Invoice Validation – FAQs

What is invoice validation?

Invoice validation is part of the process by which providers of care or services get paid for the work they do.

Invoices are submitted to the commissioners of their service for payment, but before payment can be released, commissioners need to ensure that the activity claimed for each patient is their responsibility.

Prior to April 2013, personal confidential data (PCD) were used for invoice validation. Post April 2013 this is not possible. Why not?

The introduction of the Health and Social Care Act 2012 changed the structure of the NHS. This Act, which became law on 1 April 2013, did not provide a clear legal basis for clinical commissioning groups (CCGs) and commissioning support units (CSUs) to set aside the common law duty of confidentiality for this purpose.

Can invoice validation be done with Section 251 approval?

Yes, but the Section 251 approval is limited to the scope of the current application approved by the Confidentiality Advisory Group (CAG). To ensure that you understand the limitations, and the requirements you need to have in place before you can use the powers, please read the published guidance.

As a healthcare provider or supplier to the NHS, what do I need to send NHS Shared Business Services (NHS SBS) to receive payments?

The original invoice needs to go to NHS SBS for payment. It must not contain any personal confidential data (PCD). It must have a unique reference/invoice number. This unique reference number will allow the relevant commissioner to identify and approve the reference.

Failure to provide the appropriate identification or the inclusion of PCD within the invoice will delay payment of your invoice. Inclusion of PCD within the invoice is considered a breach of confidentiality and should be reported as such.

The relevant guidance for breaches is the Health & Social Care Information Centre’s Checklist Guidance for Reporting, Managing and Investigating Information Governance Serious Incidents Requiring Investigation.

NHS SBS do not require and should not receive any patient confidential data to provide their services.

Good Practice Guidance on invoices is available from NHS SBS.

Where do I send the backing data or supporting documentation that enables the invoice to be validated and then paid?

Healthcare providers and other suppliers must send the relevant supporting documentation or “backing data” to the clinical commissioning group’s nominated secure environment. Any backing data must be sent by a method that meets the NHS standard of secure data transmission.

Validation of invoices is being done on behalf of clinical commissioning groups by a nominated secure environment. View the list of nominated secure environments.

The minimal data required for the specific purpose should be used. A backing data set is included in Appendix B of the Who Pays? Information Governance Advice for Invoice Validation.

The nominated secure environment should also be sent a copy of the invoice you have sent to NHS Shared Business Services (NHS SBS).

These backing data must include the same unique reference number as the relevant invoice. This reference number ensures that the correct invoice is associated with the correct backing data.

The variants are:

  • Data Services for Commissioners Regional Office (DSCRO) – electronic data can be sent, securely, to the DSCRO where they are a nominated secure environment.
    The DSCRO can forward details to a Controlled Environment for Finance (CEfF) for invoice validation purposes. The details shared with the CEfF can include PCD. A weakly pseudonymised version of the backing data can be passed to an Accredited Safe Haven (ASH) by the DSCRO.
    See the advice for the definition of weakly pseudonymised. These flows of data are enabled by the relevant approvals under Section 251 of the NHS Act 2006.
  • Controlled Environment for Finance (CEfF) – electronic and paper data can be securely sent to the CEfF where this is a nominated environment.
    These flows of data are enabled by the relevant approvals under Section 251 of the NHS Act 2006.
  • An Accredited Safe Haven (ASH) may receive weakly pseudonymised data from a DSCRO for invoice validation purposes (in addition to other commissioning purposes).
    These flows of data are enabled by the relevant approvals under Section 251 of the NHS Act 2006.

Additional details relevant to additional flows (for example between CEfF and ASHs) are currently being clarified. Our FAQs will be updated with new information as this becomes available.

What are the differences between an Accredited Safe Haven (ASH), a Data Services for Commissioners Regional Office (DSCRO) and Controlled Environments for Finance (CEfF)?

An Accredited Safe Haven (ASH) is a controlled environment within a CCG or CSU where staff can receive weakly pseudonymised data. The conditions ASHs must work to were set in an earlier approved Section 251 application (CAG 2-03(a)/2013). The relevant regulations set strict conditions and limits on the use of and access to personal data. These ASHs do not have access to systems that would enable identification of the patient.

These weakly pseudonymised data, which contain one strong identifier, would be classed as personal data under the Data Protection Act outside of the ASH environment.

A Data Services for Commissioners Regional Office (DSCRO) is a regional office of NHS Digital. Under the Health and Social Care Act 2012, s. 252-277, NHS Digital and its DSCROs can lawfully hold PCD for secondary purposes which do not directly relate to care.

View the relevant legislation information.

A Controlled Environment for Finance (CEfF) is either part of a CSU or part of a CCG. It is a nominated secure environment that can receive the minimum necessary PCD to validate invoices. Staff within the CEfF can access and view PCD to determine the relevant commissioner as part of invoice validation. They can also provide de-identified data sets for further analysis. CEfFs are an innovation to assist in the resolution of invoice validation issues and are expected to be a short-term solution.

Strict guidelines apply to every CEfF in order to meet the lawful basis provided by the approved Section 251 applications (CAG 7-07 (a-c)).

What do I need to send to the nominated secure environment conducting invoice validation on behalf of the commissioner?

The nominated secure environment validating the invoice will require a copy of the invoice sent to NHS Shared Business Services, as well as the backing data to evidence the activity and patients claimed for.

A CEfF may receive personal confidential data (PCD), subject to the conditions outlined in the advice, Who Pays? Information Governance Advice for Invoice Validation, and associated FAQs. Accredited Safe Havens (ASHs) may only receive a weakly pseudonymised data set as detailed in the same advice document.

The backing data must also have the same unique reference number as the invoice it relates to, to enable the correct backing data to be linked to the correct invoice.

How do I send data to the nominated secure environment?

Any backing data must be sent by a method that meets the NHS standard of secure data transmission. This applies to both the backing data set and any weakly pseudonymised variation.

Each nominated secure environment is required to set one secure contact point for this purpose. It is expected to be an email account and likely to be an Other systems that meet the same standards of security are available and can be considered.

What data can flow into a Controlled Environment for Finance (CEfF)?

Annexe B of the Who Pays? Information Governance Advice for Invoice Validation includes a list of data items in an approved “backing data” set. This backing data set is approved under the relevant section 251 applications (CAG 7-07 (a-c)). Where additional data items are identified as being required to validate an invoice, their inclusion will need to be justified and details provided through the assurance process.

However, organisations still have a duty to comply with the Data Protection Act, and should use the minimum number of data items necessary for the purpose of invoice validation.

Providers and DSCROs can flow ‘backing data’ into the relevant CEfF, along with a copy of the invoice. This is a copy of the original “front” page invoice sent to NHS SBS which must contain no PCD.

View advice and updates.

How long does the current Section 251 approval in relation to invoice validation last for?

The Section 251 approval for invoice validation is valid until September 2020. There are requirements to provide regular updates on progress with invoice validation processes and systems, as well as the use of data, to the Confidentiality Advisory Group of the Health Research Authority.

The current solution should be seen as being temporary. It gives NHS England, commissioners and providers time to review invoice validation processes. Part of this review must determine the need for PCD to validate invoices, and whether validating invoices can be achieved with patient row level (pseudonymised) or weakly pseudonymised data.

The working assumption is that once the commissioner is identified, PCD are no longer required and further validation can be undertaken on patient row level data (which are fully pseudonymised).

What is not covered by the Section 251 approved applications (CAG 7-07 (a-c))?

The following activities are not covered by the approved Section 251 applications:

  • Provider-to-provider invoicing (e.g., where one acute provider is providing a service to a number of acute providers in the local area).
  • Cross-border invoice validation (for patients who are resident outside of England but are treated in England, such as a person registered with a Glasgow GP who is treated by A&E in Norwich).
  • Data processors (commercial third party) providing invoice validation services.
  • Access to PCD for financial audit purposes.

More details of what is in scope and what is out of scope of the approved applications can be found in Section 4 of Who Pays? Information Governance Advice for Invoice Validation.

However, the principles and use of PCD within the advice apply more generally. Crucially, no invoice should contain personal confidential data and PCD must not be sent to NHS Shared Business Services for invoice validation for NHS patients.

What about cross border and provider-to-provider Invoice Validation and other issues that are out of scope of the current advice?

There are still outstanding issues around invoice validation and we continue to work with partners on solutions. This work includes cross border invoice validation.

We will publish more information as soon as it becomes available.

Outside of the Section 251 framework, what data can be shared with CCGs or CSUs for invoice validation?

Where there is consent or another legal basis established to meet the common law duty of confidentiality requirements, then the minimum data necessary can be shared in a fully identifiable format.

Alternatively, anonymised data or aggregated data may be supplied where this is sufficient for the commissioner to discharge its responsibilities to confirm it is the responsible commissioner.

Where can I go for more information about invoice validation?

The advice developed will need to be implemented locally to meet your own business requirements. The advice is intended to become guidance in due course. Healthcare providers, suppliers and commissioners are all required to undertake work as part of this change process.