Privacy and Management of Health Information


Standards Privacy and Management of Health Information Standards for s Regulated Members September

Approved by the College and Association of Registered Nurses of Alberta () Provincial Council, September.

Permission to reproduce this document is granted. Please recognize.

College and Association of Registered Nurses of Alberta
11620 168 Street
Edmonton, AB T5M 4A6
Phone: 780.451.0043 (in Edmonton) or 1.800.252.9392 (Canada-wide)
Fax: 780.452.3276
Email: practice@nurses.ab.ca
Website: www.nurses.ab.ca

Table of Contents
Preamble ... 2
Standards for Privacy and Management of Health Information ... 4
References ... 8
Resources ... 8
Appendix A ... 9

Preamble

On September 1, 2010 amendments to Alberta's Health Information Act (HIA) came into force. Until the most recent amendments, the Act only applied to health services paid for under the Alberta Health Care Insurance Plan. Under the amended Act, the Act applies to all health information collected, used and disclosed by custodians in relation to a health service, regardless of how it is paid for. "Health information" and "health services" have specific, defined meanings under the Act.

The associated HIA Regulation designates who are custodians under the Act. Regulated members of specific health professions have been designated as custodians. The HIA amendments will apply to regulated members [1] of the College and Association of Registered Nurses of Alberta () on September 1,. All regulated members of will be custodians for the purposes of the HIA unless they are an affiliate of another custodian. Individuals who are affiliates of another custodian are deemed not to be a custodian while acting in the capacity of an affiliate.

An "affiliate" is:
- an individual employed by a custodian
- a person who performs a service for a custodian as an appointee, volunteer or student, or under a contract or agency relationship with the custodian
- a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act

Examples of custodians include:
- Alberta Health Services
- Covenant Health
- nursing home operators

Therefore, registered nurses employed by these organizations are affiliates.

[1] Regulated members of are: registered nurses (RN), graduate nurses (GN), nurse practitioners (NP), graduate nurse practitioners (GNP), and certified graduate nurses (CGN).

Regulated members of may also be self-employed or employed by other organizations such as private industry, corporations and educational institutions that are not custodians under HIA. These organizations may employ regulated members of who provide health services. Although the employer is not a custodian under the HIA, the regulated member is subject to HIA for the health information that they collect for the purpose of providing a health service (for example, health information about employees of the organization). Any regulated member of practising in an employment setting where they collect health information for the purpose of providing a health service is a custodian under HIA. An example of this is an occupational health nurse who is employed by a large oil company to provide health services to the organization's employees.

It is important to remember that the HIA does not apply to health information that is collected for purposes other than providing health services. Further, the HIA Regulation excludes a number of services from the definition of health services. For example, insurance companies may hold health information in their files but they are not custodians, as the HIA does not govern the use of health information by them. Two other examples include:
- the review, interpretation or assessment of results from a drug or alcohol test to determine an individual's fitness to work; and
- the review, interpretation or assessment of results from medical or health monitoring of an individual to protect the health of workers or determine the individual's fitness to work.
(See Appendix A.)

Regulated members of must continue to be aware of and follow all relevant privacy legislation. Regulated members will still be governed by a variety of privacy legislation that applies to the personal information that they collect, use and disclose. Where the Health Information Act does not apply, Alberta's Personal Information Protection Act (PIPA) or the federal Personal Information Protection and Electronic Documents Act (PIPEDA) may.

Regulated members recognize the importance of privacy and confidentiality. The ethical obligations of registered nurses with respect to maintaining privacy and confidentiality are embodied in the Code of Ethics for Registered Nurses, as incorporated into the Nursing Practice Standards. The Nursing Practice Standards apply to overall care and to all regulated members of in clinical practice, research, education and administration. This document builds on those standards and identifies standards for maintaining privacy and confidentiality as well as the management of information in records and the management of electronic records, including the protection, privacy and security of electronic records.

For the purposes of the standards set out below, "health information" refers to health information collected, used or disclosed in relation to a health service, as defined in the Health Information Act.

Standards for Privacy and Management of Health Information

1. The regulated member is personally responsible and accountable for ensuring that they understand the privacy requirements that apply to their practice.

2. The regulated member collects, uses, and discloses only the amount of health information that is essential for the intended purpose and with the highest degree of anonymity possible.

3. The regulated member takes reasonable steps to ensure the accuracy of health information before using or disclosing the information.

4. The regulated member accesses personal and health information, including electronic health records, only for purposes that are consistent with their professional responsibilities.

5. The regulated member intervenes or takes action if others inappropriately access or disclose personal or health information of persons receiving care.

6. The regulated member is personally responsible and accountable for identifying and confirming whether they are a custodian of health information or an affiliate of a custodian for the purposes of health information legislation and shall advise the College of their status, when requested.

7. The regulated member who is a custodian is personally responsible and accountable for identifying the health information that they collect for the purposes of providing a health service. This will assist the regulated member in identifying and complying with legislated requirements specific to health information.

8. The regulated member who is an affiliate of a custodian of health information is personally responsible and accountable for ensuring that they are familiar with and comply with the legislated requirements specific to health information as well as their custodian's policies and procedures regarding the collection, use, disclosure and security of personal and health information.

9. The regulated member who is a custodian of health information is personally responsible and accountable for ensuring that they and their affiliates are familiar with and comply with the legislated requirements specific to health information.

10. The regulated member who is a custodian must take reasonable steps to ensure that client records are accessible for continuity of care for clients. Client records must remain accessible for a period of ten (10) years following the date of last service. For minors, the record must be accessible for a period of ten (10) years or two (2) years past the patient's age of majority, whichever is longer.

11. The regulated member who is a custodian of health information establishes written policies and procedures relating to how they and their affiliates handle health information in their custody and control. These policies and procedures necessarily include a written record of the administrative, technical and physical safeguards in place to protect the privacy and confidentiality of health information in their custody and control. These must include:
- affiliates are only given access to health information needed for their role
- reasonable measures to physically secure the areas in which health information is stored, such as locked buildings or rooms, locked filing cabinets, and locked shredding bins
- reasonable measures to maintain the security of health information while it is being transported from one location to another
- reasonable measures for the secure disposal of records containing health information

12. In addition to Standard 11, the regulated member who is a custodian of health information who uses a computerized or electronic information system must ensure that the system has reasonable safeguards to protect the confidentiality and security of the information, including but not limited to, ensuring that:
a. each authorized user can be uniquely identified
b. each authorized user has a documented access level based on the user's role
c. access to the system is password protected, with procedures for password management and updates
d. the system creates and maintains audit logs that meet legislative requirements for electronic health record information systems
e. identifiable health information is transmitted securely
f. appropriate anti-virus systems, firewalls and intrusion detection systems are installed and monitored
g. data is backed up securely
h. data recovery protocols are in place and regularly tested
i. protocols are in place to ensure continuity of care in the event that the information contained within the electronic information system cannot be accessed for a period of time
j. secure disposal of hardware that contains identifiable health information such that all data is removed and cannot be reconstructed

13. The regulated member who is a custodian ensures that their affiliates are aware of and adhere to all of their policies and procedures regarding the collection, use, disclosure and security of personal and health information and establishes sanctions for any breach thereof.

14. The regulated member who is a custodian who collects health information for the purposes of providing a health service who is employed by a non-custodian must:
a. inform the employer of the regulated member's obligations as a custodian
b. review the employer's policies and procedures relating to the collection, use, disclosure, retention and security of health information
c. make recommendations to the employer regarding the collection, use, disclosure, retention and security of health information to ensure that legislated requirements specific to health information and their obligations as custodians are met and reflected in the employer's policies and procedures
d. where the custodian uses the employer's electronic information systems for health information, the custodian shall use reasonable efforts to enter into a written agreement with their employer that addresses their respective obligations regarding the collection, use, disclosure, retention and security of health information

15. The regulated member who is a custodian of health information periodically assesses the administrative, technical and physical safeguards in respect of:
- the confidentiality of health information that is in its custody or under its control and the privacy of the individuals who are the subjects of that information
- any reasonably anticipated threat or hazard to the security or integrity of the health information or to the loss of the health information
- any unauthorized use, disclosure or modification of the health information or unauthorized access to the health information

16. The regulated member who is a custodian must comply with all legislative requirements, including:
a. the preparation and submission of a Privacy Impact Assessment to the Privacy Commissioner, before implementing any proposed new practice or system relating to the collection, use and disclosure of individually identifying health information
b. providing clients with access to their personal and health information in compliance with access to information legislation and subject to any statutory exceptions and fees, and allowing for the correction of personal and health information, as required by law

17. If a regulated member who is a custodian places health information in an electronic information management system that is not under their direct custody and control, there must be in place a written agreement that addresses the security of the health information, responding to access to information requests, and the collection, use and disclosure of the health information by the person or body who has custody or control of the health information through the electronic system, as well as any other requirements for such an agreement as set out at law.

18. The regulated member must comply with any written direction by to make specific health information accessible via the Alberta electronic health record.
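Standards 12(a) to 12(d) (unique users, documented role-based access levels, audit logs) and the oversight duties in Standards 4, 5 and 15 are easier to reason about when modelled in code. The following is an added illustration written for this page, not part of the standard or of any system the College operates; the role names, record sections, user ids and the "care relationship" test are assumptions made for the example.

```python
"""Added example (not from the standard): a minimal model of an EHR access
gateway that uniquely identifies users (12a), enforces a documented access
level per role (12b), records every attempt in an audit log (12d), and lets a
custodian review that log as part of periodic assessment (Standard 15) and the
duty to intervene on inappropriate access (Standards 4 and 5).
All role names, sections, ids and the care-relationship test are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# (12b) Documented access level per role: which record sections a role may read.
# Constructed role model for illustration only, not one prescribed by the HIA.
ROLE_ACCESS = {
    "rn":       {"demographics", "assessments", "medications", "care_plan"},
    "clerk":    {"demographics"},
    "pharmacy": {"demographics", "medications"},
}

@dataclass
class AuditEntry:
    ts: str
    user_id: str          # (12a) unique user identifier, never a shared login
    role: str
    patient_id: str
    section: str
    granted: bool
    reason: str

@dataclass
class EhrGateway:
    users: dict                       # user_id -> role
    care_team: dict                   # patient_id -> set of user_ids with a care relationship
    audit_log: list = field(default_factory=list)

    def access(self, user_id, patient_id, section):
        """Authorise one read and log it (12d) whether it is granted or denied."""
        role = self.users.get(user_id)
        if role is None:
            return self._log(user_id, "?", patient_id, section, False, "unknown user")
        if section not in ROLE_ACCESS.get(role, set()):
            return self._log(user_id, role, patient_id, section, False, "outside role access level")
        if user_id not in self.care_team.get(patient_id, set()):
            # Standard 4: access only for purposes consistent with professional
            # responsibilities; approximated here by an active care relationship.
            return self._log(user_id, role, patient_id, section, False, "no care relationship")
        return self._log(user_id, role, patient_id, section, True, "ok")

    def _log(self, user_id, role, patient_id, section, granted, reason):
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user_id, role, patient_id, section, granted, reason))
        return granted

def review_audit_log(log, max_denied=2):
    """Periodic review (Standard 15): flag users with repeated denials, or any
    denial for reading a record of a patient they have no care relationship with,
    so the custodian can intervene (Standard 5). Returns user_id -> sorted reasons."""
    denied = {}
    for e in log:
        if not e.granted:
            denied.setdefault(e.user_id, []).append(e.reason)
    return {uid: sorted(set(reasons)) for uid, reasons in denied.items()
            if len(reasons) >= max_denied or "no care relationship" in reasons}

def demo():
    """Constructed sample: two users, two patients, five access attempts."""
    gw = EhrGateway(users={"rn-0421": "rn", "clerk-17": "clerk"},
                    care_team={"pt-1001": {"rn-0421", "clerk-17"}, "pt-2002": set()})
    gw.access("rn-0421", "pt-1001", "medications")    # granted
    gw.access("rn-0421", "pt-2002", "assessments")    # denied: no care relationship
    gw.access("clerk-17", "pt-1001", "medications")   # denied: outside role access level
    gw.access("clerk-17", "pt-1001", "demographics")  # granted
    gw.access("nobody", "pt-1001", "demographics")    # denied: unknown user
    return gw, review_audit_log(gw.audit_log)
```

Only the nurse who read a record outside any care relationship is flagged; the clerk's single role-boundary denial and the unknown login are logged but fall below the review threshold.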

References

Alta. Reg. 118/2010. [Alberta Electronic Health Record Regulation].
Alta. Reg. 70/2001. [Health Information Regulation].
Canadian Nurses Association. (2008). Code of ethics for registered nurses. Ottawa, ON: Author.
College and Association of Registered Nurses of Alberta. (2003). Nursing practice standards. Edmonton, AB: Author.
Health Information Act, R.S.A. 2000, c. H-5.
Personal Information Protection Act, S.A. 2003, c. P-6.5.
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.

Resources

Alberta Government, Service Alberta. www.servicealberta.ca/pipa
Office of the Information and Privacy Commissioner of Alberta. www.oipc.ab.ca
Office of the Information and Privacy Commissioner of Alberta. (2010). Health information: A personal matter: A practical guide to the Health Information Act. Edmonton, AB: Author.
Office of the Privacy Commissioner of Canada. www.priv.gc.ca

Appendix A

ALBERTA REGULATION 70/2001
Health Information Act
HEALTH INFORMATION REGULATION

Exclusion from definition of health service

3.1 For the purposes of section 1(1)(m) of the Act, the following services are excluded from the definition of health service:

(a) the review, interpretation or assessment by a health services provider of
(i) results from a drug or alcohol test performed on a bodily substance from an individual, but only to the extent necessary or reasonably required to determine the individual's fitness to work,
(ii) results (A) from medical, health or biological monitoring of an individual, or (B) from medical or health surveillance of an individual, but only to the extent necessary or reasonably required to protect the health of workers or to determine the individual's fitness to work, or
(iii) results from a medical or health assessment of an individual, but only to the extent necessary or reasonably required to determine the individual's fitness to work;

(b) the review, interpretation or assessment of health information about workers collected under the Occupational Health and Safety Act by the Director of Medical Services for the purposes of protecting the health and safety of workers;

(c) an independent medical examination of an individual, or a review of the health information of an individual, by a health services provider who is not involved in the treatment and care of the individual for the purpose of determining benefits or coverage, or both, for insurance purposes;

(d) services, including parenting psychological assessments, neuro-psychological assessments and individual or group counselling, provided by psychologists to children and families at the request of a director under the Child, Youth and Family Enhancement Act;

(e) the review, interpretation or assessment by a health services provider of results from a drug or alcohol test performed by a laboratory on a bodily substance from an individual at the request of a director under the Child, Youth and Family Enhancement Act;

(f) emergency response dispatch services.