James Williams Ontario Telemedicine Network

Similar documents
Privacy & Security Requirements: from EHRs to PHRs

Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View

HEALTH INFORMATION ACT (HIA) BILL QUESTIONS AND ANSWERS

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

For ONC S&I DS4P. Dennis Giokas Chief Technology Officer Canada Health Infoway Inc. January 25, 2012

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

Towards a Hippocratic Log File Architecture

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD

Empowering Patients and Enabling Providers

New Ross Credit Union Web Site Statement

ChangeIt Privacy Policy - Canada

How To Understand The Health Care System In Canada

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records

Privacy Law in Canada

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

Best Practices for Protecting Individual Privacy in Conducting Survey Research

PRIVACY POLICY. Consent

1.1.3 Professional Conduct and Ethics

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA

Personal Health Information Privacy Policy

SCHEDULE "C" ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL

BUSINESS ASSOCIATE AGREEMENT

The Journey to Create Document Standards and Guidelines for Occupational Therapists. Christine Fleming Legislation and Bylaws Committee

The Manitoba Child Care Association PRIVACY POLICY

Table of Contents. Preface CPSA Position How EMRs and Alberta Netcare are Changing Practice Evolving Standards of Care...

Guidelines for Self-Employed Registered Nurses

ORDER MO-2554 Appeal MA Town of Iroquois Falls

EHR Contributor Agreement

Funding Privacy Commissioner of Canada: Secondary use of data from the EHR current governance challenges & potential approaches

The Youth Drug Detoxification and Stabilization Act

How To Ensure Health Information Is Protected

Accounting for Disclosure Requirements Summary of Changes Included in the Proposed Rule 76 Federal Register May 31, 2011

Taking care of what s important to you

The text boxes in this document are for explanatory purposes only and are not part of the Instrument or the Companion Policy.

A Guide to Ontario Legislation Covering the Release of Students

VICTIMS OF CRIME ACT

Privacy and Security within an Interoperable EHR

Privacy Policy for Bell s Finder Services & Business Tracking Services

The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy

GUIDELINE No. 117 THE PHYSICIAN MEDICAL RECORD*

NATIONAL INSTRUMENT USE OF CLIENT BROKERAGE COMMISSIONS

LEGISLATURE OF THE STATE OF IDAHO Sixty-second Legislature First Regular Session IN THE HOUSE OF REPRESENTATIVES HOUSE BILL NO.

K-12 International Student Homestay Guidelines

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008)

ROLE OF THE AGENCY IN THE DISTRIBUTION OF LIFE/HEALTH INSURANCE PRODUCTS

Department of Homeland Security Web Portals

Data Breach, Electronic Health Records and Healthcare Reform

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

7. PROTECTION OF PRIVACY

INDEX NO.: Consultation Policy Released December CP - Management and Retention of Pension Plan Records by the Administrator - PBA s.

Privacy Reference Monitor A Computer Model for Law Compliant Privacy Protection

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019

Preventing Information Inference in Access Control

3. Consent for the Collection, Use or Disclosure of Personal Information

Electronic Health Record Privacy Policies

DIRECTORS AND OFFICERS LIABILITY INSURANCE INCLUDING CORPORATE INDEMNITY POLICY APPLICATION PROFIT CORPORATIONS

Understanding Your Health Record Information

M&T BANK CANADIAN PRIVACY POLICY

ELECTRONIC TRANSACTIONS ACT

e-health: Privacy Compliance and the Electronic Health Record

CHAPTER 116. C.12A:12-1 Short title. 1. This act shall be known and may be cited as the "Uniform Electronic Transactions Act."

COMPLYING WITH THE PERSONAL HEALTH INFORMATION ACT

INTRODUCTION. The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Policy Brief: Protecting Privacy in Cloud-Based Genomic Research

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

Electronic Health Record (EHR) Privacy and Security Requirements

Distributel Communications Limited. c/o Privacy Officer 177 Nepean St. Suite 300, Ottawa, ON, K2P 0B4. January 20, 2014

Kaiser Permanente Affiliate Link Provider Web Site Application

The HIPAA Privacy Rule: Overview and Impact

A Guide. Personal Health Information Protection Act. to the. December Ann Cavoukian, Ph.D Commissioner

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

Ann Cavoukian, Ph.D.

CORE 573. Community Rehabilitation and Disability Studies. Disability and the Law. Calendar Description. Content/Objectives. Outcomes/Competencies

Privacy Policy on the Responsibilities of Third Party Service Providers

NOTICE OF PRIVACY PRACTICES

Provider secure web portal & Member Care Information portal Registration Form

NOTICE OF PRIVACY PRACTICES

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Privacy Rights Management Using DRM Is this a good idea?

A Formalization of HIPAA for a Medical Messaging System

Privacy and EHR Information Flows in Canada. EHIL Webinar Series. Presented by: Joan Roch, Chief Privacy Strategist, Canada Health Infoway

The United States Federal Trade Commission ("FTC") and the Office of the Data Protection Commissioner of Ireland (collectively, "the Participants"),

HIPAA BUSINESS ASSOCIATE AGREEMENT

Closing or Moving a Physician Practice

Table of Contents. Page 1

Health Information Privacy Refresher Training. March 2013

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Access & Correction Policy

-1- PERSONNEL CERTIFIED / NON-CERTIFIED /

Safeguarding Personal Data using Rights Management in Distributed Applications

Transcription:

James Williams Ontario Telemedicine Network

Objec&ves: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs. 3. CHI consent management architecture. 4. Current research.

Focus: Policies pertaining to personal health information. Policies may touch upon: Consent directives. Acceptable uses. Permissible disclosure. Appropriate safeguards. Emergency overrides. Retention.

Sources of Policy: 1. Statutes and regulations 2. Case law 3. Codes of conduct 4. Corporate bylaws 5. Professional guidelines / best practices 6. First Nations Sovereignty

Statutes: Privacy The most important legislative instruments are the various privacy and health information statutes. Privacy legislation in Canada is based on a set of fair information practices: 1) Accountability 6) Accuracy 2) Identifying purposes 7) Safeguards 3) Consent 8) Openness 4) Limiting collection 9) Individual access 5) Limiting use, disclosure, retention. 10) Challenging compliance

Statutes: Establish a basic rule, and then add exceptions. For example, express consent is generally required in order to disclose information to a third party. But: Emergency situations. Law enforcement. Public health. Eligibility for benefits. Risk to third party.

Statutes: Private sector privacy laws

Statutes: Health informa&on laws

Statutes: addi&onal laws Federal: Statistics Act. Quarantine Act. Provincial: Child Protection Act. Communicable Disease Act. Health Act. Worker s Compensation Act. Mental Health Act.

Other sources Case Law: Eg: Patient has right of access to their own health record. (McInerney v MacDonald). Codes of Conduct: Eg: Canadian Medical Association, Health Information Privacy Code (1998). Corporate bylaws: Hospital policies and procedures. Municipal Information Acts. Best Practices COACH Guidelines for the Protection of Health Information.

Sources: OCAP Ownership: information is owned collectively by the Nation. Control: the Nation retains control over all aspects of information management. Access: the Nation has a right to manage and make decisions regarding access to their collective information. Possession: a mechanism to assert ownership.

The inter- provincial view:

Interoperability:

Some Issues: Custodians disclosing PHI are generally under a duty to ensure that the receiving jurisdiction has comparable safeguards. Patients may issue consent directives. Ontario imposes a duty to notify receiving custodians about these. Patients should be able to avail themselves of additional protections in the new jurisdiction. Who now has control of the information? Consent directives are also sensitive.

More issues: Even if we have a way to solve these issues, one of the major problems is that laws (etc) are dynamic.

Challenge: How do we manage policies in a multi- EHR setting? Traditional route has been to either purchase COTS products, or to develop systems for a particular jurisdiction. (Hard coded business rules).

CHI s Consent Direc&ves Management System Applies constraints prior to providing access or transmitting PHI. Allows consent directives at various levels of granularity. Relies on common privacy vocabulary to apply consent requirements. Can store with EHRi data, or in consolidated form.

Processing Consent Direc&ves in a Jurisdic&on 1. Transfer consent directives from clinical applications to the EHR. 2. Let either the EHR or (sending clinical application) process consent directives prior to disclosing a patient s PHI. 3. Transfer consent directives from EHR to clinical applications whenever PHI is disclosed from the EHR. Want to avoid having too many consent directives management systems.

Interjurisdic&onal Transfer Consent directives will be processed whether an access request is received from a POS system, or clinical portal, or from an EHR in another jurisdiction. Jurisdictions need to agree upon and set policies as to how consent directives made in one jurisdiction will be managed following disclosure to another. A nationally adopted messaging schema is required for conveying consent directives between jurisdictions.

Interjurisdic&onal Transfer (2) Several goals must be achieved before policy enforcement can be automated by a policy management service: Jurisdictional policies must be harmonized. Rules must be captured and codified. Special support for changes to rules. Common vocabultary. Data containing consent directives may flow from one jurisdiction to another, but policy related data does not.

Can we do beker? The inter- jurisdictional data transfer problem is complex. Can we bring some technical tools to bear on the problem? Representing policy rules. Operationalizing the representations. Storing and securing the representations. Managing the representations through their lifecycle. Verification and validation.

Current work: There has been quite a bit of work on representing policies and regulations. L.Cranor, M. Langehreich, M. Marchiori, J. Reagle, The Platform for Privacy Preferences (P3P 1.0) Specification. R. Agrawal, J. Kiernan, R. Srikant, Y. Xu, An Xpath based preference language for P3P. N. Li, T. Yu, A.I. Anton, A semantics based approach to privacy languages. (2006)

Current Work P. Ashley, S. Hada, G. Karjoth, C. Powers, M. Schunter, Enterprise Privacy Authorization Language (EPAL 1.1). A. Barth, J.C. Mitchell, J. Rosenstein, Conflict and combination in privacy policy languages (2004). (DPAL) extensible Access Control Markup Language. (XACML)

Current Work The above frameworks provide a formalism to specify data protection policy. They provide methods for evaluating and enforcing policies. Drawback: they are built to manage policies within single organizations. (Guarda, Zannone, Toward the Development of Privacy Aware Systems, 2008)

Current Work Recent efforts: Extend XACML with algorithms addressing issue of policy similarities and integration across organizations. (Mazzoleni et al, XACML policy integration algorithms, 2008). Distributed temporal logic. (Hilty et al, On obligations, 2005). Privacy in Peer to Peer Networks. Automated policy enforcement. (Weber, Obry).

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information