This training provides guidelines for implementing privacy and security processes in compliance with privacy legislation. It covers the Integrated Assessment Record (IAR) and its key processes such as incident management, consent management, client privacy rights support, and more.
Integrated Assessment Record (IAR) Data Protection Training Thursday, January 31, 2019
Purpose of Training
• To provide an understanding of the key privacy and security processes that support IAR, as mentioned in the Data Sharing Agreement (DSA) and laid out in the Common Privacy Framework (CPF)
• To provide guidelines to implement these privacy and security processes in your organization as a Health Information Custodian (HIC), in compliance with privacy legislation
• To facilitate the integration of the IAR processes into your existing HIC processes
Agenda
• Overview: The Integrated Assessment Record (IAR); assessment information, where it is needed and when it is needed
• Data Sharing Agreement
• Privacy & Security Processes: Incident Management, Consent Management, Client Privacy Rights Support, User Account Management, Audit Log Review, Privacy Review, Enterprise Master Patient Index
• Wrap Up
Overview: Introduction to the IAR
What is the Integrated Assessment Record (IAR)?
• The IAR is an application that allows assessment information to move with the client from one health service provider to another.
• Health Information Custodians (HICs) can use the IAR to view assessment information:
  • electronically
  • securely
  • accurately
Participating sectors shown on the slide: Community Care Access Centres, Long-Term Care Homes, Community Support Services, Inpatient Mental Health, Addictions, Community Mental Health, Others
Information Flow: Before IAR
[Diagram] Collection from Clients; Use within Your HIC; Disclosure to Other HICs by fax, mail, phone or courier. Governed and supported by: your HIC’s privacy policy and processes.
Information Flow: With IAR
[Diagram] Disclosure from Your HIC to other participating HICs (LHIN, LTCH, CMH) through the IAR. Governed and supported by: the Data Sharing Agreement (DSA) and the processes for Incident Management, Consent Management, Client Privacy Rights Support, Audit Log Review, Privacy Review, User Account Management and Enterprise Master Patient Index.
Collection, Use and Disclosure of Assessments
[Diagram] Collection from Clients; Use within Your HIC; Disclosure to Other HICs by fax, mail, phone or courier; Disclosure through the IAR to LHIN, LTCH, CMH and other HICs.
What is Privacy?
• Privacy is the right of an individual to control the collection, use and disclosure of their personal information.
• For health professionals this aligns with ethical requirements to respect patient autonomy and patient consent
• For IT professionals this overlaps with confidentiality obligations
• Key Takeaway:
  • The institution owns the records and protects confidentiality
  • Individuals have rights related to the information in those records
Health Information Custodian (HIC)
• “Health information custodian” means a person or organization (described in PHIPA) who has custody or control of Personal Health Information (PHI) as a result of or in connection with performing the person’s or organization’s powers or duties.
• The HIC who collects/uses/discloses the assessment is the accountable Health Information Custodian (HIC) for that assessment and must fulfill its obligations as prescribed in PHIPA.
Health Information Network Provider (HINP) PHIPA defines this term as “a person [includes organizations] who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” O. Reg. 329/04, s. 6 (2).
Collection, Use and Disclosure
The primary privacy activities are described using three terms:
• Collect: An HIC has ‘collected’ PHI when it has gathered, acquired, received or obtained information about a client by any means from any source.
• Use: An HIC ‘uses’ PHI when it handles or deals with PHI that it has collected.
• Disclose: An HIC ‘discloses’ PHI when it makes information in its custody available to other HICs or to other people outside of the HIC.
In addition, the full life cycle of PHI includes ‘Retention’ and ‘Disposal/Destruction’.
PHIPA: The Personal Health Information Protection Act
• Ontario’s health care privacy legislation, introduced in 2004.
• PHIPA is informed by the 10 privacy principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information.
• The Act regulates how patients’ (or clients’) Personal Health Information is collected, used, retained, transferred, disclosed, provided access to and disposed of.
• The Act applies to a variety of organizations and individuals within the health care sector, including but not limited to: health information custodians (e.g., hospitals and health care practitioners); agents of HICs (who can be either organizations or individuals, and who are authorized to act for or on a health information custodian’s behalf); and health information network providers (HINPs).
Privacy Obligations: Health Information Custodians (HICs) & Health Information Network Providers (HINPs)
HIC Privacy and Security Obligations
After signing the Data Sharing Agreement (DSA):
• Designate a privacy contact person (HIC Privacy Officer)
• Manage clients’ consent and consent directives
• Manage privacy incidents
• Support individuals’ privacy rights
• Manage user accounts
• Review logs
• Manage clients’ demographics in the Enterprise Master Patient Index (EMPI)
• Meet the HIC’s other general privacy obligations (e.g., publishing privacy practices, ensuring data accuracy)
HINP Privacy and Security Obligations
• Designate a Health Information Network Provider (HINP) Privacy Officer
• Sign the Data Sharing Agreement (DSA)
• Coordinate consent/consent directive management
• Coordinate incident management
• Coordinate the support of individuals’ privacy rights
• Manage user accounts in IAR
• Review IAR logs
• Perform Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)
• Publish privacy practices, a plain language description of IAR services, safeguards for IAR services, and a summary of the PIA/TRA
Data Sharing Agreement: Rights and Responsibilities
Data Sharing Agreement (DSA)
• A formal agreement between parties who agree to share data that:
  • Defines the terms and conditions governing data sharing
  • Establishes the accountabilities and responsibilities with regard to data sharing
  • Defines the obligations and rights of each participant
  • Describes the PHI privacy and security requirements
  • Establishes a basis for trust among participants to enable the data sharing
• https://www.ccim.on.ca/wp-content/uploads/2017/07/1_IAR_ProvDSA_v1.0_20121001_CCIM.pdf
DSA Structure - Articles
• Article 1 – Definitions and Interpretation
• Article 2 – Purpose and Application of Agreement
• Article 3 – Statutory Compliance
• Article 4 – Personal Health Information
• Article 5 – Management and Coordination
• Article 6 – Participant Obligations
• Article 7 – Participant Privacy and Security Practices
• Article 8 – Term and Termination
• Article 9 – Liability and Indemnification
• Article 10 – Dispute Resolution
• Article 11 – General
DSA Structure - Schedules
• Schedule A – Parties to the Agreement
• Schedule B – Existing Agreements
• Schedule C – Provincial Integrated Assessment Record Solution
• Schedule D – Form of Adhesion
• Schedule E – Plain Language Description of Network Services and Security
• Schedule F – Safeguards Regarding Confidentiality; IAR Confidentiality and Security
• Schedule G – Enterprise Master Patient Index System
• Schedule H – Reporting Services
• Schedule I – Consent Call Centre Services
• Schedule J – The Privacy and Security and Data Access Committees
DSA Key Content 1
Purpose of the Agreement
• To outline the responsibilities, obligations and rights of each participant for sharing client/patient PHI through the shared system
• To outline the role and responsibilities of the Health Information Network Provider (HINP) with respect to PHI
Participants to the Agreement
• Health Information Custodians upload and view assessments
• Health Information Network Providers host the systems and provide support
• William Osler Health System (WOHS) & Health Sciences North (HSN) as IAR HINP & Agents
• Transform Shared Services Organization (TSSO) as IAR HINP, EMPI HINP and Agent (formerly CHIS)
DSA Key Content 2
Authority to Upload Assessment Data
• Each participant that collects data to be uploaded to the shared system acknowledges they are authorized by law to collect and upload it
• Personal Health Information belongs to the client/patient regardless of which HIC submitted it to the shared system
Custodian
• The HIC who submits assessments is the health information custodian (HIC) accountable for those assessments
• The HINP provides electronic services to enable the data sharing and is NOT the owner/custodian of the assessments
DSA Key Content 3
Project Governance
• The IAR Provincial Steering Committee is designated to review and approve new HIC applications to join the DSA and any uses of assessment data, and to request an audit if required
• The Privacy and Security Committee develops privacy and security processes and supporting artifacts
• The Data Access Committee reviews and provides recommendations on reporting and secondary data uses
• IAR Governance operates within the project scope and budget as approved by MOHLTC
DSA Key Content 4
Termination
• An HIC may withdraw from the agreement or be terminated for default
• The agreement may also be terminated if certain special circumstances arise
• Upon termination or withdrawal, a Participant must: (1) suspend access by its users to the Shared System; and (2) cease uploading PHI to the Shared System
• Upon termination or withdrawal, participants will liaise with the Provincial Steering Committee regarding responsibilities that remain in regard to their data, or to arrange deletion of the data
DSA Key Content 5
Integrated Assessment Record (IAR) System
• A sharing system that allows care providers to share assessment data to facilitate collaborative client/patient care
• Provides a central repository for assessment data
• Permits participants to upload assessment data
• Permits authorized users to view assessment data
Enterprise Master Patient Index (EMPI) System
• An electronic system to store and manage client/patient information from multiple source systems through multiple IAR instances
• Identifies and links records across these source systems
• Allows participants to uniquely identify client records
DSA Key Content 6
Reporting Services
• Sets out that a Reporting Environment will be established and maintained at TSSO, who will provide Reporting Services as directed by the governance bodies
• Reporting Services consist of production of reports for HICs, fulfillment of permitted data transfers (i.e., transfers under enabling legislation), and possibly true secondary uses or research uses
• Allows IAR HINPs as Agents to allow transfer of assessment data to TSSO, where it is staged and the reports/transfers are performed
• Permits authorized users to view assessment data
Consent Call Centre (TSSO)
• Clients call to make IAR level consent directives
• Operatives use the EMPI for authentication
• Results in messages to the IAR HINP Privacy Officers to apply directives
• No access to assessment data and can’t change assessment level directives
• Do collect PHI (HCN and directive) so act as Agents
DSA Key Content 7
Privacy, Security and Data Access Committee
• Reviews and provides recommendations on secondary uses or transfers of data
• Operates under Terms of Reference from the IAR Provincial Steering Committee
• Logs and publishes all uses
• If a use involves PHI and is not permitted by enabling legislation, HICs may “opt-out” their data from such uses
• Research uses would need prior approval from an appropriate Research Ethics Board (REB)
DSA Key Content 8
Permitted Use
• Only authorized users from each participant may access client/patient assessment data, on a need-to-know basis, for the purpose of providing health care
• Any secondary use of the assessment data must be reviewed by the Data Access Committee and approved by the IAR Provincial Steering Committee
DSA Key Content 9
Sharing Demographic Information through EMPI
• The EMPI solution exchanges Client/Patient information with multiple instances of the IAR solution in Ontario
• Client/Patient information stored in the EMPI is used by all HICs that are participating in multiple instances of the IAR
• In exchanging Client/Patient information with the EMPI, each HIC must have the implied or express consent of the Client/Patient to collect, use and disclose PHI for the purposes of providing health care or assisting with the provision of health care
DSA Key Content 10
Participants’ Obligations
• HICs must implement processes to manage privacy in a collaborative way, including:
  • Consent management
  • Incident management
  • Client privacy rights support
  • Audit log review
  • User account management
• HINPs must provide support for IAR privacy management (as listed above)
DSA Key Content 11
Ensuring Compliance with the Agreement
• Each participant must conduct a privacy self-assessment annually for review by the Privacy and Security Committee
• The IAR Provincial Steering Committee may request an audit on non-HICs with unaddressed gaps
Subpoena & Legal Terms
• In the event that the HINP receives a court order (or similar request) requiring the disclosure of some or all of a Participant’s Confidential Information, the HINP shall work with the HIC to determine how to respond to the request
• General Legal Terms are also included
Privacy and Security Processes: Focus on getting things done
Privacy and Security Framework
IAR Privacy & Security Implementation Framework:
• Data Sharing Agreement (DSA)
• Processes: Incident Management, Consent Management, Client Privacy Rights Support, Audit Log Review, Privacy Review, User Account Management, Enterprise Master Patient Index
• Communication - Awareness and Training
• Privacy and Security Support
Incident Management: Integrated Incident Management
Incident Management
• Incident Management is the process of providing end-to-end management of a series of events that are initiated in response to the detection of an unauthorized collection, use, or disclosure of confidential or sensitive information, whether by an authorized or by an unauthorized person. When the information involved is personal health information (PHI) we call this a privacy breach.
• An integrated incident management process must be established to coordinate the incident response activities among all participating organizations, which includes:
  • Detection
  • Escalation, notification and reporting
  • Incident handling (containment, eradication, recovery)
  • Lessons learned
• The process will interface with each HIC’s incident management process and will focus on collaboration and cooperation activities
Incident Management Phases at CCIM
• Plan and Prepare
  • Policies & Planning
  • Training & Testing
• Detection and Reporting
  • Information collection & monitoring
  • Detection & Alerts
  • Reporting events
• Assessment and Decision
  • Triage of events and potential incidents
• Responses
  • Containment & Eradication
  • Recovery
• Lessons Learnt
  • Identification
  • Improvements
  • Evaluation
Privacy Breach Protocol
The Office of the Information & Privacy Commissioner of Ontario (IPC) recommends that every HIC develop a privacy breach protocol to handle any potential privacy breach incident. The basic steps recommended by the IPC when a breach is detected are the following:
HIC responsibilities:
• Notify relevant staff
• Develop and implement a plan to contain the breach and notify those affected
• Contact the IPC
• Retrieve and secure information where possible
• Find and retrieve any copies of information
• Determine and address any additional security and privacy risks created by the breach
• Notify patients/clients whose data may have been breached
• Notify the Commissioner as required
• Conduct an internal investigation
• Address any issues necessary to reduce the risk of a recurrence to an acceptable level
https://www.ipc.on.ca/health/breach-reporting-2/
Examples of Incidents
The following is a sample of privacy breaches that may occur with respect to IAR PHI:
• Printed patient assessment information is left in a public area
  • Example: Files left on a table in a coffee shop
• Theft, loss, damage, unauthorized destruction, or modification of patient records
  • Example: Un-shredded files in a dumpster
• Inappropriate access of patient information by unauthorized users
  • Example: A person finding a USB key with health data
• A large number of IAR records were accessed by a single individual in a short period of time (out of the ordinary)
• Violation of joint security and privacy policies or procedures
• Security incidents that could lead to a privacy breach:
  • A user account and password was compromised
  • Network infrastructure is attacked by hackers
Incident Management Assumptions
• Incident management processes exist at both health information custodian (HIC) and health information network provider (HINP) organizations
• A Privacy Officer role exists at HICs and the HINP
• The existing HIC level incident management process has an identified incident contact person (e.g., Privacy Officer)
• Incidents can be reported through the incident contact person at the HICs
Integrated Incident Management Approach
• Four phases in the integrated incident management process for the IAR:
  • Detection
  • Escalation
  • Handling
  • Reporting
• The party that receives the incident report escalates the incident to the most responsible party
• The most responsible party activates internal processes to handle the incident
• The most responsible party updates the Incident Registry at the HINP and notifies affected clients
Incident Management: Process Steps & Process Maps
Incident Management Process Maps
• Incidents can be detected or reported by the following parties:
  • HIC
  • Client or third party of the HIC
  • HINP
  • Third parties (e.g., agents or service providers) of the HINP
• Processes have been developed based on the four parties defined above
Scenario 1: Incident Detected by HIC
This scenario is triggered when a HIC, or an agent of the HIC, detects that a privacy breach has, or may have, occurred with respect to IAR data.
Example: A worker in your HIC found a box of printed patient assessments left in a public area at the HIC.
[Process map legend] Grey shaded processes are internal to the HIC; blue shaded processes are integrated breach processes.
Scenario 2: Incident Reported to HIC
This scenario is triggered when a HIC, or an agent of the HIC, receives information or a notification that a privacy breach has occurred, or may have occurred, with respect to IAR data.
Examples:
• A client reports: “My ex-spouse working in your organization accessed my medical information and used it in our child custody case. Why can he/she access my medical records?”
• Someone (a non-patient) found printed patient assessment information on HIC letterhead left at Tim Horton’s.
Scenario 3: Incident Detected by HINP
This scenario is triggered when a HINP, or a person or organization working for the HINP, detects that a privacy breach has, or may have, occurred with respect to IAR data.
Examples:
• IAR backup data unaccounted for (lost or stolen)
• IAR database hacked into by hackers
• A large number of IAR records were accessed by a single individual in a short period of time (out of the ordinary)
• Missing data backup tape that contains server and system data, but no personal health information (PHI)
Scenario 4: Incident Reported to HINP
This scenario is triggered when a HINP, or an agent of the HINP, receives information or a notification that a privacy breach has occurred, or may have occurred, with respect to IAR data.
Examples:
• A record management service provider reports to the HINP that one IAR data backup tape went missing during transit
• Missing data backup tape that contains server and system data, but no PHI
Mandatory Breach Reporting to the IPC
• Use or disclosure without authority: When a person deliberately accesses or uses PHI for inappropriate purposes, the Commissioner should be notified. Examples include ‘snooping’ for non-work related purposes or simple curiosity. This generally does not include accidental disclosures.
• Stolen information: When a HIC becomes aware that PHI has been stolen, it must notify the Commissioner. If the PHI has been de-identified or properly encrypted, no notification is required.
• Further use or disclosure without authority after a breach: If, after an initial breach, a HIC becomes aware that the PHI was or will be further used without authority, it must notify the Commissioner.
• Pattern of similar breaches: Even if a breach is accidental or insignificant by itself, if it is part of a pattern of similar breaches it must be reported to the Commissioner.
• Disciplinary action against a college member: A duty to report an employee or other agent to a health regulatory college also triggers a duty to notify the Commissioner. Where an employee is a member of a college, the notification is triggered if:
  • The HIC terminates, suspends or disciplines the employee as a result of the breach; or
  • The employee resigns and the HIC believes that this action is related to the breach.
  Where a health care practitioner with privileges is involved, the notification is triggered if:
  • The HIC revokes, suspends, or restricts privileges or affiliation; or
  • The practitioner relinquishes or voluntarily restricts their privileges or affiliation and the HIC believes that this action is related to the breach.
• Disciplinary action against a non-college member: Where an employee or other agent of a HIC is not a member of a college, the HIC must notify the Commissioner in the same circumstances that would have triggered notification to a college, had the person been a member of a college.
• Significant breach: In addition to any of the circumstances above, you should notify the Commissioner if the breach is significant. To determine significance you should consider whether:
  • The information is sensitive
  • The breach involves a large volume of information
  • The breach involves many individuals’ information
  • More than one custodian or agent was responsible for the breach.
Any breach that triggers this Integrated Incident Management Process (i.e., any breach involving more than one HIC, or a breach involving a HIC and a HINP) will trigger notification to the Commissioner.
Breach Report to the IPC
• Breach Description (What happened): Prepare a detailed description of the breach including:
  • What happened? What information is involved?
  • When did it happen?
  • Who was involved?
  • How did the breach occur?
  • Where did the breach occur?
  • Why did the breach occur?
• Breach Response (What did you do to implement your privacy breach protocol?)
  • Containment
    • What was the scope of the breach?
    • What steps were taken to contain it?
    • Was the containment successful?
  • Notification
    • Were all affected individuals notified?
    • When were they notified?
    • How were they notified? Did the notice include:
      • The details and extent of the breach
      • The specifics of the personal health information at issue
      • The steps that have been taken/will be taken to address the breach
      • That the IPC was notified
      • How to file a complaint with the IPC
      • The contact information for your privacy contact person
• Investigation and Remediation (items if applicable)
  • Does your organization conduct privacy training; at what intervals?
  • Does your organization require signed confidentiality agreements? How often?
  • Does your organization conduct random or scheduled audits?
  • Does your health information system contain privacy warnings before access?
  • Will any of your organization’s policies or procedures be amended?
  • What other steps will you be taking to address the breach?
  • With respect to the offending employee(s), if applicable:
    • What disciplinary measures were taken?
    • Was the person referred to a professional college?
    • How long have they been an employee/contractor/volunteer?
    • What is your policy for discipline for unauthorized access?
    • Did the employee receive privacy training?
      • How many times
      • Dates of the training
      • Copies of the training material for the most recent training
    • Did the employee/contractor/volunteer sign a confidentiality agreement?
      • How many times, what dates
      • When was the last signature?
      • Provide a copy of the agreement
    • Did the employee/contractor/volunteer view a privacy notice when logging in?
      • Provide a copy of the privacy notice
    • Was a general audit conducted of the employee/contractor/volunteer’s activity to determine the possibility of other breaches?
      • When was the time or timeframe of the audit?
      • What was the result of the audit?
    • Did the employee(s) admit to the unauthorized access?
      • What reason was given?
    • What personal health information did the employee/contractor/volunteer view?
      • How long was each screen viewed?
      • How many incidents have been noted?
Consent Management