Privacy & Confidentiality 2021
Privacy & Confidentiality
“Privacy” is the fundamental right to control information about ourselves (including the collection, use and disclosure of, and access to, that information).
“Confidentiality” is an obligation to protect personal health information, to maintain its secrecy, and not to misuse or wrongfully disclose it.
Personal Health Information Act (PHIA)
• “Need to Know” and “Minimum Amount”
• Governs PHI collection, use, disclosure, retention and destruction in health care
• Balances two objectives: patients' privacy rights and the information needs of custodians to provide, support and manage health care
• Provides a set of rules for “custodians” and their “agents”
Personal Health Information (PHI)
Any identifying (directly or indirectly) information about an individual (recorded or unrecorded) if the information relates to:
• Physical or mental health, including health history
• Application, assessment, eligibility and provision of health care, and identification of the health care provider
• Payments or eligibility for health care
• Donation of any body part or bodily substance, or the testing or examination of it
• Registration information, including health-card number
• Identification of an individual's substitute decision-maker
(NS PHIA)
Disclosing PHI
Disclosures Requiring Express Consent:
• To a 3rd party (lawyer, insurance company, police)
• Except for location and general condition to family and friends (ok without consent unless the patient objects, as long as the patient has capacity)
• Research
Disclosures Requiring Implied Knowledgeable Consent:
• To another healthcare provider who is also caring for the patient
• To other healthcare professionals caring for the patient
• To a SDM when the patient lacks capacity
Disclosures Where No Consent is Required:
• When there is a warrant or subpoena
• Mandatory reporting
• Research where an REB waiver of consent is obtained
Photography and Patients – What does CMPA Say?
Patients' photographs or videos should be treated as their personal health information. This is especially so if these depict sensitive or private parts of the body or include items that could identify the patient, such as a birthmark, a ring, the face, or a unique anatomical feature. A patient's implied consent is sufficient when you are collecting, using or disclosing an individual's personal health information to provide health care within the circle of care, for example to monitor disease, for surveillance of nevi, etc. However, a patient's express consent must generally be obtained when you share his or her personal information for purposes other than providing health care… Given the recent strengthening of Canadian privacy legislation, it would be wise to obtain the patient's express consent at the time the photographs or videos are shot.
What should be included in the informed consent discussion for the use of photographs and video for educational purposes?
• the reasons for taking the photographs or video
• what will be photographed or recorded, for example, what anatomy or aspect of the disease
• whether the patient will be identifiable
• the possible purposes or applications
• who may be authorized to access the photographs or video, and in what context
• the patient's right to refuse, withdraw, or modify consent
Patients should not feel pressured and the discussion should be documented in the patient's medical record.
https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2011/using-clinical-photography-and-video-for-educational-purposes
Knowledgeable Implied Consent
Knowledgeable Implied Consent is established by sharing our Information Practices with our clients. When collecting, using, or disclosing information based on Knowledgeable Implied Consent, make sure that you place yourself in the position of the patient and ask: Would this person reasonably expect to have that information collected, used, or disclosed in that manner under those circumstances?
PHIA – Safeguards
• NSHA is the Custodian of all patient data that is generated from patient care at NSHA facilities.
• As custodian, NSHA is ultimately accountable to the patient for safeguarding information from breach.
PHIA – Safeguards
Safeguards are in place to protect personal health information from:
• Theft or loss
• Unauthorized access to, or use, disclosure, copying or modification of, the information
PHIA Safeguards – Paper PHI
• Paper-based PHI should only leave the premises in locked bags.
• Be careful with patient lists and notes; we have had numerous breaches of lists found on the street or in the cafeteria.
• Ensure that paper PHI is disposed of properly in locked shred bins.
PHIA Safeguards – Electronics
• Do not use a personal device to capture PHI.
• If you have an NSHA-issued personal device and it is lost or stolen, notify the help desk so it may be remotely wiped.
• Devices must remain in a secure location when off premises.
• Patient consent is required for photos or videos; this must be documented express consent.
• Photographs and videos are considered PHI under PHIA if taken for patient care purposes; other photos or videos taken as an agent of NSHA (or other public body) may be considered subject to release under FOIPOP.
PHIA Safeguards – E-mail
• Personal e-mail should never be used to communicate about patients. Always use your nshealth e-mail address.
• If sending to an e-mail address outside of the nshealth network, you must use the secure e-mail system, SEND.
• PHI must not be included in the subject line.
• Communicate the minimum amount of information needed.
• Immediately delete e-mails containing PHI from the mailbox when the information is no longer required and once the e-mail has been stored in the legal health record.
What does CMPA Say about e-communication?
Communication via email and messaging
Despite their pervasiveness and convenience, email and texting are often the least secure communication tools… The risks of interception or errors in sending email, texts, or instant messages can be significant. For these reasons, some privacy commissioners have indicated that using unencrypted email and texting with personal health information should be avoided… Despite any disclaimer physicians may include in the message, they remain responsible for protecting patient health information and preventing unauthorized access. Privacy legislation generally requires that custodians adopt safeguards to protect the personal health information under their control… Physicians considering using unsecured or unencrypted email or messaging should do so only for information that does not include identifiable personal health information.
https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2013/using-electronic-communications-protecting-privacy
Don’t Get Reeled in by Phishing Scams
9 Signs of a Phishing Scam
1. Generic salutation
2. Spelling & grammar errors
3. Asks you to click a link to reset your password
4. Requests personal information
5. High urgency or threats
6. Fake addresses or web links
7. Asks you to enter account information
8. Lacks contact information
9. Rewards that seem too good to be true
If you suspect a phishing scam, do not click on any links or open attachments. Forward the email immediately to reportphishing@nshealth.ca and delete the email.
PHIA – Patient Rights
• Provides a right of access to a patient’s PHI, or to get copies of it
• PHIA confers a right for the patient to request a correction of their record if the patient believes their record is not accurate, complete or up to date
• PHIA allows for a request of a “Record of User Activity” – a list of people who have looked at the patient’s health information on an electronic system
• PHIA allows patients to revoke consent (even implied) for the collection, use, or disclosure of their PHI. Revocations cannot be retroactive.
Auditing of Electronic Systems
Records of User Activity
• A RUA is a record of who accessed an individual's PHI, or of all access over a period of time.
• Audits show the date and time of access, who accessed the record, and what was accessed.
Fairwarning Auditing
• May be requested by a manager, or run as a regular random report sent to the Privacy Officer
• Follow-up is done by Privacy and Leadership when an audit shows questionable access
Self Look-Up – Why an Issue?
• Breach of NSHA policies and procedures
• Not a need to know for their role
• Clinicians are not supposed to treat themselves (Fundamental Responsibilities #20, CMA Code of Ethics)
• Staff/physicians need to follow the same process as everyone else in the province
• Not an appropriate use of organization resources
• When investigated, many who looked up their own records had also inappropriately accessed records of other individuals (family, co-workers, acquaintances)
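As an added illustration (not part of the deck or of any NSHA tool), this is how the audit described above can be screened automatically: constructed RUA rows are checked for self look-ups, declared relations, and access with no care-team assignment. The record layout, identifiers and reference tables are all assumptions.

```python
# Added example: screening a Record of User Activity (RUA) export for
# self look-ups and for access with no documented care relationship.
# Record layout, field names and all sample rows are constructed.
from collections import namedtuple

Access = namedtuple("Access", "ts user_id patient_mrn action")

# Constructed RUA export: who accessed which chart, when, and what they did.
RUA = [
    Access("2021-03-02 08:14", "u1001", "MRN-555", "view_chart"),
    Access("2021-03-02 08:20", "u1001", "MRN-777", "view_labs"),
    Access("2021-03-02 12:03", "u2002", "MRN-202", "view_chart"),  # own record
    Access("2021-03-02 12:05", "u2002", "MRN-909", "view_notes"),
    Access("2021-03-03 09:40", "u3003", "MRN-555", "view_chart"),
]

# Constructed reference data: each staff member's own MRN (HR link) and the
# patients currently assigned to them. A real run would pull these from HR
# and the admission/care-team systems rather than hard-code them.
STAFF_MRN = {"u1001": "MRN-101", "u2002": "MRN-202", "u3003": "MRN-303"}
CARE_TEAM = {"u1001": {"MRN-555", "MRN-777"}, "u2002": set(), "u3003": {"MRN-555"}}
# Constructed list of declared relationships (e.g. family) staff may not look up.
DECLARED_RELATIONS = {"u2002": {"MRN-909"}}

def classify(rec):
    """Return the reasons (possibly none) this access needs Privacy follow-up."""
    reasons = []
    if STAFF_MRN.get(rec.user_id) == rec.patient_mrn:
        reasons.append("self look-up")
    if rec.patient_mrn in DECLARED_RELATIONS.get(rec.user_id, set()):
        reasons.append("declared relation")
    if rec.patient_mrn not in CARE_TEAM.get(rec.user_id, set()):
        reasons.append("no care relationship")
    return reasons

def screen(records):
    """Findings keyed by (user, patient): the random-audit report in miniature."""
    findings = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            findings[(rec.user_id, rec.patient_mrn)] = (rec.ts, reasons)
    return findings

if __name__ == "__main__":
    for (user, mrn), (ts, why) in sorted(screen(RUA).items()):
        print(f"{ts} {user} -> {mrn}: {', '.join(why)}")
```

Only u2002's two accesses are flagged; u1001 and u3003 viewed patients assigned to them.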
What Access is Authorized?
• Having access to, using, or disclosing the minimal amount of information that you need to know to perform your role.
What is unauthorized?
• Accessing information, or more information, than you need to know to perform your role
• Accessing information that is not permitted by legislation or policies & procedures, e.g. self or family look-ups
• Sharing your sign-on information with others in order to access the medical record, or using someone else’s sign-on
• Asking someone to look up patient information if it is not part of their role
When can I look up a record?
• The only time it is appropriate is if you are caring for that patient and the information is required for that episode of care.
• As part of a research study, following the approved e-health process (i.e. through a study queue)
• Approved (or requested) safety or quality reviews
• As needed for educational purposes
• ALWAYS access only the minimum amount of information required for the task at hand.
What does CMPA say about Privacy and E-Health Records?
Patients whose privacy has been compromised may suffer discrimination, stigmatization, and economic or psychological harm… Additional stress is particularly detrimental to patients who are already vulnerable due to health problems… Most importantly, patients whose privacy is breached might lose trust or confidence in the health system. A survey of Canadian patients confirms that privacy concerns may influence how and when they connect with the health system. Patients concerned about privacy may refrain from seeking tests or treatment, engage in multiple doctoring, or withhold or falsify information, all of which have serious implications for those attempting to treat or provide care. Since doctors are expected to reasonably protect patient health information, privacy breaches may also have negative consequences for physicians. These can include patient complaints to a privacy commissioner, medical regulatory authority (College) investigations, possible sanctions by both, as well as lawsuits.
https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2013/managing-access-to-electronic-health-records
Privacy Breaches
Privacy Breach – an incident where PHI entrusted to you or the organization is lost, stolen, or subject to unauthorized access, use, disclosure, copying, or modification.
All breaches must be reported in the SIMS system or to Privacy for investigation.
Breaches can be non-intentional or intentional.
Non-intentional Breaches
• Misdirected faxes, e-mails and mail
• Mislabelling documents
• Losing a list or notes from rounds
• Sending text messages or taking photos containing PHI without the consent of the patient
• Leaving documents around or visible to the public
• Losing an electronic device containing PHI
• Conversations about patients in public places, hallways, or in rooms without closing the door
Intentional Breaches
• Social media postings about patients
• Accessing records of friends, co-workers or family if you are not treating them (with or without their permission)
• Sharing your login name or password, or using someone else’s password
• Asking someone to look up information when it is not part of their job
• Identity theft or fraud, or using PHI for personal gain
Resources
CMPA Electronic Records Handbook: https://www.cmpa-acpm.ca/static-assets/pdf/advice-and-publications/handbooks/com_electronic_records_handbook-e.pdf
CMPA Article Regarding Accessing E-Health Records: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2013/managing-access-to-electronic-health-records
CMPA Article Regarding Photos and Videos: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2011/using-clinical-photography-and-video-for-educational-purposes
CMPA Article Regarding Privacy and e-Communications: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2013/using-electronic-communications-protecting-privacy
Your Central Zone Contacts
Angela Currie – Central Zone Privacy Officer, (902) 464-3150, Angela.Currie@nshealth.ca
Karen Hornberger – Provincial Director of Privacy, (902) 473-2674, Karen.hornberger@nshealth.ca
Or e-mail Privacy@nshealth.ca