Employee Orientation Privacy Awareness and Health Information Act for Primary Care Employee Orientation – Privacy Awareness Training Information Managers Ltd © License valid 2014April to 2015May30


On behalf of Dr. Keith McNicol, Chair of the Westview PCN, welcome to this Privacy and Security Awareness Training Webinar! The Westview Primary Care Network (PCN) has subscribed for licensed access to the Webinar by providers and staff of the PCN and the PCN's member family practice clinics.

Each family practice clinic has a responsibility to ensure that all of its staff members understand their roles and responsibilities regarding personal information. This includes physicians, allied health professionals, employees and other associates of the clinic who have direct patient care, as well as those who are not directly involved in patient care. Due to the nature of your employment, contract or affiliation with the Westview PCN or with your family practice clinic, you might overhear or have an opportunity to see patients attending the PCN or your clinic. Similarly, you might overhear or be directly involved in the management of other personal or employee information that must also be private and confidential. It is therefore very important that you learn about and understand your role in the protection and security of private and confidential health and personal information collected, used and stored by the PCN or your clinic.

You should have received a Privacy Pre-test from your clinic manager or team lead before this session. The Pre-test is to help you assess your understanding of privacy principles. At the end of this session, you will receive a Privacy Post-test for you to self-assess the learnings you've gained from this session. It is required that you complete the Pre and Post Tests. These tests and their marks are for you to maintain. At the conclusion of the webinar, present your completed tests to your clinic manager or team lead, and sign your name on the clinic's Attendance Sheet. This is so that your clinic can demonstrate that it has fulfilled its responsibility to inform staff and clinic associates of the rules and responsibilities of privacy.

Your clinic will provide to you a Certificate of Attendance; physician attendees may submit this certificate (to Grace Moe at the Westview Community Teaching Site) for one CME Mainpro Credit. If you have any questions, please discuss with your clinic manager or clinic Privacy Officer.

Privacy Awareness In-service: Power of 3

What is Privacy?

An individual's:
  • Right to determine what information about themselves may be collected, used, and disclosed
  • Right to be free from intrusion and interruption
  • Right of individuals to determine when, how, and to what extent they want to share information about themselves with others

You can have security without privacy. But you cannot have privacy without security.

Throughout this presentation, I am going to refer to the Power of 3. There are 3 key points for you to remember in each section of the presentation.

Now, we are going to look at the first set of 3: Privacy, Confidentiality, and Security, which provides the scope of our discussion of identifying personal information.


We can exercise our right to privacy in many ways, including at the checkout counter.

If you really like that store and want to get their flyers delivered to your home.

But perhaps you don't provide your personal postal code. If you like the store and want to continue to get the store coupons delivered to your home, you could provide the postal code of a school or community league in your neighbourhood. Limit the information that you share with others. Remember, the store clerk, their back office staff, or the bad guy fraudster who is skimming the point of sale device already has your name and financial information when you pay by credit card or debit. And, if you enroll in the store's loyalty points program, you have given them a treasure gift of your valuable information.

There was a study done in Canada in 2012 where 3 pieces of individually identifying information (name, date of birth, and the first 3 characters of the postal code) were provided to researchers. The researchers, using only publicly available databases, were able to identify 80% of the 5,000 individuals in the study.

Remember, you have the right to say "No thanks" the next time you are asked for your information at the checkout.

Be selective with whom you share your personal information.

What is Confidentiality?

  • Obligation of the custodian to protect the information entrusted to them
  • Maintain the secrecy of the information
  • Not misuse or wrongfully disclose it

Handout:

What is confidentiality? Confidentiality is your job to protect the private information given to you by your patients, employees, and business contacts. It is your job to:
  • Protect the information entrusted to you
  • Maintain the secrecy of the information
  • Not misuse or wrongfully disclose it

Remember, the ability to access records doesn't give us the right to access records that aren't needed to do our jobs.

Protect patient information as if it was your own.

The Privacy Officer monitors who can access patients' health information. But we all have a role to play to remind others. Patient information should not be discussed in public areas.

In health care, custodians (the people that collect personal information) have a special responsibility to manage the private information provided to them. Generally, custodians are responsible to maintain the security and confidentiality of personally identifying information 24 hours a day, 7 days a week, 365 days a year for the next 10 years.

This includes all the information collected in your organization no matter where the information may be stored or how it is accessed.

The custodian is responsible for the information in the four walls of the clinic. You are responsible when the janitor attends the clinic after hours and happens to see information left on desks or when a contractor who has nothing to do with providing patient care overhears a phone conversation with a patient.

The custodian is also responsible for the information when it is maintained outside of his office. If you use an off-site storage facility to maintain inactive patient records, and that storage locker is damaged in a wind storm and the records are now blowing around, the custodian is still responsible for the control of those records. You are not responsible for the storm, but you are responsible for ensuring that the service provider (the storage facility manager) notifies you when there is damage to the facility so that you can manage the confidentiality of that information privacy breach.

You are still responsible to ensure that you and your service providers are aware of the procedures to safeguard the confidentiality of the information.

What is Security?

  • Process of protection
  • Assessing threats and risks to information and taking steps to prevent it

Although security can aid in information protection and accountability, it cannot be relied upon to enforce ethical behaviors.

Security is all of those safeguards that we put into place to lessen the risks that could happen to confidential information. It is the checks and balances that we put into place to lessen the likelihood of risk. We must identify those areas that have a high degree of risk and put in additional layers of safeguards to protect those areas of risk.

Security involves assessing the risk of unauthorized access, use, or disclosure of health information and preventing those risks from happening.

There will always be ways that somebody can get around security measures. One of the biggest things we can do is to ensure that our employees understand the importance of privacy, confidentiality, and security. In this way, employees can better determine what is the right thing to do and ask good questions. Remember, just because we can do something doesn't mean that we should do something.


The Privacy Commissioner of Canada, Jennifer Stoddart, is an Officer of Parliament who reports directly to the House of Commons and the Senate.

We need to continually try to do better about the way that we manage personal information in our office, just like Jennifer continues to work with Facebook to improve the privacy of Canadians who use Facebook.

We may not be able to do everything but we want to continue to get better.

These illustrations are available from the Privacy Commissioner of Canada website. You can download them to use in your organization as part of your privacy management program education initiatives.

Remember the Power of 3? We have looked at the first set of 3: Privacy, Confidentiality, and Security, which provides the scope of our discussion of identifying personal information.

AFTER THE FIRST FEW MINUTES OF THE PRESENTATION, ***** RECORD TIME

OK, now let's get to the details for all of our paid registrants.

The Learning Guide for today's webinar is available on our Dashboard to the left of your screen. Consider recording for yourself your attendance today to your own personal professional Continuing Education credits. You may use the Learning Guide to record your notes and document your attendance.

After the webinar, you will receive an email which will include the link to the webinar recording. You may access the webinar from any location, at work or at home, where you have internet access. The webinar re-play will be available for 3 days. You can send a question before or during the webinar using the chat window and your keyboard. If we don't have time to respond during the webinar, I will reply to you by email after the webinar.

Please warm up your keyboards NOW and enter your name and from where you are calling.

I also have a BONUS OFFER to all participants on this live call. More about this later!


What happens without safeguards?

Identity Theft!

What happens if we can't protect the security of confidential, private information?

We are likely to experience identity theft.

Identity theft is a term used to refer to fraud that involves someone pretending to be someone else in order to steal money or get other benefits. The term is relatively new and is actually a misnomer, since it is not inherently possible to steal an identity, only to use it.

Identities are used as currency by bad guys on the street.

We have a number of privacy risks in our organizations and identity theft is one of the newest. Each identity has a street value of about $150. If you have, for example, 4 000 patient records in your clinic, you have a $60,000 incentive for a hacker or unauthorized individual to access your patient records for illegal purposes.

Bad things can happen to organizations of all sizes.

OPC Guidance Documents

Information for individuals regarding the loss of the HRSDC hard drive

On January 11, 2013 Human Resources and Skills Development Canada (HRSDC) announced that a hard drive containing the personal information about more than half a million clients of the Canada Student Loans Program and 250 departmental employees was missing. The Office of the Privacy Commissioner of Canada, which is investigating the matter, has developed information to help those who may have concerns about the missing records.

It is important to note that the HRC identified that they had a security breach: they had active control and knowledge about the information sources in their control. They noticed that it was missing. And they reported it to the OIPC and notified individuals at risk to warn them. However, if they had encrypted the information, the level of risk of missing information would have been greatly reduced and likely would not have required these very public media announcements.

Have you ever received a phone call from your bank to tell you that your credit card information may have been stolen?

You can guess that a phone call like this might frighten you and create doubt, inconvenience, time, and expense to recover and manage the loss. If the bank catches the theft early and calls you to let you know about what they have done to stop it and prevent it from continuing, you are probably going to thank the bank for helping you look out for your best interest.

The same thing happens when you suspect that you have a privacy breach at work. You need to stop it, report it, inform the patient, and let them know what you are doing now about the breach. It is never an easy phone call to make but most of the time the patient appreciates your concern.

You need to know that there is an active market for personal identities. Generally speaking, most privacy breaches are usually oopses or honest mistakes or a result of not carefully following procedures. But sometimes information is intentionally stolen to harm a specific individual or for financial gain. Sometimes the theft occurs by employees and sometimes by visitors to the clinic.

Today we will look at how we can lessen these risks.

(background)

What is the Office of the Privacy Commissioner of Canada doing about the loss of an external hard drive from an HRSDC office?

The Office of the Privacy Commissioner of Canada (OPC) has launched an investigation under the Privacy Act, the federal public sector privacy law that applies to personal information handling practices of federal departments and agencies.

What will an investigation do for me?

This incident is being investigated under the Privacy Act, which covers federal departments and agencies. The OPC investigates complaints and, given the Commissioner's role as an ombudsman, makes recommendations to organizations with respect to their personal information handling practices and seeks to resolve matters on behalf of individuals in Canada. You can expect that the Commissioner will make public her findings in this matter.

Medical Identity Theft (MIT)

Taking someone's identity:
  • To receive care
  • To make false claims for money

And in the process:
  • Adding false information to a person's medical record

Medical identity theft happens when somebody impersonates someone else to get access to health care or to make false claims for money.

Medical identity theft can cause incorrect health information to be included in a person's health record. This can cause serious injury to a patient. Wrong information in the record can lead to:
  1. Future denials of insurance coverage
  2. False claims that count toward a lifetime maximum
  3. False diagnoses
  4. Unsafe or deadly care

The care provider team relies on the health record for the truth of the patient's condition and status. The ability to provide the correct treatment to the correct patient depends upon the accuracy of the health record.

Identity theft can result in:
  • Risk of physical harm such as stalking or harassment
  • Hurt, humiliation, damage to reputation to the patient, physician or the clinic

Any privacy breach is important to the person that it affects. We need to respect the individual's right to privacy and take all reasonable steps to make sure that we protect personal information of our patients, customers, and employees.

Custodial responsibilities

  • Participate in provincial health information sharing initiatives
  • Provide care and treatment to our patients in a secure and confidential manner

Let's take a minute for WIFM, everybody's favorite radio station: What's In It For Me?

Why do I need to care? Well, in health care, we need to care about this because it is part of our job. As healthcare providers, we need to make sure that we have good practices in place because it affects our patients. It affects our credentialing, accreditation, and our reputation in our community.

Privacy is good for business. Patients prefer to come to a clinic when they know that their information is being protected and safe.

Improves employee motivation. We can feel good about how we manage information. Good management practices include good privacy practices. Demonstrating good privacy practices allows us to participate in provincial health information sharing initiatives like Netcare. We need to be able to demonstrate that we have completed a Privacy Impact Assessment to make sure that everybody who has access to Netcare (who we will permit to play in our sandbox) knows how to follow the best practices and rules.

Perhaps most importantly, having complete and accurate information, when we need it, allows us to provide care and treatment to our patients in a secure and confidential manner and we all have a good day at work.

Privacy is our responsibility

The care provider relies on the health record for the truth of the patient's condition and status.

The ability to provide the correct treatment to the correct patient depends upon the accuracy of the health record.

If we have good policies, procedures, and practices in place in our business, we will be able to easily locate complete patient records.

Netcare

  • Know why your health information is collected and whether it is available in Netcare
  • Know what information about you is in Netcare
  • Limit access to your Netcare record by asking for your information to be masked
  • Know who has looked at your information in Netcare
  • Request that errors be corrected
  • Ask the Information and Privacy Commissioner to review or investigate if you are not satisfied with a decision or response you receive about any of these rights

To help make decisions about your care quickly and efficiently, your health information is available through a province-wide electronic record system named Alberta Netcare, under the authority of the Health Information Act (HIA).

Alberta Netcare, also known as the Alberta Electronic Health Record (EHR), is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images (e.g. x-rays and ultrasounds) and hospital reports (e.g. hospital discharge summaries). Netcare is used throughout Alberta in hospitals run by Alberta Health Services and Covenant Health and in medical clinics and pharmacies. This is managed by Alberta Health and Wellness, Government of Alberta. Alberta Health Services (regional health authority), community pharmacies, labs and diagnostic imaging centres and other agencies upload patient information to Netcare.

Health care professionals are already sharing patient information by phone, fax and mail. By using Alberta Netcare, health professionals can now share information with greater security, speed and efficiency. The improved communication will reduce treatment delays and cut down on potential medical oversights.

Health care providers can now access important information from a number of different sources, such as patients' lab test results, demographic information, prescription dispensing information, and allergy information.

It is important that patients in Alberta understand how Netcare is used, what the risks are, and how they can access their information. One of the guiding principles about privacy is the right to access information.

The Alberta OIPC has started a public awareness campaign about Netcare and individuals' rights. This document on the left of your screen can be downloaded. The details are specific to Netcare, but it is also a good example of how to explain or be transparent to patients about where their information is stored.

OIPC - Your rights:

Consent to have your health information included in Netcare is not required by law, but you have six rights that allow you to exercise privacy control.

  • Know why your health information is collected and whether it is available in Netcare
  • Know what information about you is in Netcare by asking for a print-out
  • Limit access to your Netcare record by asking for your information to be masked
  • Know who has looked at your information in Netcare
  • Request that errors be corrected
  • Ask the Information and Privacy Commissioner to review or investigate if you are not satisfied with a decision or response you receive about any of these rights

See the Action Links on the left side of your screen to see the News Item on our website and the links to the OIPC for more information.

Share this public awareness campaign with your staff in your clinic. Your patients may be asking you these questions in your clinic. Be prepared to answer their questions.

MyHealth.Alberta.ca

One of the projects from Netcare includes MyHealth.Alberta.ca.

This is a public source of information that you and your patients can access to find out more about a recent diagnosis, test, or healthy habits. The articles are reviewed by Alberta physicians. The information is usually easy to read and often includes links to other Alberta-based resources. Share this information with your patients.

Health Information Act

Rules about:
  • Collection
  • Use
  • Disclosure
  • Access and amendments
  • Protection

JEAN:

Proclaimed in April 2001 in Alberta. Other provinces have similar legislation. HIA has paramountcy over other legislation like PIPEDA or PIPA.

Amended from time to time, most recently in September 2013.

The Alberta legislation was the first legislation specific to health information in Canada. Many other provinces now have their own health information legislation and while some of the key terms differ from province to province, the privacy principles regarding the collection, use and disclosure remain very similar.

The Health Information Act legislation applies to custodians. Custodians are responsible for maintaining, protecting and safeguarding health information. Custodians are the gatekeepers of health information.

Individuals have the right to access their own health information, to ask for it to be corrected, and to know why it is being collected.

Personal health numbers of individuals are protected.

In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforced the Privacy Rule in April 2003 and the Security Rule in April 2005. HIPAA has three primary purposes:
  1. Protect and enhance rights of customer
  2. Improve the quality of healthcare in the US
  3. Improve the efficiency and effectiveness of healthcare delivery

This rule became a baseline for ensuring a higher level of confidentiality across the nation. These standards are more important in this day and age because we are such a mobile community and we want to ensure continuity of care without compromising confidentiality.

HIA Privacy Principles

When you collect, use, or disclose information:
  • Least amount of information
  • Need to know basis
  • Highest level of anonymity
  • Legal authority
  • Consent or notification required?

JEAN:

Set up scenario: new patient attending a clinic.

Least amount of information:
  • Name, DOB, address, phone number, employer, occupation
  • NOK
  • Family names of family member or just 3 siblings

Do you ask the patient to give you their SIN#? No. Why not? Because you don't need it.

Highest level of anonymity: drug reps request a tally sheet of how many patients were offered a certain drug.

Picture ID


Do you need to collect the Driver's License #? Is there a situation in which you may need to ask to see the driver's license? Yes, to verify an individual's identity. When a patient presents to the clinic, you may ask to see their Alberta Health Care Insurance Card and picture ID.

See the DL and verify the identity: from the picture to the person in front of you and to the same name on the Alberta Health Care Insurance Card.

You should record that you did this, but do not record the DL#. http://www.oipcbc.org/sector_private/public_info/Photo_ID_Guidance.pdf
