Search the Herefordshire and Worcestershire Health and Care NHS Trust website

Advanced options

CRIS (Powered by Akrivia Health)

CRIS (Clinical Record Interactive Search), powered by Akrivia Health, provides secure access to de‑identified electronic patient records. It supports research studies, clinical audits, service evaluations, and quality improvement projects across the Trust.

Who is Akrivia ?  

Akrivia Health works with the healthcare organisations like the NHS to help improve mental health care through research. They support the safe and responsible use of health information to better understand mental health conditions, treatments and services, with the aim of improving care for patients now and in the future.

How does our Trust and NHS benefit?  

Akrivia Health supports the use of the Clinical Record Interactive Search (CRIS) system. CRIS securely uses anonymised information from patient records for approved research studies. This means personal details are masked or removed, and researchers cannot identify individual patients. By taking part in CRIS, our Trust is contributing to important mental health research while protecting patient confidentiality and helping shape better services and treatments for the future.

This short film by South London and Maudsley NHS Foundation Trust offers a great overview of CRIS. It shares the benefits of using CRIS over the last 10-15 years and how they work with a patient advisory group:

 

Introducing CRIS (Case Record Interactive Search) system

The CRIS computer system allows us to carry out research using information from our Trust’s clinical records.  

CRIS transforms clinical information so that your clinical details can be used in research but personal details cannot.

CRIS removes or covers up any information that can identify you.

CRIS is safe and secure. It does not reveal your personal details.

We believe CRIS can make a real and positive difference to future treatments and care. 

 

What sort of things will CRIS help with? 

CRIS will help us to look at real-life situations in large quantities. This means it’s easier to see patterns and trends; what works for some and doesn’t for others.

We may link information about your treatment and care in our Trust with other aspects of your health. This will help to improve physical and mental health as a whole. 

How are your personal details protected?

CRIS removes or covers up any information that can identify you. This is called de-identification. 

CRIS has received ethical approval from an independent (non-Trust) committee, as a safe, secure and confidential information source for research.

We will continue to seek the permission of independent organisations outside our Trust to assess our arrangements. This is to make sure that the security of your information and your confidentiality is always protected. 


Who can access CRIS?

CRIS is only available to researchers who are employed by our Trust. These researchers might work in collaboration with other organisations. The information in CRIS is protected by strict information security and by law. 

 

How is the healthcare data managed?

We (the NHS) let Akrivia securely use healthcare data.  
We, our Trust, remain the data controller.  
Akrivia remove personal information like patient names and addresses. As a lot of mental health data is handwritten, such as clinician notes, this can be hard to use in research. Akrivia use artificial intelligence (AI) within a secure environment to sort this information into tables. This makes it much easier for us, NHS researchers, to use without having to access private information.  
Working in this way provides a fuller picture of patient health while improving patient privacy. It will also enable us to conduct research to improve the quality of our services, such as addressing inequalities in healthcare.  

 

Taking a closer look - Akrivia’s holistic approach to data protection in CRIS: 

1. De-identification: removes directly identifying and confidential patient information. 
A range of ‘de-identification techniques’ are used to pseudonymise patient ID’s, and mask and truncate directly identifying information. 
The outcome? Heavily pseudonymised data free of confidential patient information. 

2. Data Structuring: organises free-text, unstructured, data/notes using NLP (Natural Language Processing). 
The outcome? A research-ready dataset enabling fast cohort building for research studies. Researchers are also less likely to need to manually review progress notes.  This short film from South London and Maudsley NHS Foundation Trust shows how applying natural language processing (NLP) to real world data from electronic health records in CRIS is driving research forward:

3. Virtual desktop: provides a secure environment for access by researchers. Nothing can get in or out without approval. Data is accessed through secure virtual desktop infrastructure. Only approved data can come in or go out and every transfer is carefully monitored. The outcome? Reduced risk of data breaches. 

4. Controlled Access Management: Allows healthcare organisations (us) to administer role-based user access. 
Trained administrators retain full control and visibility over who can access the data and for which research studies.  
The outcome? Strong role-based access controls and auditability. 
 

Support from our Trust’s Information Governance (IG) team:

Information Governance is a comprehensive framework of policies, procedures, and controls used to manage information throughout its lifecycle, from creation to disposal. It balances data use and security, ensuring compliance with legal and ethical standards. It does this while optimising operational efficiency.

Our Trust’s IG team is supporting us to provide all the required privacy, security, and compliance paperwork. For further information please see our Trust’s Privacy notice. 

Our IG team have completed these key documents and checks to make sure the system is safe, legal and protects patients' privacy. This includes: 

  • Model DPIA: A standard assessment that checks how personal data is used and whether the risks are properly managed.
  • Privacy notice: A clear explanation for people about how their data is collected, used, stored, and protected.
  • DSPT – The Data Security and Protection Toolkit: Organisations must complete to show they meet NHS data‑security standards.
  • DTAC – The Digital Technology Assessment Criteria: This checks whether a digital product is safe, secure, and suitable for use in health and care settings.
  • CE+ documentation: Evidence that the organisation meets Cyber Essentials Plus, a UK government cybersecurity certification.
  • Assurance that BRC IDs cannot be linked back to patients:  Confirmation that any identifiers used (e.g., research codes) cannot be traced back to real individuals, protecting patient anonymity. 

I’d like to opt out. How do I do this?

You can opt out at any time. The National Data Opt-Out (NDOO) service enables people to view or change their NDOO choices. People can decide whether their confidential patient information can be used for research and planning, including CRIS.

People can view or change their NDOO choice at any time by using the online service or by clicking on ‘Your Health’ in the NHS App. Then select ‘Choose if data from your health records is shared for research and planning.’

Further information can also be found at manage your choice | NHS website

How CRIS supports research

Here are three video examples from outside our Trust showing how CRIS has supported research: 

Using CRIS for Dementia research:

Using CRIS for Multimorbidity among people with serious mental illness research:

Using CRIS to identify health inequalities — city living and isolation:

 

How will CRIS affect individual care delivery right now?

The research made possible by CRIS is unlikely to impact directly on care right now. Nevertheless, as demonstrated above, we believe CRIS can make a real and positive difference to future treatments and care.

As shown, anonymous or de-identified data from medical records can be very useful for research. Significant amounts of information are recorded in these records - particularly the free text notes. This information can help organisations better understand how care is being delivered, the causes of disease and the effectiveness of interventions and medications. This de-identified data can help answer all these questions. 

For some research, CRIS can help us find groups of patients that researchers would like to invite to take part in their research.

For example: 

  • An NHS Trust wants to speak to patients with schizophrenia who are female and between the ages of 25-45.  
  • They can use CRIS to search the anonymous database and find out how many people they have who fit this criteria.  
  • If these people have given their consent to be contacted about relevant research projects, a special process can be carried out to allow the researchers to get in contact with these (and only these) individuals. 

Frequently asked questions

Data Security and management of CRIS: 

Q: Do we have control over our Trust’s data?  
A: Yes – our Trust retains control.

Q: Does anyone oversee/monitor CRIS from our Trust?  
A: Yes. A local CRIS administrator will oversee the day to day running of the system. The system captures all actions carried out on CRIS via an audit log. This enables the CRIS administrator and the organisation to know exactly how CRIS users are using the system. Additionally, we will have an oversight committee in place with patient representation. 

Q: Who can access CRIS data?  
A: Researchers employed by our Trust. 

Q: Who manages this access? 
A: We have a strict process in place to control who can access the database. Our CRIS administrator and the oversight committee will manage access. All users will need to register to use CRIS, providing any appropriate evidence of contracts and training completed as defined by us.  

Q: What is de-identified data? 
A: This is data which has had information removed, masked or modified to protect patient privacy. Items such as name, surname, telephone numbers, addresses and NHS numbers will all be removed or masked to minimise any chance a patient could be identified from the data. 

Governance committee???? 

 

Opting out: 

Q: How and when can patients opt out? 
A: Patients can find out more about opting out at any time via the NDDO website. They can opt out here.  
They can also opt out via the NHS App. Click on ‘Your Health’ and select ‘Choose if data from your health records is shared for research and planning.’  

Question: Can patients change their opt out preferences at any time? 
Answer: Yes they can via the NDDO website. They can opt out here. 

Question: Can a patient’s preference for opting out be updated by staff via Rio (our patient records system)? 
A: No. This cannot be done via RIO. The patient will need to do this via the NDOO service website or NHS App. 

 

Patient vulnerability and capacity: 

Q: How are decisions managed when a person lacks capacity?  
A: As data controller, our Trust identifies which data sets will be used. 
Staff can direct patients to the NDDO website and refer to the Trust’s NDOO Policy.  
All patient data is anonymised.  
As with any research study, we can only approach the patient once their clinical team have gained their consent for us to contact them. After which there is a robust consenting process.  
There are also robust processes for enrolling people who lack capacity. 

Q: What is the role of staff in supporting or safeguarding patient wishes? 
A: As with every aspect of decision making in healthcare, staff play a vital role in ensuring that patient preferences and rights are respected throughout all stages of care and data use. This includes CRIS.  
Staff:  - Support informed decision-making: by helping patients understand their choices and the implications of consent or opt-out decisions. 
- Safeguard confidentiality: by following data protection and information governance standards to keep patient data secure. 
- Support patient decisions: by ensuring that care and research processes reflect each individual’s expressed wishes. 
- Act when concerns arise: by raising issues through appropriate safeguarding or governance channels if a patient’s wishes are not being upheld. 
- Ensure consistency: by recording and honouring patient preferences across systems such as CRIS and Akrivia Health. 

How to lodge a complaint with the supervisory authority

If you wish to raise a complaint on how we have handled your personal data, please see our ‘what are your rights?’ section on our Trust privacy notice page.

You can make a complaint to us at WHCNHS.InformationGovernance@nhs.net. If you are still unhappy with how we have used your data, you can then complain to the ICO. We are registered with the Information Commissioner's Office (ICO — the UK’s Supervisory Authority). Our registration number is Z2745227.

Make a complaint about how an organisation has used your personal information on the ICO website.