1 Hospital Mental Health Database Privacy Impact Assessment Standards and Data Submission
2 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health system and the health of Canadians. Funded by federal, provincial and territorial governments, we are guided by a Board of Directors made up of health leaders across the country. Our Vision To help improve Canada s health system and the well-being of Canadians by being a leading source of unbiased, credible and comparable information that will enable health leaders to make better-informed decisions.
3 CIHI is pleased to publish the following Privacy Impact Assessment pursuant to its Privacy Impact Assessment Policy: HOSPITAL MENTAL HEALTH DATABASE PRIVACY IMPACT ASSESSMENT Approved by: Jean-Marie Berthelot Vice-President, Programs Mimi Lepage Chief Privacy Officer and General Counsel Ottawa March 2011
5 Table of Contents 10 Quick Facts About the Hospital Mental Health Database... iii 1 Introduction The Hospital Mental Health Database at CIHI Background Data Flow Diagrams Privacy Analysis Authorities Governing CIHI and the Hospital Mental Health Database Principle 1: Accountability for Personal Health Information Principle 2: Identifying Purposes for Personal Health Information Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information Principle 4: Limiting Collection of Personal Health Information Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information Principle 6: Accuracy of Personal Health Information Principle 7: Safeguards for Personal Health Information Principle 8: Openness About the Management of Personal Health Information Principle 9: Individual Access to, and Amendment of, Personal Health Information Principle 10: Complaints About CIHI s Handling of Personal Health Information Conclusion... 13
7 10 Quick Facts About the Hospital Mental Health Database 1. The Hospital Mental Health Database (HMHDB) is a national source of standardized data on mental health services in Canada; it does not include data on community mental health. 2. The HMHDB contains 22 data elements (the minimum data set), including diagnosis information for each event. 3. The HMHDB contains eight years of data, going back to Health service administrators, policy-makers, governments, researchers and others use data from the HMHDB to identify the following: The types of mental illnesses for which Canadians are hospitalized; The lengths of hospitalizations for the treatment of mental illness; and The demographic characteristics of the recipients of inpatient hospital services for the treatment of mental illness. 5. The HMHDB supports the collection, sharing and analysis of data on mental health episodes from Canadian psychiatric and general hospitals. 6. HMHDB data comes from a variety of sources. Data is originally collected from hospital administrative records. 7. Currently, 776 facilities from all provinces and territories participate in the HMHDB. 8. About 99% of the data in the HMHDB comes directly from internal CIHI sources: the Discharge Abstract Database (DAD) and the Ontario Mental Health Reporting System (OMHRS). 9. As of , data that is related to discharges from designated adult psychiatric beds in Ontario flows to CIHI directly from hospitals via OMHRS. Activity for these beds is no longer reflected in the DAD. Discharges that are related to designated acute care beds in Ontario that have a primary mental illness diagnosis are reported to the DAD and are included in the HMHDB. 10. Recent analyses produced by CIHI using data from the HMHDB include HMHDB Quick Stats. iii
9 1 Introduction The Canadian Institute for Health Information (CIHI) collects and analyzes information on health and health care in Canada. Its mandate is to provide timely, accurate and comparable information to inform health policies, support the effective delivery of health services and raise awareness among Canadians of the factors that contribute to good health. CIHI obtains data directly from hospitals, regional health authorities, medical practitioners and governments, including personal health information about patients and registration and practice information about health professionals. The purpose of this privacy impact assessment (PIA) is to examine the privacy, confidentiality and security risks associated with the Hospital Mental Health Database (HMHDB). It includes a review of the 10 privacy principles set out in the Canadian Standards Association s Model Code for the Protection of Personal Information as they apply to the database. This PIA updates the one completed in
10 2 The Hospital Mental Health Database at CIHI 2.1 Background CIHI acquired responsibility for collecting mental health data in from Statistics Canada. Statistics Canada continues to maintain a historical Mental Health Database dating back to The HMHDB is a national source of standardized data on mental health services in Canada. It contains diagnostic and administrative data related to inpatient hospital stays. The HMHDB has a historical series that allows for year-over-year comparisons of some aspects of Canadian inpatient hospital services for the treatment of mental illness. Data from the HMHDB is used to produce statistics on inpatient mental health services in psychiatric and general hospitals. Health service administrators, policy-makers, governments, researchers and others use these statistics to identify the following: The types of mental illnesses for which Canadians are hospitalized; The lengths of hospitalizations for the treatment of mental illness; and The demographic characteristics of the recipients of inpatient hospital services for the treatment of mental illness. The data can be used for comparative analysis among jurisdictions and for trend analysis to assess and monitor the impact of differences in policy, practices and service delivery. HMHDB data comes from a variety of sources. Data is originally collected from hospital administrative records i from both psychiatric and general hospitals. Since 2003, there have been a number of significant changes to the data sources of the HMHDB, including the following: As of , data that is related to separations from designated adult psychiatric beds in Ontario flows to CIHI directly from hospitals via the Ontario Mental Health Reporting System (OMHRS). A subset of OMHRS data is now included in the HMHDB. Activity for these beds is no longer reflected in the Discharge Abstract Database (DAD). i. Hospital administrative records include discharges and deaths. 2
11 However, separations that do not occur in designated mental health beds in Ontario that have a primary mental illness diagnosis are reported to the HMHDB from the DAD. Data from Quebec hospitals now comes exclusively via CIHI s Hospital Morbidity Database. CIHI no longer receives any data via the Hygiène mentale des centres hospitaliers du Québec. Fewer hospitals/ministries submit data directly to CIHI via the Hospital Mental Health Survey. These hospitals/ministries now submit data to CIHI via the DAD or OMHRS, from which a subset of data elements is copied into the HMHDB. ICD-10-CA ii was adopted to code diagnoses for all hospital separations reported in the DAD across Canada. DSM-IV iii diagnosis codes are used for primary mental illness diagnoses. The change in data sources since 2003 has been largely driven by clinical and health policy requirements on the part of the stakeholders who provide mental health services and the ministries that mandate such data collection. Data elements in the HMHDB are limited to the minimum number possible to meet the purposes of the database. The 22 data elements are the following: Data Element in HMHDB Year Province of Hospital Hospital Number Date of Birth Sex Postal Code Admission Age Separation Age Admission Date Admission Type Primary Admission Diagnosis Secondary Admission Diagnosis Separation Date Length of Stay Description The fiscal year the patient was discharged Province in which the reporting hospital is located Hospital identification number assigned to the hospital by the province Patient s date of birth Patient s sex Patient s residential postal code Age of patient at admission Age of patient when released from hospital The date the patient was admitted to the institution A code identifying whether the patient has had any previous psychiatric admissions The diagnosis code that describes the most significant condition of the patient at admission Second diagnosis code identifying the comorbidity (condition) that contributed to the patient s hospitalization upon admission The date the patient was formally discharged from the institution The total number of days the patient was hospitalized, from date of admission to date of discharge ii. ICD-10-CA is the International Statistical Classification of Diseases and Related Health Problems, Tenth Revision, Canada. iii. DSM-IV is the American Psychiatric Association s Diagnostic and Statistical Manual of Mental Health. 3
12 Data Element in HMHDB Primary Separation Diagnosis Secondary Separation Diagnosis Separation Type Source Hospital Type Encrypted Health Card Number Psychiatric Hospital DiagCategory Description Code describing the most significant condition of the patient during hospitalization Code identifying the comorbidity (other condition) that contributed to the patient s hospitalization Indicates the status of the patient upon discharge (for example, discharged home, transferred to another facility, died) The original source of the records in the merged file (DAD, OMHRS, etc.) The code identifying the level of care the hospital provides, such as acute, general, chronic or rehabilitation Encrypted health card number of the patient Indicator for differentiating psychiatric and general hospitals Mental health diagnosis category Currently, 776 facilities from all provinces and territories participate in the HMHDB. Furthermore, the HMHDB contains eight years of data, going back to
13 2.2 Data Flow Diagrams Data Sources Flowing Into the Hospital Mental Health Database Discharge Abstract Database (DAD) N.L., N.S., N.B., Ont.,* Man., Alta., B.C. Hospital Mental Health Survey (HMHS) P.E.I., Man., Sask. Ontario Mental Health Reporting System (OHMRS) Ont. Hospital Mental Health Database Hospital Morbidity Database (HMDB) N.L., P.E.I., N.S., N.B., Que., Ont.,* Man., Sask., Alta., B.C., Y.T., N.W.T., Nun. Note * Ontario facilities report mental health separations from non designated adult mental health beds to the DAD. 5
14 The following diagram is intended to give the reader a more granular view of the types of data providers by province/territory. Participating Facilities, Hospital Mental Health Database Psychiatric Hospitals P.E.I., Man., Sask. Psychiatric Hospitals (with designated adult mental health beds) Ont. Hospital Mental Health Survey (HMHS) Long-term psychiatric cases from general hospitals in Sask. (three psychiatric wings in general hospitals not in the HMDB) General Hospitals (with designated adult mental health beds) Ont. Ontario Mental Health Reporting System (OMHRS) Psychiatric Hospitals N.L., N.S., N.B., Ont.,* Man., Alta., B.C. Psychiatric Hospitals Que. Discharge Abstract Database (DAD) Hospital Mental Health Database General Hospitals N.L., P.E.I., N.S., N.B., Que., Ont., Man., Sask., Alta., B.C., Y.T., N.W.T., Nun. Hospital Morbidity Database (HMDB) Notes * Ontario facilities report mental health separations from non designated adult mental health beds to the DAD. Two of Quebec s psychiatric facilities reported to the HMDB via MED-ÉCHO. 6
19 In 2009, CIHI adopted a complete lifecycle approach to data management. As part of that lifecycle, Privacy and Legal Services (PLS) developed and is responsible for the ongoing compliance monitoring process whereby all data sets that are disclosed to third-party data recipients are tracked and monitored for secure destruction at the end of their lifecycle. Prior to disclosing data, thirdparty recipients sign a data protection agreement and agree to comply with the conditions and restrictions imposed by CIHI relating to the collection, purpose, use, security, disclosure and return or disposal of data. As of January 2011, in addition to the compliance monitoring process, which leverages data captured to monitor compliance with data destruction requirements, PLS contacts third-party data recipients on an annual basis to certify that they continue to comply with their obligations as set out in the thirdparty data request form and data protection agreement signed with CIHI. All data protection agreements with third parties specify that receiving organizations must keep de-identified record-level data strictly confidential and not disclose such data to anyone outside the organization. Moreover, CIHI imposes obligations on these third-party recipients, including Secure destruction requirements; CIHI s right to audit; Restriction on the publication of cell sizes less than five; and Strong encryption technology that meets or exceeds CIHI s standards where mobile computing devices are used Limiting Retention The HMHDB forms part of CIHI s information holdings; consistent with its mandate and core functions, CIHI retains such information for as long as necessary to meet the identified purposes. 3.7 Principle 6: Accuracy of Personal Health Information CIHI has a comprehensive data quality program. Any known data quality issues are addressed by the data provider or documented in data limitations documentation, which is made available to all users. Similar to other CIHI data holdings, the HMHDB is subject to an annual data quality assessment, based on CIHI s Data Quality Framework. The process of completing the framework includes numerous activities to assess the accuracy of the HMHDB data. Also, preliminary counts and indicator values for each province are shared with each provincial/territorial ministry of health for their review and confirmation before the data is released to the public. 11
20 3.8 Principle 7: Safeguards for Personal Health Information System Security About 99% of the data included in the HMHDB comes directly from internal CIHI sources (DAD and OMHRS). This data is initially sent to CIHI via CIHI s secure web-based electronic data submission service (edss) to OMHRS or DAD. The MED-ÉCHO portion of the Hospital Morbidity Database, which represents Quebec s inpatient data, comes to CIHI on a password-protected and encrypted CD. The remaining data comes to CIHI through the Hospital Mental Health Survey submitted via edss. When hospitals/ministries submit data, either directly or indirectly, to the HMHDB, they do so according to a predetermined record layout of data elements. Patient health card numbers are sent in encrypted format. The HMHDB files reside on a secure server that is maintained by CIHI s ITS department. In 2003, the PIA concluded that the security used to protect the data was sufficient. While a threat risk assessment has not been conducted, the database s security features have been updated on numerous occasions since 2003, in conjunction with CIHI s corporate IT security updates. The process of transferring data into the HMHDB within CIHI is carried out electronically, thereby ensuring that only that data that is part of the record layout is transferred from the original data holding to the HMHDB. Electronic transfer also limits the number of people with access to the data. More generally, CIHI has established physical, technical and administrative security practices to ensure the confidentiality and security of all of its data holdings. Moreover, CIHI employees are aware of the importance of maintaining the confidentiality of personal health information through a mandatory privacy and security training program and through ongoing communications about CIHI s privacy and security policies and procedures. CIHI is committed to safeguarding its IT ecosystem, to securing its data holdings and to protecting information with administrative, physical and technical security safeguards appropriate to the sensitivity of the information. Audits are an important component of CIHI s overall information security program and are intended to ensure that best practices are being followed and to assess compliance with all information security policies, procedures and practices implemented by CIHI. Audits are used to assess, among other things, technical compliance of information processing systems with best practices and published architectural and security standards, CIHI s ability to safeguard its 12
23 All rights reserved. The contents of this publication may be reproduced unaltered, in whole or in part and by any means, solely for non-commercial purposes, provided that the Canadian Institute for Health Information is properly and fully acknowledged as the copyright owner. Any reproduction or use of this publication or its contents for any commercial purpose requires the prior written authorization of the Canadian Institute for Health Information. Reproduction or use that suggests endorsement by, or affiliation with, the Canadian Institute for Health Information is prohibited. For permission or information, please contact CIHI: Canadian Institute for Health Information 495 Richmond Road, Suite 600 Ottawa, Ontario K2A 4H6 Phone: Fax: Canadian Institute for Health Information Cette publication est aussi disponible en français sous le titre Évaluation des incidences sur la vie privée de la Base de données sur la santé mentale en milieu hospitalier..
24 Talk to Us CIHI Ottawa 495 Richmond Road, Suite 600 Ottawa, Ontario K2A 4H6 Phone: CIHI Toronto 4110 Yonge Street, Suite 300 Toronto, Ontario M2P 2B7 Phone: CIHI Montréal 1010 Sherbrooke Street West, Suite 300 Montréal, Quebec H3A 2R7 Phone: CIHI St. John s 140 Water Street, Suite 701 St. John s, Newfoundland and Labrador A1C 6H6 Phone: CIHI Victoria 880 Douglas Street, Suite 600 Victoria, British Columbia V8W 2B7 Phone: May 2011