James Williams – Ontario Telemedicine Network. Objectives: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs.

Slides:

Advertisements

Similar presentations

Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.

Advertisements

Emergency Management Unit “S ETTING THE T ABLE ” T O A CCOMPLISH THE T ACTICAL O BJECTIVE C ITY OF O TTAWA S ECURITY AND E MERGENCY M ANAGEMENT B RANCH.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

Confidentiality and HIPAA

HIPAA Privacy Rule Training

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Complying with Privacy to Enable Innovation & Research

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

The AMA Code of Ethics Could Egyptian Marketing Professionals Agree on a List of Rules, Perhaps Similar to This? The IMI Journal. Members of the AMA are.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.

ICAICT202A - Work and communicate effectively in an IT environment

Informed Consent and HIPAA Tim Noe Coordinating Center.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

Contemporary Issues in Canadian Health Care Nola M. Ries, MPA, LLM Adjunct Assistant Professor, University of Victoria Research Associate, Health Law Institute,

HIPAA Collaborative of Wisconsin PAYMENT, COLLECTIONS, AND ACCEPTED BENEFITS FURTHER DEFINITION OF THE PRIVACY RULE Copyright HIPAA Collaborative.

James Williams – BA, BSc, JD, MSc, Privacy and Security Consultant, Blue Pebble, Phd candidate, University of Victoria.

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

HIPAA PRIVACY AND SECURITY AWARENESS.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Tom Clarke VP, Research & Technology National Center for State Courts.

Health Insurance Portability and Accountability Act (HIPAA)

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

State Alliance for e-Health Conference Meeting January 26, 2007.

Patient’s Bill of Rights. The pt. has the right to considerate and respectful care. The pt. has the right to considerate and respectful care. The pt.

© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June © 2003 IBM Corporation Shortcomings.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Environmental Management System Definitions

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Understanding HIPAA (Health Insurandce Portability and Accountability Act)

© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.

D1 - 25/10/2015 The present document contains information that remains the property of France Telecom. The recipient’s acceptance of this document implies.

FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.

PIPEDA and Receivables Management Robin Gould-Soil Receivables Management Association of Canada November 16, 2011.

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

BC Public Libraries November, 2008 Privacy Principles.

U.S. Department of Education Safeguarding Student Privacy Melanie Muenzer U.S. Department of Education Chief of Staff Office of Planning, Evaluation, and.

POLICIES = CONTROL Simply stated, a policy lays out what management wants employees to do and a procedure describes how it should be done.

Approved for Public Release. Distribution Unlimited. 1 Government Privacy Rick Newbold, JD, MBA, CIPP/G Futures Branch 28.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford) Helen Nissenbaum (NYU)

1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.

Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.

Task Force CoRD Meeting / XML Security for Statistical Data Exchange Gregory Farmakis Agilis SA.

Privacy and Data Protection in e-Communications Sector Legislation, Codes of Practice and Standards Privacy and Data Protection in e-Communications Sector.

Data protection—training materials [Name and details of speaker]

The Health Information Protection Act. What is the Health Information Protection Act (HIPA)? HIPA is legislation that speaks to access to, and protection.

Health Insurance Portability and Accountability Act (HIPAA) © 2013 Project Lead The Way, Inc.Principles of Biomedical Science.

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

Disclaimer This presentation is intended only for use by Tulane University faculty, staff, and students. No copy or use of this presentation should occur.

Ethical, legal and social aspects of public health genomics Mark Taylor, School of Law, University of Sheffield 7 th November 2014.

Juvenile Legislative Update 2013 Confidential Records and Protected Disclosures.

HIPAA Privacy Rule Training

Nassau Association of School Technologists

Confidential Records and Protected Disclosures

Move this to online module slides 11-56

G.D.P.R General Data Protection Regulations

HIPAA Pros - Minimum Necessary

Investor protection and MIFID

Importance of Law and Policies in the Environmental Management System

Enforcement and Policy Challenges in Health Information Privacy

The Health Insurance Portability and Accountability Act

13 Managing Medical Records Lesson 3:

Presentation transcript:

James Williams – Ontario Telemedicine Network

Objectives: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs. 3. CHI consent management architecture. 4. Current research.

Focus: Policies pertaining to personal health information. Policies may touch upon: Consent directives. Acceptable uses. Permissible disclosure. Appropriate safeguards. Emergency overrides. Retention.

Sources of Policy: 1. Statutes and regulations 2. Case law 3. Codes of conduct 4. Corporate bylaws 5. Professional guidelines / best practices 6. First Nations Sovereignty

Statutes: Privacy The most important legislative instruments are the various privacy and health information statutes. Privacy legislation in Canada is based on a set of fair information practices: 1)Accountability6)Accuracy 2) Identifying purposes7)Safeguards 3)Consent8)Openness 4) Limiting collection9) Individual access 5) Limiting use, disclosure, retention.10) Challenging compliance

Statutes: Establish a basic rule, and then add exceptions. For example, express consent is generally required in order to disclose information to a third party. But: Emergency situations. Law enforcement. Public health. Eligibility for benefits. Risk to third party.

Statutes: Private sector privacy laws

Statutes: Health information laws

Statutes: additional laws Federal: Statistics Act. Quarantine Act. Provincial: Child Protection Act. Communicable Disease Act. Health Act. Worker’s Compensation Act. Mental Health Act.

Other sources Case Law: Eg: Patient has right of access to their own health record. (McInerney v MacDonald). Codes of Conduct: Eg: Canadian Medical Association, Health Information Privacy Code (1998). Corporate bylaws: Hospital policies and procedures. Municipal Information Acts. Best Practices COACH Guidelines for the Protection of Health Information.

Sources: OCAP Ownership: information is owned collectively by the Nation. Control: the Nation retains control over all aspects of information management. Access: the Nation has a right to manage and make decisions regarding access to their collective information. Possession: a mechanism to assert ownership.

The inter-provincial view:

Interoperability:

Some Issues: Custodians disclosing PHI are generally under a duty to ensure that the receiving jurisdiction has ‘comparable safeguards’. Patients may issue consent directives. Ontario imposes a ‘duty to notify’ receiving custodians about these. Patients should be able to avail themselves of additional protections in the new jurisdiction. Who now has control of the information? Consent directives are also sensitive.

More issues: Even if we have a way to solve these issues, one of the major problems is that laws (etc) are dynamic.

Challenge: How do we manage policies in a multi-EHR setting? Traditional route has been to either purchase COTS products, or to develop systems for a particular jurisdiction. (Hard coded business rules).

CHI’s Consent Directives Management System Applies constraints prior to providing access or transmitting PHI. Allows consent directives at various levels of granularity. Relies on common privacy vocabulary to apply consent requirements. Can store with EHRi data, or in consolidated form.

Processing Consent Directives in a Jurisdiction 1. Transfer consent directives from clinical applications to the EHR. 2. Let either the EHR or (sending clinical application) process consent directives prior to disclosing a patient’s PHI. 3. Transfer consent directives from EHR to clinical applications whenever PHI is disclosed from the EHR. Want to avoid having too many consent directives management systems.

Interjurisdictional Transfer Consent directives will be processed whether an access request is received from a POS system, or clinical portal, or from an EHR in another jurisdiction. Jurisdictions need to agree upon and set policies as to how consent directives made in one jurisdiction will be managed following disclosure to another. A nationally adopted messaging schema is required for conveying consent directives between jurisdictions.

Interjurisdictional Transfer (2) Several goals must be achieved before policy enforcement can be automated by a policy management service: Jurisdictional policies must be harmonized. Rules must be captured and codified. Special support for changes to rules. Common vocabultary. Data containing consent directives may flow from one jurisdiction to another, but policy related data does not.

Can we do better? The inter-jurisdictional data transfer problem is complex. Can we bring some technical tools to bear on the problem? Representing policy rules. Operationalizing the representations. Storing and securing the representations. Managing the representations through their lifecycle. Verification and validation.

Current work: There has been quite a bit of work on representing policies and regulations. L.Cranor, M. Langehreich, M. Marchiori, J. Reagle, The Platform for Privacy Preferences (P3P 1.0) Specification. R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, An Xpath based preference language for P3P. N. Li, T. Yu, A.I. Anton, A semantics based approach to privacy languages. (2006)

Current Work P. Ashley, S. Hada, G. Karjoth, C. Powers, M. Schunter, Enterprise Privacy Authorization Language (EPAL 1.1). A. Barth, J.C. Mitchell, J. Rosenstein, Conflict and combination in privacy policy languages (2004). (DPAL) eXtensible Access Control Markup Language. (XACML)

Current Work The above frameworks provide a formalism to specify data protection policy. They provide methods for evaluating and enforcing policies. Drawback: they are built to manage policies within single organizations. (Guarda, Zannone, Toward the Development of Privacy Aware Systems, 2008)

Current Work Recent efforts: Extend XACML with algorithms addressing issue of policy similarities and integration across organizations. (Mazzoleni et al, XACML policy integration algorithms, 2008). Distributed temporal logic. (Hilty et al, On obligations, 2005). Privacy in Peer to Peer Networks. Automated policy enforcement. (Weber, Obry).