National System for Incident Reporting Privacy Impact Assessment
The contents of this publication may be reproduced in whole or in part, provided the intended use is for non-commercial purposes and full acknowledgement is given to the Canadian Institute for Health Information.

Canadian Institute for Health Information
495 Richmond Road, Suite 600
Ottawa, Ontario K2A 4H6
Phone: 613-241-7860
Fax: 613-241-8120
www.cihi.ca

2010 Canadian Institute for Health Information
Table of Contents

Executive Summary ... iii
1 Introduction ... 1
1.1 PIA Objectives and Scope ... 1
2 NSIR Background and Context ... 2
2.1 Background ... 2
2.2 Description ... 2
2.3 Data Flow Diagram ... 4
2.4 System Diagram ... 4
2.5 NSIR Data Accessible to Participating Organizations ... 5
2.5.1 NSIR Data Accessible to Data Providers ... 6
2.5.2 NSIR Data Accessible to Non-Data Providers ... 6
2.5.3 NSIR Data Accessible to Third-Party Data Requestors ... 6
2.5.4 NSIR Data Accessible to CIHI ... 7
2.6 Organization and Governance ... 10
2.7 Authorities Governing NSIR ... 10
2.7.1 General ... 10
2.7.2 Service Agreements for Data Providers ... 12
2.7.3 Data-Sharing Agreements for Non-Data Providers ... 13
3 Privacy Analysis ... 14
3.1 Principle 1: Accountability for Personal Health Information ... 14
3.2 Principle 2: Identifying Purposes for Personal Health Information ... 14
3.3 Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information ... 14
3.4 Principle 4: Limiting Collection of Personal Health Information ... 14
3.5 Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information ... 15
3.5.1 Limiting Use ... 15
3.5.2 Limiting Disclosure ... 15
3.5.3 Limiting Retention ... 16
3.6 Principle 6: Accuracy of Personal Health Information ... 17
3.7 Principle 7: Safeguards for Personal Health Information ... 17
3.8 Principle 8: Openness About the Management of Personal Health Information ... 19
3.9 Principle 9: Individual Access to, and Amendment of, Personal Health Information ... 19
3.10 Principle 10: Complaints About CIHI's Handling of Personal Health Information ... 19
4 Conclusion ... 19
Appendix A National System for Incident Reporting Minimum Data Set ... 20
Executive Summary

The purpose of this privacy impact assessment (PIA) is to examine the privacy, confidentiality and security risks associated with the National System for Incident Reporting (NSIR). The NSIR is the system formerly known as CIHI's Canadian Medication Incident Reporting and Prevention System for hospital-based reporting.

The NSIR is a web-based, voluntary reporting system that captures standardized data related to medication incidents that have occurred within Canadian hospitals. Analysis of the information can be used to help identify how medication incidents occurred and how similar incidents can be prevented in the future. The Institute for Safe Medication Practices Canada, a partner organization in a larger patient safety initiative, maintains a similar, yet fully separate, reporting system for individual practitioners.

From a privacy perspective, the most important characteristic of the NSIR is that it holds very little personal information about patients or health care providers. The NSIR cannot readily identify patients or providers based on the data reported to and maintained in the system.

Data collected by CIHI includes incident discovery, incident impact, medication incident details, drug product information and, where appropriate, patient characteristics and interventions required. The data does not include patient-, provider- or facility-identifiable information. The NSIR minimum data set is composed of 32 data elements, including text fields, that describe the medication incident. These text descriptions are reviewed by CIHI staff for any identifying information before being released to other participating organizations.

Data from the NSIR are made available to hospitals or regions that have signed an NSIR service agreement with CIHI, and to other organizations that have signed an NSIR data-sharing agreement.
Individual users within participating organizations receive education on privacy and security for use of the NSIR, and must read and accept the terms of use every time they log in and before accessing the NSIR. Third-party data requests are processed only through CIHI and in accordance with CIHI's Privacy Policy.

A review of the 10 privacy principles set out in the Canadian Standards Association's Model Code for the Protection of Personal Information as they apply to the NSIR was undertaken and, while a number of potential privacy risks were identified, this assessment concludes that the mitigation measures currently in place are such that CIHI is prepared to accept and manage any remaining risks.

CIHI 2010
1 Introduction

The Canadian Institute for Health Information (CIHI) collects and analyzes information on health and health care in Canada. Its goal is to provide timely, accurate and comparable information to inform health policies, support the effective delivery of health services and raise awareness among Canadians of the factors that contribute to good health. CIHI obtains data directly from hospitals, regional health authorities, medical practitioners and governments, including personal health information about recipients of health services, registration and practice information about health professionals and health facility information. Other sources provide further data to help inform CIHI's in-depth analytic reports.

The NSIR is a web-based, voluntary reporting system developed to capture standardized data on medication incidents that occur in Canadian hospitals. CIHI's NSIR is the hospital-reporting component of the multi-organizational Canadian Medication Incident Reporting and Prevention System (CMIRPS) initiative. The CMIRPS initiative is a collaboration of Health Canada, CIHI and the Institute for Safe Medication Practices Canada (ISMP Canada). ISMP Canada maintains a similar, yet fully separate, reporting system to support reporting from individual practitioners.

1.1 PIA Objectives and Scope

The purpose of this privacy impact assessment is to examine the privacy, confidentiality and security risks associated with the NSIR. It includes a review of the 10 privacy principles set out in the Canadian Standards Association's Model Code for the Protection of Personal Information as they apply to the NSIR and a summary of potential privacy risks that have been identified, along with any measures that have been put in place to avoid or mitigate those risks. This privacy impact assessment builds on a preliminary PIA completed in April 2005 to guide initial development of the reporting system.
2 NSIR Background and Context

2.1 Background

CIHI developed the NSIR to support the collection, sharing and analysis of data relating to medication incidents in Canadian hospitals. Analysis of this data can help to identify how incidents occurred and how similar incidents can be prevented in the future. This reporting system is CIHI's contribution to a collaborative initiative with Health Canada and ISMP Canada. Together, these organizations support the Canadian Medication Incident Reporting and Prevention System (CMIRPS) program.

The purposes of the overall CMIRPS initiative are to:
- Coordinate the capture, analysis and dissemination of information on medication incidents from both hospitals (CIHI) and individual practitioners (ISMP Canada);
- Enhance the safety of the medication use system for Canadians; and
- Support the effective use of resources through the reduction of potential or actual harm caused by preventable medication incidents.

Initial development of CIHI's NSIR was funded through a contribution agreement with Health Canada. As of 2008, CIHI assumed funding for system implementation, maintenance and enhancement.

2.2 Description

The NSIR is a web-based, voluntary reporting system developed to capture standardized data on medication incidents that occur in Canadian hospitals. This includes general hospitals, pediatric hospitals, cancer treatment hospitals, other specialty hospitals, psychiatric and substance-abuse hospitals and extended-care hospitals. The system is designed to provide anonymized reporting, both to encourage voluntary participation and to protect patient, provider and facility information.

The NSIR is designed differently from many other CIHI data holdings. All hospitals and regional health authorities that sign a service agreement to submit data to CIHI's NSIR also have access to the NSIR repository of incident records.
CIHI's web-based system includes an analytical tool to promote data analysis and a non-identifying communication tool (similar to web-based email) to facilitate private, anonymous discussion between participating organizations. CIHI remains the custodian of the data, but all participating organizations have access in order to foster learning at the local level.
The NSIR includes the following:
- A standardized minimum data set of 32 elements;
- An incident reporting tool that includes a standardized list of drug products (that is, a drug product database);
- A secure, privacy-sensitive communication tool to support learning and sharing activities; and
- An analytical tool to encourage the analysis of record-level incident data.

More information on the components of the NSIR is outlined in Section 2.4 below.

Data collected by CIHI for the NSIR includes incident discovery, incident impact, medication incident details, drug product information and, where appropriate, patient characteristics (that is, year and month of birth and sex) and interventions required. The data does not include patient-identifiable information such as health card number, chart number or date of admission or discharge, or provider-identifiable information such as name or registration number.

Participating organizations with access to the NSIR data include the following:
- Data providers such as Canadian hospitals and regional health authorities that submit and access NSIR data (upon signing an NSIR service agreement);
  - As of June 2009 there were 18 hospitals and regional health authorities from five jurisdictions providing data.
- CIHI;
- Other organizations that have signed an NSIR data-sharing agreement with CIHI. As of June 2009, ISMP Canada had access to de-identified NSIR data and CIHI is negotiating a similar agreement with the Marketed Health Products Directorate at Health Canada.
2.3 Data Flow Diagram

[Figure 1, data flow diagram: Participating hospitals/RHAs: medication incident occurs > reported internally > internal review completed > CIHI's NSIR data repository. Recipients of repository data: ISMP Canada; other organizations with data-sharing agreements; CIHI analysis. Outputs: alerts, root cause analyses, ad hoc requests.]

Medication incidents that occur in hospitals are reported and investigated internally prior to submission to the NSIR. Only after the internal hospital review is complete is the data submitted to CIHI's NSIR data repository. CIHI and organizations with a signed NSIR data-sharing agreement do not have the ability to submit data or to amend records in the repository. Should CIHI discover a data-quality issue, the record is returned to the data provider for correction.

2.4 System Diagram

Data providers (that is, hospitals or regional health authorities with a signed NSIR service agreement) electronically submit data using the NSIR incident reporting tool. The incident reporting tool is a secure web-based application with an integrated drug product database to aid in the submission of valid medication incident records.

The communication tool is similar to an email application; however, the sender and recipient email addresses are replaced with system-generated organizational pseudonyms to maintain anonymity. CIHI and ISMP Canada are exceptions. All NSIR-participating organizations are able to identify messages sent to and received from CIHI and ISMP Canada. The communication tool also allows CIHI to post messages and frequently asked questions on a bulletin board that is accessible to all of the NSIR participants. This feature is unique to CIHI; no other organization has the ability to post items to the NSIR bulletin board.
Submitted incident records are stored in the data repository and every 60 minutes new or modified records are made available via the analytical tool. The analytical tool allows NSIR participants to build queries and reports using facility de-identified medication incident records.

* CIHI expects batch submission functionality to be operational for users in 2010-2011. It will allow multiple records to be simultaneously submitted to the NSIR system.

2.5 NSIR Data Accessible to Participating Organizations

The NSIR system was designed to support learning and sharing; as such, all participating organizations have full access to the data repository housed by CIHI and can view or query de-identified incident records. One of the guiding principles for the development of the NSIR was anonymity. For that reason, NSIR incident records do not contain patient-, provider- or facility-identifiable data elements.

The NSIR minimum data set includes the following information domains (see Appendix A for the complete minimum data set):
- Incident Discovery: time, place and roles of health providers associated with the incident.
- Incident Impact: categorization of the outcomes (actual and/or potential) and effects of the incident.
- Patient Characteristics: month and year of birth and sex of patient associated with the incident.
- Medication Incident Details: specific medication incident details.
- Drug Product Information: drug product(s) reported in the incident, for example, drug name, strength, dose, route.
- Investigation and Findings: information pertaining to actions planned or implemented to promote learning and inform prevention strategies.
Within NSIR's data repository, an incident record migrates through the following three stages. The level of access to the details of the incident record is dependent on which stage the record is in.

Record Status:
- Stage 1: Submitted and unreleased record. Complete record is accessible and viewable only to the data provider. Data is not accessible to CIHI or other NSIR participants.
- Stage 2: Submitted and released record. Coded fields of the facility de-identified record are accessible to all NSIR participants; open text fields are suppressed to all participants until reviewed and approved by CIHI.
- Stage 3: Submitted, released and reviewed record. Facility de-identified record (coded and text fields) is accessible to all NSIR participants.

2.5.1 NSIR Data Accessible to Data Providers

Data providers are those hospitals and regional health authorities who have a signed NSIR service agreement with CIHI. Data providers have full access to their own data entered into the incident reporting tool (whether the data is unreleased or released), including text fields.

Once per hour, the submitted and released data are made available to NSIR participants via the analytical tool. The coded fields of facility de-identified records are then accessible to all of the NSIR-participating organizations. Text fields are suppressed until they have been reviewed and approved by designated CIHI NSIR team member(s). CIHI staff ensure that no identifiers were entered into any text field, and that the text does not otherwise identify individual patients or health care providers. If a text field contains identifiers or otherwise identifies individuals, CIHI notifies the data provider and asks for the identifying information to be removed. Suppression is maintained until the CIHI reviewer indicates that the text does not identify individuals. The CIHI reviewer can also send a message to the submitting organization (via the communication tool) suggesting changes to the submitted text.
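The three record stages and the role-dependent visibility described above amount to a small access-control state machine. The following Python model is an added illustration written for this edit; it is not CIHI's code and the NSIR does not expose such an interface. The role names, the split of fields into coded and open-text fields, and the sample record are assumptions. The model enforces the rules stated in Sections 2.3 and 2.5: only the submitting provider sees an unreleased record, CIHI and other participants cannot amend records, text fields stay suppressed for other participants until a CIHI reviewer approves them, and the CIHI client support role never sees record-level data.

```python
"""Added example (not CIHI's code): NSIR record lifecycle and stage-dependent access.
Roles, field names and the sample record are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Stage(Enum):
    SUBMITTED_UNRELEASED = 1   # visible only to the submitting data provider
    SUBMITTED_RELEASED = 2     # coded fields visible to all participants; text suppressed
    RELEASED_REVIEWED = 3      # coded and text fields visible to all participants


# Assumed partition of the minimum data set into coded and open-text fields.
CODED_FIELDS = {"incident_discovery", "incident_impact", "patient_birth_ym",
                "patient_sex", "drug_product"}
TEXT_FIELDS = {"incident_description", "investigation_findings"}

# Roles assumed for the illustration. "cihi_client_support" has no record-level access.
ROLES = {"data_provider", "data_sharing_org", "cihi_analysis", "cihi_client_support"}


class AccessDenied(Exception):
    pass


@dataclass
class Record:
    provider_id: str          # submitting organization; never part of the visible data
    data: Dict[str, str]
    stage: Stage = Stage.SUBMITTED_UNRELEASED
    text_approved: bool = False


def release(rec: Record, actor_provider: str) -> Stage:
    """Only the data provider that submitted a record can release it."""
    if actor_provider != rec.provider_id:
        raise AccessDenied("only the submitting data provider may release a record")
    rec.stage = Stage.SUBMITTED_RELEASED
    return rec.stage


def approve_text(rec: Record, actor_role: str) -> Stage:
    """A CIHI reviewer lifts text suppression; the reviewer does not edit the record."""
    if actor_role != "cihi_analysis":
        raise AccessDenied("only a CIHI NSIR reviewer may approve text fields")
    if rec.stage is Stage.SUBMITTED_UNRELEASED:
        raise AccessDenied("unreleased records are not accessible to CIHI")
    rec.text_approved = True
    rec.stage = Stage.RELEASED_REVIEWED
    return rec.stage


def return_for_correction(rec: Record, actor_role: str) -> Stage:
    """Data-quality issues send the record back to the provider; CIHI cannot amend it."""
    if actor_role != "cihi_analysis":
        raise AccessDenied("only the CIHI analysis team may return a record")
    rec.stage = Stage.SUBMITTED_UNRELEASED
    rec.text_approved = False
    return rec.stage


def view(rec: Record, actor_role: str, actor_provider: Optional[str] = None) -> Dict[str, str]:
    """Return the fields the actor may see; provider_id is never included."""
    if actor_role not in ROLES:
        raise ValueError(f"unknown role {actor_role!r}")
    if actor_role == "cihi_client_support":
        raise AccessDenied("client support has no access to record-level data")
    if actor_role == "data_provider" and actor_provider == rec.provider_id:
        return dict(rec.data)  # own record: full access at every stage
    if rec.stage is Stage.SUBMITTED_UNRELEASED:
        raise AccessDenied("unreleased record is visible only to its data provider")
    visible = {k: v for k, v in rec.data.items() if k in CODED_FIELDS}
    # Text is shown to others once approved, and to the CIHI reviewer during review.
    if rec.text_approved or actor_role == "cihi_analysis":
        visible.update({k: v for k, v in rec.data.items() if k in TEXT_FIELDS})
    return visible


# Constructed sample record (no real incident data).
SAMPLE = {"incident_discovery": "pharmacy", "incident_impact": "no harm",
          "patient_birth_ym": "1950-03", "patient_sex": "F",
          "drug_product": "example drug 10 mg tablet",
          "incident_description": "constructed narrative text",
          "investigation_findings": "constructed findings text"}


def make_sample_record() -> Record:
    return Record(provider_id="PROVIDER-A", data=dict(SAMPLE))
```

Usage: create a record with `make_sample_record()`, call `release(rec, "PROVIDER-A")`, then compare `view(rec, "data_sharing_org")` (coded fields only) with `view(rec, "cihi_analysis")` (coded plus suppressed text) and, after `approve_text(rec, "cihi_analysis")`, with `view(rec, "data_sharing_org")` again. The design point is that the submitting organization's identity lives outside the viewable data and that every transition is gated on who the actor is, not on what they ask for.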
2.5.2 NSIR Data Accessible to Non-Data Providers

As of June 2009, there was one organization that does not submit incident data but has access to the NSIR system. ISMP Canada is a partner in the original multi-organizational CMIRPS initiative. ISMP Canada had signed an NSIR data-sharing agreement before CIHI enabled its access to the NSIR system (see Section 2.7.3).

2.5.3 NSIR Data Accessible to Third-Party Data Requestors

External data requests will be considered on a case-by-case basis in accordance with CIHI's Privacy Policy. Only CIHI may respond to third-party data requests; those organizations receiving data under the terms of a data-sharing agreement must refer third-party requests to CIHI. This requirement is outlined in each NSIR data-sharing agreement.
2.5.4 NSIR Data Accessible to CIHI

Internally, CIHI's NSIR team has several mechanisms in place to ensure that, even within the Pharmaceuticals department of CIHI and in keeping with the need-to-know principle, incidents cannot be connected to the participating organization that submitted the incident record. The NSIR program team at CIHI is divided into two distinct groups: client support and analysis. The following information is illustrated in Figure 2 below.

The Client Support team works with hospital and regional contacts, but does not have any access to incident data. Specific functions include:
- Hospital recruitment;
- The signing of an initial NSIR service agreement and its annual renewal;
- Maintenance of the NSIR organizational frame information (that is, the list of hospitals and regional health authorities that submit incident data);
- Education and client support for participants; and
- Responses to general queries and coding questions, and the development of frequently asked questions for the communication tool's bulletin board.

Participants are encouraged to contact NSIR client support using the communication tool. Messages sent via the communication tool contain only the participant's organizational pseudonyms in the sender email address line, thus providing anonymity. The Client Support team has access to summary and activity reports but has no access to record-level data.

The Analysis team is responsible for data quality reviews, the completion of data analyses, third-party data requests and any client support that requires access to record-level data and suppressed text fields during the review of those fields. If the Analysis team has privacy concerns or questions, the team consults with CIHI's Privacy and Legal Services Secretariat. The Analysis team has access to de-identified record-level data but cannot link incident records with known participating hospitals.
The Analysis team does not have access to the NSIR organizational frame information (that is, the list of hospitals and regional health authorities that submit incident data).
2.6 Organization and Governance

The NSIR was established as a project within the Pharmaceuticals department in the Health Resources Information branch in 2004-2005. Funding for the project from 2004-2005 to 2007-2008 was provided by Health Canada. Governance during that period included the Operations Committee (chaired by Health Canada) and the CMIRPS Advisory Committee (with secretariat support from Health Canada). As of 2008-2009, CIHI assumed all funding and operational responsibilities for the NSIR.

The following table identifies key internal positions and groups with responsibilities for the NSIR in terms of privacy and security risk management:

Position/Group: Vice President, Programs
Role/Responsibilities: The vice president, Programs is responsible for the overall operations and strategic direction of the NSIR.

Position/Group: Director, Health Resources Information
Role/Responsibilities: The director is fully accountable for the NSIR. The director is responsible for strategic and operational decisions about the NSIR, and ensuring its continued successful development.

Position/Group: Manager, Pharmaceuticals
Role/Responsibilities: The manager is responsible for ongoing management, development and deployment of the NSIR. The manager makes operational decisions about the NSIR, chairs the NSIR Advisory Committee and consults with the NSIR stakeholders as appropriate.

Position/Group: NSIR Advisory Committee
Role/Responsibilities: Chaired by CIHI's manager, Pharmaceuticals, this committee's role is to provide input, advice and recommendations to facilitate the ongoing management and enhancements of the NSIR.

Position/Group: Chief Technology Officer
Role/Responsibilities: The chief technology officer is responsible for the strategic direction and overall operations and implementation of CIHI's technological and security solutions.

Position/Group: Chief Privacy Officer
Role/Responsibilities: The chief privacy officer is responsible for the strategic direction and the overall implementation of CIHI's privacy program.

Position/Group: Manager, Analytical Systems
Role/Responsibilities: The manager is responsible for ensuring that technical requirements for the ongoing development and maintenance of the NSIR are met.

2.7 Authorities Governing NSIR

2.7.1 General

CIHI adheres to its Principles and Policies for the Protection of Personal Health Information (updated November 2007, 3rd edition) and to any applicable privacy legislation and/or agreements.
Legislation

All provinces and territories have public-sector privacy legislation in place. Canadian privacy legislation includes provisions that authorize public bodies covered by the acts to disclose person-identifiable data, without the consent of the individual, for statistical purposes. Alberta, Saskatchewan, Manitoba and Ontario (legislation pending in Newfoundland and Labrador and New Brunswick) also have health-information-specific privacy legislation with express lawful authority to use and disclose personal health information, without individual consent, for purposes of management of the health system, including statistical analysis and reporting. Examples of such provisions include the following:

The Personal Health Information Protection Act (PHIPA) of Ontario, whereby custodians can disclose personal health information to CIHI without patient consent pursuant to section 29 as permitted by section 45(1). CIHI is recognized as a prescribed entity under PHIPA:

    Requirement for consent
    S. 29. A health information custodian shall not collect, use or disclose personal health information about an individual unless,
    (a) it has the individual's consent under this Act and the collection, use or disclosure, as the case may be, to the best of the custodian's knowledge, is necessary for a lawful purpose; or
    (b) the collection, use or disclosure, as the case may be, is permitted or required by this Act.

    Disclosure for planning and management of health system
    S. 45(1) A health information custodian may disclose to a prescribed entity personal health information for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services, if the entity meets the requirements under subsection (3).
The Personal Health Information Act (to be proclaimed) of Newfoundland and Labrador recognizes CIHI as a body to which a custodian may disclose personal health information without the consent of the individual who is the subject of the information:

    Disclosure for health related purposes
    S. 39. (1) A custodian may disclose personal health information without the consent of the individual who is the subject of the information [...]
    (h) to the Canadian Institute for Health Information or other entity prescribed in the regulations for the purpose of compiling and analyzing statistical information to assist in the management, evaluation and monitoring of the allocation of resources, health system planning and delivery of health care services in accordance with the terms of an agreement between the Canadian Institute for Health Information or other entity and the province; [...]
The Personal Health Information Privacy and Access Act (to be proclaimed) of New Brunswick also explicitly recognizes CIHI as a body to which a custodian may disclose personal information relating to an individual without the consent of the individual:

    Disclosure for health care programs or other programs
    38(1) A custodian may disclose personal health information relating to an individual without the consent of the individual if the disclosure is [...]
    (h) to the Canadian Institute for Health Information or other entity prescribed by regulation for the purpose of compiling and analyzing statistical information to assist in the management, evaluation and monitoring of the allocation of resources, health system planning and delivery of health care services in accordance with the terms of an agreement between the Canadian Institute for Health Information or other entity and the Province,

Furthermore, CIHI is recognized as an information manager under both the Health Information Act of Alberta and the Personal Health Information Act of Manitoba.

Agreements

CIHI has in place the following types of agreements:
- Bilateral and data-sharing agreements between the provinces and territories and CIHI in support of data collection, and any subsequent data sharing with authorized users.
- Data-sharing and other types of agreements negotiated between other data providers and CIHI, which set out the purpose, use, disclosure and retention requirements, as well as any subsequent data sharing that may be permitted.

2.7.2 Service Agreements for Data Providers

To participate as a data provider, a hospital or regional health authority must first sign an NSIR service agreement with CIHI. The service agreement is signed at a senior level in the organization to ensure that participants are aware of both their organizational responsibilities and the responsibilities of their users.
Data providers assume responsibility to ensure that users of the NSIR in their organizations are aware of the terms and conditions of the NSIR service agreement. Within each organization, individual users must be made aware of their strict obligation to:
- Keep their username and password strictly confidential;
- Make every reasonable effort to exclude any patient, provider or facility identifiers from data submitted to the NSIR;
- Keep de-identified record-level data obtained through the NSIR, including any reports, strictly confidential and not disclose such data to persons or organizations outside the organization;
- Not attempt to identify individuals or organizations when accessing and using de-identified record-level data accessible through the NSIR; and
- Access the NSIR from the organization's corporate network only.
As stated in the NSIR service agreement, data providers must immediately notify CIHI of any unauthorized use, access or any other breach of confidentiality or security of which they become aware.

As part of CIHI's education session, Preparing for NSIR Implementation, individual users within organizations learn about security and privacy issues. Included in this session is information about the NSIR service agreement. In addition, users must read and accept the terms of use every time they log in and before accessing the NSIR system.

2.7.3 Data-Sharing Agreements for Non-Data Providers

Data-sharing agreements between CIHI and non-data providers (currently ISMP Canada as of June 2009) grant access to the NSIR system, including released records, the analytical tool and the anonymous communication tool. These agreements outline the responsibilities of both CIHI and the non-data provider being granted access to the NSIR data. These responsibilities include the following:
- Strict technical and physical safeguards that must be in place to access the data;
- The conditions under which data may be disseminated publicly. Any release of aggregate data with fewer than five observations must first receive written approval from the organization(s) that originally submitted the data; any effort to publish or disseminate incident details without their prior written consent is considered a breach by CIHI and results in the immediate removal of access privileges.

This requirement is clearly outlined in the NSIR data-sharing agreement. While CIHI will not actively monitor written approvals, the NSIR data-sharing agreement includes an audit clause whereby CIHI can investigate an organization's documentation and data use.
3 Privacy Analysis

CIHI's data collection, use and disclosure activities are guided by its corporate Privacy Policy. From a privacy perspective, the most important characteristic of the NSIR is that it holds very little personal information about patients or health care providers. The NSIR cannot readily identify patients or providers based on the data reported to and maintained in the system.

3.1 Principle 1: Accountability for Personal Health Information

CIHI's president and chief executive officer is accountable for ensuring compliance with CIHI's Privacy Policy. CIHI has a chief privacy officer and general counsel, a corporate privacy, confidentiality and security team, a privacy and data protection subcommittee of its board of directors and an external chief privacy advisor.

The NSIR participants are accountable for the application of the NSIR service agreement within their respective organizations. They are also subject to the requirements of data-protection laws in their respective jurisdictions and the independent oversight of privacy commissioners or their equivalents.

3.2 Principle 2: Identifying Purposes for Personal Health Information

The NSIR supports the collection, sharing and analysis of medication incidents in Canadian hospitals. These purposes are clearly stated on the CIHI website, in the NSIR reports and bulletins and in this privacy impact assessment.

3.3 Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information

The de-identified, record-level data found in NSIR is collected in its original form through the administration of the health care system in the various jurisdictions and provided to CIHI as a secondary user. Data providers are responsible for meeting the statutory requirements in their respective jurisdictions at the time the data is initially collected.
3.4 Principle 4: Limiting Collection of Personal Health Information

CIHI limits the collection of personal health information to that which is necessary for the purposes and goals of its medication incident reporting system. The NSIR was developed to allow the collection of medication incident data without the disclosure of patient or health care provider identity. For patients, only month and year of birth and sex are required to group incidents involving patients by age and sex. For health care providers, only job role (for example, registered nurse, pharmacist, ambulance attendant) is collected. Furthermore, the NSIR service agreement specifies that NSIR data providers are to make every reasonable effort to exclude any patient, provider or facility identifiers from data submitted to the NSIR.
3.5 Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information

3.5.1 Limiting Use

CIHI limits the use of the NSIR to authorized purposes, and only authorized users have access. The analytical tool has been designed in such a way that the analytical environment is devoid of records having direct identifiers, and anonymity is maintained by providing access to the data in a non-identifying fashion. The NSIR service agreement and NSIR data-sharing agreements require participants to keep record-level data obtained through the NSIR strictly confidential and not to disclose such data to anyone outside their organization.

Privacy Risk: Inappropriate Use of Information by Participating Organizations

Mitigation Measures Currently in Place: As described in Section 2.7.2, participants are required to sign an NSIR service agreement, which imposes confidentiality and security restrictions and obligations. Failure to respect the terms and conditions of the NSIR service agreement would be considered a breach of the agreement and could result in termination of access to NSIR data. CIHI can, and intends to, audit compliance through technological means (electronic audit trails). Each agreement also includes an audit clause that gives CIHI the authority to investigate an organization's security measures or disclosure practices. The NSIR participants are also subject to the requirements of data protection laws in their respective jurisdictions.

Similarly, as described in Section 2.7.3, non-data providers are required to sign an NSIR data-sharing agreement prior to accessing any NSIR data. The NSIR data-sharing agreement imposes conditions on the use, disclosure and protection of data provided pursuant to the agreement. The participating organizations must also not attempt to identify individuals or organizations when accessing and using the de-identified record-level data that is accessible through the NSIR.
3.5.2 Limiting Disclosure

Both the NSIR service agreement and NSIR data-sharing agreement specify that participating organizations must keep de-identified record-level data obtained through the NSIR, including any reports with fewer than five observations, strictly confidential and not disclose such data to anyone outside their organizations.

Conditions outlined in the NSIR service agreement

Data providers are not permitted to release or disclose any aggregate data generated by the NSIR system that is not their own; any comparison of their own data to pan-Canadian totals must use aggregate tables created by CIHI.
Any release or disclosure of individual incident details must first receive written approval from the data provider that submitted the data to the NSIR system. Any effort to release or disclose incident details from other data providers without prior written consent would be considered a breach by CIHI and could result in permanent termination of their access to the NSIR system and its data. This information is clearly outlined in the NSIR service agreement and is supported by an audit clause that permits CIHI to investigate data protection and disclosure.

Conditions outlined in the NSIR data-sharing agreement

Those organizations with a signed NSIR data-sharing agreement may release or disclose aggregate data generated by the NSIR system provided that all cell counts are equal to or greater than five observations. However, any data requests received from third parties must be completed by CIHI; organizations with a signed NSIR data-sharing agreement are not permitted to respond to external data requests. Any release of aggregate data with cell sizes smaller than five observations, or any release of individual incident details, must first receive written approval from the data provider(s) that submitted the data to the NSIR system. Any effort to release or disclose incident details without prior written consent would be considered a breach by CIHI and could result in permanent termination of their access to the NSIR system and its data. This information is clearly outlined in the NSIR data-sharing agreement and is supported by an audit clause that permits CIHI to investigate data protection and disclosure. CIHI may release data to third parties, but only in accordance with its Privacy Policy.
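The release conditions above (own-data restriction for data providers, the five-observation cell threshold for data-sharing-agreement holders, and routing of third-party requests to CIHI) can be expressed as a pre-release check. The following is an added example, not CIHI's or the NSIR system's code; the requester categories, function names and the sample table are constructed for illustration.

```python
"""Pre-release check for an NSIR-style aggregate table (added example, not CIHI code).

The threshold of five observations and the three release conditions come from the
agreements described in Section 3.5.2; everything else here is constructed.
"""
from dataclasses import dataclass, field

MIN_CELL = 5  # "all cell counts are equal to or greater than five observations"


@dataclass
class ReleaseDecision:
    releasable: bool                      # may be released without written approval
    table: dict                           # counts, with cells below MIN_CELL set to None
    needs_approval: list = field(default_factory=list)  # cells that need provider sign-off
    reason: str = ""


def review_aggregate(table: dict, requester: str, own_data_only: bool) -> ReleaseDecision:
    """Decide whether `table` ({cell label: count}) may be released by `requester`.

    requester is one of the constructed labels "data_provider" (NSIR service
    agreement), "dsa_holder" (NSIR data-sharing agreement) or "third_party".
    own_data_only says whether every count derives solely from the requester's own
    submissions (relevant only to data providers).
    """
    if requester == "third_party":
        # External data requests are completed by CIHI, never by participants.
        return ReleaseDecision(False, {k: None for k in table}, list(table),
                               "third-party request: must be completed by CIHI")
    if requester == "data_provider" and not own_data_only:
        # Data providers may not release aggregate data that is not their own;
        # comparisons to national totals use CIHI-produced aggregate tables.
        return ReleaseDecision(False, {k: None for k in table}, list(table),
                               "not the provider's own data; use CIHI aggregate tables")
    small = [k for k, v in table.items() if v < MIN_CELL]
    # Primary suppression only: a suppressed cell that could be recovered from a
    # published total still needs a human review before release.
    suppressed = {k: (v if v >= MIN_CELL else None) for k, v in table.items()}
    if small:
        return ReleaseDecision(False, suppressed, small,
                               "cells under five observations need written approval "
                               "from the submitting data provider(s)")
    return ReleaseDecision(True, dict(table), [], "all cells meet the threshold")


if __name__ == "__main__":
    # Constructed sample: incidents detected, grouped by provider role.
    sample = {"registered nurse": 12, "pharmacist": 3, "physician": 7}
    print(review_aggregate(sample, "dsa_holder", own_data_only=False))
```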
Privacy Risk: Release of Information That Could Identify Patients, Providers or Facilities

Mitigation Measures Currently in Place: The NSIR team has processes in place to ensure that identifiers that may be inadvertently submitted by participants are not available in the analytical environment. When records are submitted and available to the NSIR participants in the analytical environment, text fields are initially suppressed. The text fields are reviewed by the NSIR Analysis staff to ensure that they do not contain any identifier information. Once verified, a suppression flag is removed and the text field is made available in the analytical environment. The NSIR staff has the ability to suppress one or multiple fields within an incident record and also has the ability to flag data-quality issues within a record. Messages can be sent via the NSIR communication tool back to submitting organizations if a record has data-quality issues or identifying text. Should a text field not be corrected by the submitting hospital, CIHI has the ability to release the coded fields of the incident record to the analytical environment without the text field.

3.5.3 Limiting Retention

The NSIR data forms part of CIHI's information holdings and is retained permanently for long-term analyses and reporting purposes. Data collection began in November 2008.
3.6 Principle 6: Accuracy of Personal Health Information

CIHI has a comprehensive data quality program. Any known data quality issues are addressed by the data provider or documented in data-limitations documentation, which is made available to all users. The NSIR collection of information is entirely electronic in character, thereby reducing the possibility of transmission error. Validation checks are integrated within the data incident reporting tool to ensure that inaccurate data cannot be submitted. CIHI applies data-quality checks and policies to ensure that the data is accurate and fit for use. Data quality is included in the NSIR education and resource material, and NSIR users have the ability to edit their own submitted, unreleased records. Once records are submitted and released, NSIR staff has the ability to flag potential data-quality issues. CIHI staff will not modify any record, but staff do have the ability to send a message back to the data submitter to review specific data elements. The NSIR system also has a report that identifies potential duplicated records. Additionally, the NSIR participants may request that a released record be unreleased if a data-quality issue is identified later.

3.7 Principle 7: Safeguards for Personal Health Information

CIHI has established physical, technical and administrative security practices to ensure the confidentiality and security of its data holdings. Additionally, CIHI employees are aware of the importance of maintaining the confidentiality of personal health information through a privacy-training program and through mechanisms for communicating information about CIHI's privacy policies and procedures.
In addition to the general safeguards already in place, the NSIR has implemented the following technical and administrative safeguards:

The NSIR Security Architectures/Security Filters: Includes security features such as privileges (used to control what features the user can access) and permissions (used to control the level of access a user has, for example, what data and reports the user can see) by role. Users cannot change or remove a security filter; it is enforced automatically when users execute queries. Users of the NSIR cannot turn off security features. Only the internal CIHI NSIR administrator has the ability to modify security filters, privileges and permissions.

Encryption: The encryption software incorporated into the NSIR for the secure transfer of data over the internet uses a networking protocol called Secure Sockets Layer (SSL). SSL is a cryptographic protocol that provides secure communication on the internet for such things as web browsing, email, internet faxing, instant messaging and other data transfers.

Usernames and Passwords: Permit authentication and ensure that only authorized users can access the NSIR.
Privacy Risk: Unauthorized Access to the NSIR

Mitigation Measures Currently in Place: Monitoring and auditing through the use of system audit trails and logs, which includes:
- What was queried, when and by whom within the analytical tool. This functionality is currently not turned on for the NSIR pilot, but will be turned on when the system is rolled out across Canada, which is planned for winter 2009-2010.
- All queries run within the analytical tool logged by the nature of the query, user ID, time and date. This functionality is currently not turned on for the NSIR pilot, but will be turned on when the system is rolled out across Canada, which is planned for winter 2009-2010.
- Login access to the NSIR logged by user ID, time and date.
- Incident reporting tool sessions disconnect after a set period of inactivity.
- Analytical tool sessions disconnect after a set period of inactivity.
- An intrusion prevention system (IPS) that monitors networks in real time and blocks malicious or unwanted activity.

In addition:
- The analytical tool will lock out users after a pre-determined number of failed login attempts.
- The incident reporting tool will lock out users after a pre-determined number of failed login attempts.

Ethical Hacks: CIHI conducts an annual vulnerability assessment and penetration testing of select information systems (ethical hack). The intent of the assessment is to gather information on the selected systems and applications, and then examine this information for weaknesses that could ultimately be used to compromise the underlying system. An assessment was conducted on the pilot system in 2008. All recommendations resulting from the assessment have been integrated.
Privacy Risk: Lack of Control of Usernames and Passwords by the NSIR Users, Including Active Passwords That Were Assigned to Users Who Are No Longer Employed by the Participating Organization

Mitigation Measures Currently in Place: In order to access the NSIR system, participating organizations must first sign an NSIR service agreement with CIHI that sets out specific requirements and responsibilities with respect to user access. In addition to the requirement to keep usernames and passwords strictly confidential, participants agree to immediately notify CIHI of any unauthorized use of any user's means of access or any other breach of confidentiality or security of which they become aware.
Additionally, as part of CIHI's education session, individual users within participating organizations learn about security and privacy issues; in addition, each user must read and accept the terms of use every time they log in and before accessing the NSIR system.

3.8 Principle 8: Openness About the Management of Personal Health Information

CIHI makes information available about its privacy policies, data practices and programs relating to the management of personal health information on its corporate website (www.cihi.ca).

3.9 Principle 9: Individual Access to, and Amendment of, Personal Health Information

The data in the NSIR does not contain any personal identifiers (such as name, address or health card number). The NSIR staff would refer the requester back to the original data provider.

3.10 Principle 10: Complaints About CIHI's Handling of Personal Health Information

CIHI has an internal mechanism for handling and investigating complaints. If an individual does not believe that his or her challenge has been satisfactorily resolved, he or she may appeal to CIHI's external chief privacy advisor, who will report his or her findings to CIHI's president and chief executive officer. If a complaint is found to be justified, CIHI takes appropriate corrective measures.

4 Conclusion

This PIA summarizes CIHI's assessment of the privacy implications of the NSIR. A number of potential privacy risks were identified; however, this assessment concludes that the mitigation measures currently in place are such that CIHI is prepared to accept and manage any remaining risks.
Appendix A: National System for Incident Reporting Minimum Data Set

Data Element
1.0 Incident Impact
1.1 Degree of Harm
1.2 Potentially Severe Medication Incident
2.0 Incident Discovery
2.1 Date Incident Was Detected
2.2 Time Incident Was Detected
2.3 Time Period When Incident Was Detected
2.4 Date Incident Occurred
2.5 Time Incident Occurred
2.6 Time Period When Incident Occurred
2.7 Functional Area(s) Within Hospital
2.8 Health Care Provider(s) and/or Others Who Detected Incident
2.9 Health Care Provider(s) and/or Others Who Were Involved in Incident
3.0 Patient Characteristics
3.1 Month and Year of Birth
3.2 Patient Sex
4.0 Medication Incident Details
4.1 Process in Medication-Use System
4.2 Medication/IV Fluid Incident Problem
4.3 Repeated Administrations
4.4 Contributing Factors
4.5 Multiple Patients Involved
4.6 Description of the Medication Incident
5.0 Drug Product Information
5.1 Type of Drug Product
5.2 Drug Identification Number (DIN)
5.3 Generic Name of Drug Product
5.4 Brand Name of Drug Product
5.5 Special Drug Product Name
5.6 Extemporaneous Preparation Ingredients
5.7 Correct or Incorrect Drug Product
5.8 Dosage Form
5.9 Incorrect Dosage Form
5.10 Strength
5.11 Route of Administration
5.12 Incorrect Route of Administration
5.13 Batch Number/Lot Number
6.0 Investigation and Findings
6.1 Likelihood of Recurrence
6.2 Intervention(s) Required
6.3 Extended Length of Stay
6.4 Unplanned Admission/Readmission to Hospital
6.5 Root Cause Analysis Status
6.6 Preventive Actions/Strategies/Recommendations
6.7 Actions or Circumstances That Prevented Patient Harm
6.8 Patient Informed of Incident