Invoice validation

Confidentiality Advisory Group (CAG) approval to s251 support for invoice validation data processing (CAG 7-07(a-c)/2013)

The Secretary of State for Health has previously approved the NHS England application for an extension (until the end of September 2022) for support under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (Section 251 Support) which allowed clinical commissioning groups (CCGs) and commissioning support units (CSUs) to process personal confidential data (PCD) which are required for invoice validation purposes, subject to a set of conditions.

From 1 July 2022, CCGs will be replaced with integrated care boards (ICBs) under the Health and Care Act 2022. CAG has confirmed that an administrative amendment is supported for ICBs to legally process patient confidential data in line with the new Act. The formal outcome has now been provided by CAG.

As responsible data controllers, ICBs will be required to undertake a review of their processing activities and update their own privacy notices in order to ensure transparency and transfer of data controller responsibilities.

An extension until end of September 2024 has been granted for application Confidentiality Advisory Group (CAG) 7-07(a-c)/2013 for invoice validation

ICBs are reminded to notify NHS England if they change their supplier for invoice validation services. This can be done by completing a controlled environment for finance compliance statement.

The list of controlled environment for finance organisations is available in PDF and Excel format. Please note that the PDF is the definitive version.

In line with the recommendation from the National Data Guardian outlined in the national data the Review of data security, consent and opt-outs CAG have agreed to waive the requirement to apply national data opt-outs to data required for invoice validation purposes as set out in the CAG 7-07(a-c)/2013 approval.

The NDG review indicated that ‘members of the public did not express a concern about their information being used for payment purposes. Overall, there were no issues with this example of data sharing because the information is shared within the NHS. The law is not clear on whether personal confidential data can be used for these purposes without an opt-out. Taking into account the importance of accurately allocating NHS resources and the lack of evidence of public concern in relation to the use of data for this specific purpose, it is recommended that invoice validation for non-contracted activity should be an exception to the opt-out’.

This means that data which includes an identifier (usually NHS number) which is flowing from NHS Digital to commissioners for invoice validation/challenge purposes will be provided for all patients to ensure that providers receive the correct funding for the health and care services they provide.

Confidentiality Advisory Group (CAG) approval amendment to add date of birth as a supporting data item to s251 support for invoice validation (CAG 7-07(a-c)/2013)

Due to the closure of National Health and Information Service (NHAIS) batch tracing system which previously enabled organisations to run activity reports against NHAIS to ensure that the correct patient details were matched in the data required for validating invoices, it has been necessary for NHS England to request an amendment to the current CAG approval to enable the date of birth to be included in the backing data which is shared by providers.

This is because the new process, provided by NHS Digital, to support invoice validation uses the Personal Demographics Service, and this requires both a date of birth and the NHS number to trace on. 

Adding date of birth will allow the continuation of processing to ensure that organisations receive the correct funding for the NHS services they provide and are contracted for. The amendment is conditional on the organisations listed in the controlled environment for finance register processing data under CAG 7-07(a-c)/2013 approval meeting DSPT standards and therefore will be in place until the 17 March 2022 to enable NHS England to take further action to ensure that all organisations meet these standards.

A further update will be provided to CAG at that time.  If you are listed on the register and do not have an up to date DSPT in place, please take action now to meet the required standards.

If you have any queries relating to the above, please email