OHA Primer: A Practical Guide for Hospital Records Management Programs


Disclaimer

This Primer was prepared for the ownership and use of the Ontario Hospital Association (OHA) as a general guide to assist hospitals in furthering their records management efforts. The materials in this Primer are for general information only and should be adapted by hospitals to suit their own individual circumstances. The Primer reflects the interpretations and recommendations regarded as valid at the time of publication based on available information, and is not intended as, nor should it be construed as, legal or professional advice or opinion. Hospitals concerned about the applicability of FIPPA to their activities are advised to seek legal or professional advice. The OHA will not be held responsible or liable for any harm, damage, or other losses resulting from reliance on, or the use or misuse of the general information contained in this Primer.

Copyright 2012 by the Ontario Hospital Association. All rights reserved. This Primer is published for OHA members. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, except for the use of OHA members, without prior written permission of the OHA.

ISBN #978-0-88621-349-7

Acknowledgements

This Primer was prepared by the Ontario Hospital Association with input from the following hospital members.

- Susan Anthistle, Information and Privacy Officer, Centre for Addictions and Mental Health
- Susan Berezny, Senior Specialist, Freedom of Information, The Ottawa Hospital
- Amanda Brennan, Corporate Privacy Officer and Freedom of Information Coordinator, Mount Sinai Hospital
- Betty Dann, FIPPA Specialist, St. Joseph's Health Care London
- Joan Demontigny, Freedom of Information and Privacy Specialist, Niagara Health System
- Angelique Hamilton, Freedom of Information Coordinator, St. Michael's Hospital
- Michelle Jones, Document Management Specialist, Huron Perth Healthcare Alliance
- Anne MacDonald, Director, Privacy and Access, The Ottawa Hospital
- Janet Money, Information and Privacy Coordinator, Holland Bloorview Kids Rehabilitation
- Rita Reynolds, Chief Privacy and Freedom of Information Officer, North York General Hospital
- Sonia Tassone, Freedom of Information and Privacy Coordinator, Sault Area Hospital

OHA Staff

- Elizabeth Carlton, Director, Policy, Legislative and Legal Affairs
- Melinda Moore, Manager, Regional and Board Affairs
- Amy Clark, Public Affairs Specialist
- Melissa Prokopy, Senior Legislative Advisor
- Karen Sequeira, Project Manager, Freedom of Information Implementation

Table of Contents

1. Introduction
2. Key Elements of a Hospital Records Management Program
   2.1 Governance, Leadership and Accountability
   2.2 Directory of Records and Inventory of Records
   2.3 Record Retention and Disposal Schedules
   2.4 Policies and Procedures
   2.5 Training and Communications
   2.6 Audit and Evaluation
3. Key Resources
Toolkit Tools and Templates

1. Introduction

Effective records management, which includes timely access to accurate and reliable information, is a critical component of effective hospital administration. Key elements of an effective records management program include an up-to-date records retention schedule; organizational policies and procedures, with complementary staff and physician training; an information technology infrastructure to ensure appropriate record storage, integrity, and security; and support and endorsement from senior leadership. Having effective oversight for records management programs can ensure that hospitals meet legal, business and professional obligations for all records in their custody or under their control, and improve organizational operational efficiency.

For many hospitals, the focus of records management programs has been patient health records, which hospitals have very successfully managed. Traditionally, these records have been paper-based files, but increasingly, as hospitals migrate to electronic-based formats, new challenges are arising in the management of health records (e.g., access controls, use of portable devices, security when utilizing shared electronic health records).

Generally, the maintenance of corporate or administrative records has traditionally occurred at the program, department or individual staff level. More recently, the extension of the Freedom of Information and Protection of Privacy Act (FIPPA) to hospitals, which provides a right of access to records in the custody or under the control of hospitals, has many hospitals reviewing their records management programs to ensure compliance with the requirements that FIPPA imposes, and in doing so, has presented some challenges in identifying what records are created, where they are located, and who owns them.

Building the Case for Records Management Programs

Effective records management programs help to:

1. Ensure legislative and regulatory compliance
2. Increase accountability and transparency to the public
3. Minimize litigation risks
4. Preserve organizational history
5. Ensure business continuity
6. Reduce operating costs and improve efficiency and productivity
7. Safeguard essential information, despite staff turnover

FIPPA requires that hospitals provide the Minister of Government Services with a Directory of Records, which is a list of the types of records in the custody or under the control of the hospital. With hospitals completing this for January 1, 2012, one critical step of the records management program has been achieved.

Definition of a Record

Records contain information, and document the decisions, transactions and administrative actions of the organization. Records, in the hospital context, are generally categorized as being either clinical (e.g., patient health records) or administrative (e.g., employment, financial and accounting, procurement, medical affairs), and may be held in any of the following formats:

- Paper (both printed and handwritten), reports, notebooks, etc.;
- Email or electronic (on a desktop, laptop or smart device);
- Databases;
- X-rays and other images;
- Photograph, audio, videotape; or
- Other method of storing information.

An effective records management program will take into consideration all record formats, from the point of creation through to distribution, use and maintenance through to storage/retention and eventual record disposal or archival, also known as the records life-cycle.

The Ontario Hospital Association (OHA) has developed this Primer to support hospitals in furthering their records management efforts. Specifically, this document will outline key elements of a records management program and identify suggested priorities and action items. In addition, the OHA is updating its Records Retention Guidelines, which will provide a comprehensive, up-to-date summary of legislative and regulatory requirements for retention of hospital records and support hospitals in developing their records retention schedule. These Guidelines will be available in late summer/early fall 2012.

Figure 1: Records Life-Cycle (stages shown: Creation, Distribution, Use, Maintenance, Archival, Disposition)

2. Key Elements of a Hospital Records Management Program

In this Primer, six elements critical to an effective records management program are discussed:

1. Governance, Leadership and Accountability
2. Directory of Records and Inventory of Records
3. Records Retention and Disposal Schedules
4. Policies and Procedures
5. Staff Training and Education
6. Audit and Evaluation

2.1 Governance, Leadership and Accountability

Similar to other organizational programs or services (e.g., finance, human resources, information technology), the records management function should be recognized as a corporate program within the hospital, and to support this, the following is recommended:

Confirm a Senior Leadership Lead. Having a senior manager designated as the lead for records management can help ensure administrative oversight and appropriate budgetary and staff resources. It may be appropriate to choose a senior lead (i.e., Chief Executive Officer, Chief Operations Officer, Chief Information Officer, Chief Risk Officer, Vice President Corporate Affairs) that is also the executive who has accountability for the data protection, freedom of information (FOI), health records, or corporate risk management domains at the hospital.

Designate a Records Management Lead. The hospital may designate one or two lead(s) to work with the executive lead and support implementation of strategic and operational priorities related to the hospital's records management program. Some hospitals may already have a designated records advisor or records manager. Other hospitals may have identified a lead for clinical records (e.g., health records manager), but may not have identified an overall lead for the management of administrative records, which might be decentralized and managed at the program and departmental level. Having one records management lead for the hospital can ensure accountability for completion of the hospital objectives and deliverables of the program (e.g., Directory of Records, records retention schedule).

Convene a Records Management Committee. Convening a multi-disciplinary committee can ensure expertise is available to support the development of hospital policies, records retention schedules, and training content. To ensure inclusiveness of all functional areas, representation may include information technology and data security, FOI, health records, privacy, legal, audit, facilities, communications, purchasing and capital projects, risk management, quality and patient safety, medical affairs, and other program or clinical areas.

2.2 Directory of Records and Inventory of Records

FIPPA imposes a legal requirement to complete a Directory of Records, which is a list of the general classes of records prepared by or in the custody or under the control of the hospital, and submit it to the Minister of Government Services. An inventory of records provides more details about hospital record holdings than a Directory of Records, and while there is no legal requirement to complete an inventory of records, completing one can assist the hospital's records management program.

Complete a Hospital Directory of Records and Inventory of Records. Determine whether the hospital has an up-to-date Directory of Records (and inventory of records) that accounts for all record classes, in all formats (paper and electronic). In addition, hospitals should have a process in place to maintain the Directory of Records (and inventory of records) regularly, ensuring new classes/types of records are accounted for.

2.3 Record Retention and Disposal Schedule

Once the hospital has completed the Directory of Records (and inventory of records), through the Records Management Committee, the hospital should ensure that the retention and disposition schedule for each of the record classes is up-to-date and consistent with legislative, regulatory, business, and professional requirements.

What Information Should Be Included in the Hospital Inventory of Records?

Generally, a hospital will categorize the records in its inventory as (1) general/administrative records or (2) personal information banks. Through surveying hospital programs, departments and individuals, the inventory should result in the collection of details related to each of the general classes or types of records, which are prepared by or in the custody of the hospital.

For general/administrative records, details should include:

- The subject of the record;
- A brief description of the general type of record;
- The location of the record, including the hospital site, department, or office;
- Format of the records;
- Retention and disposal information or cross-reference to the hospital's up-to-date retention and disposal policy or procedures;
- Status of the record (i.e., draft, final, circulated version, made public); and,
- Names of individuals who are authorized to access the record.

For personal information banks, details should include:

- Name and location;
- The legal authority for its establishment;
- The types of personal information maintained in it;
- How the personal information is disclosed on a regular basis;
- To whom the personal information is disclosed on a regular basis;
- The categories of individuals about whom personal information is maintained; and,
- Any specific policies and practices applicable to the retention and disposal of the personal information.

Refer to the OHA Hospital Freedom of Information Toolkit: A Guide to Implementing the Freedom of Information and Protection of Privacy Act, section 4.1.1 in Chapter F, Hospital Implementation and Ongoing Requirements, for details on how to complete an inventory of hospital records.

The hospital may discover that there are a number of classes of records that do not have a retention and disposition schedule assigned to them. Working through the Records Management Committee, and in consultation with the program or department, the hospital should determine whether such records would fall under another record class, and where they do not, consider the legislative, regulatory, or business need for retention and then set a minimum or maximum retention schedule for that record. Additionally, there may be records (e.g., patient health records) where the hospital determines that it requires longer retention periods, or perhaps even permanent archival retention of the records. Where this occurs, it is critical to articulate clearly in the hospital policy the business decision for doing so, along with procedures related to ongoing management of such records.

Hospitals are reminded that as of January 1, 2012, FIPPA imposes two new record retention requirements, one for personal information and one for records that are subject to an open FOI request (or an appeal related to the FOI request). These two new record retention requirements supersede any other retention requirements imposed on hospital records. Refer to the OHA Hospital Freedom of Information Toolkit: A Guide to Implementing the Freedom of Information and Protection of Privacy Act, section 4.1.2 in Chapter F, Hospital Implementation and Ongoing Requirements, for details on these two new retention requirements.

Did You Know?

All records need to be in compliance with the hospital records retention schedule, including emails. Increasingly, hospital business is conducted by email as a way of conveying information, which requires a comprehensive information technology infrastructure to ensure data authenticity, security, and appropriate storage; however, emails are more difficult to manage organizationally since control is at an individual level.

The retention of email is dependent upon the content of the email, not the fact that it is an email message. An email can be comprised of the following:

- Textual message
- Metadata (i.e., to, from, subject, time, date)
- Attachments

For example, emails containing information about procurement business decisions and an attachment containing the contractual agreement related to a competitive bid process would need to be retained for seven years based on the Ministry of Health and Long-Term Care's Procurement Directive. The lengthy retention requirements for emails with such content make the email system inappropriate for record-keeping or records management, and hospital policies and procedures should ensure that such records are stored centrally in a shared drive in such a way that record authenticity and security are maintained.

Transitory Emails

Some emails (also telephone messages and other documents) serve to convey information considered to be of a temporary nature or value (e.g., confirming meet up for coffee or lunch, advising someone the printer doesn't work, routine announcements). Such records are often defined as transitory since they have only immediate or short term usefulness and will not be needed again in the future. These records do not contain legal or financial obligations nor include information required by the hospital to support decision-making or operational activities. While in most instances such emails are not needed after the task or event has concluded, retention would depend upon the content of such emails, not the fact that it is transitory, and hospital policies should consider such records.

Update the Hospital Record Retention and Disposition Schedule. Through the Hospital Records Management Committee, develop and approve a formal retention and disposition schedule for the hospital, which addresses all records and is consistent with legislative, regulatory, business, and professional requirements. The OHA is updating the Records Retention Guidelines, which will be published in late summer/early fall 2012.

Determine Appropriate Disposition Methods. Certain records may require a more secure method of destruction (i.e., incineration, maceration, shredding, pulping, secure electronic destruction). The hospital should outline acceptable procedures for disposition of each of the classes of records within its custody or under its control. In some cases hospitals may opt to dispose of records on their own, while in other cases they may obtain the services of a third-party firm.

Obtain Senior Management Approval for the Hospital Records Retention and Disposition Schedule. This is especially important where there are records within the hospital's custody or under its control that do not have legislative or regulatory retention requirements, and schedules are set based on best practices or risk assessments.

2.4 Policies and Procedures

Once the records retention and disposition schedule is approved, hospitals can take steps to review their records management policies and procedures to determine if any updates need to be put in place. The policies should outline the purpose and scope of the records management program, procedures for storage, retrieval, dissemination, protection, preservation, retention, and destruction, and serve as the foundation for how the organization conducts day-to-day business. The policy will help support the hospital to systematically and efficiently manage records from their time of creation (or receipt) until they are archived or disposed, in compliance with legislative, regulatory, business and professional requirements.

Some key components of the policy include:

- A statement identifying the organization's commitment to records management;
- Goals, objectives and scope (should include both paper and electronic);
- Definitions of key roles/responsibilities;
- A records classification structure that reflects a grouping of records not dependent on the organizational structure;
- The records retention schedule to ensure records are being retained, archived, or destroyed at designated and approved times;
- How the hospital ensures information authenticity and reliability (e.g., metadata storage) [1];
- How the hospital ensures security (e.g., protection from unauthorized access, encryption requirements);
- Contingency and business continuity of records;
- Training requirements for staff and professionals; and
- Details on how compliance will be monitored and maintained (i.e., records management system audits), and implications for non-compliance.

[1] Metadata is information that describes details about the data including date/time of creation, author of data, etc.

Review and Update Existing Records Management Policies. Take an inventory of existing policies and procedures, and update through the Records Management Committee, obtaining appropriate senior leadership sign-off.

2.5 Training and Communications

Once the hospital has the records retention schedule in place and has reviewed and updated its policies, staff should be made aware of these and should undergo appropriate training. All staff and professionals must be appropriately trained (and re-trained) to ensure they are aware of the importance of good records retention, of the hospital culture to support an effective records management program, that they are responsible for any records that they create or use in the course of their duties, and of what legal, business, and professional obligations those records have.

Training can start with reviewing the inventory of records that the program area or department has, and include suggestions for how information could be recorded (e.g., templates for minutes), the retention of particular records, suggestions for records classification schemes, and how the hospital will monitor and audit information.

Roll out Education and Training Program. Ensure all staff and professionals are appropriately trained. The hospital may wish to consider a roll out strategy that occurs program-by-program or department-by-department, addressing record classes that each area specifically deals with.

Communication Strategy. Hospitals should work with their communications department to develop and implement internal communications to support records management awareness and compliance (i.e., fact sheets, website, posters, newsletter, records clean-up days), which target all departments, programs and individuals (staff and professionals).

2.6 Audit and Evaluation

As with other hospital programs and services, completing an evaluation is critical to ensure that organizational goals and objectives are being met and to identify any opportunities for improvement. Further, with transparency being the centerpiece of the FOI legislation, evaluation can ensure that hospital record management practices are in keeping with the principles of FIPPA, and that responding to FOI requests is as efficient as possible in obtaining responsive records.

Through the Records Management Committee, hospitals should determine if department, program or individual practices are in compliance with the policies and procedures and support ongoing training requirements. Additionally, where there are new classes of records, establishing processes for adding them to the hospital Directory of Records and inventory of records, retention and disposition schedule, and education and training program is also important.

3. Key Resources

Records Management Programs

- ARMA International's Information Governance Maturity Model (www.arma.org/garp and www.armatoronto.on.ca)
- Enterprise Content and Record Management for Healthcare (www.ahima.org)
- Ontario Health Information Management Association (www.ohima.ca)

Inventory of Records

Record Storage, Retention Schedules and Destruction

- Archives of Ontario Information Bulletins (http://www.archives.gov.on.ca/english/archival-records/recordkeeping.aspx)
- Information and Privacy Commissioner of Ontario (www.ipc.on.ca)
- OHA Records Retention Guidelines, 2004. This Guideline is currently being updated and will be available in late summer/early fall 2012.
- OHA Guidance Document #4: Information/Records Management and Establishing an Inventory of Records (www.oha.com/foi)
- OHA Hospital Freedom of Information Toolkit: A Guide to Implementing the Freedom of Information and Protection of Privacy Act (www.oha.com/foi)

200 Front Street West, Suite 2800 Toronto, Ontario M5V 3L1 www.oha.com