Lecture 3 Flashcards

Midterm 1

1
Q

What is the difference between paper and electronic health records?

A
  • Traditional collection of PHI was in paper format which was easy to maintain since the record could only be in one place at a time
  • There has been a movement to electronic health records
2
Q

Benefits of EHR

A
  • Greater facilitation of PHI transmission
  • Can be viewed simultaneously by many
  • Tighter security possible
  • Easier data collection and transmission for research
3
Q

Drawbacks of EHR

A
  • Loss of control of where the PHI goes
  • Easy and unauthorized access
  • Loss of control over how one's health info is used
4
Q

How have EHR concerns been addressed?

A
  • Government put legislation in place to protect PHI
  • Collection and dissemination of PHI was already guarded under previous legislation
  • Legislation was updated under context of EHR
5
Q

What is privacy?

A

the ability of an individual to control their own personal information

6
Q

What is security?

A

electronic and physical measures put in place to protect personal information

7
Q

What is confidentiality?

A

the responsibility of an individual privy to personal information to not disclose

8
Q

Mechanisms to protect privacy, security and confidentiality

A

Privacy: Signed consents for release
Security: Locked rooms and doors (paper), username and password (electronic)
Confidentiality: Organizational policies

9
Q

Federal policies governing PHI

A
  • CSA 10 principles
  • PIPEDA
  • Provide a foundation and framework for legislation and policies governing PHI in Canada
  • Documents are not specific to PHI
10
Q

CSA 10 Principles

A

  • First published in 1996
  • Preceded by OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Two main categories of principles:
  • How the organization should collect, use, disclose and protect personal information
  • The individual’s right to access the information and correct it if necessary

11
Q

What are the 10 CSA Principles?

A
  • accountability
  • identifying purpose
  • consent
  • limiting collection
  • limiting use, disclosure and retention
  • accuracy
  • safeguards
  • openness
  • individual access
  • challenging compliance
  • See descriptions in lecture 3*
12
Q

What is PIPEDA?

A
  • Jan 1, 2001 - Jan 1, 2004
  • Covers: individual rights under the act and responsibilities of businesses/organizations
  • provinces were required to have substantially similar legislation otherwise PIPEDA would apply
  • includes 10 CSA Principles
13
Q

What are jurisdictional variations?

A
  • jurisdictions adopted similar legislation for health information (QC, ON, AB, BC)
  • Jurisdictions adopt legislation according to what they hold inviolate
  • jurisdictional legislation governs our day to day activity
14
Q

PHIPA

A
  • Based on CSA principles with specific requirements for Ontario
  • came into effect November 2004
15
Q

Scope of PHIPA

A
  • Health information custodians that collect, use and disclose PHI
  • non-health information custodians where they receive PHI from a HIC
16
Q

Strengths of PHIPA

A
  • implied consent for sharing of PHI within circle of care
  • Creation of health data institute to address criticism of ‘directed disclosures’
  • Open regulation-making process to bring public scrutiny to future regulations
  • Adequate powers of investigation to ensure that complaints are properly reviewed
17
Q

General record management processes (musts)

A
  • take reasonable steps to ensure accuracy
  • maintain security of PHI
  • have contact with a person who can ensure compliance with the Act and respond to access/correction requests and inquiries and complaints from the public
  • have information practices in place that comply with the act
  • make available a written statement of information practices
  • be responsible for actions of agents
18
Q

Concept of PHIPA ‘consent’

A
  • required for collection, use and disclosure of PHIPA
  • Must be the consent of the individual, knowledgeable, relate to the information, not be obtained through deception
  • expressed or implied
19
Q

What is implied consent?

A
  • custodians can imply consent when disclosing PHI to other custodians for the purpose of providing health care for the individual
  • exception is when the individual withdraws consent (lock box concept)
20
Q

PHIPA Right of Access and Correction

A
  • expands and codifies the common law right of access
  • rights to access all records of PHI in custody of a HIC
  • right to correct records
21
Q

3 options to correct records

A
  1. Strike Out: Information in a manner that does not obliterate it
  2. Label: Information as incorrect and sever it from the record, maintaining a link to it
  3. Inform Persons: Accessing the record of information cannot be corrected and where to find the correct information
22
Q

What is a statement of disagreement?

A
  • if the correction is refused the individual is entitled to attach a statement of disagreement
  • custodian must make reasonable effort to notify everyone that correction was made
23
Q

CHIMA Position Statement

A
  • access and disclosure of personal health information
  • provides overview of collection, use and disclosure of health information and the professionals who carry this out
  • provides practical commentary on how to implement the CSA 10 principles
24
Q

General Practices for privacy control

A
  • security, monitoring and auditing of access
  • privacy impact assessments
  • privacy audits
  • information sharing agreements
25
Q

Practical tips from the IPC

A
  • don’t discuss confidential information in public areas
  • Don’t leave PHI where it can be viewed by the public
  • don’t leave computer terminals with PHI readily visible (log off before leaving terminal)
  • Access only the information required
  • Don’t reveal confidential information to others unless they need to know
  • Wear your ID badge at all times
  • Keep your password to yourself
  • Shred papers that contain PHI when no longer in use