AOHC Privacy Meeting
Jan. 30th, 2013

Security Roles
AOHC Standard User Roles
• Nightingale has worked with AOHC to create a list of standard user roles (Administrator; Super User; Ordering; Non-Ordering).
• Nightingale creates these initial user roles and assigns them to each active provider based on the Needs Analysis completed by each centre.
• Administrators at each centre are trained on how to create additional user roles, alter existing user roles, and assign them to users accordingly.
• Enterprises with multiple locations can grant a user access to the multiple locations with varying user roles, as well as restrict access to the multiple locations.

User Role

Client Consent
Client consent can be recorded as a CPP medical alert
• Information is visible on first opening the client’s chart.
• Always available in the chart header.
• Updates to the medical alerts are tracked in the audit log: who updated, when, and what the update was.

Client Consent
• Medical alerts can also be updated by moving the current alert to past history and creating a new CPP Alert.
• Moving previous versions of the consent to past history will keep a historical record of the changes to consent.
• Both options are tracked in the client’s security audit log.

Consent audit log

OLIS Consent
• Clients are able to block their data, remove consent, or require consent from a provider to access their data through OLIS.
• Clients can remove consent at the test result level or report level.
• Providers will be identified on the lab reports; if the requesting provider is not the ordering, attending, admitting or copy-to provider, then they will not see the result unless the client gives consent.
Providers can send a consent override by selecting the Consent Override check box and choosing whether consent was from the patient or a substitute decision maker. This activity is tracked in the OLIS Query Audit Log.

OLIS Consent
OLIS Report Blocked
Before Consent Override
After Consent Override

OLIS Lab Result Blocked
Before Consent Override
After Consent Override

OLIS Query Activity Log
OLIS activity log within NOD can be searched by provider, user, or type of query.

System Audit Log
Access User/Client audit logs
• Administrators are given the access rights to run audit logs.
• User audit log
• Client audit log

System Audit Log
Print/fax Log
• Printing Rx, Labs and Referral letters shows in the audit log as additions to the client’s chart.
• Data Extract: when you run a data export from NOD, the user and the date the export took place are tracked in the audit log.

Release of Information
Tracking the release of information
Written Consent is scanned into the client’s chart.
Verbal Consent
• Note verbal consent on a referral letter within the Consultant Notes of the letter template.

Lock Box
CHC Enterprise
Each CHC is set up as its own NOD Enterprise and does not have access to other NOD Enterprises. Each Enterprise has access to the charts within its Enterprise only.

Masking a client record
Users who have the user rights to mask data can access the record locking feature. Individual sections of the client’s chart can be locked.

Lock Box
Users can mask the data element from all users except self; mask from specific user roles; or individual users.

Lock Box cont
Only users with the ability to unmask can unmask data. When unmasking data, it is required to enter the length of time to unmask and a reason. Masking and unmasking is tracked in the client’s audit log or a user audit log.

Masking cont
Masking and BIRT
If data is masked from any user within the CHC Enterprise, that data will not be sent to BIRT.

Updating Client Data
Client requests an update to their chart
Addendums can be added to a clinical note. Deleting data from a client’s chart requires a reason for deletion. All tracked in the audit log.
Communication between a Centre and a client can be logged with the phone icon.

System Security
Each user has the ability to set their NOD Dashboard settings to automatically log off after so many minutes.
Clinical lists created per provider are managed per provider; if one provider updates their list, this does not affect the other providers.

Privacy/Security Incident Management

Question and Answer