Clarification of the position for opt-outs following the replacement of type 2 opt-outs to national data opt-outs and a recent amendment to the Confidentiality Advisory Group (CAG) approval CAG 7-07(a-c)/2013 for invoice validation data processing

During 2016/2017 NHS England worked with clinical commissioning groups (CCGs) (now replaced with integrated care boards [ICBs]) and ran workshops to understand the issues they were raising related to the processing of invoices for non-contracted activity.

At the time, CCGs indicated that they were unable to meet requirements under standing financial instructions (SFI’s) which require them to validate all invoices for payment. This was because the data they received from NHS Digital did not include data for patients which had lodged a type 2 objection and therefore could not be matched with backing data to verify activity.

They also highlighted that there was a risk of fraud as potentially providers could raise invoices for activity which could not be verified. Information was also required to ensure that commissioners had activity data to manage contract challenges, specifically where CCGs needed to verify whether the care provided was for their patient(s).

NHS England therefore requested an amendment to the CAG 7-07(a-c)/2013 approval which included the following rationale:

• Invoice validation is part of the process by which providers of care or services get paid for the work they do.
• Invoices are submitted to the commissioners of their service for payment, but before payment can be released, commissioners need to ensure that the activity claimed for each patient is their responsibility.
• The invoice validation process is required for a significant portion of NHS treatment that falls outside of standard contracts, systems or expected patient pathways as well as resolving disputes or discrepancies in standard contracts, this is undertaken using SUS activity data. There are also examples which may include non-contract activity, for patients treated out of area and nursing home payments.

The amendment specified to the CAG that without access to data on all patients, regardless of their sharing preference, where patients had indicated a type 2 objection to their data being disseminated from NHS Digital, commissioners are unable to effectively account and pay for care provided to their patients.

A consequence was stated to result invoices not being paid and care not being provided, especially when high cost specialised care services are required.

The amendment request is also in line with the National Data Guardian review of data security, consent and opt-outs, which specifically references the importance of commissioners being able to continue to access data identifiable at NHS number level, without the application of opt-outs

Taking into account the importance of accurately allocating NHS resources and the lack of evidence of public concern in relation to the use of data for this specific purpose, it is recommended that invoice validation for non-contracted activity should be an exception to the opt-out.

The Department of Health and Social Care should enable this through new regulations, which should be limited to when there is no alternative solution, such as the use of anonymised data. NHS England should continue to work on solutions which do not require personal confidential data.

There should be further engagement with the public about how their information is used, including for payment, because this use of information whilst being broadly acceptable was ‘new news’.

Confidentiality Advisory Group (CAG) outcome

The reissued CAG letter dated 5 July 2018 approved the request to waive the application of patient opt-outs to data flowing to controlled environments for finance (CEfF) listed on the NHS England CEfF register (including both NHS England and third party organisations providing CEfF services) for invoice validation purposes.

NHS England has also recently undertaken an exercise to clarify the data flows which are disseminated from NHS Digital (DSCROs) to support invoice validation and have confirmed that all CEfFs are receiving secondary use services, inpatient/outpatient/A&E data only. The CAG 7-07(a-c)/2013 approval now provides support for datasets as shown in the table below:

The purposes covered under the CAG 7-07(a-c)/2013 approval includes both contracted and non-contracted activity which is extended to the end of September 2020:

The revised approvals enable NHS Digital to provide SUS, inpatient/outpatient/A&E data to CEfFs without applying the national data opt-out (NDOP) for the purposes set out below.

• validating systems or expected patient pathways to enable ICBs to reconcile contracted activity in order to resolve disputes or discrepancies in standard contracts.

All other organisations providing invoice backing data (which usually flows directly from health and care providers to CEfFs under strict controls) are also able to provide data *without national data opt-outs being applied for the following purposes:

• identifying the responsible commissioner, validating invoices and making payments for NHS treatment which falls outside of standard contracts (non-contracted activity [NCA]). Key examples of NCA include activity for patients treated out of area and nursing home payments.

* This will apply to all organisations included in the roll out of NDOP which is due to be completed by March 2020.