Privacy, Confidentiality, and Security of Information: Annual Training 2018 – Part 1
Do I Need Privacy Training?
• To understand the privacy principles and your accountability for handling patient information
• To understand how you apply these principles every day while working at SMGH and after you leave the hospital
• To reduce risk related to privacy issues
• To outline strategies to maintain confidentiality and protect information, and reduce the risk of privacy breaches
• To review the consequences of a privacy breach
What is Personal Health Information (PHI)?
Any information about a patient:
• Name, address, phone number, next of kin, tests, diagnosis, treatment, discharge plans
Includes any patient information you have:
• Written, read, observed, or heard at the hospital
SMGH is committed to protecting all patient personal health information (no matter what form) in our custody and control.
All SMGH staff who have the right to access PHI in the course of their work have an ethical and professional obligation to protect the confidentiality of the information and to access and use it only as required in their work. All staff are expected to implement good security practices consistent with the value of the information.
What is Privacy? What is Confidentiality?
Privacy is a RIGHT that is protected by law and gives an individual control over how, when and to what extent their information will be shared with others.
Confidentiality is a hospital’s obligation to ensure privacy by limiting access and disclosure.
What is the Personal Health Information Act (PHIPA)?
• PHIPA is a provincial law regulating the management of personal health information
• Regulates how patients’ information is collected, used and disclosed
• Under this law patients have greater control over their information
• Hospitals are held accountable for informing patients of breaches
Patients’ Rights
PHIPA establishes a set of rules regarding personal health information. PHIPA gives patients the right to:
• be informed of the reasons for the collection, use and disclosure of their personal health information
• be notified of the theft or loss, or of the unauthorized use or disclosure, of their personal health information
• refuse or give consent to the collection, use or disclosure of their personal health information, except in certain circumstances
• withdraw consent by providing notice
Patients’ Rights Continued
• expressly instruct that their personal health information not be used or disclosed for health care purposes without consent
• access a copy of their personal health information, except in limited circumstances
• request corrections be made to their health records
• complain to the Information and Privacy Commissioner (IPC)
How does SMGH Protect Information? SMGH has administrative, physical, and technical measures in place to protect the information in its custody from inappropriate collection, access, and disclosure. Let’s look at these measures more closely.
Examples of Administrative Measures at SMGH
• Privacy Policy & Procedures (these procedures include policies to protect against unauthorized use of PHI)
• Mandatory Privacy Training
• Confidentiality agreements (including annual attestations)
• Record Retention & Destruction practices
Examples of Physical Measures
• Secure storage, locked filing cabinets, restricted access to offices, secure workstations
• Ensuring hardcopy patient records and patient lists are not viewable by the public
Examples of Technical Measures
• Users log in with passwords. Remember to only access the computer system under your own password and log off when finished.
• Access is limited based on the needs of individual staff.
Technical Measures Examples Continued:
• Firewalls (a network security system, either hardware or software based) that control incoming and outgoing network traffic based on rules
• Audits (a process for assessing information handling practices, including using software to monitor access to and use of PHI)
When Can Non-Clinical Staff Access and Share Patient Information?
Non-clinical staff can only access and share patient information when they need to access and share specific information to complete their assigned duties, including:
• Patient Registration
• Billing in Finance
• Coding in Health Records
Circle of Care
The ‘circle of care’ refers to those individuals who directly provide or assist in the care or treatment of a particular patient at a particular point in time and need to know the information to provide or help to provide care to the patient. Personal health information can be released to those in the “circle of care” for the provision of care based on implied consent.