A Privacy Impact Assessment for the Individual Health Identifier (IHI)

Transcription

1 A Privacy Impact Assessment for the Individual Health Identifier (IHI) Final Version for Publication Page 1

2 Table of Contents 1 Purpose of the Document PIA Methodology and Approach What is a Privacy Impact Assessment? Stage 1 Threshold Assessment Stage 2 Identification of Privacy Risks Evaluation of Privacy Risks Stage 3 Identification of Arrangements and Controls to Mitigate Risks Stage 4 Documentation of the Privacy Impact Assessment Establishment of a National Register of Individual Health Identifiers Background The Benefit of Implementing an Individual Health Identifier Legal Basis for the establishment of the Individual Health Identifier Register Assignment of a Unique Identifier Establishment and Maintenance of a National Register Use and Provision of the Identifying Information Access to the National Register of Individual Health Identifiers Offences Relating to Individual Health Identifiers Legal Basis for Using the Department of Social Protection database to populate the National Register Data Held by the Department of Social Protection Provision under the Individual Health Identifiers Act Provision under the Social Welfare Consolidation Act Specification for the Individual Health Identifier and the National Register Format of the Individual Health Identifier Content of the National Register Creation of the Individual Health Identifier Register Implementation of the Individual Health Identifier Register Maintenance of the National Register Business Operations Unit Access to the National Register Final Version for Publication Page 2

3 4.3.5 IHI Proof of Concept Register Privacy Issues associated with the Individual Health Identifier HIQA Information Governance and Management Standards for the Health Identifiers Operator in Ireland Summary of Privacy Issues, Risk s and Mitigations Privacy Issues associated with the establishment of a National Register of Individual Health Identifiers Privacy Issues associated with the ongoing transfer of data for the update and maintenance of the National Register of Individual Health Identifiers Privacy Issues associated with management of the register by HSE Primary Care Reimbursement Service (HSE PCRS) Privacy Issues associated with the proposed dataset Privacy Issues associated with provision of Individual Health Identifiers to Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system) and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) Privacy Issues associated with the ongoing inclusion and use of the Individual Health Identifier in Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) Individual Health Identifier Privacy Issues associated with the future uses of the Individual Health Identifier Governance Framework Assignment of Responsibility for Privacy Mitigation Safeguards or Controls Mitigation Implementation Responsibility and Timescales Appendix A HIQA proposals for Information Governance and Management Standards for the Health Identifiers Operator in Ireland APPENDIX B: Organisations We Have Consulted to Date Final Version for Publication Page 3

4 1 PURPOSE OF THE DOCUMENT The purpose of this document is to provide the findings of the Privacy Impact Assessment for the establishment of a National Register of Individual Health Identifiers that has been conducted by the Health Service Executive in Ireland. The National Register of Individual Health Identifiers will hold an Individual Health Identifier for every person who has used, is using or may use a health and social care service in Ireland. The Privacy Impact Assessment also considers the privacy implications of access to and adoption of the Individual Health Identifier by the first systems that will access the register and use the IHI: Epilepsy Electronic Patient Record (EPR) selected GP practice systems and a Hospice Electronic Medical Record (EMR) system schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) Each future change in the use of the Individual Health Identifier, adoption in other systems or access to the National Register by other bodies will are not within the scope of this Privacy Impact Assessment. The impact of such changes will be reviewed against this Privacy Impact Assessment to ensure that any additional privacy issues arising are considered and additional safeguards put in place if required. We will make sure that as other systems start to use the Individual Health Identifier and access the IHI Register we will check that there are no new privacy implications that we haven t considered in this document and if there are we will add to the Privacy Impact Assessment document to cover them too. Final Version for Publication Page 4

5 2 PIA METHODOLOGY AND APPROACH 2.1 WHAT IS A PRIVACY IMPACT ASSESSMENT? Privacy can be defined as the right of an individual to keep information about themselves from being disclosed. Provision of effective, safe health and social care requires personal health information to be processed which can present significant risks to privacy which must be appropriately managed. An individual s right to privacy is protected under Irish legislation by the Data Protection Acts 1988 and 2003 and within Article 8 of the European Human Rights Act. The Irish legislation outlines the rights of individuals under eight key principles of data protection and the responsibilities of those who hold and process personal information. Compliance with data protection legislation is regulated by the Data Protection Commissioner who is responsible for upholding the rights of individuals as set out in the Data Protection Acts and for enforcing the obligations on those holding and processing personal information. The need to protect and respect patients and service users dignity, privacy and autonomy has also been reflected in key health information strategies such as the ehealth Strategy for Ireland, 2013 and the Knowledge and Information Plan, Promotion of patient and service users privacy is embedded within the roles and responsibilities of the Health Information and Quality Authority (HiQA) 1. In respect of their role in this regard HiQA have published Guidance on Privacy Impact Assessment in Health and Social Care which has been followed in the development of this Privacy Impact Assessment. The process of conducting a Privacy Impact Assessment has is summarised in Figure 1 below. A Privacy Impact Assessment involves evaluation of the privacy implications of projects and assessment of their compliance with relevant legislation. Where potential privacy risks are identified it should be possible, in consultation with stakeholders, to identify safeguards or controls to mitigate or reduce these risks without impacting on the objectives or realisation of the benefits of the initiative. An appropriate senior manager should be identified to be accountable and responsible for delivery of the agreed safeguards or controls. Privacy Impact Assessments should be used wherever personal information is processed but are particularly important in the health and social care sector where the information is considered to be sensitive information. Completion of a Privacy Impact Assessment for a project such as the implementation of the Individual Health Identifier ensures that that the proposed processes and procedures for handling personal health information are reviewed to ensure that they comply with legislation and best practice. Further, stakeholder involvement in the PIA process increases awareness among professionals and creates a culture where maintaining personal health information privacy is a priority. 1 More details about The Health Information and Quality Authority can be found at Final Version for Publication Page 5

6 Although a Privacy Impact Assessment is not a legal requirement, it is an effective way to demonstrate how the processing of personal data complies with data protection legislation. Patients and Service Users can be reassured that the Health Service Executive has followed best practice. The Privacy Impact Assessment should ensure that the implementation of the Individual Health Identifier is less privacy intrusive and therefore less likely to affect them in a negative way. In addition, public consultation on the findings of the Privacy Impact Assessment will improve transparency and should make it easier for the public to understand how and why their information is being used. By conducting a Privacy Impact Assessment on the implementation of the Individual Health Identifier, the Health Service Executive will be informed of potential impacts on individual privacy and actions that should be taken to mitigate any impact. This should in turn reduce the likelihood of the organisation failing to meet its legal data protection obligations. Further, consistent use of Privacy Impact Assessments for all relevant projects will increase the awareness of privacy and data protection issues within the Health Service Executive and will ensure that staff involved in design consider privacy issues in the early stages of a project. Final Version for Publication Page 6

7 Final Version for Publication Page 7

8 2.2 STAGE 1 THRESHOLD ASSESSMENT The first stage of the process is the Threshold Assessment. This involves identification of whether the implementation of the Individual Health Identifier presents any potential privacy issues. This requires responses to a series of 11 questions in relation to the project. A YES response to any one of these questions indicates the need for a Privacy Impact Assessment to be conducted. The Individual Health Identifier and associated data set can be considered to be Personal Health Information. It consists of personal demographic information that has been collected and used for the purpose of delivering health and social care. However, it does not include any SENSITIVE Personal Health Information which relates to the condition, care and treatment of an individual. Does the project involve any of the following? The collection, use or disclosure of personal health information? A new use for personal Information that is already held? The linking, matching cross referencing of personal health information already held? Establishing or amending a register or data base containing personal health information? The collection use or disclosure of additional personal health information held by an existing system or source of health information? Sharing of personal health information between organisations? The creation of a new or the adoption of an existing identifier for service users: for YES: It involves the allocation, processing and distribution of an Individual Health Identifier and associated demographic data YES: Personal demographic information from the Department of Social Protection and the PCRS will be used to create and maintain the National Register. YES: The IHI Register will link data from DSP with data from the PCRS where appropriate YES: The IHI Register will be established using data currently held by PCRS. This will only hold demographic information and will not include sensitive health information. YES: Population of the Individual Health Identifiers into the Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) will require disclosure of their master patient index (personal data only, not sensitive personal data) for matching. YES: Individual Health Identifiers and associated personal information will be shared across consumer systems within other organisations YES: The project will create a new unique personal identifier (the Individual Health Final Version for Publication Page 8

9 example using a number or biometric? Exchanging or transferring personal health Information outside the republic of Ireland? The use of personal data for research or statistics whether de-identified or not? Any other measure that may affect privacy or that could raise privacy concerns? A new or changed system of data handling; for example policies or practices around access, security, disclosure or retention of personal health information? Identifier) for patient and service users NO: Not within the scope of this PIA, however, subject to relevant national authority, future uses of the IHI may include sharing with the UK for Irish patients treated within their jurisdiction and may be shared with other EU countries as per the EU Directive on the application of patients' rights in cross-border healthcare Directive 2011/24/EU, Article 14. Such uses will be the subject of amendment to this PIA. NO: Although the Health Identifier Act allows for the Individual Health Identifier to be used for the defined secondary purposes including research and analysis any future use of the Individual Health Identifier for secondary purposes will be subject of an amendment to this Privacy Impact Assessment. NO: YES: For Example - rules relating to the provision of information when tracing an individual s Individual Health Identifier on the National Register As a result of the responses to these threshold questions the need for a Privacy Impact Assessment was clearly established. To ensure that all privacy implications and possible privacy enhancement opportunities were considered during the following Stages 2 and 3 of the Privacy Impact Assessment widespread consultation has been conducted with stakeholders in the Health Service Executive, Voluntary Hospitals, a patient representative body, the Department of Health, the Department of Social Protection, the Office of the Data Protection Commissioner and HiQA. A list of those that have been consulted has been included as Appendix B. 2.3 STAGE 2 IDENTIFICATION OF PRIVACY RISKS The second stage of the process involves identifying the privacy risks by exploring the scope, information flows and security arrangements of the project. This stage involved establishing how the information will be used to create the IHI Register, how it will be maintained through updates from other data sources, the functionality that will be available to the Business Operations Unit and how Final Version for Publication Page 9

10 it will interact with the consumer systems included within the Privacy Impact Assessment, Epilepsy Electronic Patient Record, select GP practice systems, a Hospice Electronic Medical Record and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) An initial check was conducted to ensure that the planned implementation complied with the relevant legislation such as the Health Identifiers Act and the Data Protection Acts. The risks to the privacy of individuals have also been considered including the corporate impacts that might arise such as action by the Data Protection Commissioner, reputational damage and loss of public trust were the risks to materialise. These risks have then been scored and categorised as High, Medium or Low Evaluation of Privacy Risks Each privacy risk will be evaluated to assess the probability of the risk occurring (likelihood) and the consequence (impact) if it were to occur. The corresponding risk score will identify whether the risk is high, medium or low as set out in the following table. Impact Likelihood Rare 1 Unlikely 2 Possible 3 Likely 4 Highly Likely 5 Negligible Minor Moderate Major Critical LOW (1-7) MEDIUM (8-14) HIGH (15-25) 2.4 STAGE 3 IDENTIFICATION OF ARRANGEMENTS AND CONTROLS TO MITIGATE RISKS Stage 3 addresses the privacy risks identified in Stage 2. The aim of this stage is to seek safeguards which will eliminate the privacy risks wherever possible or reduce them by implementing measures that provide robust controls in the handling of the personal data and reduce the risk to privacy. Not all privacy risks can be eliminated but it is important to ensure that the risk can be reduced as far as possible while still achieving the aims and objectives of the implementation of the Individual Health Identifier. This stage creates a series of actions that must be incorporated within the project plan. Each action (which may address one or more of the privacy risks) will be assigned to a business owner and will be given a target delivery date. Final Version for Publication Page 10

11 These actions will be incorporated into the project delivery plan and implementation monitored as part of the overall management of the project. 2.5 STAGE 4 DOCUMENTATION OF THE PRIVACY IMPACT ASSESSMENT The final stage, Stage 4, is the production of a Privacy Impact Assessment Report which details the findings of the assessment. The report must have appropriate sign off from within the Health Services Executive and will be made public. Final Version for Publication Page 11

12 3 ESTABLISHMENT OF A NATIONAL REGISTER OF INDIVIDUAL HEALTH IDENTIFIERS 3.1 BACKGROUND The ehealth Strategy for Ireland December 2013 identified the provision of health identifiers for individuals and health service providers as a key enabler to the success of the strategy. The Health Identifiers Act, enacted in July 2014, allowed for the establishment and maintenance of A National Register of Individual Health Identifiers A National Register of Health Service Providers Identifiers The implementation and operation of Health Identifiers must be in line with the provisions of the Act in accordance with commencement orders, delegation orders and regulations to be made by the Minister for Health. The Minister for Health signed an initial commencement order in September 2015 for the provisions in the act relating to the assignment of the Individual Health Identifier, the establishment of the IHI Register and a delegation order providing the HSE with the authority for these functions. The Minister may, after consultation with the Data Protection Commissioner, establish regulations under the Act. All regulations relating to the provisions of the Act must not be made unless the Minister is satisfied they are in the public interest with due regard to the privacy and the effective achievement of one or more purpose. Regulations made under the Act are to be laid before each house of the Oireachtas as soon as they are made. If a resolution annulling the regulations is passed by either house within 21 days the regulation will be annulled. This PIA is concerned solely with Individual Health Identifiers. A PIA for the National Register of Health Service Provider Identifiers will follow at a later date. 3.2 THE BENEFIT OF IMPLEMENTING AN INDIVIDUAL HEALTH IDENTIFIER The main benefit of having an Individual Health Identifier is to ensure patient safety. Being able to uniquely identify each user will improve patient safety by reducing the number of adverse events that may happen, such as giving the patient the wrong medication or vaccination or admitting the wrong person for surgery. The Individual Health Identifier has the following benefits: Patient Safety Efficiency Reduced likelihood of providing treatment to wrong patient Enhanced ability to reliably associate all records for the same patient thereby providing a more complete picture available to professionals Final Version for Publication Page 12

13 Reduced effort in collecting the same information multiple times Obviating the need for some repeated diagnostics Enhanced ability to reliably associate all records for the same patient thereby providing a more complete profile available for administration purposes Enabling ehealth applications Privacy A key enabler in the implementation of electronic health records A key enabler in overall information sharing required across the health system Reduces the need for identifying information to be included with electronic patient or service user information The benefits for service users are: Improved accuracy in identifying the service user and their medical records will lead to safer and better care being provided. Service User s records in different healthcare organisations may be accurately associated with the correct service user Health information can be shared safely and seamlessly between public and private health service providers, for example referral letters sent from a public hospital to a private sector GP Individual Health Identifiers enable electronic transfer of service user health information, which results in faster care. The benefits for health care practitioners are that Individual Health Identifiers: Accurately link service users to their records Identify patients in all communications with other health and social care providers Enable safe transfer of patient records electronically Enable electronic referrals, discharge summaries and electronic prescriptions to be sent which results in a more timely exchange of information. The benefits for healthcare providers are that Individual Health Identifiers Help to create and maintain a complete record for each patient Enable patient information to be shared safely within and across organisational boundaries Improve efficiency in administrative tasks The benefits for social care providers are that Individual Health Identifiers Accurately and safely identify people who use social care services Final Version for Publication Page 13

14 Help to create a complete record of a person s care by inclusion of records that may span different health and social care organisations Facilitate safe and efficient coordination of social care with healthcare. 3.3 LEGAL BASIS FOR THE ESTABLISHMENT OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER The legislation to allow the creation of the Individual Health Identifier Register and the data fields to be contained therein is set out in the Health Identifiers Act 2014: The elements of Health Identifiers Act that relate to the unique numbers for a person or organisation that provides a health service are not included within this Privacy Impact Assessment. In relation to the unique health identifier therefore the Act provides the legal basis for: The assignment of a unique number to every individual to whom a health service is being, has been, or may be provided. The establishment and maintenance of a National Register of individual health identifiers and information relating to the individuals to whom the numbers are assigned. The basis on which the National Register may be accessed and the personal data within it may be processed. The delegation of certain functions conferred on the Minister of Health to the Health Service Executive. Amendment to other Acts required as a consequence of the Health Identifiers Act Assignment of a Unique Identifier The Act allows the Minister to assign an Individual Health Identifier to: any living individual, whether or not they are resident in Ireland, to whom a health service is being, has been or may have been provided an individual who has died before the Act comes into operation. Final Version for Publication Page 14

15 The Act requires that the Individual Health Identifier should not contain any personal data for example it must not contain the individuals date of birth and identifies that possession of a unique identifier is not of itself an indication of entitlement to health services. The Act also makes provision for the Individual Health Identifier to be made available to the individual or where the person is deceased or lacks capacity, their personal representative, if the Minister wishes to do so Establishment and Maintenance of a National Register The Act makes provision for a National Register of Individual Heath Identifiers to be established which will hold the Individual Health identifier and other identifying particulars where they are known. The National Register can continue to hold information relating to deceased persons and can annotate their records to indicate that they are deceased and the date of their death. The register must only contain the following personal data: surname forename date of birth place of birth sex all former surnames mother s surname and all former surnames of his or her mother (including mothers surname at mother s birth) address nationality personal public service number date of death in the case of a deceased individual signature photograph and any other particulars as determined by the Minister to be relevant to identifying the individual Use and Provision of the Identifying Information The Act makes provisions for the collection of historical data relating to an individual with a Unique Health Identifier. The Act also makes provision for organisations that are providing or have provided health services to an individual to request that the individual or where appropriate their personal representative should provide information to allow them to be identified. This will be provided to the Minister Final Version for Publication Page 15

16 within 30 days and if the service provider finds them to be inaccurate will be corrected within 30 days to allow corrections to be made. The Act enables any other Minister of the Government to provide identifying information to the Minister and enables a tard-chlaraitheoir (a registrar of births deaths and marriages) to provide information relating to an individual s birth or death in order that the minister can establish or maintain the accuracy of the National Register There are also, within the Act, clear restrictions in relation to how consumers systems (in the first instance this refers to Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system) and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) can interface with the National Register to obtain Individual Health Identifiers for inclusion within their systems. The consumer systems will provide a copy of their local master patient index (MPI) to the National Register and will be provided with an Individual Health Identifier for all patients. At no stage will a copy of the register be provided to any third party. Individual Health Identifier data will only be provided by the submission of known individual patient\client details by an authorised Health service provider to the HSE for the provision of an Individual Health Identifier and the other Individual Health Identifier data as outlined in the legislation Access to the National Register of Individual Health Identifiers The Act requires the Minister to put arrangements in place for the National Register to be accessed by relevant persons for a range of relevant purposes and to be protected from being accessed inappropriately. The Act also makes a series of provisions for health service providers to request information from persons they are providing services to that will enable their Individual Health Identifier to be recorded or traced for and to be recorded in the individual s records and used in appropriate communications Offences Relating to Individual Health Identifiers The Act makes it an offence for an individual to provide false information in order to be assigned an Individual Health Identifier. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine or on conviction or indictment to a fine not exceeding 100,000. The Act sets out the purposes for which a person may access the National Register or process an individual s Individual Health Identifier and establishes that it is an offence to knowingly contravene these provisions. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine or on conviction or indictment to a fine not exceeding 100,000. It is an offence for a person to impersonate another person in order to access the National Register. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine. Final Version for Publication Page 16

17 3.4 LEGAL BASIS FOR USING THE DEPARTMENT OF SOCIAL PROTECTION DATABASE TO POPULATE THE NATIONAL REGISTER Data Held by the Department of Social Protection The Department of Social Protection issues a unique Personal Public Service number to assist individuals in accessing benefits and information from public services agencies in Ireland such as Social Welfare, Revenue Public Healthcare and Education. A Personal Public Service number is issued to: Anyone born in Ireland since 1971 Anyone who has worked in Ireland since 1979 Anyone receiving a Social Welfare payment Anyone participating in the Drugs Payment Scheme. The Public Service Identity database is the National Register of Personal Public Service numbers and the associated personal identifying information It is intended that the National Register of Individual Health Identifiers will be created and maintained by data supplied from the Public Service Identity register Provision under the Individual Health Identifiers Act As referred to above, the Health Identifiers Act (Part 2 Section 8) makes specific provision for another government Minister to provide information relating to individuals solely for the purpose of establishing or maintaining the National Register. The Act therefore makes provision for individuals data to be obtained from the Department of Social Protection in order to establish the National Register Provision under the Social Welfare Consolidation Act. In order for the Department of Social Protection to have a legal basis to provide data to the National Register there also needs to be provisions under the Social Welfare Consolidation Act Final Version for Publication Page 17

18 Section 262 (6) of the Social Welfare Consolidation Act, 2005 states that: (6) (a) Where a specified body has a transaction with a person, the Minister may share the person s public service identity with the specified body to the extent necessary in respect of that transaction * for authentication by the specified body of the person s public service identity. (b) A specified body may use a person s public service identity in performing its public functions insofar as those functions relate to the person concerned. (*Inserted by s. 32(a)(iii) Social Welfare &Pensions Act 2007). Section 262 also provides that a transaction means (a) an application, (b) a claim, (c) a communication, (d) a payment, or (e) a supply of a service, relating to a public function of a specified body which relates to a natural person.. These provisions in the Social Welfare Consolidation Act 2005 allow the Department of Social Protection to provide data relating to the population of Ireland (including deceased patients) to the Health Minister for the establishment of the National Register of Individual Health Identifiers. Final Version for Publication Page 18

19 4 SPECIFICATION FOR THE INDIVIDUAL HEALTH IDENTIFIER AND THE NATIONAL REGISTER 4.1 FORMAT OF THE INDIVIDUAL HEALTH IDENTIFIER The Individual Health Identifier will be a unique number used for the purposes of identification of individual patients and service users within health and social care services and will be based upon the NHS s National Patient Identifier model, adapted for use within the Irish health environment. Key criteria used to select the final structure and content of the Individual Health Identifier were: The format of the number must support usability in the Health sector The proposed number range must provide a more than adequate volume of numbers for existing and future population The development cost required for the central Individual Health Identifier system must be significantly less than alternative options There should be pre-existing functionality in many consumer systems for support of the number in the proposed format, significantly reducing the cost of any development required for consumer systems The prescribed standards must be met (HiQA, ASTM UHID ) The number format and standard can be shared world-wide inclusive of Northern Ireland in particular. The number must be compatible with devices such as scanners, bar-code readers and other devices. As a result it has been expected that the Individual Health Identifier will be comprised of 3 items; a 7 digit GS1 standard prefix; a 10 digit core number (the final digit being a modulus 11 check digit); and a final checking digit. A total of 18 digits. It is proposed that the GS1 healthcare standard, already in use within the HSE, will form a pre-fix to the core Individual Health Identifier. The format of the core number is the same as that used for the NHS Number in the UK and may use one of a bank of numbers reserved for the Republic Of Ireland which are to As an example the number below shows the relative components of its construct; [GS1 GSRN Prefix number with no check-digit] [Core IHI number with check-digit] [Final GS1 check digit] Final Version for Publication Page 19

20 4.2 CONTENT OF THE NATIONAL REGISTER The Dataset items to be held on the National Register were defined in the Health Identifier Act as: surname forename date of birth place of birth sex all former surnames mother s surname and all former surnames of his or her mother (including mothers surname at mother s birth) 2 address nationality personal public service number date of death in the case of a deceased individual signature photograph SAFE level of registration this has been defined by the Minister as other particulars required Personal Service Card No. this has been defined by the Minister as other particulars required SAFE level of registration refers to the Standard Authentication Framework Environment designed to assign a level of certainty to the information held about an individual e.g. information about a client is only assigned SAFE Level 2 after a face-to-face interview were the client is required to produce documentary, including photographic, evidence of identity. The IHI will utilise the SAFE* Public Service Card infrastructure operated by the Department of Social Protection. In this way, the Individual Health Identifier will leverage the significant investment to date and the ongoing work by the Department of Social Protection (DSP). It is not intended to replicate the DSP data collection and verification process, except for the small number of patients where the DSP does not have information about the individuals concerned because they would not normally be issued with a PPSN e.g. tourists or temporary residents. This approach will ensure 2 In fact the data that will be held on the IHI Register will be mother s surname at birth only as there is no available source for other surnames to be collected. Final Version for Publication Page 20

21 maximum leveraging of the public service dataset (operated by DSP) while enabling the health sector to operate a sectoral identifier. In many respects, the health service will operate from a carbon copy of the public service identity dataset and this will significantly reduce the cost of the initiative 4.3 CREATION OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER Implementation of the Individual Health Identifier Register The following diagram sets out the way in which the IHI Register will be generated and maintained Figure 1 Generation and Maintenance of the IHI Register 1. IHI Register: The existing HSE PCRS index will be developed to become the National IHI Register and PCRS Schemes will provide updates as a trusted data source based on business logic put in place. 2. Department of Social Protection Public Service Identity: DSP-PSI will be treated as a trusted data source and will feed data via an appropriate interface which will be put in place. Final Version for Publication Page 21

22 3. Consumer Systems: Consumer systems (including PCRS scheme systems) will be interfaced to access IHI numbers on a planned and phased basis via a standardised interface which will control access. Updates to IHI record data may be facilitated where permitted by the business logic put in place. Note: The list of consumer systems in the diagram are for illustrative purposes only. The actual roadmap for connectivity will depend on legal commencement, technical and business readiness, and strategic planning. Once established, the IHI Register will be held in an encrypted environment. The HSE s Primary Care Reimbursement Service supports the delivery of a wide range of primary care services to the general public, through over 6,600 primary care contractors across a range of community health schemes. These services are provided to more than 3.4 million people in their community by doctors, pharmacists, dentists and optometrists. The Primary Care Reimbursement Service Master Patient Index (OHMPI) will be leveraged to support the requirements of the Individual Health Identifier, utilising existing hardware and software infrastructure and will be modified and adopted to become the National Register. The Primary Care Reimbursement Service Master Patient Index only holds records for individuals that are in receipt of publically funded primary care schemes. In order for the Individual Health Identifier Project to meet its objectives and realise the potential benefits in full, it is imperative that the National Register contains a record for all individuals who have previously accessed or may need to access a health service in Ireland, irrespective of whether the service is provided publically or privately. The Department for Social Protection operate a database which holds Public Service Identity records for all members of the population who transact with public service departments or agencies. All individuals are provided with a Personal Public Service Number for transacting with public service departments, when they are registered at birth or upon immigration to Ireland. This database aggregates information from within the Department of Social Protection and other channels, for example the General Registrations Office. The Public Service Identity database is the most complete register of the population of Ireland. Utilising PSI data as the source of the IHI register leverages a well-managed, quality assured and robust register providing a significant level of assurance that there is a unique identifier, correctly assigned, for each individual. In addition, the DSP are currently undertaking a registration process for PSI clients which will provide an even higher level of assurance in relation to the identity data for individuals on the PSI register and consequently for the IHI register. Therefore it is proposed that the Department of Social Protection s Public Service Identity records will become the main source for the creation of the Individual Health Identifier register with additional data provided by PCRS where available. This is subject to a Memorandum of Agreement between the Department of Social Protection, the Department of Health and the HSE, which outlines how information governance and compliance will be applied by the HSE for the use of PSI data in the context of the Individual Health Identifier. Final Version for Publication Page 22

23 A secure interface between the HSE and DSP will be implemented in order to facilitate on-going record maintenance via the provision of new and updated PSI details. The Primary Care Reimbursement Service Master Patient Index already holds a significant subset of the Public Service Identity database records as the Personal Public Service Number is required for the processing of schemes such as the Medical Card and Drug Payment Refund both of which are publically funded. Prior to the matching of DSP PSI and HSE PCRS records, a body of work will be undertaken to assess and remediate any legacy or organic data variances in the PCRS Master Patient Index. Appropriate cleansing will be undertaken to ensure PSI records are being compared against clean and valid data, for the purposes of creating the IHI Record. To facilitate creation of the IHI Record, relevant Public Service Identity data fields (as authorised by the Health Identifiers Act) will be provided by the Department of Social Protection. A robust matching and record joining triage process (as developed and tested during the IHI Register s Design and Development stages) will result in a final IHI Record. An Individual Health Identifier will then be generated and assigned to each IHI Record. Each Individual Health Identifier must be generated in a manner to ensure that: it is unique it is randomly generated has no association to any attribute belonging to the person it is generated for it is not generated in an identifiable sequence with other IHI numbers is applied to a single individual No individual has more than one IHI It is never recycled or re-used It is comprised of and formatted to the specified parameters of creation The PSI data will be matched against existing Primary Care Reimbursement Service Master Patient Index records. For uniquely matched records the Primary Care Reimbursement Service Master Patient Index will be updated with the relevant PSI details and the records will be assigned Individual Health Identifiers. Any records currently held by the Department of Social Protection that do not already exist on the Primary Care Reimbursement Service Master Patient Index will be added to the National Individual Health Identifier Register and assigned Individual Health Identifiers. Final Version for Publication Page 23

24 Figure 2 - Example of creating the SBR from multiple records 3 The matching algorithm used to match records from the Public Service Identity database and the Primary Care Reimbursement Service Master Patient Index will be designed to maximise the number of records that can be correctly matched automatically but minimise the number of records that require manual intervention by the Business Operations Unit. This will ensure that the number of false positive matches (records that are matched but are not for the same person) and false negative matches (records that are for the same person but have not been matched automatically) are kept to a minimum. Development of the matching and update rules will take place during the design. Any rules for update and matching will be thoroughly tested prior to finalisation Maintenance of the National Register Once created, ongoing maintenance of the National Register will occur through routine updates (at a minimum daily frequency) from the Department of Social Protection. The updates will provide details of changes to existing records and insertions of new records: new records will be assigned an individual Health Identifier Business Operations Unit Given the current role of the Primary Care Reimbursement Service in managing an existing Master Patient Index for the HSE with many of the technical and operational aspects already in place, the Primary Care Directorate has been appointed by the HSE to establish the IHI Unit that will be responsible for the operation of the Individual Health Identifier service. 3 taken from HealthIT2 presentation Final Version for Publication Page 24

25 The responsibilities of the Business Operations Unit will include: IHI Register Data Management from Automated Feeds the manual activities necessary to resolve any issues identified through automated data matching processes IHI Register Data Management from Service Provider Requests the manual processes to deal with requests to change data held in the Central IHI Register Service Provider Access Management the manual processes to grant/update/remove access for users of the Central IHI Register Service Provider Relationship Management the processes required to successfully manage the relationship between the Business Support Team and Service Providers to ensure all stakeholders that they are supported Compliance Management the processes to ensure that the operation of the Central IHI Register is in compliance with all legislative and standards guidelines, and to report such compliance Central IHI Register System Maintenance the processes that support the ongoing technical maintenance of the Central IHI Register Business Support Team Management the processes to ensure the successful operation of the Business Support Team Public Requests for Information the processes to provide members of the public details about the IHI number, if requested Access to the National Register Information Security for the IHI Register is a larger consideration than just protection from unauthorised access, which is just one area of major consideration. Information Security can be viewed in the main as ensuring Confidentiality, Integrity, and Availability of data, however for the IHI project it will be considered in all areas relating to: Security at a technical level Security at a policy / governance level The practical implications of implementation which must be both appropriate and feasible Access to the IHI Register will therefore be driven from a number of focus areas of which some will be driven from: Business decisions determining what is required from a security perspective Technical decisions determining how security is implemented Access to the IHI Register will be determined based on the extent to which internal and external parties are viewed as untrusted networks. The level of access available will be based upon this, for example different methods of access control may be appropriate for e.g.: PCRS internal system Previously interfaced system Brand new consumer system At a minimum both Authorisation and Authentication will take place. Final Version for Publication Page 25

26 Authorisation can be considered as both the business perspective in terms of having an assessment framework and process in place as well as the technical implementations facilitating that such as Role Based Access Control (RBAC) and appropriate audit and tracking technologies. Authentication can be considered as the process of ensuring accountability for data access. / management / handling once authorised and will largely be technology driven utilising appropriate technology controls. For direct IHI Access, the Team will (as controlled through RBAC) be able to perform functions such as: Search or Find data items Trace activity and data items Add new data items Update existing data items Merge data items Un-Merge or Split data items These features will only be available or used as defined in specific Use Cases (for example when the automated matching algorithm cannot 100% determine whether to merge a record or not and so the case is added to a worklist for the IHI Team to review and resolve). The contents of the records visible to the IHI Team will be limited to the demographics as specified in the Health Identifiers Act, and there will be no possibility of access to clinical or other associated information (as it will not be held in the IHI Register). Consumer systems will be similarly restricted in how they access data within the IHI Register, and in reality, will not have direct access, but will be returned controlled data via a standardised interface which will sit between the consumer system and IHI Register. Requests for data based on a limited set of functionality for different use cases (for example Trace IHI for a new patient) will be processed by the interface and responses returned as appropriate. For example if for some reason a record has been marked as sensitive for any reason in the IHI Register, a consumer system requesting that record may not be able to retrieve the demographic details and may instead be responded to with an appropriate information message highlighting that the record cannot be returned. These controls will ensure access abuse is robustly managed. Additionally, as well as performing a controlled message broker role, the standardised consumer system interface and IHI Register will fully track consumer system access activity, with alerts or logging taking places as appropriate. Connection to this standardised interface will only be permitted once the consumer systems has fully completed all necessary activities (e.g. implementation of required technical changes, signing of necessary documentation) and has been verified by the team as ready to connect. Section 4.2 above lists the data items that will be included on the National Register. Although these data items can be used for search purposes all the items may not be returned to the user or to consumer systems. Final Version for Publication Page 26

27 In addition to the standardised interface being designed ground-up, any existing or legacy system interfaces already connected to the Master Patient Index will be identified, assessed, and modified as required to ensure compliance with IHI Information Security before being permitted to read any data contained within the Register. This will ensure that consistent Business Logic for access control is applied across all channels. In line with this requirement existing interfaces between the PCRS register for PCRS schemes can only continue to access the IHI register when the same controls are in place. An assessment of the agreed standardised interface functionality and controls together with the business compliance process will be undertaken before implementation of the consumer system interface. Following the creation of the National Register, access to and use of the Individual Health Identifier will be integrated within a targeted set of external consumer systems (Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)), with the requisite interfaces and processes also put in place to maintain these interfaces going forward. Typically, due to birth registration processing, new born babies are not assigned with a Personal Public Service Number and associated Public Service Identity dataset until they are approximately 28 days old. To ensure that an Individual Health Identifier can be available to babies at birth. The IHI will be allocated to babies via a separate process based on the birth notification system in hospitals which will then be reconciled with their Public Service Identity record once it is available. The systems and processes to maintain this for the current and future population will also be put in place. Functionality to provide new born babies with an Individual Health Identifier at birth and use of the number within additional consumer systems will be added as a capability in the future. The privacy implications of all such further expansions of the functionality and use associated with the Individual Health Identifier will be considered within separate PIAs as appropriate IHI Proof of Concept Register The expected lead time for the development and subsequent integration of the IHI Register with consumer systems drove the need to generate practical learnings early so that lessons and understanding could be derived and subsequently applied to the development of the IHI Register. To this end, an IHI Proof of Concept (IHI-POC) Register was created to facilitate direct practical experience and insight in preparing data and producing IHI numbers, for both the development team and business service team members. The output of this activity will directly feed into the IHI Register project design and development activities. The IHI Proof of Concept Register was introduced after work on the Privacy Impact Assessment was already nearing completion and as a result the development team were able to implement appropriate privacy controls as recommended for the IHI register. Final Version for Publication Page 27