Health Information Act Orientation

College of Registered Dental Hygienists of Alberta
January 22, 2011
Agenda
 What is the HIA?
 What does the HIA mean to you?
 Basic HIA concepts
 Your questions
What is access?
 Patients have a right to access their own health records
 Practically, this means making arrangements to view records or making a copy
 Right is not absolute – some exceptions may apply
What is privacy? (my opinion)
 Privacy means the ability to exercise control over what is done with your personal and health information
 Privacy is not absolute. Some health information needs to be exchanged in order to provide services.
Health Information Act
 Alberta’s access and privacy law for health information
   Proclaimed 2001, amended 2006 and 2010
 Enables electronic health records
 Regulates Albertans’ rights:
   to access their own health information and
   to request corrections
 Regulates collection, use and disclosure of health information whenever a health service is provided
   Confidentiality of health information
   Reasonable measures to protect health information
 Provides independent oversight
   Information and Privacy Commissioner
HIA Jurisdiction
 HIA applies to health information in custody or control of custodians
 Health information is information about a health service recorded in any form or medium
   Custody means you have it
   Control means you can make decisions about it
 A health service is a service provided to an individual to:
   Protect, promote or maintain health
   Prevent or diagnose illness
   Rehabilitation
   Care for health of ill, disabled, injured or dying
   (Dental hygiene is a ‘health service’)
 Custodians are responsible for compliance with HIA
HIA Scope changes
 Before September 1, 2010, HIA applied to the health services paid for in the public health system
 Now HIA applies to health services, regardless of who pays
 New types of custodians named (that is why you are here!)
Other changes to HIA
 Alberta provincial electronic health record regulation
   Sets rules and governance for Netcare
   Specifies audit requirements for electronic health records
 Custodian responsibility transfer
   Custodians can now become affiliates of other custodians
   Useful for practices where one custodian takes the lead
   Minister must approve
 Health Information Repositories
   Stay tuned – regulations not released yet
 Two new roles for health regulatory colleges
   Making health information available to Netcare
   Standards of practice as prerequisites to members using Netcare
OIPC
Office of the Information & Privacy Commissioner
 Commissioner - Frank Work
   an officer of the Legislative Assembly
   Independent of government
 Has a broad range of responsibilities and powers, including enforcing:
   Freedom of Information and Protection of Privacy Act (FOIP)
   Personal Information Protection Act (PIPA)
   Health Information Act (HIA)
 Commissioner does not make the 3 laws
 Government is responsible for legislation
   PIPA & FOIP – Alberta Government Services
   HIA – Alberta Health & Wellness
OIPC Portfolio Officers
 You are most likely to encounter portfolio officers in your job as we:
   Investigate and mediate access, correction and privacy complaints
   Review Privacy Impact Assessments
   Provide advice and education on access and privacy issues in the health sector
 My portfolio includes dental hygienists, dentists and denturists
What does the HIA mean to you?
Your roles and responsibilities under the HIA
Custodians are responsible for HIA compliance
 Policies
 Training and awareness
 Responding to access and correction requests
 Protecting health information
 Privacy Impact Assessments
 Reviewing effectiveness of policies
Who is a custodian?
 Still custodians:
   Minister of Health and Wellness
   Alberta Health and Wellness
   Alberta Health Services
   Health Quality Council of Alberta
   Members of College of Physicians and Surgeons of Alberta
   Members of Alberta College of Pharmacists, & pharmacies
   Nursing Homes
   Boards and committees established by custodians
   Others may be named in regulation
 New custodians (as of September 1), members of:
   Alberta College of Optometrists
   Alberta Opticians Association
   Alberta College and Association of Chiropractors
   Alberta Association of Midwives
   Alberta Podiatry Association
   College of Alberta Denturists
More new custodians
 6 months after proclamation (March 2011), members of:
   Alberta Dental Association and College
   College of Registered Dental Hygienists of Alberta
 1 year after proclamation (September 2011), members of:
   College and Association of Registered Nurses of Alberta
 More to come…
   Will be professionals under Health Professions Act
   We don’t know which ones yet
Custodians and affiliates
 Custodians are responsible for HIA compliance
 HIA says both dentists and dental hygienists will be custodians
 Confused?
 Affiliates work for custodians
   Paid, or non-paid (volunteers, students, interns, etc.)
 If you work for a custodian (a dentist, AHS, nursing home, etc.) you are an affiliate
 If you are in independent practice, you are a custodian
What does this mean to you if you work for a custodian?
 You are an affiliate to a custodian
   Dentist
   Institution (AHS, nursing home, etc.)
 You need to follow custodian’s HIA policies
   Access requests from patients
   Correction requests from patients
   Collection
   Use
   Disclosure
   Information security
 Only collect, use and disclose the amount of health information you need to do your job
 A custodian may delegate some HIA responsibilities to you
What you need to do if you are a custodian
 Put someone in charge (it may be you)
 Get to know the HIA
 Assess shortfalls and risks regularly
 Develop policies and procedures
 Train staff (or yourself)
 Develop forms and communications material
 Review contracts
 Develop complaints/breach processes
HIA concepts
 Collection, use and disclosure
 Access and Correction Requests
 Consent
 Protecting health information
 Information managers
 Privacy Impact Assessments
Caveat: (Review the HIA Guide and the Act)
Collection, Use and Disclosure of Health Information
 Collection (when you receive health information from a patient or other source)
 Use (what you do with health information while it is under your custody or control)
 Disclosure (when you give health information to someone else – other health services providers, insurance, family, lawyers)
Collection, Use and Disclosure
[Diagram: boxes labelled Dental Office, Application, Insurance and Database, with flows labelled Collection, Use and Disclosure]

Custodians may collect health information to provide health
services

Including Personal Health Number (PHN)

Only collect what you need

Rule of thumb:



Collect directly from patient where possible
Indirect collection OK, but make sure you do so under circumstances
listed in HIA
You need to provide collection notice


Could be on poster and/or new patient registration form
HIA lists what needs to be in collection notice (see Guide)
Use
 Custodians may use health information to provide health services
 Only use what you need to do your job
   No snooping!
   Patients can ask for a record of who has accessed their health information in electronic health records
   If you can’t find a particular use listed in the HIA, don’t use it for that purpose (see Guide)
Bad news! fined $10,000
Disclosure
 Custodians may disclose health information to provide health services
 Other types of disclosures listed in HIA (see Guide)
 If it’s not listed in the HIA, don’t disclose without consent
Access and correction requests
 Duty to respond within 30 days, or longer if permitted by HIA or Commissioner
 Legal representatives may act on behalf of patients to make access and correction requests (see Guide for types of representatives)
 Access
   Patients have a right to access their own health records, subject to limitations in HIA
   Custodian may charge a fee (HIA fee Schedule)
   You can also disclose informally
 Correction
   Patients may ask to have records corrected
   Custodian must consider request, but does not have to make change (e.g. medical opinions)
   If custodian refuses to make change, patients can ask to have 500 word statement of disagreement placed on their file or ask Commissioner to mediate
   If the change is routine (e.g. address change), just make the change – no need to use formal process
Consent
 Consent applies to disclosure of health information only
 Rule of thumb:
   Generally, you can collect, use and disclose health information to provide health services without patient consent
   You can also disclose without consent for several other purposes (including processing payment) – see the HIA Guide
   Anything not listed, get consent
 HIA specifies requirements for consent (see HIA Guide)
Protecting Health Information
 3 kinds of measures
   Administrative (Management, policies, training)
   Physical (Locks, alarms, controlled file rooms)
   Technical (IT security: access controls, backup, malware protection, firewall, encryption)
 Standard is reasonableness, not perfection
   Take reasonable measures to protect against reasonably anticipated threats
   See our PIA Requirements for a list of what OIPC considers reasonable
Information Managers (IM)
 Kind of affiliate who has access to health information, but is not a health services provider
 IMs may:
   Process, store, or retrieve health information
   Provide IM or information technology services
   Create non-identifying information (anonymization)
 Examples
   Records storage company
   Shredding company
   IT service provider (Help desk)
 Requirements for IMs and IM agreements set out in HIA and Regulation
 Custodian is responsible for actions of IM
Privacy Impact Assessment
 An assessment of privacy risk for a new project
   Describes custodian’s management and policy structure that support HIA
   Describes project
   Analyses flows of health information
   Confirms legal authority to collect, use and disclose health information
   Identifies risks to confidentiality, integrity and availability of health information
   Describes measures to mitigate risk
   Describes plans to ensure on-going compliance
 Mandatory for custodians under HIA when implementing new information systems or business practices that will collect, use or disclose health information
New PIA Requirements
 Effective April 15, 2010
 Download from our website, or buy from Queen’s Printer
Your questions
Mature minors – what’s reasonable?

Scenario:
A dental hygienist was present during a dental examination. After the examination the dentist asked the client, “Do I have your permission to share the results of this dental examination with your parents?”

Question:
Must a clinician routinely ask children/teenagers if they can share information with their parents; or is it only if the client expresses that it not be made and if the client is a mature minor? We see the quote on page 40 of Health Information: A Personal Matter, ‘Parents don’t have an automatic right to children’s information.’ Please expand on this.

Answer:
Use your professional judgement. If you have some reason to believe the patient is acting as a mature minor, get permission. If you don’t know the patient, err on the side of caution. The younger the patient, the less this is necessary.
Records retention
Q: When can records be destroyed as per CRDHA?
A: Generally, the HIA doesn’t change existing records retention requirements set by your professional college
Two HIA records retention requirements: keep for 10 years:
1. Disclosure notations (who you disclosed the information to, date, purpose and description)
2. Access logs in Netcare
Communication between dental offices
Q: When receiving a verbal request from dental offices for x-rays, may we disclose whether there are recent or any x-rays? Does a signed statement from the client in question need to be on file first?
Q: On behalf of clients, may we request information, or must we get a signed statement from the client first? (i.e. request information from a dentist in a different practice?)
A: (for both questions) Custodians may disclose health information to each other to provide health services without consent
Access requests - fees
Q: What is a reasonable fee to charge clients for access to records?
A: HIA sets out a fee Schedule in the Health Information Regulation
 $25, up to 20 pages
 Over 20 pages - custodian may charge additional fees, per the Schedule
Question – mobile device security
Q: I have a mobile practice and I use a laptop which contains all of my patient data, files and records. (I am a paperless office). When I'm not using the laptop it is at my home residence (i.e. my home office).
Is it really necessary to physically lock up the computer when not in use? I already have it password protected and my home has a security system.
Example risk assessment
 What are the risks to laptops?
   Unauthorized access to health information due to theft or loss
   Unauthorized access through wireless
   Destruction/loss of data (availability)
 How do you mitigate these risks?
   Physical security: locks, cables
   Encrypt data stored on laptop
   Only connect to secure wireless networks and encrypt your data traffic over wireless networks
   Back-up your data to another site (encrypt your backup too)
   Training and awareness (how do I do all this technical stuff?)
Mobile device security
A: Under the HIA, you need to take reasonable measures to secure health information, based on reasonably anticipated risk.
It looks like your laptop is secure enough from theft at home. (I might have a different answer for an office environment.)
BUT
Laptops are mobile computer devices. They are vulnerable to theft and loss. Your laptop is most vulnerable while you are away from your home office. Locks and passwords alone don’t offer much protection. The best protection is encryption.
Our investigation report IR H2006-IR-002 established a checklist for mobile device protection:
1. Assess the risk of using a mobile device
2. Only store health information on a mobile device when necessary, and only store as much as you need.
3. Consider secure remote access to health information, rather than storing the data on the mobile device.
4. If you store health information on a mobile device, encrypt it.
HIA – further reading
 Health Information Act (and regulations)
   Queen’s Printer > Laws Online: www.qp.ab.ca
   Correct version of Health Information Regulation that mentions Dental Hygienists is under Orders in Council – navigate to: Queen’s Printer > Legislative Publications > Orders in Council > July 2010 > Health and Wellness
   Health Information Regulation is 10264 (OC 264/2010)
 OIPC’s Practical Guide to the HIA
 PIA Requirements
 Orders and Investigation Reports
   www.oipc.ab.ca: Publications > HIA
Thank you!
Brian Hamilton
Portfolio Officer, Health Information Act
Office of the Information and
Privacy Commissioner, Alberta
bhamilton@oipc.ab.ca
www.oipc.ab.ca
(780) 422-6860