Policy & Peer Permission (PPP) System Project: Development of User-Friendly Access Control Policy Statements For Use with Electronic Health Records
Maryann Yeo, RN, Ph.D.
Health Telematics Unit, University of Calgary
Presentation Outline:
- PPP System Development Project
- Concept of access control
- Policy development: purpose, methods, findings, implications
- Example of a PPP site-specific policy
- Questions & comments
PPP System Development Project:
The PPP system automates the authoring and interpretation of policy for granting access to EHRs.
Two components:
- Policy software development
- Policy development
PPP Project Team: Merv Matson, RightsMarket Inc.; Dr. Penny Jennett, Health Telematics Unit, Faculty of Medicine, University of Calgary; Dr. Tim Cheung, University of Ottawa Heart Institute
Concept of Access Control:
Access control is an information security method with two key objectives:
- Allow providers to access information about individuals, where consented, in a timely and efficient manner.
- Prevent providers from accessing information when they do not have the authority or a reason to do so.
PPP Policy Development: Purpose & Methods
Purpose: To develop a “starter set” of workable policy statements for use with EHR systems in clinical practice with the RightsEnforcer software.
Methods:
- Literature review
- Review of current legislation
- Review of pilot site protocols, policies & operating procedure documents
- Interviews with the pilot test site
Findings: Access Control Issues
Broad access: allow every authorized person access to all patient records?
vs.
Controlled access:
– Who is authorized to access the system?
– Which patient records can be looked at?
– Which patient records can be changed?
How tightly should access be controlled?
Findings: Impact of Implementing Access Control Policies
Implementing changes such as access control policies involves changes in:
- The way things are done;
- Processes;
- Behaviour of people & teams of people.
Changes can be disruptive & intrusive; integration into the front lines may be a longer process than first thought.
Findings: Human Behaviour as a Security Threat
A key component of information security. Internal security threats are threats to the privacy, confidentiality, and security of personal health information caused by workers’ behaviours. They may be intentional, accidental or inadvertent. The majority of security threats are internal (over 85%) and inadvertent.
COACH. (2001). Guidelines for the protection of health information. p. 19.
Findings: User Acceptance of Technology
User acceptance includes social & practical acceptability. People will use a new system:
- If it benefits them to do so.
- If it is easy to learn.
- If it is easy to see.
- If it is easy to hear.
- If it does what they expect it to do.
Nielsen, J. (1993). Usability Engineering. Boston: AP Publishing.
Findings: Translating Policies
- Defined organizational access control policies & procedures need to be established.
- Procedures need to translate their intent and goals into everyday practices.
- Policy details & procedures tend to vary from location to location.
- Access control policies therefore need tailoring to the work setting.
Implications: Tailoring of Policy Statements
PPP policy statements are being developed as a series of scenarios tailored around:
- The specific health care sites involved.
- Physician referral, consulting & communication patterns.
- Staff information-sharing patterns in everyday clinical practice.
- Organizational readiness & change management.
Policy Statement Example:
1. Jane Smith is the triage nurse coordinator.
2. The triage nurse coordinator may access, read & print all of my personal health information related to my referral.
3. The triage nurse coordinator may transfer this information access right to any clinical colleague who in his/her judgment has a need to access the information to effect or advance my care.

1 Access Policy: The triage nurse coordinator assigned to me may access, read and print any of my medical records needed for my consultation, diagnostic tests &/or surgery.
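The three statements above are, in access control terms, a role assignment, a scoped permission and a delegation rule, and they also realise the two objectives from the "Concept of Access Control" slide (allow where consented, deny otherwise). The following Python model is an added illustration written for this transcript; it is not the PPP or RightsEnforcer software. The patient id, record ids, colleague names, the API and the choice that a delegated right cannot be re-delegated are all assumptions made for the example.

```python
"""
Constructed toy policy engine modelling the slide's three PPP policy statements:
  1. a named user holds a role,
  2. the role carries actions (access, read, print) scoped to the patient's referral,
  3. the role holder may transfer that right to a colleague who needs it for care.
Names, ids and the API are assumptions for illustration, not the RightsEnforcer product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    patient: str
    context: str  # clinical context the record belongs to, e.g. "referral"


@dataclass
class Grant:
    """One right: a set of actions on one patient's records within one context."""
    patient: str
    context: str
    actions: Set[str]
    delegable: bool = False  # statement 3 applies only to rights marked delegable
    source: str = "policy"   # provenance kept for the audit trail


@dataclass
class PolicyEngine:
    role_of: Dict[str, str] = field(default_factory=dict)              # user -> role
    role_grants: Dict[str, List[Grant]] = field(default_factory=dict)  # role -> rights
    delegations: Dict[str, List[Grant]] = field(default_factory=dict)  # user -> received rights
    audit: List[str] = field(default_factory=list)

    def assign_role(self, user: str, role: str) -> None:
        self.role_of[user] = role

    def grant_role(self, role: str, grant: Grant) -> None:
        self.role_grants.setdefault(role, []).append(grant)

    def rights_of(self, user: str) -> List[Grant]:
        role = self.role_of.get(user)
        return list(self.role_grants.get(role, [])) + list(self.delegations.get(user, []))

    def decide(self, user: str, action: str, record: Record) -> Tuple[bool, str]:
        """Default deny: allow only when a right matches patient, context and action."""
        for g in self.rights_of(user):
            if (g.patient, g.context) == (record.patient, record.context) and action in g.actions:
                self.audit.append(f"ALLOW {user} {action} {record.record_id} via {g.source}")
                return True, g.source
        self.audit.append(f"DENY {user} {action} {record.record_id}")
        return False, "no applicable right"

    def delegate(self, holder: str, colleague: str, patient: str,
                 justification: str) -> Tuple[bool, str]:
        """Statement 3: transfer a delegable right, recording the need-to-know reason."""
        if not justification.strip():
            self.audit.append(f"DENY delegation {holder}->{colleague}: no justification")
            return False, "justification required"
        for g in self.rights_of(holder):
            if g.patient == patient and g.delegable:
                # Assumption: a received right is not re-delegable; the slide confers
                # the transfer right on the coordinator only.
                self.delegations.setdefault(colleague, []).append(
                    Grant(g.patient, g.context, set(g.actions), delegable=False,
                          source=f"delegated by {holder}: {justification}"))
                self.audit.append(f"ALLOW delegation {holder}->{colleague} for {patient}")
                return True, "delegated"
        self.audit.append(f"DENY delegation {holder}->{colleague}: no delegable right")
        return False, "holder has no delegable right for this patient"


def build_example() -> PolicyEngine:
    """Encode the slide's statements for a constructed patient id 'P-0001'."""
    pe = PolicyEngine()
    pe.assign_role("Jane Smith", "triage_nurse_coordinator")  # statement 1
    pe.grant_role("triage_nurse_coordinator",                 # statements 2 and 3
                  Grant("P-0001", "referral", {"access", "read", "print"}, delegable=True))
    return pe


if __name__ == "__main__":
    pe = build_example()
    referral_note = Record("R-1", "P-0001", "referral")
    old_visit = Record("R-2", "P-0001", "unrelated_visit")
    print(pe.decide("Jane Smith", "read", referral_note))    # allowed by the role
    print(pe.decide("Jane Smith", "change", referral_note))  # denied: change never granted
    print(pe.decide("Jane Smith", "read", old_visit))        # denied: outside the referral
    print(pe.decide("Dr Lee", "read", referral_note))        # denied: no role, no delegation
    print(pe.delegate("Jane Smith", "Dr Lee", "P-0001", "surgical consult for referral"))
    print(pe.decide("Dr Lee", "read", referral_note))        # now allowed via delegation
    print(pe.delegate("Dr Lee", "Nurse Kim", "P-0001", "cover shift"))  # denied
    print(*pe.audit, sep="\n")
```

Two points the model makes visible that the prose does not: the "related to my referral" clause is enforced as a record context, so the same coordinator is denied an unrelated visit record for the same patient, and every allow or deny, including delegations and their justification, lands in an audit list, which is what turns the "human behaviour" finding into something a site can actually review.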