Audit trail

Concerns were raised around maintaining an audit trail in a shared care record, especially if editing is allowed within that record, as we believe it must be to deal with erroneous and/or duplicate entries. More generally concerns were raised over the loss of audit trails with the demise or a change of host systems, particularly where they had contributed to a shared care record. We recommend that a national solution is sought for this, and what follows outlines how this could be done.

The key step would be to log any change made to a record entry in the patient database as a change log entry in the patient record itself rather than in a separate audit file. Each change log entry would record the change being requested, when, by whom, why and any patient data added / removed / changed / assigned a different status. Placing a visible flag in the patient record would alert the user to the presence of a change log entry, which could, with the addition of the relevant facilities to the application software, be used to create a version of the patient record as it was at any time in the past. It would however require a viewer to be available for the record for as long as the database concerned exists.

Changes to the payload of a record entry should be made by the organisation of prime entry and propagated to any organisation that has received a copy of it , e.g. as part a composite shared record.

This would not remove the normal requirement to back up the complete database at intervals to mitigate the (very different) risk of it being destroyed or becoming unusable for some other reason. Such backups would include any change log entries in the patient database.

Curation of records

EPRs are dynamic records and to enable good care need curation facilities to enable erroneous entries to be relegated to a change log entry in the audit trail. Curation is usually under-valued, currently very rarely performed and even more rarely budgeted for. Curation is more important than ever for shared records. Who curates a record and when and from what perspective is recognized as a hazard: the general rule is wherever possible data should be curated by the organisation - and ideally the person - that generated it. However keeping the audit trail as part of the record as proposed above in 3.1 would enable curation considered inappropriate to be undone, and then done differently if required. This process could be repeated ad nauseam. It would be helpful to visibly show places in the record where curation has occurred, and which could be used to access the corresponding change log entry in the audit trail.

Data quality

Poor data quality can significantly affect good care. The lack of proper training in the use of EPRs and data quality is felt to be a significant contributor to this hazard. The better design of systems and the use of templates can mitigate this risk to some extent.


Shared care records will encounter multiple entries for the same event. In some cases, it is easy to resolve as only one event such as a hysterectomy can ever take place. In others, e.g. myocardial Infarction, deciding whether it is one or multiple events is more difficult. Accurately recording the dates of each occurrence usually resolves the problem. Many Shared Care records integrating multiple records will use an automatic de-duplication process and we believe it should always be clear to the user that this has happened. If all data removed or changed, plus who made the change, why and when is retained in a change log audit trail material in the patient record itself as suggested in 3.1, this would make de-duplication visible and its resolution possible if required.

Erroneous/Disputed entries

In both single shared records and shared care records issues arise where a data item is felt to be either erroneous or disputed. Where it has been entered by a different organisation, correcting it should be done by the originator, probably after prompting by the recipient. We recognized that one solution was to have an executive body to take responsibility for this and ensuring there are appropriate ways to manage it in a timely manner. It was also felt that there should be the ability to flag a data item as erroneous or disputed or simply a concern, so that it is treated with caution if it cannot be resolved. The audit trail mechanism suggested in 3.1 would record this change in status of a data item, as it would any change to the item itself.

Legal issues

Concern was expressed about third party data and the risk that it may be inappropriately shared. The group noted that there is currently no way of flagging data (and therefore identifying) data as about and /or provided by a third party. We felt this must be explored, ultimately with a view to routinely identifying third party data at the time of recording, and where it is provided by the third party, asking if it may be shared it with others caring for the patient, and whether the patient should be made aware of it.

Role-based access controls

Role Based access was not felt to be granular enough to ensure that data is only seen by those who need to see it. One mitigation is to ensure regular audit of record access, so that inappropriate access was highly likely to be discovered. Under the COPI regulations this has been relaxed for direct care and it would seem to make sense to keep this relaxation making data sharing much easier across NHS/Social Care for the purposes of direct care.

Retention limits for safeguarding and child protection conference data

Safeguarding data and information around child protection conferences may have retention dates after which the data must be removed. This becomes difficult to ensure where the data is shared and copies are created in other records. It is essential if this is permitted that the retention date is also shared and acted upon by the receiving system.

Problems with accessing legal documents

Advanced directives, powers of attorney and other such documents may be referred to in the shared record but the original document are not available. The group supported the idea of a national repository for such documents, so they are accessible from all records where they are relevant.

Medication in both SSRs and LHCRs

The hazards around medication were focused on the

  • inability of one organisation to alter the medication prescribed by another in the light of changes to the patient's condition since it was originally prescribed and
  • clarity about who is responsible for on-going prescribing.

The concept of a single medication record for a patient, perhaps even a single national medication record, was felt to be an idea worth supporting but would not overcome the problem of who is responsible for the overall medication of the patient when care passes from one organisation to another.

Creating a record structure for shared care records

The way in which a record is structured and laid out is important in ensuring that significant data is not overlooked, and there are likely to be different conventions in primary, secondary and community care. Creating a shared care record is likely to require semantic interoperability between disparate record structures. There is a risk that context and provenance is lost in sharing where contributing records have different structures. There is a case for more similarity in the structure of EPRs where it can be had without degrading their content.

Creating referrals from shared records

When data is shared in a record - especially a single shared record - there is no clear guidance on how much information needs to be included in a referral and how much can be derived from the record visible to both parties. Good practice should be agreed across organisations sharing their records.

Responsibility for care

Where two or more organisations are caring for the same patient and a new hazard is identified and it may be unclear who should be responsible for acting on information newly recorded in it, e.g. when a test result comes back, and a consultant and GP are both involved in the patient's care. Solutions to this should be agreed by the professions, nationally adopted, and their use monitored. Consideration should also be given to mechanisms to embed formal requests for a hand-over of care in system design, allowing for acceptance or rejection of the request by the recipient.

Resolving conflicts between treatments managed or proposed by different clinicians for different problems

This problem also occurs where shared records are not used but is likely to be noticed sooner and more reliably when they are. This requires a code of practice to be in place and used when significant change is proposed to the care plan for an existing problem / a care plan is proposed for a new problem.

Teaching and implementation

The group recommended on-going support and training in the optimal use of systems for patient care (and not just at the induction of new staff or at initial system deployment,; and better training throughout clinical education for all care disciplines in the use of EHRs, data entry and the importance of keeping high quality electronic records.


There should be agreed and mandated standards for record-keeping across agreed care pathways, mitigating for differences in systems. Snomed terms should be used at a minimum for all nonnumeric data used for algorithmic decision support. All staff using and /or entering data into patient records - not just doctors - should receive ongoing education and training in how to use and update patient records, including an appreciation of the different hierarchies available in Snomed.


Users should be involved in the design of systems. Poor usability can make the system difficult to use effectively. It needs to be recognized that users from different specialties and different organisations will need different views of the data. One size will not fit all.

Value sets

List of concepts are increasingly being used to constraint data entry in particular circumstances, in order to increase data quality. But unless they are kept up to date and are error-free, they will have the opposite effect.

Be aware of the possibility of systematic incompleteness in shared record content

The patient may be undergoing treatment at a care unit that is not submitting data to his or her Shared Single Record or Composite Shared Record, One example would be an episode of care at a national centre of excellence such as Great Ormond Street or a care unit outside the patient' locality. Arrangements must be made/ continued to ensure that the data generated by the associated episode of care is captured in the patient' GP record.