Embed Size (px)
Citation preview
PHIA and Research Janet Gallant, Program Manager, Research
Services
Dr. Stacy Ackroyd Research Director, Emergency Medicine
Overview
• Key points of the legislation
• The relationship of PHIA to research
• Considerations for Researchers and Teams
• Next steps
• Strategies
• Resources
Personal Health Information Act (PHIA)
• Nova Scotia provincial legislation, Bill No. 89
• Passed in 2010, in force June 1, 2013
• Governs the collection, use, disclosure, retention, disposal & destruction of PHI.
• Recognizes both patient rights and need of custodians to collect, use & disclose PHI to provide, support & manage health care.
Consequences of Non-Compliance
Failure to reasonably meet PHIA requirements and/or lack of a plan to address gaps in compliance may lead to: • Investigation & findings by Provincial Review Officer, • Fines, • Loss of trust & reputation with patients and public, • Legal action arising from breaches of privacy, and • Research consequences.
Personal Health Information (PHI)
• Individually identifiable information or information that could reasonably lead to identification of an individual and includes, but is not limited to:
• Demographic information
• Health history
• Payment information
• Information related to provision of healthcare
• Donation of body parts/substances
Includes recorded and unrecorded information (e.g. lab result, verbal conversations) and continues to be subject to legislation after death.
When does PHIA not apply?
• Statistical, aggregate or de-identified information.
• If the information (either alone or in combination with other information) does not identify an individual, it is not “personal health information” and is not subject to the Act.
• It does not apply to PHI about an individual after the earlier date: – The record was created 120 years ago OR
– The individual died 50 years ago
PHIA applies to:
• The collection, use & disclosure of PHI by custodians and the use & disclosure of PHI by persons to whom a custodian has disclosed the information.
Custodian = individual or organization who has custody or control of PHI as a result of or in connection with performing the person’s / organization’s powers or duties (e.g., regulated health professionals, DHW, DHAs & IWK, pharmacies, continuing care facilities, Can. Blood Services)
Agent = person who, with the custodian’s authorization, acts for or on behalf of the custodian in respect of PHI for the purposes of the custodian
Custodian
• CDHA is the custodian of all PHI collected from patients who receive care within CDHA facilities.
• Individual services/health professionals and researchers/research staff are not the custodians and do not have the right to collect, use, disclose PHI except as permitted by CDHA and PHIA.
Basic Principles of PHIA
PHI
• Should only be collected, used and disclosed on a need to know basis
• Is the minimum amount of information required
• Generally requires consent (often this is implied )
Consent
In most cases, PHIA requires the individual’s consent.
Consent can be:
• Implied, if certain conditions have been met;
• Express (written or oral);
• Waived, in certain situations;
• Unnecessary, if the custodian is required by law to collect, use or disclose the PHI.
Consent must be knowledgeable, specific, voluntary & revokeable.
Circle of Care and Implied Consent
• Circle of care is defined as individuals and activities related to the care and treatment of a patient…who deliver care and services for the primary therapeutic benefit of the patient ..(Industry Canada’s guidelines for health sector).
• Custodians are able to assume an individual’s implied consent to collect, use or disclose PHI for the purposes of providing health care, unless the individual has withheld or withdrawn consent (they must be made aware of implied consent by the custodian).
When is consent not required?
• Patient consent is not required for
• planning program and service delivery, including allocation of resources
• ensuring quality or standards of care within a quality review program
• modifying information to conceal identity
PHIA and Research
Researcher Access to PHI
Custodians may disclose PHI to researchers if the researcher submits to the custodian:
• an application in writing,
• a research plan containing prescribed elements, &
• a copy of the submission to & approval by the REB
AND agrees to: comply with terms & conditions imposed by the REB & custodian; adhere to the research plan; allow inspection; report any breaches; and refrain from identifying or contacting individuals without their consent.
Impact
• REB authorization for research use of PHI • REB approval to conduct the project • Consent for collection, use and/or disclosure of
PHI • Application to custodian to disclose PHI • Written agreement from the researcher as
required by regulations
Basic principles still apply!
Consent and Research
• Although there may be overlap between provision of care and clinical research the healthcare provider must consider when collection, use and disclosure of information is for research purposes and not only for the purpose of clinical care.
• Under PHIA, EXPRESS CONSENT of patient is required for use of PHI for research unless the REB agreed to waive the requirement for consent .
knowledgeable implied consent
Non-Custodian (Employer -
Benefits) )
Custodian (NP)
Personal Health
Information
Non-Custodian (Researchers)
Non-Custodian (Insurance)
Non-Custodian (Media)
EXPRESS CONSENT
EXPRESS CONSENT
EX
PR
ES
S C
ON
SE
NT
E
XP
RE
SS
CO
NS
EN
T
Custodian
(GP)
Custodian
(LTC)
Custodian (Dentist)
Custodian (DHA)
etc.
Researcher Access to PHI without Consent
Custodians may disclose PHI without consent if:
• REB has determined that consent is not required,
• PHI is limited to what’s absolutely necessary,
• PHI is in the most de-identified form possible,
• PHI will be used in a manner than ensures confidentiality,
• Obtaining consent is impracticable, and
• The custodian informs the DHW’s Privacy Review Officer.
Impracticable = degree of difficulty higher than inconvenience or impracticality but lower than impossibility
Access to PHI for Research
• If you have a REB approved study specific consent form that details what PHI will be collected, used or disclosed as per the REB’s specifications and you are acting within these parameters you are compliant with PHIA’s requirements for express consent.
• If the REB has waived the requirement for consent you are compliant with PHIA requirements.
• If the REB has not waived the requirement and you are accessing PHI before a study specific consent has been obtained you must obtain express consent or obtain a waiver from the REB.
Consent or Waiver is also required for:
• Determining study feasibility: Reviewing PHI to decide if a study is of clinical interest and whether the patient population is sufficient;
• Conducting non-interventional studies (e.g. chart reviews): Extracting identifying or non-identifying data form health records, databases, etc.;
• Participant recruitment: Using PHI to identify and contact potential study participants.
Considerations for Researchers
Determine: Is it research?
Does it require use of PHI?
Do I have or can I get consent?
Can I get approval from REB to proceed without consent on the grounds that it is impracticable?
FAQs
• If current research projects do not meet PHIA requirements what do I do?
• I am not sure if I am compliant with PHIA, do I need to stop my research?
• What about non-CDHA research team members?
Please refer to memo for additional FAQs.
Next Steps
• REB forms and systems are being revised
• Revised application for disclosure from Health Records with researchers agreement
• Consent logistics and content will be specific to the research context
• Currently, there is no single solution
• Start thinking about what might work in your particular setting
• We are available to provide guidance and support and will share additional solutions as they are identified
General Strategies
• Start with easy fixes
• Build defensible arguments for impracticability
• Understand and strengthen measures for de-identification
• Develop (& adhere to) standard description of data security measures
• Strengthen relationship between clinical care & research
• Identify mechanisms for informing public about research and ways to secure consent to be contacted for future research
• Please be patient – this is a work-in-progress…
One Approach…
Review procedures for current studies (Short-term)
Develop strategies for different types of studies (Medium-term)
Develop an integrated approach within a program of research/ specific
unit and/or division (Long-term)
Study Team
Clinical & Research
Teams
Study Team +/- Research Committee
Clinical Trials
• Potentially more challenging: Pre-screening – Create/maintain list of patients who have agreed to have their
health record reviewed by Research Coordinator to confirm screening for eligibility (Short-term)
– Have the front–line staff get patient’s consent to speak to a Research Coordinator who can obtain verbal consent to access PHI and document consent on health record (Short-term)
– Generic consent template for feasibility/pre-screening (to be developed; will likely need REB approval)
Health Record Reviews
• Where there is no care relationship & no consent from the patient, you don’t have the legal authority to look at their record unless:
– You get REB exemption; or
– Project is part of a quality review program**
• This is not new - but legislation brings consequences for unauthorized access & an audit trail.
** New processes in development
http://www.aihealthsolutions.ca/arecci/areccitools.php
Health Record Reviews
• Build defensible arguments for impracticability
– Size of population;
– Proportion likely to have relocated or died since data were collected; or
– Lack of existing relationship; such that:
Potential for introducing bias (affecting validity &/or defeating purpose of study) or “the additional financial, material, human, organizational and other resources needed to obtain consent could impose a hardship or burden on the researchers or organization so burdensome that the research could not be done.”
Database-related Studies
• Use least amount necessary to answer research question & in an manner that ensures confidentiality
• Understand & strengthen measures for de-identification
• Build defensible arguments for impracticability
• Develop (and adhere to) standard description of data security measures
• Identify technological solutions to maximize data security
For all research….
• Identify mechanisms for informing public about research and ways to secure consent to be contacted for future research
– May need to start at clinic/division or department-level
– Working towards organization-level approach
Reflections from an Investigator
• “Buck stops” with PI – Leading research team (CH & non-
CH staff/trainees)
• May delegate actions, but still must understand implications of PHIA
• New cohort of medical students entering system in Fall 2013 – Research in Medicine (RIM) Program
•Loss of trust & reputation with patients and public
Increase public awareness &
support of research
Resources
• NS government website: PHIA, Regulations, Toolkit for Custodians (Chapter 7 Research)
http://novascotia.ca/dhw/phia/
• Stacy Ackroyd Research Director, Emergency Medicine
• Janet Gallant Program Manager, Research Services
• Privacy Officer and Legal Services
PHIA and Research Janet Gallant, Program Manager, Research
Services
Dr. Stacy Ackroyd Research Director, Emergency Medicine
Overview
• Key points of the legislation
• The relationship of PHIA to research
• Considerations for Researchers and Teams
• Next steps
• Strategies
• Resources
Personal Health Information Act (PHIA)
• Nova Scotia provincial legislation, Bill No. 89
• Passed in 2010, in force June 1, 2013
• Governs the collection, use, disclosure, retention, disposal & destruction of PHI.
• Recognizes both patient rights and need of custodians to collect, use & disclose PHI to provide, support & manage health care.
Consequences of Non-Compliance
Failure to reasonably meet PHIA requirements and/or lack of a plan to address gaps in compliance may lead to: • Investigation & findings by Provincial Review Officer, • Fines, • Loss of trust & reputation with patients and public, • Legal action arising from breaches of privacy, and • Research consequences.
Personal Health Information (PHI)
• Individually identifiable information or information that could reasonably lead to identification of an individual and includes, but is not limited to:
• Demographic information
• Health history
• Payment information
• Information related to provision of healthcare
• Donation of body parts/substances
Includes recorded and unrecorded information (e.g. lab result, verbal conversations) and continues to be subject to legislation after death.
When does PHIA not apply?
• Statistical, aggregate or de-identified information.
• If the information (either alone or in combination with other information) does not identify an individual, it is not “personal health information” and is not subject to the Act.
• It does not apply to PHI about an individual after the earlier date: – The record was created 120 years ago OR
– The individual died 50 years ago
PHIA applies to:
• The collection, use & disclosure of PHI by custodians and the use & disclosure of PHI by persons to whom a custodian has disclosed the information.
Custodian = individual or organization who has custody or control of PHI as a result of or in connection with performing the person’s / organization’s powers or duties (e.g., regulated health professionals, DHW, DHAs & IWK, pharmacies, continuing care facilities, Can. Blood Services)
Agent = person who, with the custodian’s authorization, acts for or on behalf of the custodian in respect of PHI for the purposes of the custodian
Custodian
• CDHA is the custodian of all PHI collected from patients who receive care within CDHA facilities.
• Individual services/health professionals and researchers/research staff are not the custodians and do not have the right to collect, use, disclose PHI except as permitted by CDHA and PHIA.
Basic Principles of PHIA
PHI
• Should only be collected, used and disclosed on a need to know basis
• Is the minimum amount of information required
• Generally requires consent (often this is implied )
Consent
In most cases, PHIA requires the individual’s consent.
Consent can be:
• Implied, if certain conditions have been met;
• Express (written or oral);
• Waived, in certain situations;
• Unnecessary, if the custodian is required by law to collect, use or disclose the PHI.
Consent must be knowledgeable, specific, voluntary & revokeable.
Circle of Care and Implied Consent
• Circle of care is defined as individuals and activities related to the care and treatment of a patient…who deliver care and services for the primary therapeutic benefit of the patient ..(Industry Canada’s guidelines for health sector).
• Custodians are able to assume an individual’s implied consent to collect, use or disclose PHI for the purposes of providing health care, unless the individual has withheld or withdrawn consent (they must be made aware of implied consent by the custodian).
When is consent not required?
• Patient consent is not required for
• planning program and service delivery, including allocation of resources
• ensuring quality or standards of care within a quality review program
• modifying information to conceal identity
PHIA and Research
Researcher Access to PHI
Custodians may disclose PHI to researchers if the researcher submits to the custodian:
• an application in writing,
• a research plan containing prescribed elements, &
• a copy of the submission to & approval by the REB
AND agrees to: comply with terms & conditions imposed by the REB & custodian; adhere to the research plan; allow inspection; report any breaches; and refrain from identifying or contacting individuals without their consent.
Impact
• REB authorization for research use of PHI • REB approval to conduct the project • Consent for collection, use and/or disclosure of
PHI • Application to custodian to disclose PHI • Written agreement from the researcher as
required by regulations
Basic principles still apply!
Consent and Research
• Although there may be overlap between provision of care and clinical research the healthcare provider must consider when collection, use and disclosure of information is for research purposes and not only for the purpose of clinical care.
• Under PHIA, EXPRESS CONSENT of patient is required for use of PHI for research unless the REB agreed to waive the requirement for consent .
knowledgeable implied consent
Non-Custodian (Employer -
Benefits) )
Custodian (NP)
Personal Health
Information
Non-Custodian (Researchers)
Non-Custodian (Insurance)
Non-Custodian (Media)
EXPRESS CONSENT
EXPRESS CONSENT
EX
PR
ES
S C
ON
SE
NT
E
XP
RE
SS
CO
NS
EN
T
Custodian
(GP)
Custodian
(LTC)
Custodian (Dentist)
Custodian (DHA)
etc.
Researcher Access to PHI without Consent
Custodians may disclose PHI without consent if:
• REB has determined that consent is not required,
• PHI is limited to what’s absolutely necessary,
• PHI is in the most de-identified form possible,
• PHI will be used in a manner than ensures confidentiality,
• Obtaining consent is impracticable, and
• The custodian informs the DHW’s Privacy Review Officer.
Impracticable = degree of difficulty higher than inconvenience or impracticality but lower than impossibility
Access to PHI for Research
• If you have a REB approved study specific consent form that details what PHI will be collected, used or disclosed as per the REB’s specifications and you are acting within these parameters you are compliant with PHIA’s requirements for express consent.
• If the REB has waived the requirement for consent you are compliant with PHIA requirements.
• If the REB has not waived the requirement and you are accessing PHI before a study specific consent has been obtained you must obtain express consent or obtain a waiver from the REB.
Consent or Waiver is also required for:
• Determining study feasibility: Reviewing PHI to decide if a study is of clinical interest and whether the patient population is sufficient;
• Conducting non-interventional studies (e.g. chart reviews): Extracting identifying or non-identifying data form health records, databases, etc.;
• Participant recruitment: Using PHI to identify and contact potential study participants.
Considerations for Researchers
Determine: Is it research?
Does it require use of PHI?
Do I have or can I get consent?
Can I get approval from REB to proceed without consent on the grounds that it is impracticable?
FAQs
• If current research projects do not meet PHIA requirements what do I do?
• I am not sure if I am compliant with PHIA, do I need to stop my research?
• What about non-CDHA research team members?
Please refer to memo for additional FAQs.
Next Steps
• REB forms and systems are being revised
• Revised application for disclosure from Health Records with researchers agreement
• Consent logistics and content will be specific to the research context
• Currently, there is no single solution
• Start thinking about what might work in your particular setting
• We are available to provide guidance and support and will share additional solutions as they are identified
General Strategies
• Start with easy fixes
• Build defensible arguments for impracticability
• Understand and strengthen measures for de-identification
• Develop (& adhere to) standard description of data security measures
• Strengthen relationship between clinical care & research
• Identify mechanisms for informing public about research and ways to secure consent to be contacted for future research
• Please be patient – this is a work-in-progress…
One Approach…
Review procedures for current studies (Short-term)
Develop strategies for different types of studies (Medium-term)
Develop an integrated approach within a program of research/ specific
unit and/or division (Long-term)
Study Team
Clinical & Research
Teams
Study Team +/- Research Committee
Clinical Trials
• Potentially more challenging: Pre-screening – Create/maintain list of patients who have agreed to have their
health record reviewed by Research Coordinator to confirm screening for eligibility (Short-term)
– Have the front–line staff get patient’s consent to speak to a Research Coordinator who can obtain verbal consent to access PHI and document consent on health record (Short-term)
– Generic consent template for feasibility/pre-screening (to be developed; will likely need REB approval)
Health Record Reviews
• Where there is no care relationship & no consent from the patient, you don’t have the legal authority to look at their record unless:
– You get REB exemption; or
– Project is part of a quality review program**
• This is not new - but legislation brings consequences for unauthorized access & an audit trail.
** New processes in development
http://www.aihealthsolutions.ca/arecci/areccitools.php
Health Record Reviews
• Build defensible arguments for impracticability
– Size of population;
– Proportion likely to have relocated or died since data were collected; or
– Lack of existing relationship; such that:
Potential for introducing bias (affecting validity &/or defeating purpose of study) or “the additional financial, material, human, organizational and other resources needed to obtain consent could impose a hardship or burden on the researchers or organization so burdensome that the research could not be done.”
Database-related Studies
• Use least amount necessary to answer research question & in an manner that ensures confidentiality
• Understand & strengthen measures for de-identification
• Build defensible arguments for impracticability
• Develop (and adhere to) standard description of data security measures
• Identify technological solutions to maximize data security
For all research….
• Identify mechanisms for informing public about research and ways to secure consent to be contacted for future research
– May need to start at clinic/division or department-level
– Working towards organization-level approach
Reflections from an Investigator
• “Buck stops” with PI – Leading research team (CH & non-
CH staff/trainees)
• May delegate actions, but still must understand implications of PHIA
• New cohort of medical students entering system in Fall 2013 – Research in Medicine (RIM) Program
•Loss of trust & reputation with patients and public
Increase public awareness &
support of research
Resources
• NS government website: PHIA, Regulations, Toolkit for Custodians (Chapter 7 Research)
http://novascotia.ca/dhw/phia/
• Stacy Ackroyd Research Director, Emergency Medicine
• Janet Gallant Program Manager, Research Services
• Privacy Officer and Legal Services
