Health Information Act Orientation College of Registered Dental Hygienists of Alberta January 22, 2011.


1 Health Information Act Orientation College of Registered Dental Hygienists of Alberta January 22, 2011

2 Agenda What is the HIA? What does the HIA mean to you? Basic HIA concepts Your questions

3 What is access? Patients have a right to access their own health records Practically, this means making arrangements to view records or making a copy Right is not absolute – some exceptions may apply

4 What is privacy? (my opinion) Privacy means the ability to exercise control over what is done with your personal and health information Privacy is not absolute. Some health information needs to be exchanged in order to provide services.

5 Health Information Act Alberta’s access and privacy law for health information Proclaimed 2001, amended 2006 and 2010 Enables electronic health records Regulates Albertans’ rights:
- to access their own health information and
- to request corrections
Regulates collection, use and disclosure of health information whenever a health service is provided
- Confidentiality of health information
- Reasonable measures to protect health information
Provides independent oversight
- Information and Privacy Commissioner

6 HIA Jurisdiction HIA applies to health information in custody or control of custodians Health information is information about a health service recorded in any form or medium Custody means you have it Control means you can make decisions about it A health service is a service provided to an individual to: Protect, promote or maintain health Prevent or diagnose illness Rehabilitation Care for health of ill, disabled, injured or dying (Dental hygiene is a ‘health service’) Custodians are responsible for compliance with HIA

7 HIA Scope changes Before September 1, 2010, HIA applied to the health services paid for in public health system Now HIA applies to health services, regardless of who pays New types of custodians named (that is why you are here!)

8 Other changes to HIA Alberta provincial electronic health record regulation Sets rules and governance for Netcare Specifies audit requirements for electronic health records Custodian responsibility transfer Custodians can now become affiliates of other custodians Useful for practices where one custodian takes the lead Minister must approve Health Information Repositories Stay tuned – regulations not released yet Two new roles for health regulatory colleges
- Making health information available to Netcare
- Standards of practice as prerequisites to members using Netcare

9 OIPC Office of the Information & Privacy Commissioner Commissioner - Frank Work an officer of the Legislative Assembly Independent of government Has a broad range of responsibilities and powers, including enforcing: Freedom of Information and Protection of Privacy Act (FOIP) Personal Information Protection Act (PIPA) Health Information Act (HIA) Commissioner does not make the 3 laws Government is responsible for legislation PIPA & FOIP – Alberta Government Services HIA – Alberta Health & Wellness

10 OIPC Portfolio Officers You are most likely to encounter portfolio officers in your job as we: Investigate and mediate access, correction and privacy complaints Review Privacy Impact Assessments Provide advice and education on access and privacy issues in health sector
- My portfolio includes dental hygienists, dentists and denturists

11 What does the HIA mean to you? Your roles and responsibilities under the HIA

12 Custodians are responsible for HIA compliance Policies Training and awareness Responding to access and correction requests Protecting health information Privacy Impact Assessments Reviewing effectiveness of policies

13 Who is a custodian? Still custodians: Minister of Health and Wellness Alberta Health and Wellness Alberta Health Services Health Quality Council of Alberta Members of College of Physicians and Surgeons of Alberta Members of Alberta College of Pharmacists, & pharmacies Nursing Homes Boards and committees established by custodians Others may be named in regulation New custodians (as of September 1), members of: Alberta College of Optometrists Alberta Opticians Association Alberta College and Association of Chiropractors Alberta Association of Midwives Alberta Podiatry Association College of Alberta Denturists

14 More new custodians 6 months after proclamation (March 2011), members of: Alberta Dental Association and College College of Registered Dental Hygienists of Alberta 1 year after proclamation (September 2011), members of: College and Association of Registered Nurses of Alberta More to come… Will be professionals under Health Professions Act We don’t know which ones yet

15 Custodians and affiliates Custodians are responsible for HIA compliance HIA says both dentists and dental hygienists will be custodians Confused? Affiliates work for custodians Paid, or non-paid (volunteers, students, interns, etc.) If you work for a custodian (a dentist, AHS, nursing home, etc.) you are an affiliate If you are in independent practice, you are a custodian

16 What does this mean to you if you work for a custodian? You are an affiliate to a custodian Dentist Institution (AHS, nursing home, etc.) You need to follow custodian’s HIA policies Access requests from patients Correction requests from patients Collection Use Disclosure Information security Only collect, use and disclose the amount of health information you need to do your job A custodian may delegate some HIA responsibilities to you

17 What you need to do if you are a custodian Put someone in charge (it may be you) Get to know the HIA Assess shortfalls, risks regularly Develop policies and procedures Train staff (or yourself) Develop forms and communications material Review contracts Develop complaints/breach processes

18 HIA concepts Collection, use and disclosure Access and Correction Requests Consent Protecting health information Information managers Privacy Impact Assessments Caveat: (Review the HIA Guide and the Act)

19 Collection, Use and Disclosure of Health Information Collection (when you receive health information from a patient or other source) Use (what you do with health information while it is under your custody or control) Disclosure (when you give health information to someone else – other health services providers, insurance, family, lawyers)

20 Collection, Use and Disclosure Dental Office Insurance Database Application Collection Use Disclosure

21 Collection Custodians may collect health information to provide health services Including Personal Health Number (PHN) Only collect what you need Rule of thumb: Collect directly from patient where possible Indirect collection OK, but make sure you do so under circumstances listed in HIA You need to provide collection notice Could be on poster and/or new patient registration form HIA lists what needs to be in collection notice (see Guide)

22 Use Custodians may use health information to provide health services Only use what you need to do your job No snooping! Patients can ask for a record of who has accessed their health information in electronic health records If you can’t find a particular use listed in the HIA, don’t use it for that purpose (see Guide)

23 Bad news! fined $10,000

24 Disclosure Custodians may disclose health information to provide health services Other types of disclosures listed in HIA (see Guide) If it’s not listed in the HIA, don’t disclose without consent

25 Access and correction requests Duty to respond within 30 days, or longer if permitted by HIA or Commissioner Legal representatives may act on behalf of patients to make access and correction requests (see Guide for types of representatives)
Access
- Patients have a right to access their own health records, subject to limitations in HIA
- Custodian may charge a fee (HIA fee Schedule)
- You can also disclose informally
Correction
- Patients may ask to have records corrected
- Custodian must consider request, but does not have to make change (e.g. medical opinions)
- If custodian refuses to make change, patients can ask to have 500 word statement of disagreement placed on their file or ask Commissioner to mediate
- If the change is routine (e.g. address change), just make the change – no need to use formal process

26 Consent Consent applies to disclosure of health information only Rule of thumb: Generally, you can collect, use and disclose health information to provide health services without patient consent You can also disclose without consent for several other purposes (including processing payment) – see the HIA Guide Anything not listed, get consent HIA specifies requirements for consent (see HIA Guide)

27 Protecting Health Information 3 kinds of measures Administrative (Management, policies, training) Physical (Locks, alarms, controlled file rooms) Technical (IT security: access controls, backup, malware protection, firewall, encryption) Standard is reasonableness, not perfection Take reasonable measures to protect against reasonably anticipated threats See our PIA Requirements for a list of what OIPC considers reasonable

28 Information Managers (IM) Kind of affiliate who has access to health information, but is not a health services provider
IMs may:
- Process, store, or retrieve health information
- Provide IM or information technology services
- Create non-identifying information (anonymization)
Examples
- Records storage company
- Shredding company
- IT service provider (Help desk)
Requirements for IMs and IM agreements set out in HIA and Regulation Custodian is responsible for actions of IM

29 Privacy Impact Assessment An assessment of privacy risk for a new project Describes custodian’s management and policy structure that support HIA Describes project Analyses flows of health information Confirms legal authority to collect, use and disclose health information Identifies risks to confidentiality, integrity and availability of health information Describes measures to mitigate risk Describes plans to ensure on-going compliance Mandatory for custodians under HIA when implementing new information systems or business practices that will collect, use or disclose health information

30 New PIA Requirements Effective April 15, 2010 Download from our website, or buy from Queen’s Printer

31 Your questions

32 Mature minors – what’s reasonable? Scenario: A dental hygienist was present during a dental examination. After the examination the dentist asked the client, “Do I have your permission to share the results of this dental examination with your parents?” Question: Must a clinician routinely ask children/teenagers if they can share information with their parents; or is it only if the client expresses that it not be made and if the client is a mature minor? We see the quote on page 40 of Health Information: A Personal Matter, ‘Parents don’t have an automatic right to children’s information.’ Please expand on this. Answer: Use your professional judgement. If you have some reason to believe the patient is acting as a mature minor, get permission. If you don’t know the patient, err on the side of caution. The younger the patient, the less this is necessary.

33 Records retention Q: When can records be destroyed as per CRDHA? A: Generally, the HIA doesn’t change existing records retention requirements set by your professional college Two HIA records retention requirements: keep for 10 years: 1. Disclosure notations (who you disclosed the information to, date, purpose and description) 2. Access logs in Netcare

34 Communication between dental offices Q: When receiving a verbal request from dental offices for x-rays, may we disclose whether there are recent or any x-rays? Does a signed statement from the client in question need to be on file first? Q: On behalf of clients, may we request information or must we get a signed statement from client first? (i.e. request information from a dentist in a different practice?) A: (for both questions) Custodians may disclose health information to each other to provide health services without consent

35 Access requests - fees Q: What is a reasonable fee to charge clients access to records? A: HIA sets out a fee Schedule in the Health Information Regulation $25, up to 20 pages Over 20 pages - custodian may charge additional fees, per the Schedule

36 Question – mobile device security Q: I have a mobile practice and I use a laptop which contains all of my patient data, files and records. (I am a paperless office). When I'm not using the laptop it is at my home residence (i.e. my home office). Is it really necessary to physically lock up the computer when not in use? I already have it password protected and my home has a security system.

37 Example risk assessment
What are the risks to laptops?
- Unauthorized access to health information due to theft or loss
- Unauthorized access through wireless
- Destruction/loss of data (availability)
How do you mitigate these risks?
- Physical security: locks, cables
- Encrypt data stored on laptop
- Only connect to secure wireless networks and encrypt your data traffic over wireless networks
- Back-up your data to another site (encrypt your backup too)
- Training and awareness (how do I do all this technical stuff?)

38 Mobile device security A: Under the HIA, you need to take reasonable measures to secure health information, based on reasonably anticipated risk. It looks like your laptop is secure enough from theft at home. (I might have a different answer for an office environment.) BUT Laptops are mobile computer devices. They are vulnerable to theft and loss. Your laptop is most vulnerable while you are away from your home office. Locks and passwords alone don’t offer much protection. The best protection is encryption. Our investigation report IR H2006-IR-002 established a checklist for mobile device protection:
1. Assess the risk of using a mobile device
2. Only store health information on mobile device when necessary and only store as much as you need.
3. Consider secure remote access to health information, rather than storing the data on the mobile device.
4. If you store health information on a mobile device, encrypt it.

39 HIA – further reading Health Information Act (and regulations) Queen’s printer>Laws Online:
- Correct version of Health Information Regulation that mentions Dental Hygienists is under Orders in Council – navigate to: Queens printer>Legislative Publications>Orders in Council> July 2010>Health and Wellness Health Information Regulation is (OC 264/2010)
OIPC’s Practical Guide to the HIA PIA Requirements Orders and Investigation Reports Publications>HIA

40 Thank you! Brian Hamilton Portfolio Officer, Health Information Act Office of the Information and Privacy Commissioner, Alberta (780)

