Data Sharing Consent/Privacy Practice Summary


Responsible Entity
HIPAAT International Inc.

Legal Authority
- US: HIPAA, HITECH, 42 CFR Part 2
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Ontario: Personal Health Information Protection Act (PHIPA)

Entities Involved in Data Exchange
HIE: Connecting the Greater Toronto Area (cGTA). Many more have been added since, but as of October 2014:
- 6 Local Health Integration Networks
- 750 healthcare organizations
- Over 12,000 physicians
Services include: acute care, community support services, complex continuing care, long-term care, mental health and addiction, primary care, rehabilitation.

Problem Addressed
EHR privacy considerations:
- EHRs allow for the collection, use and disclosure of large amounts of health information from diverse sources.
- Health care providers do not have sole custody or control of health information in a shared system.
- Health care providers have different processes for implementing patient consent models.
EHR risks:
- Increases the risk of health care providers using or disclosing health information for unauthorized purposes.
- May attract hackers and others with malicious intent.
- Makes it easier to remove health information from a secure location and transfer it to an unsecure device.

Data Governance (Personal Health Information Protection Act, PHIPA)
Health Care Providers encompass a wide breadth of individuals and organizations, including:
(i) a person or entity permitted to provide health care services in Ontario, including a Health Service Provider (HSP) as defined under the Local Health System Integration Act, 2006, or a health information custodian as defined under PHIPA;
(ii) a prescribed person who compiles or maintains a registry of Personal Health Information under Section 39(1) of PHIPA;
(iii) a prescribed entity under Section 45(1) of PHIPA;
(iv) a health data institute under Section 47(2) of PHIPA; and
(v) a researcher or other person granted access by another Health Care Provider in accordance with PHIPA.

Privacy functions addressed:
- Consent management (both local and external domains)
- Privacy policy management
- Access control (limited display of PHI subject to a directive)
- Override / break the glass
- Consent validation
- Auditing

Description
The ConnectingGTA Project is a major clinical integration initiative which encompasses a population of 6.3 million across a large, diverse and complex set of health care services and Health Care Providers. Individual Health Care Providers often have limited access to Electronic Patient Data outside the boundaries of their organization or practice. To make informed diagnostic decisions, individual Health Care Providers currently may be repeating laboratory/diagnostic tests or performing administrative tasks to collect the necessary Electronic Patient Data that may already exist at other organizations or practices previously visited by their patients. This is often an inefficient process, increasing the cost to the health care system and negatively impacting the quality of patient care. The cGTA Project was initiated to improve patient care delivery by allowing for timely initiation of treatment and increased coordination amongst individual Health Care Providers, while creating a robust technical infrastructure that would allow multiple partners and vendors to develop new and innovative functionality in the future.

To achieve this, the ConnectingGTA Project identified the following key objectives:
- Providing individual Health Care Providers with access to relevant Electronic Patient Data at the point of care, thereby improving the patient experience as patients navigate through the continuum of care within the GTA
- Developing and implementing a robust, scalable and extensible platform that will allow Electronic Patient Data to be exchanged securely and seamlessly while fostering innovation where multiple partners and vendors can participate
- Developing the infrastructure and services to support other regional and provincial e-health initiatives
- Fostering collaboration amongst Health Care Providers in working towards Electronic Health Records (EHRs) and personal health records

Guiding principles to deliver clinical value: use a patient-centred approach to build a comprehensive patient view by capturing and sharing the largest volume of data needed most frequently by patients and providers (e.g. transitions from acute to community). ConnectingGTA seeks to:
- Support continuity of care and seamless transition between providers
- Deliver clinical value to clinicians as quickly and efficiently as possible
- Utilize existing expertise and work effort
- Build a compelling value proposition for clinicians and patients

Data Governance (consent directives)
The Individual may make, modify or withdraw the following Consent Directives in respect of the Individual's PHI in the ConnectingGTA Solution:
- Global Consent Directives (opt out)
- Domain Consent Directives (i.e. radiology, labs, etc.)
- Record-level Consent Directives
- Organizational Consent Directives
- Clinician-specific Consent Directives

Standards Implemented
- IHE ATNA audit messages
- HISPC III Intrastate and Interstate Consent Policy Option: Opt out with exceptions

Policies Adopted
A [provider clinician] shall only override a Consent Directive, and shall only collect PHI in the ConnectingGTA Solution that is the subject of a Consent Directive, where the [provider clinician] seeking to collect the PHI:
- obtains the express consent of the Individual to whom the PHI relates; or
- believes on reasonable grounds that the collection is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the Individual to whom the PHI relates, and it is not reasonably possible to obtain the consent of the Individual in a timely manner.
A [provider clinician] that overrides a Consent Directive and collects PHI in the ConnectingGTA Solution that is the subject of the Consent Directive shall only use or disclose that PHI for the purpose for which the PHI was collected.
All instances where all or part of the PHI in the ConnectingGTA Solution is collected as a result of an override of a Consent Directive shall be monitored, and notice shall be provided both to the [provider organization] that collected the PHI that is the subject of the Consent Directive and to the Individual to whom the PHI relates.
Reference policies:
- US: Nationwide Privacy & Security Framework for Electronic Exchange of IIHI
- UK: Principles for Implementing Permission to View for the Summary Care Record (v2.0); Sealed Envelopes Briefing Paper (v2.0); Share with Care: People's views on Consent & Confidentiality of Patient Information

Legal Agreements
- [HIE Participant] EHR Contributor Agreement
- [HIE Platform Vendor] Master Sales Agreement
- [HIPAAT] Software License and Maintenance Agreement and associated Statements of Work

Clinical Workflow Impacts
There is no impact to the clinical workflow unless the clinician encounters a situation where a patient, or an organization, has enacted a consent directive against a specified PHI artifact. Only at that time is the clinical flow interrupted by a system-generated message that the user must interact with to either cancel their query or gain override (break-the-glass) access to the PHI artifact, which then triggers an auditable event and provides a notification to a designated individual (i.e. a Compliance Officer).

Technical Overview
The overall ConnectingGTA Solution is a comprehensive integrated technology solution comprised of hardware, software and services. There are approximately 700 Health Service Providers (HSPs) in the Greater Toronto Area (GTA) that have the potential to participate in the ConnectingGTA Solution. From the outset, of these 700 HSPs, there are 5 Community Care Access Centres (CCAC), 45 Hospitals, 28 Community Health Centres, 157 Mental Health and Addiction Services, 202 Long Term Care Facilities and 257 Community Support Services. In addition, there are 60 Family Health Teams as well as over 2,000 individual Health Care Providers in the GTA.

The overall ConnectingGTA Solution is composed of several information system components, and is viewed as a single system by any Point of Service System accessing it. The ConnectingGTA Solution brings together:
- A GTA health information access layer (HIAL), developed on a Commercial Off The Shelf (COTS) platform, to enable different types of Electronic Patient Data to be accessed and displayed in an interoperable and trusted manner across the Health Care Providers of the GTA
- A GTA Clinical Data Repository (CDR), with a COTS database designed to store specific Electronic Patient Data
- A GTA Provider Portal and Portlets to provide access to ConnectingGTA services and available provincial domains through a standard web browser or desktop (e.g. a compliant Hospital Information System (HIS), Electronic Medical Record (EMR), or other portal)

Privacy eSuite was developed to centrally manage and help control and enforce health information privacy preferences (consent directives) established by patients, organizations and jurisdictions. It manages directives regarding the collection, use and disclosure of electronic protected/private health information (PHI). Authorized users may create, store, update and revoke privacy policies/consent directives on behalf of patients. All of these actions are carried out and audited immediately across the network and enforced by access control mechanisms, thereby providing functionality for the:
- Management of consent directives on behalf of clients to restrict access to their PHI
- Evaluation of consent directives to determine the appropriateness of access to a client's PHI
- Audit logging of all consent directive events for reporting and alert notification

It provides the decision point for balancing personal health information (PHI) privacy against clinical access to health information in support of improved quality of care. Standards-based privacy policies may be created at various levels of granularity including, but not limited to:
- Purpose of use (treatment, research, marketing, etc.)
- Information type (laboratory results, radiology exam, medication, etc.)
- Specific user(s) (roles, groups of users, facility, etc.)
- PHI identifiers (category codes, classification codes, etc.)

Within the Privacy eSuite environment, there are different components that allow for the proper management of information privacy:
- myConsentMinder (myCM). This GUI is a web-based, end-user-facing application (citizen, patient, clinician or social services agent) for managing privacy preferences. Users create privacy policies using simple preconfigured web templates created through PeS.
- Consent Management Service (CMS). This enables consumer, organizational and jurisdictional privacy policies to be administered and processed into computable access rules.
- Consent Validation Service (CVS). This high-speed service (>1,000 tps) determines if a user's access to a patient's PHI is appropriate based on the rules of the existing privacy policies.

The Privacy eSuite solution provides two user interfaces for the administration and management of consent directives. The eSuiteAdmin user interface application is for use by system administrators and compliance/privacy officers, and provides full management capabilities to these users based on the roles and functions allowed for each. The myConsentMinder is a template-based portlet which can be used within any clinical portal; it is intended for use by clients, patients, substitute decision makers or clinical staff. The consent validation service evaluates any active directives for a patient and provides a decision of Permit, Deny, or Permit through override to the requesting system.

The Universal Audit Repository (UAR) is a Java-based, IHE ATNA compliant audit repository. It is the central audit repository that tracks audit events related to updates, queries and retrievals, and is the primary source for privacy and security reports on all updates to and accesses of PHI. Some of the key functional features are:
- Provides the ability for authorized users to create reports based upon any audit event data, as well as to schedule the generation of reports (i.e. Accounting of Disclosures)
- Provides security notifications based upon the receipt of Security Alert audit event messages, and allows external Notification Alerts to be utilized
- Accepts all (IHE ATNA) audit log messages

Interoperability between the cGTA technology platform and the HIPAAT Privacy eSuite was accomplished using both the Java Consent Validation Interface (JCVI) and the Java Consent Policy Interface (JCPI).
Java Consent Validation Interface (JCVI):
- Provides a standards-based integration point between the consumer application and the consent validation service
- Interoperability service, where requests can be sent and received using Simple Object Access Protocol (SOAP)
- Deals with the creation of the request and interpreting the response
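The following Python is an added illustration, not HIPAAT's or cGTA's code, of the decision logic the profile describes: layered consent directives (global, organizational, domain, clinician-specific, record-level) evaluated to Permit, Deny or Permit through override; an override path gated on the two grounds in the Policies Adopted element; and an ATNA-style audit event with notices to the provider organization, the Individual and a compliance officer, from which an Accounting of Disclosures can be produced. The directive precedence order, the field names and the sample directives are assumptions made for the example.

```python
"""Consent-directive evaluation with override audit (added example, not product code).
Decision values and override grounds follow the cGTA/Privacy eSuite profile text;
data model, precedence order and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

PERMIT, DENY, PERMIT_OVERRIDE = "Permit", "Deny", "Permit through override"

# The two grounds on which the profile's policy allows an override (assumed labels).
OVERRIDE_GROUNDS = {"express_consent", "serious_bodily_harm_no_timely_consent"}

# Assumed precedence: a more specific directive wins over a less specific one.
PRECEDENCE = {"global": 0, "organization": 1, "domain": 2, "clinician": 3, "record": 4}


@dataclass(frozen=True)
class Directive:
    """One consent directive. A field left as None matches every request."""
    scope: str                       # global | organization | domain | clinician | record
    action: str                      # "deny" or "permit"
    domain: Optional[str] = None
    record_id: Optional[str] = None
    org: Optional[str] = None
    clinician: Optional[str] = None
    overridable: bool = True         # False: directive cannot be broken even in an emergency


@dataclass(frozen=True)
class Request:
    patient_id: str
    clinician: str
    org: str
    domain: str
    record_id: str
    purpose: str = "treatment"       # purpose of use the PHI may later be used for


@dataclass
class AuditLog:
    """Stand-in for the Universal Audit Repository plus its notification hooks."""
    events: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def matches(d: Directive, r: Request) -> bool:
    """A directive applies when every field it constrains equals the request's value."""
    return all(v is None or v == getattr(r, k)
               for k, v in (("domain", d.domain), ("record_id", d.record_id),
                            ("org", d.org), ("clinician", d.clinician)))


def evaluate(directives, request):
    """Return (decision, blocking_directive). The most specific applicable directive
    decides; a Deny is reported as Permit-through-override only if it is overridable."""
    applicable = sorted((d for d in directives if matches(d, request)),
                        key=lambda d: PRECEDENCE[d.scope])
    if not applicable:                      # no directive touches this request
        return PERMIT, None
    winner = applicable[-1]                 # highest precedence
    if winner.action == "permit":
        return PERMIT, None
    return (PERMIT_OVERRIDE if winner.overridable else DENY), winner


def break_the_glass(directives, request, ground, log: AuditLog):
    """Override path: allowed only when evaluation returned Permit-through-override and a
    policy ground is recorded; every override is audited and notices are sent."""
    decision, directive = evaluate(directives, request)
    if decision != PERMIT_OVERRIDE:
        raise PermissionError(f"override not applicable: decision is {decision}")
    if ground not in OVERRIDE_GROUNDS:
        raise PermissionError("override requires one of the documented policy grounds")
    event = {                               # simplified ATNA-style audit record
        "event": "ConsentOverride", "outcome": "success",
        "time": datetime.now(timezone.utc).isoformat(),
        "user": request.clinician, "org": request.org,
        "patient": request.patient_id, "record": request.record_id,
        "directive_scope": directive.scope, "ground": ground,
        "purpose_limitation": request.purpose,   # PHI may only be used for this purpose
    }
    log.events.append(event)
    log.notifications += [("organization", request.org, event),
                          ("individual", request.patient_id, event),
                          ("compliance_officer", "privacy-office", event)]
    return PERMIT


def accounting_of_disclosures(log: AuditLog, patient_id: str):
    """Report every override-based collection of one patient's PHI (UAR-style report)."""
    return [e for e in log.events if e["patient"] == patient_id]


# Constructed sample: one patient's directives.
SAMPLE_DIRECTIVES = [
    Directive("domain", "deny", domain="mental_health"),
    Directive("clinician", "permit", domain="mental_health", clinician="dr_smith"),
    Directive("record", "deny", record_id="lab-0042", overridable=False),
]

if __name__ == "__main__":
    log = AuditLog()
    req = Request("pt-1", "dr_jones", "org-a", "mental_health", "mh-1")
    print(evaluate(SAMPLE_DIRECTIVES, req)[0])                 # Permit through override
    break_the_glass(SAMPLE_DIRECTIVES, req, "serious_bodily_harm_no_timely_consent", log)
    print(len(log.notifications), "notices sent;", accounting_of_disclosures(log, "pt-1"))
```

The point a reviewer should take from the sample data is the difference between the two Deny outcomes: the domain directive yields Permit through override, so the clinician is interrupted but can proceed with a recorded ground, whereas the non-overridable record-level directive yields a hard Deny with no override path, and either way nothing is collected silently.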

Java Consent Policy Interface (JCPI):
- Direct interaction with an enterprise service bus (ESB); manages privacy policies programmatically
- Create/update/revoke/reorder patient policies and system consent directives
- Supports both single and batch requests

Documented Improvements that the Practice Enables
- Privacy controls encourage people to seek treatment without fear that by doing so their privacy would be compromised and they could be subject to negative perceptions and discrimination, criminal legal consequences (i.e. substance abuse), or civil legal consequences such as loss of child custody, employment or housing.
- Ensures that the organization manages personal health information in a manner that is consistent with its public commitments and legislative responsibilities.
- Improves the patient experience, mitigates privacy risks and supports best practices.

Challenges / Lessons Learned (Chief Privacy Officer)
- No two organizations are the same
- Be prepared to change
- Agree on common terminology
- Bring privacy into the design of the system
- Separate the policy from the standards
- Policies and standards should focus on the patient's perspective
- Ensure privacy is embedded into the clinical and patient processes
- Align participants' privacy programs
- Test and learn

References
cGTA Privacy & Security Lead on the 2014 HP-IAPP Privacy Innovation Award (large organization category): https://www.youtube.com/watch?v=w5popi5urxw

Contacts
Kel Callahan, HIPAAT International Inc., kcallahan@hipaat.com