Health Information Act Orientation
College of Registered Dental Hygienists of Alberta January 22, 2011
Agenda
What is the HIA?
What does the HIA mean to you?
Basic HIA concepts
Your questions
What is access?
Patients have a right to access their own health records
Practically, this means making arrangements to view records or making a copy
Right is not absolute – some exceptions may apply
What is privacy? (my opinion)
Privacy means the ability to exercise control over what is done with your personal and health information
Privacy is not absolute. Some health information needs to be exchanged in order to provide services.
Health Information Act
Alberta’s access and privacy law for health information
Proclaimed 2001, amended 2006 and 2010
Enables electronic health records
Regulates Albertans’ rights: to access their own health information and to request corrections
Regulates collection, use and disclosure of health information whenever a health service is provided
Confidentiality of health information: reasonable measures to protect health information
Provides independent oversight: Information and Privacy Commissioner
HIA Jurisdiction
HIA applies to health information in custody or control of custodians
Health information is information about a health service recorded in any form or medium
Custody means you have it
Control means you can make decisions about it
A health service is a service provided to an individual to:
Protect, promote or maintain health
Prevent or diagnose illness
Rehabilitation
Care for health of ill, disabled, injured or dying
(Dental hygiene is a ‘health service’)
Custodians are responsible for compliance with HIA
HIA Scope changes
Before September 1, 2010, HIA applied to the health services paid for in public health system
Now HIA applies to health services, regardless of who pays
New types of custodians named (that is why you are here!)
Other changes to HIA
Alberta provincial electronic health record regulation
Sets rules and governance for Netcare
Specifies audit requirements for electronic health records
Custodian responsibility transfer
Custodians can now become affiliates of other custodians
Useful for practices where one custodian takes the lead
Minister must approve
Health Information Repositories
Stay tuned – regulations not released yet
Two new roles for health regulatory colleges
Making health information available to Netcare
Standards of practice as prerequisites to members using Netcare
OIPC – Office of the Information & Privacy Commissioner
Commissioner – Frank Work, an officer of the Legislative Assembly, independent of government
Has a broad range of responsibilities and powers, including enforcing:
Freedom of Information and Protection of Privacy Act (FOIP)
Personal Information Protection Act (PIPA)
Health Information Act (HIA)
Commissioner does not make the 3 laws; government is responsible for legislation
PIPA & FOIP – Alberta Government Services
HIA – Alberta Health & Wellness
OIPC Portfolio Officers
You are most likely to encounter portfolio officers in your job as we:
Investigate and mediate access, correction and privacy complaints
Review Privacy Impact Assessments
Provide advice and education on access and privacy issues in health sector
My portfolio includes dental hygienists, dentists and denturists
What does the HIA mean to you?
Your roles and responsibilities under the HIA
Custodians are responsible for HIA compliance
Policies
Training and awareness
Responding to access and correction requests
Protecting health information
Privacy Impact Assessments
Reviewing effectiveness of policies
Who is a custodian?
Still custodians:
Minister of Health and Wellness
Alberta Health and Wellness
Alberta Health Services
Health Quality Council of Alberta
Members of College of Physicians and Surgeons of Alberta
Members of Alberta College of Pharmacists, & pharmacies
Nursing Homes
Boards and committees established by custodians
Others may be named in regulation
New custodians (as of September 1), members of:
Alberta College of Optometrists
Alberta Opticians Association
Alberta College and Association of Chiropractors
Alberta Association of Midwives
Alberta Podiatry Association
College of Alberta Denturists
More new custodians 6 months after proclamation (March 2011), members of:
Alberta Dental Association and College
College of Registered Dental Hygienists of Alberta
1 year after proclamation (September 2011), members of:
College and Association of Registered Nurses of Alberta
More to come… Will be professionals under Health Professions Act; we don’t know which ones yet
Custodians and affiliates
Custodians are responsible for HIA compliance
HIA says both dentists and dental hygienists will be custodians. Confused?
Affiliates work for custodians: paid, or non-paid (volunteers, students, interns, etc.)
If you work for a custodian (a dentist, AHS, nursing home, etc.) you are an affiliate
If you are in independent practice, you are a custodian
What does this mean to you if you work for a custodian?
You are an affiliate to a custodian:
Dentist
Institution (AHS, nursing home, etc.)
You need to follow custodian’s HIA policies:
Access requests from patients
Correction requests from patients
Collection
Use
Disclosure
Information security
Only collect, use and disclose the amount of health information you need to do your job
A custodian may delegate some HIA responsibilities to you
What you need to do if you are a custodian Put someone in charge (it may be you)
Get to know the HIA
Assess shortfalls, risks regularly
Develop policies and procedures
Train staff (or yourself)
Develop forms and communications material
Review contracts
Develop complaints/breach processes
HIA concepts
Collection, use and disclosure
Access and correction requests
Consent
Protecting health information
Information managers
Privacy Impact Assessments
Caveat: (Review the HIA Guide and the Act)
Collection, Use and Disclosure of Health Information
Collection (when you receive health information from a patient or other source)
Use (what you do with health information while it is under your custody or control)
Disclosure (when you give health information to someone else – other health services providers, insurance, family, lawyers)
Collection, Use and Disclosure
[Diagram: flow of health information between a dental office (application and database) and an insurance application, labelled Collection, Use and Disclosure]
Collection
Custodians may collect health information to provide health services, including Personal Health Number (PHN)
Only collect what you need
Rule of thumb: collect directly from patient where possible
Indirect collection OK, but make sure you do so under circumstances listed in HIA
You need to provide collection notice; could be on poster and/or new patient registration form
HIA lists what needs to be in collection notice (see Guide)
Use
Custodians may use health information to provide health services
Only use what you need to do your job. No snooping!
Patients can ask for a record of who has accessed their health information in electronic health records
If you can’t find a particular use listed in the HIA, don’t use it for that purpose (see Guide)
Bad news!
fined $10,000
Disclosure
Custodians may disclose health information to provide health services
Other types of disclosures listed in HIA (see Guide)
If it’s not listed in the HIA, don’t disclose without consent
Access and correction requests
Duty to respond within 30 days, or longer if permitted by HIA or Commissioner
Legal representatives may act on behalf of patients to make access and correction requests (see Guide for types of representatives)
Access
Patients have a right to access their own health records, subject to limitations in HIA
Custodian may charge a fee (HIA fee Schedule)
You can also disclose informally
Correction
Patients may ask to have records corrected
Custodian must consider request, but does not have to make change (e.g. medical opinions)
If custodian refuses to make change, patients can ask to have 500 word statement of disagreement placed on their file or ask Commissioner to mediate
If the change is routine (e.g. address change), just make the change – no need to use formal process
Consent
Consent applies to disclosure of health information only
Rule of thumb: generally, you can collect, use and disclose health information to provide health services without patient consent
You can also disclose without consent for several other purposes (including processing payment) – see the HIA Guide
Anything not listed, get consent
HIA specifies requirements for consent (see HIA Guide)
Protecting Health Information – 3 kinds of measures
Administrative (management, policies, training)
Physical (locks, alarms, controlled file rooms)
Technical (IT security: access controls, backup, malware protection, firewall, encryption)
Standard is reasonableness, not perfection
Take reasonable measures to protect against reasonably anticipated threats
See our PIA Requirements for a list of what OIPC considers reasonable
Information Managers (IM)
Kind of affiliate who has access to health information, but is not a health services provider
IMs may:
Process, store, or retrieve health information
Provide IM or information technology services
Create non-identifying information (anonymization)
Examples:
Records storage company
Shredding company
IT service provider (help desk)
Requirements for IMs and IM agreements set out in HIA and Regulation
Custodian is responsible for actions of IM
Privacy Impact Assessment
An assessment of privacy risk for a new project
Describes custodian’s management and policy structure that support HIA
Describes project
Analyses flows of health information
Confirms legal authority to collect, use and disclose health information
Identifies risks to confidentiality, integrity and availability of health information
Describes measures to mitigate risk
Describes plans to ensure on-going compliance
Mandatory for custodians under HIA when implementing new information systems or business practices that will collect, use or disclose health information
New PIA Requirements
Effective April 15, 2010
Download from our website, or buy from Queen’s Printer
Your questions
Mature minors – what’s reasonable? Scenario:
A dental hygienist was present during a dental examination. After the examination the dentist asked the client, “Do I have your permission to share the results of this dental examination with your parents?”
Question:
Must a clinician routinely ask children/teenagers if they can share information with their parents; or is it only if the client expresses that it not be made and if the client is a mature minor? We see the quote on page 40 of Health Information: A Personal Matter, ‘Parents don’t have an automatic right to children’s information.’ Please expand on this.
Answer:
Use your professional judgement. If you have some reason to believe the patient is acting as a mature minor, get permission. If you don’t know the patient, err on the side of caution. The younger the patient, the less this is necessary.
Records retention
Q: When can records be destroyed as per CRDHA?
A: Generally, the HIA doesn’t change existing records retention requirements set by your professional college
Two HIA records retention requirements: keep for 10 years:
1. Disclosure notations (who you disclosed the information to, date, purpose and description)
2. Access logs in Netcare
Communication between dental offices
Q: When receiving a verbal request from dental offices for x-rays, may we disclose whether there are recent or any x-rays? Must a signed statement from the client in question be on file first?
Q: On behalf of clients, may we request information or must we get a signed statement from client first? (i.e. request information from a dentist in a different practice?)
A: (for both questions) Custodians may disclose health information to each other to provide health services without consent
Access requests - fees
Q: What is a reasonable fee to charge clients access to records?
A: HIA sets out a fee Schedule in the Health Information Regulation
$25, up to 20 pages
Over 20 pages - custodian may charge additional fees, per the Schedule
Question – mobile device security
Q I have a mobile practice and I use a laptop which contains all of my patient data, files and records. (I am a paperless office). When I'm not using the laptop it is at my home residence (i.e. my home office).
Is it really necessary to physically lock up the computer when not in use? I already have it password protected and my home has a security system.
Example risk assessment
What are the risks to laptops?
Unauthorized access to health information due to theft or loss
Unauthorized access through wireless
Destruction/loss of data (availability)
How do you mitigate these risks?
Physical security: locks, cables
Encrypt data stored on laptop
Only connect to secure wireless networks and encrypt your data traffic over wireless networks
Back-up your data to another site (encrypt your backup too)
Training and awareness (how do I do all this technical stuff?)
Mobile device security
A Under the HIA, you need to take reasonable measures to secure health information, based on reasonably anticipated risk.
It looks like your laptop is secure enough from theft at home.(I might have a different answer for an office environment.)
BUT
Laptops are mobile computer devices. They are vulnerable to theft and loss. Your laptop is most vulnerable while you are away from your home office. Locks and passwords alone don’t offer much protection. The best protection is encryption.
Our investigation report IR H2006-IR-002 established a checklist for mobile device protection:
1. Assess the risk of using a mobile device
2. Only store health information on mobile device when necessary and only store as much as you need
3. Consider secure remote access to health information, rather than storing the data on the mobile device
4. If you store health information on a mobile device, encrypt it
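The risk assessment above and checklist item 4 both come down to the same control: health information stored on a laptop should be unreadable without a key that is not on the laptop, and the same goes for the backup copy. The following is an added example (not code from the OIPC or the presenter) showing what "encrypt it" means in practice, using authenticated encryption (AES-256-GCM) so that a stolen or altered file is both unreadable and detectably tampered. The patient record, the function names and the key-handling comments are constructed for illustration; a real deployment would derive or store the key outside the device (a passphrase-derived key or a hardware token), which this snippet does not implement.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record; placeholder values, not real patient data.
var sampleRecord = []byte("PHN: 000000000 (placeholder)\n" +
	"Patient: J. Doe (constructed)\n" +
	"Visit: 2011-01-22 scaling, no radiographs taken\n")

// NewKey returns a fresh 256-bit AES key. In practice the key must live apart
// from the laptop's data (passphrase-derived or on a token); a key saved next
// to the records gives a thief both at once. (Assumption for this example.)
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one record with AES-256-GCM. A random nonce is generated per
// call and prepended to the ciphertext, so one key can protect many records
// (and the encrypted backup copy). GCM's tag makes later modification detectable.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error for a wrong key or a tampered blob,
// which is the property a password alone does not give you.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("encrypted blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTrip is a self-check: the stored blob must not contain the plaintext,
// must decrypt back to the original, and must fail to open once corrupted.
func RoundTrip(key, record []byte) (bool, error) {
	blob, err := Seal(key, record)
	if err != nil {
		return false, err
	}
	if bytes.Contains(blob, []byte("PHN: 000000000")) {
		return false, errors.New("plaintext visible in stored blob")
	}
	got, err := Open(key, blob)
	if err != nil || !bytes.Equal(got, record) {
		return false, errors.New("decryption did not reproduce the record")
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	if _, err := Open(key, tampered); err == nil {
		return false, errors.New("tampering went undetected")
	}
	return true, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	ok, err := RoundTrip(key, sampleRecord)
	fmt.Println("encrypt/decrypt/tamper-check ok:", ok, "err:", err)
}
```

The same Seal output can be copied to the off-site backup, which satisfies the "encrypt your backup too" point without a second mechanism; what remains is the key-management decision the checklist's first step (assess the risk) is meant to drive.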
HIA – further reading
Health Information Act (and regulations): Queen’s Printer > Laws Online: www.qp.ab.ca
Correct version of Health Information Regulation that mentions Dental Hygienists is under Orders in Council – navigate to: Queen’s Printer > Legislative Publications > Orders in Council > July 2010 > Health and Wellness. Health Information Regulation is 10264 (OC 264/2010)
OIPC’s Practical Guide to the HIA, PIA Requirements, Orders and Investigation Reports
www.oipc.ab.ca: Publications > HIA
Thank you!
Brian Hamilton
Portfolio Officer, Health Information Act
Office of the Information and
Privacy Commissioner, Alberta
www.oipc.ab.ca
(780) 422-6860