Patient safety and electronic patient record systems: Patient Safety Learning’s response to HSSIB report (27 November 2025)

Summary

On the 27 November 2025, the Health Services Safety Investigations Body (HSSIB) published a new report looking at patient safety issues associated with electronic patient record (EPR) systems. It is a thematic review which draws on findings from investigation reports by HSSIB and its predecessor organisation – the Healthcare Safety Investigation Branch (HSIB).

In this article, Patient Safety Learning sets out its reflections on the report’s findings.

Content

HSSIB investigates patient safety concerns across the NHS in England and in independent healthcare settings where safety learning could also help to improve NHS care.

Their latest report, Patient safety issues associated with electronic patient record (EPR) systems – a thematic review, summarises and analyses their previous investigation findings relating to EPR systems.[1] Its intention is to identify themes arising from these investigations and to share any additional safety learning.

Patient Safety Learning welcomes HSSIB undertaking this work. We contributed to this report during its consultation stage and, in this article, we set out our reflections on its findings.

EPR systems

An EPR is a set of electronic information about a single patient. It can include:

• a patients’ own notes
• test results
• observations by a range of different clinicians
• prescribed medications.

EPR systems are a way of managing clinical information with the intention of making it more easily accessible to both patients and healthcare professionals. They are becoming increasingly common in healthcare settings across the world and are a core part of how patient care is delivered. 

Patient Safety Learning perspective

When safely implemented, EPR systems can help to support and improve care and treatment. However, there are also significant patient safety risks associated with their implementation and use.

At Patient Safety Learning we highlighted a number of these issues last year in our report, Electronic patient record systems: Putting patient safety at the heart of implementation.[2] We believe patient safety should be core to all EPR systems, with robust safety considerations integrated throughout every stage of their introduction:

Development

Patient safety must be at the heart of the initial procurement, design, configuration and development of EPR systems. There should be a focus on:

• Interoperability (the ability to work with other computer systems or software used by the organisation to exchange and make use of information).
• Usability and design for safety, taking a user centred systems and human factors approach.
• Designing EPRs in collaboration with the staff who will use them.

Rollout

As EPRs are introduced into organisations, it is vital that the appropriate training and support is provided to staff. There needs to be:

• Sufficient usability testing (allowing staff who would be using these systems the opportunity to try them and provide feedback)
• Time allowed for amendments being made to reflect the most efficient and effective processes. Staff should not have to undertake significant workarounds to make an EPR functional; it needs to meet their needs as healthcare professionals and decision makers.
• A greater role for EPR manufacturers in providing training and support to staff.

Implementation

Once an EPR is in place, monitoring how it is operating in practice and learning and acting on any risk assessments, incidents or near misses that take place relating to this, is essential.

In each of these stages there should be clear steps to involve and engage both patients and frontline staff as part of this process.

HSSIB report

Considering the patient safety issues associated with EPR systems, HSSIB’s new report states:

“The review found that EPR systems could contribute to the risks of patient care being missed, delayed or incorrect. These risks were persistent despite national recommendations and actions seeking to mitigate them.”

They grouped their findings into three main categories:

1. Choosing an EPR system capable of meeting the needs of an organisation
2. Implementing an EPR system that meets the needs of users
3. Seeking feedback and ongoing EPR system optimisation

Choosing an EPR system capable of meeting the needs of an organisation

Before introducing a new EPR system into a healthcare organisation, it is vital that the appropriate planning and preparation takes place. Introducing these systems should be recognised as major organisational change programmes, and as such require the requisite investment of time and commitment from organisational leaders.

HSSIB’s report picks up on a number of issues in this area, highlighting that:

• Organisations do not always have a clear understanding of their requirements/needs from an EPR system, limiting their ability to match requirements to system capabilities.
• Choosing an EPR system at the procurement stage is complicated by this lack of understanding, which is often compounded by limited awareness of how these systems meet national requirements, including interoperability (the ability to work with other IT systems) and clinical risk-management standards.
• They found evidence of limited support at a national or regional level to help organisations identify their local requirements/needs for an EPR system.

Implementing an EPR system that meets the needs of users

At Patient Safety Learning we believe that healthcare professionals and those who will be the primary users of EPR systems should be involved in each stage of their design, planning and implementation.

HSSIB’s report also underlines the importance of this, noting issues including:

• Implementation of an EPR system was found to be a complex project that did not always effectively engage users to ensure it was safe and successful.
• When users were involved in EPR system implementation they were not always representative of those using the system in practice, with difficulties releasing staff from clinical work to contribute to implementation.
• Staff training in how to use an EPR system was often perceived to be limited. It did not always reflect how a system would be used in the ‘real world’, or offer advice on what to do if the EPR system failed.

Seeking feedback and ongoing EPR system optimisation

In our response as part of the consultation on this report, we emphasised the importance of the ongoing monitoring of how an EPR system operates after it has been introduced. 

This is a key issue we also highlighted in our report last year, connected with the often discussed concept in patient safety of the difference between ‘work as imagined’, ‘work as prescribed’ and ‘work as done’.[3] [4] With EPR systems, we need to look at the difference between how these are intended to work, and how they work in practice. Once an EPR system is live, there should be ‘continuous feedback loops’ to understand, and learn from, how it is working.

We are therefore pleased to see that HSSIB highlight a number of these issues in their report, including:

• Staff reported limited routes for raising concerns about poor functionality and usability of EPR systems, and limited action when concerns were reported that could impact on patient safety.
• Ongoing management of EPR systems, including upgrades and changes, did not always align with the digital standards for clinical risk management.
• EPR systems were not always kept up to date in line with national guidance and standards, or changes to internal care processes.
• There were limited opportunities for organisations to share their experiences of implementing and optimising EPR systems for the benefit of other organisations.

In seeking to assure the clinical safety of their health IT software, organisations in the NHS are required to meet a formal standard titled DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems. This standard, which is completed by a trust purchasing a system:

“… provides a set of requirements suitably structured to promote and ensure the effective application of clinical risk management by those health organisations that are responsible for the deployment, use, maintenance or decommissioning of Health IT Systems within the health and care environment.”[5]

DCB0160 documentation is typically completed by the clinical safety officer before the system is launched. The standard suggests that this also applies post launch. We think this exercise would be of particular value in the case of EPR systems, if it was also completed several months after launch as such a system may look and operate quite differently to the way it was expected to pre-launch.

At Patient Safety Learning, we believe that organisations should consider completing a DCB0160 post-implementation.

Concluding comments

This new report from HSSIB makes a strong and valuable contribution on the subject of EPR systems and patient safety. The local-level learning prompts in the report, intended to help organisations consider and mitigate risks around procuring, implementing and optimising EPR systems, are particularly helpful.

EPR systems have the potential to improve patient treatment and safety, increase efficiency and reduce the costs of healthcare. However, there are patient safety risks associated with their introduction and implementation. To fully realise their benefits, we need to ensure patient safety considerations are at the heart of their design, development and rollout.

References

1. HSSIB. Patient safety issues associated with electronic patient record (EPR) systems – a thematic review. 27 November 2025.
2. Patient Safety Learning. Electronic patient record systems: Putting patient safety at the heart of implementation. 31 July 2024.
3. Steven Shorrock. The Varieties of Human Work. 5 December 2016.
4. Claire Cox. Putting the writing on the wall: Explaining work as imagined vs work as done. 1 August 2023.
5. NHS England, DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems, Last Accessed 26 November 2025.