
Legitimate Relationships

Once a user has been authenticated and is in receipt of a smartcard, in order to access a patient’s Summary Care Record, they must ensure that there is a legitimate relationship (LR) with the patient. LRs are used to restrict access so that only health-care staff actually involved in the patient’s care can access their clinical information. 

This ensures that clinicians cannot access a record for any reason other than to treat a patient.


The relationship is between the patient, as identified by their NHS Number, and a group of users or an individual user (for example a clinician or members of the Emergency Department).  The user therefore may have an LR with the patient either directly, or by virtue of being a member of the group of users.


LRs with the patient are normally created as part of a registration or referral process and apply when viewing SCR to validate the need for a clinician to access the patient’s medical details. In order to understand the different types of LR, it is first important to understand the principles behind them – Role Separation and Workgroups. These principles are automatically set when using an integrated system solution where SCR can be viewed as part of the host system but need to be manually set when using the Summary Care Record application.

Role Separation


Role separation adds an extra layer of security to the Summary Care Record. Access to the Summary Care Record by back office staff using a centrally developed application (known as DSA) is governed by mechanisms that align with the LR concept.

A user who is able to access the demographic parts of the record, but not the clinical part of the record (governed by RBAC) can create a work item for one or more particular patient records.  Another user, with a role that gives them access to the clinical content of records, can only access a particular patient record for which a work item has already been created. 

So, two different people must be involved in the process before any clinical information is at all accessible, and both of them must have been granted the appropriate privilege to use the software.

The approach that is most likely to be appropriate to a particular care setting depends on a variety of factors. The following factors all favour use of Patient Self-Referral LRs:

  • Where a Summary Care Record will exist and be accessed for the majority of patients being seen;
  • Where an administrator or other non-clinical staff is available to register patients as they arrive for care; and
  • Where the patient’s Summary Care Record is likely to be accessed on more than one occasion by a member of the care team (either by multiple or the same health-care staff members).

Workgroups


Workgroups are important because they affect the Role Based Access Code (RBAC) and LR controls.
A workgroup is a team, or set of teams, that work together to provide a service to patients.

For example, a General Practice may typically include GPs, practice and community nurses, and practice administrators who work as a team to provide primary care to patients. This means that all of these people would be members of a general practice workgroup. 

Users, such as the practice receptionist, must be part of the workgroup because they require access to the records of all patients in the practice, even if they are only entitled to see a very limited part of the clinical record (e.g. appointments). 

This will be controlled by their RBAC codes on their smartcard. In a hospital setting, the workgroups will reflect the way people work together in secondary care.  For example, there may be a workgroup for every ward, a workgroup for every surgical team and a workgroup for all the staff who work in Accident and Emergency.

All of these workgroups would be linked together into a single workgroup hierarchy representing the legal organisation for the hospital NHS Trust.

Types of LR

There are 2 types of Legitimate Relationship:

  1. Patient Self Referral


Role separation enables LR to be verified

  • When registering the patient attendance, an administrator (without access to the clinical record, but with the RBAC activity (B0030) to create a Self-Referral LR) traces the patient to create an LR for their workgroup(s). Other clinical team members can then access the patient record without having to self-claim. This process is done automatically by the system in an integrated solution (for example integrated Adastra) but must be done manually in the SCR Application. For more information on setting up LRs, click through to the SCR Application information at the bottom of this section.
  • The legitimate relationship then lasts for 26 weeks.
  • Role separation exists to generate the legitimate relationship, e.g. the patient presents to reception, which creates the LR using the ‘Select for Care’ action in the drop-down menu so that clinical staff can access the patient's SCR on treatment. This is controlled by the RBAC codes on a user’s smartcard, which stops clinicians from selecting for care themselves to avoid an alert.
  • Alert generated? No. Because the legitimate relationship is created with the help of more than one person (role separation), there is no need for a Privacy Officer to check for inappropriate use, and therefore no alert is generated.
  • Exception: If an administrator is not generally going to be available to register patients, then it would still be possible to use Patient Self-Referral Legitimate Relationships with a clinical team member creating the Self-Referral LR.  It is difficult to ensure good information governance without the role separation between the administrator (who creates the LR) and the care staff (who view the care records), but this can be mitigated by appropriate levels of audit and alerts.

 
  2. Clinician Self Claim


Clinician accessing patient record and verifying the LR themselves

  • Each user requiring access to the Summary Care Record self-claims an LR which supports subsequent accesses for up to 5 days for that user alone.  An IG Alert is generated which will need to be investigated by a Privacy Officer (a member of staff appointed to safeguard the privacy of the patients) and reconciled with local files to confirm the patient’s attendance. 
    Absence of role separation
  • The legitimate relationship lasts for 5 days.
  • Alert generated? Yes. Because the creation of a Self-Claimed LR can be carried out by an individual acting alone, a Privacy Officer is made aware of this event by the generation of an alert, which indicates the possibility of inappropriate access, for example where a clinician has looked at a patient record without actually treating the patient themselves.

The key thing to note about legitimate relationships and alerts is that as long as there is a legitimate reason for you to be accessing the SCR then, even if an alert is raised, there is nothing to worry about. The privacy officer will simply match up your alert with a corresponding entry on your patient administration system and close the alert.
If it is found that there is no legitimate reason for a record to be accessed you will be asked to explain your actions.  This applies in both primary and secondary care.
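
The two LR types described above can be modelled as a small access-decision check. This is an added example, not code from the SCR application or any NHS system: the class and method names, the `clinical_access` flag and the requirement that the creator belongs to the workgroup are assumptions, while the B0030 activity, the 26-week and 5-day lifetimes and the alert behaviour come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SELF_REFERRAL_ACTIVITY = "B0030"              # RBAC activity named on the page
SELF_REFERRAL_LIFETIME = timedelta(weeks=26)  # workgroup-wide LR
SELF_CLAIM_LIFETIME = timedelta(days=5)       # LR for the claiming user alone

@dataclass(frozen=True)
class User:
    user_id: str
    workgroups: frozenset
    activities: frozenset    # RBAC activity codes held on the smartcard
    clinical_access: bool    # hypothetical flag for clinical-content RBAC rights

@dataclass(frozen=True)
class LR:
    nhs_number: str
    holder: str              # workgroup name or user_id
    group: bool
    expires: datetime

class LRStore:
    def __init__(self):
        self.lrs, self.alerts = [], []

    def self_referral(self, creator, nhs_number, workgroup, now):
        """Administrator registers attendance: LR for the whole workgroup, no alert."""
        if SELF_REFERRAL_ACTIVITY not in creator.activities:
            raise PermissionError("creator lacks B0030")
        if workgroup not in creator.workgroups:   # assumption: own workgroup only
            raise PermissionError("creator is not in that workgroup")
        self.lrs.append(LR(nhs_number, workgroup, True, now + SELF_REFERRAL_LIFETIME))

    def self_claim(self, user, nhs_number, now):
        """User acting alone: short personal LR plus an alert for the Privacy Officer."""
        self.lrs.append(LR(nhs_number, user.user_id, False, now + SELF_CLAIM_LIFETIME))
        self.alerts.append((now, user.user_id, nhs_number))

    def can_view_clinical(self, user, nhs_number, now):
        """RBAC must allow clinical content AND an unexpired LR must cover the user."""
        if not user.clinical_access:
            return False
        return any(lr.nhs_number == nhs_number and now < lr.expires and
                   (lr.holder in user.workgroups if lr.group else lr.holder == user.user_id)
                   for lr in self.lrs)
```

Each entry in `alerts` is what a Privacy Officer would reconcile against the patient administration system; a self-referral LR leaves that list untouched because two people were involved.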