Managing Patient Information Professional Staff Development Series February 15, 2013.


Managing Patient Information

Professional Staff Development Series February 15, 2013

2

Learning Objectives

To understand:
• privacy legislation and how to comply in practice, clinically and academically;
• the process involved when there is a privacy complaint or breach;
• documentation requirements and the integrity of the health record;
• documentation requirements from a Royal College perspective.

3

Ontario has a law that governs health information:

Personal Health Information Protection Act - PHIPA
• Provincial law - enacted Nov/04
• Governs obligations of HICs on the:
    • collection, use, disclosure and protection of personal health information (PHI), as well as the right of a patient/SDM to:
        • access their PHI
        • request to correct PHI
        • challenge a HIC’s privacy practices
        • restrict collection, use and disclosure of PHI (lockbox)

4

What the heck is a HIC and are you one?

Short answer – not in your professional staff role.

• LHSC and St Joseph’s are the Health Information Custodian (HIC) and have custody and control of PHI on a patient who has a registered visit to the hospital

• whether the PHI is used for health care, research, education, etc.

• staff, physicians, students, volunteers employed/granted privileges/affiliated through a HIC are “agents” of the HIC

5

Mrs. Jones arrives for a first visit to your clinic

Mrs. Jones reports a history of previous visits to the hospital and to the regional hospitals who share the EPR.

• Can you access Mrs. Jones’ hard copy record and/or the EPR to get her historical information?

• What type of consent do you need to collect and use her information from this point onwards?

6

Mrs. Jones arrives for a first visit to your clinic…cont.

Unless the patient has told you not to, you can assume “implied consent” to:
• collect;
• access/use;
• share information within the “circle of care”.

*Take reasonable steps to inform the patient about how LHSC/St Joseph’s collects, uses, and discloses their PHI.

7

Implied consent no consent

Reasonable steps:

• posters, brochures, web site - make sure your office, clinic has these;

• talk to the patient e.g. you are consulting a specialist or asking the family MD to follow up post discharge – it is implied that you will share information to facilitate that referral unless the patient objects;

• make Privacy aware of any restrictions.

8

Who is in and out of the Circle of Care?

In the circle of care…

• those providing or facilitating health care for that patient within the hospital and in the community

• can rely on “implied” consent to use and/or disclose within circle of care, e.g. family MD, CCAC

Not within circle = express consent required, (company supplying services or home equipment but not providing care, lawyers, insurers)

9

You are not in the circle of care for…

Family, friends, colleagues, etc.

• because you have access to the entire EPR system does not mean you have the right to access any information or record, even if you keep it confidential

If you wish to access your own health record contact HIM for information on hospital process.

Privacy Office audits EPR to determine compliance

10

Mrs. Green…

You go to the clinic desk to review information on your next patient. When you arrive, the computer is logged into PowerChart – how convenient! You search for her information and notice that there is a flag (“Lockbox Restriction”).

11

Mrs. Green cont…

Is it OK to use someone else’s log in?

What does this Lockbox Restriction flag mean and does it affect you?

12

Mrs. Green cont…

You should:
• close that access and log in under your own user name/password;
• remind user that he/she left log in open and unattended;
• not share your user name/password nor allow others to use your account;
• not use an access left unattended;
• not leave your own access open and unattended.

You are responsible for all activity under your login

13

Mrs. Green cont…

PHIPA grants patients the right to restrict use and/or disclosure of their PHI, even for health care.

Without the patient’s consent, you cannot access lockboxed PHI unless specific situations exist.

Policy and process at LHSC and St Joseph’s…options:
• discuss with patient – is PHI critical for ongoing care or does lockbox apply to isolated PHI/visit?
• determine if you can provide care with lockbox in place
• discuss with Chief, VP Medicine, Risk and/or Privacy if considering refusing elective care

14

What If a Patient Requests a New Lockbox?

Begin the discussion, use lockbox brochure
• what are the concerns
• explain risks

Notify Privacy Office - work with patient to:
• review request to ensure patient is requesting lockbox, or 1-1 denial;
• review risks;
• complete request form, validate ID;
• apply lockbox to record.
    • hard copy
    • limited ability in EPR

15

What Cannot Be Lockboxed?

Patient will be informed that lockbox does not apply:

• to use for administrative purposes, (billing, risk management, quality assurance);

• to PHI collected during an active IP visit;

• when the use/disclosure is permitted or required by law;

    • permitted – to PHIPA-recognized registry (CCO etc.);
    • required – mandatory disclosure (child abuse, MTO);

• in an emergency situation where the information is necessary for eliminating or reducing significant risk of harm to patient or other person/s = override.

16

You Are An ED MD and a Patient Arrives From a MVC - VSA

The ED clerk calls HIM and they say you cannot get the record as it is lockboxed in both hard copy and EPR.

Having the PHI may raise the chance of a positive outcome for the patient – what do you do?

17

Lockbox override

PHIPA permits an override of a lockbox if:
• patient consents (must be considered first)
• risk of significant harm to patient (applies in this situation)
• PHIPA permitted or required use

Complete override form declaring what situation exists, fax to HIM:

• HIM will release record or enable access to EPR

(Pilot e-lockbox – access may take time – may get hard copy of printed EPR)

• Privacy Office audits all overrides

18

Lockbox example

• patient seen in surgeon’s office and booked for Sx
• patient asks Privacy Office for lockbox restrictions to her PHI for any reason
• patient visit in Pre Admit – tried to get record from HIM – denied, so PAC staff asked for surgeon’s office file
• patient furious that office file released

Privacy and Surgeon had to negotiate an agreement to get surgery done – challenges:
• originally, patient didn’t want anyone but surgeon to access hard copy record during IP stay
• didn’t want pre-op assessment used for IP stay

Not all lockbox requests are this complex, but important to make Privacy aware and respect restrictions

19

Mrs. Jones

You think that Mrs. Jones would be a good case to take to Grand Rounds so start to prepare the presentation…what information can be shared without violating the patient’s privacy, corporate policy and PHIPA?

20

Use of PHI for education

De-identify information:
• totally when using PHI for external presentations;
• as much as possible, for internal teaching rounds;
• bedside rounds – be aware of other patients.

But what is considered identifiable – new rules since PHIPA

Which of the following are considered identifiable:
a. name
b. initials
c. hospital PIN/J#
d. postal code
e. all of the above
f. none of the above

21

Use of PHI for education

All of the above (on the previous slide)

Rules have changed since PHIPA:
• Identifiable = information used alone or in combination to identify the patient

Contrary to popular belief, “identifiable” includes:
• initials, postal code, HC#, PIN/J#…
• unusual condition in small population/study size

22

Mrs. Jones

After the discussion about Mrs. Jones at Grand Rounds you and your colleagues realize that there is a group of patients with similar issues that would lend itself to a publication.

What steps are needed to use this information for publication or for research? You start to create:
• a database with all the patient information – this looks interesting and may make a good research project
• a summary document with all the patients’ PHI and load it onto your laptop so that you can work on it at home…what do you need to pay attention to?

23

Can You Use PHI for Research?

Short answer – yes….under rules set by PHIPA

To use PHI for research, you must:
• have UWO REB and Lawson approval;
• follow policy and submit completed form to HIM for chart pulls or to use PHI regardless of the format;
• submit any changes to the protocol or to who is accessing the PHI for the project to REB;
• protect the PHI, e.g. do not save information on portable devices or hard drives unless strongly encrypted;

• databases – need REB approval at beginning – even if no specific research is planned.

24

Information Security

Avoid storing identifiable PHI on a hard drive of any device e.g. PC, laptop, Blackberry, home computer, memory stick…store on hospital network.

If you must use a hard drive or portable device:
• encrypt – hospital encryption system – HelpDesk;
• store minimum information;
• for as short a time as possible;
• back up on network drive;
• physical security of the device.

Avoid taking identifiable information out of the hospital in any format

25

Information Security

You would like to send that identifiable research data to the co-investigator at UHN. What are the options to send it to ensure its security?
• e-mail
• fax
• Canada Post
• courier

26

Information Security

NOT E-mail
• only to accounts within secure system - @lhsc, @sjhc, @londonhospitals, @lawson, @schulich – nothing else is secure, including @uwo, @hotmail, @yahoo etc.

You can:
• Fax – use care when entering fax #, always use cover page with your own contact information on it – breaches from human error;
• Canada Post;
• courier $$
• consider Secure File Transfer

27

Information Security Breach examples:

• 2007 – theft of non-encrypted hard drives storing research databases

• 270 patients notified

• 2009 – EPR patient lists:
    • found in Masonville Mall – very sensitive PHI, e.g. erectile dysfunction - 20 patients notified;
    • found flying around schoolyard – 16 patients notified

• 2009 – employee e-mailed Excel file to Resident’s Hotmail account – against hospital policy, and entered wrong e-mail address

• 33 patients notified

• 2009 Durham Region – loss of memory stick – notification of >83,000 patients – directive from IPC to all HICs – ENCRYPT!!

28

Monitoring and Auditing for Privacy Compliance

You receive a call from the Privacy Office

• a patient had called and asked for an audit of his/her chart;

• the audit shows that your (privately hired) secretary accessed the EPR record, however this patient has never been a patient of your service nor have you been consulted about this patient …what next?

29

EPR & PACS Audits

Performed:
• at request of patient/SDM or leader;
• on randomly selected staff/affiliates, high profile patients, deceased or hospitalized staff/affiliates.

Breaches being detected – mainly on family, friends, co-workers, high profile patients:
• Misconception re “authorized use”;
• PHIPA requires HICs to notify patients if their PHI is lost, stolen or accessed without authority;
• if asked, we tell the patient who committed the breach.

30

As the Employer of the Secretary, You Are Required To:

• Follow direction of Privacy Office (HR if hospital is employer)

• Investigate…was a referral sent to you, but patient never seen, has employee done P and C Education?

• If you cannot validate reason for access:
    • meet with employee (with HR if hospital is employer) and ask to validate reason for access, relationship to patient

• If found to be a breach, possible outcomes include:
    • education
    • verbal warning
    • written warning
    • suspension
    • termination

31

Correction of PHI

You are contacted by a Privacy Specialist/Consultant who received a request from a patient to correct his record.

The PHI challenged is in your admission history. It reports that he is diabetic – patient challenges the accuracy of this. He says he has been tested for low blood sugar, but he was told he was not diabetic.

What do you do?
• nothing – your documentation is correct;
• get the record & black out the entry;
• if you recall the patient reporting diabetes, not change the entry;
• if you cannot recall, correct the entry.

32

Correction of PHI

Patient has right to request change if they feel PHI is incorrect or incomplete.

Key points:
• PHIPA timeline – notify Privacy asap
• we are not required to change if:
    • professional opinion/observation made in good faith;
    • patient does not provide the information necessary to make the correction;
    • record was not made by agent of HIC
    • HIC/agent does not have the knowledge or expertise to make correction

If HIC refuses correction, patient has right to:
• place Statement of Disagreement on record
• appeal to Privacy Commissioner of Ontario – this has occurred

33

Physician Billing

As a new physician to LHSC/St Joseph’s, you need to have someone do your billing. You know of external agencies who do this. You also know of a secretary in another department who does billing on off hours.

What do you need to consider when having someone other than your secretary do your billing?

34

Physician Billing Guidelines

Helps protect you, the hospital and the confidentiality/security of the PHI.

If you use someone other than your secretary or other hospital employee whose hospital role is to do your billing:
• have a written contract with external agency/person that binds the agent;
    • to the confidentiality of the PHI & MD information
    • to put security measures in place - both physical and technical;
• avoid taking PHI out of organization;
• P&C education and agreement;
• actions in case of a breach.

35

Watch where you have clinical discussions:

36

Privacy Breaches are:

Distressing for patients:
• fears of identity theft, impact on their care;
• anger that we have not taken precautions;
• time consuming, costly for you, and the hospital

Breaches can result in:
• letter to file;
• suspension or termination of privileges;
• report to CPSO;
• complaints to the Information & Privacy Commissioner.

37

Mrs. Jones

Mrs. Jones is ready for discharge and discharge documentation is required…what are the obligations for completion?

38

The Hybrid Record

LHSC and St. Joseph’s have a Hybrid Record … documents and results that are available electronically in the EPR are not found filed on the paper record. You will need to refer to both the paper and the electronic portions of the record to obtain a full documentation history for the patient.

39

Clinical Documentation

• The timely completion and authentication of all required Clinical Documentation is important for the following reasons:

• To facilitate accurate communication among health care providers for continuing patient care,

• Properly done, to manage risk for all medical and non-medical professional staff as well as the hospital,

• To facilitate appropriate hospital funding, and

• In order to comply with legislation and accreditation standards

• All patient visits must be registered

• All visits to the hospital or any remote site of the hospital require clinical documentation

40

Clinical Documentation Requirements

• To support patient safety and ensure that clinical documentation at our hospitals complies with legislation, the hospital identifies clinical documentation and document authentication requirements for Professional Staff

• ALL CHART COMPLETION REQUIREMENTS ARE TO BE MET WITHIN 14 DAYS FOLLOWING DISCHARGE.

• Your signature is your authentication

• All electronically documented clinical reports will be distributed to the author (as well as internal cc’s) using “message centre” and require your review and electronic signature to trigger external distribution

41

Audited Clinical Documentation

ALL Inpatient Discharges require an authenticated Discharge Summary

ALL Deaths require an authenticated Death Summary

ALL procedures carried out in the Operating Room require an authenticated OR Report and Anaesthesia Report

ALL major procedures require an authenticated Procedure Report

ALL births require an authenticated Delivery Summary

42

Alternative Documentation Strategies

Central Dictation/Transcription services are available

Does your office assistant transcribe clinical reports for you? Ask about receiving Cerner’s transcription module from Helpdesk.

Do you have high keyboarding skills or prefer to enter your own reports electronically? Ask about access and training for Advanced Clinical Notes (ACN).

Do you prefer to use central dictation and transcription resources, but want to save time and help to reduce the workload on transcription? Ask about establishing templates for some of your clinical reports from Transcription.

43

Chart Completion Process

• Health Records will send the responsible Professional Staff reminder notices of chart deficiencies at 7, 14 and 21 days post separation

• The notice at 21 days reminds you that you have just 7 additional days before the hospital will suspend privileges. Privileges will be reinstated upon completion of all outstanding deficiencies.

• If you know you are going to be away from the hospital for 7 days or longer … let Health Records know. They will ‘stop the clock’ and resume it upon your return

• If the chart becomes required for continuing care and is not available for you to complete your documentation in Health Records for a period of time … the ‘clock’ will also stop and resume upon the return of the chart to Health Records

• Suspension of privileges 3 times in the same appointment year will be reported to the CPSO

44

Mrs. Jones

Mrs. Jones is admitted to your service with you as the MRP. The nurse calls you to advise that Mrs. Jones is having pain and you provide a verbal order for some analgesics. Later that morning you are doing rounds with the medical student and you review the investigations that need to be ordered for this patient. The medical student documents the orders. That afternoon you ask when the CT scan will be done on Mrs. Jones and discover that the order has not been processed…why?

45

Verbal and Telephone Orders

• Telephone orders may only be accepted in situations where the prescriber is not present and there is a need for direction with patient care.

• In this example:
    • the prescriber (MRP) is not present
    • Mrs. Jones is experiencing pain
    • The nurse, being authorized under the RHPA & Regs and hospital policy may transcribe the order
    • Telephone order for Dr. Smith/Jane Doe RN 2230 hrs. May 15, 2009
    • The order for analgesia may now be acted upon

• Follow up is then required by the MRP (the prescriber or delegate) to:
    • Sign the order within 24 hours (acute care)
    • Sign the order on the next working day (RMHC) and
    • Sign the order at the next visit to the unit (Parkwood Hospital and Mount Hope).

46

Verbal and Telephone Orders

• Verbal orders may only be accepted in emergency situations when the prescriber is physically unable to write his or her own orders and a delay in treatment would not be in the best interest of the patient.

• So, in this example:
    • Conditions were not met for accepting verbal orders
    • A senior medical student may write orders … but the orders must be countersigned before they can be processed or acted on (Scope of activities for Senior Medical Students Policy)

• In this example, the MRP should have written the orders him/herself … or at the very least, countersigned the orders so that they could be acted upon.

47

Resources:

LHSC/St. Joseph’s Privacy Office 32996

Health Information Management 64296

Medical Affairs Contact 75125