Privacy & Security for Electronic Medical Records
Delivered to: [Insert Name of Practice]
Delivered by: [Insert Name of Field Staff]
Date: [Insert Date]
Note: OntarioMD is not an authoritative source of privacy legislation or policies. The information and tools provided are intended to guide and assist physicians and their staff, and should not replace the practice’s own review and understanding of legislation and/or the advice of legal counsel. OntarioMD is not involved in monitoring or assessing adherence to privacy and security requirements, nor does it get involved in privacy breaches.
Objectives
• Provide an overview of privacy and security, with a particular focus on the Personal Health Information Protection Act (2004) and Electronic Medical Records, including:
  • Importance of privacy and security
  • Key concepts and definitions
  • Responsibilities of physicians and practices
  • How to handle privacy breaches
• Introduce the Privacy & Security Guide and Workbook for Electronic Medical Records, along with supporting resources and tools
Importance of Privacy & Security
• Sensitive nature of personal health information
• Need to establish trust and comfort in the system and care providers
• Time, resources, costs and reputational implications of privacy breaches
• It’s the law
Privacy and security risks can be minimized with some fundamental tools, processes and practices.
Implications of Privacy Breaches
• Discrimination, stigmatization and psychological or economic harm to patients based on the information
• Patients may withhold or even falsify information to providers
• Conditions may go untreated
• Patient safety may be at risk
• Compromised quality of health services
• Reputational damage to the health provider
• Time, resources and costs to address privacy breaches, including legal liabilities and proceedings
How do privacy and security requirements change with an EMR in the picture?
• They don’t – the same requirements apply
• However, with EMRs there are additional considerations:
  • Information in electronic format is easier to transfer to portable devices and remove from a secure location
  • Hardware and devices should be secured
  • Transfers of information need to be encrypted
Personal Health Information Protection Act (PHIPA)
• Aka “the Act”
• Ontario legislation, in force as of November 1, 2004
• Pertains to the collection, use and disclosure of personal health information by organizations and individuals delivering health care
Personal Health Information (PHI)
• Relates to a person’s physical or mental health
• Relates to the provision of health care to the person
• Identifies a person’s health care provider
• Identifies the person’s substitute decision maker
• Relates to payments or eligibility for health care
• Is the person’s health number
• Relates to the donation of body parts or substances
• Is a plan of service under the Home Care and Community Services Act, 1994
Health Information Custodians (HICs)
• A health care practitioner who provides health care
• A person who operates a group practice of health care practitioners who provide health care
• Hospitals, psychiatric facilities, independent health facilities
• Pharmacies, ambulance services, laboratories, specimen collection centres
• Long-term care homes, care homes, homes for special care
• Community care access corporations
• Medical officers of health of boards of health
• Minister/Ministry of Health and Long-Term Care
• Minister/Ministry of Health Promotion
Agents (of Health Information Custodians)
• Someone who acts for, or on behalf of, the HIC for a wide range of purposes
• May have access to complete or partial records
• Examples include:
  • Employees of the HIC
  • Records management service providers
  • Claims management services
Electronic Service Providers
• Persons who supply goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information (e.g. EMR vendor, document management providers, etc.)
• Generally, PHIPA requires that such service providers:
  • Must not use any personal health information to which they have access, except as necessary in the course of providing the services;
  • Must not disclose any personal health information to which they have access;
  • Must not permit persons acting on their behalf to access information, unless the person agrees to comply with the restrictions placed on electronic service providers.
Health Information Network Providers “…a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” There are a number of specific obligations of HINPs set out in PHIPA.
A Note About Consent
• In Ontario, consent for the collection, disclosure and use of personal health information is implied (i.e. no explicit consent is required)
• Individuals can withdraw consent
• Express consent is required when:
  • An HIC makes the disclosure to a person that is not an HIC, or
  • An HIC makes the disclosure to another HIC and the disclosure is not for the purposes of providing health care or assisting in providing health care
Information Privacy Commissioner
• The Information and Privacy Commissioner of Ontario (IPC) has oversight responsibility for the Act, which includes:
  • Public and stakeholder education
  • Providing information to the public on the Act and the roles and responsibilities of the IPC
  • Receiving and responding to complaints
  • Undertaking reviews and investigations
  • Issuing orders
7 Checklist Items based on PHIPA
This checklist is contained in the Privacy and Security Guide and Workbook, along with a number of resources (tools and templates) for each checklist item as required.
1. Privacy contact person for the practice has been identified
• Most often, this person should be a physician
• Designate a backup/contingency contact as well
• Examples of responsibilities of the contact person(s) include:
  • Monitoring compliance with, and breaches of, policies; escalation as required and notification of patients
  • Ensuring ongoing understanding and agreement of staff and third parties
  • Communication and dissemination of policies and information
2. Privacy contact person is adequately and sufficiently educated and trained
• This applies to the back-up contact as well
• The privacy contact should be familiar with PHIPA as well as various approaches to addressing privacy and security requirements for the practice
3. Existence of a written privacy policy addressing the collection, use, disclosure and retention of PHI in accordance with PHIPA and other applicable legislation
• In addition to having a policy, the privacy contact should make efforts to ensure that policies are actually implemented, followed and monitored
• Practices should be established for dealing with suspected and actual privacy breaches within the practice
4. Existence of a written public policy regarding the practice’s information practices, who to contact with privacy questions or complaints, and how to obtain access to or request correction of a record of personal health information
• Public policies should be readily accessible to patients. For example:
  • A paper copy could be on hand to be shown to anyone who requests it
  • An electronic copy could be made available and/or posted on the practice’s website
  • A printed copy could be posted in the practice
• Ensure that the practice is prepared by having the necessary consent management practices and policies in place
5. Staff understand, agree to, and comply with privacy and security requirements
• Ensure that employees understand the concepts reflected in the agreement
• Provide information, educational tools and/or sessions as necessary
• Monitor compliance
6. Third parties understand, agree to, and comply with privacy and security requirements
• These may include various agents, electronic service providers, and/or health information network providers
7. The work environment is safe and secure in protecting PHI
• Consideration should be given to the following (at a minimum):
  • Printers, photocopiers, and fax machines
  • Phone manner and etiquette
  • Meeting areas
  • Mobile computing
  • Physical (clear) desk environment
  • Password guidelines
  • Email use
  • Protection and backup of information
General Privacy & Security Checklist Addresses the previously mentioned responsibilities of the practice
Tools and Templates for all Checklist Items
Examples:
• Sample Office Privacy Policy
• Confidentiality Agreement for Physician Office Employees
• Sample Contractual Privacy Clause for Employees and Third Parties
• Sample Office Privacy Handout
• E-mail Policy Sample
Additional Resources Cited and Provided
Personal Health Information Protection Act, 2004
Q: Which of the following are the Acts regarding privacy of information in Ontario?
• Freedom of Information and Protection of Privacy Act (FIPPA)
• Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Personal Health Information Protection Act, 2004 (PHIPA)
• Don’t ask, don’t tell
A: Which of the following are the Acts regarding privacy of information in Ontario?
• Freedom of Information and Protection of Privacy Act (FIPPA)
• Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Personal Health Information Protection Act, 2004 (PHIPA)
• Don’t ask, don’t tell
Q: Which of the following is a Health Information Custodian?
• Doctor
• Nurse
• Clinic manager
• Clinic Volunteer
• Laboratory
• Receptionist
• Office cat
A: Which of the following is a Health Information Custodian?
• Doctor
• Nurse
• Clinic manager
• Clinic Volunteer
• Laboratory
• Receptionist
• Office cat
Q: What role does the Information Privacy Commissioner play in privacy of health information?
• Oversight responsibility for the Act
• Public and stakeholder education
• Personally thrashing PHIPA violators
• Providing information to the public on the Act and the roles and responsibilities of the IPC
• Receiving and responding to complaints
• Undertaking reviews and investigations
• Issuing orders
A: What role does the Information Privacy Commissioner play in privacy of health information?
• Oversight responsibility for the Act
• Public and stakeholder education
• Personally thrashing PHIPA violators
• Providing information to the public on the Act and the roles and responsibilities of the IPC
• Receiving and responding to complaints
• Undertaking reviews and investigations
• Issuing orders
Q: Which of the following is NOT considered to be personal health information?
• Name
• Phone number
• Eye color
• Eligibility for Ontario Drug Benefit Program
• Dating history
• Listing on Doctor’s patient roster
• OHIP number
• Mother’s heart disease
A: Which of the following is NOT considered to be personal health information?
• Name
• Phone number
• Eye color
• Eligibility for Ontario Drug Benefit Program
• Dating history
• Listing on Doctor’s patient roster
• OHIP number
• Mother’s heart disease
Q: What are the steps involved in responding to a privacy breach?
• Contain, Respond, Notify, Investigate, Remediate
• Respond, Contain, Notify, Investigate, Remediate
• Respond, Contain, Notify, Remediate
• Notify, Respond, Contain, Investigate, Remediate
A: What are the steps involved in responding to a privacy breach?
• Contain, Respond, Notify, Investigate, Remediate
• Respond, Contain, Notify, Investigate, Remediate
• Respond, Contain, Notify, Remediate
• Notify, Respond, Contain, Investigate, Remediate
Q: Which of the following are privacy and security responsibilities of HICs under PHIPA?
a. Designate a privacy officer or contact
b. Develop a written privacy policy addressing the collection, use, disclosure and retention of PHI
c. Develop a written public policy regarding the practice’s information practices
d. Ensure that staff understand, agree to, and comply with privacy and security requirements
e. Ensure that third parties understand, agree to, and comply with privacy and security requirements
f. Ensure that the work environment is safe and secure in protecting PHI
g. Educate individual patients and collect signatures signifying consent
A: All except g.
a. Designate a privacy officer or contact
b. Develop a written privacy policy addressing the collection, use, disclosure and retention of PHI
c. Develop a written public policy regarding the practice’s information practices
d. Ensure that staff understand, agree to, and comply with privacy and security requirements
e. Ensure that third parties understand, agree to, and comply with privacy and security requirements
f. Ensure that the work environment is safe and secure in protecting PHI
g. Educate individual patients and collect signatures signifying consent
IPC Orders: Mobile and Portable Devices & Disposal of PHI
Mobile and Portable Devices
The IPC has issued three orders in the context of mobile and portable devices:
• Order HO-004: Theft of a laptop containing the unencrypted personal health information of 2,900 individuals
• Order HO-007: Loss of a USB memory stick containing the unencrypted personal health information of 83,524 individuals
• Order HO-008: Theft of a laptop containing the unencrypted personal health information of 20,000 individuals
Protecting PHI on Mobile and Portable Devices
• Do not retain personal health information on such devices unless necessary for the purpose
• Consider alternatives to retaining personal health information on a mobile or portable device:
  • Retain de-identified information on the device
  • Retain encoded information on the device and store the code to unlock the identifying information separately on a secure computing device
  • Retain personal health information on a secure server and access the information remotely through a secure connection or virtual private network
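As an added illustration (not from the original deck or OntarioMD) of the "encoded information on the device, code stored separately" option above, this Python sketch uses pseudonymization: each record's identifying fields are replaced by a keyed-hash token before the copy goes onto the portable device, and the token-to-identity table that unlocks them is kept only on the secure server. Record values, field names and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real patients); health_number stands in for an OHIP number.
RECORDS = [
    {"name": "Jane Doe", "health_number": "1234567890", "diagnosis": "hypertension"},
    {"name": "John Roe", "health_number": "0987654321", "diagnosis": "asthma"},
]
IDENTIFYING_FIELDS = ("name", "health_number")


def pseudonym(secret: bytes, health_number: str) -> str:
    # Keyed hash: without the secret the token cannot be recomputed or reversed.
    return hmac.new(secret, health_number.encode(), hashlib.sha256).hexdigest()[:16]


def split_for_device(records, secret):
    """Return (device_copy, reidentification_table).

    device_copy goes on the laptop or USB stick: identifying fields are
    replaced by a token.  reidentification_table (token -> identity) is the
    'code to unlock' and stays on the secure server, never on the device.
    """
    device_copy, table = [], {}
    for rec in records:
        token = pseudonym(secret, rec["health_number"])
        table[token] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        clinical = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        device_copy.append({"token": token, **clinical})
    return device_copy, table


def reidentify(device_copy, table):
    # Done back on the secure side, joining the device copy with the table it never carried.
    return [{**table[r["token"]], **{k: v for k, v in r.items() if k != "token"}}
            for r in device_copy]


def device_copy_is_clean(device_copy, records):
    """True when no identifying value from the originals survives in the device copy."""
    leaked = {r[f] for r in records for f in IDENTIFYING_FIELDS}
    return not any(v in leaked for r in device_copy for v in r.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held on the secure server, not the device
    dev, tbl = split_for_device(RECORDS, key)
    print("clean:", device_copy_is_clean(dev, RECORDS), "round-trip:", reidentify(dev, tbl) == RECORDS)
```

If the device is lost, the attacker holds only clinical fields and opaque tokens; the loss is still a breach to be assessed, but the identifying information was never on the device.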
Example: Order HO-001
• A medical clinic hired a company to shred records of personal health information dated between 1992 and 1994
• Due to a misunderstanding, the records were given to a recycling company instead of being shredded
• The recycling company sold the records to a special effects company, which used them in a film shoot
Learnings from the order
• Ensure secure disposal that does not make reconstruction reasonably foreseeable
• For paper records: cross-cut shredding (pulverization or incineration if the records are particularly sensitive)
• For electronic records: physically damage and discard the media, rendering it unusable. If re-use is preferred, use effective wiping utilities