Personal Health Information Task Force Presentation. Margaret Cameron Director of Planning and Support Services, Chief Privacy Officer Anne Thibault Manager of Health Records June 19, 2007. R5 Popia Working Group June 2004.
Personal Health Information Task Force Presentation Margaret Cameron Director of Planning and Support Services, Chief Privacy Officer Anne Thibault Manager of Health Records June 19, 2007
R5 Popia Working Group June 2004 “Healthcare has always placed great importance on the confidentiality of a patient’s health information”. Why focus on privacy in healthcare? “We all know that a large part of patient-provider relationship is based on trust. Trust is greatly based on ensuring patient privacy.”
Statement from Personal Health Information Access and Privacy Background Paper “There is no information that is more sensitive and in need of protection than personal health information; the information about the state of our bodies and minds…”
Definitions • Privacy • Confidentiality • Security
Definition of Privacy The right of an individual to control who has access to his or her personal information and under what circumstances. Personal health information, which is seen as particularly sensitive by the public, is often thought to be deserving of special privacy protection.
Definition of Confidentiality A third party’s obligation to ensure that information is only accessible to those authorized to have access. Thus, confidentiality refers to organizational duties whereas privacy refers to individual rights.
Definition of Security The preservation of the confidentiality, integrity, and availability of personal information. Information security is achieved by implementing policies and procedures based on relevant legislation, standards and ethical principles, careful planning, design, implementation and maintenance of appropriate technology solutions, and managing ongoing operations related to the collection, classification, access, and disclosure of personal information.
Region 5 steps to assure Privacy, Confidentiality and Security • Designated Chief Privacy Officer – currently the responsibility of the Director of Planning and Support Services, Chair of Information Management Committee and POPIA Working Group. • Confidentiality is reinforced in R5 Code of Organizational Values • POPIA working group focusing on three key areas with regard to employee access to information: 1. education, orientation and awareness building of staff, 2. appropriateness of access and disciplinary policies, 3. appropriateness of current information safeguards
Region 5 steps to assure Privacy, Confidentiality and Security Education: • Orientation regarding confidentiality provided to all new employees. • Focus on confidentiality policy and pledge for all employees. (Policy also applies to all external parties such as contract employees and vendors) • Confidentiality awareness week annually • Poster campaign “I hear, I see, I say nothing” • Publication – Protecting your Personal Health Information
Region 5 steps to assure Privacy, Confidentiality and Security Access: • Development of processes to address all 10 POPIA Principles (Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness, Individual Access and Challenging Compliance) in collaboration with Human Resources, Health Records, Quality Improvement/Risk Management and Information Systems. • Development of computer user access approval process to ensure on-going POPIA compliance. • Establishment of pre-defined access menus for users based on scope of job related responsibilities.
Region 5 steps to assure Privacy, Confidentiality and Security Discipline: • Confirmed incidents or suspected breaches of confidentiality, or complaints regarding privacy, are reported using Med QM and followed up immediately. • Breach of confidentiality audit procedure articulates process to be followed. • Progressive discipline occurs when required.
Region 5 steps to assure Privacy, Confidentiality and Security Safeguards: • Passwords for any electronic access are not provided until staff are educated regarding their responsibilities for privacy, confidentiality and security and pledge of confidentiality and access to password form is signed. • R5 collaborates in comprehensive privacy impact assessment for all new initiatives.
Description of today’s patients Want to: • Understand their medical histories, conditions, reasons for tests, test results • Pursue specialists • Receive education and supportive follow up • Participate actively in their own medical care • Have control over who sees their personal information • Be assured privacy is protected • Have online access to electronic health record information • Be able to access records written in their own language
Patients have the right to: • Expect that their health information will be protected at all times and only provided and used when needed by health care providers who need to know • Agree or object to disclosure of their information to visitors, clergy and others not involved in care delivery • Authorize or refuse additional uses of their information - such as research, for example for health care product vendors • Complain if they believe their rights have been violated • Have their complaint escalated if they believe their rights have been violated
Patients have the right to: • Know how their health information will be used and disclosed • Ask questions about privacy and have these questions clearly and promptly answered • Know who has seen their personal information and for what purpose • See and obtain a copy of their records upon request • Amend or include a statement of disagreement for anything in the record they believe to be in error
Changes in Healthcare delivery • Personal health information is more comprehensive and rigorous than ever • Care is provided using a collaborative, team based, approach that implicates many health care providers • The continuum of care is far reaching – extends beyond the region, to other regions in the province or to other provincial jurisdictions • Focus on disease prevention, wellness focus • Lack of coordinated approach to the management and protection of personal health information within all sectors of the health system • Increasing public demands with respect to an electronic health record
Technology With the advent of transmission of information through enhanced technology, healthcare providers have a critical role to play in protection of personal health information of clients. Examples: • Telehealth • One patient – one record (EHR) • Computers-on-wheels, laptops, palm devices • Internet
What is the Restigouche Health Authority’s position on the following? • Scope of Legislation • Consent • Collection, Use and Disclosure • Access to Information • Information Security and Independent Oversight
Scope of Legislation Q 1. Who should new health information legislation apply to? • All accessors/users/contributors/viewers/health care providers (people, agencies or organizations) of the personal health information. • Private and publicly funded alike. • Whoever has personal health information in their possession.
Scope of Legislation Q 2 a). What types of health information do you think new legislation should cover? • All health information about a person throughout the health system, wherever it is held/stored/accessed. Examples: Present and past medical histories (physical, mental and family history), information concerning all health services obtained privately or publicly, Medicare number, Power of attorney, alternate decision maker, intent to donate any body part or bodily substance • Legislation should be specific to personal health information – collection, use and disclosure.
Scope of Legislation Q 2 b). Should it apply to both recorded and unrecorded information? Yes. Identifiable personal health information • Paper and electronic formats • Documented or recorded-traceable, retrievable, verifiable No. • Unrecorded or non-verifiable
Scope of Legislation Other considerations: • Should be stand-alone legislation, harmonizing existing provincial and federal legislation • Should facilitate the flow and timely access of information between healthcare providers to enhance patient treatment and care • Should encourage the requirement to use non-identifiable information whenever possible • Should clearly define the rights and obligations of the Health Information Custodians as well as punitive consequences for non-compliance • Should clearly define the security and access obligations related to third party access as well as punitive consequences for non-compliance
Consent Q 3. Should implied knowledgeable consent be the standard in New Brunswick new legislation for providing health care? Yes – for all personal health information collected, **used, shared for the purpose of providing health care and treatment across the *continuum of care. • *Continuum of care – needs to be well defined • **Use and sharing in the context of “accurate and timely information to the most appropriate/ right provider at the right time in the right place”. The general public will need to be educated as to the benefits of information access to meeting their health care needs most efficiently and cost effectively.
Consent Q 4 a). Should expressed consent be required in other situations? Yes - whenever personally identifiable information is shared outside the well-defined continuum of care Q 4 b). What might these be? Disclosure to lawyers, insurance companies etc.
Consent Q 5 a). Should the collection, use and disclosure of personal health information sometimes be allowed without a person’s consent? Yes Q 5 b). In what circumstances? By agencies such as the Canadian Institute for Health Information, the Canadian Institute of Health Research and Stats Canada - information collected is converted to non-identifiable data and serves to enrich the knowledge base of professionals and support future evidence-based decisions related to the health of the population served, the outcomes of care etc.
Collection, Use and Disclosure Q 6. Should personal health information be disclosed in situations without a person’s consent? • Informing family, identified next of kin about an individual’s health condition • Giving information to police or other investigators for such things as accident or crime prevention or investigation - threat to health and/or safety of public at large • Upon court order • Compliance with New Brunswick and Canadian laws • Planning, monitoring and evaluating the health system when fraud or criminality is suspected • Determining eligibility to receive health service • Making information available to health researchers
Collection, Use and Disclosure Whenever possible the patient should be notified that their information has been shared. Timelines and validity of consents need to be established – R5 consents valid for 90 days, must have original consent from third parties.
Access to Information Q 7. Are these access provisions reasonable for New Brunswick legislation? Personal health information belongs to the individual it is about. The paper or computer on which it is recorded, however, belongs to the person who recorded the information. Since an individual actually owns their information, as in other provinces, we need to • recognize an individual's right to see the information collected about them, and to request a correction to it • recognize that medical terms or laboratory test results need interpretation to be meaningful to a layperson. Data custodians should be directed to provide interpretation to make the information meaningful.
Access to Information Q 8 a). Should an individual ever be denied access to their own information? Yes Q 8 b). Why? Denial of access could occur if: • Knowledge could endanger patient’s mental or physical health, • Access reveals information about another person, who has not given consent • A review and appeal process is in place
Access to Information Q 9. Should individuals be responsible for some or all of the costs of providing their health information to them? No • For copies related to continuum of care if sent directly from the organization Yes • For personal copies • Copies required by lawyers or insurance companies Charges based on the provincial cost schedule determined through consensus with all RHAs
Information Security and Independent Oversight Information Security Q 10. What obligations for holders of personal health information do you think are needed to ensure protection of this information? • Mandatory privacy awareness training and education • Adherence to security standards • Monitoring and measurement of compliance
Independent Oversight Q 11. What option for independent oversight would be right for New Brunswick? A Privacy Commissioner • Focus on privacy • Improve public confidence • Advocate for comprehensive public education program informing the general public about Personal Health Information Legislation • Create capacity for education and advice to data custodians
Independent Oversight Q 11. Continued What option for independent oversight would be right for New Brunswick? A Privacy Commissioner • Assist with the interpretation of this new legislation • Advance the provincial eHealth (electronic) direction • Provides capacity to monitor and enforce compliance - develop provincial access auditing standards • Develop guidelines regarding: collection, storage, destruction/disposal, protection and stewardship of personal health information • Working closely with Regional Privacy Officers
Restigouche Health Authority believes in the following statement : The people of New Brunswick must be confident that their health information will only be accessed and used when needed, and that it will be protected at all times. Source: Personal Health Information Access and Privacy Consultation Guide
Contact Information Restigouche Health Authority 189 Lily Lake Road, Campbellton, N. B. E3N 3H3 Margaret A. Cameron, Director Planning/Support Services 789-5532 Margaret.Cameron@rsrha.ca Anne Thibault, Manager Health Records 789-5421 Anne.Thibault@rsrha.ca
Questions? • Thank You for your time!