Brave New World: Understanding and Managing Privacy Programs in an E-Health World

1. Brave New World: Understanding and Managing Privacy Programs in an E-Health World e-Health Conference2013: Accelerating Change May 28, 2013, 11.30 a.m. Presented by: Robin Gould Soil, CPO, University Health Network

2. Presenter Disclosure • Presenter: Robin Gould-Soil, CPO, University Health Network • Relationships with commercial interests: • Nothing to disclose

3. ConnectingGTA is delivering a regional electronic health record that will make patient information available at the point-of-care to improve the patient and clinician experience • 6 Local Health Integration Networks • 750+ Health Care Organizations • 6,267 Family Physicians • 6,930 Physician Specialists • 49,905Nurses • All sectors of care: • Acute Care • Community Support Services • Complex Continuing Care • Long Term Care • Mental Health & Addictions • Primary Care • Rehabilitation

4. ConnectingGTA is providing three foundational components to support Ontario’s eHealth Blueprint IDENTIFY & COLLECT information (CDR) • Information to be shared seamlessly & securely • Clinicians with point of care access • Robust, scalable & reusable platform • Infrastructure & services that can support or be leveraged • Increase collaboration among clinicians & organizations • Respect standards in terms of privacy, stewardship of information, security Provide ACCESS to information (e.g. Provider Portal) Provide ability to EXCHANGE information (HIAL)

5. How does privacy support the delivery of an EHR • Assure individuals that organizations manage personal health information in a manner that is consistent with its public commitments and legislative responsibilities

6. Privacy Considerations and Risks of an EHR • Risks • Increases the risk of health care providers using or disclosing health information for unauthorized purposes • May attract hackers and others with malicious intent • Easier to remove health information from a secure location and to transfer it to an unsecure device • Considerations • Allow for the collection, use and disclosure of large amounts of health information from diverse sources • Health care providers do not have sole custody or control of health information in a shared system • Health care providers have different processes for implementing patient consent models

7. Approach for Developing Policies • Make it patient & clinician focused • Set and manage expectations • Establish service standards • Track success

8. Governance Committees Governance Committees Makes Decisions About Makes Decisions About Privacy and Security Policies, Procedures, and Standards Privacy and Security Policies, Procedures, and Standards Defines & Guides Defines & Guides Planning of Program Planning of Program Advising Advising Support for Privacy rights Support for Privacy rights Consent Mgmt. Consent Mgmt. Privacy Auditing & Review Privacy Auditing & Review Security Monitoring & Auditing Security Monitoring & Auditing System Dev Lifecycle System Dev Lifecycle Monitoring & Reporting Monitoring & Reporting Auditing Operational Processes Auditing Operational Processes Access Control Access Control P&S Breach Mgmt P&S Breach Mgmt Identity Mgmt Identity Mgmt Vulnerability Mgmt Vulnerability Mgmt Activities to Manage ConnectingGTA Privacy Program Activities to Manage ConnectingGTA Privacy Program Activities to Meet Operational Obligations Activities to Meet Operational Obligations Communications Communications Training Training Support Support People People Technology Technology

9. Lessons Learned • No two organizations are the same • Be prepared to change • Agree on common terminology • Bring privacy into the design of the system • Separate the policy from the standards • Policies and standards should focus on patient’s perspective • Ensure privacy is embed into the clinical and patient processes • Align participant's privacy programs • Test and Learn

10. Visit ConnectingGTA at: www.ehealthontario.ca Email the team at: ConnectingGTA@uhn.ca