Hospital Mental Health Database Privacy Impact Assessment

Transcription

1 Hospital Mental Health Database Privacy Impact Assessment Standards and Data Submission

2 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health system and the health of Canadians. Funded by federal, provincial and territorial governments, we are guided by a Board of Directors made up of health leaders across the country. Our Vision To help improve Canada s health system and the well-being of Canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to make better-informed decisions.

3 CIHI is pleased to publish the following Privacy Impact Assessment pursuant to its Privacy Impact Assessment Policy: HOSPITAL MENTAL HEALTH DATABASE PRIVACY IMPACT ASSESSMENT Approved by: Jean-Marie Berthelot Vice-President, Programs Mimi Lepage Chief Privacy Officer and General Counsel Ottawa March 2011

4

5 Table of Contents 10 Quick Facts About the Hospital Mental Health Database... iii 1 Introduction The Hospital Mental Health Database at CIHI Background Data Flow Diagrams Privacy Analysis Authorities Governing CIHI and the Hospital Mental Health Database Principle 1: Accountability for Personal Health Information Principle 2: Identifying Purposes for Personal Health Information Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information Principle 4: Limiting Collection of Personal Health Information Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information Principle 6: Accuracy of Personal Health Information Principle 7: Safeguards for Personal Health Information Principle 8: Openness About the Management of Personal Health Information Principle 9: Individual Access to, and Amendment of, Personal Health Information Principle 10: Complaints About CIHI s Handling of Personal Health Information Conclusion... 13

6

7 10 Quick Facts About the Hospital Mental Health Database 1. The Hospital Mental Health Database (HMHDB) is a national source of standardized data on mental health services in Canada; it does not include data on community mental health. 2. The HMHDB contains 22 data elements (the minimum data set), including diagnosis information for each event. 3. The HMHDB contains eight years of data, going back to Health service administrators, policy-makers, governments, researchers and others use data from the HMHDB to identify the following: The types of mental illnesses for which Canadians are hospitalized; The lengths of hospitalizations for the treatment of mental illness; and The demographic characteristics of the recipients of inpatient hospital services for the treatment of mental illness. 5. The HMHDB supports the collection, sharing and analysis of data on mental health episodes from Canadian psychiatric and general hospitals. 6. HMHDB data comes from a variety of sources. Data is originally collected from hospital administrative records. 7. Currently, 776 facilities from all provinces and territories participate in the HMHDB. 8. About 99% of the data in the HMHDB comes directly from internal CIHI sources: the Discharge Abstract Database (DAD) and the Ontario Mental Health Reporting System (OMHRS). 9. As of , data that is related to discharges from designated adult psychiatric beds in Ontario flows to CIHI directly from hospitals via OMHRS. Activity for these beds is no longer reflected in the DAD. Discharges that are related to designated acute care beds in Ontario that have a primary mental illness diagnosis are reported to the DAD and are included in the HMHDB. 10. Recent analyses produced by CIHI using data from the HMHDB include HMHDB Quick Stats. iii

8

9 1 Introduction The Canadian Institute for Health Information (CIHI) collects and analyzes information on health and health care in Canada. Its mandate is to provide timely, accurate and comparable information to inform health policies, support the effective delivery of health services and raise awareness among Canadians of the factors that contribute to good health. CIHI obtains data directly from hospitals, regional health authorities, medical practitioners and governments, including personal health information about patients and registration and practice information about health professionals. The purpose of this privacy impact assessment (PIA) is to examine the privacy, confidentiality and security risks associated with the Hospital Mental Health Database (HMHDB). It includes a review of the 10 privacy principles set out in the Canadian Standards Association s Model Code for the Protection of Personal Information as they apply to the database. This PIA updates the one completed in

10 2 The Hospital Mental Health Database at CIHI 2.1 Background CIHI acquired responsibility for collecting mental health data in from Statistics Canada. Statistics Canada continues to maintain a historical Mental Health Database dating back to The HMHDB is a national source of standardized data on mental health services in Canada. It contains diagnostic and administrative data related to inpatient hospital stays. The HMHDB has a historical series that allows for year-over-year comparisons of some aspects of Canadian inpatient hospital services for the treatment of mental illness. Data from the HMHDB is used to produce statistics on inpatient mental health services in psychiatric and general hospitals. Health service administrators, policy-makers, governments, researchers and others use these statistics to identify the following: The types of mental illnesses for which Canadians are hospitalized; The lengths of hospitalizations for the treatment of mental illness; and The demographic characteristics of the recipients of inpatient hospital services for the treatment of mental illness. The data can be used for comparative analysis among jurisdictions and for trend analysis to assess and monitor the impact of differences in policy, practices and service delivery. HMHDB data comes from a variety of sources. Data is originally collected from hospital administrative records i from both psychiatric and general hospitals. Since 2003, there have been a number of significant changes to the data sources of the HMHDB, including the following: As of , data that is related to separations from designated adult psychiatric beds in Ontario flows to CIHI directly from hospitals via the Ontario Mental Health Reporting System (OMHRS). A subset of OMHRS data is now included in the HMHDB. Activity for these beds is no longer reflected in the Discharge Abstract Database (DAD). i. Hospital administrative records include discharges and deaths. 2

11 However, separations that do not occur in designated mental health beds in Ontario that have a primary mental illness diagnosis are reported to the HMHDB from the DAD. Data from Quebec hospitals now comes exclusively via CIHI s Hospital Morbidity Database. CIHI no longer receives any data via the Hygiène mentale des centres hospitaliers du Québec. Fewer hospitals/ministries submit data directly to CIHI via the Hospital Mental Health Survey. These hospitals/ministries now submit data to CIHI via the DAD or OMHRS, from which a subset of data elements is copied into the HMHDB. ICD-10-CA ii was adopted to code diagnoses for all hospital separations reported in the DAD across Canada. DSM-IV iii diagnosis codes are used for primary mental illness diagnoses. The change in data sources since 2003 has been largely driven by clinical and health policy requirements on the part of the stakeholders who provide mental health services and the ministries that mandate such data collection. Data elements in the HMHDB are limited to the minimum number possible to meet the purposes of the database. The 22 data elements are the following: Data Element in HMHDB Year Province of Hospital Hospital Number Date of Birth Sex Postal Code Admission Age Separation Age Admission Date Admission Type Primary Admission Diagnosis Secondary Admission Diagnosis Separation Date Length of Stay Description The fiscal year the patient was discharged Province in which the reporting hospital is located Hospital identification number assigned to the hospital by the province Patient s date of birth Patient s sex Patient s residential postal code Age of patient at admission Age of patient when released from hospital The date the patient was admitted to the institution A code identifying whether the patient has had any previous psychiatric admissions The diagnosis code that describes the most significant condition of the patient at admission Second diagnosis code identifying the comorbidity (condition) that contributed to the patient s hospitalization upon admission The date the patient was formally discharged from the institution The total number of days the patient was hospitalized, from date of admission to date of discharge ii. ICD-10-CA is the International Statistical Classification of Diseases and Related Health Problems, Tenth Revision, Canada. iii. DSM-IV is the American Psychiatric Association s Diagnostic and Statistical Manual of Mental Health. 3

12 Data Element in HMHDB Primary Separation Diagnosis Secondary Separation Diagnosis Separation Type Source Hospital Type Encrypted Health Card Number Psychiatric Hospital DiagCategory Description Code describing the most significant condition of the patient during hospitalization Code identifying the comorbidity (other condition) that contributed to the patient s hospitalization Indicates the status of the patient upon discharge (for example, discharged home, transferred to another facility, died) The original source of the records in the merged file (DAD, OMHRS, etc.) The code identifying the level of care the hospital provides, such as acute, general, chronic or rehabilitation Encrypted health card number of the patient Indicator for differentiating psychiatric and general hospitals Mental health diagnosis category Currently, 776 facilities from all provinces and territories participate in the HMHDB. Furthermore, the HMHDB contains eight years of data, going back to

13 2.2 Data Flow Diagrams Data Sources Flowing Into the Hospital Mental Health Database Discharge Abstract Database (DAD) N.L., N.S., N.B., Ont.,* Man., Alta., B.C. Hospital Mental Health Survey (HMHS) P.E.I., Man., Sask. Ontario Mental Health Reporting System (OHMRS) Ont. Hospital Mental Health Database Hospital Morbidity Database (HMDB) N.L., P.E.I., N.S., N.B., Que., Ont.,* Man., Sask., Alta., B.C., Y.T., N.W.T., Nun. Note * Ontario facilities report mental health separations from non designated adult mental health beds to the DAD. 5

14 The following diagram is intended to give the reader a more granular view of the types of data providers by province/territory. Participating Facilities, Hospital Mental Health Database Psychiatric Hospitals P.E.I., Man., Sask. Psychiatric Hospitals (with designated adult mental health beds) Ont. Hospital Mental Health Survey (HMHS) Long-term psychiatric cases from general hospitals in Sask. (three psychiatric wings in general hospitals not in the HMDB) General Hospitals (with designated adult mental health beds) Ont. Ontario Mental Health Reporting System (OMHRS) Psychiatric Hospitals N.L., N.S., N.B., Ont.,* Man., Alta., B.C. Psychiatric Hospitals Que. Discharge Abstract Database (DAD) Hospital Mental Health Database General Hospitals N.L., P.E.I., N.S., N.B., Que., Ont., Man., Sask., Alta., B.C., Y.T., N.W.T., Nun. Hospital Morbidity Database (HMDB) Notes * Ontario facilities report mental health separations from non designated adult mental health beds to the DAD. Two of Quebec s psychiatric facilities reported to the HMDB via MED-ÉCHO. 6

15 3 Privacy Analysis 3.1 Authorities Governing CIHI and the Hospital Mental Health Database General CIHI adheres to its Privacy Policy, 2010 and to any applicable privacy legislation and/or agreements. Legislation CIHI is a secondary data collector of health information, specifically for the planning and management of the health system, including statistical analysis and reporting. Data providers are responsible for meeting the statutory requirements in their respective jurisdictions, where applicable, at the time the data is collected. All provinces and territories have public-sector privacy legislation in place. Canadian privacy legislation includes provisions that authorize public bodies covered by the acts to disclose person-identifiable data, without the consent of the individual, for statistical purposes. Alberta, Saskatchewan, Manitoba, Ontario and New Brunswick (legislation pending in Newfoundland and Labrador and Nova Scotia) also have health information specific privacy legislation with express lawful authority to use and disclose personal health information, without individual consent, for the purpose of managing the health system, including statistical analysis and reporting. For example, CIHI is recognized as a prescribed entity under the Personal Health Information Protection Act of Ontario. Custodians in Ontario may disclose personal health information to CIHI without patient consent pursuant to Section 29 as permitted by Section 45(1) of the act. Agreements As indicated above, data flows directly to CIHI via existing applications/systems (such as DAD and OMHRS). For the most part, these existing data flows are governed by CIHI s Privacy Policy, 2010, existing legislation in the jurisdictions and data-sharing agreements with the provinces and territories. The datasharing agreements set out the purpose, use, disclosure and retention requirements, as well as any subsequent data sharing that may be permitted. 7

16 3.2 Principle 1: Accountability for Personal Health Information CIHI s president and chief executive officer is accountable for ensuring compliance with CIHI s Privacy Policy. CIHI has a chief privacy officer and general counsel, a corporate Privacy, Confidentiality and Security team, a Privacy and Data Protection Committee of its Board of Directors and an external chief privacy advisor. Organization and Governance The HMHDB is managed by the Mental Health and Addictions program area at CIHI. The following table identifies key internal positions and groups with responsibilities for the HMHDB in terms of privacy and security risk management: Position/Group Vice President, Programs Director, Continuing and Specialized Care Information Services Manager, Rehabilitation and Mental Health Vice President and Chief Technology Officer Chief Privacy Officer Program Lead, Mental Health and Addictions Senior Analyst, Mental Health and Addictions Analyst, Mental Health and Addictions Program Lead, ITS Senior Analyst, ITS Roles/Responsibilities The vice president, programs, is responsible for the overall operations and strategic direction of the HMHDB. The director is fully accountable for the HMHDB. He or she is responsible for strategic and operational decisions about the HMHDB and ensuring its continued successful development. The manager is responsible for the ongoing management, development and deployment of the HMHDB. He or she makes operational decisions about the database and manages consultation with HMHDB stakeholders as appropriate. The vice president and chief technology officer is responsible for the strategic direction and overall operations/ implementation of CIHI s technological and security solutions. The chief privacy officer is responsible for the strategic direction and the overall implementation of CIHI s privacy program. The program lead, mental health and addictions, supervises the production of the HMHDB as well as any analytical work or reporting conducted using the HMHDB and other mental health data. He or she facilitates and reviews data requests prior to review and approval by the manager and director. The senior analyst, mental health and addictions, is involved in the production of the HMHDB and the validation of its accuracy, as well as in statistical analysis using its data. The analyst, mental health and addictions, is involved in the production of the HMHDB and the validation of its accuracy, as well as in statistical analysis using its data. The program lead, ITS, supervises processing of the source data to create the HMHDB file. The senior analyst, ITS, is involved in processing the source data to create the HMHDB file. 8

17 3.3 Principle 2: Identifying Purposes for Personal Health Information The HMHDB supports the collection, sharing and analysis of data on mental health separations from Canadian hospitals. These purposes are clearly stated on CIHI s website, in HMHDB reports and bulletins and in this PIA. 3.4 Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information About 99% of the data included in the HMHDB comes directly from internal CIHI sources (DAD and OMHRS). This data was disclosed to CIHI originally without individual consent for the purposes of the planning and management of the health system, including statistical analysis and reporting. 3.5 Principle 4: Limiting Collection of Personal Health Information CIHI is committed to the principle of data minimization. As per sections 1 and 2 of CIHI s Privacy Policy, 2010, CIHI collects from data providers only that personal health information and de-identified data that are reasonably required for health system uses, including statistical analysis and reporting, in support of the management, evaluation or monitoring of the allocation of resources to, or planning for, the health care system in Canada, including support for the improvement of the overall health of Canadians. The HMHDB minimum data set has 22 data elements, including diagnosis information for each event. One field contains a unique patient identifier, which is encrypted. This field is used to enhance the value of the database. For instance, the key indicator hospital readmission rate was developed to enhance the value of the database. Calculating this indicator requires the ability to link individual records and track people s hospital service use over specific time periods. While the addition of a unique patient identifier has significant privacy-related concerns, the encryption and policies in place minimize the risks associated with the addition of this field to the database. 3.6 Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information Limiting Use CIHI limits the use of data in the HMHDB to authorized purposes, and only authorized users have access. Staff from the Mental Health and Addictions program area are permitted to access and use data on a need-to-know basis only. 9

18 Access to and use of data by other CIHI staff outside of the Mental Health and Addictions program area, which may be required to prepare reports or publications, is done in compliance with CIHI s Privacy Policy, 2010 and related procedures. Prior to granting access to other staff, justification for use, manager approval and auditing is required. Employee access to specific data holdings is frequently reviewed and validated by the program manager. At CIHI, sensitive data elements, such as health card number, are encrypted before the data set is used for analysis or report production. Health card numbers in an unencrypted form are rarely available to CIHI staff. Since 2009, data sets used for analysis purposes do not contain unencrypted health card numbers (generally, patient names are not collected by CIHI). Data Linkage No linkages using data from the HMHDB have been approved in the last three years Limiting Disclosure As part of its mandate, CIHI publishes only aggregated data in a manner designed to minimize any risk of identifiability and residual disclosure. This generally requires a minimum of five observations per cell. Third-Party Data Requests Aggregate and de-identified record-level data from the HMHDB is periodically requested by a variety of users, such as Statistics Canada, Health Canada, hospital staff, researchers, consumer groups, the pharmaceutical industry and the media. CIHI administers a third-party data request program that contains tight privacy and security controls and ensures that they are followed within the recipient organization. Furthermore, as set out in sections 45 to 47 of CIHI s Privacy Policy, 2010, CIHI data disclosures are made at the highest degree of anonymity possible while still meeting the research and/or analytical purposes of the requester. This means that, whenever possible, data is aggregated. Where aggregate data is not sufficiently detailed for the intended purpose, data that has been de-identified may be disclosed to the recipient on a case-by-case basis and where the recipient has entered into a data protection agreement or other legally binding instrument with CIHI. Only those data elements necessary to meet the intended purpose may be disclosed. Researchers requesting data are required to submit a written request. They must also sign an agreement wherein they agree to use the data for only the research specified. 10

19 In 2009, CIHI adopted a complete lifecycle approach to data management. As part of that lifecycle, Privacy and Legal Services (PLS) developed and is responsible for the ongoing compliance monitoring process whereby all data sets that are disclosed to third-party data recipients are tracked and monitored for secure destruction at the end of their lifecycle. Prior to disclosing data, thirdparty recipients sign a data protection agreement and agree to comply with the conditions and restrictions imposed by CIHI relating to the collection, purpose, use, security, disclosure and return or disposal of data. As of January 2011, in addition to the compliance monitoring process, which leverages data captured to monitor compliance with data destruction requirements, PLS contacts third-party data recipients on an annual basis to certify that they continue to comply with their obligations as set out in the thirdparty data request form and data protection agreement signed with CIHI. All data protection agreements with third parties specify that receiving organizations must keep de-identified record-level data strictly confidential and not disclose such data to anyone outside the organization. Moreover, CIHI imposes obligations on these third-party recipients, including Secure destruction requirements; CIHI s right to audit; Restriction on the publication of cell sizes less than five; and Strong encryption technology that meets or exceeds CIHI s standards where mobile computing devices are used Limiting Retention The HMHDB forms part of CIHI s information holdings; consistent with its mandate and core functions, CIHI retains such information for as long as necessary to meet the identified purposes. 3.7 Principle 6: Accuracy of Personal Health Information CIHI has a comprehensive data quality program. Any known data quality issues are addressed by the data provider or documented in data limitations documentation, which is made available to all users. Similar to other CIHI data holdings, the HMHDB is subject to an annual data quality assessment, based on CIHI s Data Quality Framework. The process of completing the framework includes numerous activities to assess the accuracy of the HMHDB data. Also, preliminary counts and indicator values for each province are shared with each provincial/territorial ministry of health for their review and confirmation before the data is released to the public. 11

20 3.8 Principle 7: Safeguards for Personal Health Information System Security About 99% of the data included in the HMHDB comes directly from internal CIHI sources (DAD and OMHRS). This data is initially sent to CIHI via CIHI s secure web-based electronic data submission service (edss) to OMHRS or DAD. The MED-ÉCHO portion of the Hospital Morbidity Database, which represents Quebec s inpatient data, comes to CIHI on a password-protected and encrypted CD. The remaining data comes to CIHI through the Hospital Mental Health Survey submitted via edss. When hospitals/ministries submit data, either directly or indirectly, to the HMHDB, they do so according to a predetermined record layout of data elements. Patient health card numbers are sent in encrypted format. The HMHDB files reside on a secure server that is maintained by CIHI s ITS department. In 2003, the PIA concluded that the security used to protect the data was sufficient. While a threat risk assessment has not been conducted, the database s security features have been updated on numerous occasions since 2003, in conjunction with CIHI s corporate IT security updates. The process of transferring data into the HMHDB within CIHI is carried out electronically, thereby ensuring that only that data that is part of the record layout is transferred from the original data holding to the HMHDB. Electronic transfer also limits the number of people with access to the data. More generally, CIHI has established physical, technical and administrative security practices to ensure the confidentiality and security of all of its data holdings. Moreover, CIHI employees are aware of the importance of maintaining the confidentiality of personal health information through a mandatory privacy and security training program and through ongoing communications about CIHI s privacy and security policies and procedures. CIHI is committed to safeguarding its IT ecosystem, to securing its data holdings and to protecting information with administrative, physical and technical security safeguards appropriate to the sensitivity of the information. Audits are an important component of CIHI s overall information security program and are intended to ensure that best practices are being followed and to assess compliance with all information security policies, procedures and practices implemented by CIHI. Audits are used to assess, among other things, technical compliance of information processing systems with best practices and published architectural and security standards, CIHI s ability to safeguard its 12

21 information and information processing systems against threats and vulnerabilities, and the overall security posture of CIHI s technical infrastructure, including networks, servers, firewalls, software and applications. An important component of CIHI s audit program is regular third-party vulnerability assessments and penetration tests of its infrastructure and selected applications. All recommendations resulting from third-party audits are tracked in the corporate risk register, and appropriate action is taken. 3.9 Principle 8: Openness About the Management of Personal Health Information CIHI makes information available about its privacy policies, data practices and programs relating to the management of personal health information. Specifically, CIHI s Privacy and Security Framework, 2010 and Privacy Policy, 2010 are available to the public on its corporate website ( Principle 9: Individual Access to, and Amendment of, Personal Health Information Personal health information held by CIHI is not used to make any administrative or personal health decisions affecting the individual. An individual seeking access to his or her personal health information will be processed in accordance with sections 60 to 63 of CIHI s Privacy Policy, It should be noted that over the six years since the original PIA was completed, there have been no cases where an individual has approached CIHI to request access to, or amendment of, his or her personal health information in the HMHDB Principle 10: Complaints About CIHI s Handling of Personal Health Information As set out in sections 64 and 65 of CIHI s Privacy Policy, 2010, complaints about CIHI s handling of personal health information are investigated by the chief privacy officer. The chief privacy officer may direct an inquiry or complaint to the privacy commissioner of the jurisdiction of the person making the inquiry or complaint. 4 Conclusion CIHI s assessment of the HMHDB did not identify any privacy risks. 13

22

23 All rights reserved. The contents of this publication may be reproduced unaltered, in whole or in part and by any means, solely for non-commercial purposes, provided that the Canadian Institute for Health Information is properly and fully acknowledged as the copyright owner. Any reproduction or use of this publication or its contents for any commercial purpose requires the prior written authorization of the Canadian Institute for Health Information. Reproduction or use that suggests endorsement by, or affiliation with, the Canadian Institute for Health Information is prohibited. For permission or information, please contact CIHI: Canadian Institute for Health Information 495 Richmond Road, Suite 600 Ottawa, Ontario K2A 4H6 Phone: Fax: Canadian Institute for Health Information Cette publication est aussi disponible en français sous le titre Évaluation des incidences sur la vie privée de la Base de données sur la santé mentale en milieu hospitalier..

24 Talk to Us CIHI Ottawa 495 Richmond Road, Suite 600 Ottawa, Ontario K2A 4H6 Phone: CIHI Toronto 4110 Yonge Street, Suite 300 Toronto, Ontario M2P 2B7 Phone: CIHI Montréal 1010 Sherbrooke Street West, Suite 300 Montréal, Quebec H3A 2R7 Phone: CIHI St. John s 140 Water Street, Suite 701 St. John s, Newfoundland and Labrador A1C 6H6 Phone: CIHI Victoria 880 Douglas Street, Suite 600 Victoria, British Columbia V8W 2B7 Phone: May