The last year has seen the use of remote consultation rocket – how can you be sure you are using the right one?
The CQC states that there are two types of online service:
- Online doctor services: provide online medical consultations and may issue prescriptions or arrange medical tests. If they are based in England, and treat people in England, the CQC register and regulate most of them. However, some companies operate in a way that means that they fall outside of CQC’s scope of regulation.
- Online pharmacy: dispenses medicines. Find out more, including General Pharmaceutical Council (GPhC) registration, in the NHS information on the dangers of buying medicine online.
Before you consider using an online healthcare service, the CQC recommends you find out:
- where they are based;
- which regulators they are registered with.
The BMA suggests using two checklists to ensure you are choosing the right platform.
Checklist one: safety and quality assurance
- Conformance with DCB0129 (Clinical risk management: its application in the manufacture of health IT systems, NHS Digital)
– Suppliers maintain adequate risk management processes.
– Suppliers must have a clinical safety officer who is accountable for quality standards, and conduct regular risk analyses, maintain a hazard log, and evaluate the system’s deployment and delivery.
– They must ensure any third-party products used in their system have adequate risk management checks.
- Conformance with DCB0160 (Clinical risk management: its application in the deployment and use of health IT systems, NHS Digital)
This standard complements DCB0129; it requires those in health organisations who are responsible for health IT systems to carry out effective clinical risk management prior to deploying, using, maintaining or decommissioning health IT systems.
- Registration with the Medicines and Healthcare Products Regulatory Agency
Apps and software that qualify as a medical device must be CE marked, in line with the EU medical devices directive. This covers software and monitoring tools as well as hardware and devices. ‘Medical purpose’ can include:
– prevention of disease;
– diagnosis of disease, injury or handicap (including percentage risk scores);
– monitoring of disease, injury or handicap.
For example, CE marking should be sought for triage tools, symptom checkers and algorithmic decision trees. Upon registering with the MHRA, systems are subject to the Yellow Card scheme for adverse incidents, unexpected results, inaccuracies or safety concerns. Where systems use a third-party symptom checker or similar, it is important to clarify the compliance with CE marking, governance and risk management.
Checklist two: data management
- Compliance with the NHS Data Security and Protection Toolkit, covering information governance, GDPR and cyber security
- All suppliers should have a government-approved Cyber Essentials certificate
Protecting against malware, hacking and cyberattacks means maintaining up-to-date operating systems, devices and software; using antivirus software, firewalls and security settings; downloading only from approved sites; and controlling access to data and services.
- Practices have a legal obligation to provide a secure and confidential service; they must have processes to adequately authenticate and verify patients’ identity, ensuring no one else can access their account
The patient’s date of birth, name and address are not sufficient, however, as the information could be available to friends or family members. If patients have consented to a carer or relative communicating on their behalf, they should have a separate verification process.
Where data breaches occur, practices may be at risk of financial penalties.
- Within GDPR, practices are the data controllers and suppliers the data processors. In a data breach, system suppliers should help practices to report and investigate, and comply with the requirement to notify the Information Commissioner’s Office within 72 hours
Data disclosure requests from patients may include information processed by the online consultation system, so the supplier’s records must be detailed and accurate, securely held in the UK, and easily accessible to the practice.
- Integration with existing GP operating systems enables data to be electronically transferred directly to the patient’s clinical records. Online consultation systems should use recognised clinical coding systems to do this (eg SNOMED CT)
Manually transferring clinical information from one system to another can increase workload and the risk of errors, and negatively affect continuity of care. Where systems use artificial intelligence, or symptom checkers to point patients to other services, this information must be captured, relayed to the GP and integrated into the patient’s record.