Privacy, Confidentiality, and Security of Information: Annual Training 2018 – Part 2. “Need to Know” Principle & Implied Consent
“Need to Know” Principle & Implied Consent
When a patient seeks health care services at the hospital it is assumed that the patient does not object to their PHI being collected, used and disclosed for the following purposes:
• Provision of health care and treatment
• Sharing the information with other health care providers within the patient’s ‘circle of care’
• Billing
• Compiling statistics
• Ensuring quality of all patient care
Express Consent
You need to get explicit (express) consent before you can access or share personal health information with people who are not within the patient’s “Circle of Care”. Consent may be given verbally or in writing.
Examples of when express consent is required:
• Lawyers
• Insurance companies
• Employers
Express consent can be withdrawn at any time.
When Do You Need Express Patient Consent to Release PHI?
Examples of people who are not within the patient’s “Circle of Care” include:
• Family members who are not the substitute decision maker
• Police, with the exception of a legal process, including search warrant, court order
• Lawyers
• Insurance Companies
How Do You Document Express Consent?
• The patient may give verbal or written consent, depending on their situation
• The written consent form must be attached to the patient’s health record
• Verbal consent must be documented in the patient’s health record
What is Duty to Report?
Legislation requires that healthcare professionals report specific information to the authorities in certain circumstances.
Examples:
• Gunshot wounds
• Suspected child abuse or neglect
• Suspected elder abuse
• Communicable diseases
These requirements override the privacy legislation. Provide only limited information which is necessary to report the concern.
How To Protect Confidentiality of Personal Health Information
Portable Devices:
• Use only hospital approved encryption for all portable devices, as mandated by the Information & Privacy Commissioner of Ontario.
• Do not save personal health information on portable devices unless approved by the Hospital.
• Any personal health information that needs to be saved to a portable device will require the device to be encrypted by IT approved encryption technology.
How To Protect Confidentiality of Personal Health Information
Faxing
• Verify the fax number and recipient before sending
• Pre-program frequently used numbers into fax machine to avoid misdirected faxes
• Double-check your entry of the fax number
• Maintain record of fax
Labels
• Labeling errors are a source of privacy breaches
• Always double check prescriptions and discharge instructions to ensure accurate patient information is sent home with each patient
How To Protect Confidentiality of Personal Health Information
Practice measures:
• Avoid speaking about confidential information in a public area. If this cannot be avoided, such as the nursing station, speak in a low voice and seek out a more private area for any private conversation.
• Even when not using names you should never talk about a patient’s care in elevators, the coffee line, or other public places.
• Consider what it would be like if that was YOUR information being shared.
What Information Can You Share?
Under PHIPA, unless a patient has expressly told us not to release any information we can:
• Advise that someone is a patient here (for example, provide their room number)
• Advise as to the patient’s general condition (fair, good, satisfactory)
How to Respond to Inquiries About Patients Via Telephone
• You can transfer the call to the patient (if the patient is not VIP/Confidential)
• You can take the caller’s name and phone number and give it to the patient to call back
• If the patient has provided the individual with the 4 digit “privacy code” then you can provide personal health information.
Release of Information to Police
• Read the SMGH Release of Information Police policy
• Copies of records/lab samples
• Direct to Health Records, unless acting on behalf of the Coroner (can immediately release with appropriate documentation)
• Can acknowledge presence/location in the facility (with full name, and if a patient hasn’t expressly withheld consent to have their presence acknowledged)
• Other circumstances where there is a threat of bodily harm
• If in doubt, ask your Manager or the Chief Privacy Officer
The VIP Patient Flag
SMGH uses a flagging system with the electronic patient record to protect the PHI of the following patients:
• Staff and Physicians
• Political or well known community personalities
• Those in need of information protection (news media, high profile)
• Those requesting protection of information
How To Mark a Patient as VIP in the Meditech System
The Registration Clerk or other care givers must notify the IT Help Desk to mark the patient as VIP.
How to Tell if a Patient is Flagged as a VIP in Meditech?
VIP patients will be identified with a * beside their name (these charts are audited weekly).
Information and communication technologies are provided to staff to conduct Hospital business only. Communications sent and received through these systems are the property of the Hospital. These systems are monitored to ensure security