Kathy O’Brien
NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA
August 26, 2004
Outline
- Review of current shared networks
- Impact of PHIPA
- Good faith efforts
Current Networks – NEON
NEON – shared access to the Meditech information system
- HRSRH (primary licensee)
- Timmins
- Englehart
- Kirkland
- Chapleau
- Temiskaming
- NEMHC
- SRF
Current Networks – NORrad
NORrad PACS system
- TDH (primary licensee)
- Hearst
- Kapuskasing
- Kirkland
- MICs Group
- SRF
- Weeneebayko
Current Networks – NORrad
NORrad Inter-Hospital Agreement (in process of being signed)
Common security policy:
- Use and confidentiality of passwords
- Use of a warning upon log-in that information is confidential
- Mandatory log-out at end of use
- Encryption across the network
- Limited electronic access based on need-to-know
- Regular audits of access to records
- Other measures appropriate to the industry
Impact of PHIPA on Shared Networks
Impact of PHIPA
Good news:
- Does not add significant new hurdles
- Essentially codifies and reinforces past privacy advice: notice to patients, privacy measures, security measures
Bad news:
- PHIPA means a dedicated regulator to enforce privacy requirements and to impose penalties (fines) in the event of non-compliance
- Generally cannot indemnify against breach of the Act
Impact of PHIPA – Good Faith Immunity (s. 70)
No action or proceeding for damages may be instituted against a HIC or any other person (e.g., agents) as long as they are:
- Acting in good faith
- Acting reasonably in the circumstances
The same applies to any neglect or default under the Act that was:
- Reasonable in the circumstances
- In good faith
Arguably this does not relieve the HIC and its agents of the possibility of fines ($50K – $250K). But how can you wilfully breach the Act if acting reasonably and in good faith?
PHIPA – Consent Requirements
PHI on the Meditech and PACS systems can be accessed by all hospitals. Confirm:
- Is the access “for the purpose of providing health care or helping to provide health care”?
- Arguably yes; if so, implied consent from the patient is acceptable amongst health care providers (the “circle of care”)
- If not, PHIPA requires express consent for this access
PHIPA – Consent and Agents
- Could also argue that each hospital is the “agent” of the other hospitals when accessing the shared database, and is subject to the same limitations as the source hospital
- Agents under PHIPA must use PHI only as permitted by the source hospital
- The source hospital has liability for the acts of its agents
- Agents have an obligation under PHIPA to advise the source hospital of theft or loss of PHI, or unauthorized access, at the first reasonable opportunity
PHIPA – Electronic Networks
- Requirement to have a written agreement, with specific security safeguards, with agents who provide the electronic network
- See language in the sample Service Provider Privacy & Security Terms and Conditions
- Review and follow up with AGFA, Meditech
PHIPA – Consent Issues
- What information do we/should we give patients whose PHI is housed on Meditech and PACS about who has access to this information?
- Consent – implied (arguably)
- Dealing with withholding of consent: argue that the patient cannot withhold consent where recording information on an electronic system (accessible by all hospitals) is necessary for “institutional practice”?
PHIPA – Lockbox Dilemma (November 1, 2005)
- Lockbox – how to address an express instruction from the patient that part of the PHI on the shared database is not to be accessed, used or disclosed
- Security measures?
- Policy measures?
- Exceptions – where refusal to disclose this PHI may result in serious bodily harm
PHIPA – Lockbox Dilemma (November 1, 2005)
- Cannot remove information from the record – must be dealt with in another way
- Need to flag to receiving HICs that the record is not complete where there is a lockbox
- Seek the advice of the IPC (willing to help; cooperative, not prosecutorial)
PHIPA – Privacy Policies
- What policies need to be in place to limit access to need-to-know only?
- What discipline needs to be identified in policy for breach of the need-to-know policy?
- Amendments to by-laws to permit discipline of privileged professionals (who are agents of the hospital and only authorized to use PHI as permitted by the hospital)
PHIPA – Training, Accountability
Issues:
- Has there been training on use of and access to these shared systems?
- Is there a NEON privacy officer?
- Does each hospital have someone accountable for compliance?
- Do they meet to discuss shared privacy problems and a shared approach to solutions on the system?
PHIPA – Security Measures
- Passwords? Confidentiality of passwords?
- Warning at log-in?
- Mandatory log-out?
- Encryption?
- Electronic limitation of access (escalating passwords) based on need to know?
- Regular audits?
- Others?
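Two of the controls on the slides above, “limited electronic access based on need-to-know” with “regular audits of access to records” in the NORrad security policy, and the lockbox flag to receiving HICs on the lockbox slides, as one added worked example that is not code from the presentation, from Meditech or from the AGFA PACS. It audits a constructed access log against a circle-of-care table and a lockbox list, reporting accesses by a hospital outside the patient's circle of care, accesses for a non-care purpose (which would need express consent), lockbox violations, and emergency overrides of a lockbox (the serious-bodily-harm exception, still surfaced for review), and it produces the “record incomplete” notice for receiving HICs. The log line format, the hospital, user and patient identifiers, the care-relationship table and the lockbox entries are all assumptions made for the example.

```python
"""Audit of access to PHI on a shared system: need-to-know and lockbox checks.

Added example only; not code from the presentation, Meditech or AGFA PACS.
The log format, identifiers, circle-of-care table and lockbox entries are
constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One access per line (constructed format, not a real Meditech/PACS audit trail).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) hospital=(?P<hospital>\S+) "
    r"patient=(?P<patient>\S+) section=(?P<section>\S+) purpose=(?P<purpose>\S+)$"
)

# Purpose codes treated as "providing health care or helping to provide health care".
CARE_PURPOSES = {"care", "emergency"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    hospital: str
    patient: str
    section: str
    purpose: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: AccessEvent
    detail: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the log; a malformed line is an error rather than silently skipped,
    because a gap in the audit trail is itself something to investigate."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparseable audit record: {line!r}")
        events.append(AccessEvent(**m.groupdict()))
    return events


def audit(events, care_relationships, lockbox) -> list[Finding]:
    """Return a Finding for every rule an access breaks (one access can break several).

    care_relationships: set of (hospital, patient) pairs where the hospital is
        currently in the patient's circle of care.
    lockbox: dict patient -> set of record sections the patient has expressly
        instructed are not to be accessed, used or disclosed.
    """
    findings = []
    for ev in events:
        # Need-to-know: a hospital outside the circle of care has no basis for
        # implied consent, so this access needs express consent.
        if (ev.hospital, ev.patient) not in care_relationships:
            findings.append(Finding("no-care-relationship", ev,
                f"{ev.hospital} is not in {ev.patient}'s circle of care"))
        # Purpose: implied consent only covers health-care purposes.
        if ev.purpose not in CARE_PURPOSES:
            findings.append(Finding("non-care-purpose", ev,
                f"purpose {ev.purpose!r} requires express consent"))
        # Lockbox: a withheld section is a violation unless it is the
        # serious-bodily-harm exception, which is still surfaced for review.
        if ev.section in lockbox.get(ev.patient, set()):
            if ev.purpose == "emergency":
                findings.append(Finding("lockbox-override", ev,
                    f"emergency override of lockbox on {ev.section}; verify justification"))
            else:
                findings.append(Finding("lockbox-violation", ev,
                    f"{ev.section} is locked by express instruction of {ev.patient}"))
    return findings


def record_notice(patient: str, lockbox) -> str:
    """Flag for receiving HICs that the record is incomplete, without
    revealing which part is withheld."""
    if lockbox.get(patient):
        return (f"NOTICE: the record for {patient} is incomplete; part of the PHI "
                "is withheld at the patient's express instruction")
    return ""


# Constructed sample data: one day's accesses across the shared system.
SAMPLE_LOG = """\
2004-08-20T09:12:00 user=dr_a hospital=HRSRH patient=P001 section=labs purpose=care
2004-08-20T09:40:00 user=clerk_b hospital=TIMMINS patient=P001 section=labs purpose=care
2004-08-20T10:05:00 user=dr_c hospital=KIRKLAND patient=P002 section=psych purpose=care
2004-08-20T10:06:00 user=dr_c hospital=KIRKLAND patient=P002 section=psych purpose=emergency
2004-08-20T11:30:00 user=dr_a hospital=HRSRH patient=P003 section=imaging purpose=research
2004-08-20T23:55:00 user=dr_d hospital=TEMISKAMING patient=P001 section=labs purpose=care
"""
CARE_RELATIONSHIPS = {("HRSRH", "P001"), ("TIMMINS", "P001"),
                      ("KIRKLAND", "P002"), ("HRSRH", "P003")}
LOCKBOX = {"P002": {"psych"}}


def run_example() -> list[Finding]:
    """Audit the sample log: yields a lockbox violation, an emergency override
    of that lockbox, a research access, and an access from outside the circle of care."""
    return audit(parse_log(SAMPLE_LOG), CARE_RELATIONSHIPS, LOCKBOX)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.event.ts} {f.event.user}@{f.event.hospital} {f.rule}: {f.detail}")
    print(record_notice("P002", LOCKBOX))
```

The emergency override is reported rather than suppressed on purpose: the exception in the slides permits access where refusal may result in serious bodily harm, but the audit should still let the privacy officer confirm the justification afterwards. The notice deliberately says only that part of the record is withheld, since naming the locked section would disclose what the patient asked to keep out.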
Cassels Brock & Blackwell LLP, 2100 Scotia Plaza, 40 King Street West, Toronto, Canada M5H 3C2