1 Healthcare Interoperability Between Canada and the United States Rick Shields - nNovation LLP and Joan Roch – Canada Health Infoway A Presentation to IAPP Canada – Privacy Symposium May 9, 2014

Healthcare Interoperability Between Canada and the United States · 2014. 5. 12. · IAPP Toronto 20140509 - Healthcare Interoperability Author: R. Shields, nNovation LLP & J. Roch,


Healthcare Interoperability Between Canada and the United States

Rick Shields - nNovation LLP

and

Joan Roch – Canada Health Infoway

A Presentation to IAPP Canada – Privacy Symposium

May 9, 2014


This is not legal advice...


Our Agenda

• Meet the panel

• EHR backgrounder

• Canadian health information privacy/security setting

• What does “HIPAA-compliant” mean?

• Buying/selling EHR technology in Canada: “Canadianizing” the product

• Canada Health Infoway: Canada’s EHR quarterback

• Q & A


EHR - What is it?

• …An EHR refers to the systems that make up the secure and private lifetime record of a person’s health and health care history. These systems store and share such information as lab results, medication profiles, key clinical reports (e.g., hospital discharge summaries), diagnostic images (e.g., X-rays), and immunization history. The information is available electronically to authorized health care providers.

Canada Health Infoway

©Canada Health Infoway 2014

EHR – A National Plan

In Canada, EHR development is being guided by Canada Health Infoway

With its partners, Infoway helps accelerate the development, adoption and effective use of digital health solutions across Canada

Each jurisdiction has its own EHR

− Common architecture is accepted across Canada

• Architecture includes privacy and security requirements

− Standards resources, tools and education for stakeholders and implementers

• Infoway Standards Collaborative


EHR or EMR?

• Typically, an EMR is an electronic version of the traditional paper records used to capture patient data

• Can be quite simple (e.g., geared to a single doctor’s office) or more complex (e.g., used by a group medical practice; health facility)

• A ‘point of service’ (POS) in the EHR system


EHR or EMR?

• …an electronic medical record (EMR) is an office-based system that enables a health care professional, such as a family doctor, to record the information gathered during a patient’s visit. This information might include a person’s weight, blood pressure and clinical information, and would previously have been hand-written and stored in a file folder in a doctor’s office. Eventually the EMR will allow the doctor to access information about a patient’s complete health record, including information from other health care providers that is stored in the EHR…

Canada Health Infoway


EHR – Data Sources

• EHRs will make personal health information (PHI) from points of service (POS) available to health information custodians/trustees. POS can include:

– Clinical information systems (CIS)/electronic medical records (EMR)

– Hospital information systems (HIS)

– Pharmacy information systems (PIS)

– Laboratory information systems (LIS)

– Digital image/picture archiving and communications systems (DI/PACS)


EHR Architecture


Points of care

• Homecare

• Emergency Services

• Pharmacy

• Laboratory

• Diagnostic

• Hospital Emergency

• Specialist Clinic

• Community Care Centre

• Clinic


One patient, one record

• Results and images

• Patient information

• Medical alerts

• Medication history

• Interactions

• Immunization

• Problem list


EHR – Interoperability

• Goal is to have systems that are interoperable and that conform with applicable privacy and security standards imposed/suggested by Canadian law/best practices

• HIPAA-compliant technology is fine, as long as it can meet privacy/security obligations of Canadian customer

• Many overlaps between US and Canadian privacy and security requirements for PHI


Canadian PHI Privacy Setting

• Many laws potentially in play:

– 7 provincial PHI laws in force (AB, SK, MB, ON, NB, NS and NL); 2 territorial PHI laws passed but not yet in force (YT and NWT); PHI law for PEI introduced April 22, 2014

– EHR-specific laws in BC and QC

– NS law governing international disclosures of PI – similar to limitations in BC’s FIPPA

– Provincial/federal public sector laws (all jurisdictions)

– PIPEDA (note “substantial similarity” issue)

– Provincial private sector laws (BC, Alta. and QC)

– Provincial/territorial health sector laws


Privacy and health information laws

[Map of Canada with provinces and territories labelled: NL, NS, PE, NB, QC, ON, MB, SK, NT, YK, NU, BC, AB]

LEGEND

• Provincial health information protection laws/provisions

• Provincial private sector privacy laws (deemed ‘substantially similar’ to PIPEDA)

• Federal private sector privacy law (‘PIPEDA’)

• Federal public sector access to information and privacy laws

• Provincial public sector freedom of information and privacy laws

• Provincial health information laws (deemed ‘substantially similar’ to PIPEDA)

Notes:

• ON - Bill 78 – second reading November 20, 2013

• YK - Bill 61 – assented December 12, 2013

• NWT - Bill 4 – assented March 13, 2014

• PEI - Bill 42 – first reading April 22, 2014

April 2014


Canadian PHI Privacy Setting (cont’d)

• Inter-jurisdictional efforts being made to harmonize rules governing electronic PHI, but no uniform law(s) on horizon

• As result, regional variations exist that can impact relationship between custodian/trustee and technology providers

• Key is to know and apply relevant laws in jurisdiction(s) in which you operate

• Privacy/security obligations of technology vendors/agents/“information managers” should be established by contract


US PHI Privacy Rules

• Focus on federal laws/rules – pre-emption of conflicting State laws

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

– The Privacy Rule (2003) – as amended

– The Security Rule (2003) – as amended

– The Enforcement Rule (2006) – as amended

• Privacy section of the Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)

– The Breach Notification Rule (2009) – as amended

– The Final Omnibus Rule (2013)

• Complex rules applicable to “covered entities” and “business associates”/subcontractors


Meaning of “HIPAA-compliant”

• “HIPAA-compliant” refers to systems that possess certain administrative, physical and technical features/safeguards as specified in the Rules made under HIPAA/HITECH:

– Access control (access levels and user roles)

– Password management

– Log-in monitoring

– Unique user identification

– Automatic logoff


Meaning of “HIPAA-compliant” (cont’d)

– Audit logging/reporting

– Security incident tracking

– PHI backup/storage

– Encryption/decryption

– PHI integrity controls

– Emergency access procedure

– Disaster recovery plan

– Network/transmission security features

– Facilitated access by individuals to PHI in EHR


Meaning of “HIPAA-compliant” (cont’d)

• If processing data for covered entity/business associate:

– Facility security plan, including facility/system access controls

– Business associate agreement and downstream agreement with subcontractor(s)

– Security incident response and reporting process

– Workforce authorization/clearance, supervision and termination procedures

– Electronic media re-use/disposal

– PHI retention, disposal/return processes


Canadian EHR Contracts

• In Canada, rules/policies/best practices typically key on same features as those required under HIPAA, so those features should be reflected in contract with vendor

• But may also want/need to contract for additional features or functionalities:

– Express consent capture feature

– Documentation and management of patient privacy preferences and a related data masking/“lock-box” feature


Canadian EHR Contracts (cont’d)

– Capacity to display/print entire patient record chronologically and produce same in readily comprehensible format if requested

– Jurisdiction-specific retention/disposal controls

– PHI accuracy/correction/annotation/notification feature

– Data redaction capability

– ISO 27002/ISO 27799/ISO 27789 conformity

– Training module(s)


Canadian EHR Contracts (cont’d)

– Confidentiality acknowledgement/notices at initial log-in, at periodic intervals and/or on printed reports

– Regional/facility limits on access to PHI within defined user roles

– Enhanced threat detection/protection features

– Means of preventing unauthorized copying of PHI to portable media

– In some jurisdictions (e.g., BC and NS), limits on international disclosure of PHI


Canadian EHR Contracts (cont’d)

– Interoperability with specified existing/planned jurisdictional EHRs to facilitate PHI transfers

– Can produce electronic signatures as per applicable Canadian law

– Audit features that

• Capture date, time, user identity re. PHI access, input, amendment

• Preserve original content of record

• Permit printing of patient-specific audit report that doesn’t include other PHI from patient file


Other Considerations

• May need to perform/participate in PIA

• Focus on present and future needs for interoperability with other systems (e.g., EHRs) – don’t want to have to replace expensive system prematurely

• Define all key terms – e.g., PHI, EMR, EHR, etc.

• Always confirm ownership and/or control of PHI

• Address PHI sharing, service levels, installation-related impacts on operations

• Lots of guidance materials available: CHI, COACH, CMPA, Commissioners


Infoway as ‘Quarterback’

Project Agreements

Privacy Impact Assessment policy for Infoway funded programs

Certification Services

• 9 program areas

• Privacy and security are key components


Infoway as ‘Quarterback’

EHR Blueprint

• Privacy & Security Requirements

− 2014 refresh – underway

• Privacy & Security Conceptual Architecture

Emerging Technology Group (ETG)

• Cloud computing

• 2 papers on mobile computing

• Big Data

− Each paper addresses P&S

Projects

• Consent Management solutions


Infoway as ‘Quarterback’

“Privacy and EHR Information Flows in Canada: Common Understandings of the Pan-Canadian Health Information Privacy Group”

V1 released June 2010

V2 released July 2012

Bringing people together to find potential solutions

- The Privacy Forum

- The Health Information Privacy Group


Resources

• Canada Health Infoway, Electronic Health Records Privacy and Security Requirements; online: https://www.infoway-inforoute.ca/

• Canada Health Infoway, v1.1, 2005, Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture; online: https://www.infoway-inforoute.ca/

• Canada Health Infoway, 2008, A Conceptual Privacy Impact Assessment (PIA) on Canada’s Electronic Health Record Solution (EHRS) Blueprint Version 2; online: https://www.infoway-inforoute.ca/

• Canada Health Infoway, 2012, Business and Architecture Considerations for Interoperable Consent Solutions – A Discussion Document; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/2055-business-and-architecture-considerations-for-interoperable-consent-solutions-a-discussion-document


Resources

• Canada Health Infoway, 2012, Privacy and EHR Information Flows in Canada, Version 2; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/626-privacy-and-ehr-information-flows-in-canada-version-2-0

• Canada Health Infoway, 2010, Privacy and EHR Information Flows in Canada, Version 1; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/76-privacy-and-ehr-information-flows-in-canada

• Canadian Health Informatics Association (COACH), Putting It into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records: 2013 Guidelines; online: http://www.ehealthontario.on.ca/images/uploads/pages/documents/Putting-it-into-Practice_PrivacySecurityHealthcareProviders.pdf


Q & A


Contact

Rick Shields

Partner

nNovation LLP

[email protected]

613.656.1293

Joan Roch

Chief Privacy Strategist

Canada Health Infoway

jroch@infoway-inforoute.ca

514-397-7978