Privacy Education Session CMHA-WECB/CCHC Volunteers/Students CMHA-WECB Privacy Training Privacy Education Session CMHA-WECB/CCHC Volunteers/Students Laura Liebrock Chief Quality Improvement & Privacy Officer

Overview An introduction to Privacy Legislation and how it applies at CMHA-WECB What is PHIPA? Consent What I Need to Know Personal Behaviour

CMHA-WECB Privacy Training What is the PHIPA? Personal Health Information Protection Act Privacy legislation for the health care sector – e.g. Hospitals, CHCs, Community Mental Health Agencies, CCAC, Public Health Units Compliance required in November 2004

What is PHIPA? What is the purpose of PHIPA? To establish rules for the collection, use and disclosure of personal health information (PHI) To provide individuals with a right to access and correct PHI To provide for review and resolution of complaints about PHI

CMHA-WECB Privacy Training When Does PHIPA Apply? PHIPA applies to: Health Information Custodians (HICs) – organizations like CMHA-WECB that collect, use and disclose PHI Agents of HICs – employees, students, volunteers, affiliated physicians, therapists, consultants, contractors, researchers Non HICs – others who receive PHI from a HIC – police, insurers, social service partners

What is Personal Health Information? CMHA-WECB Privacy Training What is Personal Health Information? Personal Health Information (PHI) is: Oral (spoken) or recorded information (written or electronic) Information that on its own or linked can be used to identify an individual Relates to an individual’s physical and/or mental health including diagnosis and family history

What is Personal Health Information? Relates to health care received or to the people providing the care OHIP number Identification of a substitute decision maker Test results Anything else included in a record which contains PHI that can identify an individual

Why was PHIPA introduced? PHI is amongst the most sensitive information available on an individual PHI in the wrong hands can have a devastating impact on reputation, employment, obtaining insurance and family relationships

Why was PHIPA introduced? PIPEDA (Personal Information Protection and Electronic Documents Act) January 2004, did not focus on issues related to healthcare PHIPA provides direction to all individuals who collect, use and disclose personal health information (PHI) In particular, mental health information carries a negative stigma in our society Our society is rights based and PHIPA gives the client right of access The increasing use of electronic information systems may increase risk of disclosure of PHI

Privacy Principles Accountability Purpose for Collection Consent Limit Collection Limit Use & Disclosure Accuracy Safeguards Openness Access Challenge Compliance

Using the Privacy Principles Creates new rules for collection, use and disclosure of PHI Introduces the concept of HIC Differentiates between: Disclosure inside and outside the “circle of care” Disclosure for health care or other purposes Situations where express, implied or no consent is required

CONSENT Express Consent Written, verbal, by telephone or electronically Written, signed consent must be placed in the health record Verbal consent must be documented in the health record

CONSENT Implied Consent Is generally understood as being consent given by an individual’s action or inaction Example – you are opening a record and asking the client for information. They answer your questions, implying consent is given Example – a client arrives at a lab to have blood work drawn. They sit and put out their arm, implying consent is given.

Personal Behaviour Wear a name tag and introduce yourself in person and on the phone by your name and status Share PHI on a need to know basis with people directly involved in the client’s care

Personal Behaviour Avoid discussions with each other or with clients, in hallways or public areas Think before you share!

Personal Behaviour Do not attempt to interpret the privacy legislation – ASK!

Personal Behaviour Lock your screen when away from your work station

Personal Behaviour Remember to keep your computer screen turned so others cannot view it

Personal Behaviour Practice a “clean desk” policy Do not keep client information in your desk/office/home This Not this!

Personal Behaviour Consider the sensitivity of material when, printing, emailing or faxing PHI. Ensure the security of the recipient. Printing Email Fax

Personal Behaviour Correctly dispose of any hardcopy documents containing personal health information by shredding.

Personal Behaviour Maintain privacy & confidentiality of information related to CMHA/CHC staff and affiliates – respect your colleagues’ right to privacy

Personal Behaviour Do not review information or ask questions about PHI just for “interest”

Personal Behaviour Look for privacy issues and report them! Report all “near misses” If you have a concern about a privacy issue, report it to Volunteer Services or the Chief Privacy Officer

Personal Behaviour Contact Laura Liebrock, Chief Quality Improvement & Privacy Officer, for questions relating to PHI and privacy

Non-Compliance The CPO investigates all breaches An affected individual may file a complaint with the Privacy Commission, sue the agency for damages and/or sue the individual provider for damages Max. $250,000 for the agency Max. $50,000 for the individual

Non-compliance Failure to maintain privacy and confidentiality may result in discipline including: Loss of privileges Loss of affiliation Reporting to your professional college Civil action Criminal prosecution Institutional and personal fines Termination of contract Termination of Employment

Summary If you have any questions about privacy issues always ask Volunteer Services or the Chief Privacy Officer. Review the privacy handouts and complete the self-assessment. Electronically sign the Privacy Agreement. Congratulations – you have completed the privacy orientation!