Safeguarding vulnerable patients who may in the future have access to their online health record

Many patients who are vulnerable will belong to known high risk groups, including those known to be at increased risk of coercion, such as victims of domestic abuse or individual who may lack capacity. 

These patients may already have a safeguarding or related care plan in place, and therefore may already be known to general practice and have an adult safeguarding or related clinical code in their record indicating potential to experience harm.

Some at-risk patients may not be known to general practice and individuals’ circumstances can change to place them at-risk. When risk is identified, record access should be considered as part of wider safeguarding planning to maintain safety and reduce the risk of harm. 

Healthcare workers should review the level of records access for any individual considered to be vulnerable to coercion, whose recorded information may be harmful to them, or who may be unable to keep it secure. This functionality already exists in general practice systems.

Where there may be concerns that certain patients should not have access because of risk of harm, healthcare workers can prevent automatic access (before the practice goes live) to new information by adding a Systematised Nomenclature of Medicine (SNOMED Clinical Terms (CT)) code to their record. After prospective records access is switched on, access can be amended via the online services settings of the electronic health record system.

Practice staff should be documenting every entry in the notes going forward with patient viewing in mind, applying use of online visibility tools if and where required. If any risks/vulnerabilities are identified, these can be managed during the consultation including a discussion on what level of online access is appropriate.

As patients turn 16, access to their prospective GP records will turn on automatically.

If someone younger than 16 has requested access to their records and is deemed to have capacity for this decision, they may already have access to their records. Upon turning 16 this access will automatically update to include full prospective record access.

Practices are advised to embed a process to identify patients ahead of their 16th birthday to identify individuals who might be at-risk of harm from having access to their full prospective record and for whom enhanced review is indicated. Such patients should have the ‘104’ code added prior to turning 16.

Applying the '1364731000000104 Enhanced review indicated before granting access to your own health record' code to a patient's record before records access is enabled will prevent that patient from automatically viewing new entries in their health record however, it will not amend or switch off any access that has previously been given. If a patient is identified at-risk of harm, you MUST also review any access the patient currently has.

When a patient transfers to a different general practice, any GP Online Services account at the old practice is deleted. When the patient next logs into the NHS App using their NHS login a new GP Online Services account is automatically created at the new practice.

Any 104 or 106 codes on the patient's records will transfer with the patient record via GP2GP and the same logic will apply at the receiving practice once the record has been received and accepted. Their use will also help to alert the new practice of concern around online access to records. However, if the patient is given an online services account at the new practice before the GP2GP transfer has completed and/or the GP2GP transfer fails, then any enhanced review code on the record from the previous practice will not block automatic prospective access. For this reason, the date for prospective records access will reset to the date the patient registers with the new GP practice.

Early adopter sites used a variety of different approaches to identify, and where necessary exclude, people who should not have access to their records due to a risk of serious harm to themselves or others.

NHS Bath and North East Somerset, Swindon and Wiltshire Clinical Commissioning Group, Named Safeguarding GPs have developed some supporting guidance, these have been shared below as good practice.

It should be noted that the code lists and processes below are a mitigation and rely on patient records being coded to show they may lack capacity or have safeguarding concerns correctly within the record, before these tools are used by practices.

Some practices chose not to proactively apply the code to at-risk groups, and instead had robust processes to identify and review record settings as new information was being entered.  

Caution should be applied if cohorts of patients are excluded to prevent potential discrimination. Practices are not required to use all the searches used by the early adopter sites. They should instead make a practice-level decision on which to apply, prioritising those who identify vulnerable patients and those who may not be able to keep their data safe.

Effort should be made to ensure at-risk individuals are reviewed to assess if record access can be provided. 

These instructions (available by signing into our dedicated FutureNHS pages) detail how to search for and add the SNOMED code 'enhanced review indicated before granting access to own health records' to groups of individuals where their record indicates the patient may lack capacity or may be vulnerable to abused due to their circumstances. 

Watch a recording of a webinar, presented by Dr James Higgins and Dr Devin Gray, which focuses on reducing harm and safeguarding risk reduction, including the reporting mechanism for safeguarding incidents and improving efficacy.

You will need a NHSFutures account to login.  

TPP-focused webinar on enabling online record access and safeguarding patients took place on the 6 October. The session included a discussion between Helen Crowther, National Digital Primary Care Nurse Lead for NHS England, and Dr Tim Caroe, NHS England South East Medical Director Primary Care Transformation and GP at The Lighthouse Medical Practice. This was followed by a presentation from colleagues at Pelton and Fellrose Medical Group. 

Questions from the webinar have been added to the existing document. You can also watch the recording and view the presentation slides (requires FutureNHS login).

These instructions detail how to set up a pop-up box to prompt primary care staff members where a safeguarding code exists in a patient record, which practices may choose to put in place. 

The pop-up box triggers can be amended once the pop-up box is up and running within a surgery.