EMBEDDING PRIVACY INTO ELECTRONIC HEALTH RECORDS. Manuela Di Re Associate Director of Legal Services Information and Privacy Commissioner of Ontario

Transcription

1 EMBEDDING PRIVACY INTO ELECTRONIC HEALTH RECORDS Manuela Di Re Associate Director of Legal Services Information and Privacy Commissioner of Ontario

2 Presentation Outline 1. Definitions 2. Need to Protect Privacy of Individuals Personal Health Information 3. The Promise of Electronic Health Records 4. The Peril of Electronic Health Records 5. Consequences if Inadequate Attention Paid to Privacy 6. Privacy Issues in the Design of Electronic Health Records 7. Privacy Issues in the Transition to Electronic Health Records

3 Definitions Electronic Health Record An electronic record of the health and of the care and treatment provided to an individual that integrates information provided by multiple providers of health care to the individual Electronic Medical Record An electronic record used by one health care provider or facility that includes information about the care and treatment provided only by that one health care provider or facility Personal Health Record An application that allows individuals to create, review, annotate or maintain a record in respect of their own care and treatment

4 The Need to Protect the Privacy of Individuals Personal Health Information The need to protect the privacy of individuals personal health information has never been greater given the: Extreme sensitivity of personal health information Greater number of individuals involved in the delivery of health care to an individual Increased portability of personal health information Emphasis on information technology and electronic exchanges of personal health information Need to use or disclose health information for secondary purposes seen to be in public interest

5 The Promise of Electronic Health Records Facilitate provision of more efficient and effective health care and improve the quality of diagnosis and treatment Readily accessible by all health care providers involved in the health care of an individual regardless of their location More complete than paper records which are spread over a range of health care providers Easier to read and locate than paper records and require less space and fewer administrative resources to maintain Can be designed to enhance privacy i.e. access controls, audit logs, encryption and user authentication

6 The Peril of Electronic Health Records If privacy is not built into the design, electronic health records pose unique risks to the privacy of individuals and to the security of personal health information Allow for the collection, use and disclosure of massive amounts of personal health information from diverse sources May attract hackers and others with malicious intent, including health care providers who would otherwise be permitted to access these systems but who access the information for other than health care purposes Once information is in electronic format it is easy to transfer to portable devices and removed from a secure location

7 Order HO-002- Unauthorized Access A patient told a hospital that her estranged husband and his girlfriend were employees and that she did not want them to know she was a patient Following discharge the patient became concerned, following a conversation with her estranged husband, that he was aware of her personal health information The complainant filed a complaint and the hospital placed a VIP flag on her electronic record of personal health information and ordered an audit The girlfriend, a nurse who was not involved in the health care of the patient, viewed the electronic record of personal health information on numerous occasions

8 Order HO-010- Unauthorized Access A patient complained to a hospital that an employee of the hospital inappropriately accessed the patient s records of personal health information The employee of the hospital was the former spouse of the patient s current spouse An audit revealed that the records of the patient were accessed by the employee on six separate occasions The employee was not involved in providing or assisting in providing health care to the patient

9 Orders HO-004, HO-007 and HO Portable Devices The Information and Privacy Commissioner of Ontario has issued three orders in the context of portable devices: Order HO-004 Theft of a laptop containing the unencrypted personal health information of 2,900 individuals Order HO-007 Loss of a USB memory stick containing the unencrypted personal health information of 83,524 individuals Order HO-008 Theft of a laptop containing the unencrypted personal health information of 20,000 individuals

10 The Peril of Paper-Based Records Paper-based and electronic records each have their own unique privacy and security risks and vulnerabilities Breaches also occur with paper-based records of personal health information due to the failure to: Retain records securely (i.e. abandoned records) Securely dispose of records (i.e. records found in dumpsters) Transfer records in a secure manner resulting in improper collection, use and disclosure (i.e. misdirected faxes)

11 Order HO-001 A medical clinic hired a company to shred records of personal health information dated between Due to a misunderstanding, the records were given to a recycling company instead of being shredded The recycling company sold the records to a special effects company and were used in a film shoot

12 Order HO-006 Employees of a laboratory placed records of personal health information in boxes designated for recycling as opposed to that designated for shredding The boxes designated for recycling were located immediately beside boxes designated for shredding The records of personal health information were found scattered on the street outside the laboratory

13 Consequences If Inadequate Attention Paid to Privacy If inadequate attention is paid to privacy, this may result in: Discrimination, stigmatization and psychological or economic harm to individuals based on the information Individuals may be deterred from seeking information, testing or treatment for certain medical conditions Individuals may withhold or falsify information provided Loss of trust or confidence in the public health system and damage to the reputation of the health care provider Significant time and resources expended in dealing with privacy breaches The costs associated with legal liabilities and proceedings

14 Risks Can be Minimized Through Concept of Privacy by Design Privacy and security risks can be minimized by carefully considering privacy and security implications during the design and implementation of electronic health records Privacy by Design is a term developed by the Information and Privacy Commissioner of Ontario to build privacy up front into design specifications and the architecture of systems and business processes On October 29, 2010 regulators from around the world unanimously passed a landmark resolution recognizing Privacy by Design as an essential component of fundamental privacy protection at the annual assembly of International Data Protection and Privacy Commissioners

15 Some Privacy Issues to be Addressed in Designing Electronic Health Records What personal health information will be included in electronic health records? Will individuals be able to withhold their consent from having their personal health included in electronic health records? Will the personal health information be included subject to the right of individuals to mask their personal health information? How will individuals be uniquely identified? What type of masking will be available all-or-nothing, encounter based, field based, provider based, etc.? Under what conditions can personal health information be unmasked? Which health care providers will have access, what information will different health care providers have access to and for what purposes?

16 Some Privacy Issues to be Addressed in Designing Electronic Health Records Will health care providers be required to satisfy certain criteria prior to being granted access to the electronic health record? - What criteria must be satisfied? - Who will be responsible for determining the criteria? - Who will be responsible for ensuring the criteria is satisfied? Who will be responsible for auditing access to electronic health records? With what frequency will audits be conducted? Will secondary uses and disclosures of personal health information in electronic health records be permitted? - Under what conditions? - Who will be responsible for determining the conditions? - Who will be responsible for ensuring the conditions are satisfied?

17 Some Privacy Issues to be Addressed in Designing Electronic Health Records Governance structure for sharing duties and responsibilities for privacy and security, including identifying accountability for: - Developing privacy and security policies and procedures? - Auditing compliance with these policies and procedures? - Conducting privacy and security audits? - Receiving and responding to requests for access? - Receiving and responding to requests for correction? - Receiving and responding to privacy inquiries? - Receiving, investigating and responding to privacy complaints? - Investigating and remediating privacy and security breaches? - Notifying individuals of privacy and security breaches? Mechanism by which the governance structure for electronic health records will be codified i.e. in legislation and/or agreements

18 Privacy Issues in the Transition to Electronic Health Records Personal health information may be most vulnerable when transitioning to electronic records given: Not fully trained on electronic system Electronic system may not be fully functional or privacy and security features may be turned off or set to minimal protection Conversion of paper records to electronic format may require frequent access to the records by larger numbers of individuals Records may be duplicated in paper and electronic format, thereby increasing the volume of records requiring protection The need to dispose of paper records in a secure manner The Information and Privacy Commissioner of Ontario, along with Dr. Peter Rossos, published a toolkit to manage privacy issues raised in transitioning from paper-based to electronic health records

19 Addresses measures such as: Obtaining necessary security expertise Educating and training agents Implementing access controls Implementing the use of strong passwords Auditing access to electronic records Privacy Issues in the Transition to Electronic Health Records Managing the retention, transfer and disposal of paper-based records Drafting or updating policies and procedures, such as policies and procedures with respect to: Transferring personal health information to portable storage devices Auditing access to electronic health records Identifying, containing, notifying, investigating and remediating privacy and security breaches or suspected breaches