Kathy O’Brien
NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA
August 26, 2004
Outline
• Review of current shared networks
• Impact of PHIPA
• Good faith efforts
Current Networks – NEON
• NEON – Shared access to Meditech information system
• HRSRH (primary licensee)
• Timmins
• Englehart
• Kirkland
• Chapleau
• Temiskaming
• NEMHC
• SRF
Current Networks – NEON
• NEON Shared Information System Service Agreement
• Requires the NEON members to protect confidential information on the System through:
• Common privacy policy
• Physical security measures – HRSRH to advise on measures to be taken
• Appointment of security officer – trained by Meditech
• Implementation of logical security measures – passwords, etc., controlled by Meditech and common to all sites
• Each hospital must ensure only approved users have access
Current Networks – NORrad
• NORrad PACS System
• TDH (primary licensee)
• Hearst
• Kapuskasing
• Kirkland
• MICs Group
• SRF
• Weeneebayko
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common privacy policy
• Common acknowledgement presented to patients describing how PHI is used and who may access
• Common policy applicable to personnel and privileged health care providers limiting access to shared patient database
• Each hospital designates individual for compliance
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common privacy policy (cont’d)
• Obtaining knowledge and consent of individual for collection, use or disclosure of PHI, except where impossible or impractical
• Limiting use and disclosure of PHI to what is necessary
• Instituting security safeguards
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common security policy
• Use and confidentiality of passwords
• Use of a warning upon log-in that information is confidential
• Mandatory log-out at end of use
• Encryption across network
• Limited electronic access based on need-to-know
Current Networks – NORrad
• NORrad Inter-Hospital Agreement (in process of being signed)
• Common security policy (cont’d)
• Regular audits of access to records
• Other measures appropriate for industry
Impact of PHIPA on Shared Networks
Impact of PHIPA
• Good news
• Does not add significant new hurdles
• Essentially codifies and reinforces past privacy advice
• Notice to patients
• Privacy measures
• Security measures
• Bad news
• PHIPA means a dedicated regulator to enforce privacy requirements and to impose penalties (fines) in the event of non-compliance
• Generally cannot indemnify against breach of Act
Impact of PHIPA
• Good Faith Immunity (s.70)
• No action or proceeding for damages may be instituted against a HIC (health information custodian) or any other person (e.g., agents) as long as:
• Acting in good faith
• Acting reasonably in the circumstances
• Any neglect or default under Act that was:
• Reasonable in circumstances
• Good faith
• Arguably does not relieve HIC and agents of possibility of fines: $50K – $250K
• How can you wilfully breach Act if acting reasonably and in good faith?
PHIPA – Consent Requirements
• PHI on Meditech and PACS systems can be accessed by all hospitals
• Confirm
• Is access “for purpose of providing health care or helping to provide health care”?
• Arguably (if so, implied consent acceptable from patient amongst health care providers -- “Circle of Care”)
• If not, express consent to this access required by PHIPA
PHIPA – Consent and Agents
• Could also argue that each hospital is the “agent” of the other hospitals when accessing shared database and subject to same limitations as source hospital
• Agents under PHIPA must use PHI only as permitted by source hospital
• Source hospital has liability for acts of agents
• Agents have obligation under PHIPA to advise source hospital of theft or loss of PHI or unauthorized access at first reasonable opportunity
PHIPA – Electronic Networks
• Requirement to have a written agreement with specific security safeguards with agents who provide electronic network
• See language in sample Service Provider Privacy & Security Terms and Conditions
• Review and follow up with AGFA, Meditech
PHIPA – Consent Issues
• What information do we/should we give patients whose PHI is housed on Meditech and PACS about who has access to this information?
• Consent – implied (arguably)
• Dealing with withholding of consent
• Argue that patient cannot withhold consent where recording information on electronic system (accessible by all hospitals) is necessary for “institutional practice”?
PHIPA – Lockbox Dilemma
• November 1/05
• Lockbox – how to address express instruction from patient that part of PHI on shared database not to be accessed, used or disclosed
• Security measures?
• Policy measures?
• Exceptions – where refusal to disclose this PHI may result in serious bodily harm
PHIPA – Lockbox Dilemma
• November 1/05:
• Cannot remove information from record – dealt with in another way
• Need to flag to receiving HICs that record is not complete, where there is a lockbox
• Seek advice of IPC (Information and Privacy Commissioner – willing to help, cooperative not prosecutorial)
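The two lockbox slides above describe three behaviours a shared record store has to exhibit at once: the locked part of the record is withheld from ordinary access, a receiving site still sees a flag that the record it is looking at is incomplete, and the serious-bodily-harm exception is honoured through an override that is itself recorded for audit. The following Python is an added illustration of that design, written for this page; it is not code from the presentation, from Meditech or from the NORrad PACS, and the record contents, user names, site names and field layout are constructed sample data and assumptions.

```python
"""Added illustration (not from the presentation or any vendor system): a
minimal access check for a shared patient record with a patient "lockbox".

Behaviours shown:
  1. access is limited to the "care" purpose (circle of care);
  2. a locked section is withheld from an ordinary care request, and the
     caller is told the record is incomplete;
  3. an emergency ("break-glass") request may see the locked section, but
     only with a recorded justification, and the override is written to the
     audit trail so it can be reviewed later.
All identifiers below (patient id, section names, users, sites) are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Section:
    name: str
    content: str
    locked: bool = False  # True once the patient has placed this part in the lockbox


@dataclass
class Record:
    patient_id: str
    sections: List[Section]


@dataclass
class AccessRequest:
    user: str
    site: str
    purpose: str               # only "care" is permitted in this illustration
    emergency: bool = False    # break-glass: risk of serious bodily harm
    justification: str = ""    # required when emergency is True


@dataclass
class AuditEntry:
    user: str
    site: str
    patient_id: str
    action: str                # "view", "lockbox-override" or "denied"
    detail: str = ""


def view_record(record: Record, req: AccessRequest,
                audit: List[AuditEntry]) -> Tuple[List[Section], bool]:
    """Return (sections the requester may see, whether anything was withheld).

    Every decision, including denials, is appended to `audit`.
    """
    if req.purpose != "care":
        audit.append(AuditEntry(req.user, req.site, record.patient_id,
                                "denied", f"purpose={req.purpose}"))
        raise PermissionError("shared-database access is limited to providing health care")
    if req.emergency and not req.justification.strip():
        audit.append(AuditEntry(req.user, req.site, record.patient_id,
                                "denied", "emergency override without justification"))
        raise PermissionError("emergency override requires a recorded justification")

    visible: List[Section] = []
    withheld: List[str] = []
    for section in record.sections:
        if section.locked and not req.emergency:
            withheld.append(section.name)      # lockbox honoured; content never leaves
            continue
        if section.locked:
            # break-glass: allowed, but recorded separately for review
            audit.append(AuditEntry(req.user, req.site, record.patient_id,
                                    "lockbox-override",
                                    f"section={section.name}; {req.justification}"))
        visible.append(section)

    audit.append(AuditEntry(req.user, req.site, record.patient_id, "view",
                            f"seen={[s.name for s in visible]}; withheld={withheld}"))
    # The bool is the "record is not complete" flag for the receiving site.
    return visible, bool(withheld)


def overrides_for_review(audit: List[AuditEntry]) -> List[AuditEntry]:
    """Pull the entries a privacy officer would look at in a regular audit."""
    return [e for e in audit if e.action == "lockbox-override"]


# Constructed sample record: one open section, one in the lockbox.
SAMPLE_RECORD = Record("P-0001", [
    Section("allergies", "penicillin"),
    Section("psychiatry", "constructed sample note", locked=True),
])

if __name__ == "__main__":
    trail: List[AuditEntry] = []
    seen, incomplete = view_record(SAMPLE_RECORD,
                                   AccessRequest("nurse1", "Timmins", "care"), trail)
    print([s.name for s in seen], "incomplete:", incomplete)
    seen, incomplete = view_record(SAMPLE_RECORD,
                                   AccessRequest("er-doc", "HRSRH", "care", emergency=True,
                                                 justification="unconscious, suspected overdose"),
                                   trail)
    print([s.name for s in seen], "incomplete:", incomplete)
    for entry in overrides_for_review(trail):
        print("review:", entry)
```

The point of returning the "incomplete" flag alongside the visible sections, rather than silently dropping the locked part, is the slide's own requirement: the receiving HIC must be told the record is not complete. The override path is deliberately the only way to see locked content, and it cannot be taken without a justification string, so the audit trail reviewed under the "regular audits" item always has something to read.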
PHIPA – Privacy Policies
• What policies need to be in place to limit access to need-to-know only?
• What discipline needs to be identified in policy for breach of need-to-know policy?
• Amendments to by-laws to permit discipline of privileged professionals (who are agents of hospital and only authorized to use PHI as permitted by hospital)
PHIPA – Training, Accountability
• Issues:
• Has there been training on use of and access to these shared systems?
• Is there a NEON privacy officer?
• Does each hospital have someone accountable for compliance? Do they meet to discuss shared privacy problems and shared approach to solutions on system?
PHIPA – Security Measures
• Passwords?
• Confidentiality of passwords?
• Warning at log-in?
• Mandatory log-out?
• Encryption?
• Electronic limitation to access (escalating passwords) based on need to know?
• Regular audits?
• Others?
PHIPA and Shared Networks
• Steps:
• Accountability – privacy officers
• Privacy policy
• Privacy notice explaining inability to withhold
• Training
• Security, as best as possible
• Due diligence to demonstrate good faith best efforts with available resources to protect PHI from unauthorized access, disclosure
Cassels Brock & Blackwell LLP
2100 Scotia Plaza, 40 King Street West, Toronto, Canada M5H 3C2
Phone 416.869.5300 Fax 416.360.8877
www.casselsbrock.com