Privacy_Meeting_Slides_Jan.30-2013

AOHC Privacy Meeting
Jan. 30th, 2013
Security Roles
▪ AOHC Standard User Roles
• Nightingale has worked with AOHC to create a list of standard user roles (Administrator; Super User; Ordering; Non-Ordering).
• Nightingale creates these initial user roles and assigns them to each active provider based on the Needs Analysis completed by each centre.
• Administrators at each centre are trained to create additional user roles, alter existing user roles, and assign them to users accordingly.
• Enterprises with multiple locations can grant a user access to the multiple locations with varying user roles, as well as restrict access to those locations.
User Role
Client Consent
Client consent can be recorded as a CPP medical alert
• Information is visible on first opening the client’s chart.
• Always available in the chart header.
• Updates to the medical alerts are tracked in the audit log: who made the update, when, and what the update was.
Client Consent
• Medical alerts can also be updated by moving the current alert to past history and creating a new CPP Alert.
• Moving previous versions of the consent to past history will keep a historical record of the changes to consent.
• Both options are tracked in the client’s security audit log.
Consent audit log
OLIS Consent
OLIS consent
• Clients are able to block their data, remove consent, or require consent from a provider to access their data through OLIS.
• Clients can remove consent at the test result level or report level.
• Providers will be identified on the lab reports. If the requesting provider is not the ordering, attending, admitting or copy-to provider, they will not see the result unless the client gives consent.
• Providers can send a consent override by selecting the Consent Override check box and choosing whether consent was from the patient or a substitute decision maker. This activity is tracked in the OLIS Query Audit Log.
OLIS Consent
OLIS Report Blocked
▪ Before Consent Override
▪ After Consent Override
OLIS Lab Result Blocked
▪ Before Consent Override
▪ After Consent Override
OLIS Query Activity Log
OLIS activity log within NOD can be searched by provider, user,
or type of query.
System Audit Log
Access
▪ User/Client audit logs
• Administrators are given the access rights to run audit logs
• User audit log
• Client audit log
System Audit Log
Print/fax Log
• Printing of Rx, Labs and Referral letters shows in the audit log as additions to the client’s chart.
Data Extract
▪ When you run a data export from NOD, the user and the date the export took place are tracked in the audit log.
Release of Information
Tracking the release of information
▪ Written Consent is scanned into the client’s chart
▪ Verbal Consent
• Note verbal consent on a referral letter within the Consultant Notes of the letter template.
Lock Box
CHC Enterprise
Each CHC is set up as their own NOD Enterprise and does not have
access to other NOD Enterprises. Each Enterprise has access to the
charts within their Enterprise only.
Masking a client record
▪ Users who have the user rights to mask data can access the record locking feature.
▪ Individual sections of the client’s chart can be locked.
Lock Box
Users can mask the data element from all users except themselves, from specific user roles, or from individual users.
Lock Box cont
▪ Only users with the ability to unmask can unmask data.
▪ When unmasking data, the user is required to enter the length of time to unmask and a reason.
▪ Masking and unmasking are tracked in the client’s audit log or a user audit log.
Masking cont
Masking and BIRT
▪ If data is masked from any user within the CHC Enterprise, that data will not be sent to BIRT.
Updating Client Data
Client requests an update to their chart
▪ Addendums can be added to a clinical note.
▪ Deleting data from a client’s chart requires a reason for deletion. This is all tracked in the audit log.
▪ Communication between a Centre and a client can be logged with the phone icon.
System Security
▪ Each user has the ability to set their NOD Dashboard settings to automatically log off after a set number of minutes.
▪ Clinical lists created per provider are managed per provider; if one provider updates their list, this does not affect the other providers.
Privacy/Security Incident Management
Question and Answer