Kathy O’Brien
NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA
August 26, 2004
Outline
• Review of current shared networks
• Impact of PHIPA
• Good faith efforts
Current Networks – NEON
• NEON – Shared access to Meditech information system
• HRSRH (primary licensee)
• Timmins
• Englehart
• Kirkland
• Chapleau
• Temiskaming
• NEMHC
• SRF
Current Networks – NEON
• NEON Shared Information System Service Agreement
• Requires the NEON members to protect confidential information on the System through:
  • Common privacy policy
  • Physical security measures – HRSRH to advise on measures to be taken
  • Appointment of security officer – trained by Meditech
  • Implementation of logical security measures – passwords, etc., controlled by Meditech and common to all sites
  • Each hospital must ensure only approved users have access
Current Networks – NORrad
• NORrad PACS System
• TDH (primary licensee)
• Hearst
• Kapuskasing
• Kirkland
• MICs Group
• SRF
• Weeneebayko
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common privacy policy
  • Common acknowledgement presented to patients describing how PHI is used and who may access
  • Common policy applicable to personnel and privileged health care providers limiting access to shared patient database
  • Each hospital designates individual for compliance
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common privacy policy (cont’d)
  • Obtaining knowledge and consent of individual for collection, use or disclosure of PHI, except where impossible or impractical
  • Limiting use and disclosure of PHI to what is necessary
  • Instituting security safeguards
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common security policy
  • Use and confidentiality of passwords
  • Use of a warning upon log-in that information is confidential
  • Mandatory log-out at end of use
  • Encryption across network
  • Limited electronic access based on need-to-know
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common security policy (cont’d)
  • Regular audits of access to records
  • Other measures appropriate for industry
Impact of PHIPA
• Good news
  • Does not add significant new hurdles
  • Essentially codifies and reinforces past privacy advice
    • Notice to patients
    • Privacy measures
    • Security measures
• Bad news
  • PHIPA means a dedicated regulator to enforce privacy requirements and to impose penalties (fines) in the event of non-compliance
  • Generally cannot indemnify against breach of Act
Impact of PHIPA
• Good Faith Immunity (s.70)
  • No action or proceeding for damages may be instituted against a HIC or any other person (e.g., agents) as long as:
    • Acting in good faith
    • Acting reasonably in the circumstances
  • Any neglect or default under Act that was:
    • Reasonable in circumstances
    • Good faith
  • Arguably does not relieve HIC and agents of possibility of fines: $50K – $250K
  • How can you wilfully breach Act if acting reasonably and in good faith?
PHIPA – Consent Requirements
• PHI on Meditech and PACS systems can be accessed by all hospitals
• Confirm
  • Is access “for purpose of providing health care or helping to provide health care”?
  • Arguably (if so, implied consent acceptable from patient amongst health care providers – “Circle of Care”)
  • If not, express consent to this access required by PHIPA
PHIPA – Consent and Agents
• Could also argue that each hospital is the “agent” of the other hospitals when accessing shared database and subject to same limitations as source hospital
• Agents under PHIPA must use PHI only as permitted by source hospital
• Source hospital has liability for acts of agents
• Agents have obligation under PHIPA to advise source hospital of theft or loss of PHI or unauthorized access at first reasonable opportunity
PHIPA – Electronic Networks
• Requirement to have a written agreement with specific security safeguards with agents who provide electronic network
• See language in sample Service Provider Privacy & Security Terms and Conditions
• Review and follow up with AGFA, Meditech
PHIPA – Consent Issues
• What information do we/should we give patients whose PHI is housed on Meditech and PACS about who has access to this information?
• Consent – implied (arguably)
• Dealing with withholding of consent
  • Argue that patient cannot withhold consent where recording information on electronic system (accessible by all hospitals) is necessary for “institutional practice”?
PHIPA – Lockbox Dilemma
• November 1/05
• Lockbox – how to address express instruction from patient that part of PHI on shared database not to be accessed, used or disclosed
  • Security measures?
  • Policy measures?
• Exceptions – where refusal to disclose this PHI may result in serious bodily harm
PHIPA – Lockbox Dilemma
• November 1/05:
  • Cannot remove information from record – dealt with in another way
  • Need to flag to receiving HICs that record is not complete, where there is a lockbox
  • Seek advice of IPC (willing to help, cooperative not prosecutorial)
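The two lockbox slides above describe a behaviour rather than an implementation: the locked part of the record stays in the database, it is withheld from the view released to another hospital, the receiving HIC is told the record is not complete, and there is an exception where refusing to disclose could result in serious bodily harm. The Python below is an added example of that behaviour; it is not code from the presentation or from the NEON or NORrad systems, and the record layout (a dict of named sections), the `disclose` and `audit_entry` functions, and the sample record are all hypothetical.

```python
"""Lockbox handling for a record on a shared database.

Added example; not code from the presentation or from the NEON/NORrad systems.
Assumptions (hypothetical): a patient record is a dict of named sections; the
patient's lockbox is the set of section names they have instructed must not be
accessed, used or disclosed; locked sections stay in the stored record (the
deck notes they cannot be removed) and are only withheld from the view released
to a receiving HIC, which is told the record is not complete.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Disclosure:
    sections: Dict[str, str]                 # what the receiving HIC actually gets
    incomplete: bool                         # flag: PHI was withheld under a lockbox
    withheld: List[str] = field(default_factory=list)
    override_reason: Optional[str] = None    # set only when the lockbox was bypassed


def disclose(record: Dict[str, str], lockbox: Set[str],
             override_reason: Optional[str] = None) -> Disclosure:
    """Build the view of `record` that may be released to another hospital.

    If override_reason is given, the caller is invoking the exception for a
    refusal that may result in serious bodily harm: the full record is released
    and the reason is carried on the disclosure so the audit trail records why
    the lockbox was bypassed. Otherwise locked sections are left out and the
    result is flagged incomplete.
    """
    if override_reason:
        return Disclosure(dict(record), incomplete=False,
                          withheld=[], override_reason=override_reason)
    released = {name: text for name, text in record.items() if name not in lockbox}
    withheld = sorted(name for name in record if name in lockbox)
    return Disclosure(released, incomplete=bool(withheld), withheld=withheld)


def audit_entry(user: str, patient_id: str, d: Disclosure) -> Dict[str, object]:
    """One line for the access audit: who received what, and whether a lockbox applied."""
    return {
        "user": user,
        "patient": patient_id,
        "sections": sorted(d.sections),
        "incomplete": d.incomplete,
        "withheld": d.withheld,
        "override_reason": d.override_reason,
    }


# Constructed sample data, not real PHI.
SAMPLE_RECORD = {
    "demographics": "name, DOB, health number",
    "allergies": "penicillin",
    "mental_health": "counselling notes",
}
SAMPLE_LOCKBOX = {"mental_health"}

if __name__ == "__main__":
    normal = disclose(SAMPLE_RECORD, SAMPLE_LOCKBOX)
    print(audit_entry("rlee@Timmins", "P100", normal))
    emergency = disclose(SAMPLE_RECORD, SAMPLE_LOCKBOX,
                         override_reason="risk of serious bodily harm; ED physician decision")
    print(audit_entry("rlee@Timmins", "P100", emergency))
```

The design choice worth noting is that the override is not a silent bypass: it has to carry a reason, and that reason lands in the same audit entry as an ordinary disclosure, so the regular audits the agreement calls for can review every use of the exception.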
PHIPA – Privacy Policies
• What policies need to be in place to limit access to need-to-know only?
• What discipline needs to be identified in policy for breach of need-to-know policy?
• Amendments to by-laws to permit discipline of privileged professionals (who are agents of hospital and only authorized to use PHI as permitted by hospital)
PHIPA – Training, Accountability
• Issues:
  • Has there been training on use of and access to these shared systems?
  • Is there a NEON privacy officer?
  • Does each hospital have someone accountable for compliance? Do they meet to discuss shared privacy problems and shared approach to solutions on system?
PHIPA – Security Measures
• Passwords?
• Confidentiality of passwords?
• Warning at log-in?
• Mandatory log-out?
• Encryption?
• Electronic limitation to access (escalating passwords) based on need to know?
• Regular audits?
• Others?
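The NORrad security policy slides call for need-to-know access, mandatory log-out and regular audits of access to records, and the checklist above asks whether each is in place. The Python below is an added example of what such an audit could check on a shared system's access log; it is not the NEON or NORrad systems' own tooling or the presenter's code. The log line format, the `care_sites` table that says which sites are currently treating each patient, and the sample log are all constructed for the example.

```python
"""Need-to-know and log-out audit of access logs from a shared system.

Added example; not the NEON/NORrad systems' own tooling or the presenter's code.
Assumptions (hypothetical): each access log line has the form
    <ISO timestamp> <user>@<site> <ACTION> patient=<id or ->
and a care-relationship table says which sites are currently treating each
patient. The audit flags (1) a record access from a site with no care
relationship to that patient, (2) sessions that were never logged out, and
(3) lines that could not be parsed, which an auditor should look at too.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(r"^(\S+)\s+(\w+)@(\w+)\s+(\w+)\s+patient=(\S+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, site, action, patient = m.groups()
    return {"ts": ts, "user": user, "site": site, "action": action, "patient": patient}


def audit(log_text: str, care_sites: Dict[str, Set[str]]) -> Dict[str, list]:
    """Run the three checks over a log and return the findings for review."""
    findings: Dict[str, list] = {"need_to_know": [], "open_sessions": [], "unparseable": []}
    open_sessions: Dict[Tuple[str, str], str] = {}   # (user, site) -> login time
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            findings["unparseable"].append(raw)
            continue
        key = (entry["user"], entry["site"])
        if entry["action"] == "LOGIN":
            open_sessions[key] = entry["ts"]
        elif entry["action"] == "LOGOUT":
            open_sessions.pop(key, None)
        elif entry["patient"] != "-":
            # Need-to-know: the accessing site must currently be treating the patient.
            if entry["site"] not in care_sites.get(entry["patient"], set()):
                findings["need_to_know"].append(entry)
    # Anything still open at the end of the log was never logged out.
    findings["open_sessions"] = [f"{u}@{s}" for (u, s) in sorted(open_sessions)]
    return findings


# Constructed sample log and care table, not real data.
SAMPLE_LOG = """\
2004-08-26T09:00:00 jsmith@HRSRH LOGIN patient=-
2004-08-26T09:01:10 jsmith@HRSRH VIEW patient=P100
2004-08-26T09:05:00 jsmith@HRSRH LOGOUT patient=-
2004-08-26T10:00:00 rlee@Timmins LOGIN patient=-
2004-08-26T10:02:30 rlee@Timmins VIEW patient=P100
2004-08-26T10:03:00 rlee@Timmins VIEW patient=P200
garbage line
"""
CARE_SITES: Dict[str, Set[str]] = {
    "P100": {"HRSRH"},
    "P200": {"Timmins", "Chapleau"},
}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_LOG, CARE_SITES).items():
        print(kind, items)
```

On the sample log the audit flags the view of P100 from Timmins (no care relationship), reports rlee@Timmins as a session with no log-out, and lists the unparseable line; the accesses that match the care table produce no finding.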
PHIPA and Shared Networks
• Steps:
  • Accountability – privacy officers
  • Privacy policy
  • Privacy notice explaining inability to withhold
  • Training
  • Security, as best as possible
  • Due diligence to demonstrate good faith best efforts with available resources to protect PHI from unauthorized access, disclosure
Cassels Brock & Blackwell LLP
2100 Scotia Plaza, 40 King Street West, Toronto, Canada M5H 3C2
Phone 416.869.5300 Fax 416.360.8877
www.casselsbrock.com