Investigation report: Wrong site surgery – wrong patient

1.1.1 The accurate identification of a patient is critical to ensure the correct patient is matched to an intended healthcare intervention. Failures in the patient identification process may occur when the identity check of a patient is not completed effectively, and the intended care is not clearly established with the patient.

1.1.2 Achieving patient identification requires healthcare staff to gather or view the correct patient details, which may be presented either on paper or from an IT system, and match these to the details provided and confirmed by the patient.

‘Safe care begins with proper identification.’
(The Joint Commission, 2018)

1.1.3 The process of patient identification occurs frequently during a patient’s visit to a healthcare setting. Such repetitive and well-practised activities can become automatic to people, to increase the efficiency and reduce the effort associated with routine activities (Norman and Bobrow, 1975). The more automatically a person completes an activity, the smaller the amount of conscious processing they are required to do. This is beneficial for certain tasks that require many activities and a high level of performance, such as driving a car. The regular repetition of similar checks in healthcare may have the same effect, but with detrimental consequences if there is a reduction in the attention given to a check which affects the quality of the check (Toft and MascieTaylor, 2005).

1.1.4 In 2004 the National Patient Safety Agency (NPSA) released a framework for action to reduce errors in matching patients to their intended care (National Patient Safety Agency, 2004). Subsequently, the NPSA issued safety alerts in 2005 and 2007 on the use of wristbands for the identification of hospital inpatients.

1.1.5 NHS England and NHS Improvement (NHSE/I) (NHS England and NHS Improvement, 2018) published a document to advise organisations that the NPSA guidance continued to be relevant to safe patient care. The World Health Organization (WHO) acknowledged patient identification as contributing to wrong patient procedures (World Health Organization, 2007) and more recently the issue of correct patient identification has been recognised by The Joint Commission as an ongoing problem for healthcare (The Joint Commission, 2018). These alerts and documents do not specifically highlight safety initiatives for outpatient settings. Schoofs Hundt et al (2005) observed that there has been little written, or little research completed, on patient safety for outpatient settings. This continues to be the case, with little evidence of further publications in this area.

1.2.1 The concept of a Never Event was introduced in 2009 (NHS Improvement, 2018a) to differentiate between serious incidents that are deemed entirely preventable and other serious incidents. NHS Improvement defines Never Events as ‘patient safety incidents that are wholly preventable where guidance or safety recommendations that provide strong systemic protective barriers are available at a national level and have been implemented by healthcare providers’ (NHS Improvement, 2018a).

1.2.2 NHSE/I suggests that a single Never Event in an organisation is a warning, which implies an organisation’s systems for implementing safety advice/alerts may not be robust. This suggests that when a Never Event occurs it is due to a failure in these ‘strong’ barriers; therefore, when a Never Event does not occur, this implies the barriers are effective in preventing harm.

1.2.3 Never Events have the potential to cause significant physical harm, as well as psychological harm, to patients, families, and staff. Despite interventions to date, Never Events continue to occur in the NHS, with difficulties in identifying technical solutions to prevent recurrence. Past work has often focused on administrative interventions, increased education, and more checks (Healthcare Safety Investigation Branch, 2021a)

1.3.1 There were 472 serious incidents reported as Never Events between 1 April 2019 and 31 March 2020 (NHS England and NHS Improvement, 2020); of these, 226 (48%) were classified as wrong site surgery. Wrong site surgery was defined in 2018 as ‘An invasive procedure performed on the wrong patient or at the wrong site (wrong knee, eye, limb, tooth). The incident is detected at any time after the start of the procedure’ (NHS England, 2018).

1.3.2 An invasive procedure is suggested as including ‘all surgical and interventional procedures performed in operating theatres, outpatient treatment areas’ and ‘have the potential to be associated with a Never Event if safety standards are not set and followed’ (NHS England, 2015a).

1.3.3 The national safety requirements suggested necessary to manage and prevent the risk of wrong site surgery in ‘all settings providing NHS-funded care’ include the use of wristbands and standardised identifiers, and the use of the WHO surgical safety checklist and National Safety Standards for Invasive Procedures (NatSSIPs) (see 1.4) (NHS England, 2015b).

1.3.4 The Never Event category of ‘misidentification of patients’ was limited to inpatients and the use of wristbands. This type of Never Event was removed from the official Never Events list by NHS England in 2015 following an open consultation. It was concluded that incidents in which patients were misidentified would be recorded under other Never Event categories, most notably ‘wrong site surgery’ (NHS England, 2015b). NHS England reported some concern about the removal of this Never Event, noting that ‘there was some discomfort about removing this as it was suggested that removing from the list would remove any incentive for change’ (NHS England, 2015b). This was suggested as potentially reducing further work to obtain knowledge on the sufficiency of existing barriers for misidentification.

1.4.1 In 2009, the mandatory introduction of the WHO surgical safety checklist hoped to reduce the incidence of wrong site surgery Never Events (World Health Organization, 2009). Reduction in the reporting of these incidents did not materialise. In 2013 NHS England commissioned a task force to develop recommendations to address the reasons identified for recurrent wrong site surgery patient safety incidents. This task force reported the following year, concluding that to reduce variability in practice and support a safer environment for patients, there needed to be greater standardisation of the practices within operating departments (NHS England, 2014).

1.4.2 In 2015 NHS England issued NatSSIPs. NatSSIPs made recommendations which were intended to extend the benefits observed from the implementation of the WHO surgical safety checklist beyond the surgical setting. These recommendations aimed to improve the safety of all invasive procedures completed in hospitals including in outpatient settings (NHS England, 2015a).

1.4.3 The NatSSIPs document provided guidance to individual healthcare organisations to develop Local Safety Standards for Invasive Procedures (LocSSIPs). The aim of LocSSIPs was to ‘harmonise’ and standardise the approach to patient safety relevant to invasive procedures, irrespective of the department or location in which they were completed (NHS England, 2015a)

1.4.4 The NatSSIPs document emphasised the need for a team approach by clinical staff in the development of the LocSSIPs, which should be accompanied by multidisciplinary training and consideration of human factors (NHS England, 2015a).

1.5.1 Healthcare organisations seek to understand and control the risks recognised in all areas of patient care. The greater the consequence and the higher the likelihood of a safety issue occurring, the greater the risk and need for controls to mitigate the potential for harm (Health and Safety Executive, 2017). These principles are explored further in previous HSIB investigation reports (Healthcare Safety Investigation Branch, 2021a; 2021b; 2020a).

1.5.2 There is a hierarchy of the effectiveness of controls that can be implemented to manage risks. The hierarchy of controls (see figure 1) describes the properties of a safety control. This is based on the understanding that not all controls are equal, with those at the top of the hierarchy considered to be more effective and sustainable solutions to safety issues, compared with those at the bottom (The National Institute for Occupational Safety and Health, 2020).

1.5.3 The strongest type of control is referred to as a barrier. The term barrier has a distinct description within safety industries as ‘A risk control that seeks to prevent unintended events from occurring, or prevent escalation of events into incidents with harmful consequences’ (International Association of Oil and Gas Producers, 2016). The phrase ‘strong systemic protective barriers’ is used in the definition of a Never Event (NHS England, 2018).

1.5.4 The concept of barrier management is used in many industries and often represented within a bowtie diagram (see figure 2), to visualise the threats to safety and the controls relied upon. (Chartered Institute for Ergonomics and Human Factors, 2016). The control of risks relied upon in healthcare settings typically involves the actions or decisions of people (human controls – see appendix 1), with less evidence of a combined approach that layers different types of barriers (such as engineered or organisational controls) (McLeod and Bowie, 2018).

1.6.1 Public Health England is responsible for the cervical screening (smear test) programme within the UK, inviting women between the ages of 25 and 64 to attend every three years to monitor for serious conditions (Public Health England, 2016).

1.6.2 A colposcopy is a procedure to examine the cervix, the lower part of the womb and top of the vagina (see figure 3). This procedure is usually undertaken if cervical screening has indicated the presence of abnormal cells, which may indicate cervical cancer. A biopsy may be taken at this time, to allow a small sample of tissue to be sent for further tests (Public Health England, 2016).

3.1.1 In November 2019, an NHS trust contacted HSIB regarding an incident where a woman had been incorrectly identified. The event occurred when she attended for a fertility appointment at the gynaecology outpatient department. Instead of receiving the intended appointment she left having received a colposcopy, which is an invasive procedure (NHS Improvement, 2018a).

3.1.2 The Trust where the reference event occurred (referred to in this report as ‘the Trust’) had reported it as a serious incident on the national serious incident database (the Strategic Executive Information System (StEIS)) (NHS England, 2015a).

3.1.3 HSIB contacted the Trust and a scoping investigation was commenced. The purpose of scoping investigations is to explore the identified patient safety risk(s), and to consider the practicality and value of proceeding to a national investigation. The Trust welcomed HSIB’s involvement and collaborated with information gathering

3.2.1 Following preliminary information gathering, HSIB concluded that the safety issues represented by this event met the criteria for investigation. HSIB’s Chief Investigator authorised a national investigation.

3.2.2 A summary of the analysis against HSIB’s investigation criteria is given below.

Outcome impact – what was, or is, the impact of the safety issue on people and services across the healthcare system?

3.2.3 The consequence of misidentification may lead to patients receiving the wrong intervention and potential physical and psychological harm. Identification of a patient is the first task required when attending any healthcare setting. As such it is a frequent task and can potentially be perceived as a simple one.

3.2.4 Misidentification or lack of patient identification can cause delays to diagnosis or treatment, harm and even death. The distress caused may undermine patient confidence in healthcare services. The consequences of misidentification may also create a financial burden and harm a hospital’s reputation. Systemic risk – how widespread and how common a safety issue is this across the healthcare system?

3.2.5 Visits to outpatient clinics have nearly doubled in the past decade from 54 million to 94 million (NHS England, 2019). While there is substantial evidence to support patient safety in inpatient settings, there appears to be little focus on the issue of patient identification in outpatient settings.

3.2.6 The scale of the issue of misidentification in the outpatient setting is not well understood. Unless an incident causes harm it is unlikely that it will be recorded and the frequency of these events recognised.

3.2.7 Correct patient identification has been considered as one of healthcare’s ‘wicked problems’ (Ferguson et al, 2019). The term ‘wicked problem’ is used to describe issues that emerge because of the complexity of a system. The complexity develops as individual staff and teams interact and respond to local incentives and organisational performance targets. This creates emergent and unconscious behaviours from staff as they aim to balance organisational goals. The complexity of such problems means there is no single solution but a need to influence the system at multiple points in a care pathway.

Learning potential – what is the potential for an HSIB investigation to lead to positive changes and improvements to patient safety across the healthcare system?

3.2.8 Patient misidentification may be cited in incident reports. However, there is a lack of clarity about which contributory factors are most likely to influence a misidentification incident. A safety investigation provides an opportunity to consider how the healthcare system influences the likelihood of correct identification.

3.2.9 Currently, the solutions proposed within incident reports to ensure correct identification in outpatient settings rely on staff training and a reflection of an individual’s practice and communication. A safety investigation can explore why and how the system may not adequately control the risk of misidentification.

3.3.1 Following an initial scoping investigation, it was agreed that the national investigation would review the national context of existing issues and controls relevant to the identification of patients in an outpatient setting.

The investigation:

• drew on the field of human factors to understand how the outpatient context influences the reliability of patient identification
• sought to identify the risks associated with the identification of patients specifically attending for invasive procedures in outpatient settings, and potential opportunities to manage or minimise them.

3.4.1 The investigation was undertaken between December 2019 and September 2020. The investigation was affected by the COVID-19 pandemic and the need for HSIB to refocus some operational work in this period, as well as limitations in gaining access to hospitals.

3.4.2 HSIB adopts a no-blame approach to all investigations. The investigation process is tailored to the context of the safety event and particular clinical environment. The healthcare system is considered in its entirety, including the equipment, physical space, tasks, human capabilities and organisational culture, to establish the factors most likely to have contributed to the outcome. The analysis of the data collated considers principles and evidence relevant to the science of design, engineering and psychology and relies heavily on the safety science of human factors.

3.5.1 The HSIB investigation team consisted of four staff, all with a knowledge of healthcare systems and experience in healthcare investigation methods, medicine, human factors and engineering.

3.6.1 The investigation required visits and observations at the site where Patient A’s care had occurred. This was within a gynaecology outpatient department in a large district general hospital. Further observations were completed at the same Trust in a smaller gynaecology outpatient setting and a general outpatient department.

3.7.1 Patient A was contacted and interviewed to establish her perspective on the reference event. The staff directly involved in the reference event were also formally interviewed. These included administrative staff, nursing staff, medical staff and clinical leads.

3.7.2 Additionally, informal interviews were held with additional Trust staff and the Trust’s policy on patient identification was reviewed.

3.8.1 Access to the second patient (Patient B) was not provided as there was no impact on her and there was no concern for patient wellbeing.

3.9.1 A review of literature was undertaken to identify good practice and expertise in patient identification.

3.9.2 The national investigation engaged with seven clinically and physically different outpatient settings. The investigation used multiple methods to collect evidence which included interviews, observations and a review of organisational documents. This approach enabled the development of a reference event timeline and drew out the system factors considered to influence the delivery of care in the outpatient setting.

3.9.3 Interview and observation schedules were informed by the Systems Engineering Initiative for Patient Safety (SEIPS) (see figure 5). Interview data was either digitally recorded or notes taken, which were then thematically coded, along with field notes made during the visit, based on the SEIPS framework.

3.9.4 A representation of the key patient identification tasks undertaken during a patient’s attendance at an outpatient appointment was produced following the reference event. This enabled the investigation to identify safety issues and risks associated to specific stages of the outpatient pathway.

4.1.1 The investigation identified factors that contributed to or influenced how and when patient identification occurred within the reference event.

4.1.2 The observations and interviews undertaken at the reference event Trust provided the investigation with an understanding of the process of patient identification within an outpatient appointment.

4.1.3 There were five potential points in the outpatient appointment process when information could be matched to identify the patient. These will be explained further in this section and section 5 of the report. Clinical staff perceived that the more checks within the process the greater the safety of the outpatient system. Within an outpatient appointment multiple checks would be completed. This involved the matching of patient details with the patient, which included the use of patient hospital stickers, paper notes and computer records. How this was achieved varied at different points during the appointment and depended upon the job role and member of staff completing the check.

4.2.1 When the patients in the reference event arrived at the outpatient department reception desk their identities were confirmed by administration staff. For patients who are attending the clinic for the first time this identity check relies on using two pieces of formal identification – either a driver’s licence or a household bill – to check the name and address against the patient’s details in the outpatient clinic list. The investigation found on subsequent visits for different appointments, further verbal checks were required; these included checking the patient’s date of birth (DOB), GP name and surgery and contact telephone number.

4.2.2 Administrative staff described to the investigation their experience of managing particularly busy clinics, where the queue for patients to check in snaked around the corridors. They were conscious of their role in avoiding delays. Administrative staff reported that Wednesday was the busiest day for clinics within the department, creating a time-pressured and distracting environment.

4.2.3 Typically, a patient is checked in on the IT system as having arrived by the administrative staff member, who then places the outcome sheet in a filing tray at the reception desk. This confirms to clinical staff that the patient’s identity has been checked. There is no further record of the patient’s visual identity on the IT system, or a physical item retained by the patient to confirm their identity has been checked.

4.2.4 The patient is then required to find their way to the waiting room. This transition was suggested as sometimes creating a delay in locating the patient for their appointment, as patients sometimes took a wrong turn or waited in the wrong area.

4.2.5 The reception staff at the reference event site reported that patients were often in an anxious state in anticipation of their appointment, and therefore may struggle to navigate their way around the department to the correct waiting area.

4.3.1 The outcome sheet is delivered by a nurse to the administrative member of staff, at the nurses’ station adjacent to the waiting room. Staff recognised how correct identification relies on the correct stickers and associated paperwork, namely the outcome sheet, being transferred from the front desk to the administrative staff at the nurses’ station, where it will be aligned with the patient’s notes.

4.3.2 The prepared notes for all clinics are laid out in the nurses’ station. This creates a large volume of notes presented on a single worksurface, ordered to help clinical staff locate the correct medical records based on the order of patients on the clinic list. Staff attach the collected outcome sheet to the medical notes. All outcome sheets are the same colour, irrespective of the type of clinic. In the department where the reference event took place seven clinics run in parallel and the notes for all patients are stored in the same physical space. All patient notes for the intended clinic are transferred by the nurse to the consulting room at the start of a clinic.

4.3.3 The administrative member of staff commented that the environment was challenging. The administrator told the investigation that high levels of attention were required to ensure accuracy in the task of aligning all relevant paperwork correctly. The environment was a shared space where clinical staff gathered to collect notes and discuss patients.

“Because other people who use the department are trying to be helpful and going to get the outcome sheets from the desk, they’ll put them down without doing all the other things they need to do. What then tends to happen is the first lady that is next is underneath and you pick up the top one thinking that’s the next one.”

4.3.4 The administrative staff were observed matching at least two patient identifiers between the patient and computer or paper records, to align all relevant paperwork to ensure the right information was ready for clinical staff to check with the right patient. Administrative staff highlighted their strategy of using the NHS number, a unique patient identifier, to ensure all patient records matched. Typically, they adopted a shortcut in using the last four digits of the NHS number to complete the matching task.

4.3.5 This administrative role was critical. Staff told the investigation that if they were absent, or on a break, their work may not be covered by staff trained in the role. The investigation heard this was also the case in other clinics run within the Trust.

4.4.1 The investigation observed that in the waiting room clinical staff made a verbal announcement of the patient’s first name and surname to inform the patient that it was their turn to be seen. In the reference event the waiting area was relatively quiet as it was early in the clinic. The waiting room in the reference event was being used by seven clinics, shared with the obstetrics department; this could equate to a footfall of 70 patients during one clinic session (4.5 hours). While all patients would be attending for women’s health issues, some might be there to receive interventions and others might not. This introduces a complexity to ensuring the right patient reaches the right clinic. In a smaller neighbouring unit at the Trust, which was visited during the investigation, this risk did not exist as there was only the physical space to run one clinic at a time.

4.4.2 In the reference event, despite calling the first name and surname of Patient B several times, no patient came forward. The nurse resulted to just using Patient B’s first name and Patient A explained that this name sounded like her surname. Patient A was anticipating being called; she questioned the nurse, by repeating her own surname. Patient A explained to the investigation that she was unfamiliar with the nurse’s accent and this caused her to question the pronunciation of the name. The nurse used the outcome sheet with Patient B’s identifiers on the attached patient identification sticker to gain confirmation of Patient A’s identity.

4.4.3 The nurse explained to the investigation that she could not be certain if Patient A had given her full attention to the outcome sheet. Patient A described her high state of anxiety and anticipation for a long-awaited appointment as influencing her that morning.

4.5.1 From interviews with staff, the investigation identified several factors that impeded the recognition of the misidentification after Patient A had entered the clinic room. On entering the clinic room both Patient A and the nurse assumed they had successfully confirmed the patient’s identity. The consultant recalls asking the nurse if this was Patient B, which she confirmed. Neither Patient A or the staff recollected any further formal identification of the patient.

4.5.2 The consultant told Patient A that she had an abnormal cervical smear test result and required a colposcopy. The consultant informed the investigation that it is not unusual for a patient to attend and be unaware of the reason for the referral. Staff also highlighted they perceived a time pressure and had a strong motivation to stay on time to manage the anticipated workload of the morning clinic.

4.5.3 Patient A was shocked to hear of an abnormal smear test result, having had a smear test earlier in the year and not received the result. At the time of her smear test Patient A had been advised that tests were taking longer to be processed and the result may be delayed.

“Now in my head I’ve had a smear test I could have cancer.”

4.5.4 Patient A and her Sister recalled the consultant saying that they looked confused. Patient A believed the consultant may have had greater knowledge of her cervical smear result than her. Furthermore, the consultant told the investigation that having undertaken a physical examination of Patient A later in the appointment, the clinical findings further confirmed their belief that a colposcopy was required.

4.5.5 Public Health England (PHE) (Public Health England, 2016) acknowledges that many women suffer ‘significant negative psychological effects from receiving an abnormal cervical cytology [smear test]’. The Trust described how patients attending following an abnormal smear test would normally receive information relevant to their result and the nature of a colposcopy, as recommended by PHE. In the case of ‘see and treat’ clinic appointments, where the decision to complete a colposcopy is made within the appointment time, PHE still advises that patients receive ‘adequate and appropriate' information in advance of their appointment’ (Public Health England, 2016).

4.5.6 The consultant told the investigation that knowledge of checks completed prior to a patient entering the clinic room provided a level of confidence that the right patient had reached the clinic room. Overconfidence in checks made by other team members is a recognised hazard within healthcare (Armitage, 2007). The consultant and nurse recalled using the patient’s name throughout the consultation. Patient A and her Sister did not recall hearing a name being used. The name used, the first name of Patient B, would have been similar to the surname of Patient A.

4.6.1 Patient A did not recall any further identity checks being made during the consultation and the Local Safety Standards for Invasive Procedures (LocSSIPs) form was not ticked to suggest formal identification was completed. The consultant explained the time pressure associated with the clinic appointments meant the LocSSIPs form may not always be fully completed.

4.6.2 The design of the outcome sheet (which is used by nurses to check patients’ identities) and the LocSSIPs form was noted as requiring the duplication of patient details. The consultant explained that written consent was not required either nationally or by the Trust for a colposcopy, so the LocSSIPs form would be the only formal record of an identification check.

4.6.3 A senior clinical manager explained to the investigation that although nurses support the LocSSIPs check it is “owned” by the “operator” – that is, by the clinician who is carrying out the procedure. There was a suggestion that the doctor might do this check alone. In the smaller local Trust unit visited during the investigation, staff described a team approach to completing the LocSSIPs form, which resembled the sign-in and debrief process typically used within an inpatient surgical safety check (World Health Organization, 2009).

4.6.4 The Trust’s implementation process for the adoption of the LocSSIPs form was described by the consultant as an email circulated with the LocSSIPs form attached, which had been discussed at a previous meeting they had attended. The nursing staff suggested they were not involved in the consultation or evaluation of the LocSSIPs form. This reflects the findings of the Care Quality Commission (CQC) in other trusts (Care Quality Commission, 2018). The CQC found a ‘siloed’ approach to implementation processes, which in the case of the reference event may have influenced staff members’ perception of who ‘owned’ the LocSSIPs form and responsibility for the associated pre-intervention checks. This differed from the intended implementation process suggested in the original standard to ensure team engagement (NHS England, 2015a).

4.7.1 The investigation noted that to complete the check of a patient’s identity, different tools were used by different job roles. Administrative staff checked the patient’s verbal announcement of their name against the patient details in the electronic system. The administrator at the nurses’ station of the outpatient department used the electronic system to match the last four digits of the patient’s NHS number on the outcome sheet with the paper clinic list, prior to printing identifying stickers. The identifying stickers were attached to patient information; this is recognised within the Trust’s patient identification policy as a potential source of misidentification. The clinical staff then relied on the patient’s identifying sticker, attached either to the outcome sheet or notes, to complete the identification check with a patient.

4.7.2 The Trust’s policy states that in an outpatient setting: ‘… prior to consultation or treatment, verification of the patient’s identification must be gained by asking the patient or person accompanying them to verbally state their first name, last name, date of birth and address. This information is then verified against healthcare records.’

4.7.3 Since the Trust’s investigation into the reference event clinical leads have noted discrepancies between the Trust policy, which includes a check of the patient’s address, and staff practices. The policy has since been amended to reflect staff practice and the use of the patient’s name and DOB. This approach will comply with recommendations made by the WHO to use at least two identifiers such as name and DOB. (World Health Organization, 2007). The Trust policy indicates the use of wristbands is justified for procedures and/or treatments where patients may become unable to communicate or care for themselves.

4.7.4 In the reference event clinic, clinic lists are created based on a specific code for each clinic run within an outpatient department. Front desk administrative staff print four copies of the same clinic list from the electronic system. Each list is based on the patients referred; last-minute additions may be made. One paper clinic list remains with the administrators at the front desk and the others are distributed to the nursing staff, the clinic administrator at the nurses’ station, and the consultant.

4.7.5 Administrative staff told the investigation that there was no system in place, either technical or paper-based, to flag patients with similar names attending the clinics. The approach to ensuring safety relied upon vigilance among the staff:

“… if the names are similar then it is taking a little bit more care that the right outcome sheet goes on the right notes on the right pile.”

4.7.6 The Trust’s policy highlights mitigating strategies to manage the risk of having patients with similar names within an inpatient setting. The policy recommends the need to physically separate inpatients with similar names. The staff did not report that any processes, or technical or paper-based systems, were available to indicate patients with similar names within the outpatient setting.

4.7.7 Administrative staff told the investigation that the clinic list was printed the evening before the clinic. The list could be modified even on the morning of the clinic. Handwritten edits were noted on the paper clinic lists distributed across the team, although it was pointed out that the IT system available to all staff could provide real-time updates on the clinic list. The live clinic list could be viewed in the IT system at any time by the nurse and administrator on the IT system at the nurses’ station. This required the user to regularly refresh the computer screen to load the updates. This functionality would reveal any new additions at the start of a clinic or the arrival of a patient at the clinic.

4.7.8 The Trust described that the outcome sheet had multiple functions beyond checking of identity. The sheet provided a summary of what had happened during the consultation and what subsequent appointments or actions were required. This justified the amount of text included on the two sides of the document. The investigation was told that it was not uncommon for clinical staff not to complete this information, as they also entered it into the IT systems. Administrative staff told the investigation they may need to return the outcome sheet to clinical staff to ensure its completion. Patients may be handed the outcome sheet to take to the front desk to secure a repeat appointment; they may forget to do this and take the outcome sheet home without making a further appointment.

4.8.1 At the reference event clinic, clinical staff have to walk back and forth between the clinic rooms and the front desk to identify the patient’s arrival indicated by the outcome sheet placed in the filing tray. Nursing staff said that this created considerable physical effort during a clinic.

4.8.2 Clinical staff estimated about half of all colposcopy clinics overrun the scheduled time. Colposcopy clinics were described as “quite stressful, physically and mentally” and the need for clinical staff to have a break was acknowledged. Clinical staff would have a break between 12:30 hours and 13:00 hours; late running clinics could lead to clinical staff not getting a break, a late start to the afternoon clinic and clinical staff leaving work late. The lack of staff room or nearby catering facilities meant that at least 10 minutes of a break could be spent getting something to eat.

“We can have a clinic running behind after two patients. That has a knock-on effect through the morning and afternoon.”

4.8.3 Nursing staff explained that if the consultant did not arrive the clinic would not run. There was no recommendation for a safe level of working based on the number of nurses. The Trust explained that it aims to have a healthcare assistant to support a nurse during colposcopy clinics; staffing levels may not always enable this.

4.8.4 Changes to the national cervical screening programme have created an increase in demand for colposcopies. This is relevant to the reference event in two ways. Firstly, the resulting delay in receiving results from the cervical screening programme led to the scenario in which Patient A assumed the consultant had information about the results she was waiting for. Secondly, the demand for colposcopies created an environment where staff reported there was an increased time pressure associated with working in colposcopy clinics. Overrunning of the clinics was not unusual, which suggests the time available did not always match the time needed to deliver the required treatment.

4.8.5 The changes to the national cervical screening programme were announced in 2016 and rolled out across England by 2020 (Public Health England, 2016). The implementation of the programme was described as requiring ‘significant service redesign’ and involved centralising the screening programme and reducing the number of laboratories.

4.8.6 One consequence of the modified programme was increased sensitivity associated with additional testing, leading to an increased rate in colposcopy referrals. Between 2018 and 2019, 182,304 women were referred for colposcopies. This was an increase of 3.6% from 2017/18 (when 175,995 women were referred) (NHS Digital and Public Health England, 2019). Furthermore, in 2019 there was a reduction in the workforce available to complete the screening. This increased the turnaround times of cervical screening results, with more than 50% of results taking longer than the two-week national performance target (NHS Digital and Public Health England, 2019).

4.8.7 The perception of time pressure and workload can influence individuals to adopt timesaving strategies, to ensure they achieve their intended goal at an acceptable level of performance (Espin et al, 2006). The investigation heard that the work demands and associated time required for clinical staff to complete all of the necessary work for a colposcopy clinic could vary. This depended upon the accessibility of clinical equipment and areas and the need to reassure patients. When scheduling outpatient clinics, the variability in the time required to complete all tasks is not considered. Subsequently, risks associated with adjustments made to accommodate the workload may not be accounted for in existing risk assessments.

5.1.1 NHS England and NHS Improvement (NHSE/I) acknowledges the need to consider all system factors relevant to clinical performance to understand and address Never Events (NHS England, 2015a). HSIB’s investigation considered the effectiveness of existing safety controls relied upon in an outpatient setting to identify patients. The investigation analysed how, and which, systemic factors may influence the reliability of these controls and threaten to increase the likelihood of a patient receiving an unintended intervention.

5.1.2 The investigation identified three key threats to the correct identification of patients at different points of an outpatient appointment:

• two patients in the waiting area with similar names
• a patient being matched to the wrong notes or wrong clinic
• a clinician assuming that the correct patient has been presented for treatment.

5.1.3 Figure 6 presents a visualisation of these threats using a bowtie analysis. The bowtie maps the threats (on the far left of the diagram) to the existing safety controls which were identified during the investigation (the colour-coded boxes along the horizontal lines within the diagram).

5.1.4 The investigation considered the effectiveness of the safety controls to prevent the selection of the wrong patient to be prepared for a procedure, illustrated by the red circle in the centre of the image. The right-hand side of the image represents the safety controls which may be present in the event of the wrong patient having been prepared for the procedure. These controls were considered to understand whether they were sufficient to prevent the error prior to the patient receiving the wrong procedure.

5.1.5 The bowtie analysis and the visualisation of threats to safety and controls represent the concept of barrier management. Barrier management is a recognised approach to the enhancement of safety through the development of safety controls for recognised risks (see appendix 1) (McLeod and Bowie, 2018; Smith et al, 2011; Health and Safety Executive, 2008).

5.1.6 In safety industries the term ‘barrier’ is reserved for a particular safety control that is reliable and adequate to eliminate or stop a known risk. To classify a control as a barrier it should possess specific properties, and organisations should consider how to develop, evaluate and monitor the effectiveness of controls before classifying them as a barrier (Chartered Institute for Ergonomics and Human Factors, 2016).

The properties of a barrier include:

• ownership – clear responsibility for maintaining and assuring effectiveness
• traceability – clear ability to track a barrier to a specific requirement or process
• specificity – clear statement of staff performance required to prevent the hazard identified
• independence – each barrier is independent of another
• effectiveness – every barrier alone should be able to prevent the hazard
• assurance – the effectiveness of the barrier, in all situations, can be assured.

5.1.7 The term ‘safeguards’ is used to refer to controls that have the intention of enhancing safety and reducing the likelihood of an incident, but that may not meet the criteria required of a barrier. The combination of different types of safety controls provides ‘layers’ to control against an unwanted event (Chartered Institute for Ergonomics and Human Factors, 2016). It is acknowledged that people are always integral to the delivery of all types of safety controls, as they generally provide the function of ensuring the effectiveness of any safety control (Chartered Institute for Ergonomics and Human Factors, 2016). ‘Processes that rely solely on one staff member checking the actions of another or referring to written policies are not strong barriers’ (NHS Improvement, 2018a).

5.2.1 The following sections of this report consider the three threats illustrated in figure 6 in the context of the pathway followed by a patient when attending an outpatient appointment.

5.2.2 The investigation analysed the systemic factors which may reduce the effectiveness of the existing safety controls. These are known as degradation factors – see the yellow boxes in figures 7, 8, 10, and 11.

5.3.1 The investigation observed several outpatient departments in which clinical staff selected the patient for an appointment by calling the patient’s name in a waiting area.

5.3.2 One outpatient clinic visited by the investigation adopted an electronic board which was linked to the clinician’s IT system, although this was not operational during the visit. When the clinician confirmed they were ready to see the patient, they could select the patient’s name from the electronic clinic list, which pushed information to the electronic board in the waiting area, letting the patient know they would be called next. This had been implemented to manage the risk identified of patients not hearing their name being called, as it was a clinic for patients with hearing difficulties. Providing a cue can assist a person to anticipate that there will be a need to respond and pay more attention to their surroundings (Huey and Wickens, 1993).

5.3.3 It is well established that communication is a key contributor to incidents in many different environments (Reason, 1997; Kirwan, 1994) and healthcare is no exception (Parker and Coiera, 2000). There are several challenges associated with verbal communication including how information is presented, differences in language, loudness of voice, and environmental noise and distractions. How verbal information is received and interpreted will also be influenced by a person’s expectation, a hearing impairment, individual motivation, emotion or mood (Civil Aviation Authority, 2014). Although healthcare has considered the risk of error within communications across healthcare teams (Gillespie et al, 2013), there is little evidence in the literature to acknowledge processes where communication with a patient forms part of a safety check in the system. As the investigation heard and observed, it is not uncommon for the wrong person to stand when called.

“… amazing how many people … you can call a person by name and not the right person stands up.”

5.3.4 Clinical staff told the investigation that patients recognise where they are in the clinic list based on the pattern of arrival times and use this to anticipate when they will be called. The level of anticipation and expectation of the content of forthcoming communications can influence what people hear (Civil Aviation Authority, 2014). 5.3.5 The risk associated with verbally calling a patient was the start of the unintended outcome for Patient A in the reference event, resulting in her receiving the wrong procedure. Language, an unfamiliar accent, and the emotional state of the patient were all suggested as influencing the misinterpretation between the nurse and Patient A.

5.3.6 Calling a patient through for an outpatient appointment presents a significant problem and contributes to the risk of the unintended patient being selected. This creates a dependency upon the reliability of subsequent identification checks to act as a control to prevent this error. The investigation considers verbal communication is well recognised to be unreliable and calling a patient from an outpatient waiting area should be recognised as a hazard to correct patient identification; this would benefit from additional controls to support existing human checks.

5.4.1 Prior to their appointment a patient receives a letter inviting them to attend the outpatient department, with instructions on how to locate the department.

5.4.2 When the patient arrives at the department the administrative staff will establish their identity, and then direct them to the appropriate waiting area. The patient may be able to see the relevant waiting area, or they may need verbal directions to help them find their way.

5.4.3 Wayfinding (finding one’s way around) in hospitals is suggested as influencing patient wellbeing, recognising that signage may be ineffective in complicated buildings (Ruddle and Peruch, 2004). At the reference event site, the investigation team counted 30 signs or posters between the main entrance and the waiting area. It is recognised that visual clutter makes it more difficult to see the most important information relevant to the environment. In 2006 the Department of Health (Department of Health, 2006) issued a document to highlight the issue of wayfinding in hospitals and provide guidance to enable trusts to develop solutions based on good design principles.

5.4.4 Staff at all sites visited during the investigation acknowledged that it was quite common for patients to arrive anxious about their appointment. Staff told the investigation that the anxiety and emotional state of the patient may influence the likelihood of them following directions and reaching the correct waiting area. Folkman (1984) considers stress to be a consequence of the interaction of a person and their environment, where the environment is perceived as taxing or challenging to their wellbeing. Lazarus (1999) also considers an individual’s stress reaction is largely related to the subjective evaluation and personal significance of what is happening. Levels of stress may therefore vary between individual patients; however, a stress reaction will influence a person’s ability to allocate attention and process information (Sangar et al, 2014; Matthews et al, 2000). Healthcare environments that seek to reduce patient stress may make it easier for patients to give their attention to checks and information provided by healthcare staff.

5.4.5 The investigation observed outpatient departments where patients visiting different clinics waited in one area. In other departments the waiting areas were physically separated, grouping patients based on the type of clinic they were attending. This reduced the number of patients waiting in one area and aimed to cluster patients waiting for similar care into a smaller group. This had the effect of reducing the likelihood of a patient being called to a clinic room for an entirely different form of care or intervention. A greater number of clinics running simultaneously can increase the number of people within the same waiting area. Clinical staff reported this could create high levels of noise and distraction when trying to call a patient for their appointment. Having a larger number of people in the same space may increase the probability of the wrong person standing when called.

5.4.6 In the reference event the waiting area was not a busy or loud environment. During visits made by the investigation to other outpatient waiting areas a similar event was observed; the wrong patient stood up in a waiting area with just three patients waiting. There appears to be an inherent risk associated with the task of calling out a patient’s name and the reliability of the correct patient responding.

5.5.1 Visits to outpatient clinics have nearly doubled in the past decade, from 54 million to 94 million (NHS England, 2019). Unlike literature on patient safety in inpatient settings, there appears to be little research focus on the outpatient setting and specifically on the issue of patient identification (Schoofs Hundt et al, 2005). National stakeholders consulted with during the investigation suggested outpatient settings had been “left behind”. It was suggested to the investigation that the intensity of the workload associated with outpatient clinics contributed to the risk of incorrect patient identification. It was suggested that this should be raised to inform trust executives of the risk to the integrity of safety checks.

5.5.2 Clinical staff commented that organisational expectations influenced the time or resources available and the perception of the high workload. Staff workload was influenced by the approach to scheduling of patient appointments, staff allocation, physical workspace and national performance targets. Staffing to ensure that safe and effective care can be delivered is currently a national priority for the Royal College of Nursing (2020, 2021).

The perception of a high workload is created when there is a reduction in resources, or insufficient time available to achieve the work required to the standard desired by an individual (Young et al, 2015). A greater time pressure will increase the likelihood of trade-offs made by staff, to ensure all work and targets are achieved to an acceptable level of performance. One consequence of this is an increase in the effort required and the stress experienced by staff (Hollnagel, 2009; Hancock and Warm, 1989). Trade-offs may include the integrity of the completion of checks, especially where there is a perception that the check has been or will be completed by another person (Armitage, 2007).

HSIB makes the following safety observation

5.6.1 NHS trusts have a local policy for patient identification and the investigation identified and reviewed six patient identification policies from six different trusts. All of these refer to and reflect the National Patient Safety Agency (NPSA) guidance on patient identification (National Patient Safety Agency, 2009; 2007; 2005). The only update found to this guidance relates to the issuing of temporary identifiers for patients arriving at an emergency department with an unknown status; this is not relevant to the outpatient setting (NHS Improvement, 2018b).

5.6.2 The review highlighted many similarities across the policies, but also inconsistencies in the information provided on how and when patient identification should occur and who should do it. The NPSA guidance suggests that ‘When identifying patients it is the responsibility of the practitioner to make sure there could be no misidentification with another patient’.

The trusts’ guidance reviewed by the investigation indicates that the use of wristbands is variable in an outpatient setting. Many trusts instruct that a wristband is required where invasive treatments or procedures are to be completed in outpatient settings. Other trusts pass this judgement down to the clinical staff: ‘Wristbands may be applied in the Outpatients’ Department if clinical staff perceives there is a risk of mistaken identity and feel that it is expedient to do so.’ Some of the local guidance suggests that ‘staff must be vigilant’; this implies there are limitations to the safety controls in place. None of the guidance that was reviewed mentioned the need to consider the environment and workload to ensure the effectiveness of patient identification checks.

5.6.3 One trust adopted a simplified approach to communicating how identification checks should be carried out when a wristband is not in use, dividing the checking task into three clear stages (see figure 9). Guidance on what constitutes a ‘good’ check was not obvious from national NHS bodies.

5.6.4 NPSA guidance (2009; 2007) and the Information Standards Board standard (2012) clearly state the need to use the NHS number as a unique identifier. Of the trust guidance reviewed by the investigation, only one trust suggested the use of the NHS number as integral to the positive identification of patients by staff. This suggestion was directed towards administrative staff. This reflects the investigation’s observations, as administrative but not clinical staff were regularly seen using the NHS number to identify patients and their associated paperwork or records.

5.6.5 The investigation observed administrative staff consistently requesting several pieces of information to identify the patient. These included the patient’s name, date of birth (DOB) and the first line of their address. Some clinics adopted the protocol of requiring further evidence in the form of a clinic letter, an official document such as a household bill or driver’s licence, or proof of a text message if these were used by the trust as appointment reminders. Further checks, not solely for the purpose of identification but clearly supporting it, included confirmation of the name of the patient’s GP and a contact number, usually shortened by a request to confirm the last four digits of the number. At two sites visited, self check-in systems had been installed; neither were functioning during the visits. Administrative staff said that patients generally required some level of support to use the self check-in systems, which were positioned close to the reception desks to enable staff to provide this support.

5.6.6 The Clinical Imaging Board (CIB) (2015) issued a statement to highlight the significance of the issue of patient identification. The CIB provides information to support trusts on what should be included in guidance and best practice associated with effective patient identification.

5.6.7 There is variability across trusts in the processes and tools used to carry out patient identification, with limited use of the unique NHS identifying number. The investigation found guidance relating to patient identification issued by national bodies. Information on the principles or requirements for a good identification check, to support trust guidance, was not immediately accessible when using the search function within the NHSE/I websites.

HSIB makes the following safety observation

5.7.1 The investigation observed that electronic clinic lists were created to identify all patients due to attend an outpatient clinic. Most units, as seen at the reference event site, also printed out several copies of the clinic list, as clinical staff may not have consistent access to the IT system. The paper printout was also suggested to provide a back-up in the event of a technical failure.

It was suggested to the investigation that the functionality of the IT system procured by a trust and the administrative staff’s knowledge of the system were both factors that influenced how the IT system may or may not be used to flag patients with similar names within a clinic. The risk of misidentification within IT systems is influenced by the design of the user interface and how or which information is presented at any one time to support identification. The use of photo identification and alerts for patients with similar names are two design features recognised as likely to have a high impact upon safety (Sopan et al, 2014).

5.7.2 The use by clinicians of printed paper clinic lists was the practice most commonly observed by the investigation. The mixing of paper and technology-based systems has two consequences. Firstly, any last-minute edits to the list requires handwritten edits to be made to the multiple paper lists that are printed. Secondly, any safety alert function available within IT systems to flag patients with similar names is lost once a list is printed out.

5.7.3 The mix of paper and IT systems cannot optimise the safety features offered by a fully integrated technical system across an outpatient clinic. The current level of availability of the IT systems to all staff within many outpatient departments limits the accessibility to these safety features. The investigation did observe one clinic using a fully integrated IT system. Clinical staff highlighted how the need to have multiple screens and documents open simultaneously made it difficult to match patient identifiers across all documents. Healthcare organisations need to consider how technology can assist controls to enhance safety, while remaining aware of new emerging risks introduced by the implementation of IT systems in the context of existing work systems and processes (Sittig and Singh, 2011). The investigation heard that a move to remote consultations (due to COVID-19) has increased the reliance upon technical systems where associated emerging risks are yet to be identified.

5.7.4 The investigation heard that a lack of functionality of individual technical systems resulted in the need for multiple unintegrated systems; clinical staff described this as “exasperating”. During an outpatient consultation, recording of clinical information, referrals or requests for future appointments could not always be completed within the IT systems available to the clinician. The investigation heard of workarounds which required records to be made on paper; these documents were then transferred to another individual, within or outside of the outpatient setting, to enable transcription or scanning into the appropriate system. The use of multiple technical systems or multiple pieces of paperwork, transferred across departments, introduces the risk of mismatching patient information. The likelihood of a mismatch is increased due to the task of matching patient details being completed more frequently.

5.7.5 The Joint Commission accurately reflects that technology alone cannot ensure correct patient identification. This requires a systems approach to fully consider the interaction of technology, people and processes to inform the procurement and design of systems, training and procedures (The Joint Commission, 2018). The investigation found that a systems approach is not currently adopted in the delivery of outpatient care. The current lack of technology integration observed by the investigation implies that technology does not contribute to providing independent and effective barriers for misidentification across the outpatient pathway (The Joint Commission, 2018).

5.7.6 Mitigation of the safety issues and risks of misidentification of patients and their information relies upon vigilance of healthcare staff. This suggests that staff actions are the only safety control in place to prevent mismatching of patient information. There appears to be an existing risk for outpatient departments, which have a greater need to repeatedly rely on clinical staff to match patient identifiers and collate paper records to compensate for technical limitations or resources.

HSIB makes the following safety observation

5.8.1 A single outpatient appointment may require a patient to move between several clinic spaces to progress through the required number of consultations. Within inpatient or community healthcare settings these transitions are recognised as a potential risk due to the need to hand over the care of a patient to another group of staff (The Joint Commission, 2018; Johnson et al, 2015; Terrell and Miller, 2011). Similar concerns about this same risk cannot be found in the literature on transitions in outpatient settings.

Once the patient has been effectively identified in one area of the department, as they are not required to wear or hold any form of identification such as a wristband, photo ID badge or NHS unique identifying number, continued correct patient identification relies on further verbal checks with the patient by members of staff. This may be the same member of staff at different points in the patient’s pathway. This does not suggest the checks are independent, as it is recognised there can be a reduction in the attention to subsequent checks made by the same person (Nakata, n.d.; Toft and Mascie-Taylor, 2005). The repetition of verbal checks is also recognised as not increasing safety within a system, due to deference or misplaced confidence given to checks completed earlier in a process and lack of quality in subsequent checks (Armitage, 2007).

5.8.2 The investigation heard that in one outpatient department the pathway had been modified to minimise the number of transitions, to reduce the risk associated with repetitive patient identification checks.

5.8.3 The investigation observed that the arrival of a patient into the outpatient department was indicated in the IT system; a change in the colour of the patient’s name within the list was the most common indicator. In clinical settings where computers were not available to all clinical staff who would be interacting with the patient, paper items with patient details on were clipped together.

5.8.4 The investigation observed variability in which items were physically relied upon to complete subsequent checks. As in the reference event, most departments used a patient identity sticker attached to an outcome sheet, placed in an agreed location, to indicate the patient’s arrival to clinical staff. In some departments, the outcome sheet was accompanied by patient records, paper stickers and blank note paper. In departments that had a greater level of, but not full, technical integration, the outcome sheet and historical patient records were held electronically. However, the practice of using a paper file, known as a ‘dummy file’, to indicate a patient’s arrival within a clinical area was retained and a set of patient stickers and blank note paper may be held within this file.

This perpetuates a risk associated with misidentification of a patient, which can stem from the wrong sticker or a mismatch in all paperwork relevant to a single patient (Healthcare Safety Investigation Branch, 2020b). The need to create a dummy file was justified to the investigation for several reasons: to act as an alert of the patient’s arrival, to provide patient stickers to staff unable to print within all clinic spaces, and the need to record care onto paper due to limitations of the IT systems.

5.8.5 An outpatient appointment may involve a patient seeing multiple clinical staff during a single visit. The investigation was told of a system (but did not observe it due to the constraints of completing the investigation in the context of COVID-19) which tracked the location of the patient through the stages of their appointment. This has the potential to act as a further control to ensure the identification of the correct patient, based on their location within the outpatient pathway.

5.8.6 The type of clinician who sees a patient for consultation may vary within an outpatient setting. They may include doctors, nurses and allied health professionals. The consultation phase and interaction with a patient requires effective forms of communication from all healthcare staff. The reference event highlighted how this may be compromised through the perceived workload pressures associated with the delivery of the outpatient clinic. This finding is supported by a systematic review of the literature, which emphasises that problems with communication and failure to effectively listen to patients are associated with workload (Campbell et al, 2018).

5.8.7 The investigation observed that some clinicians introduced themselves to patients on entering the consultation. They conversed with the patient to establish if they knew why they were attending and then presented information relating to the patient’s previous care or conditions. Clinicians told the investigation that to do all this required time and personal skills. This approach to initiating a consultation achieved several goals: establishing the patient’s level of understanding, enabling shared decision making, informing subsequent consent to an intervention and establishing that the identification of the patient was correct. These less formalised safety controls reduced the reliance on formal identification checks alone.

5.8.8 Some clinical staff recognised the risk of misidentification on every transition of the patient between areas in the outpatient setting.

Making assumptions about the robustness of previous checks, similar checks being made by the same clinical staff and the lack of any form of identification on the patient increase the risk of misidentification. Clinical staff told the investigation they do not wish to keep interrogating patients. Trusts may find it beneficial to consider patient transitions within an outpatient setting as a potential risk to correct patient identification and consider the implementation of additional systemic controls to support verbal checks of identity.

5.8.9 The initiation of a consultation offers an opportunity to probe for information, which can support the confirmation of a patient’s identity and provide an opportunity for patient engagement. The investigation, reference event and literature all support the significance of the impact of clinical workload on the effectiveness of communication required to improve the quality and safety of patient care.

5.9.1 Once a patient has responded to a call in the waiting room, the guidance suggests the use of at least two identifiers to establish that the intended patient has responded (World Health Organization, 2007). The investigation observed considerable variability in how patient identification was completed by staff as they greeted patients and escorted them to the clinic space. 5.9.2 The first identity check, which might mitigate the risk of the wrong patient responding, varied across departments and clinical staff. The interaction ranged from “hello my name is X can I just check your name and date of birth?” (#hellomynameis, n.d.) to “hello, would you like to come through?”.

Clinical staff explained two factors – time pressure and a desire to welcome patients to quickly put them at ease – which may impact staff behaviour and whether they obtain a full match of patient name and DOB. The difficulty described by clinical staff was how to offer a friendly and welcoming greeting to reduce patients’ anxieties, while avoiding the impression of an instant interrogation. The investigation also heard that familiarity and regular attendance of patients may inhibit clinical staff from requesting a patient’s identification details and matching them to their records. These findings suggest there is a tension perceived by clinical staff to perform both safely and with humanity, in order to develop a personal connection with patients. The evidence from the investigation casts doubts on the reliability of the identification check at this stage of the outpatient pathway. From this point forward, staff may be assuming correct confirmation of patient identity: “You expect the nurse to get the right patient.”

5.9.3 At the trusts observed by the investigation, when a patient responded with their name and DOB, healthcare staff had to match the verbally communicated details to the patient identifiers presented within paper-based information. Handheld IT devices were not observed to be in use. In one department visited by the investigation, where IT systems had been fully integrated and supported patient identification, the investigation was informed that individual clinician preference meant paper-based clinic lists were still requested and frequently used.

5.9.4 Typically, paperwork used included the patient’s identity sticker on the outcome sheet, a printed clinic list or the patient sticker on a dummy file. The layout and font size used varied depending upon the paperwork used. This may influence the reliability of reading of the correct order for first and second names, depending on the layout. The usability and design of these paper-based items were not standardised across trusts, with some containing a heavy concentration of text and information, which did not follow principles of good design (Hartley, 1990). The NHS has for many years provided the principles of good design for technical interfaces (NHS Digital, n.d.a; n.d.b). There is less evidence of recent guidance for the development of tools, either paper or electronic, used to assist with safety checks.

5.9.5 Completing any type of check effectively and consistently to a high standard again and again is recognised within the healthcare literature as a difficult task. The variability in individual staff performance is attributed to several factors; these include the design of the check, the working environment, and innate human characteristics, for example the ability to remain focused on relatively simple tasks (Keers et al, 2013; Espin et al, 2006).

5.9.6 Tasks that are dependent upon human attention and vigilance are vulnerable in contexts where distraction and multiple demands are common. The work environment, number of tasks to be completed and time pressure will compromise a person’s ability to attend to information (Keers et al, 2013). This may make it impossible to adhere to procedures and standards for identifying patients. Organisational procedures may not reflect how work is actually done, within time pressured environments, with multiple goals and distractions, and with constrained resources (Dekker, 2003).

5.9.7 The unreliability of matching patients to care was highlighted in studies completed by the National Patient Safety Agency (NPSA) in 2004 (National Patient Safety Agency, 2004). Although the NPSA was unable to quantify the unreliability, sufficient evidence was presented to confirm it was a significant area of concern. The use of wristbands has been required for inpatients who may or may not receive an intervention since 2005 (NHS England and NHS Improvement, 2018). In 2007 the NPSA issued a safer practice notice alerting and informing the NHS about the design of identifiers when presented on a wristband.

In 2009 the Information Standards Board made this a standard requirement (Information Standards Board, 2012). It provided guidance for healthcare systems on the need to use the principles of good design for wristbands. The NPSA aimed to ensure consistency by setting out a minimal set of identifiers to be worn patients by patient during an inpatient stay with an intention to review outpatient settings. The NPSA was disbanded in 2010 and the intended work in relation to outpatient settings does not appear to have been completed (NHS, 2003). The NPSA guidance aimed to reduce the risk of confusion about first names and surnames and to increase the use of a unique patient identifier, the patient’s NHS number.

5.9.8 The investigation found there was a lack of standardisation or good design of the paperwork relied upon to match patient identifiers. The NatSSIPs standard on documentation of invasive procedures ‘recognises that the structure of the documentation can in itself contribute to safe working practices’ (NHS England, 2015a). The investigation observed patient details being written or entered into paper forms which did not clarify first name and surname. The recognition of unfamiliar names was suggested by clinical staff as impeding which name to call as the first name and surname. There was no support to assist the accurate pronunciation of names less familiar to clinical staff.

5.9.9 In 2009 the NPSA issued a safer practice notice recommending the use of the NHS number as a patient identifier (National Patient Safety Agency, 2009). Evidence cited concluded that use of this unique identifier would significantly improve patient safety, specifically in the identification of patients and linking to all relevant information.

‘To ensure correct patient identification, the NHS Number should always be used in conjunction with other identifiers (usually first name, last name and date of birth) when identifying a patient.’
(National Patient Safety Agency, 2009).

5.9.10 The investigation found little evidence of the NHS number being used as a key identifier, other than by administrative staff. The use of barcoding to confirm patient identity is also recommended by the NPSA. This form of technology was not observed in any of the outpatient settings.

5.9.11 The role of the tools used to assist in correct matching of patients to either paper or digital information does not appear to be well understood. The NPSA clearly considered the design and layout of wristbands and the need to rely on the NHS number to minimise the risk of misidentification. There appears to be little guidance for outpatient settings on the design of tools and use of the NHS number. HSIB makes the following safety observation Safety observation O/2021/113: It would be beneficial if there was national guidance on the principles for good design of tools to support the critical task of patient identification.

5.10.1 There is currently no requirement or guidance for NHS trusts to use wristbands to assist with the identification of patients in an outpatient setting. The investigation found variability and differing levels of innovation within organisations and individual specialities relating to the use of wristbands. Some departments used wristbands for patients attending for an intervention; the wristbands had a dual purpose in identifying the patient and the side of the body to be treated. Some clinics used wristbands even when no intervention was planned, in certain clinics referred to as ‘see and treat’ clinics where the need for an intervention may only be decided upon following a clinical assessment. In other settings wristbands were never used. There appeared to be inconsistency in how the risk of patient identification in outpatient settings was perceived and the value of the use of wristbands as a safety control.

5.10.2 The practicalities and cost of providing wristbands was highlighted as a consideration by one department. It was working around these constraints by having a stock of plastic-coated wristbands, to which they attached a patient sticker as part of the identification process. This meant the wristbands could be re-used. This process was only completed halfway through the outpatient visit; the patient would have seen two other healthcare staff prior to being issued with a wristband.

The risk associated with the treatment to be delivered was clearly the motivation for the use of the wristband. This pragmatic approach to the use of wristbands was developed at the departmental level rather than being an organisational initiative. This had two consequences. Firstly, it prevented the provision of mobile wristband printers to enable the printing of wristbands next to the patient, as suggested by the NPSA guidance (National Patient Safety Agency, 2007; 2005).

Secondly, it prevented the standardisation and evaluation of the use of wristbands with a view to avoiding the introduction of new risks. One trust’s guidance recommended writing onto a wristband (if printing was unavailable) and warned against the use of addressograph labels (labels printed on a type of machine often used in hospitals) for wristbands ‘as the ink is easily smudged, becoming illegible. Addressograph stickers may be uncomfortable; may catch on clothing/ skin, are oversized in relation to band with hard/ sharp edges and is an infection in control and prevention risk.'

5.10.3 Inconsistencies are created by a localised approach to the risk assessment of patient identification in outpatient clinics. The risk of each part of the outpatient process and any treatment or intervention delivered does not consistently inform the safety controls adopted to minimise the risks identified. The investigation observed the use of wristbands in contexts where risk of harm may be relatively low and no use of wristbands for physical interventions or the delivery of diagnostic information, which presented a greater potential for harm. This highlights inequalities and knowledge of how the assessment of tasks and associated risks should inform the implementation of safety controls for patient identification.

NatSSIPs and LocSSIPs

5.10.4 The NPSA (2007) recognised the misidentification of patients as a significant risk to patient safety which cuts across all sectors of healthcare practice including delivering interventions, procedures, medications, and care in general.

5.10.5 The NatSSIPs document published in September 2015 (NHS England, 2015a) instructed all trusts to develop and implement their own local standards for invasive procedures (LocSSIPs), based on the national principles set out in the NatSSIPs. This approach was adopted to specifically to ‘help prevent Never Events’ (NHS England, 2015a). The standards include principles of safe practice, advice on training, the use of human factors and the development of standardised checks like the WHO surgical safety checklist. They aim to standardise elements of procedural care, including patient identification.

5.10.6 A survey to evaluate the implementation of NatSSIPs was completed by NHS Improvement in 2018 (NHS Improvement, 2018c); this included 154 trusts. Of these, 130 responded that they had written LocSSIPs. Furthermore, of the 130 trusts that had implemented NatSSIPs and put LocSSIPs in place, 87 had further Never Events. The document ‘Opening the door to change’ was released by the Care Quality Commission (CQC) (2018).

This supported the findings of the NHS Improvement survey, concluding that staff struggle to implement LocSSIPs due to the volume of safety guidance. The CQC report acknowledged that organisational pressure to meet performance targets and patient flow conflicts with systems designed to enhance safety. Lack of team engagement and knowledge of human factors were also highlighted as not supporting the design and implementation of effective safety systems. ‘Opening the door to change’ also suggested that there was no evidence in trust’s LocSSIPs to suggest redesign, workload, and work processes had been considered.

The CQC recommended that NHSE/I review the Never Event framework and consider with professional regulators and royal colleges the strength afforded by different forms of barriers. The recommendation was explicit in suggesting the need to review the vulnerability of barriers that predominantly rely upon human performance, such as checklists, and those that seek to design out the risk. The report acknowledged that safety is more than the barriers in the system and recommended that increased expertise in the field of patient safety is required.

5.10.7 Health Education England (HEE) is leading on the development of the National Patient Safety Syllabus as an integral component of the NHS Patient Safety Strategy. HEE has commissioned the Academy of Medical Royal Colleges to develop the syllabus and the associated materials (Academy of Medical Royal Colleges, 2020).

5.10.8 The Patient Safety Syllabus is a multi-professional syllabus which focuses on proactive risk assessment. It is currently anticipated that all healthcare staff will be offered access to the Level 1 Patient Safety learning module by the end of August 2021, with staff who wish to progress through this learning pathway offered access to Level 2 by the end of September 2021, recognising that safety is the responsibility of all staff. Currently, the specifics for the job requirements of a patient safety specialist are being drafted by NHS England. All patient safety specialists will be expected to be trained across all five levels of the Patient Safety Syllabus. As the content for the Patient Safety Syllabus is still being developed, work is underway to explore how relevant prior experience and/or learning can be credited against these five levels and also what the final awarded qualification will be.

5.10.9 The investigation considers that patient identification should be recognised as a critical task in healthcare. Expertise is required in risk assessments, which consider organisational and human factors, to enable the identification of context-specific risks and the development of effective and appropriate safety controls. Organisational safety systems should support the implementation, reliability and evaluation of controls assessed as necessary to minimise the risk.

HSIB makes the following safety observation:

5.10.10 The CQC (2018) and evidence from the reference event highlight a misunderstanding relating to the responsibility for completion of a LocSSIPs check. The NatSSIP document states that ‘When a document is signed as indicating that a step in a LocSSIP has been performed by a member of a procedural team, that member is signing on behalf of the whole team, and every member of the team therefore shares the responsibility for the performance of the LocSSIP’ (NHS England, 2015a). The document suggests the LocSSIPs are intended to be more than just a record of completion of a check, but is intended to enhance engagement across the team: ‘The basis of safe care is teamwork, and the aim of both NatSSIPs and LocSSIPs is to promote and develop teamwork’ (NHS England, 2015b).

5.10.11 The implementation of welltested initiatives within healthcare is recognised as often failing to achieve impactful change to patient care. Challenges to the process of implementation frequently see good initiatives fail (Damschroder et al, 2009). This appears to be the case for the NatSSIPs document, which included explicit information on the process of implementation (NHS England, 2015b).

5.10.12 The NatSSIPs and LocSSIPs documents aim to enhance the safety culture within a team, to promote teamworking rather than just to standardise an identification check. The context of a time-pressured, high workload environment, with cultural norms such as efficiency trade-offs creating silo working, as seen in the reference event and noted by the CQC (2018), may limit the potential impact of safety initiatives to contribute to changes in culture (Stretton, 2020).

It is acknowledged that for safety initiatives to be successfully implemented in healthcare, there is a need to look beyond the technical format of the initiative and consider how the clinical environment, staff roles and perceptions, leadership and collaboration may prevent the implementation and sustainability of a safety initiative (Dixon-Woods et al, 2013).

5.10.13 Additionally, reluctance to introduce additional formal checks was highlighted throughout the investigation. The explanation for this reluctance was the perceived increase in time required in already time-pressured appointments.

5.10.14 There are currently inconsistencies in patient identification processes across NHS trusts. The current approach to the implementation of NatSSIPs guidance focuses on the LocSSIPs as a check and the investigation found little evidence, or acknowledgement, of promoting a team culture and the value of technical or system design as controls to misidentification.

5.11.1 The NHS cervical screening programme outlines the standards and requirements for trusts delivering colposcopies (Public Health England, 2016). This requires the presence of a trained colposcopist (a clinical member of staff certified to complete colposcopies through the British Society for Colposcopy and Cervical Pathology/Royal College of Obstetricians and Gynaecologists scheme) and a nurse to support the patient and the delivery of the procedure. Consistency in a colposcopy team and the minimum level of staffing are recognised as ensuring adequate emotional support for the patient and consistency in patient care (Public Health England, 2016).

5.11.2 Although the term ‘invasive procedure’ is not used within the standard for the delivery of colposcopies, the definition used within the NatSSIPs standard suggests a colposcopy would be considered as an invasive procedure (NHS England, 2015b). This standard indicates the need to obtain consent but does not indicate there is a requirement to obtain written consent from the patient for a colposcopy. Therefore, this does not provide an opportunity for patient identification, as with some invasive procedures completed within an inpatient setting.

5.11.3 The investigation observed some departments obtaining written consent for colposcopies, as another opportunity for identification prior to the procedure. Written confirmation of identification may provide a further layer to the safety controls for correct patient identification, if there is sufficient time allowed to protect the quality of the patient consultation to provide assurance to the process of consent (General Medical Council, 2013). The investigation heard concerns about additional administrative tasks, due to time pressures associated with these tasks. This was suggested as having the potential to inhibit the implementation of such additional safety controls.

5.12.1 The investigation sought to establish the frequency and likelihood of incidents involving the incorrect identification of patients within an outpatient setting. A review of the National Reporting and Learning System (NRLS) (a database of patient safety incidents) was undertaken (see appendix 2). A search was undertaken for incidents reported between 1 January 2019 and 30 June 2019, using the search terms ‘wrong’ or ‘incorrect’ and ‘outpatients’, which returned 1,124 results.

The search was filtered to focus on outpatient and ambulatory (same-day emergency) care. This returned 473 results, of which 32 were categorised as ‘patient incorrectly identified’. However, within the 473 results, 3 were identical in nature to the reference event but were not captured within the 32 categorised as ‘patient incorrectly identified.'

5.12.2 Incorrect patient identification relevant to ‘wrong patient – wrong procedure’ incidents are not explicitly coded within national reporting databases. Therefore, it is impossible to determine their frequency across all healthcare settings. This impedes national safety organisations from recognising the significance and scale of harm created by patient misidentification.

5.12.3 The NatSSIPs document (NHS England, 2015b) states that when considering Never Events ‘it is necessary to take a systematic and wide ranging approach to the analysis of each incident’. Human factors is suggested as providing an appropriate approach to ensure all parts of the system, for example, teams, tasks, workspaces, equipment and organisational influences, are considered in understanding an incident and developing an appropriate response (NHS England, 2015b). The investigation’s review of NRLS incident data considered the type of corrective actions recorded in response to incidents. The data suggested that typically the safety interventions were training or informing staff of the error with advice to follow policy and be more vigilant. There was only one suggestion that technology could assist as a safety control and there was no mention of the design of the environment, paperwork, checks, processes, and teamwork to minimise the risk of misidentification.

5.12.4 A ‘systematic and wide ranging approach’ (NHS England, 2015b) does not appear to be evident within the NRLS data. This suggests that in the context of the hierarchy of controls (see 1.5.2), the response to the Never Event of a wrong procedure focuses on the lower levels of the system, such as administrative controls (development of procedures and staff awareness).

5.12.5 The approach to recording incidents may limit the understanding of the scale of the risk associated with misidentification of patients. Unless a reporting system can capture the frequency of critical tasks influential to patient misidentification, the significance and sufficiency of existing safety controls cannot be fully appreciated or appropriately prioritised. A reporting system that captures safety issues common to critical tasks that exist across the whole of the healthcare system, irrespective of context, environment or outcome, may enhance organisational learning. Focusing safety initiatives on the outcome of wrong procedure narrows the safety efforts to environments that provide procedures. The correct identification of a patient, or their information, should be considered a critical task for all healthcare interactions.

Factors likely to influence the performance of this task should be risk assessed specific to the healthcare context, to enable mitigation strategies to extend beyond human checks. Safety controls to address the risk of misidentification should be developed to include engineered, organisational and human controls. Use of the term ‘barrier’ should be reserved only for those safety controls which meet the criteria of a barrier (see 5.1.6) (Chartered Institute for Ergonomics and Human Factors, 2016; Seiden and Barach, 2006).

5.12.6 The investigation’s engagement with NHSE/I has highlighted a lack of national consideration of patient identification in the outpatient setting. NHS Resolution acknowledges that the scale of patient misidentification is unknown, as reporting systems and practices do not enable the capturing of all episodes of misidentification, with or without associated harm. Both organisations are currently looking to share the learning across all healthcare providers relative to Never Events, with NHSE/I specifically focusing on the strength of existing barriers.

5.12.7 NHSE/I is developing a new patient safety incident management system (PSIMS), due to be tested in 2021 (NHS England and NHS Improvement, n.d.). The investigation was informed that the system aims to classify healthcare events not purely based on the outcome, such as wrong procedure, but to capture factors influential to the outcome. This should provide greater flexibility and capability to search the reporting system. It also has the potential to identify occasions when the task of patient identification contributed to different types of outcomes.

5.12.8 The next phase of the PSIMS development programme seeks to understand how artificial intelligence can support learning from the commentary provided by staff. An incident reporting system that enables the identification of systemic factors, and which captures the scale and influence of the reliability of patient identification, is essential to inform patient safety initiatives. The effectiveness of PSIMS to meet this goal remains untested at the time of writing

5.13.1 Overall, the investigation identified a number of factors which influenced the effectiveness and reliability of the safety controls in place to ensure the correct identification of patients in an outpatient setting. Considering the properties of a strong barrier (see 5.1.6) the investigation suggests the existing safety controls lack standardisation and clarity of ownership across the team, specificity (a clear statement of what staff are required to do) and independence. The investigation did not observe any strong and systemic barriers.

The safety controls that are currently relied upon to reduce the misidentification of patients, and subsequent risk of a patient receiving the wrong procedure in an outpatient setting, are influenced by the work environment, clinical workload, and the design of safety checks.

HSIB makes the following safety recommendation

The task of calling a patient through for an outpatient appointment presents as a safety issue and contributes to the risk of an unintended patient being selected, influenced by the clarity of verbal communication. This creates a dependency upon the reliability of subsequent identification checks to prevent this error.

• The number of clinics running at the same time within a department, the number of patients required to wait in a similar area and the number of transitions patients make within an outpatient department affect the risk of the wrong patient being selected.
• The format of processes and tools used to identify patients varies across trusts, with limited use of the unique NHS identifying number.
• Technology can be used to support patient identification process. There is a lack of integration of technology in outpatient departments.
• There is a localised approach to the assessment of risks within outpatient settings and variation between trusts in the knowledge required to develop appropriate and sufficient controls to support patient identification.
• There are no formal safety controls to manage the risks that can arise when patients have similar names.
• The increased workload and time pressure associated with delivering interventions in outpatient settings may have a negative impact on the quality of communication and safety checks relied upon for effective patient identification.

HSIB makes the following safety recommendation

HSIB makes the following safety observations:

Barrier management is the process of ensuring threats in a system are prevented through the layers of protection an organisation has put in place between a known safety issue or event (hazard) and an undesired consequence. This process should ensure the layers are robust enough to be successful in thwarting the release of the safety issue and unintended outcome (Chartered Institute for Ergonomics and Human Factors, 2016).

The principles behind barriers to enhance safety draw from the Swiss cheese model of accident causation, developed by James Reason (Reason, 1997; 2008). This uses the analogy of slices of Emmenthal cheese lined up to represent the barriers that exist in a system, with holes indicating weakness in the barriers that allow hazards through, resulting in unintended outcomes. This is a wellknown model that has been modified in recent years to reflect work in healthcare settings, recognising how compensatory actions from frontline staff eliminate adverse outcomes despite weaknesses in barriers. The analogy has been expanded to reflect that the barriers cannot be considered as static. Staff adjust to accommodate and enable the effectiveness of the defence or compensate for weaknesses that may develop in a barrier, at any moment in time. Ultimately, the accumulation of events or factors in the working environment may erode the staff’s ability to compensate and barriers may be inadequate to prevent unintended consequences (Dekker, 2006).

An understanding of how well barriers will perform when put to the test is important when understanding and proactively managing risk. While most safety-critical industries place emphasis on the importance of barriers to guard against unintended consequence, some such as oil and gas, aviation, rail and nuclear, have invested heavily in systems for identifying, analysing and assuring barriers. In some industries regulators have mandated safety management systems with inherent barrier management. For example, the UK civil aviation regulator has embedded bowtie analysis in its Performance Based Oversight and Regulatory Safety Management System and is a model used by operators to help understand their safety risks (Civil Aviation Authority, n.d.).

Bowtie analysis considers the cultural and technical (sociotechnical) context within which a hazard sits at various levels in a system, such as a hospital, a hospital ward or a side-room. By introducing the concept of weakened but not eliminated defences, it allows an understanding of how barriers decay and can fail.

An advantage of bowtie analysis is that it provides a means to ‘communicate not calculate’. By representing risk diagrammatically to a diverse audience, the intention is that organisations can prioritise activity correctly (De Ruijter and Guldenmund, 2016). The HSIB investigation of wrong site surgery – wrong tooth extraction considered the strength and definition of strong systemic barriers, and the need to consider the reliability of barriers dependent upon human performance (Healthcare Safety Investigation Branch, 2021b).

This report raises issues associated with the current definition of a barrier applied by the NHS.