CLICSIG - Managing the audit trail in shared clinical systems

21 May 2016, The Core, Newcastle University

Discussions held under the Chatham House Rule.
PDF version

CLICSIG Objectives

1. The Question

A meeting of 7 members Primary Health Care Specialist Group of the British Computer Society was held on the 21st May 2016 to consider the question of whether or not it was possible to routinely reconstruct a view of an integrated or shared record (e.g. via portals such as the Medical Interoperability Gateway - MIG and the increasing number of health information exchanges) at the time it had been viewed for performance/legal purposes.

This question had been initially raised by paramedics who wanted a PDF copy, for evidence, because of an increasing number of complaints. The question was framed in a specific way "How should a Shared Care EHR, with information from multiple sources, typically gathered via a portal, handle the important issue of being able to re-create a screen used to make a clinical decision at a later point in time.”

This is essentially a question about contemporary use of audit trails and the developing role of health information exchanges in providing “right time right place” information to clinicians.

2. Approach to the problem

Given the recent discussion about the problems associated with being able to re-create the screen used to make a decision by a clinician at the point of care, the group considered the following points in framing the discussion:

  • Is the audit trail capable of re-creating a view including information syndicated from portals or hubs?
  • If not, should the clinician take a screenshot? Or should the system take a screen shot now and then, or when a decision is being made, or every second, or millisecond? Would a pdf do? Or a tiff?
  • What kind of audit trail would work?
  • Who is going to decide that such an audit trail should be mandatory, and who would be responsible for it?
  • What authority is needed to establish rules for creation/re-creation of viewed records?

Given the origins of the problem in e.g. Ambulance Service use cases, the provenance of information from different information syndicated into an integrated care record was a major consideration. Clinicians already obtain information from a variety of sources in a fluid decision-making process, and as interoperability evolves, this will become the case in many care settings. Paper patient report forms, or an electronic patient report form (e-PRF )or electronic patient record (EPR) system may all be used, and the patient themselves. Therefore there may be variations in how viewing, interpreting and creating patient records, constructed from third party clinical systems, occurs in practice This aspect of the problem was broken down into several parts.

(i) Recreating or preserving the view of the integrated care record when particular data views or screens were used to make a clinical decision.

(ii) Establishing what information could have or would have been available at the time

(iii) Views of patient data may not necessarily be the same on different systems

(iv) Need to recreate the screen(s) - depending on version of software

(v) Checking with the data source to verify availability of the data for clinical decision making: was the clinical record viewed

a. a snapshot (created at a certain date) (e.g. MiG)?
b. data available from multiple sources in real-time (e.g. LPRES)?
c. An episodic construction from several sources by user?

In order to stimulate original thinking on these matters, theoretical models were introduced as a precursor to developing a coherent unified vision of sharing records in clinical decision making (see Fig 1). The common view developed that existing information architectures for large information systems differ between primary and secondary care and the existence of stringent protocols for large scale procurements makes it difficult to work for change in different health systems and their particular geographies. Understanding the motives of stakeholders at different levels is important for making change work at both conversational and social-cultural levels. Only if such issues are discussed by users and other stakeholders from all of the systems involved in the publication and syndication of record extracts for interoperability can system design be optimized.

The concepts of “act of summarisation” and “act of transfer of care” were introduced:

It is an accepted part of care that when a patient is sent from one care setting to another for the purposes of continuing her healthcare, the referring clinician typically summarises “the current issues” and formally transfers responsibility to another clinician, who then accepts that responsibility. On paper this act is represented as an “instrument” of transfer, such as a referral letter or a discharge summary, or an ambulance transfer. The instrument on paper is traditionally signed by the responsible clinician. Is it acceptable for this view of information to be variable in the electronic era? For example, is it acceptable for the re-created view of a discharge document to contain data not originally available , such as investigation results not yet through when the transfer occurred? (see also figure 3 below)

Figure 1 Views of Information

Fig 1 - Views of Information

Those present observed that much of existing health care IT has been developed and well-established at the Engineering and Informatics view levels. This was a solid basis to support only some clinical decision-making. Traditionally, systems development does not address the conversational and socio-cultural views. In many specialties, clinical records are not traditionally developed for use as conversational entities, but when they are, this information is only usually available as narrative text. Clinical records may be used in preparation for talking to patients, in discussions between doctors and patients, between doctors, and in clinical audits, and they may be shared with other healthcare professionals as necessary for patient care and quality assurance activities. It is not possible to ‘systematise’ the Socio-cultural view (in figure 1) but we can systematise at lower levels, creating and exchanging documents at transfer of care for example.

But in order to create secure and trusted interoperable systems for direct care in health, our toolkit is incomplete without the introduction of a formal conversation layer, as without this, any organization operating as an information service provider cannot fulfil their obligations to patients and citizens when they publish information to 3rd parties. This is the case also in publication for secondary use, but even more difficult to configure.. Both Care and Information Governance (IG) are conversational level activities and require norms and principles to bind them. There is a considerable amount of work to be done on assurance at these top two levels (figure 1).

It was noted that the Airline industry is keeping a vast amounts of data on every part of the aircraft. This is necessary to maintain dependability of the aircraft as a long service product (systems developed at the engineering and informatics view). However, patients don’t behave like aircraft parts and so however much you record it doesn’t tell the whole story. GP systems operate between the Informatics view (e.g. the group talked extensively about differences between individual practices and clinicians in data entry i.e. what was entered, the Codes used for entering information and the lack of guidance or standards in data entry: the change to the universal  use of SNOMED CT might improve data entry & use of Coded data in clinical decision-making) and the Conversational view (e.g., interpreting and negotiating roles and responsibilities. )

An emerging question was ‘How can we provide the infrastructure to support innovation and unexpected uses and how do we obtain need for governance. Variants between Systems like EMIS, INPS Vision and TPP SystmOne were discussed but essentially, middleware in the form of Health Information Exchanges or “integration engines”, are needed to provide joined-up views. An integration engine (“middleware”) - consists of

(a) A portal - for data publication & synchronisation

(b) A Switch - to control workflow

(c) An Index - to store names, roles, rules, relationships. This allows coordination of information from systems having different, seemingly incompatible, data structures.

An integration engine (IE), also referred to in this document as a Hub, can be procured and implemented for an integrated modular system like Cerner or it can be a community owned third party (TP) platform (e.g. InterSystems, Tiani Spirit, ORION Rhapsody) operating between different health care providers (Trusts). A number of different approaches were noted: e.g. in the Northwest LPRES project, NHS systems are building on local Hubs linking to regional Hubs and in the future possibly to a “Northern” Hub in Manchester (federated approach). North East England also aspires to this model.

An approach was discussed on how to provide a development strategy for linking Hubs together. The distinction was made between an ‘integrationist’ view which looks at how an integration solution based on as single enterprise (e.g.Foundation Trust) can expand to fill the space for its use and a ‘universalist’ approach where all should join-up in a network, like the public internet. In starting from the perspective of a patient living in a world with multiple communities, it was considered that the networked approach within a federated system (organizations connected together via regional and sub-regional hubs) would be more likely to work than the integrationist approach (typical of NPfIT). In order for a federated approach to work, third party-owned infrastructure is needed that links together organisational (enterprise) systems. (see Figure 2).

Figure 2

Fig 2 - Logical Structure of Federated Health and Social Care

In context, each Hub might be associated with a message/document/data store, allowing information to be retrieved or reused via the integration engine, which can be interrogated and coded to provide information for syndication (e.g. SCR or MiG Viewer). With these federated data-sharing hubs in place, in time it is expected that clinical records could be viewed in real-time by accessing the message store without the need for replication of data between (integrated systems). It was observed that such an approach is proving worthwhile in Lancashire (LPRES) where Tiani Spirit is being deployed as the RIE.

The provenance of Information was also discussed. Making a clinical decision is a result both of informational and conversational acts. Clinical information can be generated cumulatively, derived from multiple record systems, at different times and in different places. In this context, a use case example about the role of discharge communications in transfer of care was presented (Figures 3 and 4).

The discharge letter is boundary object which comprises the information required for ensuring safe patient care and interpretation of the values and principles of care across healthcare settings. Potentially such discharge letters can be shared electronically to ‘inform’ different healthcare professionals attending a patient on her journey, and thereby providing opportunities for ‘anticipatory’ care behaviours to be developed.

Figure 3 The Discharge letter as an inter-cultural communication

Fig 3 - The Discharge Letter as an inter-cultural communication

One consequence of this approach to joining up, through information sharing at all levels is an increased capability for monitoring and control of all interactions between health care providers. It would be possible for requests to consume published knowledge to be stored, rather than the actual data shared, so one would be able to reconstruct what was happening by going back to the messages and viewing through a presentation layer. Provided that the sharing parties can reproduce the data requested.

If certain ‘sign-off’ forms are required (e.g. pdf or tiff), SLAs with Middle ware suppliers would need to stipulate what data needs to be reproduced in the forms Specification at this level involves having the record control access by role, relationship and context, pulling the appropriate data in and saving and publishing the session.

Figure 4 Federating care providers' information

Fig 4 - Federating care providers' information

3. Translation of the problem and its issues into NHS requirements

Following the morning session, 6 remaining members discussed how the problem could be translated into NHS Requirements and what implications this would have for existing technologies and work practices.

The group considered relevant communities of interest who would participate in Information / IT Requirements -including ICT Suppliers. On reflection it was felt that:

(a) Information needs to be shared across many organizations and use cases; the single supplier approach has been tried for integration (see NPfIT) - but has significant problems within the NHS (which is not a single enterprise) and has been rejected to a great extent;

(b) We should to look at community-wide architectural approaches, using middle-ware Hubs (HIEs) as part of the infrastructure .

(c) Overall, in order to develop coherent information transfer, we need to have agreed standards/APIs/etc. to decrease costs, especially for SMEs & new entrants. This could involve open source and Ripple[1] was mentioned here as example but not pursued further.

After considering how middleware can be deployed to support the conversational and socio-cultural views of information, the group returned to the question of how data and information available for making a clinical decision could be ‘re-enacted’. It was recognized that a number of requirements arise for legal purposes, information governance and patient confidence; these requirements would include: -

  • Keeping records of
    • who had accessed the integrated record in what role & with what authority (including patient consent);
    • what information had been requested; what information had been supplied and what information had been viewed.
  • Clarifying where and by whom the clinical record audit trail should be recorded, and who would be responsible for preserving a record of the audit trail with changes to technology or players involved
    • seeing the information available (and viewed) at the time a decision was taken might be highly relevant to legal/regulatory/professional enquiries many years later.
  • Reviewing Consent to view clinical records: a number of scoping questions arise as to how the boundary of viewing can be policed the process of recreating/viewing the state of records around which a clinical decision was made:
    • Needs to be informed
    • Often hard to explain outside direct care
    • Should it be same for direct care of individual, secondary NHS purposes, research & commercial uses (bearing in mind margins blurred at times)?
    • Should consent always cover entire record?
  • Reviewing NHS guidance on duration of retention of records:
    • E.g. for most organisations, this is 8 years after last contact or three years after age of maturity in the case of children: for children with persistent lack of capacity, indefinitely
    • And decide how this would apply to the re-enactment of records viewed in an integrated care record view setting or indeed the storing of data for an audit trail.
  • Recording what was seen as well as what was available (equal importance). Taking a snapshot of the data viewed, would not take into account vital information not viewed but available.
  • Defining responsible roles for recording ‘transactions’ or ‘messages’ were needed: Sender? middleware, recipient?
  • Giving due consideration of what happens if/when integration engine/middleware changes/contract ends? If they hold an audit trail, how will that then be accessible?
  • Accounting for how the reconstructed view might be changed if one or more organizations contributing to original view of “integrated record” had altered record, changed systems or destroyed record in line with NHS guidance.
  • Dealing with unintended consequences: people may be making clinical decisions which are subject to different kinds of scrutiny or surveillance e.g.
    • Recording can impact on behavior. (e.g. increased need to record can lead to risk averse behavior.)
    • Complaints from service users may increase if clinical information for audit capability is readily available
    • An NHS employee may work for other organization e.g. police and be able to use NHS login to access information for police/personal interests.

In summary, the more widespread availability of information gives opportunity for abuse. It was felt that IG & security was a separate important topic.


4. The obsolescence of existing IT Systems with respect to new work priorities

Existing NHS systems lack the capability that clinicians need to share individual patient information at the point of care at the time they need to make decisions. For paramedics, it is necessary to have a wide view of all the options available for sharing the view of the acuity and disposition for patients as well as the prior information given by summary and detailed views of care records (as given by MiG, Tiani spirit, Graphnet and similar data integration methods).

Given the increasing need to share records and for accountability in clinical decision-making, the group outlined a range of issues and recommendations about technologies required for sharing ‘context-sensitive’ clinical decision-making for future developments & new entrants to the NHS electronic care record marketplace.

  • Open source may be a lower cost long-term commitment (it may protect against obsolescence; may keep skills in-house)
  • The MIG and alternative shared care record systems and Health Information Exchanges (“Hubs”) may be able to relate /publish much relevant data but have their own viewers with different views for different purposes. These do not always suffice for supporting a clinical decision in specific environments such as paramedics, nursing homes etc.
  • The specific viewer may be too constrained, it may be necessary provide a richer view of the record.
  • The group felt that:
    • A full record of Publishing and Consuming (Viewing) shared care record should be kept and maintained on each system. (A record of the requests for data and the screens viewed)
    • Publishers of data should retain an audit trail of what actions are  requested by remote systems
      • Who requested what data
      • Using which data sharing permissions
      • Etc.
    • If other organizations depend on shared records, what are the clinical decision-making and recording obligations on those creating clinical records?
    • Each electronic record system must indicate what information is made available / published when there is a requests to view / consume data
    • Middleware suppliers have no vested interest in storing data for clients.
    • The principle should be that each Hub retains transactions (message store) and each care organization (e.g. Trust/Practice) publishing data to that Hub takes responsibility for maintaining an audit trail of publication, recipient, data sharing agreement, user ID, time, role, place etc.
    • As NHS organizations change it may no longer be possible to access previous records. The value of retaining all the detail of interaction is liable to be expensive (this is an unknown), but less so than retaining all the data shared. This might be the subject of a subsequent meeting.
  • Curation and retention Policies:
    • Local hardware and software may become unable to store or retrieve data
    • Should systems retain all data (copy), or hold in a message store?
    • What should the period for retention of audit data from remote systems be? (See NHS guidance on retention of records and records. - E.g. child protection data may have to be destroyed at some stage. Group also discussed prison records and Rehabilitation of Offenders Act)
    • Will it be possible to store all binary large objects as (HTML screenshots, pdfs etc.) that would be required support previous clinical decisions.
  • Obsolescence of software needs to be monitored and recorded
    • Changes and expiry of software/systems, e.g. Synergy, EMIS LV
      How in these circumstances can problems of audit trail reconstruction be mitigated?
    • Are there pre-existing standards to help manage multi-system audit trails?
      IHE Standard for audit trail events is a resource standard in FHIR
    • Should the NHS standardize audit trails in terms of data requested (by consumers) and provided (by publishers); there may be differences between records held in source systems and the shared record system at a particular point in time during an episode of shared clinical decision-making. This might happen where a care plan has been published and the source data changed without updating the plan.
    • Consider forms of data warehousing relevant to charting the provenance of data, clinical decisions and clinical audits that cross over periods of systems change
    • Algorithmic approached to aiding decision making: NHS Pathways (in use in NEAS) - consider what algorithms in NHS pathways were used at particular time; post event messaging in system like Adastra
  • User interface design
    • Knowing what screens looked like and how their design might have influenced a decision
    • Need to recreate information viewed at time decisions made


Rendering data, information and explicit knowledge for decision-making accessible at the point of care in a shared record, is probably best served by middleware technologies in a federal approach. These will often be third party or community owned systems, which act as a service and have no interest in retaining large expensive audit trails of data. However there needs to be a means to reconstruct, what was visible and what might have been visible in relation to a chain of clinical decisions.

A Suggestion, which in part led to this meeting - had been for Ambulance paramedics to take screen shot (pdf) of the shared record screen, when they took a decision. We agreed that this may be necessary for best endeavours. However, the screenshot is not necessarily sufficient to justify the whole decision-making process. It will only record what was viewed and not what else was available.

Another possibility is that the HIE should retain a full audit trail of all data shared with it. This was discounted for the reasons above and if a federated development of these HIEs took place to enable sharing wider across larger communities then it becomes absurd.

The group favoured the option for the HIE to retain a record of all “messages” it handles. Thus it knows what was requested and what screens viewed at any time. The publisher of the data already in most cases will have an audit trail and should be able to reproduce the data which would have been consumed on each occasion.

There need to be rules for audit trails regarding the retention and access of messages (used by integration engines). Responsibilities need to be defined at the conversational level to ensure these happen in any shared record project.

This aspect of the debate is fertile ground for further analysis and conceptual development of the context in which clinical records can be / should be shared.

There are a number of pointers and recommendations arising from the debate.

  1. Information governance needs to be treated as a solution rather than a block to change.
  2. Records sharing implies that standards must be developed and refined. The values and educational resources of making data consistent, reliable and valid when shared are a paramount concern.
  3. Training on health informatics needs to be improved
  4. Standards for transfers of care and discharge letters can be developed.
  5. Understanding how infrastructure supports interoperability is an ongoing research question