
Kathy O’Brien


Presentation Transcript


  1. Kathy O’Brien
     NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA
     August 26, 2004

  2. Outline
     • Review of current shared networks
     • Impact of PHIPA
     • Good faith efforts

  3. Current Networks – NEON
     • NEON – Shared access to Meditech information system
     • HRSRH (primary licensee)
     • Timmins
     • Englehart
     • Kirkland
     • Chapleau
     • Temiskaming
     • NEMHC
     • SRF

  4. Current Networks – NEON
     • NEON Shared Information System Service Agreement
     • Requires the NEON members to protect confidential information on the System through:
       • Common privacy policy
       • Physical security measures – HRSRH to advise on measures to be taken
       • Appointment of security officer – trained by Meditech
       • Implementation of logical security measures – passwords, etc., controlled by Meditech and common to all sites
       • Each hospital must ensure only approved users have access

  5. Current Networks – NORrad
     • NORrad PACS System
     • TDH (primary licensee)
     • Hearst
     • Kapuskasing
     • Kirkland
     • MICs Group
     • SRF
     • Weeneebayko

  6. Current Networks – NORrad
     • NORrad Inter-Hospital Agreement (in process of being signed)
       • Common privacy policy
         • Common acknowledgement presented to patients describing how PHI is used and who may access
         • Common policy applicable to personnel and privileged health care providers limiting access to shared patient database
         • Each hospital designates individual for compliance

  7. Current Networks – NORrad
     • NORrad Inter-Hospital Agreement (in process of being signed)
       • Common privacy policy (cont’d)
         • Obtaining knowledge and consent of individual for collection, use or disclosure of PHI, except where impossible or impractical
         • Limiting use and disclosure of PHI to what is necessary
         • Instituting security safeguards

  8. Current Networks – NORrad
     • NORrad Inter-Hospital Agreement (in process of being signed)
       • Common security policy
         • Use and confidentiality of passwords
         • Use of a warning upon log-in that information is confidential
         • Mandatory log-out at end of use
         • Encryption across network
         • Limited electronic access based on need-to-know

  9. Current Networks – NORrad
     • NORrad Inter-Hospital Agreement (in process of being signed)
       • Common security policy (cont’d)
         • Regular audits of access to records
         • Other measures appropriate for industry

  10. Impact of PHIPA on Shared Networks

  11. Impact of PHIPA
     • Good news
       • Does not add significant new hurdles
       • Essentially codifies and reinforces past privacy advice
         • Notice to patients
         • Privacy measures
         • Security measures
     • Bad news
       • PHIPA means a dedicated regulator to enforce privacy requirements and to impose penalties (fines) in the event of non-compliance
       • Generally cannot indemnify against breach of Act

  12. Impact of PHIPA
     • Good Faith Immunity (s.70)
       • No action or proceeding for damages may be instituted against a HIC or any other person (e.g., agents) as long as:
         • Acting in good faith
         • Acting reasonably in the circumstances
       • Any neglect or default under Act that was:
         • Reasonable in circumstances
         • Good faith
       • Arguably does not relieve HIC and agents of possibility of fines: $50K – $250K
       • How can you wilfully breach Act if acting reasonably and in good faith?

  13. PHIPA – Consent Requirements
     • PHI on Meditech and PACS systems can be accessed by all hospitals
     • Confirm
       • Is access “for purpose of providing health care or helping to provide health care”?
         • Arguably (if so, implied consent acceptable from patient amongst health care providers -- “Circle of Care”)
         • If not, express consent to this access required by PHIPA

  14. PHIPA – Consent and Agents
     • Could also argue that each hospital is the “agent” of the other hospitals when accessing shared database and subject to same limitations as source hospital
     • Agents under PHIPA must use PHI only as permitted by source hospital
     • Source hospital has liability for acts of agents
     • Agents have obligation under PHIPA to advise source hospital of theft or loss of PHI or unauthorized access at first reasonable opportunity

  15. PHIPA – Electronic Networks
     • Requirement to have a written agreement with specific security safeguards with agents who provide electronic network
     • See language in sample Service Provider Privacy & Security Terms and Conditions
     • Review and follow up with AGFA, Meditech

  16. PHIPA – Consent Issues
     • What information do we/should we give patients whose PHI is housed on Meditech and PACS about who has access to this information?
     • Consent – implied (arguably)
     • Dealing with withholding of consent
       • Argue that patient cannot withhold consent where recording information on electronic system (accessible by all hospitals) is necessary for “institutional practice”?

  17. PHIPA – Lockbox Dilemma
     • November 1/05
     • Lockbox – how to address express instruction from patient that part of PHI on shared database not to be accessed, used or disclosed
       • Security measures?
       • Policy measures?
     • Exceptions – where refusal to disclose this PHI may result in serious bodily harm

  18. PHIPA – Lockbox Dilemma
     • November 1/05:
       • Cannot remove information from record – dealt with in another way
       • Need to flag to receiving HICs that record is not complete, where there is a lockbox
       • Seek advice of IPC (willing to help, cooperative not prosecutorial)

  19. PHIPA – Privacy Policies
     • What policies need to be in place to limit access to need-to-know only?
     • What discipline needs to be identified in policy for breach of need-to-know policy?
     • Amendments to by-laws to permit discipline of privileged professionals (who are agents of hospital and only authorized to use PHI as permitted by hospital)

  20. PHIPA – Training, Accountability
     • Issues:
       • Has there been training on use of and access to these shared systems?
       • Is there a NEON privacy officer?
       • Does each hospital have someone accountable for compliance? Do they meet to discuss shared privacy problems and shared approach to solutions on system?

  21. PHIPA – Security Measures
     • Passwords?
     • Confidentiality of passwords?
     • Warning at log-in?
     • Mandatory log-out?
     • Encryption?
     • Electronic limitation to access (escalating passwords) based on need to know?
     • Regular audits?
     • Others?

  22. PHIPA and Shared Networks
     • Steps:
       • Accountability – privacy officers
       • Privacy policy
       • Privacy notice explaining inability to withhold
       • Training
       • Security, as best as possible
       • Due diligence to demonstrate good faith best efforts with available resources to protect PHI from unauthorized access, disclosure

  23. Cassels Brock & Blackwell LLP
     2100 Scotia Plaza, 40 King Street West, Toronto, Canada M5H 3C2
     Phone 416.869.5300
     Fax 416.360.8877
     www.casselsbrock.com
