You must set up Organisation Networks to work with other providers you already share patient care with. For example a group of providers in a city or region may agree to work together to increase data sharing to raise safety, lower costs and better care for patients. In England, this is essential for Sustainability and transformation plans (STPs) region, in Wales and Scotland for health boards, in Netherlands for provinces, etc.
If you do not do this, hospitals will not get local GP data, and vice-versa. Every time a professional outside your organisation tries to access the record of one of your patients they must ask your organisation to provide the decryption keys. The manual authorisation is cumbersome for you, it will delay record access by days for other professionals, and the patient will not receive the safe care from a shared record.
If you do do this, professionals in your region can see patient data at the point of care. They only need to click a few screens to document the consent they have to see the patient's record.
What data are shared when
Networks automatically share decryption keys but not the consent for accessing data. To access the data, PKB prompts the user to get explicit consent (e.g. with the patient in clinic); document implied consent (e.g. because the patient has been referred to the team); or ask for one-time break-the-glass access (e.g. because the patient is unconscious in an emergency).
PKB stores a copy of all private keys for all the customer's patients in the customer's institution-wide private key store. No matter which team creates the patient's record, the private keys are stored by the institution, available to all teams. Each team must still get or document consent before they can access the data. This fits into an institution's existing practices for data sharing between teams.
Any employee can document that they have the right to look at a patient's record and proceed to look at the record. The audit trail and employment contracts allow the institution to follow up and punish abuse of these data access privileges and in the meantime clinical teams can quickly see data to provide safe care to the patient.
PKB customers in a network synchronise their private keys with all other institutions in the network. Each team must still get or document consent before they can access the data. Note that this does not require new data sharing agreements between the institutions in the network – the agreements each institution has with PKB are sufficient. The lead institution in the network must reassure itself that the newly joining members of the network have the right processes to follow up and punish abuse of these data access privileges. This feature is critical for regions using PKB as a patient-controlled health information exchange. If you would like advice on the processes and assurances you need to set up a network please contact us.
Networks vs affiliates
Networks automate data sharing at scale between institutions while affiliates speed up manual data sharing on a patient-by-patient basis.
Process for network teams
- Institution A and Institution B are in the same network
- Patient key is copied from Institution A to Institution B
- Team B1 in Institution B can find patient's record
- Team B1 clicks to document consent and access patient's record
Process for affiliate teams
- Institution A's Team A1 and Institution B's Team B2 are affiliates
- Professional from Team A1 clicks to share patient's record with Team B2
- Team B2 can find and access the patient's record with the consent they had received from Team A1's professional
Networked teams vs affiliated teams diagram
Every network must have one lead organisation. This lead is usually the one which signed the information sharing agreement with PKB on behalf of the rest of the network. The lead accepts new members on behalf of existing networks members.
It is important to delegate to a lead organisation because the processes have large consequences (all private keys are shared with a new member) and low frequency (new members are rarely added). So only a small number of organisation administrators can be proficient enough to do this and they must be in a single organisation.
How to set up a network
PKB can set up a network. To be added the to the network, contact your PKB account manager.
Your addition must be accepted by the organisation administrator of the lead organisation within the network. All other organisation administrations in the network are notified by email of this acceptance.
On acceptance, the private keys are exchanged between the new organisation and the accepting organisation within the network.
From that date onwards, whenever a patient's decryption key is added to one organisation in the network, it is copied to all the other organisations in the network.