Privacy and Disclosure Directives in Panorama for End Users February 11,

Disclaimer This presentation will be recorded and posted on the Panorama Manitoba website. Please mute your line during the presentation to help us create a clear recording 2

Introductions Introduce the people presenting today PresenterTitleOrganizationSubject Area Arielle Goldman Smith Project Coordinator Manitoba Health, Healthy Living and Seniors Host, Overview of Panorama, MIMS Micheal Harding Legislative Analyst Manitoba Health, Healthy Living and Seniors PHIA Legal Counsel Martin BajtBusiness Analysis Team Manager Panorama Project Team Describes workflow in Panorama Ruth DeaneClinical AnalystPanorama Project Team Discusses implications for public health nurses 3

Agenda for Training Public Health Users 1. Target audience and purpose of this presentation 2. User Provisioning in Panorama 3. Differences between MIMS and Panorama 4. Security Audits in Panorama 5. Terms of Use Agreements 6. Disclosure Directives 7. Implications for Public Health Practice 8. Resources 9. Questions and Answers 4

Target Audience and Purpose The target audience for this presentation is:  Panorama End users The purpose of this presentation is to provide Panorama End Users with the information they need to:  Understand how Privacy and Personal Health Information legislation impacts Panorama use  Sign the Terms of Use agreements  Be aware of how User Audits and Disclosure Directives will be in Panorama and may impact public health practice 5

Panorama User Provisioning Public Health users will receive access to Panorama through named User IDs  Access to Panorama is managed through assigned user roles  User roles are a set of permissions attached to a user ID that define what actions a user can perform in Panorama All Public Health staff who will use Panorama will be asked to sign the Terms of Use Agreement that outlines responsible use of the Panorama solution A signed copy of the Terms of Use Agreement must be sent to eHealth where it will be kept on file  No User IDs will be distributed without a signed ToU agreement  Regions are advised to keep a copy of the ToU with the employee file  Regions should submit the signed ToU agreement and User ID requests two weeks before their rollout date 6

Transitioning from MIMS to Panorama There are significant differences between MIMS and Panorama As public health staff transition from MIMS to Panorama to look up and enter immunization information, there may be a need to change practice or to be aware of your responsibilities when accessing information The next three slides describe the differences between MIMS and Panorama 7

Differences between MIMS and Panorama MIMS is an immunization registry that contains immunization records and has been in use for over 30 years in Manitoba – The privacy and security requirements were consistent with requirements of the time – Disclosure directives not available is an electronic public health record that will contain immunization and communicable disease management information for all Manitobans – The privacy and security requirements reflect current legislative and health requirements and practice – Disclosure directives are available for clients who request them Panorama 8

Differences between MIMS and Panorama MIMS users received hands-on training on the production environment using real clients and viewing real data in real- time Panorama users will be trained in a training environment using fake clients and data – It is appropriate to provide coaching or support to new Panorama users in the production environment so long as the client information accessed is appropriate. E.g. looking up clients scheduled for clinic to preview immunization history, etc. MIMSPanorama 9

Differences between MIMS and Panorama Panorama will be used as an electronic public health record for immunizations and managing communicable diseases and outbreaks  Users must sign a Terms of Use agreement  Manitoba Health will have the ability to audit or track use in Panorama MIMSPanorama Some public health practitioners used MIMS for non-immunization record management  Users did not sign a Terms of Use Agreement  There was no audit trail in MIMS 10

Audits in Panorama Client Requested Auditing of PHI Access  A public health client may request a report of who has accessed their personal health information in Panorama. Site Requested Auditing of PHI Access  A public health site may request a report of whose personal health information has been accessed by a user at their site. MHHLS Requested Auditing of PHI Access  On a routine basis MHHLS will request that public health sites audit access to personal health information by users at their site. Disclosure Directive Override Auditing  MMHLS will require an audit when a user at a public health site accesses a client record that has been blocked by a disclosure directive. 11

Who Receives the Audit Reports? Audit Reports will be generated by Manitoba Health Sent to the Privacy Officer in the organization where the activity occurred The organization’s Privacy Officer is best placed to investigate the report of activity locally  Contact the Public Health practitioner to discuss the incident  Discuss with supervisor/manager as appropriate  Determine if the access was appropriate or not The organization’s Privacy Officer will report to Manitoba Health:  Confirmation that the incident has been managed  Ensure integrity of the system 12

Terms of Use Agreements Information Sharing Agreements (ISA) with Manitoba Health describe how Panorama information will be used and shared.  The ISA requires that every Panorama user must sign a Terms of Use Agreement The Terms of Use Agreement outlines the users’ responsibilities for protecting personal health information in Panorama The agreement informs the user that the user’s activities in Panorama will be monitored and can be audited 13

Terms of Use Agreement Signing Process Read and sign the Terms of Use agreement document Each region/organization will designate a person who will collect the agreements and submit them to Manitoba eHealth  User IDs and roles for Panorama will be created after Manitoba eHealth receives the agreements A copy of your signed agreement will be kept in the HR file in the region/organization where the user works 14

Disclosure Directives: What are they? The Personal Health Information Act (PHIA) requires that a process be available for clients to request that their information be masked or hidden in any electronic health recording system – such as Panorama eChart has developed processes for clients to:  Request that their personal health information not be disclosed  However the name, PHIN, DoB and address are viewable  Request a report of who has viewed their information Panorama has a disclosure directive  Also implements this type of process 15

How can a client request a Disclosure Directive? Forms and information are available on the Manitoba Health website  When this presentation was developed the ma.html ma.html  Clients will download the form and fax or mail it to Manitoba Health where their request will be verified and entered in Panorama Disclosure directives can also be removed at the client’s request Clients with questions are directed to contact Manitoba Health 16

What is Public Health’s responsibility for informing clients about disclosure directives? Public Health Practitioners should direct clients to the Manitoba Health website for further information Manitoba Health will provide posters describing disclosure directives – Posters should be displayed in public health offices and at mass immunization clinics For the 2015/16 school year Manitoba Health will provide information about disclosure directives that must be included with consent documents provided to parents for the school clinics Similar products will be provided to other immunization providers 17

Disclosure Directives in Practice The following slides describe the workflows from the perspective of the Panorama user that are relevant for Disclosure Directives  This does not describe the workflow that will be used to create a Disclosure Directive 18

User Workflow - Overview If a disclosure directive is in place for a client, a warning is presented to the user with an option to override in order to access the client’s record Based on clinical judgement, the user must provide a reason for accessing the record The reason is captured in the audit log and will be used as part of the override audit that is initiated by “breaking-the-glass” 19

User Workflow – Client Search User enters parameters and searches for a client Warning message is presented if directive is in place Verify the search parameters before overriding to ensure the intended client’s record will be accessed 20

User Workflow - Override User must enter a reason for the override (1 of 5 predefined reasons plus a comment) This is the information that will form the basis for the audit that is triggered by overriding 21

User Workflow – Select Client Client can now be selected from the search results, set into context and their record accessed for the duration of the session log in 22

User Workflow – Mass Event The same warning and override must be done if the client is part of a mass immunization event cohort 23

Standard Reason for Override Standard ReasonDescriptionExample Scenario(s) Client provides temporary consent. Client presents for public health service and gives consent to access their record. Client presents at an immunization clinic; client presents at a public health office seeking other services (e.g. disease prevention, harm reduction). Public health investigation of an adverse event following immunization. Client has not granted consent, but has been reported as experiencing an AEFI. An AEFI report is submitted to public health as required by the Public Health Act and requires follow-up and documentation. Public health investigation of a reportable disease or condition. Client has not granted consent, but has been identified as a case or contact to a reportable disease or condition. A lab or clinician has reported a disease or condition as required by the Public Health Act; public health is investigating as outlined in MB Health disease specific protocols. 24

Standard Reason for Override Standard ReasonDescriptionExample Scenario(s) Public health investigation of an outbreak. Client has not granted consent, but has been identified as part of an outbreak. Several cases of chickenpox are identified in a classroom so immunization records for all of those exposed are assessed, interventions are based on number of immunized and non immunized clients. OtherClient has not granted consent, but information may be required for other reasons. Clinical care audits; legal reasons. 25

What are the implications for nursing and public health practice? Nurses understand the need for, and right to, privacy and confidentiality Nurses will continue to view and collect holistic information about their clients  Consider the information that is required for the service provided Clinical judgment should prevail  Access the information when there is a legitimate clinical need  Justification is accountability Goal is to protect the individual’s information. 26

Tools and further information Resources for End Users  PowerPoint version of this presentation  Recorded version of this webinar that you can use for review  Links to other privacy resources All materials will be on the websitewww.panoramamanitoba.ca 27

Questions and Answers 28