The problem and how you can help

Some Provider invoices for patient care submitted to Clinical Commissioning Groups for payment via NHS Shared Business Services have been found to contain or have attached to them Personal Confidential Data (PCD). This is in breach of Information Governance Guidelines, and Data Protection law including GDPR. During invoice entry (Paper and Electronic), NHS Shared Business Services load images of these documents onto the Accounts Payable system through an automated process. This means PCD can be viewed by staff, both at SBS and within CCGs, so compromising patient privacy which has the potential to put vulnerable individuals at risk of harm.

What could PCD information contain?

This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this activity ‘personal’ includes the Data Protection definition of personal data, but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in Data Protection Legislation.

Put simply, PCD is information which identifies a person and includes health or other sensitive information; this could be obvious such as a name but it could also be another unique identifier, for example an NHS number or a national insurance number. You may not be able to identify a person directly from a single piece of information, but when it can be combined with other information which may be accessible to you, this may be considered to be confidential.

Your role is very important

Finance and Provider/Contract management staff have a very important role:

• Working for or on behalf of CCGs on invoice processing, coding and approval for payment, staff must be alert to the risks, be vigilant when reviewing invoices to identify inclusion of PCD and follow the established system processes.
• It is vital you follow the SBS process to remove or redact PCD prior to contacting the Provider. Suppliers must be made aware if guidelines have not been followed and what remedial action has been taken in order to prevent recurrence.
• NHS bodies must have in place local monitoring and reporting processes to give internal assurance of compliance.
• Please use the links below to access useful and important training material which includes a webinar demonstration, guidance on letters to suppliers and other supporting material to help you mitigate and reduce the risk of compromising patient’s privacy.

CEfF Compliance statements

• CCG CEfF Compliance Statement
• CSU CEfF Compliance Statement
• Third party CEfF Compliance Statement
• CEfF Change of email address

A training video is available on the NHS England YouTube channel.

Guidance on sharing sensitive information using NHS mail.

Pro forma letters to suppliers can be used to assist in following up data breaches:

• General circular to providers, and notification of data breach – proforma letters

Training materials for Staff involved in validating and approving Provider invoices can be accessed here:

• Invoice validation Integrated Single Finance System (ISFE) staff training
• Technical FAQ’s are available here.

NHS Information Governance managers must support and supervise compliance:

• Working for, or on behalf of CCGs, you need to liaise with Finance colleagues to assess risks and mitigations, identify and report breaches, engage with Suppliers as necessary to inform and educate them on safe invoicing practice.
• It is vital that CCGs monitor compliance in order to provide positive assurance of Information Governance compliance to Accountable Officers.

The following links to Information Governance specific guidance, contain supporting documents to help you when addressing suppliers plus details of how to locate ISFE BI tools Report for monitoring.

• Invoice validation programme general supplier letter
• CCG letter – Update on processing PCD for Invoice validation purposes
• NHS SBS Guidance on Implementation of the new rejection mechanism in ISFE

In the ISFE reporting suite “BI tools”, the current report that allows users to review invoice details (including links to view images of provider invoices and supporting documents as scanned on to support validation) is the “A31” Invoice report:  NHS Finance colleagues working for CCGs will be able to extract this report for you periodically, or provide you with a BI Tools Finance user account login so that you can run this report for yourself.

Suppliers (healthcare providers of all kinds)

The following information is primarily intended for Provider or Supplier administration and finance staff involved in billing CCGs for patient care, however it will also be useful for all NHS Staff involved in the processing of invoices.

• Supplier invoices containing (or accompanied by schedules containing) Personal Confidential Data will be rejected and payment delayed.
• Correct invoicing procedures must prevent Personal Confidential Data from being included or attached to documents sent by post or electronic submission for payment.
• NHS approval for payment is subject to a set of conditions – Suppliers must ensure that invoices addressed to CCGs for patient services have no PCD but only references to suitable patient pseudonyms, such as a secure confidential case reference number, that can be agreed and used locally for validation.
• Not only Invoices but also any attachments or supporting information included to help validate payment must not contravene the Data Protection Act 1998 by including PCD.
• The following links will support you when contacting suppliers to address any recurring problems.
• You should note the specific guidance for suppliers contained in the General letter to suppliers (above), as well as the wider guidance on Information Governance.