One month after the deadline to switch on prospective records access, 20% of GP practices have not yet complied with the contractual obligation.
This year’s GP contract stipulated that all practices must offer access via the NHS App, unless patients opt out or exceptions apply, by 31 October.
NHS England’s update today said over 4,500 practices (81.1%) now offer automatic access, covering 23.5 million patients.
GP leaders have pushed back against NHS England’s instruction – the BMA’s GP Committee England considered a legal challenge to delay the deadline further, but was later forced to abandon these plans for financial and legal reasons.
More recently, the BMA joined with more than 20 violence against women organisations to express concerns about granting vulnerable patients access to their GP record.
They highlighted the possibility of perpetrators of domestic abuse being able to gain access to a survivor’s records by coercing the survivor to share access.
The GPC has also urged practices to do a data protection impact assessment (DPIA) before enabling records access, and to consider an opt-in model if risks are identified.
While the GP contract letter clearly stated that ‘new health information’ should be available to all patients ‘by 31 October at the latest’, the primary care recovery plan in May set a target for 90% of practices to enable patients to see their records using the NHS App by March 2024.
Pulse understands that NHS England is not taking a punitive enforcement approach for the remaining 20% of practices who have not yet switched on access, but is focusing on supporting them to iron out any issues.
NHSE national director for transformation Vin Diwakar said they ‘strongly encourage the remaining practices to implement the change’ and urged those who are ‘having challenges delivering this service’ to take up the support available.
He said: ‘In October alone, more than nine million people viewed their health records through the NHS App which means they can manage their own heath better while GP practices are seeing a reduction in telephone calls for things like test results.
‘Boosting patient records access will undoubtedly bring improvements for both patients and staff.’
Addressing concerns about vulnerable patients having access to their records, NHSE said it had worked with relevant individuals and organisations to ‘provide guidance to GPs on how to put safeguards in place’.
Have 23.5 million patients all been told they have this access and asked if they want it? That’s a question to ask NHS England.
Total joke of a situation. The government saying just do it. BMA deliberately taking the opposite tack. GPs caught in the middle.
The current implementation of the NHS app, assuming the user is allowing passwords to be stored, allows anyone who knows the phone PIN to get access to the full prospective record including coded entries and free text. How is that safe if patients know nothing about what has happened? How many children will stumble across their parents’ medical details whilst playing with phones? What harm may come of this? How many abusive partners will keep track of what the doctor is being told? Those cases alone suggest an opt in approach is the safest way forward but this won’t achieve the minister’s aims quickly enough and won’t achieve the required numbers for press releases so this approach hasn’t been taken by NHS England.
Totaly agree Mark.
I think while GPs are still legally the data controller we need to look at real life risks (hence DPIA), most of which are beyond our control. Wondering how long before a central (no doubt outsourced) provider like palantir will become effectively the data controller?
Perhaps we need to ask NHS England to add an additional tab to the NHS app that reveals any coded or free text data that is being stored in the FDP? It would save them dealing with Subject Access Requests…
Dear All,
If you read the actual regulations you don’t need to offer blanket access to all. You only need to offer access to those who request it. The regs did indeed create an expectation that practices would offer open access to all by 31/10/23. However for many there was not enough time and for practices like mine when we looked at the DPIA we could not reconcile the proposed mitigations with our duties as Data Controllers. So were unable to complete the DPIA by 31/10/23. If you haven’t done a DPIA the Data Protection act 2018 means you can’t lawfully allow this new processing. That means clause 16.5ZA.7 of the regs now comes into play. This applies to any practice that has not for “whatever reason” (i.e. not having a DPIA) provided access by 31/10/23. Clause 16.5ZA.7 accepts that bulk access has not been provided but then creates an opportunity for providing individual level access. It requires practices to respond to requests from individual patients to provide access under the Subject Access Request arrangements. That’s a bonus for the practice because they then do not have to do the DPIA, the due diligence required for each SAR is in effect a DPIA for an individual. So if you haven’t provided access yet look up 16.5ZA.7 and see if it applies to you.
It means these reg are unusually elegant, they set an expectation but recognising that it might not be possible then provide a contract fulfilling catchall for those that missed the target.
Very neat.
Regards
Paul C