Conference Notes

Notes on "Case Study: Managing Privacy, Security and Access to Patient Records" (Linda Fletcher)

Linda is the Health Information Manager for the Auckland District Health Board.

In the “good old days”, we had four separate hospitals, four clinical record departments (one for each), and separate paper-based patient records for each of the hospitals, and lots of resources were required to move records around. There was a clear policy on records for “direct patient use”, or other things that were appropriate, e.g., research … but these uses had to be signed off. Paper records had to be shifted to where they were needed, and although they had no direct audit trail, the records were “pretty safe”.

Fast forward to 1999. The “Health Services Delivery Plan” called for the 3 adult hospitals to become one, with Greenlane Hospital becoming a center for outpatients and day surgery. This was a huge change programme, e.g., all of the administrative staff positions were dis-established, so the new combined hospital could start again. It also introduced a range of new patient information systems:
– Concerto Clinical Workstation Portal
– Web1000 … radiology images and reports
– Eclair … labs and other results
– Electronic discharge summaries
– Medical documents
– Clinical Record Information Systems (CRIS) … old records are scanned as they are re-activated, and the entire record is scanned.

Managing privacy, security and access:
– the policy is that you only get access to client records when you need them for client care.
– the “confidentiality agreement” used to be about one sentence long, but now is very detailed. Eg, “if you come across a record for someone you know, pass it on to someone else or your manager”
– CRIS can predict, based on schedules of forward care planning, which people will need access to certain records at a certain point in time. E.g., a nurse will need access a couple of days before a new client comes in … this will be automatically set up. If access is needed outside of normal parameters, senior doctors can “break the glass” to see a record, but they do need to write out why they have accessed the record.
– very clear HR Policy and Processes … what to do when someone does a wrong thing.
– retrospective auditing … the crux of the security of the system. Key tests are run each month … on users (e.g., every staff member is audited every year, and at least 6 months of access data is used), high profile patients, designated records, same name match (e.g., a match between a staff name and a patient name), and ad hoc as required (e.g., a call from a patient).
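
The monthly audit tests and the break-the-glass rule described above can be sketched as a pass over an access log. This is an added example, not ADHB's or CRIS's own code; the record fields, flag names and sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    staff_id: str
    staff_surname: str
    senior_doctor: bool
    patient_id: str
    patient_surname: str
    scheduled: bool   # inside the window predicted from forward care planning
    reason: str = ""  # written break-the-glass justification, empty if none

def audit(log, own_record, high_profile):
    """Return {log index: [flags]} for accesses a reviewer should look at."""
    findings = {}
    for i, a in enumerate(log):
        flags = []
        if own_record.get(a.staff_id) == a.patient_id:
            flags.append("own-record")        # staff member viewing own record
        elif a.staff_surname.casefold() == a.patient_surname.casefold():
            flags.append("same-name")         # possible family member
        if a.patient_id in high_profile:
            flags.append("high-profile")
        if not a.scheduled:                   # outside normal parameters
            if not a.senior_doctor:
                flags.append("unscheduled-not-senior")
            elif not a.reason.strip():
                flags.append("break-glass-no-reason")
            else:
                flags.append("break-glass")   # justified, still reviewed
        if flags:
            findings[i] = flags
    return findings

# Constructed sample data (hypothetical ids and names).
OWN_RECORD = {"s1": "p1"}   # staff id -> that person's own patient id
HIGH_PROFILE = {"p7"}
LOG = [
    Access("s1", "Ngata", False, "p2", "Brown", True),
    Access("s1", "Ngata", False, "p1", "Ngata", False),
    Access("s2", "Brown", False, "p2", "Brown", True),
    Access("s3", "Patel", True, "p7", "Lee", False, "ED admission, unconscious"),
    Access("s3", "Patel", True, "p4", "Wood", False, "  "),
]

if __name__ == "__main__":
    for idx, flags in audit(LOG, OWN_RECORD, HIGH_PROFILE).items():
        print(idx, LOG[idx].staff_id, LOG[idx].patient_id, flags)
```

A flag here means "queue for human review", not "breach": a same-name hit or a justified break-the-glass access may be entirely legitimate.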

So how are we doing?
– Auditing about 300-600 staff members per month. A small percentage of staff are looking at their own records, and this is actually a breach of current ADHB policy. This is up for active debate, because staff have access to their own records, but it is supposed to go through an official release of information policy. This is a case of the technology changing expectations.
– A very small number of staff members have accessed records for family members, generally their children. As parents, these people actually have access to this information, but it is supposed to go through the official release of information policy.

What are the benefits of this?
– Timely access to pertinent information to facilitate diagnosis and treatment.
– Reduced clinical risk.
– Reduced effort.
