ehealth EHR Viewer & Integration Joint Service/Access Policy Executive Summary for Authorized Provider Organizations ("APOs")

Transcription

1 ehealth EHR Viewer & Integration Joint Service/Access Policy July 31, 2013 Version BACKGROUND: Executive Summary for Authorized Provider Organizations ("APOs") ehealth Saskatchewan ("ehealth") is a Treasury Board Crown Corporation whose mission is to make patient information available electronically to patients and their healthcare team. One of ehealth's key initiatives is the Electronic Health Record Initiative ("EHR Initiative"). The focus of the EHR Initiative is as follows: To bring personal health information together from various sources such as Regional Health Authorities ("RHAs") and pharmacies; To standardize and organize the information for presentation on a client-centric basis; To provide the information to RHAs and Authorized Provider Organizations ("APOs"), such as physician clinics and pharmacies, through system-to-system integration or a webbased viewer. The personal health information brought together through the EHR Initiative (the "EHR Data") includes: Laboratory test results; Prescription drug information; Clinical documents, including discharge summaries; Immunization information; Chronic disease information; and Additional clinical information as added from time to time. Version -, 2013

2 2. HIGH LEVEL INFORMATION FLOW: Source Systems (Mostly RHAs & Ministry of Health for PIP) ehealth EHR Initiative - Standardize and normalize EHR Data - Organize on a patient-centric basis EHR Integration EHR Viewer Patient Portal* Point of Service Systems RHAs & APOs Healthcare Providers RHAs & APOs Patients (caregivers) * The Patient Portal is not included in the Policy. The Policy is focused on the sharing of information between ehealth and the APOs. The Patient Portal is in the initial planning phases. ehealth will be the trustee under the Health Information Protection Act ("HIPA") for the EHR Data shared with the APOs, with the exception of the Pharmaceutical Information Program ("PIP"). The Ministry of Health will remain as the trustee for PIP under HIPA. Once the EHR Data is shared with an APO through the EHR Integration or EHR Viewer, the APO becomes responsible under HIPA as the trustee of the information. 3. PURPOSE: The purpose of the Joint Services/Access Policy (the "Policy") is to outline the responsibilities of ehealth and the APOs for the sharing of EHR Data. The Policy is a legally binding document. All APOs must agree to comply with the Policy as a pre-requisite to collecting and using the EHR Data. The purpose of this Executive Summary is to provide a summary of the Policy for the APOs. It is intended as a summary only and all APOs must review the Policy in its entirety. 2

3 4. RESPONSIBILITY: ehealth is responsible to protect the EHR Data for so long as it is in ehealth's system. Once the EHR Data is transferred through a system-to-system integration (EHR Integration) or viewed (EHR Viewer) by employees or contractors of the APO, all further use and disclosure is fully the APO's responsibility. It is the responsibility of each APO to ensure they have authority and consent to collect and use EHR Data as outlined in the Policy. The APOs must comply with HIPA (or other applicable laws) and their detailed responsibilities as set out in the Policy. The APOs will be asked to fill out a Privacy and Security checklist when registering for access to the EHR Viewer. APOs must review and complete this form carefully. ehealth will be relying on the accurate completion of the forms by the APOs. 5. RESTRICTION ON COLLECTION AND USE: The primary purpose for collection and use of the EHR Data by the APOs is to provide and support a healthcare service for the individual to whom the information relates. Collection and use of EHR Data for any other purpose is prohibited unless pre-approved specifically in the Policy or in writing by ehealth and the Ministry of Health. 6. CONSENT: The EHR Data is only to be collected and used by APOs for the primary purpose of providing and supporting a healthcare service for the individual to whom the information relates. The issue of consent and communication with patients is one that always needs to be addressed by the individual healthcare provider with the individual patient. ehealth recommends APOs and healthcare providers use implied or express consent rather than deemed consent as set out in HIPA. ehealth will support the APOs or healthcare provider's use of implied consent as follows: Ensure brochures and other communication materials are available for the APOs; Have information available for patients via the ehealth web-site; Answer questions from patients or healthcare providers by providing telephone support. Contact information is as follows: Mail: ehealth Privacy Service Suite 360, 10 Research Drive Regina, SK S4S 7J7 Phone: [email protected] Fax: (306)

4 Offer patient control mechanisms to patients to restrict access to their EHR Data. Current patient control mechanisms include: o Full Block this allows the patient to prevent any access to their EHR Data through the EHR Integration or EHR Viewer. o Masking this allows the patient to mask their EHR Data. A User can unmask the EHR Data where the patient expressly consents, in emergency circumstances, etc. In addition, on request from the patient, ehealth will provide a report to the patient showing who has viewed their information in the EHR Viewer. 7. NEED-TO-KNOW: All APOs must ensure all employees or contractors access and use information only on a strict need-to-know basis to provide or support patient care. 8. SAFEGUARDS: As a trustee, the APO must ensure that it has appropriate physical, organizational and technical safeguards in place as required by HIPA (or other applicable law). All APOs must ensure they follow all recommendations provided by ehealth for system requirements, etc. Assistance is available from the websites for the Saskatchewan Medical Association, College of Physicians & Surgeons, College of Pharmacy, and the Saskatchewan Office of the Information and Privacy Commissioner. 9. AUDITS: ehealth will log and track all access by Users and investigate if there is evidence of improper collection or use. On request, ehealth will provide an audit report to the APO showing the employees or contractors of that APO who have accessed personal health information through the EHR Viewer. 10. ENFORCEMENT: A breach of the Policy or HIPA (or other applicable law) is serious for both healthcare providers and the APO. Enforcement action may include: Investigation and suspension or termination of the healthcare provider's or APO's access to the EHR Initiative; Reporting the incident to the Professional Colleges or to the police for investigation HIPA includes criminal penalties with a fine of up to $50,000 and imprisonment of not more than one year; and/or Liability for any damages for claims from patients. 4

5 11. CHRONIC DISEASE MANAGEMENT QUALITY IMPROVEMENT PROGRAM ("CDM_QIP"): If you are a Physician participating in the CDM-QIP Program, please see the Clinical Best Practices at regarding the completion of the CDM-QIP templates and forms. ***END*** 5