How To Ensure Your Health Care Is Safe
- Kerrie Wells
- 5 years ago
Guidelines for Custodians to assess compliance with the Personal Health Information Privacy and Access Act (PHIPAA)

This document is designed to help custodians evaluate readiness for compliance with PHIPAA and to help identify where policies or practices may need to be developed and/or changed to ensure compliance. It is intended to complement the document entitled: Preparing for the Personal Health Information Privacy and Access Act (PHIPAA): a checklist for custodians.

NOTE: This document is a guide only; it is not intended to provide a complete statement of your organization's legal obligations and as such it should not be construed as legal advice. Reference should always be made to the official text of PHIPAA and its regulations for a complete statement of the law and for further information about the points presented here. The relevant sections of the Act are referenced in parentheses throughout the document to assist you.

1. Are you a custodian as defined by PHIPAA? (Section 1)

PHIPAA applies to personal health information that is collected, used or disclosed by a custodian or that is in the custody or control of the custodian. Custodian means an individual or organization that collects, maintains or uses personal health information for the purpose of providing or assisting in the provision of health care or treatment or the planning and management of the health-care system or delivering a government program or service and includes:

(a) public bodies,
(b) health-care providers,
(c) the Minister,
(d) the following organizations or agencies:
    (i) Ambulance New Brunswick Inc.,
    (ii) the New Brunswick Health Council,
    (iii) FacilicorpNB Ltd.,
    (iv) regional health authorities,
    (v) WorkSafeNB
    (vi) Canadian Blood Services,
(e) information managers,
(f) researchers conducting a research project approved in accordance with this Act,
(g) health-care facilities,
(h) a laboratory or a specimen collection centre,
(i) nursing homes and operators as those terms are defined in the Nursing Homes Act, and
(j) a person designated in the regulations as a custodian.

Are you (or is your organization) a custodian as defined above?

2. Do you collect, use, disclose or maintain personal health information that may be subject to PHIPAA? (Sections 1 and 3)

PHIPAA applies to personal health information that is collected, used, maintained or disclosed by a custodian or that is in the custody or control of the custodian. Personal health information is defined in part as identifying information about an individual pertaining to that person's mental or physical health, family history or health care history. This includes:

- genetic information;
- registration information, including the Medicare number of the individual;
- information about payments or eligibility for health care or health-care coverage;
- information pertaining to a donation by the individual of any body part or bodily substance;
- information derived from the testing of a body part or bodily substance of the individual; and
- information that identifies the individual's health-care provider or substitute decision maker.

Certain records and information containing personal health information may not be subject to PHIPAA. Please refer to Question 3 and also consult the Act for more information.

Do you have records containing personal health information?

3. Do the exceptions defined in PHIPAA, which exclude personal health information from the application of PHIPAA, apply to the personal health information in your custody or control? (Sections 3 and 4)

The Act provides for certain instances whereby personal health information will be excluded from the application of PHIPAA and the Act will not apply.
For example, the Act does not apply to:

- an individual or organization that collects, maintains or uses personal health information for purposes other than health care or treatment and the planning and management of the health-care system, or for delivering a government program and service including: employers (public and private), insurance companies, regulatory bodies of health-care providers, licensed or registered health-care providers who do not provide health care, and certain other individuals or organizations prescribed by regulation;
- personal health information in a record created 100 or more years ago or where 50 or more years have passed since the death of the individual;
- information in a court record, such as a record of support services provided to a judge or court official;
- a record created or information held by a person under the provisions of certain other Acts of the Legislative Assembly, including the Family Services Act, the Mental Health Act, and any other Act of the Legislative Assembly prescribed by regulation.

Consult the Act and regulations for more information on instances where PHIPAA may not apply.

Check yes if there are exceptions that may exclude the personal health information in your custody or control from the application of PHIPAA.

Your answers to Questions 1, 2, and 3 may be used to assess whether PHIPAA will apply to all or some of the personal health information in your custody or control. For a more comprehensive assessment of the application of PHIPAA in your specific circumstances, consult the Act and regulations.

4. Rights of the individual

4.1. Obtaining consent (Sections 17, 18, 19)

General considerations regarding consent

Have you obtained consent from the individual for the collection, use or disclosure of personal information unless otherwise required or permitted by the Act or by law?

Is consent knowledgeable? (For consent to be knowledgeable, individuals must be informed (by way of a readily available notice or similar means) in laymen's terms about the purpose of the collection, use or disclosure of their information both within and outside of the circle of care and informed of their right to withhold or withdraw their consent.)

Is consent specifically related to the personal health information collected and the purpose(s) for which it will be used?

Is consent voluntary (consent may not be coerced)?

Express consent

Where applicable, have you obtained express consent for the collection, use or disclosure of personal health information? (Where consent is required by the Act, it must be express unless the Act specifically permits an implied consent; see below.) Express consent will generally be required when information is being disclosed to any of the following (unless otherwise provided in the Act):

- the media;
- a person for the purpose of fund-raising;
- a visitor to a health-care facility;
- a person for a non-health care related purpose (for example, information disclosed to an insurance company);
- a person outside of New Brunswick (some exceptions apply; refer to Section 47); and
- a person for the purpose of research (some exceptions apply; refer to Section 43).

Will you ensure the express consent is obtained in writing from the individual or his or her substitute decision-maker?

Have the general considerations for consent outlined in been met?

4.1.3 Implied consent

Is there implied knowledgeable consent of the individual to share his/her personal health information within the circle of care for providing health care to that individual? (For implied knowledgeable consent to exist, it must be reasonable to assume that the individual understands the purpose for the collection, use or disclosure of his or her personal health information within the circle of care and the implications of providing or withdrawing consent.)

Have the general considerations for consent outlined in been met?

Consent not required

If you will collect, use or disclose personal health information without consent, has the authority under the Act to do so been documented and confirmed?

Do you have a process in place to ensure there is a record of all personal health information disclosed without consent under the Act as required by Section 46?

4.2. Consent Directives (Section 22)

Where consent has been obtained, are there procedures in place to address an individual's request to withdraw consent to the collection, use or disclosure of his or her personal health information?

Are procedures in place to control and monitor situations where a custodian may be required to override an individual's consent directive in accordance with the Act (for example, for health and safety reasons)? (Procedures should include, but not be limited to: logging, monitoring and auditing consent directive overrides to ensure that they are documented and authorized by the Act.)

If information networks are used, is a process in place to inform individuals about how they can exercise their right to prevent access to or disclosure of their personal health information contained in an information network? (Note, however, that an individual may not withhold his or her consent for the collection of personal health information by a custodian for creating and maintaining an information network.)

4.3 Right to be informed (Section 31)

Have you taken reasonable steps to directly inform individuals whose personal health information is being collected directly of the purpose (including anticipated uses and disclosures) for which the information is being collected before or as soon as practical after it is collected? (Reasonable steps may include, for example, creating a poster or a privacy notice and making it available on the custodian's website or as a handout; notifying individuals either verbally or in writing about how they may obtain a copy of the organization's privacy notice; and describing the purpose of collection on forms used to collect personal health information.)

4.4. Collecting the Medicare number (Section 48)

Are individuals only required to produce their Medicare number for reasons connected to health services?

If you require the Medicare number for non-health purposes, is the collection authorized by an Act or regulation? (If not, collection can be voluntary, but cannot be made as a condition of receiving a service. Individuals must have the option of using other identification.)

Individual's right to complain to the Access to Information and Privacy Commissioner regarding an action/decision of a custodian (Part 6)

Are individuals informed of their right to contact the Access to Information and Privacy Commissioner to request a review of an action taken or a decision made in the event that you cannot resolve a concern regarding their personal health information?

4.6. Individual's ability to designate a substitute decision-maker (Sections 25, 26)

Do you have procedures to process an individual's written request to designate another individual to act on his or her behalf regarding his or her rights pertaining to his or her personal health information?

If an individual is not able to act on his or her behalf, do you ensure that the designated person meets one of the circumstances identified in Section 25 of the Act?

4.7. Requests for access to personal health information (Part 2, Division A)

Have you established procedures to receive requests for, and provide access to, records containing personal health information?

Will you charge a fee for providing access? If so, is it consistent with the regulations under PHIPAA?

When responding to requests for disclosure of personal health information, do you have procedures in place to uniquely identify the individual to whom the information relates before granting access to the information?

4.8. Requests to correct personal health information

Have you established procedures to correct records of personal health information when required by the individual about whom the information pertains; or to place a statement of disagreement on the records of the individual's personal health information?

5. Protection of personal health information

5.1. Duty to protect (Section 50)

Have you developed a security policy and supporting procedures that outline how your organization will ensure that reasonable safeguards are in place to protect the confidentiality, security, accuracy and integrity of the personal health information in your custody or control?

Has a review been conducted to ensure that information practices and policies conform with industry standard (national or jurisdictional) information technology security standards and processes appropriate for the level of sensitivity of the personal health information to be protected?

Have you implemented reasonable physical safeguards such as locked cabinets and use of access cards to control entry to storage areas that contain personal health information?

Have you implemented reasonable administrative safeguards such as background checks, mandatory employee training and appropriate privacy and security policies to protect personal health information against risks such as unauthorized access, use, disclosure or modification?

Have you implemented reasonable technical safeguards such as appropriate encryption of personal health information, strong passwords, anti-virus protection and firewalls to protect personal health information against unauthorized access, use, disclosure or modification?

Are the policies and procedures described above designed to protect information in all forms including, but not limited to paper records; computer records including databases, , electronic forms; and microfilm/fiche?

5.2. Retention, storage and secure destruction (Section 55)

Do you have written policies for the retention, archival storage, access and secure destruction of personal health information in your custody and/or control?

Do your existing procedures enable compliance with such policies?

Do retention policies comply with any applicable legislative requirements?

Do the above policies apply to records in all formats (for example, paper, electronic databases, , microfilm/fiche) regardless of media?

Are there policies or procedures that ensure personal health information is securely destroyed when no longer required? (Policies should mitigate risks such as records containing personal health information thrown in a garbage can or electronic records not completely removed from a hard drive sold for salvage.)

Do you have a formal/secure system and process to backup electronic data contained on all computer systems that store personal health information?

Are backup tapes securely stored and appropriately destroyed once they have reached the end of their useful life?

Do you ensure paper records are safely stored where they will not suffer damage from risks such as flooding/water damage?

Do you keep a formal record of the contents of all records containing individuals' personal health information destroyed in accordance with the retention and/or destruction policy?

Is personal health information in the organization's custody or control stored outside Canada only for authorized purposes (storage outside of Canada is not permitted unless the individual has consented or unless such storage is specifically authorized under the Act)?

5.3. Information Management Service Provider agreements (Section 52)

Have you identified all information managers (for example, paper shredding services, IT service providers) engaged by your organization in delivering programs and services?

Do you have written agreements with all information managers that contain appropriate privacy and security clauses including:

- a description of how the personal health information will be protected against risks such as unauthorized access to or use or disclosure of the information, unsecure destruction or alteration;
- the requirement for the information manager to comply with the PHIPAA and regulations;
- the requirement that information managers do not store personal health information outside of Canada except in the case of maintenance and technical support provided for personal health information systems or unless otherwise provided for in the Act.

Duty to collect accurate information (Section 53)

Do you take reasonable steps to ensure that the personal health information you collect is accurate and complete?

6. Collection, use and disclosure

6.1. Limitations on collection (Section 29)

Do you take steps to limit the personal health information that is collected, used or disclosed to only what is necessary to satisfy the purpose of the collection, use or disclosure?

Do you use or disclose de-identified personal health information if it will serve the purpose as identifiable information?

6.2. Manner of collection (Section 28)

Do you only collect personal health information directly from the individual about whom that information pertains?

If personal health information is collected indirectly from other sources, has the individual consented to collection by the other means or does the collection fall under one of the exceptions specified in Section 28 of the Act?

When collecting personal health information from other sources, do you take reasonable steps to verify the accuracy of the information?

6.3. Restrictions on use and disclosure (Sections 32-45)

Do you have policy or procedures to limit the use and disclosure of personal health information to the minimum amount of information necessary to accomplish the purpose for which it is to be used or disclosed?

Do you have policy or procedures to restrict access to or disclosure of an individual's personal health information by persons such as employees, volunteers and others who do not need to know the information to perform their jobs?

Do you have consent from individuals for every use of their personal health information?

If you do not always have consent to use an individual's personal health information, does the use meet one of the criteria outlined in Section 34 of the Act?

Do you take steps to ensure that consent is obtained prior to disclosing personal health information unless the disclosure is specifically authorized by the Act?

If you do not have consent to disclose an individual's personal health information, is the reason for disclosure one of the circumstances identified in Section 37(6) and Sections of the Act? (These sections allow limited disclosure without consent.)

Do you inform non-custodians that they can only use personal health information for the purpose(s) for which you are disclosing it to them and for no other reason, except where permitted by the Act?

Do you have a policy requiring that personal health information be de-identified in circumstances where consent for use or disclosure has not been obtained and where the use or disclosure of personal health information is not authorized by the Act?

In the case where de-identified information will be used or disclosed, do you have procedures in place to provide reasonable assurance that the information cannot be used either alone or in combination with other information to re-identify an individual or individuals whose personal health information is contained in the data set?

6.4. Use or disclosure for research (Section 43)

Will personal health information be used or disclosed for research?

If personal health information is to be used or disclosed for research, has the project been approved by an authorized research review body having met all of the requirements of the Act?

7. Other things to consider: general privacy practices

7.1. Responsibility for privacy

Have you designated one or more individuals who will be responsible for implementing and overseeing compliance with PHIPAA? (Individual(s) should be appropriately trained and be provided with adequate resources to do the job.)

7.2. Privacy policy development and compliance

Do you have a written privacy policy intended to ensure compliance with the Act within your organization?

Are staff and contractors familiar with the privacy policy, and are they periodically reminded of their responsibilities for compliance with the policy?

Are staff and contractors required to sign confidentiality agreements that contain a written requirement for them to comply with PHIPAA and the organization's privacy policies?

Are procedures in place to monitor and ensure agents' (for example, employees, contractors, volunteers) compliance with the organization's privacy and security policies?

7.3 Privacy notice

Have you developed a publicly displayed privacy notice for your organization that will provide individuals with reasonable notice of your organization's privacy practices? (A privacy notice may be made available, for example, on the organization's website, incorporated within posters and brochures, or by way of voice recording.) A privacy notice is a communication tool that is different than (but must be consistent with) the organization's privacy policy. The privacy policy is an internal document that outlines employees' and agents' responsibilities for privacy under the legislation.

Have you reviewed the organization's forms, applications, etc., that are used to collect personal health information to ensure that individuals are appropriately informed about the purposes for the collection of the information at the time it is provided?
This may be done either by incorporating an explanation of the purpose directly within the forms or by a short statement explaining how the individual may obtain a copy of the privacy notice or obtain more information about the purpose of the collection.

7.4. Privacy training and awareness

Do you have a plan in place to regularly deliver mandatory privacy training to all employees and contractors to reinforce their obligations under PHIPAA and the organization's privacy policies?

Do you have a plan in place to communicate the organization's privacy policies to employees and to assist employees/managers develop procedures that support alignment with the policies?

7.5. Privacy inventory and gap analysis

Have you completed an inventory of your organization's information holdings and identified the various purposes for which you collect, use and disclose personal health information?

Have you conducted a gap analysis based on the inventory to determine areas of risk and non-compliance?

7.6. Investigation of privacy incidents and breaches

Do you have a process for receiving and investigating privacy complaints in a timely manner?

Have you developed a privacy incident response policy and procedures to manage and contain a privacy breach should it occur?

Have you developed a process for reporting a privacy breach to the Access to Information and Privacy Commissioner and for notifying the affected individual(s)?

CNB
Intrductin This agreement is the cntract that cvers yur and Harbrstne Credit Unin s rights and respnsibilities cncerning Online Banking, Online Bill Pay ( Bill Pay ), and Electrnic Statement ( estatement
Columbine Federal Credit Union ONLINE BANKING/ BILL PAYMENT AGREEMENT & DISCLOSURES AND PRIV ACY DISCLOSURE
Clumbine Federal Credit Unin ONLINE BANKING/ BILL PAYMENT AGREEMENT & DISCLOSURES AND PRIV ACY DISCLOSURE 1. Online Banking/Bill Payment 2. Online Banking/ Bill Payment Limitatins 3. Online Bill Payment
Process of Setting up a New Merchant Account
Prcess f Setting up a New Merchant Accunt Table f Cntents PCI DSS... 3 Wh t cntact?... 3 Bakcgrund n PCI... 3 Why cmply?... 3 Hw t cmply?... 3 PCI DSS Scpe... 4 Des PCI DSS Apply t Me?... 4 What if I am
IMPORTANT INFORMATION ABOUT MEDICAL CARE FOR YOUR WORK-RELATED INJURY OR ILLNESS
IMPORTANT INFORMATION ABOUT MEDICAL CARE FOR YOUR WORK-RELATED INJURY OR ILLNESS MEDICAL PROVIDER NETWORK (MPN) NOTIFICATION If yu are injured at wrk, Califrnia Law requires yur emplyer t prvide and pay
Request for Resume (RFR) CATS II Master Contract. All Master Contract Provisions Apply
Sectin 1 General Infrmatin RFR Number: (Reference BPO Number) Functinal Area (Enter One Only) F50B3400026 7 Infrmatin System Security Labr Categry A single supprt resurce may be engaged fr a perid nt t
RQ10.06 AACo Share Trading Policy
Australian Agricultural Cmpany Limited ACN 010 892 270 RQ10.06 AAC Share Trading Plicy Versin 5 This plicy was apprved by the Bard f Australian Agricultural Cmpany Limited n 15 December 2010. This plicy
nbn is committed to identifying hazards, preventing workplace accidents and minimising dangerous health safety and environment incidents.
Incident & Hazard Reprting Overview At nbn we are safe, disciplined and reliable. nbn is cmmitted t preventing injury, illness and envirnmental harm by prviding a safe and healthy wrking envirnment fr
Creating an Ethical Culture and Protecting Your Bottom Line:
Creating an Ethical Culture and Prtecting Yur Bttm Line: Best Practices fr Crprate Cdes f Cnduct Nte: The infrmatin belw and all infrmatin n this website is nt meant t be taken as legal advice. Please
CSAT Account Management
CSAT Accunt Management User Guide March 2011 Versin 2.1 U.S. Department f Hmeland Security 1 CSAT Accunt Management User Guide Table f Cntents 1. Overview... 1 1.1 CSAT User Rles... 1 1.2 When t Update
TITLE: RECORDS AND INFORMATION MANAGEMENT POLICY
TITLE: RECORDS AND INFORMATION MANAGEMENT POLICY REFERENCE NUMBER: 14/103368 RESPONSIBLE DEPARTMENT: Crprate Services APPLICABLE LEGISLATION: State Recrds Act 1997 Lcal Gvernment Act 1999 Crpratins Act
STANDARDS OF THE MINNESOTA LEMON LAW
STANDARDS OF THE MINNESOTA LEMON LAW The fllwing is a brief explanatin f mst relevant prvisins f the Minnesta lemn law. The cmplete text f the lemn law can be fund at Minn. Stat. Ann Sec. 325F.665. VEHICLES
State Fleet Card Oversight Usage and Responsibilities
State Fleet Card Oversight Usage and Respnsibilities Intrductin The Department f General Services (DGS), Office f Fleet and Asset Management (OFAM) administers a statewide ne-prvider payment system cntract
Internet and E-Mail Policy User s Guide
Internet and E-Mail Plicy User s Guide Versin 2.2 supprting partnership in mental health Internet and E-Mail Plicy User s Guide Ver. 2.2-1/5 Intrductin Health and Scial Care requires a great deal f cmmunicatin
Chris Chiron, Interim Senior Director, Employee & Management Relations Jessica Moore, Senior Director, Classification & Compensation
TO: FROM: HR Officers & Human Resurces Representatives Chris Chirn, Interim Senir Directr, Emplyee & Management Relatins Jessica Mre, Senir Directr, Classificatin & Cmpensatin DATE: May 26, 2015 RE: Annual
Cloud-based File Sharing: Privacy and Security Tutorial Institutional Compliance Office July 2013
Clud-based File Sharing: Privacy and Security Tutrial Institutinal Cmpliance Office July 2013 Patient Data in the Clud Prtecting patient privacy is ne f MD Andersn s greatest respnsibilities Technlgies
ES PROCEDURES FOR OVERPAYMENT RECOVERY
ES PROCEDURES FOR OVERPAYMENT RECOVERY Effective: 7/1/2012 Respnsible Office: Emplyee Services (ES) Apprved: ES Directr Applicatin: All Emplyees f the University f Clrad Plicy The University f Clrad will
POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014
State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)
NHVAS Mass Management Spot Check Checklist
Legal Entity Name f NHVAS Operatr: DTMR Representative: Lcatin: NHVAS Mass Management Spt Check Checklist Spt Check Date: Spt Check Number: DMS Number: 540/ The fllwing surces f evidence have been identified
Bill Payment Agreement & Disclosures
Bill Payment Agreement & Disclsures Welcme t Online Banking Bill Payment Service. Use f the Bill Payment Service indicates acceptance f terms and cnditins set frth in the Online Banking Agreement & Disclsures
CMS Eligibility Requirements Checklist for MSSP ACO Participation
ATTACHMENT 1 CMS Eligibility Requirements Checklist fr MSSP ACO Participatin 1. General Eligibility Requirements ACO participants wrk tgether t manage and crdinate care fr Medicare fee-fr-service beneficiaries.
