A Year in Review: CIHI s Annual Privacy Report

Transcription

1 A Year in Review: CIHI s Annual Privacy Report

2 Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and integrated health information that enables sound policy and effective health system management that improve health and health care. Our Values Respect, Integrity, Collaboration, Excellence, Innovation

3 Table of Contents Introduction... 4 Section 1: Legal Context in Canada... 4 Section 2: Data-Sharing Agreements... 5 Section 3: Policy Review... 6 Section 4: Privacy and Security Training and Awareness... 7 Section 5: Privacy Impact Assessments... 8 Section 6: Privacy Audit Program... 8 Section 7: Privacy Breaches Section 8: Renewal of CIHI s Prescribed Entity Status Under Ontario s Personal Health Information Protection Act, Conclusion... 10

4 Introduction Privacy must be proactively incorporated into networked data systems and technologies, by default. The same is true of security. Both concepts must become integral to organizational priorities, project objectives, design processes, and planning operations... This culture of privacy is what emerges when organizations approach privacy as a business issue not a compliance issue. It is what takes hold when the leadership of an organization comes to see that the implementation of positive privacy [and security] controls creates rather than constrains business opportunities. Ann Cavoukian, Information and Privacy Commissioner, Ontario (2013) This past year, the Canadian Institute for Health Information (CIHI) continued to evolve its Privacy program with an increased focus on integrating privacy and security processes. Privacy and Legal Services and the Information Security branch continued to work together on many initiatives, including staff training, privacy and security incident management, and policies and procedures. All of this reflects the reality that at CIHI, as at many other organizations, privacy and security are interwoven and interdependent. The following annual privacy report is a testament to CIHI s ongoing commitment to privacy and security as a corporate priority. Section 1: Legal Context in Canada CIHI s data providers supply CIHI with the data it needs to fulfill its mandate: to produce the accurate and timely information required to establish sound health policy and to effectively manage the Canadian health system. In order to facilitate the flow of information from data providers to CIHI, it is critical that CIHI s data providers have clear lawful authority to disclose personal health information to CIHI, without an individual s consent. When a jurisdiction enacts or amends health privacy legislation, CIHI makes a submission to the jurisdiction suggesting that the new or amended legislation establish explicit lawful authority for disclosures of personal health information to CIHI without an individual s consent. Since our annual privacy report was published, two new pieces of legislation have referred to CIHI by name and have established lawful authority for disclosures of personal health information to CIHI: Nova Scotia s Personal Health Information Act, which came into force in June 2013; and Yukon s Health Information Privacy and Management Act, which was enacted in December 2013 but has not yet come into force. CIHI is also watching for future health privacy legislation in Prince Edward Island and the Northwest Territories. 4

5 Section 2: Data-Sharing Agreements As a health system user of personal health information, CIHI enters into data-sharing agreements (DSAs) with data providers from across the country. DSAs facilitate the flow of data to CIHI and support CIHI s mandate to provide the accurate and timely information required to establish sound health policy and effectively manage the Canadian health system. CIHI ratified or amended DSAs with the following data providers in : Saskatchewan: The schedule to the umbrella DSA was amended to add multiple sclerosis data to the DSA. Alberta First Nations communities: Agreements were signed with First Nations communities in Alberta to facilitate the flow of personal health information from the communities to CIHI s Home Care Reporting System (HCRS). British Columbia: The schedule to the umbrella DSA was amended to add patient-level physician billing data to the DSA. Northwest Territories: This umbrella DSA replaced the 2009 umbrella DSA. Statistics Canada: This DSA will provide CIHI with access to survey data concerning residential and long-term care facilities. CIHI is also currently negotiating new or amended DSAs with the following data providers: Transplant Quebec: CIHI is negotiating a DSA to permit Transplant Quebec to satisfy its legislative requirements for the disclosure of transplant data to CIHI. Ontario s Trillium Gift of Life Network: This DSA will facilitate the flow of personal health information concerning Ontario organ transplants from Trillium to CIHI for use in the Canadian Organ Replacement Register (CORR). Manitoba: CIHI is negotiating its first DSA with Manitoba. This umbrella DSA will govern all types of data that Manitoba shares with CIHI. Cancer Care Ontario (CCO): This DSA will replace the 2010 DSA and will facilitate the disclosure of renal-related personal health information from CCO to CIHI for use in CORR. In addition to entering into DSAs with data providers, in some cases, CIHI may also enter into a DSA or other legally binding instrument with a data requestor. A DSA with a data requestor becomes necessary when a request is for a significant volume of record-level data or when the need for the data is ongoing and is generally related to a broader program of work (as opposed to a time-limited, project-specific research initiative). Since our annual privacy report was published, CIHI has ratified DSAs with the following data requestors: Better Outcomes Registry and Network (BORN): The DSA was amended to permit BORN to use CIHI s personal health information from the Discharge Abstract Database (DAD) and National Ambulatory Care Reporting System (NACRS) for any work within BORN s legislated mandate. 5

6 CCO: This DSA facilitates the flow of personal health information from the DAD, NACRS and CORR at CIHI to CCO. CCO: This DSA provides CCO with access to Ontario data from the National System for Incident Reporting (NSIR) to improve the safety of cancer treatment. Institute for Clinical Evaluative Sciences (ICES): The DSA was amended to permit ICES to make anonymized Ontario data available to external researchers. The anonymized data is from the DAD, NACRS and CORR. interrai i (Hebrew SeniorLife,): This DSA facilitates the flow of de-identified data from the Continuing Care Reporting System (CCRS) and HCRS at CIHI to the interrai site at Hebrew SeniorLife facility. interrai (University of Michigan): This DSA facilitates the flow of de-identified data from CCRS, at CIHI to the interrai site at the University of Michigan. Patented Medicine Prices Review Board (PMPRB): This DSA permits the PMPRB to access the National Prescription Drug Utilization Information System (NPDUIS) Database. CIHI is also currently negotiating a DSA with the following data requestor: Canadian Nurses Association (CNA): This DSA will replace the previous agreement governing the flow of data regarding registered nurses and licensed practical nurses from CIHI to the CNA. Section 3: Policy Review CIHI is committed to the ongoing review of its privacy policies, procedures and practices in order to determine whether any amendments are needed or any new privacy policies, procedures and practices are required. This review takes place annually; any proposed changes to CIHI s privacy policies are brought to the Senior Management Committee for review and approval. In the case of material changes to CIHI s Privacy Policy, 2010, approval from the Board of Directors is required. The Privacy Policy was first approved by the Board in February Following is a list of the policies reviewed during and any action taken: Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010 (Privacy Policy, 2010): No changes Use of Mobile Computing Equipment Policy and related implementation measures: Policy to be rewritten to align with current technology Privacy and Security Training Policy: No changes i. interrai is a not-for-profit network of researchers committed to improving health care for persons who are elderly, frail or disabled through evidence-based clinical practice and policy decisions. 6

7 As mentioned in last year s report, a recommendation was put forward as a result of a privacy incident to review both the Privacy Breach Management Protocol (governing privacy breaches/suspected privacy breaches or incidents) and the InfoSec Incident Management Protocol (governing information security incidents and information security breaches). The goals were to reduce ambiguity, clarify roles and authority, and possibly merge the two protocols into a single privacy/security incident protocol. While, on paper, the two protocols were intended to address different types of incidents and breaches, in practice they were very similar. CIHI s new Privacy and Security Incident Management Protocol came into force effective April 2013 and was accompanied in September by a mandatory online training module intended to ensure that all staff were familiar with their responsibilities under the protocol. Section 4: Privacy and Security Training and Awareness Privacy and security awareness forms part of CIHI s mandatory privacy and security training. CIHI s Privacy and Security Training Policy encompasses both privacy and security orientation for new employees and ongoing privacy and security training for current employees. In addition, it sets out the requirements for traceable, mandatory privacy and security training for all CIHI staff. Staff awareness is critically important to CIHI s culture of privacy and security. Each September is Information Security Awareness Month at CIHI; this year, all staff completed enhanced online training on CIHI s new, simplified Privacy and Security Incident Management Protocol. An incident management desktop tool was also provided to all staff that gives them the information they need to know should they suspect that a privacy or security incident or breach has occurred. Every January is designated Privacy Awareness Month at CIHI. All CIHI staff successfully completed a recently updated mandatory Privacy and Security Fundamentals training module and renewed their Confidentiality Agreement. Privacy Resources Privacy and Legal Services makes available to staff a number of resources on privacy changes and trends within and outside of Canada. One such resource is a yearly compilation of excerpts relating to personal health information from the annual reports of privacy commissioners in Canada, which have particular relevance for CIHI. In addition, CIHI prepared a summary of the investigation report released by the British Columbia Information and Privacy Commissioner on June 26, 2013, related to three breaches of personal health data for research purposes that happened because the Ministry of Health failed to translate privacy and security policies into meaningful business practices. 7

8 Section 5: Privacy Impact Assessments CIHI adopted and implemented a Privacy Impact Assessment Policy in 2009 as its governing document on privacy impact assessments (PIAs). PIAs have been conducted for all CIHI databases containing either personal health information or health workforce personal information. They are renewed every five years or in the following circumstances: a. When significant changes occur to functionality, purposes, data collection, uses, disclosures, relevant agreements or authorities for a program, initiative, process or system that need to be reflected in the PIA; b. When other changes occur that may potentially affect the privacy and security of those programs, initiatives, processes and systems; or c. When CIHI s Chief Privacy Officer determines that an update of a PIA or a new PIA is required and recommends same. Privacy and Legal Services has created a Privacy Impact Assessment Log and Schedule to track and record the conduct of PIAs. For , the following PIAs are currently in progress or were completed: CIHI Portal: Renewal of the 2008 PIA Primary Health Care Voluntary Reporting System: Addendum to the PIA relating to the cessation of data collection as of December 1, 2013 Canadian Patient Experiences Survey: Preliminary PIA Patient-level physician billing data: New PIA Section 6: Privacy Audit Program CIHI s Privacy Audit program ensures that regular privacy audits are conducted within and outside the organization to monitor compliance with legislative and regulatory requirements, internal policies and procedures, and any other contractual obligations pertaining to privacy and security. The program is in line with the requirements of the Information and Privacy Commissioner of Ontario and is consistent with best practices. The program is risk-based and includes a multi-year plan. It consists of three types of reviews: program area audits, topic audits and external data recipient audits. Program area audits assess the program area s compliance with CIHI s privacy and security policies and privacy best practices. Topic audits may be narrower in scope than program area audits and focus on how a particular issue is managed across the organization. Program area audits and topic audits help CIHI identify any gaps or potential privacy and security vulnerabilities in its policies and practices. 8

9 External data recipient audits evaluate the use and management of CIHI s data and assess whether the recipient s activities comply with requirements set out in CIHI s Data Request Form and Non-Disclosure/Confidentiality Agreement. These audits demonstrate CIHI s diligence in evaluating all aspects of its Privacy program, including the obligations of external data recipients. Collectively, these audits serve a tremendous and inherent remedial and risk mitigation function by making recommendations to address any issues identified. In addition, CIHI incorporates lessons learned that result from findings of audits to support its priorities and strategic direction by identifying privacy and security best practices and strengthening policies, procedures and practices that could more adequately protect the personal health information of Canadians. Below are summaries of four audits approved in the Multi-Year Privacy Audit Plan: two carried over from and two from Identity Management Security Assessment ( ) CIHI conducted an assessment of its Identity Management System to determine whether its development (e.g., technologies) and deployment (e.g., people and processes) had been done in a privacy- and security-sensitive manner. The assessment resulted in eight recommendations, including a roadmap for implementation. Internal Data Access to Unencrypted (Original) HCNs by CIHI Staff ( ) CIHI undertook an audit of its staff s access to unencrypted (original) health card numbers (HCNs). The investigation revealed systemic problems in the data access process, supporting forms and software application. In the final report, five recommendations were made to address the identified gaps and to align processes with CIHI s Privacy Policy Procedures, 2010, including conducting staff awareness and education sessions. Identity Management Access Audit ( ) CIHI is currently conducting an access audit to assess compliance with the Identity Management System s standard operating procedures for authorization and authentication. This audit is in progress. Procurement of External Consulting Services ( ) CIHI undertook an audit to determine whether the process for procuring external consulting resources adheres to CIHI s privacy and security policies, procedures and standards. Recommendations were made, which are either already being put in place or will be implemented early in the next fiscal year. 9

10 Section 7: Privacy Breaches There were no major privacy breaches, as defined by CIHI s Privacy and Security Incident Management Protocol. Section 8: Renewal of CIHI s Prescribed Entity Status Under Ontario s Personal Health Information Protection Act, 2014 Every three years, the Information and Privacy Commissioner of Ontario (IPC/ON) is required to review the information practices of organizations designated as prescribed entities under Ontario s Personal Health Information Protection Act, 2004 (PHIPA). CIHI first received prescribed entity status in 2005, was subsequently renewed in 2008 and was again renewed in October A new process was implemented for the 2011 renewal in which the prescribed entities were required to perform a self-review and submit a detailed written report describing their privacy and security programs, with an affidavit sworn by their presidents and CEOs confirming the report and compliance with IPC/ON requirements. In preparation for renewal again in 2014, the prescribed entities were required to submit their reports to be reviewed by the IPC/ON in the fall of CIHI s report is currently under review, and we look forward to a renewal of our status in the fall of Conclusion The past year was busy and productive for the Privacy program at CIHI. In the year ahead, we look forward to having CIHI s prescribed entity status renewed and celebrating CIHI s 20th anniversary. 10

11 At the heart of data