Podcast: David Sinclair on the threat of cyber-attacks on GP Practices and steps to take now
With the threat of cyber-attacks on the rise, coupled with a quickly evolving policy landscape when it comes to GDPR, data protection and information security, our Information Law Solicitor, David Sinclair, discusses with Ockham Healthcare what practices should be doing now to ready themselves, who should take responsibility for this critical area of work, and what to expect going forwards.
News
Data Protection Officers – what’s the risk?
Every GP Practice in England and Wales should have a designated Data Protection Officer (‘DPO’) who is key to the practice being able to comply with its UK General Data Protection Regulation 2016 (‘GDPR’) duties. Unfortunately, there is a lack of understanding about the importance of the DPO role, resulting in partners and separately, the DPO, taking on potentially significant regulatory and financial liability. In many practices, the DPO is seen as a secondary function that a partner, practice manager, or relatively junior member of staff can undertake in addition to their normal duties. In this blog, our data and information security solicitor, David Sinclair, identifies some of the key risks and some steps you can take to avoid them.
The role of the DPO
A DPO has significant, statutory data protection responsibilities that require them to possess requisite professional qualities and other abilities (not defined in the legislation), together with an ‘expert knowledge of data protection law and practices’. Given the complexity and ever-changing nature of UK data protection law, this is a significant burden to impose on any professional – even one with considerable information governance experience.
Partner liability
Unless otherwise expressly set out in the partnership agreement, partners are jointly and severally liable for GDPR compliance, including for formally appointing and adequately supporting a competent DPO, and for filing the DPO appointment with the ICO.
Partners bear the full statutory responsibility of ensuring that the DPO (whether a staff member or third party) has the experience, skills and knowledge to fulfil their DPO duties, as well as the required ongoing training, support and resources to enable them to carry out their role.
DPO liability
A DPO carries significant liability if a GDPR breach is attributed in whole or in part to a failure on their part to properly undertake their DPO duties. This is the case even when it can be shown that they perhaps did not have the necessary experience for the role and/or were not provided with adequate training to understand the GDPR’s requirements (many of which are poorly defined and open to interpretation), unless the DPO can demonstrate that they raised these issues with the practice at the earliest opportunity.
A common misconception among DPOs is that they have immunity from prosecution, dismissal, or other disciplinary action by virtue of their status as a DPO. This is not the case.
Article 38 of the GDPR provides DPOs with limited protection from dismissal or other penalty relating purely to the performance of their DPO tasks. In addition, DPOs cannot be personally liable for the partnership’s non-compliance with the GDPR, which remains with the partners.
Data protection law does not, however, protect DPOs who fail to undertake their statutory role or who do so negligently, eg by them failing to advise the partners, or them giving inaccurate advice, particularly where this is due to the DPO’s lack of competence and they failed to raise that with the practice.
Further, the GDPR does not prevent partners disciplining DPO employees (up to and including dismissal) under the terms of their employment contract, or from partners seeking to recover damages (in breach of contract and/or negligence) from external DPOs, whose failure to undertake their role results in a breach of data protection law.
Conclusion
So how can you minimise your liabilities?
Partners should undertake due diligence on a DPO’s competence and suitability to undertake their role. The practice must also provide the DPO with the resources and support they need to carry out their duties. We strongly advise partners to review their DPO appointment on a regular basis.
Existing DPOs and those considering taking on the role should give thought to whether they have the required training, experience, skills and knowledge to undertake the role. Particular consideration should be given to whether they can advise the practice competently and confidently on complex GDPR issues. Individuals who have doubts about their competence in this area should raise this with a partner as a priority.
For more information about GDPR, the role of the DPO or on information governance issues generally, please contact David Sinclair on 01483 511555 or by email to d.sinclair@drsolicitors.com.
News
Weaponising Data Subject Access Requests
If you find yourself in dispute with a partner or employee, then you may well find yourself in receipt of a Data Subject Access Request (DSAR). This is an increasingly common occurrence in civil and employment litigation and requires careful handling. In our experience many primary care practices do not have effective systems in place to deal with DSARs, which can then result in significant reputational damage and financial cost.
In this blog, we look at how and why DSARs are being used as a legal tactic in disputes, and how your Practice can minimise the risk of a claim arising out of one.
What is a DSAR?
The UK General Data Protection Regulation 2016 (‘GDPR’) provides data subjects with a right to access their personal data. Many practices do not realise that a DSAR can be made in any format, including orally, and can be made to anyone in the organisation.
The GDPR also provides data subjects with a statutory right to claim compensation from a provider where they have suffered material (eg medical bills, loss of wages) or non-material (eg distress, anxiety) damage. It has been established that non-material damage can include a data subject’s ‘loss of control over their personal data’.
Article 15 of the GDPR gives a data subject a further right to sue a data controller if they fail or partially fail to respond to a DSAR. ‘Fail’ includes responding late and/or not providing the mandatory information. Recent damages paid range from £750 for the ‘frustration’ felt by a data subject whose personal data had not been erased, to £18,000 awarded for distress following the inclusion of inaccurate personal data in a report.
Why are DSARs important?
DSARs, other than those held to be manifestly unreasonable or excessive, are a fundamental legal and human right that the Courts have held to be ‘purpose blind’. This has led to DSARs being used as a weapon by individual claimants and their solicitors to short-circuit the normal legal disclosure process. The hope is to pressurise a data controller into early and higher settlements by highlighting a breach and/or threatening civil action for compensation.
If poorly managed, DSARs can also result in claimants being given information to which they are not entitled, such as other people’s personal data, which would itself constitute a data breach. This then enables the claimant to increase the size of their own claim, and opens the possibility of further claims from new claimants. Unfortunately, the size of the likely awards means that some solicitors are prepared to act on DSARS and data breach claims on a no win/no fee basis, which simply encourages even more claimants to come forward. In this way a DSAR received on a small dispute can quickly snowball into multiple large claims against a practice.
Managing DSARs
Good DSARs management starts with processes and staff training. Since DSARs can be made to anyone in the practice, all staff must understand what to do if they receive one. This minimises the risk of a DSAR being overlooked. Practices should then have a single point of contact responsible for responding to DSARs, who is trained in the regulations and who has appropriate access to the relevant systems. They should also understand and manage the timelines for responding, and report directly to a responsible partner to enable quick decision-making. It would also be a good idea to know who you will approach in the event you need expert legal help.
Conclusion
The use of DSARs as a litigation weapon is increasing, as are the number and size of claims against data controllers. It is important that primary care practices have robust, formal procedures in place to ensure that:
- all staff can recognise a DSAR;
- all data search, collation, redaction and removal processes are GDPR compliant
- DPA exemptions are correctly applied;
- all non-disclosable information is withheld;
- any consents to disclosure are valid; and
- timeframes are strictly adhered to
Primary care providers who are uncertain about dealing with a DSAR should seek legal advice as soon as possible, particularly if there is a link to a known or potential litigation matter. If you would like more information about this or any other matter, please contact Nils Christiansen or David Sinclair on 01483 511555, email n.christiansen@drsolicitors.com
News
Integrated Care Systems Consultation: Very little time to respond
NHS England recently issued a consultation on significantly extending the role of Integrated Care Systems (ICSs) in the NHS. The proposals are very far reaching for Primary Care as well as other NHS providers, and the consultation is set to close on 8 January 2021 so time is short.
What are the Proposals?
ICSs have been around for a couple of years now, and bring together CCGs, Trusts, Councils and other NHS Organisations to ‘take collective responsibility for managing resources, delivering NHS standards, and improving the health of the population they serveâ. To date ICSs have been collaborations between existing organisations rather than creating anything new.
At heart, the proposals in the consultation paper are to put the ICSs on a firmer footing by introducing new legislation. There are 2 options presented, and it should be noted that ‘Doing Nothing’ is not an option. The implicit conclusion must be that the current organisation of the NHS in England is no longer considered fit for purpose. The options are:
Option 1: a statutory committee model with an Accountable Officer that ‘binds together’ current statutory organisations
Option 2: a statutory corporate NHS body model that additionally brings CCG statutory functions into the ICS.
There is a clear preference in the paper for Option 2. Under this model the current GP-led CCG model would disappear and CCG functions would move into ICSs. ICSs would instead be governed by a board consisting of representatives from the ‘system partners’, including, as a minimum, representatives of NHS providers, primary care and local government.
Under Option 2, ‘many commissioning functions for which NHSE is currently responsible could be transferred or delegated to the ICS’. Critically, it also anticipates allocating ‘combined population-level primary care, community health services and specialised services population budgets to ICSs under this option. There is no doubt that these proposals are very far reaching and, if adopted by the government, will see a radical change to the NHS in England. They will also open the door to a very different role for primary care and we will analyse these changes in a separate blog.
How to respond?
The Consultation poses 4 questions, and asks for responses by 8 January 2021. The questions are all framed as ‘Do you agree thatâ’ so you will need to be clear in your answers if you actually disagree with any of the statements. The four questions are:
1. Do you agree that giving ICSs a statutory footing from 2022, alongside other legislative proposals, provides the right foundation for the NHS over the next decade?
2. Do you agree that option 2 offers a model that provides greater incentive for collaboration alongside clarity of accountability across systems, to Parliament and most importantly, to patients?
3. Do you agree that, other than mandatory participation of NHS bodies and Local Authorities, membership should be sufficiently permissive to allow systems to shape their own governance arrangements to best suit their populations needs?
4. Do you agree, subject to appropriate safeguards and where appropriate, that services currently commissioned by NHSE should be either transferred or delegated to ICS bodies?
Quite how NHSE expects to receive carefully considered responses to such far-reaching proposals in a tight timescale in the midst of a Covid pandemic, during the flu season, and over the Christmas period is not explained. Although we would obviously recommend that readers respond by 8 January if they can, we would suggest that if you would like to respond but feel that the deadlines are too tight, as a minimum you notify NHSE of this so that later representations may possibly be considered.
If you wish to discuss the impacts of any of these changes on your practice, PCN or federation, please contact Nils Christiansen on 01483 511555, info@drsolicitors.com
News
The NHS Long Term Plan: How will GP practices be impacted?
There is a tendency when new plans come out of the NHS for people to say they have seen it all before. Would this be a wise response to the Long Term Plan?
Pleasingly, there is an acknowledgement of the many issues in primary care and a commitment that investment in primary medical and community services will grow faster than the overall NHS budget. Spend should be at least £4.5bn higher in 2024, but the extra money will come with strings attached. If applied consistently, this will mean further change is coming for many GPs in England.
The Network Contract
A new ‘Network Contract’ will route the additional monies and will also incorporate local enhanced services currently commissioned by CCGs. This Network Contract will be in addition to existing GMS, PMS and APMS contracts. ‘Primary Care Networks’ (PCNs) will be responsible for these contracts and will typically cover 30-50,000 patients. Each network will be responsible for expanded community multidisciplinary teams along the lines of the Integrated Care Vanguards. The obvious question is, who will actually hold (and deliver) these contracts? In some parts of the country GP Federations are sufficiently developed to do so, and could then subcontract services to member practices or to other service providers as appropriate. In other areas super-partnerships are sufficiently large and geographically contiguous to do so, though they may be concerned about using their unlimited liability partnerships to do so. Elsewhere again, it is possible that existing community health providers may look to lead.
What is clear is that the Network Contract is supposed to facilitate ‘integrated community-based health care’ and all new money in primary care will flow that way. We are told that practice participation will be voluntary, but it is hard to see how practices will remain financially viable in the medium term if they do not participate.
Online GP consultations
Digital-first primary care will become a new option for every patient. Over the next five years every patient in England will have a new right to choose telephone or online consultations instead of face to face consultations. The plan states this will be ‘usually with their own practice or, if patients prefer, with one of the new digital GP providers’.
The plan goes on to say that a new framework will be created for digital suppliers to offer their platforms to primary care networks on standard NHS terms. It is therefore unclear whether the digital providers enabling online consultations are supposed to be suppliers of services to networks of GPs, or will be able to hold patient lists themselves.
Our recommendations
It has been clear for some time that any increases in funding will go to practices working at scale. Scale working has now been formalised into PCNs . In those areas of the country where there is already an obvious PCN in existence, the immediate focus should be on working out which approach to use for online consultations. Where there is not currently any single obvious PCN, practices would be well advised to reconsider their local joint working arrangements: be that though through federations, mergers, primary care homes or the like.
Remember that the new Network Contract will need to be held by an appropriate business vehicle (there is no indication yet of any restrictions on who could hold them) so you will need to consider who will be the local prime contractor.
We would be delighted to discuss how we can help practices and PCNs prepare for the imminent changes. Please contact Nils Christiansen in the first instance for a no obligation conversation about how we can assist.
News
The advantages and disadvantages of LLPs and Mutuals in Primary Care
There are currently only four types of business vehicle permitted to hold GMS contracts. These are:
- Individual GPs (who have unlimited liability)
- Unlimited liability partnerships including at least one GP (the most common structure)
- Limited partnerships including at least one GP
- Companies limited by shares including at least one GP shareholder
There are statutory mechanisms enabling a GMS contract to be transferred between types 1, 2 and 3, but no statutory mechanism enabling a transfer to or from type 4. The rules for PMS are slightly different, but given the right of PMS contractors to return to GMS the difference is not material for the purposes of this note.
The current options for practices to limit their liability are restricted. They could transfer a GMS contract into a limited partnership, but these entities require at least one partner to have unlimited liability for all the risks of the business. Since only a subset of the partners have limited liability, this would create obvious difficulties in a GP partnership. Using a Company limited by shares would limit the exposure of all the shareholders to the value of their capital, but this is not normally available to practices as there is no mechanism to transfer the GMS contract into the company.
Limited Liability Partnerships (LLPs)
LLPs retain the central feature of partnerships, being that partners both own and manage the business. In a company, by contrast, ownership and management are split between the shareholders and directors. Partnerships are often the preferred business vehicle in the professions because the alignment of ownership and management encourages close collaborative working. This in turn facilitates the transfer of tacit skills and good risk management on which the reputation of the profession relies.
LLPs bring several advantages over other kinds of partnership:
- LLPs are registered legal entities and are therefore capable of contracting in their own name. This means that important assets such as the surgery freehold or lease can be held in the name of the LLP rather than individual LLP member’s names. When a member joins or leaves an LLP, there is no need to change the lease or the land registry title, because the member is not named on it. Discussions amongst members would then change from being whether or not to ‘buy-in’ to the surgery, to whether or not to contribute capital to the LLP.
- The liability of LLP members is limited to their capital contribution. There are ways this can be circumvented such as by a mortgagor requiring personal guarantees, but members know that their liability is limited except where they have agreed otherwise. By contrast in traditional partnerships all partners have unlimited liability except where they have agreed to limit it. The most common ways of doing so are to take out insurance (such as professional indemnity cover) or to have contractual limits to liability in service contracts. In this way it is possible to create structures which arrive at similar levels of risk, but they start from opposite extremes
- In an LLP a member is not responsible or liable for another member’s misconduct or negligence. This is an inevitable consequence of the limited liability status since this removes the joint and several liability inherent in an unlimited liability partnership. Some argue that this can reduce the level of collaboration between LLP members, but this has not generally been the experience of other professions.
- There is considerably more formality around LLPs. Unlimited liability partnerships can be created and dissolved with no documentation, whereas LLPs cannot exist unless they are registered at Companies House. This increased formality eliminates some of the uncertainty around whether a partnership has been created or dissolved, which is at the heart of many GP partnership disputes. However, Companies House requires LLPs to file and disclose information about their membership and accounts which is normally kept private in an unlimited liability partnership.
Mutuals and Social Enterprises
There are a variety of legal structures which enable employee and community ownership of, and involvement in, a business. These are usually known collectively as social enterprises. The only form of social enterprise which is currently open to primary care is a Community Interest Company Limited by Shares (“CIC-CLS”). Since the same ownership rules apply to a CIC-CLS as to an ordinary company limited by shares, it is not possible to use it to broaden employee and community involvement in the practice.
If other social enterprises were to be permitted to hold GMS and PMS contracts, they would most likely include Companies limited by Guarantee (“CLG”), Community Benefit Societies (“BenComs”) and Industrial Provident Societies (IPS).
The primary difference between the various different types of enterprise comes down to who they ultimately seek to benefit:
- Partnerships and LLPs look to provide financial benefit (profit) for the partners/members
- Companies limited by shares look to provide financial benefit (profit) for the shareholders
- CLGs look to provide financial and non-financial benefit to a defined purpose and are often charities
- BenComs look to benefit the community
- IPS’s seek to benefit their members
If social enterprises were able to hold GMS and PMS contracts, they would have similar advantages to LLPs. They all generally have legal personality and so can hold assets and contracts, they have limited liability by default, and they are regulated and must be registered. Social enterprises come with the additional disclosure requirement beyond those of LLPs, to ensure that their social purpose is being complied with.
A further possible advantage with social enterprise is that it might make it easier to integrate across other elements of healthcare, since it would be easier to involve the care and voluntary sectors in a social enterprise such as a BenCom.
Transitioning issues
If LLPs and mutuals were permitted to hold GMS and PMS contracts, this would not resolve the question of how to move existing GMS and PMS contracts into them. As LLPs and mutuals are distinct legal entities, they would suffer from the same procurement problem as Companies limited by shares currently do. This is that procurement law states that public bodies must tender all contracts above a certain value. Because GMS and PMS contracts do not generally have a fixed term, their cumulative value normally exceeds this threshold. Since moving a contract from one legal entity to another is technically a termination and re-grant, the re-grant would by default have to occur through a tender process. There are exceptions to the public tender rule, but it is a matter of some debate whether these exemptions can be applied to GMS and PMS contracts.
If you have any questions or for more information, please contact Nils Christiansen on 01483 511555 or email n.christiansen@drsolicitors.com
News
What does GDPR mean for GP Practices?
What is GDPR and what does it mean to be compliant?
I am sure that you will all by now be aware of GDPR. GDPR comes into effect on 25th May 2018 and seeks to give individuals more control over how organisations use their data.
GDPR is a European regulation, and automatically becomes law in the UK because of our membership of the European Union. Although Brexit would take us out of the European Union, the current plan is to incorporate all EU law into UK law, so GDPR is almost certainly here to stay.
Confusingly, the UK Parliament is drafting its own data protection law called the Data Protection Act 2018 (DPA 2018). This law will supplement the GDPR and replace the existing 1998 Data Protection Act. The DPA 2018 is still working its way through Parliament so is not finalised. Much of the commentary on ‘GDPR’ combines it with the DPA 2018, and so mixes actual law with a draft bill.
Who does it apply to?
GDPR applies to all individuals and businesses who have responsibility for handling personal data. GP practices are ‘data controllers’ registered with the Information Commissioner (ICO) and are responsible for deciding how and why data is processed.
In our experience, practices have long been familiar with the concepts of data confidentiality, but GDPR requires additional levels of process and control, and forces practices to think about all personal data, not just the confidential health data they hold.
The key to understanding compliance with GDPR is not to see it as a tick-box exercise to be completed by 25th May, but rather as developing and embedding a permanent change of culture, whereby protection of personal data is central to every decision made within the practice. When all staff are able to recognise personal data and make informed decisions about protecting and processing it, and know what to do in the event of a breach, you will be well on the way to compliance.
What can GP practices do to prepare for GDPR?
- If you haven’t found it already there is a very helpful 12 Steps to Take Now and Data Controller Self Assessment Toolkit on the ICO Website. Given that the ICO is the data regulator, they are the best place to start with your preparation.
- It is critical that practices can demonstrate that they have sought to comply. The ICO has been clear that they are looking to see reasonable efforts being made. To do this you will need to have identified, documented and explained the legal basis for all the data flows to and from the practice. This is likely to be a time consuming undertaking and will be difficult to do unless you have a member of staff who is familiar with documenting processes and data flows. Remember that this documentation will have to be kept up-to date, so be careful not to outsource all your understanding of this information audit.
- Data Protection policies and procedures must also be updated. Many practices have historically relied on ‘template’ policies, but these are unlikely to be adequate, as procedures will have to relate to the data flows identified in the information audit.
- Privacy Notices are another important part of GDPR. These must be displayed prominently, which as a minimum is likely to be on the practice website and the noticeboard. Practices should think hard about opportunities to draw patient attention to these Privacy Notices, since one of the key principles underlying GDPR is transparency about how you deal with data. New information which must be added to privacy notices includes how you intend to use data, and the ‘lawful basis’ for what you are doing.
- Be aware that much health data falls under one of the GDPR special categories. In addition to the ‘lawful basis’ that all data controllers must identify, practices need to satisfy a second separate condition that the processing is necessary for the purposes of healthcare.
- Staff training is also an important part of compliance. Practices will need to be able to demonstrate that they have trained all their staff, including Partners, in GDPR and have an ongoing program to ensure that they are kept up to date as the law changes.
- One significant change is that practices can no longer charge patients for access to their medical records except in exceptional circumstances. This may unfortunately increase the administrative workload as patients and others get used to making ‘subject access requests’. The time limit for dealing with these has been reduced from 40 days to one month.
- An interesting example of the current uncertainty is the role of the Data Protection Officer (DPO). Under GDPR, it is not at all clear that practices are required to appoint a DPO. However, the DPA 2018 if enacted in its current draft form would certainly require practices to appoint a DPO.
So what happens if there is a breach and what are the risks of non-compliance?
In the event of a data breach affecting patient’s privacy rights, you must notify the Information Commissioner’s Office (ICO) no later than 72 hours after you become aware of the breach. If the breach is likely to present a high risk to their data, the patient must also be informed. You should have a clearly documented process for managing a data breach. This is another example of how proper documenting of processes and staff training is going to be vital.
Conclusion
It is important that practices take ownership of GDPR themselves. Compliance is not really something that can be outsourced, although there are plenty of commentators looking to profit from it. The ICO have made clear that the world will not end on the 25 May 2018 as they realise this is a journey for all businesses and they want to be supportive rather than punitive, but they will want to see evidence that practices are taking data security seriously throughout the organisation.
If you are concerned about your GDPR readiness, then please give us a call and we would be happy to talk through your plans. In our experience, most local medical committees are also aware of what needs to be done and are able to assist members and share good practices on GDPR.
If you would like to discuss GDPR or any other legal matter, please contact Nils Christiansen on 01483 511555, n.christiansen@drsolicitors.com
News
Should a GP practice accept gifts and legacies?
Every now and then, a practice might be fortunate enough to be remembered in a patient’s Will or to receive gifts from grateful patients. Research has shown that the proffering of small gifts is relatively common place. Whilst it is obviously nice to be recognised for one’s good work, it does give rise to a number of professional and legal issues.
Professional issues
Good Medical Practice Guidance states that “You must not encourage patients to give, lend or bequeath money or gifts that will directly or indirectly benefit you.” However you “may accept unsolicited gifts from patients or their relatives” provided that it doesn’t affect the treatment you provide.
Whilst this appears to permit the receipt of unsolicited gifts and legacies, there is a big caveat. In each case, you must “also consider the potential damage this could cause to your patients’ trust in you and the public’s trust in the profession. You should refuse gifts or bequests where they could be perceived as an abuse of trust.” This is clearly a judgmental matter which will be easier to balance for a box of chocolates than for a £100k legacy.
Legal issues
The PMS and GMS Regulations are clear that practices must keep a register of gifts from patients or their relatives that have a value of £100 or more. You should record the name, the NHS number or address of the donor, the nature of the gift, its estimated value and the name of the recipient.
The next question which arises is how should the gift or legacy be shared?
To determine the answer to this question, you need to look at both the gift or legacy itself and the partnership deed.
For example, a legacy may be left ‘to the partners at the XXX Surgery’. So has the gift been left to the GP partners individually in equal shares, or left to the partnership to be divided between the partners in their respective profit sharing ratios? Was it intended for the partners in the practice at the time the Will was written, at the time of death or when the legacy is actually received? Alternatively, is it actually intended for the benefit of the patients and therefore shouldn’t be taken as income at all, but rather invested in healthcare within the practice area? Sometimes the intended purpose is clear because the donor has perhaps left a letter of wishes stating how they want the money to be spent or shared. Unfortunately, this is frequently not the case and a large legacy can often be a source of dispute between the partners.
Recommendations
Practices need to be careful about what gifts and legacies they accept and how these are recorded. The larger the gift, the more care needs to be taken.
Remember that this is, at heart, an ethical issue and whatever decision you make, would you be comfortable in justifying it in front of the GMC, or perhaps even a journalist?
For larger gifts and legacies, in addition to recording them in the gift register, we would recommend that you prepare a paper trail setting out your thinking behind the decision you took and any professional advice that you sought.
You would also be well advised to check what your partnership deed has to say about sharing of gifts and legacies to minimise the risk of future partnership disputes.
If you have any queries relating to legacies and gifts, or any other matter, then please contact Daphne Robertson on 01483 511555 or email d.robertson@drsolicitors.com
News
Can you challenge the CQC?
Despite increasing pressure being placed on frontline care teams, the Care Quality Commission (CQC) has revealed that GP practices are providing a consistently good quality of care, with 93% rated good or outstanding.
Practices are also significantly more likely to maintain their rating upon reinspection than other NHS providers.
But what if an inspection takes place and you disagree with its findings? What are your options for challenging the ratings given?
CQC inspections
All GP practices are subject to a comprehensive inspection by the CQC at least once every three years. This consists of inspectors collating information externally and then being on site for a day to observe. Further follow up inspections may also be undertaken, if a particular concern has been raised in a previous inspection.
Inspectors assess all practices on the following points:
- Are they safe?
- Are they effective?
- Are they caring?
- Are they responsive to people’s needs?
- Are they well-led?
They also look at how services are delivered to people in specific population groups, such as the elderly, people with long term conditions and those experiencing poor mental health.
‘Evidence’ will be gathered from multiple sources. This may include looking at feedback and complaints, assessing local and national data, speaking to service users and staff, and any insights gained through the onsite inspection. From this evidence, a report and ratings will then be produced.
When can you challenge a CQC report?
Draft report
A draft copy of the report will be sent to the practice and it is as this point that you will be invited to provide feedback on its ‘factual accuracy’.
At first glance, the term factual accuracy may suggest that you can only correct stated facts, such as the number of staff they have recorded. However, in reality this is your chance to challenge all inaccuracies in the report and its findings, including questioning the evidence base and how it has been construed to justify the conclusions drawn.
Time is short. You will only have 10 working days to review the draft report and submit any comments.
Published report
Once a report has been published, you can also ask for a review of the ratings if you feel inspectors did not follow the correct process and procedures. You must tell the CQC of your intention to do this within 5 working days of the report being published.
Drafting your response
While there may be things in the report that you disagree with or feel are unfair, that alone is not enough. Any challenge must be based on specific issues with the evidence and how it has been interpreted, or the process that inspectors have followed.
If you believe a report to be an unfair representation of the level of service you provide, then how you word your response is important.
- Your aim is to describe why the service provided does not justify the rating it has been given, in relation to the Provider Guidance descriptions. It is therefore important that you refer back to the specific items in the Guidance (available on the CQC website).
- Don’t worry about fitting your comments within the boxes provided on the form. It is more important that you lay out your case clearly, so feel free to write on a separate sheet.
- Show you understand the whole process and all guidelines by making reference to The Fundamental Standards, The CQC Provider Guidance and The CQC Enforcement Policy
- Always avoid including any comments that are emotive (‘this is completely unfair’) or just opinion, (‘it’s impossible with the funding we have’). You need to demonstrate how a different opinion could/should have reasonably been reached by looking at the facts more carefully.
Our recommendations
While it is true that many challenges are not upheld, it is by no means uncommon for challenges to succeed. The key is always in the preparation of the supporting documentation.
If you are unhappy, make sure your concerns are submitted within the deadline. This is difficult in itself as the deadlines are so tight.
We’d always recommend that you prepare fully for the inspection itself, and present the strongest evidence you can. Try to gauge at the inspection itself whether there are any concerns, since you will only have 10 days to respond once you receive the draft report and this is very little time to gather any additional evidence. Then, if you are faced with a report and ratings you feel are unfair and inaccurate, ensure you document your response in the right way.
If in doubt, ask for advice as quickly as possible from an experienced legal team, as they will be able to help you prepare your challenge, giving you best the possible chance of it being upheld.
For more information, please contact Daphne Robertson on 01483 511555 or email d.robertson@drsolicitors.com
News
Are you in breach of your GMS or PMS contract?
A GMS contract is a legally binding agreement made between a GP practice and NHS England (NHSE) that sets out certain obligations for both parties. It is the most important asset a practice will hold.
Running to over 270 pages plus lengthy appendices, it is a substantial and complicated document, both to navigate and understand.
Unless a practice has read it from beginning to end, and has very careful monitoring in place, it is likely that most practices will be in breach of their obligations at some point or another – in many cases, without realising.
So, what can practices do to protect their contracts?
Dealing with a breach
There are many reasons why a practice may be in breach of their GMS contract. Some are minor and some more serious.
If you do become aware of a contractual breach, you should rectify the problem as soon as possible and put procedures in place to ensure it doesn’t happen again. You should then assess the impact of the breach.
An example of a minor breach might be a failure to keep the practice leaflet or website up to date. There is not normally any obligation to inform NHSE of these minor breaches, although a practice would be obliged to provide such information if requested. If NHSE were to find out they would probably issue a breach or remediation notice. Once a practice receives two or more of these, NHSE become entitled to terminate the contract on notice, subject to a cumulative impact test.
For more serious breaches, you may be obliged to notify NHSE. In particular you should notify NHSE as soon as reasonably practicable, of “any serious incident that, in your reasonable opinion, affects or is likely to affect your performance of your obligations under the contract.”
Whilst this leaves room for ambiguity, a breach would certainly be considered ‘serious’ if it put patient safety at risk. An example of this might be a failure of the vaccine fridge, combined with inadequate records to prove that the no vaccines had been compromised.
Once NHSE becomes aware of a serious breach, they would consider whether to deal with it under the breach and remediation notices procedure outlines above, or possibly to terminate the contract forthwith. They could only do the latter, however, if they could show that patient safety was at serious risk.
There are particular notification requirements for breaches where:
- a contractor is no longer eligible to hold a contract – for example, if there is no General Practitioner left in the partnership
- if a partner becomes bankrupt, convicted of a serious criminal offence, is disqualified or suspended, or if a partnership is dissolved
In these instances there is a requirement to notify NHSE, who then need to consider contract termination (although there is not necessarily a requirement for them to terminate).
It is worth noting that while we are talking about GMS contracts in this blog, PMS contracts usually – but not always – have very similar clauses so always refer to your individual contract to be sure.
Our recommendations
We advise practices to familiarise themselves with their core contracts and ensure they understand their obligations. Put systems in place to help monitor compliance and if a breach occurs, attempt to remedy the situation as soon as possible and put processes in place to prevent it happening again.
In the case of more serious breaches, for which practices are obliged to inform NHSE, you should let them know as soon as you can, include an impact assessment, and show that procedures have been put in place to reduce the risk of re-occurrence.
The complex nature of the core contract means it is not always clear whether you might be in breach, nor whether you need to notify NHSE. If you are in any doubt about your compliance, the severity of a breach, or if you have received a breach or remediation notice, then always seek the advice of an experienced legal team.
For more information about managing a breach, or any other related issues, please contact Daphne Robertson on 01483 511555 or email d.robertson@drsolicitors.com