HINP Privacy & Security Processes

HINP Privacy & Security Processes
14/04/2017 Integrated Assessment Record Privacy, Security and Consent Management Training Intent: to introduce the session. Notes: Welcome and introductions – Quick introduction about facilitator, additional CCIM team members, review break and lunch arrangements (1 break morning and pm) one full hour for lunch. Ask them to put their phone on vibrate. Spend some time to talk about the book to explain the tabs, contents, how it works, will be referred to from time to time. Explain handout structure. Talk about acronyms – try your best to spell them out – ask them to ask if they don’t know. Registration – talk about the importance of signing the registration sheet in order to get reimbursed for travel expenses. Talk about logistics, location of washrooms, break times, etc. Transition: Let’s look at the agenda. Sudbury Regional Hospital Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 1 1

Agenda 14/04/2017 Introduction Privacy and Security Processes Incident Management Consent Management Client Privacy Rights Support Audit Log Review Privacy Review User Account Management EMPI Communications Awareness and Training Next Steps and Reminders Intent: explain the agenda for the day Notes: The bulk of today’s session is around each one of the 7 privacy and security processes mentioned in the Data Sharing Agreement. We will start with an introduction then review each of the privacy and security processes, including consent management. Afterwards we will talk about communications, awareness and training followed by next steps and reminders. Transition: Let’s begin. Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 2

14/04/2017 Introduction Intent: This is the first slide to introduce the “Introduction” section. There are no speaker notes for this slide. Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 3

Purpose of Training Provide a thorough understanding of the privacy and security key processes that support IAR as mentioned in the Data Sharing Agreement Provide guidelines to implement these privacy and security processes in each HSP in compliance with privacy legislation Begin planning the integration of the IAR processes into your existing HSP processes Help you meet the IAR implementation milestones Intent: to explain the purpose of the training Notes: The purpose of today’s training is to: - Provide a thorough understanding of the privacy and security key processes that support IAR as mentioned in the Data Sharing Agreement - Provide some guidelines in how to implement these processes in your organization, and in turn helping your HSP to be in compliance with PHIPA Kick-start your planning of integrating these IAR processes into your existing processes This session is also about consent management which is one of the 7 privacy and security processes. Transition: To start, for those of you who need a refresher or who haven’t been to a session before, we’ll review what IAR is. 4 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

What is the Integrated Assessment Record (IAR)?
The IAR is an application that allows assessment information to move with the client from one health service provider to another. Health service providers (HSPs) can use the IAR to view timely client assessment information: electronically securely accurately Community Care Access Centres Long-Term Care Homes Community Support Services Others Intent: Introduce privacy officers to the IAR in case they missed earlier sessions. Notes: This visual depicts a client/consumer/patient within the circle of care. Every sector has its own assessment, which has been specially designed to support the particular needs of their clients. In many cases, a client may use a range of these services from different care providers. The Integrated Assessment Record is an application that allows this client assessment information to be viewed by multiple authorized health care providers within the client’s circle of care (providing the appropriate level of consent is obtained from the client). Transition: The next slides depict how the IAR affects information flow in the community care sectors. Addictions Inpatient Mental Health Community Mental Health 5 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Information Flow: Today
Use Disclosure Fax Collection Mail Phone Courier Clients Your HSP Other HSPs Intent: Introduce audience to IAR and frame the privacy and security discussion. Notes: Walk through the diagram. We are here to help you prepare for a future of electronic sharing. You will be well positioned to implement the assessment and IAR. Let’s look at the difference between the way information flows by starting with this diagram. This is a ‘traditional’ view of how HSPs collect information from their clients, how they use it internally, and then disclose or share it with other HSPs via phone, fax, courier, and other ways. When HSPs store information on their own servers, this is the same as storing information on the IAR servers hosted at the Health Information Network Provider (HINP) – who is a hospital or other type of health service provider – not a LHIN or government group. When the assessments are stored on the HINP, it is just like storing them on your own servers, except the HINP has substantial support to ensure that their servers are secure. They perform multiple privacy impact assessments and threat risk assessments and have extensive security safeguards in place to protect the servers. Transition: The next slide illustrates how information will flow with the IAR in place. Your HSP’s privacy policy and processes Governed and supported by: 6 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Information Flow: IAR Disclosure CCAC LTCH CMH Your HSP Governed and
Intent: Introduce audience to IAR and frame the privacy and security discussion. Notes: Walk through the diagram. When assessments are DISCLOSED to other health service providers through IAR, it is similar to the way HSPs disclose information to other health service providers, except that the information flow is not one HSP at a time. As a result, when consent is collected from clients, it is important to consider how you will collect consent for the way you disclose information today as well as the ways you will disclose information in the future – through IAR or through other electronic means as we move more and more into an electronic world. If the consents you collect today are very specific and only valid for specifically named HSPs, then you will have to re-collect consent for each and every new partner or program that you build. Consider how many clients you have and if you can manage that additional workflow. Transition: The next slide shows all the points of disclosure with IAR. Governed and supported by: 7 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Collection, Use and Disclosure of Assessments
Fax Collection Mail Phone Clients Courier Your HSP Other HSPs Disclosure Disclosure Intent: The intent of this slide is to illustrate how information can flow both using IAR and via other methods of disclosure currently used. Notes: Walk through the diagram. Consent needs to be designed to support your information flow. Your consent model must support each information flow. Other key message: Within your HSP it is your decision to decide which model you will practice, and then apply it to your C,U,D practices. Then you also need to make sure it works with IAR information flows in a way that works with all other HSPs using IAR. When you join IAR, we will work with you again to build another level onto your consent model to coordinate between HSPs with IAR. For example: how will groups of HSPs handle coordinating and keeping consent updated as clients move between HSPs and update their directive. Transition: Next, let’s talk about the role of health information custodians (HICs) and the health information network providers (HINPs) in upholding the integrity of IAR and PHIPA. CCAC LTCH CMH Other CSS HSPs 8 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

What is Privacy? Privacy is the right of an individual to control the collection, use and disclosure of his/her personal information. You could google privacy and I am sure you will find many definition. For this session purpose, I think this simple definition would do the job. Eg: Airmiles collects information about everything you purchase and sells that information to people who want to sell things to you. It provides you with points in exchange, and it is YOUR CHOICE if you want to participate. Eg: A hockey player in the hospital for knee surgery has the right not to have his health record spied on by nurses who sell his story to the newspaper! (true story in Toronto circa 2002/3) Why is privacy important to CAP project? If a client feels in control of their assessment information or PHI – they can trust their health services providers and will get better service as a result. Conversely, If a client hears staff talking about other clients in the hallway, cafeteria, or on the bus they will lose their trust and clients will no longer want to provide their information 9 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Health Information Custodian
“Health information custodian” means a person or organization (described in PHIPA) who has custody or control of Personal Health Information as a result of or in connection with performing the person’s or organization’s powers or duties or the work. The HSP who collects/uses/discloses the assessment is the Health Information Custodian (HIC) for the assessment – in its role as a HIC, the HSP has to fulfill their obligations as prescribed in PHIPA Let’s pay attention to the word “custodian”. That’s the key word, you as HSP/ clinician, you are custodian of your client’s PHI, but you don’t own that data. A health information custodian, while not mentioned in the Common Privacy Framework is also defined under PHIPA as “an individual or organization that has custody and control of personal health information generally for the purposes of providing health care or services.” If an HSP thinks they may also be a health information custodian, they are advised to seek professional assistance to determine their status under the Act. The HINP term is sometimes used in the Common Privacy Framework to generically refer to a service provider that enables data sharing between HSPs. 10 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 10

Health Information Network Provider
PHIPA defines this legal term as “a person [or organization] who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” O. Reg. 329/04, s. 6 (2). 11

Collection, Use and Disclosure
Privacy activities are described using three terms: Collect: An HSP has ‘collected’ PHI when it has gathered, acquired, received or obtained information about a client by any means from any source. Use: An HSP ‘uses’ PHI when it handles or deals with PHI that it has collected. Disclose: An HSP discloses PHI when it makes information in its custody available to other HSPs or to other people outside of the HSP. Examples of collection, use and disclosure (from glossary): …. Exercise: Ask the group what kinds of collection, use and disclosure they do on a daily basis 12 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Ontario Health Information Privacy Legislation
PHIPA – Personal Health Information Protection Act Ontario’s privacy in healthcare legislation introduced in 2004 PHIPA is informed by the 10 privacy principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information The Act regulates how patients’ (or clients’) Personal Health Information is collected, used, retained, transferred, disclosed, provided access to and disposed of. The Act applies to a variety of organizations and individuals within the health care sector, including but not limited to, health information custodians (e.g., hospitals and health care practitioners), agents to HIC (who can be either organizations or individuals, and who are authorized to act for or on a health information custodian’s behalf), health information network provider (HINP). We are the last province to have persona health information act. It's based on the 10 CSA privacy principles The CSA principles is a good reference points. We need not go into detail, but just incase people ask, here are the 10 CSA privacy principles and it short definitions. Ten CSA Privacy Principles 1. Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. 2. Identifying Purposes The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. 3. Consent The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. 4. Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. 5. Limiting Use, Disclosure and Retention Personal information shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of the stated purposes. 6. Accuracy Personal information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used. 7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. Openness An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals. 9. Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 10. Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. For example Accountability – Privacy Officer contact on posters or website 10 Challenging Compliance – supporting client’s privacy right process – we support client compliants 13 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 13

IAR HINP and HIC Privacy Obligations
Intent: To introduce the concept of HIC and HINP privacy obligations. Notes: Why do HSPs need to implement all these privacy and security things? Because PHIPA defines certain privacy and security obligations that you need to fulfill in order to work with IAR. This is a list of the key privacy and security obligations that our analysis of PHIPA has identified. Under PHIPA, HINP is defined as “a person [or organization] who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” O. Reg. 329/04, s. 6 (2). A HIC is a person or organization that meets the criteria as described in the Personal Health Information Protection Act (PHIPA) This includes doctors, other healthcare practitioners, hospitals, long-term care facilities, healthcare clinics, laboratories, pharmacies, the Ministry of Health and Long-Term Care, other health-related organizations as well as a centre, program or service for community health or mental health whose primary purpose is the provision of healthcare. Transition: Let’s look at HINP privacy and security obligations. 14 14 14 IAR Kick-off Presentation Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 14 14 14 14

HINP Privacy and Security Obligations
Designate a Health Information Network Provider (HINP) Privacy Officer Sign the Data Sharing Agreement (DSA) Coordinate consent/consent directive management Coordinate incident management Coordinate the support of client’s privacy rights Manage user accounts in IAR Review IAR logs Perform Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA) Publish privacy practices, plain language description of IAR services, safeguards for IAR services, summary of PIA/TRA Intent: Explain HINP’s obligations Notes: Because PHIPA defines certain privacy and security obligations that you need to fulfill in order to work with IAR. This is a list of the key privacy and security obligations that our analysis of PHIPA has identified. Also, all the obligations listed here are on the DSA. Review listed obligations. Do you have any questions about this? Transition: Now let’s have a look at your obligations as a HIC. 15 15 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital IAR Kick-off Presentation 15 15 15

HIC/HSP Privacy and Security Obligations
HINP Privacy & Security Processes 14/04/2017 HIC/HSP Privacy and Security Obligations Designate a privacy contact person (HSP Privacy Officer) Sign the Data Sharing Agreement (DSA) Manage client’s consent and consent directive Manage privacy incidents Support client’s privacy rights Manage user accounts Review logs Manage client’s demographics in Enterprise Management Patient Index (EMPI) Other HSP’s general privacy obligations (i.e., publish privacy practices, data accuracy) Intent: Explain HIC obligations Notes: Because PHIPA defines certain privacy and security obligations that you need to fulfill in order to work with IAR. This is a list of the key privacy and security obligations that our analysis of PHIPA has identified. Also, all the obligations listed here are on the DSA. Review each of the obligations. What questions do you have about these obligations? Transition: Now let’s take a look at the IAR privacy and security implementation framework. 16 16 Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 16

IAR Privacy and Security Implementation Framework
Intent: Introduce the IAR privacy and security implementation framework Notes: The IAR P+S Implementation framework, or “hot dog” diagram is more focused on what we as HSPs HAVE to do in order to be able to share assessments through the IAR. We will spend the rest of today working through this framework. Transition: This should give you enough context, now let’s jump right into the IAR privacy/ security framework (aka the Hotdog) 17 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Privacy and Security Key Processes
IAR Privacy & Security Implementation Framework DATA SHARING AGREEMENT (DSA) Incident Management Consent Management Client Privacy Rights Support Audit Log Review Privacy Review User Account Management Enterprise Master Patient Index Communication ● Awareness and Training Intent: Introduce the “hotdog” framework and highlight the 7 processes. Notes: Many of you are probably familiar with this implementation framework diagram from pervious workshops. Today, we will be focusing on the 7 colourful boxes, which are the processes. Walk through each of the pieces of the hotdog giving a brief explanation of what they are. Data Sharing Agreement – governs relationship between HINP and HIC Incident Management – process by which incidents (breaches) are reported and handled Consent Management – process by which client consent is informed, collected, documented and registered Client Privacy Rights Support – process by which a client’s basic privacy rights are supported Audit Log Review – process by which the HSP manages IAR usage Privacy Review – process by which the HSP reviews their policies and procedures related to Privacy User Account Management – process by which new users are activated and old usernames and passwords are removed from IAR Enterprise Master Patient Index – process by which the HSP accommodates requests for information from the HINP to manage client profiles in IAR Communication – Awareness and Training – these are the means by which an HSP will manage the change, train staff, and improve awareness about IAR. Privacy and Security Support – this represents the support provided to staff should they have any questions about Privacy and Security Transition: Let’s refresh our memories about the Data Sharing Agreement. Privacy and Security Support 18 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Data Sharing Agreement
Formal agreement between parties who agree to share data Define the terms and conditions governing the data sharing Establish the accountabilities and responsibilities with regards to data sharing Define the obligations and rights of each participant Describe the PHI privacy and security requirements Instil trust among participants to enable the data sharing DSA Workshop available to explain the document in detail DSA is available on the CCIM website: Intent: Introduce audience to DSA in case they missed the DSA workshop and to ensure all aspects of the hotdog diagram are covered. Notes: There is one DSA per cluster. The DSA is: Formal agreement between parties who agree to share data and Define the terms and conditions governing the data sharing Establish the accountabilities and responsibilities with regards to data sharing Define the obligations and rights of each participant Describe the PHI privacy and security requirements Having an agreement instils trust among participants to enable the data sharing to work. You can access the DSA on the CCIM Website. Transition: one more thing we need to about which is our 4-steps approach on implementing the processes. 19 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Privacy and Security Process Implementation Steps
STEP 1 ANALYZE STEP 2 DESIGN STEP 3 DEVELOP STEP 4 IMPLEMENT Analyze existing internal processes with the requirements presented and determine gaps Design new process or process steps to address the gaps Develop the required processes, process steps or supporting artifacts Implement the newly designed and developed process or steps (remember to include training and communications to HSP staff) Intent: Review the 4-steps approach Notes: We have developed a methodology or approach in implementing these privacy and security processes in your organization First you conduct analysis on your existing internal processes using the requirements presented in the session in order to determine any gaps. Secondly, based on the results of the analysis, gaps identified, design new process or steps to address these gaps And Thirdly, based on the design from step 2, you develop the required process or process steps or process steps, as well as any required supporting artifacts. Lastly, step 4, you implement these newly designed and developed process or steps, but don’t forget the training and communication components to your staff. Refer to section: Consent Management Implementation Transition: Let’s dive right into the 7 privacy processes 20 20 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Integrated Incident Management
Intent: The intent of this slide is to frame the next set of slides that talk about Integrated Incident Management. 21 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Incident Management What is Incident Management? The ability to provide end-to-end management of a series of events that are initiated in response to a privacy or security breach Integrated incident management process must be established to coordinate the incident response activities among all participating organizations, which includes: Detection Escalation, notification and reporting Incident handling (containment, eradication, recovery) Lessons learned The process will interface with each HSP’s incident management process and will focus on collaboration and cooperation activities Intent: Introduce definition of Incident Management Notes: What is Incident Management? The ability to provide end-to-end management of a series of events that are initiated in response to a privacy or security breach. Integrated incident management process must be established to coordinate the incident response activities among all participating organizations, which includes: Detection Escalation, notification and reporting Incident handling (containment, eradication, recovery) Lessons learned The process will interface with each HSP’s incident management process and will focus on collaboration and cooperation activities Transition: Let’s look at some examples of incidents. 22 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

14/04/2017 Example of Incidents Printed patient assessment information is left in public area (e.g., coffee shop) Theft, loss, damage, unauthorized destruction or modification of patient records Inappropriate access to patient information by unauthorized users Out of the ordinary user activity as indicated during a regular log review User account and password was compromised Network infrastructure is attacked by hackers Violation of joint security and privacy policies or procedures Intent: To illustrate potential “incidents” or “breaches” that can happen outside of IAR and with IAR. Notes: You likely understand all of this anyway – the people you train may not have your background. People may not know what we mean when we say incidents. Some of these are not IAR specific they happen now in the real world. Others are more IAR specific. Review list – separate IAR specific from non-specific. This is why we talk through consent processes because this could happen We want everyone to understand that the privacy officer is responsible. The Global privacy officer manages at a higher level. We don’t want to hide the possibility. It’s not really a question of if, but when. It’s the processes in place that mitigate the risk. We have a lot of security built into the IAR, but we know that credit card information can get stolen. Also, not sure if anyone malicious really knows that we exist. Less to be gained here than by breaking into a bank. Feel free to take any of this out, but just know that we understand that these things can happen. Transition: Now let’s look at some assumptions we have about incident management. 23 Sudbury Regional Hospital Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 23

Incident Management Assumptions
HINP Privacy & Security Processes 14/04/2017 Incident Management Assumptions Incident management processes exist at both health information custodian (HIC) and health information network provider (HINP) organizations Privacy Officer role exists at HICs and HINP Existing HIC level incident management process has identified incident contact person (e.g., Privacy Officer) Incidents can be reported through the incident contact person at the HICs Intent: Make sure we all understand the same thing about incident management. Notes: Go through these assumption, and the point to make is that for IAR incidents, the HINP privacy office will get involved. Incident management processes exist at both health information custodian (HIC) and health information network provider (HINP) organizations. Privacy Officer role exists at HICs and HINP. Existing HIC level incident management process has identified incident contact person (e.g., Privacy Officer). Incidents can be reported through the incident contact person at the HICs Transition: Now let’s look at an integrated approach to incident management. 24 Sudbury Regional Hospital Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 24

Integrated Incident Management Approach
HINP Privacy & Security Processes 14/04/2017 Integrated Incident Management Approach Four phases in the integrated incident management process: Detection Escalation Handling Reporting The most responsible party activates internal processes to handle the incident The party that receives incident report escalates incident to the most responsible party The most responsible party updates the Incident Registry at HINP and notifies affected clients Intent: Explain the 4 phases of incident management Notes: Explain a little about the 4 phases of incident management: Detection, Escalation, Handling and Reporting The most responsible party activates internal processes to handle the incident. The party that receives incident report escalates incident to the most responsible party. The most responsible party updates the Incident Registry at HINP and notifies affected clients. The reporting here is to inform other parties about the progress or result of the incident handling, not referring to reporting to the IPC. The concept of the most responsible party is not referring to who is to blame, but who has to take the lead for handling the incident, which include investigation, eradication, mitigation and recovery. Transition: Let’s look at what a Privacy Breach Protocol is. 25 25 Sudbury Regional Hospital Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 25

Privacy Breach Protocol
Information & Privacy Commissioner (IPC) recommends that the HINP develop a privacy breach protocol The protocol enables the HINP and participating HSPs to respond quickly and in a coordinated way during a privacy breach Roles and responsibilities are defined Investigation and containment are effective and efficient Remediation is easy to implement Intent: To describe a Privacy Breach Protocol Notes: The IPC requires the HINP to have a privacy breach protocol, and the reasoning behind is for preparation, during an incident, people are nervous and anxious, thus may forget steps, but if there is a pre-defined process or protocol, things will not missed, and everyone knows what to do, and how to response etc. A breach protocol is helpful because it allows the HSP to: respond quickly and in a coordinated way during a privacy breach Define roles and responsibilities Effectively and efficiently investigate and contain the breach easily implement remediation Transition: Let’s take a look couple of scenarios 26 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Incident Management Process Maps
Incidents can be detected or reported from the following parties: HIC Client or third party of the HIC HINP Third parties (e.g., agents or service providers) of HINP Processes are developed based on the four parties defined above Intent: To introduce this section about incident management processes Notes: We have developed process flow diagrams or maps to illustrate how incidents should be handled, and we develop these based on 4 scenarios, incidents that are detected by a HIC, a client or 3rd party of the HIC, incidents that are detected by the HINP or a 3rd party of the HINP. Transition: Let’s look at a couple of scenarios. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Scenario 1 — Incident Detected by HIC
HIC detected an incident, such as: Printed patient assessment records were lost User account and password were compromised Network at HIC was broken into by hackers (suspect IAR upload files have been accessed) Intent: To introduce Scenario 1 Notes: Explain the first scenario, and use one of the above example to illustrate the scenario before going in to the diagram Transition: Let’s look at a sample business process for an incident detected by a HIC. 28 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

1.0 Incident Detected by HIC
Intent: Review the incident management sample process flow Notes: Since this is the first diagram, spend sometime explaining how to read this flow diagram, what does the grey boxes means (local processes), and how important it is for the interfaces or integration points. Explain columns representing the four steps, the rows represent different parties and review steps with them. Walk through each of the steps in the diagram, who is responsible, and what the resolution is. Ask: Does this make sense? You will see more of these diagrams so it’s important that you understand this. Transition: Let’s look now at a second example – an incident reported by a client or a third party. *Shaded boxes indicate existing steps in HSPs Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Scenario 2 – Incident Reported by Client / Third Party
A client / third party reports an incident to a participating HSP, such as: “My ex-spouse working in your organization accessed my medical information and used it in our child custody case. Why can he / she access my medical record?” A third party (non-client) found printed assessment information on HSP letterhead left at local coffee shop Intent: To introduce scenario 2 Notes: Explain the 2nd scenario, and use the first example to illustrate the scenario before going in to the diagram Transition: Now let’s look at the second diagram. 30 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

2.0 Incident Reported by Client / Third Party of HIC
Intent: To show a sample process flow for scenario 2. Notes: Walk through the flow diagram, again mention about the grey boxes are local process or steps. Transition: Let’s review the third scenario of an incident detected by the HINP *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Scenario 3 — Incident Detected by HINP
HINP detected an incident, such as: IAR backup data unaccounted for (lost or stolen) Potential misuse of access is identified Extraordinary user activity as indicated by regular review Data backup tape that contains server and system data is missing Intent: To introduce scenario 3 Notes: Explain this 3rd scenario, and use one of the above example to illustrate the scenario – remember this is for the HINP. Transition: Let’s review the next flow diagram. 32 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

3.0 Incident Detected by HINP
Intent: To show a sample process flow for scenario 3. Notes: Walk through the flow diagram, again mention about the grey boxes are local process or steps. Transition: Let’s review the last scenario of an incident detected by the HINP. *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Scenario 4 – Incident Reported by Third Party of HINP
Third party may report an incident to HINP, such as: Record management service provider reports to HINP that one IAR data backup tape is missing during transit Data backup tape that contains server and system data is missing Intent: To introduce scenario 4. Notes: Explain this last scenario, and use the record management service provider example to illustrate the scenario before going in to the diagram. Transition: And one final process diagram. 34 34 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

4.0 Incident Reported by Third Party of HINP
Intent: To show a sample process flow for scenario 4. Notes: Walk through the flow diagram, again mention about the grey boxes are local process or steps. Transition: Let’s now get into more detail about the four-step process for incident management … *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Incident Management: Analyze
Map and review existing (internal) incident handling and management process and supporting artifacts Incident handling process Client notification process Investigation, containment and recovery process Communication mechanism to client, staff and third parties (i.e., poster / brochure / website) Intent: Discussion of the first step. Notes: Explain the Analyze steps and how HSPs can make use of the flow diagrams and supporting artifacts Map and review existing (internal) incident handling and management process and supporting artifacts Incident handling process Client notification process Investigation, containment and recovery process Communication mechanism to client, staff and third parties (i.e., poster / brochure / website) Transition: Now let’s look at the design step. 36 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Incident Management: Design
Review each integration point Detection Escalation Handling Reporting Make decision on each integration point Update the existing process Intent: This is the second step – design Notes: After analysis of HSPs “As Is” process, HSPs may design and make decision on the integration points. Review each integration point Detection Escalation Handling Reporting Make decision on each integration point and update the existing process. Transition: Let’s review in more detail the integration points and questions that will help you to develop the process. 37 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Integration Points and Questions
Detection How do staff, clients and third parties know who to contact if they uncover an incident? What information is needed from the incident reporter? What happens after the incident is reported to you or your team? Escalation Who would communicate with HINP Privacy Officer if incident involves other HSPs? How would you prepare incident report and information to assist incident escalation to other HSPs? When the HINP escalates to your organization, do you or your team know what to do next? How do you communicate this process to members of your incident handling team? Handling Review existing incident handling process for investigation, containment and recovery When and how do you involve the IT operations team (if needed) Review procedure to notify client (if their PHI is breached) Reporting Explore ways to review incident logs and gather lessons learned Intent: Discuss integration points. Notes: Here are the questions that you can work with your team to address any gaps with the integration points. This is the develop step, finding the answers to these questions Detection How do staff, clients and third parties know who to contact if they uncover an incident? What information is needed from the incident reporter? What happens after the incident is reported to you or your team? Escalation Who would communicate with HINP Privacy Officer if incident involves other HSPs? How would you prepare incident report and information to assist incident escalation to other HSPs? When the HINP escalates to your organization, do you or your team know what to do next? How do you communicate this process to members of your incident handling team? Handling Review existing incident handling process for investigation, containment and recovery When and how do you involve the IT operations team (if needed) Review procedure to notify client (if their PHI is breached) Reporting Explore ways to review incident logs and gather lessons learned Transition: Now let’s look at the last step, which is to implement your new process. 38 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Incident Management: Implement
Internal approval of revised/new process(es) Provide training and awareness to all staff members in your organization (not just clinicians or IAR users) External communications (clients and third parties) Poster, brochure, corporate website, centralized box Intent: This is the fourth step – implementation. Notes: When you implement the new process or process steps, you need to remember these points: Gain approval from senior management Provide training and awareness for your staff Communicate to your clients and 3rd parties Transition: Now let’s take a look at Consent Management in more detail. 39 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Consent Management Consent Management Intent: Introduce the concept of Consent Management. Notes: You recall in your invitation we invited you to learn about consent management using our e-learining module. We hope you took advantage of this so that you have context as we go through the next several slides. If not, you’re encouraged to take a look at your next opportunity. Transition: Let’s get started. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Consent Management — Overview
Enables client control over how their personal health information (PHI) is collected, used, disclosed and shared Ensures compliance with PHIPA Consent Directive A client’s instruction on how their Personal Health Information can be collected, used and disclosed Consent Model Informed consent Implied and express consent Scope of consent directive Structure of consent form (if required) Consent Management Process Intent: To provide an overview of consent management Notes: Clients control how their PHI is used, disclosed and shared. Consent management is about managing client consent directives. Consent management is about how you provide the capability back to the client so that they can control how their information is disclosed. The steps in the process are: Informing, obtaining, recording, registering and enforcing. Transition: Let’s look at each of the elements of informed consent. Inform Obtain Record Register Enforce 41 41 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 41

Informed Consent — Elements of Informed Consent
Clients should be informed about: What information about them is being collected, used and disclosed Why their information is being collected, use and disclosed (i.e., The purposes of the collection, use or disclosure, as the case may be (2004, c. 3, Sched. A, s. 18 (5).) How information is being collected, used and disclosed and with whom Individual’s right to give or withhold consent (2004, c. 3, Sched. A, s. 18 (5)) The positive and negative consequences of giving, withholding or withdrawing consent Intent: To outline how consent can be said to be informed. Notes: In order for us to be able to trust each other, it is important that we all have a minimum practice to make sure that the client is informed – regardless of whether you use implied or express consent. These minimum requirements include making sure the client also knows about what is being collected used and disclosed about them, what the positive or negative consequences might be, etc. You as a HSP, has the responsibilities to determine what need to tell the clients when it’s comes to consent. They also need to know the positive and the negative consequences. We need to make sure the message is neutral. What are some of the ways that you inform clients now? Do you have conversations? Posters? Something else? Transition: Let’s look at a sample consent form. 42 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Implied and Express Consent Types
Implied Consent – refers to situations in which it is reasonable to infer that the client is consenting and it is not necessary to specifically (or expressly) ask for the client’s Consent. Express Consent – refers to situations where Consent is given explicitly, either orally or in writing. Express Consent can be signed or checked off on a list. The key is to ensure the consent obtained is valid. Key messages: Different types of HSPs use implied or express consent, both of which have different pros and cons. For example: Hospitals use implied consent to minimize overhead. CMH organizations are so dependent on trust with clients, they often use express consent. The way you give the power back to the client is to make sure that they are aware of how their information is being used. In either situation, it is critical for the consent to be valid and for the client to be INFORMED Key message: Remember that express consent isn’t necessarily better for the client. Think about last time you went to the doctor and got handed a clipboard full of forms to sign. Did you feel informed? Did you understand what you were consenting to? 43 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Consent Form – Page 36 Implementation Guide
Intent: To introduce a sample consent form. Notes: The options you have are to obtain consent for each assessment or for all. You need to choose which levels you will support. If you support per assessment: You need to decide how to uniquely identify the assessment. You need to decide if you will use an assessment ID, which date range you will use (eg: date you started the assessment, date you completed it.) The sample consent form is available on the Website and in your learning materials. The central contact number for clients to call if they wish to withdraw their consent for assessments to be viewed in IAR is Transition: Let’s take a look at the sample brochure. 44 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Sample Brochure Intent: To introduce an information brochure that can be given to clients who receive assessments. Notes: In the implementation guide that you have received includes several samples that you can refer to when deciding how your HSP should inform the client. Have a look at WHAT is in these posters, brochures and scripts and think about what you want to inform your clients of and how you will inform them. Transition: This is one page of the sample brochure. Let’s look at the next page. 45 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Sample Brochure Intent: To show page 2 of the information brochure for clients. Notes: Emphasize key components of the brochure and why we designed the samples this way so they know what to think about with reference to their own brochures. Transition: Let’s look at how consent works in IAR. 46 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Sample Poster 47

Message Script The collection, use, disclosure (share) of client’s assessment We will/would like to complete the assessment with you to identify the support and service you need. The assessment will cover <<Description of Information that may be part of the assessment>>. We collect and use your personal health information during the assessment in order to provide you with services that suit your individual needs. We also use your information to coordinate service planning with other Health Service Providers in order to provide you with better service. Sharing of client’s assessment If you agree, your information may also be shared via an electronic sharing system with other agencies that provide services to you. What your Consent means Your information may only shared with other agencies with your Consent. If you do not want to share your assessment information with other agencies, you can let me know today or inform our staff anytime in the future, and we will make sure the assessment will not be shared. We also use a centralized electronic system to share assessments among partner agencies. The electronic system stores all of your assessment from <<HSP name>> and other agencies. If you don’t want any of the assessment information shared in the electronic system, please contact the support centre, who will ensure that no one will be able to access your assessments. You should know that your consent directive will take effect in <<# number of business days>>.Optional: If you give us your consent, this may mean: <<Positive and negative consequences for sharing the assessment>>. If you choose to withdraw your consent and not share your assessment, this may mean: <<Positive and negative consequences for not sharing the assessment>>. Your privacy rights You can request a copy of the assessment information in your file by contacting us. You also have the right to request a correction or amendment to your assessment information, or log a complaint if you feel that we have not addressed your privacy concern correctly. More information or question? If you would like to know more about how your personal health information is handled and shared with agencies, you can contact the privacy officer at the <<HSP name>>. They will help you understand what it means to share your assessment and will be able to answer your questions. Please contact our designated privacy contact at <<contact information>>. 48

Group Discussion Discuss at your table what your current process is for informed consent. What methods do you use? Posters Brochures Face to face discussion What methods do we want to add or change in the future? What types of material would you develop to support the future method of informing? What do we currently tell our clients? What will we tell our clients about IAR? Intent: Group discussion min Notes: Please discuss at your table the following questions and report back Debrief: Let people know that if they want to take this discussion further in their HSP go to the consent management implementation guide on the Website. Transition: Now let’s look more closely at IAR and how consent works within IAR. 49 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

IAR Consent Model IAR supports two levels of Consent Directive:
HSP-level Consent Directive applied to the assessments collected by the individual HSP IAR-level Consent Directive applied to all assessments in IAR relating to a client Intent: The intent of this slide is to review the two ways to manage consent in IAR. Notes: The health service provider level consent directive is applied to the assessment collected by your health service provider, and does not apply to the consent directives that a client may give to other health service providers. The IAR level consent directive is applied to all assessments in the IAR related to a client, meaning that all the assessments stored in the IAR by all the health service providers can have a consent directive applied to them at once. Let’s start by exploring the health service provider level consent directive. The client can always withdraw their consent for sharing any assessments through IAR regardless of which HSP conducted the assessment, and we will see how this works. What questions do you have for me about this information? Transition: Let’s look at how managing consent work in IAR. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

HSP-Level Consent Directive
HSP will obtain consent/Consent Directive from the client and register the consent in the assessment tool Consent Directive, along with the assessment, will be uploaded to IAR IAR will inherit the consent flag submitted along with the individual assessment and automatically enforce the Consent Directive in IAR Alternatively, the HSP can login to the IAR consent interface to register the Consent Directive manually Only the assessments from the HSP will be affected Intent: To introduce how HSP level consent works in IAR. Notes: Mention in here that we provided the schema to all of the vendors, and the vendors should have already implemented it into their software. For the very minority group of HSPs that the software has not completed the implementation, an alternative access is available for HSPs to login to IAR to apply the consent individually to the uploaded assessments. HSP will obtain consent/Consent Directive from the client and register the consent in the assessment tool Consent Directive, along with the assessment, will be uploaded to IAR IAR will inherit the consent flag submitted along with the individual assessment and automatically enforce the Consent Directive in IAR Alternatively, the HSP can login to the IAR consent interface to register the Consent Directive manually Only the assessments from the HSP will be affected Transition: Now let’s look at how the IAR level consent directive works. HSPs need to determine whether their software can upload the consent flag, or if they will need to do this manually Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

IAR-Level Consent Directive
To register the IAR-level Consent Directive, the client can call the Consent Call Centre: Regular Toll-free: TTY Toll-Free: Consent to share in the IAR means all of the client’s assessments across HSPs will be shared with participating HSPs that provide care to the client If consent is withheld in the IAR, all of the client’s assessments already in the IAR, and uploaded in the future, will be locked and participating HSPs will not be able to view them The more restrictive Consent Directive (either HSP-level or IAR-level) will be enforced Intent: To introduce the concept of IAR level consent. Notes: The client can call the Consent Call Centre ( ) to register the IAR-level Consent Directive: Consent to share in the IAR means all of the client’s assessments across HSPs will be shared with participating HSPs that provide care to the client If consent is withheld in the IAR, all of the client’s assessments already in the IAR, and uploaded in the future, will be locked and participating HSPs will not be able to view them The more restrictive Consent Directive (either HSP-level or IAR-level) will be enforced Client needs to understand that once they call the consent call centre and restrict their assessments from being viewed, then even if they give consent to share to an HSP afterwards, the assessment will not be visible until they call the consent call centre and update their directive to share. Transition: Now let’s look at a graphic example of how HSP level consent works in IAR. 52 Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

How Consent Works in IAR
HSP-A HSP-B HSP Level Consent Directive Assessment A1 Assessment A2 Assessment B1 Assessment B2 Yes Yes No No IAR Assessment A1 Assessment A2 Assessment B1 Assessment B2 Client No No Yes Yes Intent: The intent of this slide is to show how consent works in IAR – illustration of HSP level of consent. Notes: As you can see the client is receiving services from two HSPs. At HSP A the client has provided consent for their assessment to be viewable on IAR. As you can see, clinicians within that person’s circle of care are able to view the assessments completed at HSP A. The client is also receiving services at HSP B and has informed the staff that they do not want other clinicians to view their assessments on IAR. This consent directive is recorded and, as you can see, assessment from HSP B are not viewable on IAR. At the IAR level there is no other consent directive recorded – the client has not called to block all clinicians from viewing all assessments, so the HSP-level consent directive applies to these assessments. What questions do you have for me about this? Transition: Now let’s look at a scenario where there is a consent directive recorded at the IAR level. IAR Level Consent Directive IAR Level Consent Directive - YES Clinician 53 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 53

How Consent Works in IAR (Cont’d)
HSP-A HSP-B HSP Level Consent Directive Assessment A1 Assessment A2 Assessment B1 Assessment B2 Yes Yes No No IAR Assessment A1 Assessment A2 Assessment B1 Assessment B2 Yes Yes No No Intent: This slide illustrates the application of a consent directive at the IAR level. Notes: As you can see, the client has called the toll-free number to the IAR call centre and has informed them that they no longer want clinicians to view ANY of their assessments on IAR. Although they originally gave their consent at HSP A to have their assessments viewable, they have changed their mind. Now a “shield” has been applied at the IAR level which restricts clinicians from viewing any client assessments on IAR. Should the client call back and remove this “shield” what assessments do you think would be viewable? How might the client make viewable the assessments from HSP B? What questions do you have for me about this? Transition: Let’s discuss how the IAR is a secure environment to view and share client assessments. IAR Level Consent Directive IAR Level Consent Directive - No Clinician 54 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 54

IAR Consent Directive in Effect
Intent: IAR consent directive displayed in IAR Notes: I just want to show you in the live IAR system when someone locks down their assessments at the IAR level this is the screen you will be seeing. The biggest thing you will notice is the lock box. That means this particular client called the 1855 number to lock down their assessments. You can see some basic information – you can try to click but you won’t see anything more than this. No assessment information, no sector information. Transition: Let’s look at the HSP level consent directive in effect. 55 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

HSP Assessment Consent Directive in Effect
Intent: HSP consent directive in effect. Notes: Here I will show you when someone locks down their assessment at the health service provider. You see first a pop-up that says that restricted documents exist. You’ll see another message on the assessment view. This means that the client has locked down at least one assessment – and you don’t know what kind of assessment, who the assessor was, who the HSP was and what sector. Transition: Sometimes a client needs help – let’s look at how we can help clients. 56 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Scenarios: Client Needs HSP Help
Client is not comfortable or not able to call the Consent Call Centre by himself / herself Client does not have enough information to identify himself / herself Client has a substitute decision maker (SDM) who wants to provide a Consent Directive on his / her behalf Intent: Helping the client. Notes: These are the three scenarios when the HSP may have to step in to help the client. Mentioned in here, this is an action from the HSP/clinician, if the HSP internal policy or procedure prohibit the clinician/case worker’s involvement in this process, kindly decline the request from the client. Transition: Let’s look at this in a bit more depth. 57 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Client Needs Help with Calling Consent Call Centre
The clinician or case worker can help the client place the call to the Consent Call Centre If the client needs assistance navigating through the process during his / her encounter with the Consent Call Centre customer service representative (CSR), the clinician or case worker may help the client by repeating the message from the CSR or explaining what information is required Some basic identifying information about the clinician or case worker will be asked by the CSR to identify the client and link his / her Consent Directive to the correct assessments in IAR The client will still need to provide the consent to the Consent Call Centre himself / herself Intent: What happens when the client needs help to access the consent call centre? Notes: Here are the steps you can take to help: The clinician or case worker can help the client place the call to the Consent Call Centre If the client needs assistance navigating through the process during his / her encounter with the Consent Call Centre customer service representative (CSR), the clinician or case worker may help the client by repeating the message from the CSR or explaining what information is required Some basic identifying information about the clinician or case worker will be asked by the CSR to identify the client and link his / her Consent Directive to the correct assessments in IAR The client will still need to provide the consent to the Consent Call Centre himself / herself Again, only if the HSP is alright to assist, then the clinician will assist the client to place the call to the Consent Call Centre, and during the process, basic identifying information will be asked from the clinicians. Transition: Let’s look at when the client needs help to identify themselves. 58 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Client Needs Help Identifying Self
If the client does not have a Health Card Number, a fixed address or a telephone number, the client is required to place the call to the Consent Call Centre from an HSP The Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the client The client will provide the consent to the Consent Call Centre Some basic information about the clinician will be asked by the Consent Call Centre Intent: To discuss when a client is unable to identify themselves to the consent call centre. Notes: In cases where the client does not have enough identifiable information for the CCC to validate their identity, i.e. no Health Card Number, no fixed address, no phone number etc. Here are the steps: If the client does not have a Health Card Number, a fixed address or a telephone number, the client is required to place the call to the Consent Call Centre from an HSP The Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the client The client will provide the consent to the Consent Call Centre Some basic information about the clinician will be asked by the Consent Call Centre Transition: And now let’s look at when the Substitute Decision Maker needs help identifying themselves. 59 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

SDM Needs Help Identifying Themselves
If the client has a Substitute Decision Maker (SDM) providing the Consent Directive on their behalf, the SDM is required to place the call to the Consent Call Centre from an HSP — the Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the SDM The CSR will ask the clinician or case worker for information to validate the clinician or case worker as an authorized person from the HSP, including the clinician’s name, HSP name, HSP phone number, IAR user ID, etc. Once the identity of the SDM is verified through the clinician or case worker, the SDM will continue the encounter with the Consent Call Centre, and provide the client’s Consent Directive to the CSR Intent: Scenario: client has a substitute decision maker. Notes: Since the IAR does not keep track of Substitute Decision Maker information, the only way a SDM can be validated is through the HSP. Steps: If the client has a Substitute Decision Maker (SDM) providing the Consent Directive on their behalf, the SDM is required to place the call to the Consent Call Centre from an HSP — the Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the SDM The CSR will ask the clinician or case worker for information to validate the clinician or case worker as an authorized person from the HSP, including the clinician’s name, HSP name, HSP phone number, IAR user ID, etc. Once the identity of the SDM is verified through the clinician or case worker, the SDM will continue the encounter with the Consent Call Centre, and provide the client’s Consent Directive to the CSR Transition: Let’s think about how we can integrate these requirements into your current consent management processes. 60 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

14/04/2017 Integration Points Consent Model Informing the client: What to say, how to say it Implied or express consent Scope of the Consent Directive Structure of Consent form Consent Process When to inform the client When and how to obtain and update consent How to record the consent directive in a central location, and who performs this activity Register/Update Consent Directive How to register Consent Directives Who registers Consent Directives Enforcing Consent Directive How to effectively enforce the Consent Directive Intent: To introduce the integration points for managing consent. Notes: Review the bullet points on the slide. Now that we are getting closer to using IAR, let’s make sure we are clear on how we will record the consent directive in a central location so that it can be entered into IAR (either automatically by your software, or manually.) Transition: Now how can we support client privacy rights. Sudbury Regional Hospital Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital 61

Client Privacy Rights Support
Intent: This slide frames the upcoming slides around Client Privacy Rights Support. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Client Privacy Rights Support Process
Integrated client privacy support process (service desk) to fulfill Health Information Custodian’s (HIC) privacy obligation to: Provide access to their Personal Health Information (PHI) upon client’s request Make correction to PHI upon client’s request Handle client’s challenge concerning compliance with privacy legislation The process will interface with each HSP’s existing process and will focus on collaboration and cooperation activities Intent: Explain what client privacy right support to audience Notes: Supporting Client Privacy rights related to IAR includes Providing a client with access to his / her Personal Health Information Responding to a request for a correction to his / her Personal Health Information Providing a forum to challenge the organization’s privacy practices Local (HSP level) existing processes are assumed Transition: Let’s take a look at the approach 63 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Approach If the request to access or change the assessment or the complaint relates solely to information in the custody or control of a single HIC, local processes are used If the request to access or change the assessment involves other HICs, the HIC identifies the other involved HICs for the client If the complaint involves more than one HIC, the HINP identifies the most responsible HIC to handle the response Intent: To describe the approach to complaints or request for information. Notes: If the request to access or change the assessment or the complaint relates solely to information in the custody or control of a single HIC, local processes are used If the request to access or change the assessment involves other HICs, the HIC identifies the other involved HICs for the client If the complaint involves more than one HIC, the HINP identifies the most responsible HIC to handle the response Note: Try to point out to the audience, the only aspect IAR adds is when the client’s request (to view, change or complain) involve IAR or other HSPs, then the integrated process applies, otherwise, their local process is sufficient Transition: Let’s look at some assumptions that underscore this approach. 64 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Client Privacy Rights Support Assumptions
Each HIC has in place policies and procedures to support client privacy rights HICs only release and correct information within their custody or control HINP will only participate or coordinate the privacy complaint management process IAR is a repository of information that originates from multiple HICs and is not considered the source of truth for that information Intent: This slide outlines assumptions around client privacy rights support. Note: Each HIC has in place policies and procedures to support client privacy rights HICs only release and correct information within their custody or control HINP will only participate or coordinate the privacy complaint management process IAR is a repository of information that originates from multiple HICs and is not considered the source of truth for that information Remind HSPs that they should have internal policies governs these client privacy right support process, this is important to support the clinicians and front line workers in their response to clients. Transition: Now let’s look at some sample process maps for various client requests. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

1.0 – Request a Copy of Assessment
Intent: This slide shows a sample process for when a client requests a copy of an assessment from the HSP that completed it. Notes: Explain the process flow diagram, and mention the grey boxes are local process. Do you have any questions? What is happening at your HSP now? Transition: The next process map looks at when you receive a request to correct an assessment. *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

2.0 – Request a Correction to Assessment
Intent: To show a sample process for when a client requests a correction to an assessment. Notes: Explain the process flow diagram, and mention the grey boxes are local process Do you have any questions about this? Does your HSP have a process in place already? Is it similar to this? Transition: The next example has more players involved – let’s look at a scenario where a client files a complaint with the health information custodian. *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

3.0 – File a Complaint With the HIC
Intent: Sample process when a client files a complaint with the Health Information Custodian. Notes: Explain the process flow diagram, and mention the grey boxes are local process. Do you have any questions? This may be a new scenario for you. Do you already have a process in place? Transition: Let’s review the four steps of analyze, design, develop and implement as relates to client privacy rights. *Shaded boxes indicate existing steps in HSPs. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Client Privacy Rights Support: Analyze
Map and review existing Client Privacy Right Support process and supporting artifacts Client Request Form Patient Privacy Right Complaint Form Patient Privacy Right Complaint Report Intent: To show the steps involved in the Analyze phase Notes: Map and review existing Client Privacy Right Support process and supporting artifacts Client Request Form Patient Privacy Right Complaint Form Patient Privacy Right Complaint Report Go back and think about what you do today. Use information obtained here to analyze if any need to update local processes Transition: Let’s look at the “develop” step. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Client Privacy Rights Support: Design
Review each integration point Determine if request to view / access / change involves other HSPs Standard re-direct letter / form template to respond to client Keep Privacy Officer contact list handy for response to client Determine if the filed complaint involves other HSPs Establish a communication mechanism with the HINP for escalation of privacy complaint Make decision on each integration point on the next slide Update the existing process Intent: This slide illustrates the steps involved in designing your process. Notes: Review each integration point and: determine if request to view / access / change involves other HSPs create a standard re-direct letter / form template to respond to client keep Privacy Officer contact list handy for response to client determine if the filed complaint involves other HSPs establish a communication mechanism with the HINP for escalation of privacy complaint Make a decision on each integration point on the next slide. Update the existing process. Transition: Let’s look at the integration points in more detail. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Design Integration Points
HINP Privacy & Security Processes 14/04/2017 Design Integration Points Client requests a copy of an assessment How do you use IAR to determine if the request involves other assessments from HSPs? Redirect client to make request to other HSPs – make use of the provided form template Client requests change to assessment Use IAR to determine if request involves other HSPs Review process of consulting with staff if changes can be made or not Use form template to respond to client Client files privacy complaint Who reviews complaint and determines if other HSPs are involved? Review communication mechanism with HINP to escalate the privacy complaint that involves other HSPs Intent: This slide discusses integration points. Notes: Go through all key integration points. Pick one or two sub-bullets, elaborate them. Client requests a copy of an assessment How do you use IAR to determine if the request involves other assessments from HSPs? Redirect client to make request to other HSPs – make use of the provided form template Client requests change to assessment Use IAR to determine if request involves other HSPs Review process of consulting with staff if changes can be made or not Use form template to respond to client Client files privacy complaint Who reviews complaint and determines if other HSPs are involved? Review communication mechanism with HINP to escalate the privacy complaint that involves other HSPs Refer to the exercise in the manual, even if there is not enough time to do the exercise in class, the HSPs should be reminded to do the exercise when they get back to the office. Transition: Let’s look at development. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 71

Client Privacy Rights Support: Develop
Review the samples provided Determine if you will update your existing materials: Process maps Client Request form, if needed Client Request Response form, if needed Patient Privacy Right Complaint form, if needed Patient Privacy Right Complaint report, if needed Intent: Outlines the develop step for client privacy rights support. Notes: Review the samples provided Determine if you will update your existing materials: Process maps Client Request form, if needed Client Request Response form, if needed Patient Privacy Right Complaint form, if needed Patient Privacy Right Complaint report, if needed Transition: Next we’ll look at the implement step. 72 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Client Privacy Rights Support: Implement
HINP Privacy & Security Processes 14/04/2017 Client Privacy Rights Support: Implement Approve the process by senior management Communicate the process with all staff Provide training and awareness to your clinical staff or health record personnel Establish a communication mechanism with the HINP ( or phone call) Intent: illustrates the implement step for client privacy rights support. Notes: Approve the process by senior management. Communicate the process with all staff. Provide training and awareness to your clinical staff or health record personnel. Establish a communication mechanism with the HINP ( or phone call). Stress the fact that buy-in from senior management will help them down the road. Transition: Now let’s look at user account management. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 73

User Account Management
Intent: This slide begins the discussion about user account management. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management
User account management process must be established to ensure only authorized users with business need can access the IAR: Users within each organization can access IAR systems only for the purpose of providing health care User account request has to be reviewed and approved User account must be disabled immediately when user leaves the organization Intent: This is the purpose of user account management. Notes: User account management process must be established to ensure only authorized users with business need can access the IAR: Users within each organization can access IAR systems only for the purpose of providing health care User account request has to be reviewed and approved User account must be disabled immediately when user leaves the organization Do you have any questions? Transition: Now let’s look at the approach for user account management. 75 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management: Approach
User Account Management is centralized IAR Support Centre at CCIM acts as the single point of contact for all HSPs participating in IAR HINP is responsible for all user account administration activities (creation, update, change and removal) Each HSP is asked to identify and submit the name of its user authority and user coordinator to CCIM Intent: Explain IAR User Account Management approach Notes: Emphasize that IAR User account management are done centrally by the HINP, i.e. user account creation, modification, and removal. However, HSPs always send requests to the CCIM contact centre. The CCIM contact centre will relate the request to the appropriate HINP. User Account Management is centralized. IAR Support Centre at CCIM acts as the single point of contact for all HSPs participating in IAR. HINP is responsible for all user account administration activities (creation, update, change and removal). Each HSP is asked to identify and submit the name of its user authority and user coordinator to CCIM. Transition: OK, now let’s look at the responsibilities at the HSP. 76 76 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

HSP User Account Management Responsibilities
Each participating organization has a designated person to authorize user access to IAR called a User Authority (UA) A UA should be someone in management or someone who has knowledge of who should use IAR Each participating organization has a designated contact person for day-to-day user account management activities called a User Coordinator (UC) A UC is responsible for liaising with the Support Centre for modification or update of user details, and removal of user account when user no longer requires access Intent: This slide defines the user authority and the user coordinator roles. Notes: Walk through the roles of User Authority and User Coordinator: Each participating organization has a designated person to authorize user access to IAR called a User Authority (UA) A UA should be someone in management or someone who has knowledge of who should use IAR Each participating organization has a designated contact person for day-today user account management activities called a User Coordinator (UC) A UC is responsible for liaising with the Support Centre for modification or update of user details, and removal of user account when user no longer requires access Emphasize that the UA is accountable to authorize each user from your organization. We have examples in previous implementations that one individual assumed both the UA and UC role, mostly smaller organization. In some organizations, the clinical lead often assumes the UA role, since they know exactly who should have access to IAR and who may not. Transition: Let’s look at user responsibilities. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Responsibilities
Every IAR user has to be authorized by an HSP Every IAR user must read the IAR User Agreement before receiving a user account (HSP responsibility) Every IAR user has to read and accept the IAR User Agreement before access (on screen, upon login) User accounts are disabled immediately when users no longer require access Intent: This slide covers user responsibilities. Notes: Upon login, every IAR user will be presented with the Terms of Use again, and the user has to click to accept the terms of use before able to use IAR. Emphasize the responsibilities of the user, that the user must read and sign the User Agreement before the UA authorizes the account request. Keep in mind that: Every IAR user has to be authorized by an HSP Every IAR user must read the IAR User Agreement before receiving a user account (HSP responsibility) Every IAR user has to read and accept the IAR User Agreement before access (on screen, upon login) User accounts are disabled immediately when users no longer require access Transition: Let’s begin to understand the processes for user account management. 78 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management Process Maps
HSP can: Request a new user account to access IAR Request a change or update of user account information (e.g., phone number, location, , etc.) Request to remove one or multiple user accounts (e.g., user left organization, user no longer has IAR access) Processes are developed based on these three scenarios Intent: Outlines three user account management processes for HSPs to develop. Notes: There are three scenarios that HSPs are responsible for developing processes around for user account management: Request a new user account to access IAR Request a change or update of user account information (e.g., phone number, location, , etc.) Request to remove one or multiple user accounts (e.g., user left organization, user no longer has IAR access) Transition: Let’s look at a process diagram for creation of new users. 79 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

1.0 Creation of New Users HINP Privacy & Security Processes 14/04/2017 Intent: This slide outlines a sample process based on the first scenario – creation of new users. Notes: Walk through the process map with participants, step by step. Ask if there are any questions. Ask if they might do anything differently. Transition: Let’s look at the next process map based on the scenario, request to change. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 80

2.0 Request to Change HINP Privacy & Security Processes 14/04/2017 Intent: This slide outlines a sample process based on the second scenario – request to change. Notes: Walk through the process map with participants, step by step. Ask if there are any questions. Ask if they might do anything differently. Transition: Let’s look at the next process map based on the scenario, removal of users. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 81

3.0 Removal of Users HINP Privacy & Security Processes 14/04/2017 Intent: This slide outlines a sample process based on the third scenario – removal of users. Notes: Walk through the process map with participants, step by step. Ask if there are any questions. Ask if they might do anything differently. Transition: Let’s look at the steps that can help you to design your process, starting with the first step, analyze. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 82

User Account Management: Analyze
Map and review existing User Account Management process How are current IT user accounts being provisioned? Are there any existing process you can leverage? Who initiates user account creation/change/removal? Who authorizes user account creation? Who authorizes user account change or removal? Intent: How analysis works with user account management. Notes: Map and review existing User Account Management process How are current IT user accounts being provisioned? Are there any existing process you can leverage? Who initiates user account creation/change/removal? Who authorizes user account creation? Who authorizes user account change or removal? HSPs are encouraged to leverage current processes to see what can stay the same versus creating a new process from scratch. Transition: Now let’s look at the next step in creating a process for user account management, design. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management: Design Integration Points
Creating new user account after implementation (non-bulk) Changing user details, such as phone number, work locations, or name Remove user account when user no longer requires IAR access (e.g., due to change of job function or departure from the organization) Intent: an overview of the design integration points. Notes: There are three considerations, or design integration points, to think about when creating a process to manage user accounts. When you first set up IAR you create a bulk set of users. How are you going to create new users after this initial set? Think also about how you will change user details, such as phone number, work locations or name? Will the static IP address when a staff person transfers from one program or department to another, for example? Also consider how you might handle removing a user account when the person no longer requires access to IAR – this could be due to a change of job function or a departure from the organization. These are the points to keep in mind as you develop your process. Transition: Now let’s look at how you can develop your process. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management: Develop
Obtain decisions on each integration point Who is to be the User Authority? Who is to be the User Coordinator? Do you need multiple UAs and/or UCs? Get your Executive Lead to appoint the UA and UC Update the existing IT account provision process (if needed) Intent: Hints to develop a useful account management process. Notes: It is the Executive Lead (one of the IAR Change Team role) who is responsible to nominate the User Authority and User Coordinator, but as the Privacy and Security Lead, and being on this training, you may want to share some of the information pertaining to these roles with the executive lead to help him/her to decide who are the right person in the organization to assume these roles. Transition: Now let’s look at how you can implement the process. 85 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

User Account Management: Implement
HINP Privacy & Security Processes 14/04/2017 User Account Management: Implement Approve the process by senior management Communicate the process with all staff Provide training and awareness to the User Authority (UA) and User Coordinator (UC), and perhaps all IAR users Intent: Review implementation of user account management. Notes: As with most changes, implementation – and buy-in from senior management – is key. Approve the process by senior management. Communicate the process with all staff. Provide training and awareness to the User Authority (UA) and User Coordinator (UC), and perhaps all IAR users. Do you have any questions? Transition: Now let’s look at the next process: Audit Log Review. Sudbury Regional Hospital Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 86

14/04/2017 Audit Log Review Audit Log Review Intent: This slide begins the discussion on audit log review. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 87

Audit Log Review PHIPA requires access to PHI be on a need-to-know basis Organizations must have controls in place that regulate access and also log activity and procedures to regularly review logs and user access activity Audit logs and reports play an important role in access review process and breach investigations. Log review process must be established to identify any privacy breach and security incident HIC: Organizational level privacy logs should be reviewed by Local Privacy Officer regularly, depending on the volume and perceived risk level, to detect unauthorized access to PHI HINP: Global privacy logs should be reviewed for investigation purpose only by HINP Privacy Officer (e.g., if an incident occurs and HINP needs to perform investigation) Security Event Log should be reviewed daily to once a week by HINP Administrator to detect error or security incidents Intent: Overview of Audit Log review. Notes: PHIPA requires access to PHI be on a need-to-know basis. Organizations must have controls in place that regulate access and also log activity and procedures to regularly review logs and user access activity. Audit logs and reports play an important role in access review process and breach investigations. Log review process must be established to identify any privacy breach and security incident. HIC: Organizational level privacy logs should be reviewed by Local Privacy Officer regularly, depending on the volume and perceived risk level, to detect unauthorized access to PHI HINP: Global privacy logs should be reviewed for investigation purpose only by HINP Privacy Officer (e.g., if an incident occurs and HINP needs to perform investigation) Security Event Log should be reviewed daily to once a week by HINP Administrator to detect error or security incidents Transition: Let’s look at some Audit Log Review guidelines. 88 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Audit Log Review Guidelines
Audit log review is conducted at the HSP and HINP HSP Privacy Officer reviews local audit logs and reports for potential incidents HINP is involved if the log review at the HSP uncovers incident requiring HINP to assist in the investigation HINP Privacy Officer reviews audit logs for potential incidents that affect IAR and the HINP IT infrastructure HINP communicates to HSP if an incident is uncovered at the HINP that affects other HSPs (*This triggers Integrated Incident Management process) Intent: Guidelines for developing an audit log review process. Notes: Each HSP can access the audit log and review activities generated by the users from their organization only, thus the HSP privacy and security lead’s responsibility is to monitoring their user activities for any potential incident or inappropriate access etc. The HINP privacy officer is able to review user activities from every organization in his/her cluster, thus able to support the HSP in any incident investigation. Transition: Let’s look at more guidelines Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Audit Log Review Guidelines
Establish review schedule and routine Understand user activity baseline Look for out-of-ordinary activities and events: Unauthorized access Excessive client searches Excessive assessment searches Investigations User ID-based Client/Patient ID-based Intent: Guidelines for developing an audit log review process. Notes: The single most important step in Audit Log Review is to establish a schedule or routine to regularly review the IAR audit log and reports. If the audit log is not being reviewed, it doesn’t matter how detail information is being captured in the log. In order to make sense of the information in the audit log and report, it is important for the HSP to understand what they are looking for. In order to know what to look out for, it is critical to have an understanding what are consider normal user activities in the organization, or we call it a user activity baseline. Once you have established a baseline, it is much easier to spot any out-of-ordinary behaviour. For example, if you know most of your user login in between Monday to Friday, and between the hours of 8am to 5pm, any access from your user on a Saturday evening at 11pm should warrant more investigation. Transition: The audit log and report provides User-ID and Client-ID based investigation capability (we will show you in a moment) Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Operational Reports OP1 – List of IAR Users
OP2 – List of IAR Organizations Intent: Review functionality of Operational reports Notes: For this section there is also an online video that you can review to help you to navigate through these reports. What you see on the screen is the home screen when you log on as Privacy Officer, the reports are on your left hand side menu. Transition: Let’s look at OP1 – list of IAR users Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

OP1 – List of IAR Users Intent: OP1 - List of IAR users. Notes: IAR Users Report (OP1) This report provides a list of all IAR users, primarily sorted by their organizational affiliations and secondarily by their roles. It can be used to provide a list of all users that have not logged in to IAR for a specified period of time, to identify User Accounts that may need to be deactivated because they are no longer in use. This report can be downloaded in CSV format so that it can be modified in an excel spreadsheet, for example. Transition: Now let’s look at OP2 – List of IAR organizations Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

OP2 — List of IAR Organizations
Intent: OP2 – List of Orgs. Notes: OP2 shows all of the IAR organization, their organization name, Organization ID, as well as when the join this particular cluster. OP2A can be used to identify which organization a user was from when accessing an assessment conducted by your HSP. Transition: Now let’s look at privacy reports. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Privacy Reports PS1 – IAR User Activity Report
PS2 – IAR Event Type Report PS3 - IAR Consent Directives History Report PS4 - IAR Current Consent Directive Report PS5 – IAR User PHI Access Report PS6 – IAR PHI Disclosure Report PS7 – Assessment Disclosure Query Intent: To review privacy reports. Notes: The Privacy Reports can be selected from the Privacy Officer’s home screen, from the menu on the left side of the screen. Transition: Let’s look at the first report, PS1 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

PS1 – User Activity Report
Intent: To introduce participants to the IAR user activities report – PS1 Notes: IAR User Activities Report (PS1) The report will present a list of logged audit events on a user-by-user basis. You may find the information presented are somewhat limited, it is because it is a pre-defined (or canned) report, we only selected the data fields that are most useful for this report. When accessing the audit log files, you will see a lot more information or data fields associated with each audit event record. It can be used to view a list of logged audit events on a user-by-user basis such as searching for a person, opening an assessment, printing an assessment and changing a password. Transition: Now let’s look at PS2 – event type report. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

PS2 – Event Type Report Intent: introduce participants to Event Type Report – PS2 Notes: This report can be used to create a list of user login events. The event type includes failed logins, successful logins or both. Transition: Now let’s look at the IAR consent directives history report. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

PS3 – IAR Consent Directives History Report
HINP Privacy & Security Processes 14/04/2017 Intent: to introduce participants to the IAR consent directives history report – PS3 Notes: This report displays a list of both IAR-level and HSP-level consent directive changes for a client in a specified time period. This report shows all consent directives requested by this client and updated in IAR system during the specified period of time. For this report, the privacy and Security Lead can only generate the report for the client associated with the HSPs the privacy and Security Lead works for. The report will show consent directive type (IAR or HSP) and directive (Grant or Deny). Transition: Now let’s move on to PS4 – IAR consent directive report. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 97

14/04/2017 PS4 – IAR Current Consent Directive Report Intent: to introduce participants to the IAR current consent directive report – PS4 – IAR Notes: This report displays a list of both IAR-level and HSP-level consent directive currently registered for a particular client. If the client has never requested or changed his/her IAR level consent directive, the default IAR-level consent directive is “GRANTED” and is not presented in this report. Therefore, if this report does not display the IAR level consent directive, it indicates that the client gives the consent to share all his/her assessments in IAR. The central privacy officer can generate this report by searching for a particular client. Transition: Let’s take a look at PS5 – User PHI Access Report. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital 98

PS5 – User PHI Access Report
Intent: to introduce participants to the user PHI access report – PS5 Notes: This report presents a list of all the assessments accessed by a specific IAR user. Based on the selected User ID and date/time range, the report shows which patient/client, and which assessments that user has reviewed or accessed. This report is focused on access related events (i.e. events where either the PHI and/or the assessments were viewed). Transition: Now let’s look at PS6 – IAR PHI disclosure report. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

PS6 – IAR PHI Disclosure Report
Intent: PS6 Notes: PS6 - IAR PHI Disclosure Report This report, based on the selected patient id and date/time range, will present which user from which organization has accessed this selected patient’s assessment records upload by the current organization. Typically, this would be use to investigate if a patient come complaining about their assessments are beign inappropriately accessed by someone in other organization, then this report may provide some evident of who from which organization has access the patient’s assessments upload by your organization. This information in itself may not be sufficient to proof inappropriate access. Transition: And finally let’s explore PS7 – Assessment Disclosure Report Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

PS7 – Assessment Disclosure Report
Intent: to introduce participants to the assessment disclosure report – PS7 Notes: This report displays users from outside of the current organization who have accessed person assessments belonged to (uploaded from ) the current organization. This information is useful for the current organization to take note how frequent their uploaded assessments are being accessed, and by how many different organizations. The query will find users only from outside of the current organization who have accessed person assessments uploaded from the current organization. Transition: Let’s look at a different way to view reports that’s different from the onscreen display. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Report Format Intent: Show how formatting works in the web browser Notes: All reports are displayed in a way that let’s you sort the information by column title. Transition: You can also get in CSV format – let’s find out how. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Report in CSV Format Intent: introduce participants to the reports’ CSV format. Notes: All audit log report can also be exported as a CSV file, which stands for Comma Separated Version, that means if you have Microsoft Excel installed on your computer, IAR can automatically export the report result as an Excel file, so you can make use of many Excel feature to sort, filter, print the report. If you do not have excel, the export will look like this file, and this format can be imported to any Excel or excel-like programs. Once exported into a spreadsheet program you can modify and sort and slice and dice the information to suit your needs (i.e., pivot tables) Transition: Now that we have reviewed the reports that help you to conduct your audit log review, let’s move on to Privacy review. CSV formatted files can be imported into Excel for further analysis and formatting Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Privacy Review Privacy Review Intent: This slide frames the discussion about the privacy review process. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Privacy Operations Review
Privacy review is defined in the Data Sharing Agreement All HSPs should conduct privacy and security self-assessment on a regular basis, which will assess the effectiveness and efficiency of the privacy operations to ensure continued compliance with the DSA The self-assessment should be conducted based on a checklist agreed by all HSPs, to ensure consistency and comparability of the result The results of the self-assessment shall be signed off by the HSP’s senior management and submitted to the Privacy and Security Committee for review Privacy and Security Sub-Committee reviews gaps and mitigation plans from HSPs HINP follows up on progress of mitigation plans from HSPs Intent: This slide introduces the concept of privacy operations review. Notes: Privacy review is defined in the Data Sharing Agreement and includes the following elements. All HSPs should conduct privacy and security self-assessment on a regular basis, which will assess the effectiveness and efficiency of the privacy operations to ensure continued compliance with the DSA The self-assessment should be conducted based on a checklist agreed by all HSPs, to ensure consistency and comparability of the result The results of the self-assessment shall be signed off by the HSP’s senior management and submitted to the Privacy and Security Committee for review Privacy and Security Sub-Committee reviews gaps and mitigation plans from HSPs HINP follows up on progress of mitigation plans from HSPs Transition: The use of a self-assessment checklist is required. Let’s take a look at what’s involved. 105 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Self-Assessment Checklists
Sections General Governance and Operations Consent Management Audit Log Review Client Privacy Right Support Integrated Incident Management User Account Management Intent: Introduces participants to the sections in the checklist. Notes: Like a table of contents, the sections allow you to follow the checklist in the booklet. Transition: Let’s look at a screenshot of what it looks like. Refer to checklist in the booklet. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Intent: View of checklist.
Notes: Sample page of the self-assessment checklist – you can ask the audience to open the current Self-Assessment checklist document to see the kind of assessment questions are expected from the Privacy Review process. Transition: Now what do you have to think about when you get back to your HSP. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Integration Points Identify who is accountable for signing off on the self-assessment report Identify who is responsible for performing the self-assessment and conducting the review Identify if there is a need to involve different individuals when conducting the different area or section of the review Intent: Review responsibilities. Notes: Identify who is accountable for signing off on the self-assessment report that is submitted periodically. Identify who is responsible for performing the self-assessment and conducting the review. Identify if there is a need to involve different individuals when conducting the different area or section of the review. Knowing how and what your HSP will be evaluated on, and who in your organization should be prepared to get involved should be part of the implementation consideration. What questions do you have about the self-assessment checklist. Transition: Let’s look at the final Process - EMPI Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Enterprise Master Patient Index (EMPI)
Intent: This slide introduces the topic of the Enterprise Master Patient Index (or EMPI for short). Notes: Mention that next steps for the Health Records Lead will be to attend a webex specific EMPI. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

EMPI Overview EMPI is an Enterprise Master Person Index that uniquely identifies a person across multiple sources (HSPs) EMPI creates a unique enterprise identifier (EID) for any single client EMPI establishes and maintains a mapping between the EID and the client’s identifier used inside each of the participating HSPs EMPI operations ensure the accuracy, completeness and “up-to-date-ness” of a client’s demographics to uniquely identify a person across multiple sources (HSPs) Define the processes to identify, escalate, resolve issues related to client’s demographic information Intent: Explain EMPI and how’s it related to them. Notes: EMPI stands for Enterprise Master Patient Index, some of you may be confused with the Provincial Diabetic registry, they are NOT the same system. The provincial EMPI requires a Health Card Number, where as our IAR EMPI does not. EMPI is an Enterprise Master Patient Index that uniquely identifies a person across multiple sources (HSPs), thus assessments that belongs to the same person, although uploaded from different HSPs, will be linked together, so clinicians or case workers will be able to show all relevant assessment for that client. EMPI uses a special algorithm to compare and match client’s demographic information. Transition: Let’s look at how matching is done. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

How Matching Is Done The EMPI compares demographic data from each assessment and creates matches based on an algorithm and established thresholds Demographic information used includes: First Name Last Name Date of Birth Gender Telephone Number Address Health Card Number Better matches are reached when using a Health Card Number Intent: This slide describes how matching is done in the EMPI. Notes: EMPI basically uses the following 7 pieces of personal information to match a patient First Name Last Name Date of Birth Gender Telephone Number Address Health Card Number When the Heath Card Number is used, the match rate is much higher. Transition: Let’s look at an HSP role that helps the EMPI to match records. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Health Records Lead Role
Designated by the Executive Lead Helps resolve EMPI data element issues: Potential linkage Potential duplicate Potential overlay Interacts with the EMPI Data Steward (EDS) at Consolidated Health Information Services (CHIS) – the EMPI HINP Liaises with clinicians, health record personnel, and/or Privacy Officer and facilitates resolution to data element issues Intent: Details of the Health Records Lead Role Notes: Each organization has to establish a contact person for EMPI, we called this role, the Health Record Lead. At the EMPI HINP, the organization that hosts and supports the EMPI system, there is a role called the EMPI Data Steward, this person reviews any client information that can not be linked automatically, may be insufficient information. The EMPI Data Steward works with the HSP Health Record Lead to articulate the reason of EMPI rejection, and the HSP health record lead will work with the HSP clinicians and/or case workers to it is a duplicate, an overlay (mistakenly linked together), and then work with the HSP to resolve the date element issue and then re-upload to IAR. Transition: Let’s look at some FAQs about EMPI. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Typical EMPI Questions
Potential Linkage – record for the same person from a different source Potential Duplicate – duplicate record for same person in same source Potential Overlay – same record with different person (NOTE: no records can be viewed from IAR until an overlay issue is resolved) Intent: Review some typical questions about the EMPI Notes: This slides explains the 3 different potential rejection from EMPI that requires the EMPI Data Steward’s intervention, and in turn help from HSP Health Record Leads Potential Linkage – EMPI finds a second client/patient that may be a match with an existing patient/client record, but not enough information to meet the EMPI threshold, e.g. DOB Oct compare to Feb 10, 1977 Potential Duplicate – EMPI finds a 2nd client record comes in from the same source but with different Client ID or identifier, but the rest of info are same of close, EMPI flag this as a potential duplicate, that needs attention Potential Overlay – EMPI finds a 2nd client records comes in using identifier as a previous client, but demographic info are so different that these are potentially 2 separate individual. Transition: Let’s look at a summary of the process. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

EMPI Process Summary EMPI Data Steward notifies HSP of data quality issues or errors identified from EMPI regarding client demographic information HSPs evaluate, investigate and resolve the identified data quality issues or data errors HSPs resubmit assessments if issues are identified and corrected EMPI Data Steward and CCIM Support to work with HSPs to resolve major demographic data quality issues or data errors Intent: This is a summary page, trying to re-cap discussion from previous slides. Notes: EMPI Data Steward notifies HSP of data quality issues or errors identified from EMPI regarding client demographic information HSPs evaluate, investigate and resolve the identified data quality issues or data errors HSPs resubmit assessments if issues are identified and corrected EMPI Data Steward and CCIM Support to work with HSPs to resolve major demographic data quality issues or data errors Transition: Let’s switch topics now to talk about communications, awareness and training and next steps. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Communication, Awareness and Training, and Next Steps
Intent: This slide introduces the topics of communication, awareness and training and next steps. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Communication HSPs need to raise key stakeholders’ awareness and support of the privacy and security of IAR HSPs need to obtain the support for the privacy and security implementation HSPs need to ensure timely, consistent, clear and coordinated messages CCIM will support the HSPs in their communication activities through the development of tools and materials Intent: Review communications guidelines Notes: Remember when we looked at the hot dog diagram, we had the “lower bun” communication is one of the boxes in that bottom bun. Communication helps you to implement the dsa processes and fulfull your obligations under the DSA. Transition: Let’s look at the importance of awareness and training. 116 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Awareness and Training
HSPs need to raise the staff’s awareness of the privacy and security of IAR HSPs need to provide training on the privacy processes to the staff who participate in the privacy management activities, such as consent management, breach management, etc. CCIM will support HSPs in their awareness and training activities through the development of training tools and materials Intent: Review Awareness and Training Notes: HSPs need to raise the staff’s awareness of the privacy and security of IAR HSPs need to provide training on the privacy processes to the staff who participate in the privacy management activities, such as consent management, breach management, etc. CCIM will support HSPs in their awareness and training activities through the development of training tools and materials Likewise in the bottom bun supporting your implementation of IAR – awareness and training is critical. You may already have a training program in place. Doing it once a quarter would be great – try to integrate some of what we’ve talked about. You may also want to have an ad-hoc program to talk about the new IAR pieces. Transition: Let’s review your next steps. 117 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Next Steps Review and implement privacy and security processes to support IAR Complete the required forms and send to CCIM Attend the DSA Workshop if you have not already, get the DSA signed, and send it to CCIM Check out the Common Privacy Framework Intent: review next steps Notes: Review and do live demo if web connection exists. Advertise: CPF Framework available on the website to help you to improve your privacy practice. Elearning exists – check it out. Consent management implementation guide Common privacy framework Supplementary materials – push people to website. 118 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

Support Centre Monday to Friday Email 8:30 am ― 4:30 pm
option 8 Intent – to show contact information for CCIM project support. Privacy, Security and Consent Management Training for IARSudbury Regional Hospital Sudbury Regional Hospital

Thank You! Intent: To give thanks for participants. 120 Privacy, Security and Consent Management Training for IARSudbury Regional Hospital

HINP Privacy & Security Processes

Similar presentations

Presentation on theme: "HINP Privacy & Security Processes"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

HINP Privacy & Security Processes

Similar presentations

Presentation on theme: "HINP Privacy & Security Processes"— Presentation transcript:

Similar presentations

About project

Feedback