How To Understand The Health Care System In Canada

Transcription

1 Healthcare Interoperability Between Canada and the United States A Presentation to IAPP Canada Privacy Symposium May 9, 2014 Rick Shields - nnovation LLP and Joan Roch Canada Health Infoway 1

2 This is not legal advice... 2

3 Our Agenda Meet the panel EHR backgrounder Canadian health information privacy/security setting What does HIPAA-compliant mean? Buying/selling EHR technology in Canada: Canadianizing the product Canada Health Infoway: Canada s EHR quarterback Q & A 3

4 EHR - What is it? An EHR refers to the systems that make up the secure and private lifetime record of a person s health and health care history. These systems store and share such information as lab results, medication profiles, key clinical reports (e.g., hospital discharge summaries), diagnostic images (e.g., X-rays), and immunization history. The information is available electronically to authorized health care providers. Canada Health Infoway 4

5 EHR A National Plan In Canada, EHR development is being guided by Canada Health Infoway With its partners, Infoway helps accelerate the development, adoption and effective use of digital health solutions across Canada Each jurisdiction has its own EHR Common architecture is accepted across Canada Architecture includes privacy and security requirements Standards resources, tools and education for stakeholders and implementers Infoway Standards Collaborative Canada Health Infoway

6 EHR or EMR? Typically, an EMR is an electronic version of the traditional paper records used to capture patient data Can be quite simple (e.g., geared to a single doctor s office) or more complex (e.g., used by a group medical practice; health facility) A point of service (POS) in the EHR system 6

7 EHR or EMR? an electronic medical record (EMR) is an office-based system that enables a health care professional, such as a family doctor, to record the information gathered during a patient s visit. This information might include a person s weight, blood pressure and clinical information, and would previously have been hand-written and stored in a file folder in a doctor s office. Eventually the EMR will allow the doctor to access information about a patient s complete health record, including information from other health care providers that is stored in the EHR Canada Health Infoway Canada Health Infoway

8 EHR Data Sources EHRs will make personal health information (PHI) from points of service (POS) available to health information custodians/trustees. POS can include: Clinical information systems (CIS)/electronic medical records (EMR) Hospital information systems (HIS) Pharmacy information systems (PIS) Laboratory information systems (LIS) Digital image/picture archiving and communications systems (DI/PACS) 8

9 EHR Architecture Canada Health Infoway

10 Points of care Clinic Homecare Emergency Services Community Care Centre Pharmacy Specialist Clinic Laboratory Hospital Emergency Diagnostic Canada Health Infoway

11 One patient, one record Results and images Patient information Medical alerts Medication history Interactions Problem list Immunization Canada Health Infoway

12 EHR Interoperability Goal is to have systems that are interoperable and that conform with applicable privacy and security standards imposed/suggested by Canadian law/best practices HIPAA-compliant technology is fine, as long as it can meet privacy/security obligations of Canadian customer Many overlaps between US and Canadian privacy and security requirements for PHI 12

13 Canadian PHI Privacy Setting Many laws potentially in play: 7 provincial PHI laws in force (AB, SK, MB, ON, NB, NS and NL); 2 territorial PHI laws passed but not yet in force (YT and NWT); PHI law for PEI introduced April 22, 2014 EHR-specific laws in BC and QC NS law governing international disclosures of PI similar to limitations in BC s FIPPA Provincial/federal public sector laws (all jurisdictions) PIPEDA (note substantial similarity issue) Provincial private sector laws (BC, Alta. and QC) Provincial/territorial health sector laws 13

14 Privacy and health information laws LEGEND Provincial health information laws (deemed substantially similar to PIPEDA) Provincial health information protection laws/provisions Provincial private sector privacy laws (deemed substantially similar to PIPEDA) YK NT NU Federal private sector privacy law ( PIPEDA ) Federal public sector access to information and privacy laws Provincial public sector freedom of information and privacy laws BC AB SK MB QC ON PE NL * ON - Bill 78 second reading November 20, 2013 NB YK - Bill 61 assented December 12, 2013 NS NWT - Bill 4 assented March 13, 2014 PEI - Bill 42 first reading April 22, 2014 April 2014 Canada Health Infoway

15 Canadian PHI Privacy Setting (cont d) Inter-jurisdictional efforts being made to harmonize rules governing electronic PHI, but no uniform law(s) on horizon As result, regional variations exist that can impact relationship between custodian/trustee and technology providers Key is to know and apply relevant laws in jurisdiction(s) in which you operate Privacy/security obligations of technology vendors/agents/ information managers should be established by contract 15

16 US PHI Privacy Rules Focus on federal laws/rules pre-emption of conflicting State laws Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Privacy Rule (2003) as amended The Security Rule (2003) as amended The Enforcement Rule (2006) as amended Privacy section of the Health Information Technology for Economic and Clinical Health Act (HITECH) (2009) The Breach Notification Rule (2009) as amended The Final Omnibus Rule (2013) Complex rules applicable to covered entities and business associates /subcontractors 16

17 Meaning of HIPAA-compliant HIPAA-compliant refers to systems that possess certain administrative, physical and technical features/safeguards as specified in the Rules made under HIPAA/HITECH: Access control (access levels and user roles) Password management Log-in monitoring Unique user identification Automatic logoff 17

18 Meaning of HIPAA-compliant (cont d) Audit logging/reporting Security incident tracking PHI backup/storage Encryption/decryption PHI integrity controls Emergency access procedure Disaster recovery plan Network/transmission security features Facilitated access by individuals to PHI in EHR 18

19 Meaning of HIPAA-compliant (cont d) If processing data for covered entity/business associate: Facility security plan, including facility/system access controls Business associate agreement and downstream agreement with subcontractor(s) Security incident response and reporting process Workforce authorization/clearance, supervision and termination procedures Electronic media re-use/disposal PHI retention, disposal/return processes 19

20 Canadian EHR Contracts In Canada, rules/policies/best practices typically key on same features as those required under HIPAA, so those features should be reflected in contract with vendor But may also want/need to contract for additional features or functionalities: Express consent capture feature Documentation and management of patient privacy preferences and a related data masking/ lock-box feature 20

21 Canadian EHR Contracts (cont d) Capacity to display/print entire patient record chronologically and produce same in readily comprehensible format if requested Jurisdiction-specific retention/disposal controls PHI accuracy/correction/annotation/notification feature Data redaction capability ISO 27002/ISO 27799/ISO conformity Training module(s) 21

22 Canadian EHR Contracts (cont d) Confidentiality acknowledgement/notices at initial log-in, at periodic intervals and/or on printed reports Regional/facility limits on access to PHI within defined user roles Enhanced threat detection/protection features Means of preventing unauthorized copying of PHI to portable media In some jurisdictions (e.g., BC and NS), limits on international disclosure of PHI 22

23 Canadian EHR Contracts (cont d) Interoperability with specified existing/planned jurisdictional EHRs to facilitate PHI transfers Can produce electronic signatures as per applicable Canadian law Audit features that Capture date, time, user identity re. PHI access, input, amendment Preserve original content of record Permit printing of patient-specific audit report that doesn t include other PHI from patient file 23

24 Other Considerations May need to perform/participate in PIA Focus on present and future needs for interoperability with other systems (e.g., EHRs) don t want to have to replace expensive system prematurely Define all key terms e.g., PHI, EMR, EHR, etc. Always confirm ownership and/or control of PHI Address PHI sharing, service levels, installationrelated impacts on operations Lots of guidance materials available: CHI, COACH, CMPA, Commissioners 24

25 Infoway as Quarterback Project Agreements Privacy Impact Assessment policy for Infoway funded programs Certification Services 9 program areas Privacy and security are key components Canada Health Infoway

26 Infoway as Quarterback EHR Blueprint Privacy & Security Requirements 2014 refresh underway Privacy & Security Conceptual Architecture Emerging Technology Group (ETG) Cloud computing 2 papers on mobile computing Big Data Each paper addresses P&S Projects Consent Management solutions Canada Health Infoway

27 Infoway as Quarterback Bringing people together to find potential solutions - The Privacy Forum - The Health Information Privacy Group Privacy and EHR Information Flows in Canada: Common Understandings of the Pan-Canadian Health Information Privacy Group V1 released June 2010 V2 released July 2012 Canada Health Infoway

28 Resources Canada Health Infoway, Electronic Health Records Privacy and Security Requirements; online: Canada Health Infoway, v1.1, 2005, Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture; online: Canada Health Infoway, 2008, A Conceptual Privacy Impact Assessment (PIA) on Canada s Electronic Health Record Solution (EHRS) Blueprint Version 2; online: Canada Health Infoway, 2012, Business and Architecture Considerations for Interoperable Consent Solutions A Discussion Document; online: business-and-architecture-considerations-for-interoperableconsent-solutions-a-discussion-document 28

29 Resources Canada Health Infoway, 2012, Privacy and EHR Information Flows in Canada, Version 2; online: 26-privacy-and-ehr-information-flows-in-canada-version-2-0 Canada Health Infoway, 2010, Privacy and EHR Information Flows in Canada, Version 1; online: 6-privacy-and-ehr-information-flows-in-canada Canadian Health Informatics Association (COACH), Putting It into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records: 2013 Guidelines; online: ts/putting-it-into-practice_privacysecurityhealthcareproviders.pdf 29

30 Canadian Medical Protective Association (CMPA), Electronic Records Handbook; online: _handbook-e.pdf Cavoukian, A. & Rossos, P., Personal Health Information: A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records; online: Sawatsky, E., Information Sharing Agreements for Disclosure of EHR Data within Canada; online: 30

31 Q & A 31

32 Contact Joan Roch Chief Privacy Strategist Canada Health Infoway Rick Shields Partner nnovation LLP