Shared EMR Access Administrator (AA) Guide ~ External

Transcription

1 Shared EMR Access Administrator (AA) Guide ~ External Developed and maintained by: Information Stewardship Office (ISO) Information Sharing Framework Governance Committee (ISF GC)

2 TABLE OF CONTENTS Purpose of Guide 3 Shared EMR 3 Information Sharing Framework 3 EMR Custodian 3 Appointing the Access Administrator 4 User Access Management (Access Administrator Responsibilities) 4 Information Security Awareness 6 Privacy Awareness 8 Reporting of Breaches 9 External Delegation of Access Administration (EDoAA) Form 9 Staff Access Request Form (SARF) 10 Shared EMR Security Roles 10 Shared EMR Access Administrator Guide Version 11 Appendices Appendix A Definitions Appendix B - SARF Security Roles (eclinician) Appendix C Frequently Asked Questions

3 PURPOSE OF GUIDE This guide provides shared electronic medical record (semr) Access Administrator s (AA) with instructions to carry out their user access management duties as per the requirements identified in the EMR Information Exchange Protocol (EMR IEP). The EMR IEP contains the rules that all authorized custodians and their affiliates must follow with respect to access, use, disclosure and retention of prescribed health information via the shared EMR. Custodians will receive a copy of the EMR IEP during the initial engagement and implementation process. Custodians may also request a copy of the EMR IEP at anytime. SHARED EMR The shared EMR is a medical record system shared by multiple custodians, with each custodian contributing patient information and data to the system. Co-custodians of the shared EMR include participating physicians, Alberta Health Services (AHS), and Covenant Health. eclinician eclinician is a shared EMR system, used in the Edmonton area, for ambulatory care physicians to schedule and manage patient appointments, initiate or accept referrals, store patient electronic health records and bill for healthcare services. Currently only ambulatory (outpatient) information is stored in eclinician. INFORMATION SHARING FRAMEWORK The Information Sharing Framework (ISF) establishes governance of health information stored in an AHS operated shared EMR system. This legal framework includes information sharing agreements between physicians as co-custodians and AHS, participating physician agreements, and an information exchange protocol. See Appendix A for more information regarding the ISF, participating parties, and legal agreements. EMR CUSTODIAN Before any custodian is authorized to access a shared EMR, they must execute an agreement under the ISF and complete an Organizational Readiness Assessment. Custodians must also sign legal agreements prior to becoming authorized to access the shared EMR. Physician Participation Agreement (PPA) agreement to become part of the shared EMR environment, contributing and using information within. By signing this agreement, a physician agrees to terms in the Information Management Agreement and the Information Sharing Agreement. 3

4 Once a custodian has executed the PPA, they may appoint an AA. The AA will act on the custodian s behalf to request shared EMR access for the affiliates. As per HIA section 62(2), any collection, use or disclosure of health information by an affiliate of a custodian is considered to be a collection, use or disclosure by the custodian. Consequently, the appointed AA must ensure that the affiliate s access to shared EMR information is restricted based on their role in the healthcare system. This means that access permissions and other security credentials are set up so that affiliates have enough information to do their jobs, while ensuring that information is accessible on a need to know basis only. EMR custodians are: Participating physicians Alberta Health Services (AHS) Covenant Health (COV) APPOINTING THE ACCESS ADMINISTRATOR AAs must be approved by the EMR custodians for each clinic where they carry out user access management duties. Designation of the AA will initially be done during the onboarding process for clinics and facilities to the shared EMR and this position role will be identified in their Organizational Readiness Assessment. The custodian appoints the AA by completing the External Delegation of Access Administration (EDoAA) Form and adding their approval as the Organization Requestor. The appointed AA s are acting on behalf of the custodian to ensure user access to confidential health information is properly administered and given only to those who need this access to perform their jobs. EMR custodians are: Participating physicians Alberta Health Services (AHS) Covenant Health (COV) USER ACCESS MANAGEMENT (ACCESS ADMINISTRATOR RESPONSIBILITIES) The AA is the primary contact regarding user access to the shared EMR for their clinic or clinics. The main responsibility of the AA is to perform user access management duties that include the following: 4

5 Shared EMR Access The AA is responsible for ensuring that the affiliate s access to the shared EMR is based on the HIA principle of a need to know and the least amount of information to do their job. Specific responsibilities include: Approve and submit access requests in a timely manner. Requests are submitted using the Staff Access Request Form (SARF). During this process, the AA to confirm user has completed the organization s privacy and security training and the confidentiality and user agreement have been signed. Restrict user access to shared EMR information in accordance with their duties to the custodian, selecting the appropriate security levels and login department(s) on the SARF form. For example, certain administrative roles are not required to enter or modify encounters or medications and therefore will have their access restricted to what is required to do their job. Verify that the user permissions are appropriate for the role or job duties and meet the HIA principle of a need to know and the least amount of information to do their job. Terminate user permission when access is no longer required. Process terminations by completing and submitting the SARF form. Ensure users have been advised of their HIA obligations and the EMR IEP rules for collection, use, and disclosure of shared EMR information through organizational and application specific training. Review user s access information and permissions to ensure that information is complete and accurate. Submit changes to user information and permissions to ensure that information is complete and accurate. Comply with legislative and custodian policy obligations when collecting user information while performing user access management duties. Privacy and Security Training As per HIA section 62(2), custodians are responsible for the actions of their affiliates. If an affiliate does something the HIA forbids them to do, it is as if the custodian did it. Consequently, affiliates must comply with the HIA, as well as with the policies and procedures adopted by the custodian. As the appointed representative of the custodian, the AA will ensure users have been educated and informed about: 5

6 The information security and privacy issues related to the shared EMR, including potential annual refresher training. That information used in the shared EMR is private and confidential and the user must take reasonable steps to maintain the confidentiality of the information. Of their compliance obligations under the HIA. That a person who knowingly collects, uses or discloses health information in contravention with the HIA, may be found guilty of an offence and liable to a fine defined in the HIA. That the Information Manager monitors access to the shared EMR for security purposes and to protect the information. By accessing the shared EMR, users are expressly consenting to these monitoring activities. About what is considered a security or privacy breach and how to report a breach. Auditing User Access to the shared EMR Custodians are responsible and obligated to protect the privacy and confidentiality of shared EMR information. They must ensure that this information is only used for the purposes and under the terms and conditions stipulated in the EMR IEP and the HIA. Access logs play an important role in auditing user access, proactive monitoring and responding to breach investigations. The AA can request that the Information Manager provide access logs on their users. The Information Manager regularly audits for misuse of the shared EMR. i.e. users looking at their own health record i.e. users accessing a masked (protected) chart inappropriately or outside their job role. INFORMATION SECURITY AWARENESS Information security means: Preserving the confidentiality and integrity of information and ensuring that systems are available to provide service to patients. Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The EMR IEP outlines the general responsibilities of EMR custodians: EMR IEP : Each EMR custodian has a duty pursuant to Section 60 of the Health Information Act to protect the confidentiality of EMR information and to protect against 6

7 reasonably anticipated threat or hazard to the security of that EMR information, or unauthorized use, disclosure, modification or unauthorized access to EMR information. EMR IEP : EMR custodians are responsible for all EMR information accessed and used by the EMR custodian and their EMR affiliates. AAs assist by safeguarding the confidentiality, integrity and availability of the health information under the control of the custodian. Protecting the confidentiality of information means only authorized users can access sensitive information. It means taking steps to prevent any unauthorized access, use or disclosure of information. Access is based on user role and profession. This means that access permission and other security credentials are set up so that users have enough information to do their jobs, while ensuring that information is accessed only on a need to know basis. The integrity of information is about maintaining the reliability and accuracy of information so it can be used to make informed health decisions. An unauthorized change of health information used for decision making or an error in the information is an example of something that causes loss of integrity. Ensuring the continued availability of information means it is accessible to those who need the information. A system outage is something that causes loss of availability. When granting access to the shared EMR, the following security principles should be followed: Segregation of duties: The separation of duties in order to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual. Example: Users cannot approve their own access to the shared EMR. It must be approved by the AA. Authorization to use and disclose: Once you have been given access to the shared EMR information, you are required to use that information only during the course of your work. Using or disclosing that information for personal gain or for purposes outside of the HIA is prohibited and is considered a breach. The HIA sets out fines for custodians and affiliates who knowingly breach the Act. 7

8 PRIVACY AWARENESS The following EMR IEP rules must be adhered to by all users of the shared EMR: EMR IEP and 4.1.3: An EMR custodian may access and use EMR information for provision of health services. EMR IEP 4.1.2: Use of EMR information shall adhere to the principles of: using the least amount of EMR information necessary for the purpose and using EMR information only on a need to know basis. EMR IEP 6.1.1: An EMR custodian may disclose EMR information for any purpose where the individual who is the subject of the information has provided consent for that disclosure. EMR IEP 6.2.1: An EMR custodian may disclose specific EMR information where expressly authorized or required by Sections 35 or 37 of the Health Information Act. EMR IEP : An affiliate must be authorized by an EMR custodian for access. Affiliates retain full responsibility for all EMR information they access. Any use or disclosure of EMR information by an affiliate is considered use or disclosure by the EMR custodian. The following HIA privacy provisions must be adhered to when granting access to the shared EMR: HIA Section 57: The duty of a custodian to collect, use or disclose individually identifying health information with the highest degree of anonymity possible. HIA Section 58: The duty of a custodian to collect, use or disclose the least amount of individually identifying health information. HIA Sections 24, 28, 43: The duty of an affiliate to collect, use or disclose health information in a manner that is in accordance with the affiliate s responsibilities as determined by their custodian ( need to know basis). HIA Section 60: The duty of a custodian to protect the confidentiality of health information. HIA Section 58(2): The duty of a custodian to consider the expressed wishes of an individual regarding the disclosure of individually identifying health information. 8

9 Further information regarding the HIA can be obtained from the following: HIA Guidelines and Practices Manual This manual provides supplementary information regarding the HIA and Regulations. The manual explains the role and responsibilities with respect to the administration of the Act, and is intended to provide guidelines and suggest best practices, not binding rules. Manual - Manual.pdf Manual Appendix 3 and 4 Responsibilities of Custodians in Administering the HIA: HIA and Regulations REPORTING OF BREACHES An information security and privacy breach occurs when there is a violation of the: (1) HIA; (2) EMR IEP rules for accessing shared EMR information; and/or (3) security and privacy policies of the custodian. A breach can also happen if there is a failure or absence of required safeguards to prevent a loss of confidentiality, integrity, or availability of information. Examples of security incidents include: Deliberate misuse of health information in the shared EMR A missing laptop, PDA or portable device containing health information Virus, spyware, or malware infection impacting health information Disclosure of your shared EMR password or other authentication credentials Security and privacy breaches are to be reported promptly to the Information Manager and the custodian. The Information Manager will report any security or privacy breaches to the Information Stewardship Office (ISO) and a formal investigation will be initiated. EXTERNAL DELEGATION OF ACCESS ADMINISTRATION (EDoAA) FORM Purpose The EDoAA is used by the authorized custodian (or multiple custodians) to add, remove or amend the appointed AA for their facility or multiple facilities. 9

10 Completion The most current version of the EDoAA form is located on the public-facing Alberta Health Services website. Submission The completed form is to be submitted to the Information Stewardship Office at: Fax: Pre-implementation to shared EMR EDoAA Submission Process (initial request, changes to AA, removal of AA) AHS-IT EMR Deployment Team Notifies ISO of upcoming clinic to the shared EMR environment Provide clinic with EDoAA form in ERM and ISF package information. Clinic/AA ISO Clinic and ISO to ensure AA position is outlined in the Privacy Impact Assessment Clinic AA to complete EDoAA form and submit to ISO. Review and approve EDoAA form and submit to IM. For initial requests: verify clinic validity and the clinic s privacy and security measures. IM Review and approve. Inform clinic of AA approval. STAFF ACCESS REQUEST FORM (SARF) The SARF is used by the appointed AA to manage the user access to the shared EMR for affiliates of the custodian. Only authorized custodians and their affiliates can access the shared EMR. SHARED EMR SECURITY ROLES According to the HIA Sections 57 and 58, the sharing of health information must, in all cases, be carried out in the most limited manner and with the highest degree of anonymity that is 10

11 possible. According to the HIA Section 28 and 43, affiliates must only share or access health information in accordance with their duties to the custodian. This is called a need to know basis. Consequently, the AA must manage user access to the shared EMR based on the need to know and the least amount of information for the user to do their job. The security role matrix for the shared EMR is located with the SARF form. Access to the shared EMR is based on the security role matrix, which lists roles/duties with corresponding access permissions. The AA will select a role based on the affiliate s duties to the custodian ( need to know ). Security roles will be assigned per system to include: Referrals Scheduling EMR Billing Each role in the security role matrix comes with standard access, which is automatically assigned when the role is selected and departmental access must be selected in order to be assigned. Certain roles are restricted to specific professions. For example, EMR Roles 1-3 and 21 are allocated to medical professionals; while EMR Roles 14 and 16 are allocated for administrative staff. Role assignment must adhere to the HIA, EMR IEP, and be based on the job the affiliate is doing for the custodian. See Appendix B for more detail. SHARED EMR ACCESS ADMINISTRATOR GUIDE VERSIONS VERSION V01 APPENDICES DATE YYYY-MM-DD Appendix A: Definitions Appendix B: SARF Security Roles Appendix C: Frequently Asked Questions 11

12 APPENDIX A: DEFINITIONS Access Administrator (AA) An individual designated by a participating custodian to complete and submit access requests for custodian affiliates to the shared EMR system. Affiliate An affiliate is an employee of an EMR custodian, permitted by the custodian to access, use or disclose shared EMR information on behalf of the custodian. The custodian is responsible for the actions of their affiliates. HIA 1(1)(a) In relation to the custodian, i. an individual employed by the custodian, ii. a person who performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian, iii. a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act, iv. an information manager as defined in section 66(1) Example: Affiliates are hospital staff or physician office staff employed by a custodian. Custodian A custodian is permitted to access, use or disclose shared EMR information in accordance with the Information Sharing Agreement, Information Management Agreement, Health Information Act (HIA), and EMR Information Exchange Protocol (EMR IEP). HIA 1(1)(f) (i) board of approved hospital as defined in the Hospitals Act (ii) operator of nursing home as defined in the Nursing Homes Act (iii) a provincial health board established pursuant to the regulations made under 17(1)(a) of the Regional Health Authorities Act (ix) a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations (xiv) other entity designated in the regulations Co -custodian A co-custodian is a custodian, as outlined above, that shares custodianship of shared EMR records. Example: Participating physicians, AHS, and Covenant Health are co-custodians of the Information shared EMR Manager records (i.e. (IM) eclinician). Each co-custodian contributes and shares information within the shared EMR environment. 12

13 The IM is the service provider for the shared EMR system. The IM provides information management and information technology services and audits for misuse of EMR information. AHS is the Information Manager for the shared EMR. Information Sharing Framework (ISF) The ISF establishes governance of health information stored in an AHS operated shared EMR system. Within this framework, a governance body that is neutral and represents all participating custodians exists. Legal agreements have also been put into place to ensure that all parties comply with their legislative requirements and roles within the EMR IEP. ISF Governance Committee (ISF GC) The ISF GC includes membership from AHS, AMA, Covenant Health, Faculties of Medicine, Alberta Health, CMPA, CPSA and a member of the public. Maintain information sharing agreements Establish policy and monitor use and disclosure of EMR information Oversee privacy and security issues related to the shared EMR Resolve disputes between AHS and participating physicians Information Stewardship Office (ISO) The ISO is a neutral office reporting to the ISF GC to exercise a number of its operational functions. Develop policy and security policies for the shared EMR Notify ISF GC of audits and investigations Provide recommendations should a breach occur Mediate disputes related to access, use and disclosure of the shared EMR Coordinate secondary use and research requests Monitor the Information Manager s compliance with the Information Management Agreement and Information Exchange Protocol Legal Agreements EMR Information Exchange Protocol (EMR IEP) The EMR IEP outlines rules for access, use and disclosure of EMR information. Information Sharing Agreement (ISA) Participating physicians and AHS agree to submit information to and share information within the shared EMR system. This agreement is incorporated into the Information Manager Agreement below. Access, use and disclose shared EMR information as per the principles and guidelines of the HIA and EMR IEP. 13

14 Information Manager Agreement (IMA) Participating physicians recognize AHS, as service provider, in the role of Information Manager (IM). Information Manager to provide information management and information technology services. Provide regular auditing to identify any inappropriate use and disclosure of EMR information. This permission does NOT grant the Information Manager to use data within the shared EMR as they see fit. The ISO will closely monitor the IM to ensure compliance with their role as service provider. Participating Physician Agreement Physicians agree to become part of the Information Sharing Framework to become a cocustodian of the shared EMR data and submit their information to the shared EMR system. They grant permission for AHS to act as Information Manager for their shared EMR data. By signing this agreement, they agree to terms outlined in the IMA and ISA above. 14

15 APPENDIX B: SARF SECURITY ROLES (eclinician) 15

16 16

17 17

18 18

19 19

20 20

21 21

22 APPENDIX C: FREQUENTLY ASKED QUESTIONS Who are the custodians in eclinician? The eclinician co-custodians are AHS, Covenant Health and participating physicians. Who decides if an affiliate should receive access to the shared EMR? It is the responsibility of the custodian to determine who requires access to the shared EMR system based on their role and responsibility. A custodian may delegate this authority to an Access Administrator to act on their behalf, requesting access for the affiliate(s). ) The AA must ensure that the affiliate s access to shared EMR information is restricted based on their role in the healthcare system. Access permissions and other security credentials are set up on the principle of a need to know basis. What training and education is required for users of the shared EMR? All EMR Custodians are required to take reasonable steps to advise their affiliates of their privacy expectations. As per Health Information Regulation Section 8(6), a custodian must ensure that its affiliates are aware of and adhere to all the custodian s administrative, technical and physical safeguards in respect of health information. This education may take place through the AA. Users are expected to take any system training specific to their role and responsibilities within the shared EMR system. Users will not be granted access to the EMR system prior to completion of this training. Training requests may be ed to: ISeCLINICIANTrainingRequests@albertahealthservices.ca. Under what circumstances can a user access and disclose shared EMR information? A user may access shared EMR information as follows: EMR IEP Using the least amount of EMR information necessary for the purpose and only on a need to know basis. EMR IEP For providing health services to the individual and information is necessary for the provision of health services or for making a determination for a related health service. 22

23 EMR IEP Subject to the professional standards of practice of the CPSA and other professional bodies, non-identifying EMR information may be used by an EMR custodian for any purpose. HIA Section 28 and EMR IEP An affiliate of a custodian (i.e. physician office staff under physician as custodian) must not use health information in any manner that is not in accordance with the affiliate s duties to the custodian. Any use or disclosure of EMR information by an affiliate is considered use or disclosure by the custodian. A user may disclose shared EMR information as follows: EMR IEP For any purpose where the individual who is the subject of the EMR information has provided consent for that disclosure. HIA Section 35 (1) A custodian may disclosure identifying health information, without patient consent, to a person who is responsible for providing continuing treatment and care, for the purpose of a court proceeding, in compliance with a subpoena/warrant, for the purpose of processing payment for health services, etc. Can a user access their own information or information of a family member? A user, including custodians and affiliates, does not have right to access information of a family member or of themselves unless they are directly involved in the provision of a health service. In circumstances where information is required, the user would then become an applicant and be required to follow the process outlined in EMR IEP and Custodians that access this information, without going through the proper release process, would be considered in breach of the EMR IEP and HIA. Privacy, security and confidentiality of health information are essential. Individuals have the right to access their health information through the appropriate and secure means by following the access and disclosure policies and procedures. EMR custodians and affiliates must follow the same process as those without access to the shared EMR when obtaining their health information. Shared EMR access is a privilege and assigned based on the role and responsibility of the users in the provision of health services. Misuse of these systems can result in restriction or suspension of your access rights, which may impact your employment or ability to deliver patient care. 23

24 What should I do if I encounter a security or privacy breach? Security and privacy breaches are to be reported promptly to the Information Manager and the custodian. The Information Manager will report any security or privacy breaches to the Information Stewardship Office (ISO) and a formal investigation will be initiated. What if the breach was performed by the custodian? All security and privacy breaches, including those by a custodian, must be reported to the Information Manager. What access levels are included in each of the security roles for eclinician? Below is a high level summary of what each security role entails. Additional details may be found in the Staff Access Request Form (SARF) instructions. Referral Security Roles Default 0 All other users by default have ability to view referrals and assign referrals to appointments. Role 1 Users who require greatest control over scheduling (i.e. primary scheduler). Role 2 Users responsible for triage of patients require ability to allow or disallow scheduling of referrals. Role 3 Users who only require the ability to view and create new referrals. Billing Security Roles Role 1 Users whose function includes administration of clinic financials and accounting. Have access to all billing functions, including ability to run financial reports for the entire clinic. Role 2 Users that require access to billing functionality in order to manage and process clinic billing (i.e. Senior Billing Clerk). Role 3 Users that process patient invoicing and are responsible for running end of day billing reports. Role 4 Users that process patient invoicing at the point of service. Limited to creating and processing third party claims at the point of service (i.e. Registration Clerk). Role 5 Users that require access to clinic statistical and financial reports, but do not do client billing. Scheduling Security Roles Role 1 Users who require greatest control over scheduling (i.e. primary schedulers). Role 2 Users who routinely schedule appointments but do not require the ability to modify a provider s schedule (i.e. Senior Scheduler). Role 3 Users who require scheduling functionality, but would not overrule a provider s schedule. Role 4 Users without the experience to book visits beyond the clinic s normal scheduling rules (i.e. Entry Level Scheduler). 24

25 Role 5 Users who can run department appointment reports and direct patient traffic. Role 7 Users who only perform check in and check out of patient appointments. EMR Security Roles Medical Professionals Role 1 Clinically authorized health care provider (i.e. Nurse Practitioner or fully licensed physician). Users carry the greatest responsibility over a patient s chart and accordingly have the highest level of access. Role 21 Clinicians who require charting abilities but are limited in their ability to administrate aspects of a patient s chart. These users are considered to have the appropriate level of expertise to be able to close their own encounters (i.e. Senior Resident). Role 2 Clinicians who require charting abilities but are limited in their ability to administrate aspects of a patient s chart without the support of a clinically authorized health care provider (i.e. Senior Resident). Role 3 Clinicians requiring charting capabilities whose work must be reviewed and signed off by a clinically authorized health care provider (i.e. Resident). Licensed/Accredited Professional and Clinical Support Staff Role 4 Acting without oversight of a Role 1 provider (above), these fully licensed or accredited professionals need to sign certain orders as the authorizing provider (i.e. referrals as part of mental health intake assessment). (i.e. RN,RPN,RD, PH, PT, OT) Role 5 Fully licensed or accredited professional who sign both medication and procedure orders as a delegate of a clinically authorized provider. More commonly used security role than above. (i.e. RN,RPN,RD, PH, PT, OT) Role 22 Fully licensed or accredited professionals who sign both medication and procedure orders as a delegate of a clinically authorized provider. Same as role 5 above but also allows user to do problem oriented charting. (i.e. RN,RPN,RD, PH, PT, OT) Role 7 Clinical support staff who has been appointed a higher level of responsibility by a clinically authorizing provider, such as writing medication orders. (i.e. LPN, MOA, Technologists). Administrative Roles Role 14 Will be used by the HIM Access and Disclosure group. Users require ability to chart on certain non-scheduled, non-face to face encounters (i.e. release of information), and full access to the current and historical patient chart. 25

26 Role 16 Typically, an abstractor role. Users require the ability to chart on non-scheduled, non-face to face encounters, and the ability to close encounters and modify the problem list. View Only and Access to Service Roles Role 17 View only role with the In Basket Results. Users will use this role as an interim role used by clinicians to familiarize with eclinician. Role 18 View only role with non-clinical In Basket. Users will use this role as an interim role used by front office or admin staff to familiarize with eclinician. Role 19 View only role with non-clinical In Basket and the ability to chart on letters. Users able to create, edit, print and route both patient and provider letters from within a letter navigator tied to scheduled visits. Role 20 View only role with In Basket Results and the ability to chart on letters. Role is combination of Roles 17 and