
Privacy and Confidentiality: Understanding Important Definitions and Safeguards
Explore the crucial concepts of privacy and confidentiality in the realm of personal health information, including definitions, safeguards, breach management, and more. Learn about protecting privacy and preventing incidents in this insightful presentation.
Presentation Transcript
PRIVACY AND YOU
Presented by: Crystal Llewellyn & Sherri Maye, Access to Information & Privacy Analysts
Goals of this presentation
Review important privacy basics
Review what you can do in your role to protect privacy
Provide information about what to do when things go wrong
Review some ways to help prevent privacy incidents from occurring
Presentation outline
Privacy & Confidentiality
Important Definitions
Health Information Act, a brief overview
Safeguards: what can you do to protect privacy?
Need to know vs. circle of care
Breach Management
Common breach scenarios and how to prevent them
The importance of PSMS documentation
Privacy & Confidentiality
Confidentiality: the obligation of one person to preserve the secrecy of another's personal information.
Privacy: a person's right to be free from intrusion; a person's right to control when, how and to what extent information about them is communicated to others.
Important Definitions
Personal Health Information (PHI): as defined in the Health Information Act, identifying information about an individual in oral or recorded form that includes, but is not limited to, information related to:
the individual's physical or mental health, family history or genetic information;
the provision of health care to the individual;
a drug, device or product provided to the individual by prescription or other authorization of a health care provider;
payments or eligibility for health care;
donation of any body part or bodily substance; or
the identity of the individual's substitute decision maker or health care provider.
Definitions continued
Collection: gathering, acquiring, receiving or obtaining personal health information by any means from any source (written, verbal, photograph, video, etc.).
Use: handling, accessing or dealing with PHI, or applying the PHI for a purpose; this includes reproducing PHI but not disclosing it.
Disclosure: making PHI available or releasing it to another custodian or another person.
Health Information Act (HIA)
The HIA is important legislation for PEI
Came into force July 1, 2017
Outlines rules regarding personal health information (PHI)
Framed on 10 privacy principles
Applies to public and private health care providers in PEI (all are considered custodians)
Health PEI is a custodian of the information gathered
More information about the HIA can be accessed through the Staff Resource Centre
CSA Model Code for the Protection of Personal Information
10 Privacy Principles:
1. Accountability
2. Identify Purpose
3. Consent
4. Limit Collection
5. Limit Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Accountability
Privacy Officer for HPEI
Directors/Managers/Supervisors are responsible for:
implementing privacy policy and practices
ensuring privacy awareness/education for staff
All Staff are responsible for protecting PHI in their custody or control.
Identifying Purpose
Purposes for collection, use and disclosure of PHI by HPEI:
provision of care
planning and management of health system
other authorized purposes
Consent
Consent for collection, use and/or disclosure of PHI may be required, BUT can be implied.
Implied consent (assumption) can be relied on for collection, use, or disclosure of personal health information for the purposes of care, in most circumstances. The custodian must make its privacy practices available.
Express consent (active ask) is required for:
disclosure of personal health information to someone other than a health care provider, or
disclosure of personal health information for a non-health related purpose
at the discretion of a program or service (optional)
Substitute decision makers can consent on behalf of others, as outlined in the HIA.
People have the right to refuse or withdraw consent, but there are potential impacts.
Limiting Collection, Use & Disclosure of Personal Health Information
For a purpose authorized by legislation: Health PEI care and treatment, managing the health system, etc.
Only collect, use or disclose what is necessary to serve the purpose (minimum amount of information).
Direct collection where possible (from the patient).
Follow the "Need to know" principle vs. "Circle of Care".
Use role-based access within electronic systems.
Need-to-know vs the circle-of-care
The HIA follows a Need to Know principle for collection, access, use and disclosure of PHI.
A common misconception: being part of a patient/client/resident's circle of care at some point in time means permitted access to that person's information at any time and for any reason. This is not the case and in fact is not permitted by legislation.
We need to transition our Health PEI way of thinking to follow the need to know as per the HIA. What this means is that we always need to operate by considering the minimum amount of information that will serve the purpose: only accessing the information that is required to provide care in that moment, only disclosing the information that is required or permitted to serve the purpose, and only collecting the information that is relevant to the purpose for which you are collecting it.
Use professional judgment and do a case-by-case assessment to determine what information is necessary in each scenario. If you are initiating the use/disclosure you are accountable for ensuring the appropriate level of PHI is accessed or shared. Just because the PHI is requested does not always mean that amount of PHI is needed!
The following may be helpful considerations when deciding if you "need to know":
Do I need to know this info for the purposes of my role on the client's care team?
What is the trigger or reason for my need to know?
Will I be taking action or making a recommendation or decision as a result of accessing this info?
Current Event: Snooping/Unapproved Chart Access
What is "Snooping"?
"I saw my neighbor at the Emergency Department last night, is it ok if I look at his chart to make sure he is alright?"
"What do you mean by Health PEI's auditing program?"
Accuracy
HPEI must take reasonable steps to ensure accuracy of PHI.
People have a right to request correction of PHI if they believe there is inaccurate information on their chart.
Safeguards
Technical, physical and administrative measures to protect PHI.
What are some safeguards that HPEI has in place?
Legislation: Health Information Act and others
Policies: Privacy and the Protection of Personal Health Information Policy; Access, Disclosure & Correction of PHI Protocol; PIA Protocol; Breach Management Protocol
Codes of conduct, professional ethics
Education and agreements: orientation for new staff, oath of confidentiality, training sessions
Unique passwords/usernames
Role-based access
Locked cabinets/doors
Swipe card access
Automatic time out on computer terminals
Safeguards cont'd
What are some safeguards that you would use on a daily basis?
In an office or clinic setting?
When transporting information?
When working from home?
When releasing information?
When charting/keeping records?
Being mindful of conversations/info sharing/posts/etc.
Current Events: Social Media Use
Scenario 1: "I posted on my social media account about my 35 yr. old patient with ALS who drove an hour for his appointment yesterday, telling me how appreciative he and his family are for the care he is receiving. I didn't include his name though, so that is ok, right?"
Scenario 2: "The social media site I use deletes the info after 24 hours, so it is safer to use, right?"
Scenario 3: "I saw a picture posted on social media by a friend/colleague that shows patient information, what should I do?"
Follow up: Social Media Use
Increases risk of unauthorized disclosure
Increases the likelihood & impact
Re-identification risks
Nothing online is private
Nothing online goes away
HPEI Policies: Privacy and Protection of Personal Health Information; Social Media Policy; Use of Personal Cell Phones; Emailing/Texting policies
Openness
Privacy and Your Personal Health Information webpage
Posters, brochures, privacy statements
Staff should be able to explain the general purpose for collection, use and disclosure of PHI
Individual Access
Right of access to PHI
Refusal of access
Process to request: Access, Disclosure & Correction of PHI protocol
Challenging Compliance
Following up on privacy-related complaints
Information & Privacy Commissioner role
Breach Management
What do I do when a breach occurs?
1. Containment and preliminary assessment
Prevent further breach (contain it)
Gather initial details of what happened
Record incident in PSMS
2. Notification and reporting
In consultation with Privacy Officer, ATIP team and Quality/Risk Coordinator, disclosure to affected individual(s) and notification to Commissioner are required, unless there is no adverse impact on provision of care to, or well-being (mental, physical, economic or social) of, the affected individual(s).
HPEI CEO (in consult with Privacy Officer & ATIP team) notifies Commissioner.
3. Investigation (Manager responsible, Privacy Officer and others as appropriate)
Gather further information from varied sources
Conduct auditing, if applicable
Confirm facts of the breach and identify factors, failed safeguards, intentional vs. accidental, etc.
4. Remediation and prevention
Do we need new or enhanced safeguards? (Technical, physical and administrative measures to protect PHI)
Is discipline required? If applicable, HR leads this process.
Share findings with affected individual(s) and Commissioner (HPEI CEO via Privacy Officer/ATIP team).
Prevention of breaches and having privacy by design in our programs/projects is key; be proactive before a breach occurs! What can we learn from this?
Current Events: Working in Multiple Roles/Locations
Scenario: "I work as a Med Admin at a Physician's office in the community, so I have assisted Jane Doe in accessing care with a HCP and have become aware of her test results and diagnoses. I also work as a casual Admitting Clerk at the emergency dept. at the local hospital. Would it be appropriate for me to disclose what I know about Jane Doe to the other staff working at the ED?"
How to reduce the risk of unauthorized access & unauthorized disclosure:
Always follow the need to know principle
Be mindful of over sharing PHI from one location in another work setting
Ask yourself: is it appropriate, and do I have the authority to do so?
Be mindful of disclosing information with other patients, even if unintentional
Common Breach Scenarios & Ways to Prevent them
Faxing, emailing, printing to unintended recipient: always double check who will be receiving the info!
Charts being left open/accessible, paper or electronic: who can hear/see private information?
Laptops or devices being lost or stolen: use proper safeguards
Conversations being overheard: clinics, waiting rooms, exam rooms, outside of clinical environment
Release of information: redacting info when appropriate, ensuring correct recipient and correct records given
Keeping accurate records: double check for correct address, phone number, email address every time!
Being mindful of conversations/info sharing/posts/etc.: should I be saying/sharing/posting this info? Is it mine to share? Is there a need to know for the purposes of care?
Provincial Safety Management System (PSMS) Documentation
Why is it important?
Documentation is the proof that supports the action: it shows that steps were taken to prevent, contain, remediate and follow up on complaints, breaches, incidents, etc.
PSMS reports allow us to compile documentation in one place. We can use it to learn from errors and to try to prevent future errors of a similar nature from occurring. We can share knowledge and ensure that we have completed all the necessary steps!
Key Messages for Staff
The definition of PHI
PHI belongs to the individual
Privacy is an individual's legal right to control their PHI
Follow the Need-to-know rule
Collect, Use and Disclose the minimum amount of PHI
Report breaches (suspected and potential) in PSMS
Ensure you have consent for collection, use or disclosure of PHI as required
Protect PHI in your care
Documentation is important!
Know where to get more information and support related to privacy and information access
FOR QUESTIONS OR FEEDBACK REGARDING THIS PRESENTATION, PLEASE CONTACT US AT HEALTHPRIVACY@IHIS.ORG OR 902-569-7734
Thank you!