Lecture 3 Flashcards
Midterm 1
What is the difference between paper and electronic health records?
- Traditional collection of PHI was in paper format which was easy to maintain since the record could only be in one place at a time
- There has been a movement to electronic health records
Benefits of EHR
- Greater facilitation of PHI transmission
- Can be viewed simultaneously by many
- Tighter security possible
- Easier data collection and transmission for research
Drawbacks of EHR
- Loss of control of where the PHI goes
- Easy and unauthorized access
- Loss of control over how one's health info is used
How have EHR concerns been addressed?
- Government put legislation in place to protect PHI
- Collection and dissemination of PHI was already guarded under previous legislation
- Legislation was updated under context of EHR
What is privacy?
the ability of an individual to control their own personal information
What is security?
electronic and physical measures put in place to protect personal information
What is confidentiality?
the responsibility of an individual privy to personal information to not disclose
Mechanisms to protect privacy, security and confidentiality
Privacy: Signed consents for release
Security: Locked rooms and doors (paper), username and password (electronic)
Confidentiality: Organizational policies
Federal policies governing PHI
- CSA 10 principles
- PIPEDA
- Provide a foundation and framework for legislation and policies governing PHI in Canada
- Documents are not specific to PHI
CSA 10 Principles
- First published in 1996
- Preceded by OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Two main categories of principles:
- How the organization should collect, use, disclose and protect personal information
- The individual’s right to access the information and correct it if necessary
What are the 10 CSA Principles?
- accountability
- identifying purpose
- consent
- limiting collection
- limiting use, disclosure and retention
- accuracy
- safeguards
- openness
- individual access
- challenging compliance
- See descriptions in lecture 3*
What is PIPEDA?
- Jan 1, 2001 - Jan 1, 2004
- Covers: individual rights under the act and responsibilities of businesses/organizations
- provinces were required to have substantially similar legislation otherwise PIPEDA would apply
- includes 10 CSA Principles
What are jurisdictional variations?
- jurisdictions adopted similar legislation for health information (QC, ON, AB, BC)
- Jurisdictions adopt legislation according to what they hold inviolate
- jurisdictional legislation governs our day to day activity
PHIPA
- Based on CSA principles with specific requirements for Ontario
- came into effect November 2004
Scope of PHIPA
- Health information custodians that collect, use and disclose PHI
- non-health information custodians where they receive PHI from a HIC
Strengths of PHIPA
- implied consent for sharing of PHI within circle of care
- Creation of health data institute to address criticism of ‘directed disclosures’
- Open regulation-making process to bring public scrutiny to future regulations
- Adequate powers of investigation to ensure that complaints are properly reviewed
General record management processes (musts)
- take reasonable steps to ensure accuracy
- maintain security of PHI
- have contact with a person who can ensure compliance with the Act and respond to access/correction requests and inquiries and complaints from the public
- have information practices in place that comply with the act
- make available a written statement of information practices
- be responsible for actions of agents
Concept of PHIPA ‘consent’
- required for collection, use and disclosure of PHIPA
- Must be the consent of the individual, knowledgeable, relate to the information, not be obtained through deception
- expressed or implied
What is implied consent?
- custodians can imply consent when disclosing PHI to other custodians for the purpose of providing health care for the individual
- exception is when the individual withdraws consent (lock box concept)
PHIPA Right of Access and Correction
- expands and codifies the common law right of access
- rights to access all records of PHI in custody of a HIC
- right to correct records
3 options to correct records
- Strike Out: strike out the information in a manner that does not obliterate it
- Label: label the information as incorrect and sever it from the record, maintaining a link to it
- Inform Persons: inform persons accessing the record that the information cannot be corrected and where to find the correct information
What is a statement of disagreement?
- if the correction is refused the individual is entitled to attach a statement of disagreement
- custodian must make reasonable effort to notify everyone that correction was made
CHIMA Position Statement
- access and disclosure of personal health information
- provides overview of collection, use and disclosure of health information and the professionals who carry this out
- provides practical commentary on how to implement the CSA 10 principles
General Practices for privacy control
- security, monitoring and auditing of access
- privacy impact assessments
- privacy audits
- information sharing agreements
Practical tips from the IPC
- don’t discuss confidential information in public areas
- Don’t leave PHI where it can be viewed by the public
- don’t leave computer terminals with PHI readily visible (log off before leaving terminal)
- Access only the information required
- Don’t reveal confidential information to others unless they need to know
- Wear your ID badge at all times
- Keep your password to yourself
- Shred papers that contain PHI when no longer in use