RECORDS MANAGEMENT FRAMEWORK

Transcription

1 RECORDS MANAGEMENT FRAMEWORK Policy Number: 253 Supersedes: Standards For Healthcare Services No/s 1, 19, 20 Version No: Date Of Review: Reviewer Name: 1.1 Nov 2011 Alison Gittins 1.2 Mar 2015 Alison Gittins Completed Action: Prepare for IGSC Prepare for IGSC Approved by: Date Approved: New Review Date: Brief Summary of Document: The enables the Health Board (UHB) to establish good practices around the handling of records, promotes a culture of awareness and improvement, and complies with legislation and other mandatory standards in the filed of records management. To be read in conjunction with: Health Records Strategy 192 Health Records Policy 224 Information Classification Policy 173 Freedom of Information Policy 225 Data Protection Policy Business Continuity Plans Information Governance Training Plan Corporate Records Management Strategy & Policy Classification: Corporate Category: Framework Freedom Of Information Status Open Authorised by: Joanne Wilson Job Title Interim Board Secretary Signature:

2 Responsible Officer/Author: Contact Details: Alison Gittins Dept Corporate Services Job Title: Base Head of Corporate Governance Support HQ, Corporate Offices, Ystwyth Building, Hafan Derwen, St David s Park, Carmarthen Tel No alison.gittins@wales.nhs.uk Scope ORGANISATION WIDE DIRECTORATE DEPARTMENT ONLY COUNTY ONLY Staff Group Administrative/ Estates Medical & Dental Nursing Allied Health Professionals Ancillary Maintenance Scientific & Professional Other CONSULTATION Please indicate the name of the individual(s)/group(s) or committee(s) involved in the consultation process and state date agreement obtained. Individual(s) Date(s) April 2015 Group(s) Date(s) Committee(s) IGSC Date(s) RATIFYING AUTHORITY (in accordance with the Schedule of Delegation) NAME OF COMMITTEE Information Governance Sub- Committee A = Approval Required FR = Final Ratification A KEY Date Approval Obtained COMMENTS/ POINTS TO NOTE Date Equality Impact Assessment Undertaken 09/04/15 Group completing Equality impact assessment Alison Gittins Jackie Hooper Please enter any keywords to be used in the policy search system to enable staff to locate this policy Records Management Database No: 253 Page 2 of 14 Version 2

3 Document Implementation Plan How Will This Policy Be Implemented? Who Should Use The Document? What (if any) Training/Financial Implications are Associated with this document? Disseminated via the staff intranet, by guidance, and as a part of post induction Information Governance training All staff who use, create, modify, disseminate or transfer any records in any format or medium, on behalf of the UHB. Failure to comply could result in financial penalties being instigated by the Information Commissioner s office. Action By Whom By When Agreement to proceed IGSC Ratified IGC What are the Action Plan/Timescales for implementing this policy? Framework Made active on intranet Active framework ed to all staff via global Highlight framework to all staff via ongoing Information Governance training. Policy Co-ordinator Policy Co-ordinator Information Governance Manger Ongoing Database No: 253 Page 3 of 14 Version 2

4 CONTENTS 1. INTRODUCTION SCOPE Records Staff AIMS KEY ELEMENTS of the records management framework Organisational Arrangements to Support Records Management Records Management Policies Keeping Records to Meet the HB s Requirements in Terms of Business, Regulatory, Legal and Accountability Purposes Records Systems to Enable Records to be Stored and Retrieved as Necessary Storage & Maintenance of Records Security & Access Disposal of Records Records Created in the Course of Collaborative Working or Through Out-Sourcing Monitoring & Reporting on Records and Information Management GOVERNANCE STRUCTURE TRAINING AND GUIDANCE RECORDS MANAGEMENT AWARENESS INCIDENT MANAGEMENT RISK MANAGEMENT MEASURE OF SUCCESS AUDIT IMPLEMENTATION REVIEW Database No: 253 Page 4 of 14 Version 2

5 1. INTRODUCTION Records management is the way in which records are managed within an organisation in order to ensure that they are dealt with legally, securely, efficiently and effectively, and in order to deliver the best possible care. Records and information are the lifeblood of any organisation. They are the basis on which decisions are made, services provided, and policies developed and communicated. Records management is recognised by Hywel Dda University Health Board (UHB) as a core corporate function, covering records in all their various formats and throughout their lifecycle, from their planning and creation through to their disposal. The effective management of records will bring with it the following benefits for the UHB: supports the UHB s business and discharge of its functions, promotes business efficiency, and underpins service delivery, by ensuring that authoritative information about past activities can be retrieved, used and relied upon within current business; supports compliance with other legislation which requires records and information to be kept, controlled and accessible, such as employment legislation, health & safety legislation, and the Data Protection Act 1998; improves accountability, enabling compliance with legislation and other rules and requirements to be demonstrated to those with a right to audit or otherwise investigate the UHB and its actions; enables protection of the rights and interests of the UHB, its staff, and its stakeholders; increases efficiency and cost-effectiveness by ensuring that records are disposed of when no longer needed, to enable the more effective use of resources; provides for an organisational memory. Poor records management creates risks for the UHB, including: poor decisions based on inaccurate or incomplete information; inconsistent or poor levels of service; financial or legal loss if information required as evidence is not available or cannot be relied upon; non-compliance with statutory or other regulatory requirements, or with standards that apply to the health service sector; failure to handle confidential information with an appropriate level of security, and the possibility of unauthorised access or disposal taking place; failure to protect information that is vital to the continued functioning of the UHB, leading to inadequate business continuity planning; unnecessary costs caused by storing records and other information for longer than they are needed; staff time wasted searching for records; staff time wasted considering issues that have previously been addressed and resolved; loss of reputation as a result of all of the above. It is important that records are: properly controlled; readily accessible and available for use; and, where appropriate, archived or destroyed. Database No: 253 Page 5 of 14 Version 2

6 It is also important that the commitment for effective and efficient records management is demonstrated at all levels within the organisation. Within this context the quality of records management is the responsibility of all staff within the UHB. 2. SCOPE 2.1. Records This applies to all information and data collected or accessed in relation to the UHB s activities, whether by UHB employees, or individuals and organisations under a contractual relationship with the UHB. It applies to all information stored on facilities owned or managed by the UHB, and all such information belongs to the UHB unless determined otherwise. For the purposes of this Framework, records are as defined in the relevant British Standard (BS ISO :2001 Information and documentation Records Management), namely information created, received and maintained as evidence and information by an organisation or person, in pursuance of legal obligations or in the transaction of business When handling any type of record, it is important to make the distinction between a record and a document, and within the context of the IG Toolkit requirement, a document becomes a record when it has been finalised and becomes a part of an organisation s corporate information. At this point, the record should not be amended and should only be held in the corporate system, for example, the network drive or shared folder, and not on a local drive on a PC or laptop The principles underlying records management creation, retention, identification and retrieval of records will apply equally to both electronic and paper records The Framework covers five main types of records: Corporate Records referring to information generated and received by the HB other than clinical/care (or service user) information. The term describes the records generated by the HB s business activities, and could therefore include records from Estates, Financial, Information Management & Technology (IM&T), Workforce & OD, Purchasing/Supplies, etc, as well as from other areas of the organisation. Acute Health Records refers to information which has been created or gathered as a result of any aspect of the delivery of patient care, including personal health records (electronic, microfilm, scanned images and paper based); audio and video tapes, cassettes, CD-Rom, etc; computer databases, output and disks and all other electronic records; material intended for short term or transitory use including notes and spare copies of documents. Community Nursing Records as above, but with a particular focus on community nursing records Community Therapies and Health Sciences Records as above, but with a particular focus on community therapies and health sciences records. Mental Health Records as above, but with a particular focus on mental health records 2.2. Staff The Framework applies to all users of UHB information and/or systems including employees and non UHB employees who have been authorised to access and use UHB information and systems. Database No: 253 Page 6 of 14 Version 2

7 The UHB requires all employees to comply with policies, procedures and guidelines which are, or which will be, put in place to implement and support the. 3. AIMS The identifies how the UHB will meet the key requirements of a wide range of records management related matters. The purpose of the Framework is to set out and promote a culture of good practice around records management to support the provision of high quality care, and to ensure that records are handled to high ethical and quality standards in a secure and confidential manner. The will enable the UHB to establish good practices around the handling of records, promote a culture of awareness and improvement, and comply with legislation and other mandatory standards. 4. KEY ELEMENTS OF THE RECORDS MANAGEMENT FRAMEWORK A Code of Practice on Records Management has been developed by the Department of Health (DoH), and compliance with this Code will assist the UHB in meeting legislative and other standards of good practice in relation to the creation, management, disposal, use and re-use of records and information, and to prevent it from being in breach of its statutory obligations. The UHB has developed its in line with this Code of Practice, and sets out the procedures the UHB will follow in relation to recommended good practice for the organisational arrangements, decisions, and processes, required for effective records management, as follows Organisational Arrangements to Support Records Management The UHB recognises records management as a core corporate function by putting in place a, underpinned by Records Management Strategies & Policies covering Health Records and Corporate Records, with the management of Community Nursing Records, Therapies and Health Sciences Records, and Mental Health Records, within operational management arrangements within their respective Directorates. Any risks associated with records management will be identified within the UHB s Corporate Risk Register, with their risk score reflecting the potential extent of disruption and any resulting damage. The has also identified the following defined roles and lines of responsibility, in regard to records management: Accountable Officer The Chief Executive as Accountable Officer has overall accountability and responsibility for records management and is required to provide assurance, through the Annual Governance Statement, that all risks, including those relating to records management, are effectively managed and mitigated Senior Information Risk Owner (SIRO) The Senior Information Risk Owner (SIRO), acting as advocate for information on both the Board and internal discussions, will provide advice to the Chief Executive on the content of the Annual Governance Statement in regard to information risk. The SIRO will lead and implement the Information Governance risk management processes within the organisation and advise the Board on the effectiveness of information risk management across the UHB. Database No: 253 Page 7 of 14 Version 2

8 The SIRO also has a distinct role relating to policy and process Caldicott Guardian The Caldicott Guardian plays a key role in ensuring that the UHB satisfies the highest practical standards for handling patient information. Acting as the conscience of the organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for the lawful and ethical processing of information. The Caldicott Guardian has a strategic role, which involves representing and championing confidentiality and information sharing requirements and issues at a senior management level Information Governance (IG) Lead The Information Governance (IG) lead is responsible for ensuring effective management, accountability, compliance and assurance for all aspects of IG, such as: a) Developing, implementation and promotion of IG policies. b) Ensuring compliance with all aspects of the Data Protection Act 1998 and the Freedom of Information Act c) Developing Information Sharing Protocols (ISPs). d) Developing and undertaking IG training. e) Completing the Caldicott Annual Assessment (C-PIP). f) Ensuring compliance with the IG Toolkit. g) Training staff on information governance matters Records Manager(s) The Records Manager for Health Records is the UHBs Health Records Manager. The UHB s Head of Corporate Governance Support is the Corporate Records Manager, with the management of corporate records within operational arrangements within each of the UHB s Directorates. The management of Community Nursing Health Records is within operational management arrangements within each County. The management of Therapies and Health Sciences Records is within operational management arrangements within each department. The management of Mental Health Records is within operational management arrangements within the Mental Health and Learning Disabilities Directorate. Clearly defined instructions regarding the creation, keeping and management of records are set out in the accompanying Health Records and Corporate Records Management Strategies and Policies, together with the identification of information and business systems that hold these records. Induction and training on records management will be made available to all staff, as appropriate, and as set out in the UHB s Information Governance Training Plan Records Management Strategies and Policies Health Records and Corporate Records Management Strategies and Policies have been endorsed by the UHB s Integrated Governance Committee on the Board s behalf, for dissemination to all UHB staff at all levels. These Strategies and Policies will set out the UHB s commitment to creating, keeping and managing those records which document its principal activities. They will also define key individual s roles and responsibilities, including the responsibility of individual members of staff Database No: 253 Page 8 of 14 Version 2

9 to document their work in the UHB s records in the manner prescribed, and to use those records appropriately. These Strategies and Policies will be reviewed every three years, or sooner if required, and will be published on both the UHB s intranet and internet sites Keeping Records to Meet the HB s Requirements in Terms of Business, Regulatory, Legal and Accountability Purposes The takes into account the legislative and regulatory environment in which the UHB operates to determine the records to be kept, including: WHC(2000)71 For the Record Managing Records in NHS Trusts and Health Authorities this circular provides guidance on the legal obligations for all NHS organisations to keep proper records; requirements for the selection of records for permanent preservation and the minimum retention periods for documents. Confidentiality of Information the NHS and all persons working within the service have a common law duty of confidence to patients and a duty to maintain professional ethical standards of confidentiality. In addition, all HB staff have to abide by the principles of the Caldicott Report 1997 and the Data Protection Act The Caldicott Review of Patient Identifiable Information 1997 the Caldicott Committee recommended that all NHS organisations must, through clinical governance processes, continually improve confidential and security procedures in respect of patient identifiable information. The Data Protection Act 1998 the Act established a set of principles for the fair and lawful processing of person identifiable information within which the UHB must comply. Informing Healthcare, Information Strategy for NHS Wales this represents Welsh Government s strategy to support the modernisation of health services in Wales using information and communication technologies. It aims to combine new ways of working and working technologies with better management of knowledge and better support for patients and carers. Freedom of Information Act the Lord Chancellor issued two Codes of Practice, Section 45 which sets out the practices to be followed by authorities when dealing with requests for information (the UHB has developed a separate Freedom of Information Policy to cover this area of work), and Section 46 requiring organisations to implement a Code of Practice for Records Management. All corporate information, for example, contracts and commercially sensitive information, should be created with the awareness that a request for this information may be received, and information which is not exempt must be disclosed to comply with the Act. Healthcare Standards the revised Healthcare Standards for Wales are used by NHS organisations to help drive improvements in the standards of services for which they are responsible. In terms of records management, organisations are required to manage all records in accordance with legislation and guidance to ensure that they are: designed, prepared, reviewed and accessible to meet the required needs; stored safely, maintained securely, are retrievable in a timely manner and disposed of appropriately; accurate, complete, understandable and contemporaneous in accordance with professional standards and guidance; and shared as appropriate. Guidance identifying those records that should be kept, by whom, at what point in the process or transaction, what those records should contain, and where and how they should be stored, Database No: 253 Page 9 of 14 Version 2

10 are addressed in the accompanying Health Records and Corporate Records Management Strategies and Policies, together with consideration of whether any of these records should be subject to particular controls. Staff will be made aware of which records the UHB has decided to keep, and of their individual responsibility to follow the UHBs business rules and to keep accurate and complete records as part of their daily work, within accompanying Health Records and Corporate Records Management Strategies and Policies Records Systems to Enable Records to be Stored and Retrieved as Necessary As the UHB creates records electronically in the main, good practice would suggest that the resulting records should be held electronically. The various systems available for records management within the UHB will be set out in the accompanying Health Records and Corporate Records Management Strategies and Policies which are designed to meet the UHBs operational needs Storage & Maintenance of Records The UHB is required to know what records are held, what information they contain, in what form they are accessible, their value to the organisation and how they relate to organisational functions. In order to achieve this, the UHB has gathered data on records and information assets through a Records Inventory Survey Form to map and review the records and information held by four distinct areas within the UHB (Workforce & OD, Finance, Procurement and Estates). Storage of records will follow accepted standards in respect of the storage environment, fire precautions, and health and safety, with appropriate precautions put in place to ensure that records remain usable. Records that are no longer required for frequent reference will be removed from current systems to off-line (for electronic media) or off-site (for paper) storage. These arrangements are set out in the accompanying Health Records and Corporate Records Management Strategies and Policies. The UHB s Business Continuity Plans will identify those records that are essential to the continued functioning or the reconstitution of the UHB in the event of any disaster, and include actions to be taken to protect and recover these Security & Access The UHB has in place an Information Security Policy to address the storage arrangements, handling procedures, and the arrangements for the transmission of records, to reflect accepted standards and good practice in information security. The access restrictions to be applied when necessary to protect any information, are contained within the UHBs Information Classification Policy Disposal of Records As a general principle, records will be kept for as long as they are needed by the UHB, either for reference or accountability purposes, to comply with regulatory requirements, or to protect legal and other rights and interests. Destruction of records once they are no longer needed, will ensure that both office and server space are not used, and costs are not incurred, in maintaining records that are no longer required. Database No: 253 Page 10 of 14 Version 2

11 Disposal schedules are timetables that set out when individual or groups of records are due for review, transfer to an archive facility, or destruction, which will make it easier for the UHB to establish whether a record exists if a request for that record is received. The length of the retention period will depend upon the type of record and its importance to the UHB bearing in mind that whilst the destruction of records is an irreversible act, the cost of keeping them can be high and continuing. Disposal of records will be undertaken in accordance with clearly established procedures as set out in the accompanying Corporate Records Management Strategy based on the retention schedules contained within the Welsh Health Circular(2000)71: For the Record Records Created in the Course of Collaborative Working or Through Out- Sourcing The UHB has signed up to the Wales Accord for the Sharing of Personal Information (WASPI) framework, requires it to develop Information Sharing Protocols (ISPs) in the new WASPI format when working in partnership with other organisations and sharing information. Instructions and training is provided to those required to develop ISPs through the HB s ISPs Facilitators. Some of the UHBs records will be held on its behalf by other bodies, such as the UHB s Joint Committees i.e. the Welsh Health Specialised Services Committee and the NHS Wales Shared Services Partnership Committee. Governance arrangements are in place to ensure that the provisions of the Code of Practice on Records Management are equally applied to these, as well as other UHB records Monitoring & Reporting on Records and Information Management The UHB has identified performance measures that reflect its information governance needs and the risks that non-compliance with the Code would present, and has agreed to be performance managed against the DoH s IG Toolkit via the UHB s Information Governance Sub-Committee (IGSC). Monitoring is undertaken on a quarterly basis with the results reported to the UHB s Senior Information Risk Owner who is a member of the IGSC, and an assurance provided to the Board via the Integrated Governance Committee. 5. GOVERNANCE STRUCTURE The UHB has a clear governance structure responsible for ensuring compliance with information governance legislation and standards. Database No: 253 Page 11 of 14 Version 2

12 The Information Governance Sub-Committee (IGSC), as a Sub-Committee of the Integrated Governance Committee (IGC) is responsible for ensuring the UHB is compliant with information governance legislation and good practice standards. This will be undertaken by reviewing progress against the DoH s Information Governance Toolkit, and the Caldicott Principals into Practice assessment, which covers the following areas:- Information Governance Management Information Security Assurance Confidentiality and Data Protection Assurance Clinical Information Assurance Secondary Use Assurance Corporate Information Assurance (including Records Management) All matters relating to Patient Identifiable information The IGSC will provide an assurance to the Board, via the Integrated Governance Committee that there is a robust Information Governance framework and work programme in place. The IGSC has responsibility for approving all strategies, policies, procedures and guidelines which relate to information governance, and recommending them to the Integrated Governance Committee for their final ratification on behalf of the Board. In terms of Records Management, the following Strategies and Policies which are subject to a three year review will apply. Policy Name Implementation Date Review Date Reviewed by Approved by Health Records Management September 2011 Currently HRC/IGSC IGC Strategy under review Health Records Management September 2011 Currently HRC/IGSC IGC Policy under review Health Records Operational September 2011 Currently HRC/IGSC IGC Policy under review Records Management Framework December 2011 December 2014 IGSC (March 2015) IGC (April 2015) Corporate Records June 2013 June 2016 IGSC IGC Management Strategy Corporate Records June 2013 June 2016 IGSC IGC Management Policy Retention and Destruction of Sept 2011 Currently HRC/IGSC IGC Records Policy under review Clinical Record Keeping Sept 2011 Currently HRC/IGSC IGC Policy under review Information Classification Sept 2011 Currently IGSC IGC Policy under review Information Security Policy July 2012 July 2015 IGSC IGC Database No: 253 Page 12 of 14 Version 2

13 6. TRAINING AND GUIDANCE Good records management will not be achieved unless staff understand the importance of proper record keeping. For non-specialist staff, this is likely to be achieved through induction and top-up training. The UHB includes information governance as part of its mandatory training for staff which can be extended to include records management. The following approach will ensure that all staff receive training appropriate to their roles: All staff will receive basic information governance training as part of their induction process; Managers will be required to assess the training needs of their staff annually, and specify whether staff require basic information governance awareness training, or more specialised training for their role. Those staff who have been assessed as requiring basic IG awareness will be required to undertake information governance training via an IG e-learning tool every three years An Information Governance Training Plan is in place within the UHB. Specialist information governance training can be arranged by Managers in discussion with the UHB s Information Governance Manager, to be delivered either face to face, or in classroom format. 7. RECORDS MANAGEMENT AWARENESS In order to ensure that all staff are aware of their responsibilities in regard to records management, the Corporate Governance Team will undertake a number of awareness raising activities, such as the production of regular newsletters and the provision of information for Team Briefs. These activities will supplement the Information Governance Training Plan. 8. INCIDENT MANAGEMENT All incidents which relate to a suspected or actual records management breach should be reported to the relevant line manager, and an incident reporting form completed via DATIX and/or SecurityIncidents2. The line manager should also contact the SIRO to initiate an investigation into the breach/incident. All breaches and investigation outcomes will be reported to the IGSC, in order to review outcomes and to consider any recommendations and improvement plans. 9. RISK MANAGEMENT The IGSC is responsible for the monitoring of information governance risks to the organisation and ensuring that mitigating action is undertaken by officers. Risks are reported within the IGSC s Update Report to Integrated Governance Committee, which provides an assurance to the Board around the UHB s healthcare assurance and risk management frameworks. An Information Governance Risk Register is in place, containing all information governance and records management risks, which is a standing agenda item at each IGSC meeting. Database No: 253 Page 13 of 14 Version 2

14 10. MEASURE OF SUCCESS The success of the UHB in improving records management will be measured against the DoH s Information Governance Toolkit. The UHB aims to reach at least level 2 in all areas of the Toolkit. 11. AUDIT Compliance with the Information Governance Toolkit is included within the Internal Audit Work Plan and will be reviewed annually. 12. IMPLEMENTATION As detailed within the Document Implementation Plan on page REVIEW This will be reviewed every three years, or more frequently if new legislation, codes of practice or national standards in the field of records management are introduced. Database No: 253 Page 14 of 14 Version 2