©2011 OntarioMD Inc. Confidential, not to be reproduced without permission.

Slide 1: Privacy & Security for Electronic Medical Records
Delivered to: [Insert Name of Practice]
Delivered by: [Insert Name of Field Staff]
Date: [Insert Date]

Slide 2: Note
OntarioMD is not an authoritative source of privacy legislation or policies. The information and tools provided are intended to guide and assist physicians and their staff, and should not replace the practice’s own review and understanding of legislation and/or advisement of legal counsel. OntarioMD is not involved in monitoring or assessing adherence to privacy and security, nor does it get involved in privacy breaches.

Slide 3: Agenda
- Introduction
- Key Concepts and Definitions
- Responsibilities of the Practice
- OntarioMD’s Privacy and Security Guide and Workbook
- Additional Content
  - Q&A
  - IPC Orders
  - PHIPA and Privacy Breaches
  - Health Information Network Providers

Slide 4: INTRODUCTION

Slide 5: Objectives
- Provide an overview of privacy and security, with a particular focus on the Personal Health Information Protection Act (2004) and Electronic Medical Records, including:
  - Importance of privacy and security
  - Key concepts and definitions
  - Responsibilities of physicians and practices
  - How to handle privacy breaches
- Introduce the Privacy & Security Guide and Workbook for Electronic Medical Records, along with supporting resources and tools

Slide 6: Importance of Privacy & Security
- Sensitive nature of personal health information
- Need to establish trust and comfort in the system and care providers
- Time, resources, costs and reputational implications of privacy breaches
- It’s the law
Privacy and security risks can be minimized with some fundamental tools, processes and practices.

Slide 7: Implications of Privacy Breaches
- Discrimination, stigmatization and psychological or economic harm to patients based on the information
- Patients may withhold or even falsify information to providers
  - Conditions may go untreated
  - Patient safety may be at risk
- Compromised quality of health services
- Reputational damage to the health provider
- Time, resources and costs to address privacy breaches, including legal liabilities and proceedings

Slide 8: How do privacy and security requirements change with an EMR in the picture?
- They don’t – the same requirements apply
- However, with EMRs there are additional considerations:
  - Information in electronic format is easier to transfer to portable devices and remove from a secure location
  - Hardware and devices should be secured
  - Transfers of information need to be encrypted

Slide 9: KEY CONCEPTS AND DEFINITIONS

Slide 10: Personal Health Information Protection Act (PHIPA)
- Also known as “the Act”
- Ontario legislation, in force as of November 1, 2004
- Pertains to the collection, use and disclosure of personal health information by organizations and individuals delivering health care

Slide 11: Personal Health Information (PHI)
Information that:
- Relates to a person’s physical or mental health
- Relates to the provision of health care to the person
- Identifies a person’s health care provider
- Identifies the person’s substitute decision maker
- Relates to payments or eligibility for health care
- Is the person’s health number
- Relates to the donation of body parts or substances
- Is a plan of service under the Home Care and Community Services Act,

Slide 12: Health Information Custodians (HICs)
- A health care practitioner who provides health care
- A person who operates a group practice of health care practitioners who provide health care
- Hospitals, psychiatric facilities, independent health facilities
- Pharmacies, ambulance services, laboratories, specimen collection centres
- Long-term care homes, care homes, homes for special care
- Community care access corporations
- Medical officers of health of boards of health
- Minister/Ministry of Health and Long-Term Care
- Minister/Ministry of Health Promotion

Slide 13: Agents (of Health Information Custodians)
- Someone who acts for, or on behalf of, the HIC for a wide range of purposes
- May have access to complete or partial records
- Examples include:
  - Employees of the HIC
  - Records management service providers
  - Claims management services

Slide 14: Electronic Service Providers
- Persons who supply goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information (e.g. EMR vendor, document management providers, etc.)
- Generally, PHIPA requires that such service providers:
  - Must not use any personal health information to which they have access, except as necessary in the course of providing the services;
  - Must not disclose any personal health information to which they have access;
  - Must not permit persons acting on their behalf to access information, unless the person agrees to comply with the restrictions placed on electronic service providers.

Slide 15: Health Information Network Providers
“…a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.”
There are a number of specific obligations of HINPs set out in PHIPA.

Slide 16: A Note About Consent
- In Ontario, consent for the collection, disclosure and use of personal health information is implied (i.e. no explicit consent is required)
- Individuals can withdraw consent
- Express consent is required when:
  - An HIC makes the disclosure to a person that is not an HIC, or
  - An HIC makes the disclosure to another HIC and the disclosure is not for the purposes of providing health care or assisting in providing health care

Slide 17: Information Privacy Commissioner
The Information and Privacy Commissioner of Ontario (IPC) has oversight responsibility for the Act, which includes:
- Public and stakeholder education
- Providing information to the public on the Act and the roles and responsibilities of the IPC
- Receiving and responding to complaints
- Undertaking reviews and investigations
- Issuing orders

Slide 18: RESPONSIBILITIES OF THE PRACTICE

Slide 19: 7 Checklist Items based on PHIPA
Privacy Contact Person
1. Privacy contact person for the practice has been identified.
2. Privacy contact person is adequately and sufficiently educated and trained.
Policies and Practices
3. Existence of a written privacy policy.
4. Existence of a written public privacy policy.
Understanding and Agreements
5. Staff understand, agree to and comply with privacy and security requirements.
6. Third parties understand, agree to and comply with privacy and security requirements.
Information Security
7. The work environment is safe and secure in protecting personal health information.
This checklist is contained in the Privacy and Security Guide and Workbook, along with a number of resources (tools and templates) for each checklist item as required.

Slide 20: 1. Privacy contact person for the practice has been identified
- Most often, this person should be a physician
- Designate a backup/contingency contact as well
- Examples of responsibilities of the contact person(s) include:
  - Monitoring of compliance with, and breaches of, policies; escalation as required and notification to patients
  - Ensuring ongoing understanding and agreements of staff and third parties
  - Communication and dissemination of policies and information

Slide 21: 2. Privacy contact person is adequately and sufficiently educated and trained
- This applies to the back-up contact as well
- The privacy contact should be familiar with PHIPA as well as various approaches to addressing privacy and security requirements for the practice

Slide 22: 3. Existence of a written privacy policy addressing the collection, use, disclosure and retention of PHI in accordance with PHIPA and other applicable legislation
- In addition to having a policy, the privacy contact should make efforts to ensure that policies are actually implemented, followed and monitored
- Practices should be established for dealing with suspected and actual privacy breaches within the practice

Slide 23: 4. Existence of a written public policy regarding the practice’s information practices, who to contact with privacy questions or complaints, and how to obtain access to or request correction of a record of personal health information
- Public policies should be readily accessible to patients. For example:
  - A paper copy could be on hand to be shown to anyone who requests it
  - An electronic copy could be made available and/or posted on the practice’s website
  - A printed copy could be posted in the practice
- Ensure that the practice is prepared by having the necessary consent management practices and policies in place

Slide 24: 5. Staff understand, agree to, and comply with privacy and security requirements
- Ensure that employees understand the concepts reflected in the agreement
- Provide information, educational tools and/or sessions as necessary
- Monitor compliance

Slide 25: 6. Third parties understand, agree to, and comply with privacy and security requirements
- These may include various agents, electronic service providers, and/or health information network providers

Slide 26: 7. The work environment is safe and secure in protecting PHI
Considerations should be made for the following (at a minimum):
- Printers, photocopiers, and fax machines
- Phone manner and etiquette
- Meeting areas
- Mobile computing
- Physical (clear) desk environment
- Password guidelines and use
- Protection and backup of information

Slide 27: ONTARIOMD’S PRIVACY AND SECURITY GUIDE AND WORKBOOK

Slide 28: Overview

Slide 29: General Privacy & Security Checklist
Addresses the previously mentioned responsibilities of the practice

Slide 30: Tools and Templates for all Checklist Items
Examples:
- Sample Office Privacy Policy
- Confidentiality Agreement for Physician Office Employees
- Sample Contractual Privacy Clause for Employees and Third Parties
- Sample Office Privacy Handout Policy Sample

Slide 31: Additional Resources Cited and Provided
- Personal Health Information Protection Act, 2004

Slide 32: ADDITIONAL CONTENT

Slide 33: Q&A

Slide 34 (Q): Which of the following are the Acts regarding privacy of information in Ontario?
a) Freedom of Information and Protection of Privacy Act (FIPPA)
b) Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
c) Health Insurance Portability and Accountability Act of 1996 (HIPAA)
d) Personal Health Information Protection Act, 2004 (PHIPA)
e) Don’t ask, don’t tell

Slide 35 (A): Which of the following are the Acts regarding privacy of information in Ontario?
a) Freedom of Information and Protection of Privacy Act (FIPPA)
b) Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
c) Health Insurance Portability and Accountability Act of 1996 (HIPAA)
d) Personal Health Information Protection Act, 2004 (PHIPA)
e) Don’t ask, don’t tell

Slide 36 (Q): Which of the following is a Health Information Custodian?
a) Doctor
b) Nurse
c) Clinic manager
d) Clinic Volunteer
e) Laboratory
f) Receptionist
g) Office cat

Slide 37 (A): Which of the following is a Health Information Custodian?
a) Doctor
b) Nurse
c) Clinic manager
d) Clinic Volunteer
e) Laboratory
f) Receptionist
g) Office cat

Slide 38 (Q): What role does the Information Privacy Commissioner play in privacy of health information?
a) Oversight responsibility for the Act
b) Public and stakeholder education
c) Personally thrashing PHIPA violators
d) Providing information to the public on the Act and the roles and responsibilities of the IPC
e) Receiving and responding to complaints
f) Undertaking reviews and investigations
g) Issuing orders

Slide 39 (A): What role does the Information Privacy Commissioner play in privacy of health information?
a) Oversight responsibility for the Act
b) Public and stakeholder education
c) Personally thrashing PHIPA violators
d) Providing information to the public on the Act and the roles and responsibilities of the IPC
e) Receiving and responding to complaints
f) Undertaking reviews and investigations
g) Issuing orders

Slide 40 (Q): Which of the following is NOT considered to be personal health information?
a) Name
b) Phone number
c) Eye colour
d) Eligibility for Ontario Drug Benefit Program
e) Dating history
f) Listing on Doctor’s patient roster
g) OHIP number
h) Mother’s heart disease

Slide 41 (A): Which of the following is NOT considered to be personal health information?
a) Name
b) Phone number
c) Eye colour
d) Eligibility for Ontario Drug Benefit Program
e) Dating history
f) Listing on Doctor’s patient roster
g) OHIP number
h) Mother’s heart disease

Slide 42 (Q): What are the steps involved in responding to a privacy breach?
a) Contain, Respond, Notify, Investigate, Remediate
b) Respond, Contain, Notify, Investigate, Remediate
c) Respond, Contain, Notify, Remediate
d) Notify, Respond, Contain, Investigate, Remediate

Slide 43 (A): What are the steps involved in responding to a privacy breach?
a) Contain, Respond, Notify, Investigate, Remediate
b) Respond, Contain, Notify, Investigate, Remediate
c) Respond, Contain, Notify, Remediate
d) Notify, Respond, Contain, Investigate, Remediate

Slide 44 (Q): Which of the following are privacy and security responsibilities of HICs under PHIPA?
a) Designate a privacy officer or contact
b) Develop a written privacy policy addressing the collection, use, disclosure and retention of PHI
c) Develop a written public policy regarding the practice’s information practices
d) Ensure that staff understand, agree to, and comply with privacy and security requirements
e) Ensure that third parties understand, agree to, and comply with privacy and security requirements
f) Ensure that the work environment is safe and secure in protecting PHI
g) Educate individual patients and collect signatures signifying consent

Slide 45 (A): All except g.
a) Designate a privacy officer or contact
b) Develop a written privacy policy addressing the collection, use, disclosure and retention of PHI
c) Develop a written public policy regarding the practice’s information practices
d) Ensure that staff understand, agree to, and comply with privacy and security requirements
e) Ensure that third parties understand, agree to, and comply with privacy and security requirements
f) Ensure that the work environment is safe and secure in protecting PHI
g) Educate individual patients and collect signatures signifying consent

Slide 46: IPC ORDERS: Mobile and Portable Devices & Disposal of PHI

Slide 47: Mobile and Portable Devices
The IPC has issued three orders in the context of mobile and portable devices:
- Order HO-004: Theft of a laptop containing the unencrypted personal health information of 2,900 individuals
- Order HO-007: Loss of a USB memory stick containing the unencrypted personal health information of 83,524 individuals
- Order HO-008: Theft of a laptop containing the unencrypted personal health information of 20,000 individuals

Slide 48: Protecting PHI on Mobile and Portable Devices
- Do not retain personal health information on such devices unless necessary for the purpose
- Consider alternatives to retaining personal health information on a mobile or portable device:
  - Retain de-identified information on the device
  - Retain encoded information on the device and store the code to unlock the identifying information separately on a secure computing device
  - Retain personal health information on a secure server and access the information remotely through a secure connection or virtual private network
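The two middle alternatives on the slide above (de-identified data on the device; encoded data on the device with the unlocking code kept elsewhere) can be realized with one export step that strips direct identifiers, replaces them with a random token, and keeps the token-to-identity table only on the secure server. The Python below is an added illustration, not code from OntarioMD or the Guide and Workbook; the patient records are constructed and fictitious, and the token-plus-lookup-table design is one assumed way of implementing the slide's "encoded information" whose "code" lives on a separate system. It also checks the failure mode that de-identification most often misses in practice: an identifier typed into a free-text note.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample records; the people and health numbers are fictitious.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Pat Example", "health_number": "0000-000-001", "dob": "1970-01-01",
     "visit_date": "2011-03-02", "diagnosis": "hypertension",
     "note": "BP 150/95 at visit, lifestyle counselling given"},
    {"name": "Sam Sample", "health_number": "0000-000-002", "dob": "1985-06-15",
     "visit_date": "2011-03-02", "diagnosis": "asthma",
     "note": "inhaler technique reviewed"},
]

# A constructed record whose free-text note repeats the patient's name.
LEAKY_RECORD: Dict[str, str] = {
    "name": "Pat Example", "health_number": "0000-000-001", "dob": "1970-01-01",
    "visit_date": "2011-03-09", "diagnosis": "hypertension",
    "note": "Pat Example reports dizziness since last visit",
}

# Fields that identify the person directly; these never reach the device copy.
DIRECT_IDENTIFIERS = ("name", "health_number", "dob")


def split_for_device(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (device_copy, lookup).

    device_copy holds one entry per record with the direct identifiers
    replaced by a random token. lookup maps token -> identifiers and is
    the "code" that stays on the secure server, never on the device.
    """
    device_copy: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for rec in records:
        token = secrets.token_hex(16)            # 128 random bits: unguessable, not derived from the person
        while token in lookup:                   # defensive retry on a (negligible) collision
            token = secrets.token_hex(16)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        clinical = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        device_copy.append({"token": token, **clinical})
    return device_copy, lookup


def reidentify(device_copy: List[Dict[str, str]], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Rejoin the device copy with the identifiers; only possible with the lookup table."""
    joined = []
    for entry in device_copy:
        clinical = {k: v for k, v in entry.items() if k != "token"}
        joined.append({**lookup[entry["token"]], **clinical})
    return joined


def find_identifier_leaks(device_copy: List[Dict[str, str]], originals: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Scan every text field of the device copy for identifier values that
    survived in free text (e.g. a name typed into a note). Returns
    (index, field) pairs; an empty list means the export is clean.
    """
    leaks = []
    for idx, (entry, orig) in enumerate(zip(device_copy, originals)):
        secret_values = [orig[k] for k in DIRECT_IDENTIFIERS]
        for field, value in entry.items():
            if field == "token":
                continue
            if any(s and s in str(value) for s in secret_values):
                leaks.append((idx, field))
    return leaks


if __name__ == "__main__":
    device, server_side = split_for_device(SAMPLE_RECORDS)
    print("device copy:", device)
    print("leaks:", find_identifier_leaks(device, SAMPLE_RECORDS))
    print("restored intact:", reidentify(device, server_side) == SAMPLE_RECORDS)
    leaky_device, _ = split_for_device([LEAKY_RECORD])
    print("leaks in leaky export:", find_identifier_leaks(leaky_device, [LEAKY_RECORD]))
```

The token is random rather than a hash of the health number, so a lost device gives an attacker nothing to reverse; the only path back to a person is the lookup table, which is exactly the "code" the slide says to keep on a separate secure computing device. Run the leak check before every export, and treat any hit as a record that must be corrected before it leaves the server.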

Slide 49: Example: Order (HO-001)
- A medical clinic hired a company to shred records of personal health information dated between
- Due to a misunderstanding, the records were given to a recycling company instead of being shredded
- The recycling company sold the records to a special effects company, and they were used in a film shoot

Slide 50: Learnings from the order
- Ensure secure disposal that does not make reconstruction reasonably foreseeable
  - For paper records: cross-cut shredding (pulverization or incineration if the records are particularly sensitive)
  - For electronic records: physically damage and discard the media, rendering it unusable. If re-use is preferred, use effective wiping utilities

Slide 51: Third Party Disposal Considerations
- Ensure the third party is accredited or is willing to undergo independent audits
- An agreement should set out the third party’s responsibilities in securely disposing of the records, and set out who, how and under what conditions records will be securely disposed of
- A signed written attestation is provided that sets out the date, time and location of the secure disposal
- Secure storage of the records pending their secure disposal is required
- The time frame within which the records will be securely disposed of is specified

Slide 52: PHIPA AND PRIVACY BREACHES

Slide 53: What is a privacy breach?
A privacy breach occurs whenever a person has contravened or is about to contravene a provision of the Act or its regulations, including section 12(1) of the Act.
Section 12(1) of the Act requires health information custodians to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal.

Slide 54: IPC Orders
The IPC may issue an order directing that:
- An individual be granted access to his or her records of personal health information
- The fees charged for providing access be reduced
- Records of personal health information be corrected
- A person cease collecting, using or disclosing personal health information in contravention of the Act
- A person dispose of records of personal health information collected in contravention of the Act
- A person alter, cease or implement an information practice
Orders may contain comments/recommendations
…

Slide 55: IPC Orders (cont’d)
- An order of the IPC that has become final may be filed with the Superior Court of Justice and on filing is enforceable as a judgment or order of the court
- A person affected by an order of the IPC that has become final may commence a proceeding with the Superior Court of Justice for damages for actual harm suffered as a result of a breach of the Act

Slide 56: IPC Investigations
The IPC may conduct an investigation where:
- A written complaint has been received
- In the absence of a complaint, there are reasonable grounds to believe the Act has been or is about to be contravened
In conducting an investigation, the IPC may:
- Enter and inspect any premises except a dwelling
- Demand production of books, records or other documents
- Compel testimony or compel written evidence

Slide 57: Offences and Breaches
The Act creates offences for contravention, including:
- Willfully collecting, using or disclosing personal health information in contravention of the Act
- Once an access request is made, disposing of a record of personal information in an attempt to evade the request
- Willfully obstructing, making a false statement or failing to comply with an order of the IPC
On conviction, an individual may be liable for a fine of up to $50,000 and a corporation up to $250,000

Slide 58: 5 Steps to Respond to a Privacy Breach
1 – Respond
- Implement the protocol
- Notify appropriate staff (including the privacy contact/officer)
- Inform the IPC
2 – Contain
- Prevent additional unauthorized access (e.g. change passwords and identification numbers and/or temporarily shut down a system)
- Retrieve the PHI as required (e.g. hard copies)
- Ensure no copies have been made
3 – Notify
- Notify individuals affected by the breach, with:
  - Details of the breach (extent, specific PHI)
  - Steps that have been taken or are to be taken to address …

Slide 59: 5 Steps to Respond to a Privacy Breach (cont’d)
4 – Investigate
- Conduct an internal investigation that:
  - Ensures the immediate requirements to contain and notify are met
  - Reviews the circumstances of the breach
  - Reviews the adequacy of existing policies and procedures
5 – Remediate
- Address the situation systematically
- Advise the IPC of findings
- Cooperate in any further investigation into the incident undertaken by the IPC

Slide 60: MORE ON HEALTH INFORMATION NETWORK PROVIDERS

Slide 61: HINP requirements as per PHIPA
- Notify every applicable health information custodian if there has been a privacy breach;
- Provide to each applicable health information custodian a plain language description of the services provided, including a general description of the safeguards in place to protect personal health information;
- Make available to the public the plain language description of the services provided, as well as any directives, guidelines and policies relating to these services, and a general description of the safeguards implemented by the service provider;
…

Slide 62: HINP requirements as per PHIPA (cont’d)
- Make available to each applicable health information custodian, upon request, an electronic record of all access to all or part of the personal health information and all transfers of all or part of the information associated with the custodian;
- Perform and provide, to each applicable health information custodian, written copies of the results of a threat assessment and a privacy impact assessment of the services provided;
- Ensure that any third party that provides services to the health information network provider complies with the restrictions and conditions necessary to enable compliance with the requirements of PHIPA; and
- Enter into a written agreement with each health information custodian concerning the services provided.

