Policy & Peer Permission (PPP) System Project: Development of User-Friendly Access Control Policy Statements for Use with Electronic Health Records
Maryann Yeo, RN, Ph.D., Health Telematics Unit, University of Calgary
Presentation Outline:
• PPP System Development Project
• Concept of access control
• Policy development:
  • Purpose
  • Methods
  • Findings
  • Implications
• Example of PPP site-specific policy
• Questions & comments
PPP System Development Project:
• The PPP system automates the authoring and interpretation of policy for granting access to EHRs.
• 2 components:
  • Policy software development
  • Policy development
PPP Project Team: Merv Matson, RightsMarket Inc.; Dr. Penny Jennett, Health Telematics Unit, Faculty of Medicine, University of Calgary; Dr. Tim Cheung, University of Ottawa Heart Institute
Concept of Access Control:
• Access control is an information security method.
• 2 key objectives:
  • Allow providers to access information about individuals, where consented, in a timely and efficient manner.
  • Prevent providers from accessing information when they do not have authority or reason.
PPP Policy Development: Purpose & Methods
Purpose: To develop a “starter set” of workable policy statements for use with EHR systems in clinical practice with the RightsEnforcer software.
Methods:
• Literature review
• Review of current legislation
• Review of pilot site protocols, policies & operating procedure documents
• Interviews with the pilot test site
Findings: Access Control Issues
• Broad access: allow every authorized person access to all patient records?
vs.
• Controlled access:
  • Who is authorized to access the system?
  • Which patient records can be looked at?
  • Which patient records can be changed?
  • How tightly should access be controlled?
Findings: Impact of Implementing Access Control Policies
Implementing changes such as access control policies involves changes in:
• The way things are done;
• Processes;
• Behaviour of people & teams of people.
• Changes can be disruptive & intrusive.
• Integration into the front lines may be a longer process than first thought.
Findings: Human Behaviour as a Security Threat
• Key component of information security.
• Internal security threats are threats to the privacy, confidentiality, and security of personal health information caused by workers’ behaviours.
• May be intentional, accidental or inadvertent.
• Majority of security threats are internal (over 85%) and inadvertent.
COACH. (2001). Guidelines for the protection of health information. p. 19.
Findings: User Acceptance of Technology
• User acceptance includes social & practical acceptability.
• People will use a new system:
  • If it benefits them to do so.
  • If it is easy to learn.
  • If it is easy to see.
  • If it is easy to hear.
  • If it does what they expect it to do.
Nielsen, J. (1993). Usability Engineering. Boston: AP Publishing.
Findings: Translating Policies
• Defined organizational access control policies & procedures need to be established.
• Procedures need to translate their intent and goals into everyday practices.
• Policy details & procedures tend to vary from location to location.
• Access control policies need to be tailored to the work setting.
Implications: Tailoring of Policy Statements
PPP policy statements are being developed as a series of scenarios which are tailored around:
• The specific health care sites involved.
• Physician referral, consulting & communication patterns.
• Staff information sharing patterns in everyday clinical practice.
• Organizational readiness & change management.
Policy Statement Example:
1. Jane Smith is the triage nurse coordinator.
2. The triage nurse coordinator may access, read & print all of my personal health information related to my referral.
3. The triage nurse coordinator may transfer this information access right to any clinical colleague who in his/her judgment has a need to access the information to effect or advance my care.
Access Policy 1: The triage nurse coordinator assigned to me may access, read and print any of my medical records needed for my consultation, diagnostic tests &/or surgery.
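To show how the three numbered statements above translate into machine-checkable rules, here is an added toy policy engine written for this page. It is not the RightsEnforcer software or any PPP project code, and the patient identifier, user names and record titles it uses are constructed. Statement 1 becomes a role assignment, statement 2 a patient-consented grant of actions on one scope of the record, and statement 3 a delegation that the holder must justify. It also answers the "controlled access" questions from the findings (who is authorized, which records can be read, which can be changed) with a default-deny check, and writes every allow and deny decision to an audit trail so that inadvertent or intentional insider misuse is visible afterwards. One assumption not stated on the slide: a delegated right is itself not delegable, so the access right cannot propagate indefinitely.

```python
"""Toy access-control engine for patient-consented policy statements.
Hypothetical illustration written for this page; not RightsEnforcer code."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """One policy statement: a role may perform actions on one scope of the record."""
    role: str                 # e.g. "triage nurse coordinator" (statement 1)
    actions: frozenset        # e.g. {"access", "read", "print"} (statement 2)
    scope: str                # which part of the record, e.g. "referral"
    delegable: bool = False   # statement 3: may the holder pass the right on?


@dataclass(frozen=True)
class Record:
    patient: str   # constructed identifier, e.g. "patient-001"
    scope: str     # e.g. "referral", "psychiatry"
    title: str


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Default-deny evaluator: access is allowed only where the patient's consent
    grants it, and every decision is appended to an audit trail."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}                 # user -> roles held
        self.consents: Dict[str, List[Grant]] = {}           # patient -> grants
        self.delegations: Dict[Tuple[str, str], Grant] = {}  # (patient, user) -> grant
        self.audit: List[Tuple[str, str, str, str, bool, str]] = []

    def assign_role(self, user: str, role: str) -> None:
        self.roles.setdefault(user, set()).add(role)

    def consent(self, patient: str, grant: Grant) -> None:
        """The patient records which role may do what, and on which scope."""
        self.consents.setdefault(patient, []).append(grant)

    def _grants_for(self, user: str, patient: str) -> List[Grant]:
        """Grants the user holds for this patient, via a role or via delegation."""
        by_role = [g for g in self.consents.get(patient, [])
                   if g.role in self.roles.get(user, set())]
        delegated = self.delegations.get((patient, user))
        return by_role + ([delegated] if delegated else [])

    def delegate(self, patient: str, from_user: str, to_user: str,
                 justification: str) -> Decision:
        """Statement 3: a holder of a delegable grant passes it to a colleague.
        Assumption: the copy is not delegable, and a justification is required
        so the audit trail records the holder's judgement."""
        source = next((g for g in self._grants_for(from_user, patient) if g.delegable), None)
        if source is None or not justification.strip():
            d = Decision(False, "no delegable grant held, or no justification given")
        else:
            self.delegations[(patient, to_user)] = Grant(
                role=f"delegate-of:{from_user}", actions=source.actions,
                scope=source.scope, delegable=False)
            d = Decision(True, f"delegated by {from_user}: {justification}")
        self.audit.append((from_user, "delegate", patient, to_user, d.allowed, d.reason))
        return d

    def check(self, user: str, action: str, record: Record) -> Decision:
        """Allow only if some grant covers both the action and the record's scope."""
        for g in self._grants_for(user, record.patient):
            if action in g.actions and g.scope == record.scope:
                d = Decision(True, f"granted by policy for role '{g.role}'")
                break
        else:
            d = Decision(False, "no policy grants this action on this scope")
        self.audit.append((user, action, record.patient, record.title, d.allowed, d.reason))
        return d


def build_example_engine() -> PolicyEngine:
    """Encodes the slide's three statements for a constructed patient."""
    engine = PolicyEngine()
    engine.assign_role("jane.smith", "triage nurse coordinator")        # statement 1
    engine.consent("patient-001", Grant(                               # statements 2 & 3
        role="triage nurse coordinator",
        actions=frozenset({"access", "read", "print"}),
        scope="referral",
        delegable=True))
    return engine


if __name__ == "__main__":
    eng = build_example_engine()
    referral = Record("patient-001", "referral", "Cardiology referral letter")
    print(eng.check("jane.smith", "read", referral))     # allowed by statement 2
    print(eng.check("jane.smith", "change", referral))   # denied: not in granted actions
    print(eng.delegate("patient-001", "jane.smith", "dr.lee", "consulting for this referral"))
    print(eng.check("dr.lee", "read", referral))         # allowed via delegation
    for entry in eng.audit:
        print(entry)
```

Note that "change" is denied even for the named coordinator, because statement 2 lists only access, read and print; adding a write action would be a separate, explicit policy statement rather than an implied one. The audit list is what a site would review when following up on the finding that most security incidents are internal and inadvertent.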
Questions? Comments?