Health Information Act Orientation College of Registered Dental Hygienists of Alberta January 22, 2011


Page 1: Health Information Act Orientation

Health Information Act Orientation

College of Registered Dental Hygienists of Alberta January 22, 2011

Page 2: Health Information Act Orientation

Agenda

What is the HIA?

What does the HIA mean to you?

Basic HIA concepts

Your questions

Page 3: Health Information Act Orientation

What is access?

Patients have a right to access their own health records

Practically, this means making arrangements to view records or making a copy

Right is not absolute – some exceptions may apply

Page 4: Health Information Act Orientation

What is privacy? (my opinion)

Privacy means the ability to exercise control over what is done with your personal and health information

Privacy is not absolute. Some health information needs to be exchanged in order to provide services.

Page 5: Health Information Act Orientation

Health Information Act

Alberta’s access and privacy law for health information

Proclaimed 2001, amended 2006 and 2010

Enables electronic health records

Regulates Albertans’ rights: to access their own health information and to request corrections

Regulates collection, use and disclosure of health information whenever a health service is provided

Confidentiality of health information
Reasonable measures to protect health information

Provides independent oversight
Information and Privacy Commissioner

Page 6: Health Information Act Orientation

HIA Jurisdiction

HIA applies to health information in custody or control of custodians

Health information is information about a health service recorded in any form or medium

Custody means you have it
Control means you can make decisions about it

A health service is a service provided to an individual to:
Protect, promote or maintain health
Prevent or diagnose illness
Rehabilitation
Care for health of ill, disabled, injured or dying
(Dental hygiene is a ‘health service’)

Custodians are responsible for compliance with HIA

Page 7: Health Information Act Orientation

HIA Scope changes

Before September 1, 2010, HIA applied to health services paid for in the public health system

Now HIA applies to health services, regardless of who pays

New types of custodians named (that is why you are here!)

Page 8: Health Information Act Orientation

Other changes to HIA

Alberta provincial electronic health record regulation
Sets rules and governance for Netcare
Specifies audit requirements for electronic health records

Custodian responsibility transfer
Custodians can now become affiliates of other custodians
Useful for practices where one custodian takes the lead
Minister must approve

Health Information Repositories
Stay tuned – regulations not released yet

Two new roles for health regulatory colleges
Making health information available to Netcare
Standards of practice as prerequisites to members using Netcare

Page 9: Health Information Act Orientation

OIPC

Office of the Information & Privacy Commissioner

Commissioner - Frank Work
An officer of the Legislative Assembly
Independent of government

Has a broad range of responsibilities and powers, including enforcing:
Freedom of Information and Protection of Privacy Act (FOIP)
Personal Information Protection Act (PIPA)
Health Information Act (HIA)

Commissioner does not make the 3 laws
Government is responsible for legislation
PIPA & FOIP – Alberta Government Services
HIA – Alberta Health & Wellness

Page 10: Health Information Act Orientation

OIPC Portfolio Officers

You are most likely to encounter portfolio officers in your job as we:

Investigate and mediate access, correction and privacy complaints

Review Privacy Impact Assessments

Provide advice and education on access and privacy issues in health sector

My portfolio includes dental hygienists, dentists and denturists

Page 11: Health Information Act Orientation

What does the HIA mean to you?

Your roles and responsibilities under the HIA

Page 12: Health Information Act Orientation

Custodians are responsible for HIA compliance

Policies
Training and awareness
Responding to access and correction requests
Protecting health information
Privacy Impact Assessments
Reviewing effectiveness of policies

Page 13: Health Information Act Orientation

Who is a custodian?

Still custodians:
Minister of Health and Wellness
Alberta Health and Wellness
Alberta Health Services
Health Quality Council of Alberta
Members of College of Physicians and Surgeons of Alberta
Members of Alberta College of Pharmacists, & pharmacies
Nursing Homes
Boards and committees established by custodians
Others may be named in regulation

New custodians (as of September 1), members of:
Alberta College of Optometrists
Alberta Opticians Association
Alberta College and Association of Chiropractors
Alberta Association of Midwives
Alberta Podiatry Association
College of Alberta Denturists

Page 14: Health Information Act Orientation

More new custodians

6 months after proclamation (March 2011), members of:
Alberta Dental Association and College
College of Registered Dental Hygienists of Alberta

1 year after proclamation (September 2011), members of:
College and Association of Registered Nurses of Alberta

More to come…
Will be professionals under Health Professions Act
We don’t know which ones yet

Page 15: Health Information Act Orientation

Custodians and affiliates

Custodians are responsible for HIA compliance
HIA says both dentists and dental hygienists will be custodians
Confused?

Affiliates work for custodians
Paid, or non-paid (volunteers, students, interns, etc.)

If you work for a custodian (a dentist, AHS, nursing home, etc.) you are an affiliate

If you are in independent practice, you are a custodian

Page 16: Health Information Act Orientation

What does this mean to you if you work for a custodian?

You are an affiliate to a custodian
Dentist
Institution (AHS, nursing home, etc.)

You need to follow custodian’s HIA policies
Access requests from patients
Correction requests from patients
Collection
Use
Disclosure
Information security

Only collect, use and disclose the amount of health information you need to do your job

A custodian may delegate some HIA responsibilities to you

Page 17: Health Information Act Orientation

What you need to do if you are a custodian

Put someone in charge (it may be you)

Get to know the HIA

Assess shortfalls, risks regularly

Develop policies and procedures

Train staff (or yourself)

Develop forms and communications material

Review contracts

Develop complaints/breach processes

Page 18: Health Information Act Orientation

HIA concepts

Collection, use and disclosure
Access and Correction Requests
Consent
Protecting health information
Information managers
Privacy Impact Assessments

Caveat: (Review the HIA Guide and the Act)

Page 19: Health Information Act Orientation

Collection, Use and Disclosure of Health Information

Collection (when you receive health information from a patient or other source)

Use (what you do with health information while it is under your custody or control)

Disclosure (when you give health information to someone else – other health services providers, insurance, family, lawyers)

Page 20: Health Information Act Orientation

Collection, Use and Disclosure

[Diagram with the labels: Dental Office, Insurance, Database, Application, Application, Collection, Use, Disclosure]

Page 21: Health Information Act Orientation

Collection

Custodians may collect health information to provide health services
Including Personal Health Number (PHN)

Only collect what you need

Rule of thumb: Collect directly from patient where possible
Indirect collection OK, but make sure you do so under circumstances listed in HIA

You need to provide collection notice
Could be on poster and/or new patient registration form
HIA lists what needs to be in collection notice (see Guide)

Page 22: Health Information Act Orientation

Use

Custodians may use health information to provide health services

Only use what you need to do your job
No snooping!
Patients can ask for a record of who has accessed their health information in electronic health records

If you can’t find a particular use listed in the HIA, don’t use it for that purpose (see Guide)

Page 23: Health Information Act Orientation

Bad news!

fined $10,000

Page 24: Health Information Act Orientation

Disclosure

Custodians may disclose health information to provide health services

Other types of disclosures listed in HIA (see Guide)

If it’s not listed in the HIA, don’t disclose without consent

Page 25: Health Information Act Orientation

Access and correction requests

Duty to respond within 30 days, or longer if permitted by HIA or Commissioner

Legal representatives may act on behalf of patients to make access and correction requests (see Guide for types of representatives)

Access
Patients have a right to access their own health records, subject to limitations in HIA
Custodian may charge a fee (HIA fee Schedule)
You can also disclose informally

Correction
Patients may ask to have records corrected
Custodian must consider request, but does not have to make change (e.g. medical opinions)
If custodian refuses to make change, patients can ask to have 500 word statement of disagreement placed on their file or ask Commissioner to mediate
If the change is routine (e.g. address change), just make the change – no need to use formal process

Page 26: Health Information Act Orientation

Consent

Consent applies to disclosure of health information only

Rule of thumb: Generally, you can collect, use and disclose health information to provide health services without patient consent

You can also disclose without consent for several other purposes (including processing payment) – see the HIA Guide

Anything not listed, get consent
HIA specifies requirements for consent (see HIA Guide)

Page 27: Health Information Act Orientation

Protecting Health Information

3 kinds of measures
Administrative (Management, policies, training)
Physical (Locks, alarms, controlled file rooms)
Technical (IT security: access controls, backup, malware protection, firewall, encryption)

Standard is reasonableness, not perfection

Take reasonable measures to protect against reasonably anticipated threats

See our PIA Requirements for a list of what OIPC considers reasonable

Page 28: Health Information Act Orientation

Information Managers (IM)

Kind of affiliate who has access to health information, but is not a health services provider

IMs may:
Process, store, or retrieve health information
Provide IM or information technology services
Create non-identifying information (anonymization)

Examples
Records storage company
Shredding company
IT service provider (Help desk)

Requirements for IMs and IM agreements set out in HIA and Regulation

Custodian is responsible for actions of IM

Page 29: Health Information Act Orientation

Privacy Impact Assessment

An assessment of privacy risk for a new project

Describes custodian’s management and policy structure that support HIA
Describes project
Analyses flows of health information
Confirms legal authority to collect, use and disclose health information
Identifies risks to confidentiality, integrity and availability of health information
Describes measures to mitigate risk
Describes plans to ensure on-going compliance

Mandatory for custodians under HIA when implementing new information systems or business practices that will collect, use or disclose health information

Page 30: Health Information Act Orientation

New PIA Requirements

Effective April 15, 2010

Download from our website, or buy from Queen’s Printer

Page 31: Health Information Act Orientation

Your questions

Page 32: Health Information Act Orientation

Mature minors – what’s reasonable?

Scenario:

A dental hygienist was present during a dental examination. After the examination the dentist asked the client, “Do I have your permission to share the results of this dental examination with your parents?”

Question:

Must a clinician routinely ask children/teenagers if they can share information with their parents; or is it only if the client expresses that it not be made and if the client is a mature minor? We see the quote on page 40 of Health Information: A Personal Matter, ‘Parents don’t have an automatic right to children’s information.’ Please expand on this.

Answer:

Use your professional judgement. If you have some reason to believe the patient is acting as a mature minor, get permission. If you don’t know the patient, err on the side of caution. The younger the patient, the less this is necessary.

Page 33: Health Information Act Orientation

Records retention

Q: When can records be destroyed as per CRDHA?

A: Generally, the HIA doesn’t change existing records retention requirements set by your professional college

Two HIA records retention requirements: keep for 10 years:
1. Disclosure notations (who you disclosed the information to, date, purpose and description)
2. Access logs in Netcare

Page 34: Health Information Act Orientation

Communication between dental offices

Q: When receiving a verbal request from dental offices for x-rays, may we disclose whether there are recent or any x-rays? Must a signed statement from the client in question be on file first?

Q: On behalf of clients, may we request information or must we get a signed statement from client first? (i.e. request information from a dentist in a different practice?)

A: (for both questions) Custodians may disclose health information to each other to provide health services without consent

Page 35: Health Information Act Orientation

Access requests - fees

Q: What is a reasonable fee to charge clients access to records?

A: HIA sets out a fee Schedule in the Health Information Regulation

$25, up to 20 pages

Over 20 pages - custodian may charge additional fees, per the Schedule

Page 36: Health Information Act Orientation

Question – mobile device security

Q: I have a mobile practice and I use a laptop which contains all of my patient data, files and records. (I am a paperless office). When I'm not using the laptop it is at my home residence (i.e. my home office).

Is it really necessary to physically lock up the computer when not in use?  I already have it password protected and my home has a security system.

Page 37: Health Information Act Orientation

Example risk assessment

What are the risks to laptops?
Unauthorized access to health information due to theft or loss
Unauthorized access through wireless
Destruction/loss of data (availability)

How do you mitigate these risks?
Physical security: locks, cables
Encrypt data stored on laptop
Only connect to secure wireless networks and encrypt your data traffic over wireless networks
Back-up your data to another site (encrypt your backup too)
Training and awareness (how do I do all this technical stuff?)

Page 38: Health Information Act Orientation

Mobile device security

A: Under the HIA, you need to take reasonable measures to secure health information, based on reasonably anticipated risk.

It looks like your laptop is secure enough from theft at home. (I might have a different answer for an office environment.)

BUT

Laptops are mobile computer devices. They are vulnerable to theft and loss. Your laptop is most vulnerable while you are away from your home office. Locks and passwords alone don’t offer much protection. The best protection is encryption.

Our investigation report IR H2006-IR-002 established a checklist for mobile device protection:

1. Assess the risk of using a mobile device
2. Only store health information on mobile device when necessary and only store as much as you need.
3. Consider secure remote access to health information, rather than storing the data on the mobile device.
4. If you store health information on a mobile device, encrypt it.

Page 39: Health Information Act Orientation

HIA – further reading

Health Information Act (and regulations)
Queen’s Printer>Laws Online: www.qp.ab.ca

Correct version of Health Information Regulation that mentions Dental Hygienists is under Orders in Council – navigate to:
Queen’s Printer>Legislative Publications>Orders in Council>July 2010>Health and Wellness
Health Information Regulation is 10264 (OC 264/2010)

OIPC’s Practical Guide to the HIA
PIA Requirements
Orders and Investigation Reports
www.oipc.ab.ca: Publications>HIA

Page 40: Health Information Act Orientation

Thank you!

Brian Hamilton

Portfolio Officer, Health Information Act

Office of the Information and Privacy Commissioner, Alberta


www.oipc.ab.ca

(780) 422-6860