Brave New World: Understanding and Managing Privacy Programs in an E-Health World

e-Health Conference 2013: Accelerating Change
May 28, 2013, 11.30 a.m.
Presented by: Robin Gould-Soil, CPO, University Health Network

Presenter Disclosure

Presenter: Robin Gould-Soil, CPO, University Health Network
Relationships with commercial interests:
• Nothing to disclose

2 | Confidential—not for public distribution

ConnectingGTA is delivering a regional electronic health record that will make patient information available at the point-of-care to improve the patient and clinician experience

• 6 Local Health Integration Networks
• 750+ Health Care Organizations
• 6,267 Family Physicians
• 6,930 Physician Specialists
• 49,905 Nurses

All sectors of care:
• Acute Care
• Community Support Services
• Complex Continuing Care
• Long Term Care
• Mental Health & Addictions
• Primary Care
• Rehabilitation

ConnectingGTA is providing three foundational components to support Ontario’s eHealth Blueprint

The three components:
• IDENTIFY & COLLECT information (CDR)
• Provide ACCESS to information (e.g. Provider Portal)
• Provide ability to EXCHANGE information (HIAL)

Supporting points on the slide:
• Information to be shared seamlessly & securely
• Clinicians with point of care access
• Robust, scalable & reusable platform
• Infrastructure & services that can support or be leveraged
• Increase collaboration among clinicians & organizations
• Respect standards in terms of privacy, stewardship of information, security

How does privacy support the delivery of an EHR?

A privacy program should:
• Assure individuals that organizations manage personal health information in a manner that is consistent with their public commitments and legislative responsibilities
• Help support the clinician workflow and improve the patient experience
• Identify weaknesses in information management practices
• Support existing best practices
• Help mitigate privacy risks to an organization
• Further demonstrate due diligence

Privacy Considerations and Risks of an EHR

Considerations and risks:
• Allow for the collection, use and disclosure of large amounts of health information from diverse sources
• Increases the risk of health care providers using or disclosing health information for unauthorized purposes
• Health care providers do not have sole custody or control of health information in a shared system
• May attract hackers and others with malicious intent
• Easier to remove health information from a secure location and to transfer it to an unsecure device
• Health care providers have different processes for implementing patient consent models

Approach for Developing Policies

• Make it patient & clinician focused
• Set and manage expectations
• Establish service standards
• Track success

Governance

[Diagram: governance model for the ConnectingGTA privacy program. Governance Committees make decisions about privacy and security policies, procedures, and standards, and define and guide planning of the program. Other labels in the diagram: Advising, Auditing, Monitoring, Operational & Reporting; People; Processes; Technology; Activities to Manage ConnectingGTA Privacy Program; Activities to Meet Operational Obligations; Support for Privacy Rights; Consent Mgmt; Privacy Auditing & Review; Access Control; P&S Breach Mgmt; Identity Mgmt; Communications; Training; Vulnerability Mgmt; Security Monitoring & Auditing; System Dev Lifecycle Support.]

Lessons Learned

• No two organizations are the same
• Be prepared to change
• Agree on common terminology
• Bring privacy into the design of the system
• Separate the policy from the standards
• Policies and standards should focus on patient’s perspective
• Ensure privacy is embedded into the clinical and patient processes
• Align participants' privacy programs
• Test and Learn

Thank you!

Visit ConnectingGTA at: www.ehealthontario.ca
Email the team at: ConnectingGTA@uhn.ca