC completed such requirements in April 2016; and gained a C-PIP score of 96%. This demonstrates that currently VCC has an excellent level of assurance of Information Governance risks although there are some weaknesses which require addressing. There was a 1% increase overall from the previous year s assessment. Improvement Plan 2016/17 provides VCC with the work programmes that need to commence over the course of the year to address identified areas of weakness and ensure the organisations continued compliance with Caldicott and its principles. The main areas to highlight are: - Governance Documented procedures established to ensure all new processes undergo some form of privacy impact assessment to check compliance with confidentiality and Data Protection requirements Page 4 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

117 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Management Developing a more in depth organisational business continuity and disaster recovery plan. Information Management establish information flows into and out of the organisation considering flows containing PII. Progress in respect of the improvement plan will be monitored via a number of mechanisms; namely the VCC IG & IM&T Strategy Group, Velindre NHS Trust IG & IM&T Management Group and the Velindre NHS Trust IG & IM&T Committee. The organisation s senior management are therefore recommended to: (a) Accept this report; (b) Continue to receive updates on all Information Governance issues that affect the flows of PII; and (c) Endorse the VCC Caldicott Improvement Plan 2016/17. This report sets out the main findings following completion of the 2015/16 Caldicott Assessment, along with the key improvements that need to be considered. Page 5 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

118 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 1. VCC CALDICOTT OUT-TURN REPORT 2015/ Introduction Since the Caldicott Report was published in 1997 by Dame Fiona Caldicott, there have been significant changes to both Legislation and Codes of Practice which govern access to and use of patient identifiable information. The Caldicott manual provides Guardians and their support staff with updated knowledge about the legal background to their duties and aspects of Information Governance. The manual sets out what as an organisation VCC needs to do and the arrangements that need to be in place to ensure patient information is handled appropriately. This also includes an online Self Assessment tool (C-PIP Assessment) which enables organisations to quickly evaluate where they are with compliance and plan improvement. The C-PIP Assessment consists of 41 Self Assessment standards which have been grouped into 6 sections. Against each question there is a hierarchy of answers, that dependant on which option is selected, will automatically generate a score. VCC must annually assess their compliance with the Caldicott Principles and produce a programme of work and continual improvement plan. 1.2 Outstanding Caldicott Improvement Plan 2015/16 As a result of the annual assessments against the Caldicott Principles and the resultant improvement plans; the organisation has demonstrated a number of improvements over the past year. These include: - Applicable and fully reviewed Information Security Policy; Review of existing portfolio as a means to ensure all devices (with exception to those defined as being medical devices) are encrypted in line with the organisation encryption programme of work. However, there still remain a number of outstanding actions from the 2015/16 plan. Therefore, to ensure continuity, all remaining actions have been appropriately transferred and incorporated into the 2016/17 VCC Caldicott Improvement Plan (Appendix B). 1.3 VCC Caldicott Standards & Self Assessment 2015/16 As part of the Caldicott Annual Programme of Improvement, VCC has self assessed itself against the Caldicott standards. The self assessment allows a simple and effective assessment of organisational performance by rating current performance in percentage against the standards to construct an organisational profile. The online assessment was completed in April 2016 with Appendix A providing:- A copy of the standards; Page 6 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

119 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 The organisation s response (whether fully or partially compliant); Score and any additional comments. 1.4 C-PIP Score Star Rating C-PIP Score ***** % Your responses to the assessment demonstrate an excellent level of assurance of information governance risks. **** 76-90% Your responses to the assessment demonstrate a good level of assurance of information governance risks; but there is still work to be done. *** 51-75% Your responses to the assessment demonstrate a satisfactory level of assurance of information governance risks although there are some significant weaknesses which you should address. ** 21-50% Your responses to the assessment demonstrate an insufficient level of assurance of information governance risks and a number of significant weaknesses which you need to be addressed. * Your responses to the assessment suggest an inadequate level of assurance of information governance risks should be addressed as a matter of urgency. VCC scored 96% and therefore falls within the category highlighted above. 1.5 Yearly C-PIP Score Comparison Out of the 41 standards, VCC are compliant with 37 of the standards and partially compliant with 4. No non compliant responses recorded. This demonstrates VCC compliance with Caldicott and its principles on a number of diverse areas; to include: - appropriately assigned Caldicott Guardian and Information Governance roles and responsibilities including Freedom of Information; Information Governance refresher training/awareness programme for all existing staff that includes the ability to provide more tailored IG awareness sessions to key VCC staff groups; effective reporting and information sharing arrangements in place with appropriate trained personnel; dedicated policies in relation to Information Governance in place; ensuring information is dealt with legally, securely, efficiently and effectively; effective, confidential contractual arrangements with supporting organisations and other service providers; and However the assessment has also indicated a number of areas where improvements can be made; these include but are not exhaustive to: - Page 7 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

120 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 fully developed business continuity and disaster recovery plan; mapping and identification of information flows in and out of the organisation; fully documented process to ensure all new processes undergo some form of privacy impact assessment to check compliance with confidentiality and Data Protection requirements 2. VCC CALDICOTT IMPROVEMENT PLAN 2016/ Compliance and Improvement To ensure VCC continuing compliance and the subsequent need for improvement with respect to Caldicott and its principles, the organisation must appropriately implement a number of management action points as indicated within the Caldicott 2016/17 Improvement Plan (Appendix B). These points include: - Developing a more in depth organisational business continuity and disaster recovery plan; Establishment and mapping of information flows containing PII into and out of the organisation; Documented procedures established to ensure all new processes undergo some form of privacy impact assessment to check compliance with confidentiality and Data Protection requirements. Appendix B provides an analysis of all the necessary standards and their subsequent management action points. 2.2 Responsibilities Implementation and monitoring the progress of the Improvement Plan will be the responsibility of: VCC IG & IM&T Strategy Group; VCC Senior Management Team. 2.3 Timescale VCC will progress the Improvement Plan over the next financial year and regular updates will be monitored via the appropriate organisational/trust forums. There will be requirement placed upon the organisation to complete a new assessment for 2016/17 and ensure any outstanding issues from the existing plan are appropriately transferred and incorporated within any future/revised plans. 3. SUMMARY This report will be presented to VCC Senior Management Team, the VCC IG & IM&T Strategy Group and the Trust s Information Governance & IM&T Management Group and Committee. Actions will be monitored by the VCC Information Governance Manager to ensure continual progress and compliance with the Caldicott Principles. Page 8 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

121 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 VCC Caldicott Assessment 2015/16 Appendix A Number Assessment Standard VCC Response Score Comments Section 1 Governance The organisation must assign Caldicott and Information Governance responsibilities G1 Has your organisation appointed a Caldicott Guardian? Compliant 2/2 The organisation has an appointed Caldicott Guardian who is appropriately trained and receives updates on all aspect of Information Governance. They are a senior member of staff and sit on the management board/equivalent of the organisation. Additionally twice yearly Trust Caldicott Guardian meetings in place. G2 G3 Does your organisation have an Information Management or Governance Strategy that has been approved by the Board or equivalent? Is Information Governance included within the responsibilities of a Board within your organisation and does it receive regular reports from Information Governance? Compliant 1/1 Appropriately endorsed strategy and all necessary policies are in place and approved. Compliant 1/1 Information Governance is a part of the Board and regular highlight reports/updates are provided to appropriate Velindre senior management, Trust IG & IM&T Management and Committee forums. With reports also cascaded to the VCC IG & IM&T Strategy Group. G4 Is there an Information Governance work plan, sponsored by the Caldicott Guardian and approved by the Board or its equivalent? Compliant 1/1 The Caldicott Guardian is continually made aware of all issues that relate to PII within the organisation with necessary work plans in place between the Caldicott Guardian and Information Governance Manager. Page 9 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

122 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 G5 G6 G7 G8 G9 Has the Records Management Policy and implementation plan been approved by the Board or its equivalent, communicated to appropriate staff and reviewed on a regular basis? Do mechanisms and guidelines exist to ensure that any decision taken by a patient or service user to restrict the disclosure of their personal information are appropriately respected? Is information risk management included in the organisation s wider risk assessment and management framework? Does the organisation have documented and accessible information security incident reporting, investigation and resolution procedures in place that are explained to all staff? Does the organisation have formal contractual arrangements with all contractors and support organisations that include their responsibilities in respect of information security and confidentiality? Compliant 1/1 The policy has been approved by the Board and has been communicated to all members of staff, who have access to and been made aware of any changes to the policy. Compliant 2/2 Appropriate mechanisms are in place within VCC to ensure compliance with both legislative and necessary codes of practice responsibilities. Training is provided to staff. Compliant 2/2 A robust framework is in place whereby all staff have the capability to raise and report any potential risk to the organisation. Regular reviews/updates are undertaken by appropriate local and Trust forums. Compliant 2/2 Currently all IT related incidents are captured via the organisational ServicePoint mechanism in addition to the Datix Incident Management System. Those within the Datix system are captured against a predefined set of Information Governance/IT related Codes. Incidents are investigated, reported and communicated to necessary local and Trust forums. Compliant 2/2 Contracts include necessary aspects of information security and confidentiality responsibilities. Contracts are monitored and security measures enforced. Contracts allow for amendment according to legislation/review. G10 Does the organisation ensure that all new services, projects, processes, software and hardware comply with information security, Partially Compliant 1.2/2 Safeguards exist to ensure new processes are approved prior to implementation. Furthermore dedicated roles and responsibilities in place within Page 10 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

123 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 confidentiality and data protection requirements? VCC for ensuring these requirements are managed. No formal documentation in place setting out the requirement for Privacy Impact Assessment to be undertaken across the site. M1 M2 M3 M4 M5 M6 Where staff have been assigned Information Governance roles, are they appropriately qualified & trained Was the organisations last assessment of performance against the Caldicott Standards completed within the last year? Does the organisation have a comprehensive Records Management Policy for corporate and medical records? Does the organisation have an accurate and up to date Notification to the Information Commissioner under the Data Protection Act 1998? Is Data Protection comprehensively addressed either in a dedicated policy or by its incorporation into another policy? Is Information Security comprehensively addressed either in a dedicated policy or by its incorporation in a wider security policy? Compliant 5/5 Throughout the organisation there are appropriate levels of roles and responsibilities delegated that meet the requirements of the organisation. All roles have the necessary level of expertise and training. Compliant 1/1 Assessment within the last year. Compliant 1/1 Trust policy in place. Compliant 1/1 Notification is reviewed periodically and updated as and when required. As a Division of Velindre NHS Trust - VCC are named as an associated organisation within the Trusts registration with the ICO (Registration number - Z ). Compliant 1/1 The policy has been approved by the Trust Board and has been communicated to all members of staff. Staff are made aware of any changes to policy. Compliant 1/1 The policy has been approved by the Trust Board and has been communicated to all members of staff. Staff are made aware of any changes to policy. M7 Does the organisation have an up to date Partially 1/2 Both Business Continuity and Disaster Recovery Page 11 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

124 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Business Continuity and Disaster Recovery Plan? Compliant plans agreed at the VCC IG & IM&T Group. Plan limited to a specific VCC area in the first instance with work to develop a more in depth plan to commence during 2015/16. M8 M9 IP1 IP2 Is a comprehensive confidentiality statement included within all established staff and nonstaff contracts Does the organisation have arrangements in place to include staff responsibility for the following areas? Does the organisation have appropriate procedures for recognising and responding to patient and service user to access their own records? Do you tell patients and service users about the ways in which their information will, or may be used? Compliant 1/1 All established staff and agency contracts consist of a comprehensive confidentiality statement. Compliant 2/2 All aspects are included in job descriptions. Compliant 2/2 Formal documented procedure and polices in place. Compliant 2/2 Posters and leaflets are placed in prominent positions and the organisation also makes use of electronic displays to promote the Your information Your Rights Information Leaflets. Patient Information Manager and Information Governance Manager in post. TA1 TA2 Does your organisation have a mechanism for addressing Information Governance for new staff at induction? Have you conducted an analysis of information governance training needs? Compliant 2/2 Induction training programme in place. Compliant 2/2 Review and analysis of IG training needs and refresher periods undertaken in conjunction with Ed & Dev Department. Page 12 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

125 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 TA3 TA4 Do you provide information governance training to staff, other than at induction? What percentage of your staff have undertaken an Information Governance training session? Compliant 2/2 Refresher training is available to all staff and volunteers with tailored/bespoke sessions also being established for key staff groups. Partially Compliant 0.8/1 63% of staff reported as being complaint in respect of IG training. IM1 Have information flows been comprehensively mapped and has ownership for information assets been established? Partially Compliant 1/2 Some, but not all information flows have been mapped (i.e. Velindre patient information journey within Canisc established). Work is continually taking place to ensure all flows have been noted. IM2 IM3 IM4 Does the organisation have a policy and procedures in place to ensure the security of paper and electronic records in transit? Has the organisation made progress in implementing the Wales Accord for the Sharing of Personal Information (WASPI)? Is there awareness of the organisation s responsibilities when transferring personal data outside of the European Economic Area (EEA)? Compliant 2/2 Specific VCC Secure Transfer of Information procedure in place. All appropriate staff have been made aware of this procedure and its availability via the VCC Intranet page. Compliant 2/2 The Accord has been signed at Trust level and any new ISP s are developed using the WASPI templates. Compliant 1/1 The organisation has notified the transfer of personal data on the Data Protection register and arrangements are in place to recognise transfer requirements. IM5 Does the organisation have a strategy to ensure the correct NHS number is recorded for each active patient and service user, and that it is used routinely in clinical communications? Compliant 2/2 An audit of incomplete datasets i.e. the NHS Wales Data Switching Service (NWDSS) is received on a regular basis. The NHS number is included on clinical correspondence. Steps underway to ensure compliance with a recent Page 13 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

126 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 IM6 IM7 IM8 CA1 CA2 CA3 Does the organisation have paper health records of a standard design? Does the organisation have documented procedures on the identification and resolution of duplicate or confused patient records for patients and service users? Does the organisation have processes and procedures in place to enable it to regularly monitor, measure and trace paper health records? Is there a Confidentiality Code of Conduct (or equivalent) which provides staff with clear guidance on the disclosure of patient/service user identifiable information? Are processes in place to ensure that contractors understand their responsibilities regarding confidentiality and information security? Has the organisation made progress with encryption of devices containing personal identifiable information (PII) in line with the Encryption Code of Practice for NHS Wales organisations (2009)? DSCN issued by the Welsh Government setting out the operational use of the NHS Number. Compliant 1/1 Standard design in place and reviewed as per the VCC Health Records Group. Compliant 1/1 A robust system is in place to prevent and identify duplicate records. Compliant 1/1 Tracking system in place and fully utilised. Regular monitoring is undertaken by the Health Records Manager. Compliant 2/2 A programme is in place to support compliance with the code i.e. Monitoring and Information Governance Training. Compliant 1/1 All contractors understand their responsibilities. Compliant 2/2 Review of existing portfolio as a means to ensure all devices (with exception to those defined as being medical devices) are encrypted in line with the organisation encryption programme of work. Formal process agreement in place for the dissemination of encrypted USB memory sticks. Furthermore implementation and use of the Secure File Sharing Portal. CA4 What controls are in place to restrict staff Compliant 2/2 Appropriate defined and documented (Microsoft Page 14 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

127 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 CA5 CA6 CA7 access to patient/service user identifiable information? Are there physical access controls in place for relevant buildings? What password management controls are in place for information systems that hold patient/service user information? Has the organisation established appropriate confidentiality audit procedures to monitor access to patient identifiable information? Access Protocols) access rights are in place and agreed for all staff. Developed process for authorising access to Canisc authorised VCC signatories limited to just four roles Information Governance Manager, Health Records Manager, Head of IM&T and Caldicott Guardian. Compliant 2/2 All offices/identified departments have the necessary physical security measures in place that are proportionate to the sensitivity of the information. Code lock systems are currently in operation. Visitors are required to appropriately sign in at the reception desk. CCTV is utilised across a number of departments with extra security measures also in place i.e. security guard facility. Compliant 1/1 All systems are protected by Microsoft Access protocol with staff receiving regular prompts to change their password. In addition staff are continually reminded of the importance to keep their password confidential with any sharing totally prohibited. Access to any potential PII is on a strict need to know and password entry basis with access requiring the necessary authorisation. Compliant 2/2 An audit capability exists within existing systems and any potential breaches are appropriately investigated by the Information Governance Manager. In addition a robust electronic Incident Reporting tool is available to all staff and responsibility for monitoring has been assigned. Page 15 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

128 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Furthermore the organisation has implemented the National Intelligent Integrated Audit Solution as a further enhancement to existing audit and monitoring techniques. CA8 Does the organisation have appropriate policies in place to cover risks associated with off-site working using electronic and manual records containing person identifiable information (PII)? Compliant 1/1 Policies for off-site working are in place as well as associated risk assessment processes. Page 16 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

129 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 VCC Caldicott Improvement Plan 2016/17 Appendix B G10 Assessment Standard Does the organisation ensure that all new services, projects, processes, software and hardware comply with information security, confidentiality and data protection requirements? Management Action Documented procedures established to ensure all new processes undergo some form of privacy impact assessment to check compliance with confidentiality and Data Protection requirements. Responsible Department All Objective Owner IG & IM&T representatives Implementation Date Qtr 4 Progress (Traffic Light) Comments M7 IM1 Does the organisation have an up to date Business Continuity and Disaster Recovery Plan? Have information flows been comprehensively mapped and has ownership for information assets been established? Development of a more comprehensive/ tried and tested Business Continuity and Disaster Recovery Plan Establish information flows into and out of the organisation considering flows containing PII Cancer Services All Director of Operational Services Departmental Heads Qtr 4 Qtr 4 Interim plan in place with work ongoing to establish a more fully developed and tested plan Information flows partially mapped through the project implementation - overview of Velindre patient information journey within Page 17 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

130 Velindre Cancer Centre Caldicott Out-Turn Report 2015/16 Canisc established Page 18 of 18 Author: Neil Stevens Version 1 Approved by: VCC SMT

131 WELSH BLOOD SERVICE CALDICOTT: PRINCIPLES INTO PRACTICE OUT-TURN REPORT 2015/16 & IMPROVEMENT PLAN 2016/2017 April 2016 Prepared by: Clare Small Quality & Risk Development Manager

132 CONTENTS 1.0 Executive Summary Background Work Programme Action Required Report Summary Caldicott: Principles into Practice (C-PIP) Caldicott Standards & Self Assessment 2.3 C-PIP Score 2.4 Yearly Score Comparison Improvement Plan 2016/ Improvement Plan 2016/ Responsibilities Time-scales Quality Assurance Summary 12 Appendix A 13 Page 2 of 15

133 1.0 EXECUTIVE SUMMARY 1.1 Background In 2008, a review was undertaken of the Caldicott Manual, which resulted in the launch of the new The Foundation Manual for Caldicott Guardians, Caldicott Leads and Information Governance Leads. This manual provides all involved with protecting and using PII with a knowledge framework with what they need to know, why they need to do it and how to do it. It also includes an online Self-Assessment tool (C-PIP Assessment) which enables organisations to quickly evaluate where they are with compliance and improvement. 1.2 Work Programme WBS is required to develop work programmes to assess their compliance with the Caldicott Principles on an annual basis. As such WBS has completed the online self-assessment tool in April 2016 and has developed this Improvement Plan. Progress with the improvement plan will be monitored via the via the WBS Information Management Technology and Governance (IMT&G) Group on a quarterly basis. The following out-turn report provides a summary of the completed assessment for 2015/16 and the improvement plan for 2016/17. Any outstanding issues from previous Caldicott Improvement Plans (CIP) will have been transferred into the 2016/17 CIP. 1.3 Action Required The Senior Management Team (SMT) are therefore asked to: (a) Accept this report (b) Continue to receive updates on all Information Governance issues that affect the floes of PII (c) Endorse the Improvement Plan shows in Appendix A Page 3 of 15

134 2.0 REPORT SUMMARY 2.1 Caldicott: Principles into Practice (C-PIP) The Caldicott Foundation Manual: Principles into Practice (C-PIP) provides Guardians and their support staff with updated knowledge about the legal background to their duties and aspects of Information Governance. The manual sets out what as an organisations, WBS, needs to do and the arrangements that need to be in place to ensure patient/donor information is handled appropriately. The C-PIP Assessment consists of 41 Self Assessment standards which have been grouped into 6 sections. Against each question there is a hierarchy of answers that depending on which option is selected will automatically generate a score. WBS must then annually assess their compliance with the Caldicott Principles and produce a programme of work and continual improvement. 2.2 Caldicott Standards & Self Assessment As part of the Caldicott Annual Programme of Improvement, WBS has self-assessed itself against the updated Caldicott standards. The self assessment allows a simple and effective assessment of organisational performance by rating current performance in percentage against the standards to construct an organisational profile. In doing this, the on line assessment was completed with a copy of the standards below, the organisation s response (whether fully or partially compliant), score and any additional comments: Number Assessment Standard WBS Response Score Comments Section 1 Governance The organisation must assign Caldicott and Information Governance responsibilities G1 Has your organisation appointed a Caldicott Guardian 2/2 Yes, out Caldicott Guardian is a senior member of staff who sits on the Senior Management Team (SMT) or equivalent. The Caldicott Guardian has received appropriate Information Governance training. The Caldicott Guardian receives and is able to provide regular updates to colleagues in respect of G2 Does your organisation have an Information Management Strategy that has been approved by the Board or equivalent? information governance. 1/1 Yes, this has been approved by the board and is up to date. Page 4 of 15

135 G3 G4 G5 G6 G7 G8 G9 Do staff responsible for Information Governance provide regular reports to the Board or equivalent? Is there an Information Governance work plan, sponsored by the Caldicott Guardian and approved by the Board or equivalent? Has the Records Management Policy and implementation plan been approved by the Board or its equivalent, communicated to appropriate staff and reviewed on a regular basis? Do mechanisms and guidelines exist to ensure that any decision taken by a patient or service user to restrict the disclosure of their personal information are appropriately respected? Is information risk management included in the organisation s wider risk assessment and management framework? Does the organisation have documented and accessible information security incident reporting, investigation and resolution procedures in place that are explained to all staff? Does the organisation have formal contractual arrangements with all contractors and support organisations that include their responsibilities in respect of information security and confidentiality? 1/1 Yes. This is provided through incidents reported on Datix 1/1 Yes, this has been approved by the SMT and is up to date. 1/1 Approved by the Board or its equivalent, communicated to appropriate staff and reviewed on a regular basis. 2/2 Yes, the guidelines and procedures are freely available and all the appropriate staff are aware. Policy and guidelines are subject to regular review. 2/2 A formal programme exists with regular reviews, outcome reports, and recommendations provided to reduce likelihood of any breaches of confidentiality, These are made to the board or equivalent. 2/2 Procedures are documented and accessible to all staff to ensure incidents are reported and investigated properly. 2/2 Yes basic confidentiality statements are included in contracts with supporting organisation. Contracts are monitored and security measures enforced. Information security policies are provided to service providers when the organisation enters into contracts which involves exchange of/access to patient/donor/services user data and access to the Page 5 of 15

136 G10 Does the organisation ensure that all new services, projects, processes, software and hardware comply with information security, confidentiality and data protection requirements? Section 2 Management The organisation must have core policies in place for Caldicott and Information Governance. M1 Where staff have been assigned Information Governance roles, are they appropriately qualified & trained M2 M3 M4 M5 M6 Was the organisations last assessment of performance against the Caldicott Standards completed within the last year Does the organisation have a comprehensive Records Management Policy for corporate and medical records Does the organisation have an accurate and up to date Notification to the Information Commissioner under the Data Protection Act 1998? Is Data Protection comprehensively addressed either in a dedicated policy or by its incorporation into another policy Is Information Security comprehensively addressed either in a dedicated policy or by organisations IT systems. Contracts allow for amendments according to legislation and annual reviews. Contracts allow for monitoring of compliance with the organisations policies. 2/2 Yes- there are documented procedures to ensure all new processes undergo some form or privacy impact assessment to check compliance with confidentiality and Data Protection Requirements. The organisation approves all new processes before they are implemented. 5/5 Where roles have been assigned training has been completed. 1/1 Yes 1/1 Clear guidelines on the storage of records. Guidelines on the process for records creation. Guidelines on staff training in record keeping. Guidelines on formal procedures for closure, disposal and retention of records 1/1 Yes 1/1 Yes, the policy is up to date. It is subject to regular review and monitoring. It is comprehensive. It is freely available. 1/1 Yes, the policy is up to date. It is subject to regular review and monitoring. It is comprehensive. It is Page 6 of 15

137 its incorporation in a wider security policy freely available. M7 Does the organisation have an up to date Business Continuity and Disaster Recovery Plan? 2/2 WBS has a Business Continuity Plan and Disaster Recovery Plan for Information Systems, These plans are tested and regularly reviewed. M8 Is a comprehensive confidentiality statement included within all established staff and nonstaff contracts 1/1 Included in temporary staff contracts, agency staff contracts, volunteer contracts and in established staff contracts. M9 Are personal responsibilities in respect of confidentiality, records management, information security, data protection and freedom of information in all job descriptions? 1/2 Confidentiality, Records Management, Information Security, Data Protection and Freedom of Information are included in job descriptions and information is presented at induction and staff awareness sessions. Section 3 Information for Patients and Service Users The organisation must have an active information campaign in place to inform patients about the use of their information. IP1 Does the organisation have appropriate procedures for recognising and responding to patient requests for access to health records 2/2 There is a formally documented procedure which is subject to regular review and is updated where necessary. The procedure has been publicised and staff who are likely to receive a subject access request have been effectively made aware of procedure. The organisation also actively informs the general public about their rights to access the data held about them through posters, leaflets, websites IP2 Do you tell patients and service users about the ways in which their information will or may be used? and newsletters. 2/2 Staff actively promote understanding of the ways in which patient/service user information will be used, including where patient information is used for purposes other than direct care. Information for patients is regularly updated and this is supported by comprehensive arrangements for patients with special/different needs. Section 4 Training and Awareness The organisation must assess Information Governance training needs and ensure that role specific information is provided to all staff. Page 7 of 15

138 TA1 TA2 TA3 Does your organisation effectively address information governance for all staff at induction? Have you conducted an analysis of information governance training needs? Do you provide information governance training to staff, other than at induction? TA4 What percentage of staff have undertaken and Information Governance training session? Section 5 Information Management 2/2 Yes, information governance is part of the statutory training and compliance is monitored. 2/2 Systematic and comprehensive assessment of staff training needs is undertaken (both staff groups and individual) 2/2 Yes training provision is targeted where comprehensive information governance training is provided to all staff according to training need and written evidence is kept. 1/1 88% of staff have undertaken Information Governance training The organisation must ensure that information is dealt with legally, securely, efficiently and effectively. IM1 Have information flows been comprehensively mapped and has ownership for information assets been established? IM2 IM3 IM4 IM5 Does the organisation have appropriate arrangements in place to support the Information Sharing Agenda? Has the organisation made progress in implementing the Wales Accord for the Sharing of Personal Information (WASPI)? Are sufficient arrangements in place to ensure that the organisation complies with Data Protection requirements in respect of personal data outside of the EEA? Does the organisation have a strategy to ensure the correct NHS number is recorded for each active patient and that it is used 2/2 Information flows have been mapped, recorded and are subject to review. 2/2 Yes, and procedures are in place. 2/2 Yes, we have signed the Accord at Trust level. 1/1 The organisation has document information flows and has specifically accounted for any transfers outside EEA. Measures are in place to ensure an adequate level of protection for the data and the rights of individuals. 2/2 The NHS number is not widely used within WBS, however the new IT initiatives will have an impact on WBS and the NHS number could be more widely Page 8 of 15

139 routinely in clinical communications? used (e.g. LIMS,BECS). It is not intended to use the NHS number within BECS. THE NWIS IG Lead agreed that WBS should score this actions as complete because there is no N/A facility in the assessments. The NHS number is not controlled by the WBS. The requirement for the use of the NHS Number for all patients is included within a policy. NHS number IS in use, but its use is not mandatory IM6 Does the organisation have paper health records of a standard design? IM7 Does the organisation have documented procedures on the identification and resolution of duplicate or confused patient records? IM8 Does the organisation have processes and procedures in place to enable it to regularly monitor, measure and trace paper health records? Section 6 Controlling Access to Confidential Information The organisation must have arrangements in place to control and monitor access to information. CA1 Is there a Confidentiality Code of Conduct which provides staff with clear guidance on the disclosure of patient/service user identifiable information? The only way we monitor compliance as to the correct NHS number - SERIF does not allow duplicate NHS numbers so when an identical NGS number is attempted the user is alerted and has to sort out the problem. 1/1 The organisation has an agreed standard design and changes are approved by the appropriate forum prior to implementation. 1/1 Yes, procedures are in place and reports are produced and acted upon to take remedial action. 1/1 Processes for monitoring and measuring health records availability are in place and regularly reviewed. 2/2 A clear and comprehensive Code of Conduct exists and is freely available. All staff are made aware of it and the impact it has on their work area. A training and awareness programme is in place to support Page 9 of 15

140 CA2 CA3 CA4 CA5 CA6 CA7 CA8 Are processes in place to ensure that contractors understand their responsibilities regarding confidentiality and information security? Are there safe haven procedures in place for sharing information both electronically and manually? What controls are in place to restrict staff access to patient/service user identifiable information? Are there physical access controls in place for relevant buildings? What password management controls are in place for information systems that hold patient/service user identifiable information systems? Has the organisation established appropriate confidentiality audit procedures to monitor access to patient identifiable information? Does the organisation have appropriate policies in place to cover risks associated compliance with the Code. 1/1 We include advice to all contractors on confidentiality and include it in our procurement processes. 2/2 Yes High Risk devices containing PII have been encrypted and All portable computers containing PII have been encrypted. 2/2 All staff have defined and documented access rights agreed by the System Owner and/or Caldicott Guardian. Access is controlled, monitored and audited. 2/2 Yes the security controls deployed are proportionate to the sensitivity of the information. Physical access controls are in place for buildings, storage areas and rooms within buildings; security procedures are regularly reviewed and their effectiveness monitored. 1/1 All systems are protected by a strong password element and user name. At regular intervals passwords have to be changed with staff informed that sharing passwords is prohibited, Access to any potential PII is on a need to know basis and must be approved by the appropriate individual 2/2 Responsibility for monitoring and auditing access to patient/donor information has been assigned. Procedures are implemented and action is taken where confidentiality processes have been breached. Audit procedures are regularly reviewed and updated as necessary. 1/1 Yes, risk assessments are undertaken where a user is or may be required to work with PII off site. Page 10 of 15

141 Page 11 of 15 with mobile/tele working?

142 2.3 C-PIP Score Star Rating C-PIP Score ***** % Your responses to the assessment demonstrate an excellent level of assurance of information governance risks. **** 76-90% Your responses to the assessment demonstrate a good level of assurance of information governance risks; but there is still work to be done. *** 51-75% Your responses to the assessment demonstrate a satisfactory level of assurance of information governance risks although there are some significant weaknesses which you should address. ** 21-50% Your responses to the assessment demonstrate an insufficient level of assurance of information governance risks and a number of significant weaknesses which you need to be addressed. * Your responses to the assessment suggest an inadequate level of assurance of information governance risks should be addressed as a matter of urgency. WBS has scored 99% and therefore falls within the category highlighted above at a 5 star rating 2.4 Yearly Score Comparison The organisation is fully compliant with 40 standards, and 1 not applicable. 3.0 IMPROVEMENT PLAN 2016/ Responsibilities Implementation and progress of the Improvement Plan [Appendix A] will be the responsibility of SMT. Considerable work has been undertaken since 2008 resulting in WBS achieving a 99% compliance rating. National initiatives, such as the introduction of strong passwords, has also impacted on the organisations compliance levels. This has resulted in no direct actions from this year s assessment. The improvement plan indicates that compliance will be monitored over the coming year, in particular during the introduction of new IT processes for the Collection Teams. Page 12 of 15

143 3.2 Timescale WBS will progress the Improvement Plan over the next financial year and regular updates will be monitored via the WBS Information Management, Technology and Governance Group. 4.0 SUMMARY This report will be presented to the WBS IMT&G & SMT, but also Velindre NHS Trusts IM&T and IG Committee. Actions will be monitored by the WBS IMT&G on a quarterly basis, as this will help to ensure continual progress and compliance with the Caldicott Principles. Page 13 of 15

144 Caldicott Improvement Plan 2016/17 APPENDIX A M1 IM2 IM3 Assessment Standard Where staff have been assigned Information Governance roles, are they appropriately qualified and trained? Does the organisation have a policy and procedures in place to ensure the security of paper and electronic records in transit? Has the organisation made progress in implementing the Wales Accord for the Sharing of Personal Information (WASPI)? Management Action Establish who within WBS will take these roles going forward to the next financial year following changes within QA structure in the last 6 months. Assess training record to ensure all staff have been made aware policies relating to security of records in transit, Confirm details of trained facilitators using the WASPI template within WBS and develop new information sharing protocols and replace existing ones. Responsible Department QA /Caldicott Guardian All Caldicott Guardian Objective Owner Learning and Development Departmental Heads and Quality Assurance Caldicott Guardian Implementation Date Q4 Q4 Q4 Progress (Traffic Light) Amber Amber Amber Comments Page 14 of 15

145 IM5 CA3 Does the organisation have a strategy to ensure the correct NHS number is recorded for each active patient and service user, and that it is used routinely in clinical communications? Has the organisation made progress with encryption of devices containing personal identifiable information (PII) in line with the Encryption Code of Practice for NHS Wales Organisations (2009)? Assess the use of NHS number in WBS in the next 12 months and look at potential required policies with this. Discuss in line with trust due to a difference in use of the NHS number within WBS to the rest of the trust. Review current encryption of devices used at WBS. All IT Departmental Heads IG & IM&T IT representative Q4 Q4 Amber Amber Page 15 of 15

146 NHS Wales Shared Services Partnership (NWSSP) CALDICOTT: PRINCIPLES INTO PRACTICE (C-PIP) OUT-TURN REPORT 2015 & IMPROVEMENT PLAN 2015/16 Version No. final Status: Approved Author: Beth Webb/Tim Knifton Approver: SMT Date: 01/11/2015 Next Review Date: 31/10/2016 NHS Wales Shared Services Partnership 4-5 Charnwood Court, Heol Billingsley, Parc Nantgarw, Cardiff CF15 7QZ