©2011 OntarioMD Inc. Confidential, not to be reproduced without permission.

Privacy & Security for Electronic Medical Records


Page 1

Privacy & Security for Electronic Medical Records

Delivered to: [Insert Name of Practice]
Delivered by: [Insert Name of Field Staff]
Date: [Insert Date]

Page 2

Note:

OntarioMD is not an authoritative source of privacy legislation or policies.

The information and tools provided are intended to guide and assist physicians and their staff, and should not replace the practice’s own review and understanding of legislation and/or advisement of legal counsel.

OntarioMD is not involved in monitoring or assessing adherence to privacy and security, nor does it get involved in privacy breaches.

Page 3

Agenda

Introduction
Key Concepts and Definitions
Responsibilities of the Practice
OntarioMD’s Privacy and Security Guide and Workbook
Additional Content
  Q&A
  IPC Orders
  PHIPA and Privacy Breaches
  Health Information Network Providers

Page 4

INTRODUCTION

Page 5

Objectives

• Provide an overview of privacy and security, with a particular focus on the Personal Health Information Protection Act (2004) and Electronic Medical Records, including:
  • Importance of privacy and security
  • Key concepts and definitions
  • Responsibilities of physicians and practices
  • How to handle privacy breaches

• Introduce the Privacy & Security Guide and Workbook for Electronic Medical Records, along with supporting resources and tools

Page 6

Importance of Privacy & Security

• Sensitive nature of personal health information

• Need to establish trust and comfort in the system and care providers

• Time, resources, costs and reputational implications for privacy breaches

• It’s the law

Privacy and security risks can be minimized with some fundamental tools, processes and practices.

Page 7

Implications of Privacy Breaches

• Discrimination, stigmatization and psychological or economic harm to patients based on the information
• Patients may withhold or even falsify information to providers
  • Conditions may go untreated
  • Patient safety may be at risk
• Compromised quality of health services
• Reputational damage to the health provider
• Time, resources and costs to address privacy breaches, including legal liabilities and proceedings

Page 8

How do privacy and security requirements change with an EMR in the picture?

• They don’t – the same requirements apply
• However, with EMRs there are additional considerations:
  • Information in electronic format is easier to copy to portable devices and remove from a secure location
  • Hardware and devices should be secured, and PHI kept on portable devices should be encrypted
  • Transfers of information need to be encrypted

Page 9

KEY CONCEPTS AND DEFINITIONS

Page 10

Personal Health Information Protection Act (PHIPA)

• Aka “the Act”
• Ontario legislation, in force as of November 1, 2004
• Pertains to the collection, use and disclosure of personal health information by organizations and individuals delivering health care

Page 11

Personal Health Information (PHI)

• Relates to a person’s physical or mental health
• Relates to the provision of health care to the person
• Identifies a person’s health care provider
• Identifies the person’s substitute decision maker
• Relates to payments or eligibility for health care
• Is the person’s health number
• Relates to the donation of body parts or substances
• Is a plan of service under the Home Care and Community Services Act, 1994

Page 12

Health Information Custodians (HICs)

• A health care practitioner who provides health care
• A person who operates a group practice of health care practitioners who provide health care
• Hospitals, psychiatric facilities, independent health facilities
• Pharmacies, ambulance services, laboratories, specimen collection centres
• Long-term care homes, care homes, homes for special care
• Community care access corporations
• Medical officers of health of boards of health
• Minister/Ministry of Health and Long-Term Care
• Minister/Ministry of Health Promotion

Page 13

Agents (of Health Information Custodians)

• Someone who acts for, or on behalf of, the HIC for a wide range of purposes
• May have access to complete or partial records
• Examples include:
  • Employees of the HIC
  • Records management service providers
  • Claims management services

Page 14

Electronic Service Providers

• Persons who supply goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information (e.g. EMR vendor, document management providers, etc.)
• Generally, PHIPA requires that such service providers:
  • Must not use any personal health information to which they have access, except as necessary in the course of providing the services;
  • Must not disclose any personal health information to which they have access;
  • Must not permit persons acting on their behalf to access the information, unless the person agrees to comply with the restrictions placed on electronic service providers.

Page 15

Health Information Network Providers

“…a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.”

There are a number of specific obligations of HINPs set out in PHIPA.

Page 16

A Note About Consent

• In Ontario, a health information custodian may generally rely on implied consent for the collection, use and disclosure of personal health information for the purpose of providing health care (the patient’s “circle of care”); no explicit consent is required in that setting
• Individuals can withdraw consent
• Express consent is required when:
  • An HIC makes the disclosure to a person that is not an HIC, or
  • An HIC makes the disclosure to another HIC and the disclosure is not for the purposes of providing health care or assisting in providing health care

Page 17

Information and Privacy Commissioner

• The Information and Privacy Commissioner of Ontario (IPC) has oversight responsibility for the Act, which includes:
  • Public and stakeholder education
  • Providing information to the public on the Act and the roles and responsibilities of the IPC
  • Receiving and responding to complaints
  • Undertaking reviews and investigations
  • Issuing orders

Page 18

RESPONSIBILITIES OF THE PRACTICE

Page 19

7 Checklist Items based on PHIPA

Privacy Contact Person
1. Privacy contact person for the practice has been identified.
2. Privacy contact person is adequately and sufficiently educated and trained.

Policies and Practices
3. Existence of a written privacy policy.
4. Existence of a written public privacy policy.

Understanding and Agreements
5. Staff understand, agree to and comply with privacy and security requirements.
6. Third parties understand, agree to and comply with privacy and security requirements.

Information Security
7. The work environment is safe and secure in protecting personal health information.

This checklist is contained in the Privacy and Security Guide and Workbook, along with a number of resources (tools and templates) for each checklist item as required.

Page 20: Privacy & Security  for  Electronic Medical Records

©2011 OntarioMD Inc. Confidential, not to be reproduced without permission.

1. Privacy contact person for the practice has been identified
• Most often, this person should be a physician
• Designate a backup/contingency contact as well
• Examples of responsibilities of the contact person(s) include:
  • Monitoring compliance with policies and breaches of them; escalation as required and notification to patients
  • Ensuring ongoing understanding and agreements of staff and third parties
  • Communication and dissemination of policies and information

Page 21

2. Privacy contact person is adequately and sufficiently educated and trained
• This applies to the backup contact as well
• The privacy contact should be familiar with PHIPA as well as various approaches to addressing privacy and security requirements for the practice

Page 22

3. Existence of a written privacy policy addressing the collection, use, disclosure and retention of PHI in accordance with PHIPA and other applicable legislation
• In addition to having a policy, the privacy contact should make efforts to ensure that the policies are actually implemented, followed and monitored
• Practices should be established for dealing with suspected and actual privacy breaches within the practice

Page 23

4. Existence of a written public policy regarding the practice’s information practices, who to contact with privacy questions or complaints, and how to obtain access to or request correction of a record of personal health information
• Public policies should be readily accessible to patients. For example:
  • A paper copy could be on hand to be shown to anyone who requests it
  • An electronic copy could be made available and/or posted on the practice’s website
  • A printed copy could be posted in the practice
• Ensure that the practice is prepared by having the necessary consent management practices and policies in place

Page 24

5. Staff understand, agree to, and comply with privacy and security requirements

• Ensure that employees understand the concepts reflected in the agreement

• Provide information, educational tools and/or sessions as necessary

• Monitor compliance

Page 25

6. Third parties understand, agree to, and comply with privacy and security requirements.

• These may include various agents, electronic service providers, and/or health information network providers

Page 26

7. The work environment is safe and secure in protecting PHI.
• Considerations should be made for the following (at a minimum):

• Printers, photocopiers, and fax machines

• Phone manner and etiquette

• Meeting (areas)

• Mobile computing

• Physical (clear) desk environment

• Password guidelines

• Email use

• Protection and backup of information

Page 27

ONTARIOMD’S PRIVACY AND SECURITY GUIDE AND WORKBOOK

Page 28

Overview

Page 29

General Privacy & Security Checklist

Addresses the previously mentioned responsibilities of the practice.

Page 30

Tools and Templates for all Checklist Items

Examples:
• Sample Office Privacy Policy
• Confidentiality Agreement for Physician Office Employees
• Sample Contractual Privacy Clause for Employees and Third Parties
• Sample Office Privacy Handout
• E-mail Policy Sample

Page 31

Additional Resources Cited and Provided

Personal Health Information Protection Act, 2004

Page 32

ADDITIONAL CONTENT

Page 33

Q&A

Page 34

Q: Which of the following are the Acts regarding privacy of information in Ontario?

a) Freedom of Information and Protection of Privacy Act (FIPPA)
b) Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
c) Health Insurance Portability and Accountability Act of 1996 (HIPAA)
d) Personal Health Information Protection Act, 2004 (PHIPA)
e) Don’t ask, don’t tell

Page 35

A: a), b) and d). FIPPA, MFIPPA and PHIPA are Ontario statutes; HIPAA is United States federal legislation.

Page 36

Q: Which of the following is a Health Information Custodian?

a) Doctor
b) Nurse
c) Clinic manager
d) Clinic volunteer
e) Laboratory
f) Receptionist
g) Office cat

Page 37

A: (answer slide, repeating the options above; compare against the list of custodians on slide 12 and of agents on slide 13)

Page 38

Q: What role does the Information and Privacy Commissioner play in the privacy of health information?

a) Oversight responsibility for the Act
b) Public and stakeholder education
c) Personally thrashing PHIPA violators
d) Providing information to the public on the Act and the roles and responsibilities of the IPC
e) Receiving and responding to complaints
f) Undertaking reviews and investigations
g) Issuing orders

Page 39

A: All except c). These are the IPC responsibilities listed on slide 17.

Page 40

Q: Which of the following is NOT considered to be personal health information?

a) Name

b) Phone number

c) Eye color

d) Eligibility for Ontario Drug Benefit Program

e) Dating history

f) Listing on Doctor’s patient roster

g) OHIP number

h) Mother’s heart disease

Page 41

A: (answer slide, repeating the options above; compare against the definition of PHI on slide 11)

Page 42

Q: What are the steps involved in responding to a privacy breach?

a) Contain, Respond, Notify, Investigate, Remediate
b) Respond, Contain, Notify, Investigate, Remediate
c) Respond, Contain, Notify, Remediate
d) Notify, Respond, Contain, Investigate, Remediate

Page 43

A: b) Respond, Contain, Notify, Investigate, Remediate (the five steps set out in the PHIPA and Privacy Breaches section, slides 58 and 59).

Page 44

Q: Which of the following are privacy and security responsibilities of HICs under PHIPA?

a) Designate a privacy officer or contact

b) Develop a written privacy policy addressing the collection, use, disclosure and retention of PHI

c) Develop a written public policy regarding the practice’s information practices

d) Ensure that staff understand, agree to, and comply with privacy and security requirements

e) Ensure that third parties understand, agree to, and comply with privacy and security requirements

f) Ensure that the work environment is safe and secure in protecting PHI

g) Educate individual patients and collect signatures signifying consent

Page 45

A: All except g). Items a) to f) are the checklist items on slide 19. PHIPA does not require a custodian to educate each patient individually and collect signatures signifying consent; consent for providing health care is generally implied (slide 16).

Page 46

IPC ORDERS

Mobile and Portable Devices & Disposal of PHI

Page 47

Mobile and Portable Devices

The IPC has issued three orders in the context of mobile and portable devices:

• Order HO-004: theft of a laptop containing the unencrypted personal health information of 2,900 individuals
• Order HO-007: loss of a USB memory stick containing the unencrypted personal health information of 83,524 individuals
• Order HO-008: theft of a laptop containing the unencrypted personal health information of 20,000 individuals

Page 48

Protecting PHI on Mobile and Portable Devices

• Do not retain personal health information on such devices unless necessary for the purpose
• Consider alternatives to retaining personal health information on a mobile or portable device:
  • Retain de-identified information on the device
  • Retain encoded information on the device and store the code needed to unlock the identifying information separately, on a secure computing device
  • Retain personal health information on a secure server and access the information remotely through a secure connection or virtual private network
• If personal health information must be kept on the device, encrypt it; all three orders above involved unencrypted data
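The second alternative above, encoded information on the device with the code kept elsewhere, is a pseudonymization scheme, and it also delivers the first alternative, because the device copy carries no identifiers at all. As an added example (not code from OntarioMD, the IPC or any EMR vendor), the Python below splits constructed sample records into a device copy holding only a keyed pseudonym plus clinical data, and a re-identification table that stays on the practice's server together with the HMAC key. The field names, the fictitious patients and the helper functions are assumptions made for the demonstration.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Tuple

# Identifying fields that must not travel on the portable device (assumed schema).
IDENTIFIERS = ("health_number", "name", "phone")


def derive_pseudonym(key: bytes, health_number: str) -> str:
    """Keyed, one-way pseudonym for a health number.

    HMAC-SHA256 under a secret key kept on the server. A plain hash would not do:
    a 10-digit health number space is small enough to brute-force offline, so
    whoever finds the device could reverse unkeyed hashes in minutes.
    """
    mac = hmac.new(key, health_number.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def split_records(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split PHI into a device copy (no identifiers) and a re-identification
    table that stays on the secure server.

    Returns (device_copy, lookup); lookup maps pseudonym -> identifying fields.
    """
    device_copy: List[dict] = []
    lookup: Dict[str, dict] = {}
    for rec in records:
        pseudonym = derive_pseudonym(key, rec["health_number"])
        lookup[pseudonym] = {f: rec[f] for f in IDENTIFIERS}
        device_rec = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
        device_rec["pseudonym"] = pseudonym
        device_copy.append(device_rec)
    return device_copy, lookup


def reidentify(device_rec: dict, lookup: Dict[str, dict]) -> dict:
    """Rejoin a device record with its identifiers. Only the lookup table held
    on the secure server can do this; the device alone cannot."""
    ident = lookup.get(device_rec["pseudonym"])
    if ident is None:
        raise KeyError("pseudonym not in table: wrong key store or tampered record")
    merged = dict(device_rec)
    del merged["pseudonym"]
    merged.update(ident)
    return merged


def leaks_identifiers(device_copy: List[dict]) -> bool:
    """Pre-departure check: does any record on the device still carry an
    identifying field?"""
    return any(f in rec for rec in device_copy for f in IDENTIFIERS)


# Constructed sample records for the demonstration (fictitious patients).
SAMPLE_RECORDS = [
    {"health_number": "1234567890", "name": "A. Example", "phone": "555-0100",
     "visit_date": "2011-03-02", "note": "BP 128/82, renew Rx"},
    {"health_number": "0987654321", "name": "B. Example", "phone": "555-0101",
     "visit_date": "2011-03-02", "note": "follow-up, labs ordered"},
]

if __name__ == "__main__":
    server_key = secrets.token_bytes(32)          # generated and kept on the server
    on_device, on_server = split_records(SAMPLE_RECORDS, server_key)
    print("device copy leaks identifiers:", leaks_identifiers(on_device))
    print("device record:", on_device[0])
    print("re-identified on server:", reidentify(on_device[0], on_server))
```

The HMAC rather than a random token is what keeps the pseudonym stable across repeated exports without consulting the table, so the same patient's notes line up on the device from one sync to the next; the price is that the key, like the table, must never leave the server.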

Page 49

Example: Order (HO-001)

• A medical clinic hired a company to shred records of personal health information dated between 1992 and 1994
• Due to a misunderstanding, the records were given to a recycling company instead of being shredded
• The recycling company sold the records to a special effects company, which used them in a film shoot

Page 50

Learnings from the order

• Ensure secure disposal that does not make reconstruction reasonably foreseeable
• For paper records: cross-cut shredding (pulverization or incineration if the records are particularly sensitive)
• For electronic records: physically damage and discard the media, rendering it unusable. If re-use is preferred, use effective wiping utilities
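As an added illustration (not from the OntarioMD deck or the IPC order) of what a file-level "wiping utility" does, the Python below overwrites a file's contents with random data, syncs each pass to disk, confirms the file's logical contents no longer match the original, then truncates it, scrambles its name and unlinks it. The demo_wipe() helper and its constructed sample chart content are assumptions for the demonstration. The caveat a practitioner needs is in the docstring: overwriting in place only replaces what the filesystem maps to that file; on SSDs and flash (wear levelling), on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, stale copies of the data can survive below the filesystem where this code cannot see them, which is why the order's guidance prefers destroying the media.

```python
import os
import secrets
import tempfile
from typing import Dict

CHUNK = 64 * 1024

# Constructed stand-in for a record being disposed of (fictitious content).
SAMPLE_CONTENT = b"PATIENT 1234567890 DX: HEART DISEASE\n" * 1000


def overwrite_and_unlink(path: str, passes: int = 3) -> Dict[str, object]:
    """Overwrite a file with random bytes, fsync each pass, read back to confirm
    the original bytes are gone from the file, then truncate, rename the
    directory entry to a random name and unlink it.

    The read-back check only proves the file's logical contents were replaced.
    It cannot detect stale copies held below the filesystem (SSD wear levelling,
    copy-on-write or journaling filesystems, snapshots), so for such storage
    this method is not "effective" in the IPC's sense and the media should be
    destroyed instead.
    """
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original_head = f.read(CHUNK)

    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
        f.seek(0)
        original_bytes_remain = size > 0 and f.read(CHUNK) == original_head
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())

    # Scramble the filename before unlinking so the directory entry does not
    # advertise what the file was.
    scrambled = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, scrambled)
    os.unlink(scrambled)
    return {"bytes_overwritten": size, "passes": passes,
            "original_bytes_remain": original_bytes_remain}


def demo_wipe(passes: int = 2) -> Dict[str, object]:
    """Write the constructed sample record to a temporary file, wipe it, and
    report what is left in the directory afterwards."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "chart-1994.txt")
    with open(path, "wb") as f:
        f.write(SAMPLE_CONTENT)
    result = overwrite_and_unlink(path, passes=passes)
    result["file_exists_after"] = os.path.exists(path)
    result["directory_entries_after"] = len(os.listdir(workdir))
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(demo_wipe())
```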

Page 51

Third Party Disposal Considerations

• Ensure the third party is accredited or is willing to undergo independent audits
• An agreement should set out the third party’s responsibilities in securely disposing of the records, including who will dispose of them, how, and under what conditions
• A signed written attestation should be provided that sets out the date, time and location of the secure disposal
• Secure storage of the records pending their secure disposal is required
• The time frame within which the records will be securely disposed of should be specified

Page 52

PHIPA AND PRIVACY BREACHES

Page 53

What is a privacy breach?

A privacy breach occurs whenever a person has contravened or is about to contravene a provision of the Act or its regulations, including section 12(1) of the Act. Section 12(1) of the Act requires health information custodians to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal.

Page 54

IPC Orders

The IPC may issue an order directing that:
• An individual be granted access to his or her records of personal health information
• The fees charged for providing access be reduced
• Records of personal health information be corrected
• A person cease collecting, using or disclosing personal health information in contravention of the Act
• A person dispose of records of personal health information collected in contravention of the Act
• A person alter, cease or implement an information practice

Orders may also contain comments and recommendations.

Page 55

IPC Orders (cont’d)

• An order of the IPC that has become final may be filed with the Superior Court of Justice and, on filing, is enforceable as a judgment or order of the court
• A person affected by an order of the IPC that has become final may commence a proceeding in the Superior Court of Justice for damages for actual harm suffered as a result of a breach of the Act

Page 56

IPC Investigations

• The IPC may conduct an investigation where:
  • A written complaint has been received, or
  • In the absence of a complaint, there are reasonable grounds to believe the Act has been or is about to be contravened
• In conducting an investigation, the IPC may:
  • Enter and inspect any premises except a dwelling
  • Demand production of books, records or other documents
  • Compel testimony or compel written evidence

Page 57

Offences and Breaches

• The Act creates offences for contravention, including:
  • Wilfully collecting, using or disclosing personal health information in contravention of the Act
  • Once an access request is made, disposing of a record of personal health information in an attempt to evade the request
  • Wilfully obstructing the IPC, making a false statement to the IPC, or failing to comply with an order of the IPC
• On conviction, an individual may be liable for a fine of up to $50,000 and a corporation up to $250,000 (the maximum fines under the Act at the time of this 2011 deck)

Page 58

5 Steps to Respond to a Privacy Breach

1 – Respond
• Implement the breach protocol
• Notify appropriate staff (including the privacy contact/officer)
• Inform the IPC

2 – Contain
• Prevent additional unauthorized access (e.g. change passwords and identification numbers, and/or temporarily shut down a system)
• Retrieve the PHI as required (e.g. hard copies)
• Ensure no copies have been made

3 – Notify
• Notify individuals affected by the breach, with:
  • Details of the breach (extent, specific PHI)
  • Steps that have been taken or are to be taken to address it

Page 59

5 Steps to Respond to a Privacy Breach (cont’d)

4 – Investigate
• Conduct an internal investigation that:
  • Ensures the immediate requirements to contain and notify have been met
  • Reviews the circumstances of the breach
  • Reviews the adequacy of existing policies and procedures

5 – Remediate
• Address the situation systematically
• Advise the IPC of findings
• Cooperate in any further investigation into the incident undertaken by the IPC

Page 60

MORE ON HEALTH INFORMATION NETWORK PROVIDERS

Page 61

HINP requirements as per PHIPA

• Notify every applicable health information custodian if there has been a privacy breach;

• Provide to each applicable health information custodian a plain language description of the services provided, including a general description of the safeguards in place to protect personal health information;

• Make available to the public the plain language description of the services provided, as well as any directives, guidelines and policies relating to these services, and a general description of the safeguards implemented by the service provider;

Page 62

HINP requirements as per PHIPA (cont’d)

• Make available to each applicable health information custodian, upon request, an electronic record of all access to all or part of the personal health information and all transfers of all or part of the information associated with the custodian;

• Perform and provide, to each applicable health information custodian, written copies of the results of a threat assessment and a privacy impact assessment of the services provided;

• Ensure that any third party that provides services to the health information network provider complies with the restrictions and conditions necessary to enable compliance with the requirements of PHIPA; and

• Enter into a written agreement with each health information custodian concerning the services provided.
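The access-record requirement above, an electronic record of all access to and all transfers of the PHI associated with each custodian, available on request, is the one a network provider has to design for up front, and a custodian receiving the extract will want some assurance that entries were not quietly removed. As an added example (not from the deck, PHIPA or any real HINP), the Python below keeps an append-only access log in which each entry carries the hash of the previous one, so a deleted or edited entry breaks verification, and produces the per-custodian extract, counting a transfer as associated with both the sending and the receiving custodian. The event fields, custodian names and sample events are constructed for the demonstration.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash carried by the first entry


class AccessLog:
    """Append-only record of every access to, and transfer of, PHI passing
    through the network provider.

    Each entry stores the hash of the previous entry (a hash chain), so an
    entry later deleted or edited makes verify() fail. The chain is
    tamper-evident, not tamper-proof: keep a copy of the latest hash (or the
    whole log) somewhere the provider's own operators cannot rewrite.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(fields: dict) -> str:
        # Canonical JSON so the hash is independent of key order.
        data = json.dumps(fields, sort_keys=True).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def append(self, ts: str, actor: str, action: str, custodian: str,
               record_id: str, destination: Optional[str] = None) -> dict:
        """Record one event. 'custodian' is the custodian whose record was
        touched; 'destination' is the receiving custodian for a transfer."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "actor": actor, "action": action,
                 "custodian": custodian, "record_id": record_id,
                 "destination": destination, "prev": prev}
        entry["hash"] = self._digest(entry)   # hash covers all fields incl. prev
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if every entry's hash matches its fields and links to its
        predecessor; False on any edit, insertion or deletion."""
        prev = GENESIS
        for entry in self.entries:
            fields = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._digest(fields) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def extract_for(self, custodian: str) -> List[dict]:
        """The record a custodian may request: every access to its PHI and
        every transfer it sent or received."""
        return [e for e in self.entries
                if e["custodian"] == custodian or e["destination"] == custodian]


def build_sample_log() -> AccessLog:
    """Constructed events for two fictitious custodians sharing one record."""
    log = AccessLog()
    log.append("2011-03-02T09:00:00", "dr.a", "view", "Clinic A", "rec-001")
    log.append("2011-03-02T09:05:00", "dr.a", "transfer", "Clinic A", "rec-001",
               destination="Clinic B")
    log.append("2011-03-02T09:10:00", "dr.b", "view", "Clinic B", "rec-001")
    log.append("2011-03-02T09:15:00", "nurse.a", "view", "Clinic A", "rec-002")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.extract_for("Clinic B"):
        print(e["ts"], e["actor"], e["action"], e["record_id"], e["hash"][:12])
    log.entries[0]["actor"] = "someone.else"   # simulate an edited entry
    print("chain intact after edit:", log.verify())
```

In the sample, Clinic B's extract contains the transfer it received and its own view, but not Clinic A's unrelated access to rec-002; the extract for each custodian is therefore limited to the PHI associated with that custodian, as the requirement states.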
