Update on Processing PCD for Invoice Validation
The problem and how you can help
Some Provider invoices for patient care submitted to Clinical Commissioning Groups for payment via NHS Shared Business Services have been found to contain, or have attached to them, Personal Confidential Data (PCD). This is in breach of Information Governance Guidelines and Data Protection law, including GDPR. During invoice entry (Paper and Electronic), NHS Shared Business Services load images of these documents onto the Accounts Payable system through an automated process. This means PCD can be viewed by staff, both at SBS and within CCGs, compromising patient privacy and potentially putting vulnerable individuals at risk of harm.
What could PCD information contain?
This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this activity, ‘personal’ includes the Data Protection definition of personal data, but it is adapted to include dead as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in Data Protection Legislation.
Put simply, PCD can be anything which identifies a person; this could be obvious such as a name but it could also be another unique identifier, for example an NHS number or a national insurance number. You may not be able to identify a person directly from a single piece of information, but when it can be combined with other information which may be accessible to you, this may be considered to be confidential.
Your role is very important
Finance and Provider/Contract management staff have a very important role.
- Working for or on behalf of CCGs on invoice processing, coding and approval for payment, staff must be alert to the risks, be vigilant when reviewing invoices to identify inclusion of PCD and follow the established system processes.
- It is vital you follow the SBS process to remove or redact PCD prior to contacting the Provider. Suppliers must be made aware if guidelines have not been followed and what remedial action has been taken in order to prevent recurrence.
- NHS bodies must have in place local monitoring and reporting processes to give internal assurance of compliance.
- Please use the links below to access useful and important training material, which includes a webinar demonstration, guidance on letters to suppliers and other supporting material to help you mitigate and reduce the risk of compromising patients’ privacy.
A training video is available on the NHS England YouTube channel.
Pro forma letters to suppliers can be used to assist in following up data breaches:
Training materials for Staff involved in validating and approving Provider invoices can be accessed here:
NHS Information Governance managers must support and supervise compliance
- Working for, or on behalf of, CCGs, you need to liaise with Finance colleagues to assess risks and mitigations, identify and report breaches, and engage with Suppliers as necessary to inform and educate them on safe invoicing practice.
- It is vital that CCGs monitor compliance in order to provide positive assurance of IG compliance to Accountable Officers.
The following links to IG-specific guidance contain supporting documents to help you when addressing suppliers, plus details of how to locate the ISFE BI tools report for monitoring.
- Invoice validation programme general supplier letter
- CCG letter – Update on processing PCD for Invoice validation purposes
- NHS SBS Guidance on Implementation of the new rejection mechanism in ISFE
In the ISFE reporting suite “BI tools”, the current report that allows users to review invoice details (including links to view images of provider invoices and supporting documents as scanned in to support validation) is the “A31” Invoice report. NHS Finance colleagues working for CCGs will be able to extract this report for you periodically, or provide you with a BI Tools Finance user account login so that you can run this report for yourself.
Suppliers (Healthcare Providers of all kinds)
The following information is primarily intended for Provider or Supplier administration and finance staff involved in billing CCGs for patient care; however, it will also be useful for all NHS Staff involved in the processing of invoices.
- Supplier invoices containing (or accompanied by schedules containing) Personal Confidential Data will be rejected and payment delayed.
- Correct invoicing procedures must prevent Personal Confidential Data from being included or attached to documents sent by post or electronic submission for payment.
- NHS approval for payment is subject to a set of conditions – Suppliers must ensure that invoices addressed to CCGs for patient services contain no PCD, only references to suitable patient pseudonyms, such as a secure confidential case reference number, that can be agreed and used locally for validation.
- Not only Invoices but also any attachments or supporting information included to help validate payment must not contravene the Data Protection Act 1998 by including PCD.
- The following links will support you when contacting suppliers to address any recurring problems.
You should note the specific guidance for suppliers contained in the General letter to suppliers (above), as well as the wider guidance on Information Governance.
Who Pays? Information governance advice for invoice validation
The Secretary of State for Health has approved the NHS England application for support under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (Section 251 Support). This allows Clinical Commissioning Groups (CCGs) and Commissioning Support Units (CSUs) to process Personal Confidential Data (PCD) which are required for invoice validation purposes. This approval is subject to a set of conditions. This advice explains these conditions and sets out the actions that CCGs, CSUs and Providers must now take in order to ensure they are acting lawfully.
An extension until 31 March 2017 has been granted for application CAG 7-07(a-c)/2013 for invoice validation.
CCGs are reminded to notify NHS England if they change their supplier for invoice validation services. This can be done by completing the Supplier Change Proposal Form in the Controlled Environment for Finance (CEfF) Assurance Statement document.
NHS England is grateful to South London CSU who worked collaboratively with us to produce this advice.
- The List of Controlled Environment for Finance Organisations is available in PDF and Excel format. Please note that the PDF is the definitive version.
Urgent update regarding S251 CAG Approvals – 28 March 2017
Confidentiality Advisory Group (CAG) s251 Approvals for Risk Stratification (CAG 7-04(a)/2013) and Invoice Validation (CAG 7-07(a-c)/2013)
NHS England attended the Confidentiality Advisory Group meeting in late February 2017 with a view to requesting the extension of the current CAG approvals for Risk Stratification and Invoice Validation – both of which include the use of all datasets listed under CAG 2-03(a)/2013 until the end of Sept 2018. CAG indicated that they did not envisage any issues with the request, that they will provide their response in due course and that, in the meantime, the current approvals do not expire. This would ensure that all processing under the above s251 approvals can continue.
During the course of the discussion with CAG members, it was also felt that, to ensure sufficient legal cover continues to be in place to enable the de-identification of data previously processed under CAG 2-03(a)/2013 (ASH) and currently held by CCGs/CSUs in an identifiable format, this approval should also be extended, but only for a period of 4 months to the end of July 2017. This would support the de-identification of data in line with the ICO Anonymisation Code of Practice.
NHS England will update the website again as soon as NHS England receives a formal response from CAG.
If you have any queries relating to the above, please email them to email@example.com.