1 / 34

Privacy and Health Information

Learn about the critical need for health privacy in the digital age, privacy risks, protective behaviors, legislative context, and fair information practices. Understand what privacy means and its distinction from security. Navigate Canadian privacy laws and safeguard personal health information effectively.

dmartens
Download Presentation

Privacy and Health Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Health Information Debra Grant, Ph.D. Senior Health Privacy Specialist Information and Privacy Commissioner/Ontario Annual CAMRT Conference PEI Association of Medical Radiation Technologies Charlottetown, P.E.I. June 10, 2005

  2. Health Privacy is Critical • The need for privacy has never been greater: • Extreme sensitivity of personal health information • Patchwork of rules across the health sector; with some areas in some jurisdictions still unregulated • Increasing electronic exchanges of health information • Multiple providers involved in health care of an individual – need to integrate services • Development of health networks • Growing emphasis on improved use of technology, including computerized patient records

  3. Unique Characteristics of Personal Health Information • Highly sensitive and personal in nature • Must be shared immediately and accurately among a range of health care providers for the benefit of the individual’s treatment and care • Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

  4. Privacy Risks:Unauthorized Disclosures 3rd Party Disclosures not authorized by patient may threaten integrity of system • Fear of stigmatization, discrimination, loss of employment opportunities, denial of insurance, denial of housing California HealthCare Foundation survey: • One in six people engage in privacy protective behaviour to shield themselves from misuse of their information

  5. Privacy Protective Behaviours • Multiple doctoring • Out of pocket payment • Avoiding testing • Avoiding treatment • Lying or withholding information from providers • Asking providers to misrepresent diagnosis in records • Inaccurate and incomplete information less helpful for primary purposes, such as treatment, and secondary purposes such as research

  6. Privacy Defined Information Privacy: Data Protection • Freedom of choice; control • Informational self-determination • Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

  7. What Privacy is Not Security Privacy

  8. Authentication Data Integrity Confidentiality Non-repudiation Privacy; Data Protection Fair Information Practices Security Privacy and Security: The Difference

  9. Fair Information Practices • Safeguards • Openness • Individual Access • Challenging Compliance • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure, Retention • Accuracy

  10. Legislative Context • Patchwork of privacy laws • Health sector provincially regulated and funded • Provincial public sector legislation (applies to ministries, hospitals, in some jurisdictions) • Provincial health sector legislation (Alberta, Saskatchewan, Manitoba, Ontario) • Federal private sector (commercial health sector) • Provincial private sector (Quebec, B.C., Alberta)

  11. Privacy Legislation in Canada Canada Privacy Act CanadaPersonal Information Protection and Electronic Documents Act Nunavut Access to Information and Protection of Privacy Act Northwest TerritoriesAccess to Information and Protection of Privacy Act YukonAccess to Information and Protection of Privacy Act Newfoundland & LabradorAccess to Information and Protection of Privacy Act Prince Edward IslandFreedom of Information and Protection of Privacy Act BC Freedom of Information and Protection of Privacy Act BC Personal Information Protection Act Nova ScotiaFreedom of Information and Protection of Privacy Act Nova Scotia Part XX of the Municipal Government Act Alberta Personal Information Protection Act AlbertaFreedom of Information and Protection of Privacy Act AlbertaHealth Information Act Manitoba Freedom of Information and Protection of Privacy Act Manitoba Personal Health Information Act New BrunswickRight to Information Act New BrunswickProtection of Personal Information Act Sask.Freedom of Information and Protection of Privacy Act Sask.Local Authority Freedom of Information and Protection of Privacy Act Sask. Health Information Protection Act OntarioFreedom of Information and Protection of Privacy Act OntarioMunicipal Freedom of Information and Protection of Privacy Act OntarioPersonal Health Information Protection Act QuebecAct Respecting Access to Documents held by Public Bodies and the Protection of Personal Information QuebecAct Respecting the Protection of Personal Information in the Private Sector This map is based on information taken from the Atlas of Canada Web site http://atlas.gc.ca. C 2003. Her Majesty the Queen in Right of Canada with permission of Natural Resources Canada.

  12. Impact of Legislationon Practice • Most jurisdictions do not have privacy legislation that has been/will be declared substantially similar to the federal legislation – more than one statute may apply • All privacy statutes are based on “fair information practices”

  13. FIPsFair Information Practices 1. Accountability • for personal information designate an individual(s) accountable for compliance 2. Identifying Purposes • purpose of collection must be clear at or before time of collection 3. Consent • individual has to give consent to collection, use, disclosure of personal information

  14. FIPs (cont’d) 4. Limiting Collection • collect only information required for the identified purpose; information shall be collected by fair and lawful means 5. Limiting Use, Disclosure, Retention • consent of individual required for all other purposes 6. Accuracy • keep information as accurate and up-to-date as necessary for identified purpose 7. Safeguards • protection and security required, appropriate to the sensitivity of the information

  15. FIPs (cont’d) 8. Openness • policies and other information about the management of personal information should be readily available 9. Individual Access • upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and be given access to that information, be able to challenge its accuracy and completeness and have it amended as appropriate 10. Challenging Compliance • ability to challenge all practices in accord with the above principles to the accountable body in the organization

  16. Ontario’s PHIPAPersonal Health Information Protection Act • Came into force November 1, 2004 • Applies to organizations and individuals involved in the delivery of health care services (including the Ministry of Health) • The only health sector privacy legislation in Canada based on consent • Perhaps the only health sector privacy legislation that will be declared substantially similar to the federal legislation

  17. Records Management: General Practices • Must take reasonable steps to ensure accuracy • Must maintain the security of PHI • Must have a contact person to ensure compliance with legislation, respond to access/correction requests, inquiries and complaints from public • Must have information practices based on fair information practice and transparent to the public • Must be responsible for actions of agents – train and educate all staff on privacy and security

  18. Issues Raised by Medical Radiation Technologists • Individuals right of access to personal health information – who should be fulfilling the request • Analogue images – must share original; custodian may not have custody or control of the image

  19. Privacy Issues: EmergingMedical Radiation Technology • Move from analogue to digital imaging has both benefits and risks • Digital images do not deteriorate; easier to store and manipulate • Digital images can be shared electronically • Digital images are one type of electronic health record – has some of the same advantages and challenges as any other EHR

  20. Electronic Health Records (EHR) Advantages • Improve quality and lower cost of health care • Quick access to wide range of data • Better security through more effective access controls and audit trails • Improve privacy protection by limiting access to those with a need-to-know (e.g., role based access) • Better data for health system management, enhancing quality of care, and research

  21. More about EHRs… Challenges • Facilitates data linkages and data sharing • Unauthorized access is more catastrophic due to volume of records and quantity and quality of data • Multiple users and multiple access points raises accountability issues and increase vulnerability

  22. Key Questions about EHRs • Is participation voluntary or compulsory? • What data should be entered on EHR? • Is data centralized or stored at point of generation? • How do you manage consent, particularly when integrating legacy systems not designed with consent in mind? • What level of security constitutes “reasonable steps”? • Who has access to what information and for what purposes? • If data centralized, who has custody and control of EHR? Who is accountable?

  23. Digital Imaging • Digital imaging is considered to be a key building block for the EHR by CHI – substantial funding investment • Digital imaging systems enable health care providers to view, manage, distribute and electronically store patients’ test images, MRIs, X-rays, CT scans, PET scans, and medical files from any location connected to the system • The PACS (picture archiving and communication system) captures, stores and sends images using digital technology

  24. Digital Imaging Pilots • London, Ontario pilot – goal is to share patient information among care providers across 8 hospitals, through a highly secure information network, to provide a seamless continuum of care • Plan to expand pilot to other hospitals in Southwestern Ontario • Radiologists and clinicians timely access to virtual imaging across the region will enhance patient care • Second pilot implemented by the Fraser Health Authority involving 12 regional hospitals in B.C. • CHI plans to fund two more digital imaging pilot projects

  25. Privacy Issues • Who retains custody and control of the shared archive of images? • Who decides who has access to what information in the archive and under what circumstance? • Who checks for privacy breaches? • Under what legislative authority can a custodian transfer custody and control of the images to a central archive? • What is the legal status of a central archive? (e.g., agent, custodian, registry, etc)

  26. Attitudes of Canadians • Office of Health and the Information Highway, Health Canada reviewed public opinion polls on the use of information and communications technology in the health sector (2002) • Review suggests Canadians would welcome expanded role for information and communications technologies in the health sector, provided privacy and autonomy are protected • 9 in 10 Canadians from all regions of the country support the development of information systems that would make it easier to access and share information • But, Canadians have serious fears about the erosion of personal privacy and doubts about the security of the Internet

  27. Initiatives to Address Privacy Issues • Harmonization of Privacy Rules • Standardization of Privacy and Security Architecture for EHRs

  28. Advisory Committee on Information and Emerging Technologies (ACIET) • Dec. 2002, Federal/Provincial/Territorial Deputy Ministers of Health created ACIET • Mandate to provide policy development and strategic advice on health information issues and emerging health products and technologies

  29. ACIET on Privacy • Privacy one of five initiatives identified for ACIET • Examine how to adequately protectprivacy of personal health information that will be collected/used/disclosed in a EHR system • Pan-Canadian Personal Health Information Privacy and Confidentiality Framework finalized January 2005 – endorsed by all provinces and territories, except Saskatchewan and Quebec • Framework loosely based on Ontario’s new Personal Health Information Protection Act

  30. Canada Health Infoway (CHI) • CHI was established in 2000 to foster and accelerate the development and adoption of pan-Canadian interoperable electronic health information systems • Currently working on an EHR Privacy and Security Conceptual Architecture

  31. Ontario’s E-Health Office • Consent management framework • Technological privacy principles for PHIPA compliance • All work is being coordinated with work of CHI

  32. Legislation Necessary but Not Sufficient for Privacy Protection • “The most effective means to counter technology’s erosion of privacy is technology itself.” Alan Greenspan, Federal Reserve Chairman • “A technology should reveal no more information than is necessary…it should be built to be the least revealing system possible.” Dr. Lawrence Lessig, Harvard, September 1999

  33. Making Health Privacy Work:What You Can Do • Think beyond legislation • Use technology to help protect health information: • Build privacy right into design specifications • Minimize collection and routine use of personally identifiable information – use aggregated or coded information if possible • Use encryption where practicable • Think about anonymity and pseudonymity • Conduct privacy impact assessments

  34. How to Contact Us Debra Grant Senior Health Privacy Specialist Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 325-9170 Web: www.ipc.on.ca E-mail: debra.grant@ipc.on.ca

More Related