
Kathy O’Brien NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA August 26, 2004.


1 Kathy O’Brien – NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA – August 26, 2004

2 Outline
- Review of current shared networks
- Impact of PHIPA
- Good faith efforts

3 Current Networks – NEON
- NEON – Shared access to Meditech information system
- HRSRH (primary licensee)
- Timmins
- Englehart
- Kirkland
- Chapleau
- Temiskaming
- NEMHC
- SRF

4 Current Networks – NEON
- NEON Shared Information System Service Agreement requires the NEON members to protect confidential information on the System through:
  - Common privacy policy
  - Physical security measures – HRSRH to advise on measures to be taken
  - Appointment of security officer – trained by Meditech
  - Implementation of logical security measures – passwords, etc., controlled by Meditech and common to all sites
  - Each hospital must ensure only approved users have access

5 Current Networks – NORrad
- NORrad PACS System
- TDH (primary licensee)
- Hearst
- Kapuskasing
- Kirkland
- MICs Group
- SRF
- Weeneebayko

6 Current Networks – NORrad
- NORrad Inter-Hospital Agreement (in process of being signed)
- Common privacy policy:
  - Common acknowledgement presented to patients describing how PHI is used and who may access it
  - Common policy applicable to personnel and privileged health care providers limiting access to the shared patient database
  - Each hospital designates an individual responsible for compliance

7 Current Networks – NORrad
- NORrad Inter-Hospital Agreement (in process of being signed)
- Common privacy policy (cont’d):
  - Obtaining knowledge and consent of the individual for collection, use or disclosure of PHI, except where impossible or impractical
  - Limiting use and disclosure of PHI to what is necessary
  - Instituting security safeguards

8 Current Networks – NORrad
- NORrad Inter-Hospital Agreement (in process of being signed)
- Common security policy:
  - Use and confidentiality of passwords
  - Use of a warning upon log-in that information is confidential
  - Mandatory log-out at end of use
  - Encryption across network
  - Limited electronic access based on need-to-know

9 Current Networks – NORrad
- NORrad Inter-Hospital Agreement (in process of being signed)
- Common security policy (cont’d):
  - Regular audits of access to records
  - Other measures appropriate for the industry

10 Impact of PHIPA on Shared Networks

11 Impact of PHIPA
- Good news:
  - Does not add significant new hurdles
  - Essentially codifies and reinforces past privacy advice:
    - Notice to patients
    - Privacy measures
    - Security measures
- Bad news:
  - PHIPA means a dedicated regulator to enforce privacy requirements and to impose penalties (fines) in the event of non-compliance
  - Generally cannot indemnify against breach of the Act

12 Impact of PHIPA – Good Faith Immunity (s.70)
- No action or proceeding for damages may be instituted against a HIC or any other person (e.g., agents) as long as:
  - Acting in good faith
  - Acting reasonably in the circumstances
- Any neglect or default under the Act that was:
  - Reasonable in the circumstances
  - In good faith
- Arguably does not relieve HIC and agents of the possibility of fines: $50K – $250K
- How can you wilfully breach the Act if acting reasonably and in good faith?

13 PHIPA – Consent Requirements
- PHI on Meditech and PACS systems can be accessed by all hospitals
- Confirm: Is access “for purpose of providing health care or helping to provide health care”?
  - Arguably (if so, implied consent from the patient is acceptable amongst health care providers – “Circle of Care”)
  - If not, express consent to this access is required by PHIPA

14 PHIPA – Consent and Agents
- Could also argue that each hospital is the “agent” of the other hospitals when accessing the shared database and subject to the same limitations as the source hospital
- Agents under PHIPA must use PHI only as permitted by the source hospital
- Source hospital has liability for acts of agents
- Agents have an obligation under PHIPA to advise the source hospital of theft or loss of PHI or unauthorized access at the first reasonable opportunity

15 PHIPA – Electronic Networks
- Requirement to have a written agreement with specific security safeguards with agents who provide the electronic network
- See language in sample Service Provider Privacy & Security Terms and Conditions
- Review and follow up with AGFA, Meditech

16 PHIPA – Consent Issues
- What information do we/should we give patients whose PHI is housed on Meditech and PACS about who has access to this information?
- Consent – implied (arguably)
- Dealing with withholding of consent
  - Argue that a patient cannot withhold consent where recording information on the electronic system (accessible by all hospitals) is necessary for “institutional practice”?

17 PHIPA – Lockbox Dilemma (November 1/05)
- Lockbox – how to address an express instruction from a patient that part of the PHI on the shared database is not to be accessed, used or disclosed
  - Security measures?
  - Policy measures?
- Exceptions – where refusal to disclose this PHI may result in serious bodily harm

18 PHIPA – Lockbox Dilemma (November 1/05)
- Cannot remove information from the record – dealt with in another way
- Need to flag to receiving HICs that the record is not complete, where there is a lockbox
- Seek advice of the IPC (willing to help, cooperative not prosecutorial)
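The security policy items on slides 8–9 (electronic access limited to need-to-know, regular audits of access to records) and the lockbox handling on slides 17–18 (withhold the lockboxed portion, flag the record as incomplete to the receiving hospital, allow an exception where refusal may result in serious bodily harm) can be exercised together in one small model. The following Python is an added example, not code from the presentation, from NEON/NORrad or from Meditech/AGFA; the hospital names, user ids, patient ids, the `authorize`/`audit_report` functions and the rule that an emergency override must carry a documented reason are all assumptions made for illustration.

```python
"""
Added example (not from the original slide deck): a small model of the
need-to-know access limitation, lockbox handling and access auditing that
the shared-network security policy describes. All hospitals, users, patients
and records below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    patient_id: str
    source_hospital: str
    sections: dict                              # section name -> content
    lockbox: set = field(default_factory=set)   # sections the patient instructed be withheld


@dataclass
class AccessRequest:
    user: str
    hospital: str
    patient_id: str
    purpose: str                 # "care" = providing or assisting in providing health care
    override: bool = False       # emergency exception: refusal may result in serious bodily harm
    reason: str = ""             # justification; assumed to be mandatory for an override


# Constructed sample data: which users have a care relationship with which patient.
CARE_TEAM = {
    "P-1001": {"dr.ahmed@hospA", "rn.lee@hospB"},
    "P-1002": {"dr.ahmed@hospA"},
}

RECORDS = {
    "P-1001": Record("P-1001", "hospA",
                     {"imaging": "CT head 2004-08-01", "psychiatry": "consult note",
                      "allergies": "penicillin"},
                     lockbox={"psychiatry"}),
    "P-1002": Record("P-1002", "hospB", {"imaging": "chest x-ray", "allergies": "none"}),
}

AUDIT_LOG = []   # every decision, allowed or denied, is kept for the periodic audit


def authorize(req, records=RECORDS, care_team=CARE_TEAM, log=AUDIT_LOG):
    """Apply the need-to-know rule and the lockbox, then write an audit entry.

    Returns {"allowed": bool, "sections": {...}, "incomplete": bool}.
    """
    record = records.get(req.patient_id)
    in_care_team = req.user in care_team.get(req.patient_id, set())
    allowed = record is not None and req.purpose == "care" and in_care_team
    if req.override and not req.reason:
        allowed = False          # an override with no documented reason is refused

    sections, withheld = {}, set()
    if allowed:
        for name, content in record.sections.items():
            if name in record.lockbox and not req.override:
                withheld.add(name)   # honour the patient's express instruction
            else:
                sections[name] = content

    log.append({
        "user": req.user, "hospital": req.hospital, "patient_id": req.patient_id,
        "allowed": allowed, "override": req.override, "reason": req.reason,
        "withheld": sorted(withheld),
        "cross_hospital": record is not None and req.hospital != record.source_hospital,
    })
    # The receiving hospital is told the record is not complete when anything was withheld.
    return {"allowed": allowed, "sections": sections, "incomplete": bool(withheld)}


def audit_report(log=AUDIT_LOG, denial_threshold=2):
    """Periodic review: denials, lockbox overrides, and users with repeated denials."""
    denials = [e for e in log if not e["allowed"]]
    overrides = [e for e in log if e["allowed"] and e["override"]]
    per_user = {}
    for e in denials:
        per_user[e["user"]] = per_user.get(e["user"], 0) + 1
    repeat = sorted(u for u, n in per_user.items() if n >= denial_threshold)
    return {"denials": denials, "overrides": overrides, "repeat_denials": repeat}


if __name__ == "__main__":
    # Care-team member at another hospital: allowed, psychiatry withheld, flagged incomplete.
    print(authorize(AccessRequest("rn.lee@hospB", "hospB", "P-1001", "care")))
    # No care relationship: denied and logged.
    print(authorize(AccessRequest("clerk.x@hospC", "hospC", "P-1001", "care")))
    # Emergency override with a documented reason: lockboxed section released, logged.
    print(authorize(AccessRequest("dr.ahmed@hospA", "hospA", "P-1001", "care",
                                  override=True, reason="unconscious, suspected overdose")))
    print(audit_report())
```

The `incomplete` flag is what the receiving HIC sees in place of the withheld section; the audit log records the withheld section names and every override reason so that the regular access audit can check that overrides were justified and that cross-hospital accesses had a care relationship behind them.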

19 PHIPA – Privacy Policies
- What policies need to be in place to limit access to need-to-know only?
- What discipline needs to be identified in policy for breach of the need-to-know policy?
- Amendments to by-laws to permit discipline of privileged professionals (who are agents of the hospital and only authorized to use PHI as permitted by the hospital)

20 PHIPA – Training, Accountability
- Issues:
  - Has there been training on use of and access to these shared systems?
  - Is there a NEON privacy officer?
  - Does each hospital have someone accountable for compliance?
  - Do they meet to discuss shared privacy problems and a shared approach to solutions on the system?

21 PHIPA – Security Measures
- Passwords?
- Confidentiality of passwords?
- Warning at log-in?
- Mandatory log-out?
- Encryption?
- Electronic limitation on access (escalating passwords) based on need-to-know?
- Regular audits?
- Others?

22 PHIPA and Shared Networks
- Steps:
  - Accountability – privacy officers
  - Privacy policy
  - Privacy notice explaining inability to withhold
  - Training
  - Security, as best as possible
  - Due diligence to demonstrate good faith best efforts with available resources to protect PHI from unauthorized access and disclosure

23 Cassels Brock & Blackwell LLP
2100 Scotia Plaza, 40 King Street West, Toronto, Canada M5H 3C2
Phone
Fax


