David Guest wrote:

It seems to me that this makes a computerised medical record
compulsory. Apparently, MD3 would fail as well. Their recall function
moves patients from the "Recall" list to the "Action" list when the
function is activated. If the patient fails to present for the requested
activity, the "Recall" drops out of the system exposing the practice to
potential litigation.

David,

They don't understand how the MD recall system works. They express an unexplained reservation about recalls in the 3rd edition standards; now I think I know what it is.

The action list is the recall system's safety net, so if you print a list of patients for recalls and [optionally] update or delete the recalls, they are added to the outstanding actions list. It serves to remind the GP, on opening the patient notes, or the practice, on routinely scanning the action list, that a recalled patient may not have presented to have the issue dealt with.

If the GP doesn't read or understand the action prompt's message, or the practice doesn't scan the action list to check that no one contacted for recall has failed to turn up, then they need to learn how to use their software, or get another job, such as canning fish, IMHO.

In relation to the 3rd edition standards I got this reply to questions I asked one of the accreditation bodies about the competency of the surveyors to understand what IT security measures the practice actually has in place.

Hi Greg,

I apologise for not replying earlier to your below request.

The ****** Tip in our latest newsletter refers to Criterion 4.2.3 of the 3rd 
Edition Standards. Securing patient information stored electronically is vital 
to meeting security and confidentiality requirements for all practices. The 3rd 
edition standards stipulate in depth that if a practice uses a computer to 
store patient information they must have certain measures in place to ensure it 
is secure and can be retrieved when necessary.

At the time of survey visits surveyors may ask to view the policy and procedures manual to verify that security procedures for patient health information are in place including individual passwords for different levels of access for staff. Evidence will be required regarding the procedure for backups and security measures for the computer system. Ideally practices should keep a record of their daily backups (recorded daily and initialed) and these should be password protected. Practices will be asked to provide sufficient evidence to surveyors that an information disaster recovery plan is available and has been trialed. If a Practice has had to use their Disaster Recovery Plan in an actual disaster such as power failure then documented logs of how the plan was used, by whom it was implemented and the outcomes could be shown to surveyors as documentation evidence also. ****** recommends that practices who work with electronic medical records shall have more than one person who understands the back up system, back ups are taken off site periodically tested to ensure it works. A contracted / employed IT consultant / specialist would be a business advantage, though this depends on individual practice circumstance.

Surveyors have been counseled during recent training as to how to assess this 
Criterion as above, looking for evidence the requirements as listed in 4.2.2D&E 
are in place and documented policies are available for review. Surveyors during 
interviews with Doctors and staff will also determine what measures are in place 
and if all staff are familiar with and understand the procedures and policies used 
at the practice. It is the surveyors' job to review and record what has been 
observed through a document review and through interviews with staff at the time of 
the survey visit.

A ****** Fact Sheet is being drafted to assist practices in this area and once 
finalised will be available for all to access. A future newsletter will advise 
its completion date.

If you have any further queries, please don’t hesitate to contact me.

Kind Regards


**********

On 17/7/06 2:13 PM, "Greg Twyford" <[EMAIL PROTECTED]> wrote:

Hello *******,

I'm responding to your ******** Newsletter ****, where you mention the
new information security standards that will apply under the college's
3rd edition standards.

My question is: What qualifications and appropriate training will you be
requiring of your surveyors in order for them to determine practices'
compliance with these new IT security requirements?

Will it be only necessary for a practice to show you a security manual
and a disaster plan? Will practices need to have documented testing
of their disaster plan, and in what detail? How much of the content of the
manual and the disaster plan will be meaningful to the majority of
surveyors?

Will surveyors be expected to check if a UPS is in situ, if virus
definitions are up to date, if user names and passwords are in place, if
operating system patches have been applied, firewalls are correctly
configured, etc.?

Will all these requirements need to be documented in the security and
disaster plans, showing dates, actions taken, activities being signed
off, etc., in the form of logs?

I understand that surveyors are often doctors or qualified practice
managers, who are well able to survey the clinical and organisational
aspects of an accrediting practice, but I doubt that few have
appropriate information technology qualifications that would enable them
to meaningfully survey the steps a practice has taken to meet the
information security aspects of the 3rd edition standards.

Greg

It fills me with a sense of dismay that an accreditation body would think it should require a practice to undertake such an onerous set of tasks, requiring a lot of real expertise, whilst not requiring their surveyors to possess concomitant skills.

Greg
--
Greg Twyford
Information Management & Technology Program Officer
Canterbury Division of General Practice
E-mail: [EMAIL PROTECTED]
Ph.: 02 9787 9033
Fax: 02 9787 9200
