Security: 2014
Personal Health Information Protection Act, 2004 • this 5-minute course covers: • changing landscape of electronic health records • security threats & obligations • protections for personal health information (PHI)
Connecting GTA – Coming in 2014 • early adoption of cGTA builds on eCare’s success to further strengthen point of care access to electronic patient information • security: critical factor in whether patients consent to sharing personal health information (PHI) in cGTA
cGTA changes the security landscape • health care organizations are required to reinforce IT security • the planned link (Cerner to cGTA) requires infrastructure including: • Active Directory accounts for credentialed physicians • merging each Cerner account with its Active Directory account to create single sign-on from Cerner to cGTA • strong passwords and change management • Note: physicians without an Active Directory account will be notified; Information Services will support the transition
We are in this together … • patients & families trust we have strong security policies & consistent practices to protect their personal health information (PHI)
Threats to electronic PHI • weak passwords • inappropriate chart access • using another’s login/password • theft/loss of laptop, unencrypted USB key/removable storage media • PHI sent by unencrypted e-mail • texting personal identifiers
Information security practices • physical, technical & administrative • work together to protect PHI and information systems
Preventatives work • strong passwords, access & change controls • network security, secure remote access • encrypted e-mail between NYGH sites • training, personal accountability • confidentiality agreements • audit trails of access to technical systems • photo ID • serious consequences for inappropriate chart access, use or disclosure, up to termination of employment or hospital privileges
Strong login passwords mandatory • on desktops, laptops, mobile devices & removable storage media – do not share, write down or store on equipment • STRONG: combination of letters, numbers & symbols, minimum of 8 characters, no dictionary words
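The password rule on this slide (letters, numbers and symbols, at least 8 characters, no dictionary words) is easy to state and easy to check badly: "Hospital1!" satisfies the character-class rules and is still a dictionary word with a digit and a symbol appended, and "P@ssw0rd!" hides the word behind common substitutions. The script below is an added example, not part of the original training deck or any NYGH system; its wordlist is a constructed handful of words standing in for a real cracking dictionary, and the substitution map and function names are the author's own assumptions.

```python
import string

MIN_LENGTH = 8

# Constructed toy wordlist for the demo only; a real check loads a full
# cracking dictionary (many thousands of words), not this handful.
DICTIONARY_WORDS = sorted({
    "password", "hospital", "welcome", "summer", "toronto",
    "cerner", "doctor", "nurse", "patient",
})

# Common substitutions users make to dodge a naive dictionary check
# (assumed mapping; extend it from whatever your cracking rules cover).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                          "$": "s", "5": "s", "!": "i", "7": "t"})


def dictionary_hits(candidate: str) -> list[str]:
    """Dictionary words found in the password after undoing l33t-style substitutions."""
    normalised = candidate.lower().translate(LEET_MAP)
    return [w for w in DICTIONARY_WORDS if w in normalised]


def check_password(candidate: str) -> list[str]:
    """Return every policy violation; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbols")
    for word in dictionary_hits(candidate):
        problems.append(f"contains dictionary word '{word}'")
    return problems


def is_strong(candidate: str) -> bool:
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample passwords: the first four all fail, only the last passes.
    for pw in ["nurse", "Hospital1!", "P@ssw0rd!", "T0r0nto#2014", "xK7#qp!Lz9"]:
        print(f"{pw!r:16} -> {check_password(pw) or 'OK'}")
```

The dictionary check runs on the normalised string rather than the raw one, which is why "Hospital1!" and "P@ssw0rd!" are rejected even though they pass every character-class rule; a checker that only counts classes would accept both.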
Protect yourself – never share login & password • together they serve as your electronic signature • everything done using them will be attributed to you until proven otherwise • always log off PowerChart
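The deck lists "using another's login/password" and "inappropriate chart access" as threats and "audit trails of access to technical systems" as the control, but does not say how the trail is reviewed. The script below is an added example of two checks a reviewer can run over an access log, not code from the original deck or from PowerChart: an account active on two different workstations within a short window (a common sign of a shared login) and a chart opened by a user with no documented care relationship to the patient. The log lines, the care-relationship table, the 10-minute window and the field layout are all constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real NYGH or PowerChart data).
# Fields: timestamp, user, workstation, patient MRN, action
AUDIT_LOG = """\
2014-03-03T08:02:11 jsmith WS-4N-01 MRN100234 view_chart
2014-03-03T08:04:50 jsmith WS-4N-01 MRN100234 add_note
2014-03-03T08:05:10 jsmith WS-ED-07 MRN100891 view_chart
2014-03-03T09:15:00 alee   WS-5S-03 MRN100777 view_chart
2014-03-03T09:16:30 alee   WS-5S-03 MRN100234 view_chart
2014-03-03T12:40:05 alee   WS-5S-03 MRN100777 view_results
2014-03-03T13:02:19 alee   WS-5S-09 MRN100777 view_chart
"""

# Constructed care-relationship table: the patients each user is assigned to
# (unit roster, attending, consult, ...). A real review would build this from
# the registration/ADT and scheduling feeds rather than hard-code it.
ASSIGNED_PATIENTS = {
    "jsmith": {"MRN100234", "MRN100512", "MRN100891"},
    "alee": {"MRN100777"},
}

# Assumed threshold: two workstations within this window is treated as concurrent use.
SESSION_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the whitespace-separated log into sorted (time, user, ws, mrn, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, mrn, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, mrn, action))
    return sorted(events)


def concurrent_workstations(events, window=SESSION_WINDOW):
    """Flag an account used on two different workstations within `window` of each other."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, ws, _, _ in events:
        by_user[user].append((ts, ws))
    for user, seq in by_user.items():
        for (t1, ws1), (t2, ws2) in zip(seq, seq[1:]):
            if ws1 != ws2 and t2 - t1 <= window:
                findings.append((user, ws1, ws2, t1.isoformat(), t2.isoformat()))
    return findings


def unassigned_chart_access(events, assignments=ASSIGNED_PATIENTS):
    """Flag chart access where the user has no documented relationship with the patient."""
    return [(ts.isoformat(), user, mrn, action)
            for ts, user, _, mrn, action in events
            if mrn not in assignments.get(user, set())]


def review(text=AUDIT_LOG):
    events = parse_log(text)
    return {
        "shared_credential_suspects": concurrent_workstations(events),
        "unassigned_access": unassigned_chart_access(events),
    }


if __name__ == "__main__":
    for category, items in review().items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed log the first check fires once, for jsmith moving from WS-4N-01 to WS-ED-07 twenty seconds apart, and stays quiet when alee changes workstation 22 minutes later, which is ordinary movement between units; the second check fires once, for alee opening MRN100234, a patient not on alee's roster. Both findings are leads for the privacy officer to follow up, not proof of wrongdoing: the policy sentence above, that everything done with a login is attributed to its owner until proven otherwise, is exactly why the trail has to be reviewed.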
Mobile devices, removable storage media • don't store PHI on laptops/mobile devices unless encrypted (Information & Privacy Commissioner/Ontario) • encryption protects electronic information if the device is lost or stolen • whole-disk encryption: on all NYGH laptops • NYGH computers enforce encryption if you download to a mobile device; the password you choose will decrypt it
Encrypting files • encrypt a copy, not the original file; otherwise you will need the password to open the original too • WORD document: click "File" > "Protect Document" > "Encrypt with Password" • PDF: click "File" > "Properties" > "Security"; select "Password Security" from the "Security Methods" drop-down menu; check "Require a Password to Open the Document" • create a strong password and write it down before entering and saving • send the file and the password by separate e-mails; in the e-mail carrying the file, advise that the password will be sent separately
Secure email • encrypted transmission between NYGH sites: General, Branson, Seniors' Health Centre – if intercepted, it cannot be read • without encryption, e-mail is like sending a postcard • never send personal health or confidential information from or to a personal e-mail account, e.g. Hotmail, Gmail or Yahoo: the transmission is not encrypted and can be intercepted and read
Working out of NYGH • don't take PHI or confidential information out of the hospital unless absolutely necessary • instead, use secure remote access where possible
What you can do • minimize storage of PHI/confidential information on mobile devices, laptops & storage media • back up files to the network before leaving • ensure encryption is enabled on your laptop/mobile device • use secure storage for laptops, mobile devices, removable media & paper records, or keep them with you at all times
If it doesn't go as planned… just call me • Chief Privacy Officer: 416-756-6448
Security Summary • combine physical, administrative & technical protections • avoid "What's the risk?" thinking • encryption protects patients and reputations … still a bargain • never share login & password
Information & Privacy Commissioner/Ontario (IPC) • provides oversight of compliance with the Personal Health Information Protection Act. In this role the Commissioner: • adjudicates access appeals, investigates privacy complaints and may issue public reports • may enter and inspect premises, records and information management practices, and require evidence under oath or affirmation • has order-making power; may levy fines of up to $250,000.00 • IPC contact: 416-326-3333 www.ipc.on.ca
Thank-you For more information please contact Rita Reynolds, Chief Privacy Officer at ext. 6448.