BS10008 compliance: Destroy scanned originals with confidence

Key Messages

  • Able to securely destroy scanned paper-based records without fear of legal challenge
  • Savings can be realised relating to the storage, management and handling of paper records
  • BS10008 compliance is a test of the existence of robust internal processes and underlining technology.
  • MediViewer is BS10008 compliant and ensures the scanned documents cannot be deleted or altered in any way, as well as providing a full audit trail. Its version control technology enables a healthcare professional to view documents in context within a patient medical record, reflecting how they were at any previous point in time since scanning and archiving.

The requirement

When making the decision to digitise patient records, it is of utmost importance to any Hospital that the integrity and availability of the patient health record is not compromised in any way through the scanning of paper records.  It is also vitally important to be able to destroy these records once they have been scanned or risk not being able to realise significant savings relating to storage costs.

When embarking on its Digital Health Record (DHR) project, Noble’s Hospital, based on the Isle of Man, wanted to ensure that robust procedures were being put in place.  They needed assurance that all operations carried out for both the scanning of historical records and the ongoing scanning of paper would be carried out in a manner that complies with all relevant Legislation, NHS Guidance and Standards of Best Practice.

In July 2016, Noble’s Hospital awarded a contract to IMMJ Systems, a System C partner, for the delivery and implementation of an EDMS solution specifically designed for clinical use – MediViewer.

Noble’s Hospital are now fully live with over 1,100 clinicians trained and using MediViewer to access digitized patient records.   Their objective, to scan all 110,000 patient paper records, has now been achieved and discussions are taking place to determine how the empty record library, occupying a prime location on the main hospital site, can be re-purposed for clinical use.

The back-scanning function was outsourced to MISL, an established UK scanning specialist with a proven track record in digitising patient files.  In order to meet the stringent service levels required by the Hospital, MISL set up an on-island bureau specifically for this project.   Noble’s Medical Records team have been cross-trained and their roles have transitioned from managing physical patient records to providing a critical day forward scanning service – meeting and exceeding a 24-hour turnaround time for making new patient documentation available on MediViewer.

Destroying the originals after scanning represents a clinical and legislative risk.  It was agreed that the best way of minimising those risks is to ensure that Noble’s would be able to demonstrate compliance to a best practice standard.   Therefore, an independent assessment was initiated to provide assurance that the Hospital and both scanning bureaux were operating within rigorous guidelines set out in BS10008, the standard for legal admissibility of electronic records.

The Hospital’s success in being awarded a Certificate of Compliance for BS10008 was partly thanks to help and advice from both IMMJ Systems and Alan Shipman of Group 5 Training Ltd, the co-author of the BS10008 standard.

Moving towards compliance  

The consultancy work was split into two stages.

The initial stage entailed reviewing existing policies and procedures and the proposed processes relating to archive scanning and forward scanning.  By conducting the review at this early stage helped ensure that Noble’s had future proofed their plans and would be following best practice.  It included an overview and opinion on the existing policy framework, project governance and specific requirements relating to the proposed technology relating to both scanning and the EDMs viewer.

The second phase took place after go live in March 2017 and included a comprehensive review of the fully developed procedures, documentation generated and assessing the results of audits undertaken by both scanning provider and the Hospital.

Documentary evidence compiled 

  1. Policies/Procedures
  • Information Governance Policy
  • Electronic Medical Records and Health Records Policy
  • Clinical Recordkeeping & EMR Policy
  • New Health Records documentation procedure
  • Compliance of New Processes, Hardware and Software procedure
  • System supplier technical questionnaire
  • Disaster recovery and business continuity plan
  • IT Change management policy
  • Scanning Department procedure change control document
  1. Records Management Code of Practice
  • DOH guidance
  • Records management retention of audit trails
  1. Information Security Policy
  • Data Security and Confidentiality Undertaking Form (DSCU)
  • Information Security Workplace Assessment
  1. Systems Management
  • Procedures for Transferring information and use of portable devices
  • EMR output procedures (legal copies)
  • EMR Systems management
  • Misfiles management
  1. Committees
  • Information Governance Framework
  • IGG minutes and terms of reference
  • Recommendation for scanned records destruction
  • Clinical Advisory Group minutes and terms of reference
  • EDM Project Board
  • Health Records Committee
  1. Product
  • EDM supplier documentation and installation, configuration procedures
  • Standard Integration techniques (supplier document)
  • Security model documentation
  • Conceptual overview
  • Installation guide
  • EDM system test scripts
  1. Operational procedures
  • Medical Records Scanning Bureau Service Working Procedures
  • Scanning Bureau staff induction
  • Team meeting minutes
  • Key Job descriptions
  1. Project Documentation
  • EMR Risk log
  • Threat and vulnerability assessment
  • Risk logs
  • EMR Business Case and PID
  • Full Business Case
  • Project Initiation Document (including communications plan)
  1. Audit
  • Audit forms and Evidence
  • Documentation of audits performed
  • BS10008 Gap analysis
  • Compliance Report from external auditor