Health Care Provider Guide
Diagnostic Imaging Common Service Project, Release 1
Version: 1.4
Copyright Notice

Copyright 2014, ehealth Ontario. All rights reserved.

No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of ehealth Ontario. The information contained in this document is proprietary to ehealth Ontario and may not be used or disclosed except as expressly authorized in writing by ehealth Ontario.

Trademarks

Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Diagnostic Imaging Common Service Project, Release 1 / Health Care Provider Guide
Document Control

The electronic version of this document is recognized as the only valid version.

Document ID: 3598
Document Sensitivity Level: Low
Contents

General Information ... 2
  Purpose and Scope ... 2
  Audience ... 2
  Related Documents ... 2
  Glossary ... 3
Service Description ... 4
  Overview ... 4
  Benefits ... 5
    Benefits to You ... 5
    Benefits to Your Patients ... 5
  ehealth Ontario Responsibilities ... 5
  Diagnostic Imaging Information Publisher Responsibilities ... 6
  Diagnostic Imaging Information Consumer Responsibilities ... 7
Privacy and Security Considerations ... 8
  Patient Consent ... 8
    Background ... 8
    Overriding a consent directive ... 8
    Applying consent directives to Diagnostic Imaging data ... 9
  Access Requests ... 9
    Access requests made by patients for Diagnostic Imaging data ... 9
    Requests for audit logs ... 9
  Correction Requests ... 10
  Privacy Complaints and Inquiries ... 10
  Privacy Breach Management ... 10
  Security Incident and Breach Management ... 11
    Instructions for Health Care Providers ... 12
    Instructions for Privacy Officers ... 12
  Privacy-related questions from Health Care Provider sites ... 13
Summary of Security Safeguards in Place at ehealth Ontario ... 14
  Administrative Safeguards ... 14
  Technical Safeguards ... 15
  Physical Safeguards ... 15
General Information

Purpose and Scope

The Diagnostic Imaging Health Care Provider Guide describes the functions and associated benefits provided by the ehealth Ontario Diagnostic Imaging Common Service application, and the Privacy and Security Considerations that health care providers and organizations using the ehealth Ontario Diagnostic Imaging Common Service application must adhere to.

Audience

The primary audience for this document includes health care providers and organizations across the health care sector that use the ehealth Ontario Diagnostic Imaging Common Service application to access Ontario patients' DI results.

Related Documents

The Diagnostic Imaging Service Guide should be read in conjunction with the following information found at ehealthontario.on.ca:
- ONE Portal Product Sheet
- ONE ID Registrant Reference Guide
- ehealth Ontario Personal Health Information Privacy Policy
- ehealth Ontario Privacy Complaints and Inquiries Procedure
Glossary

CPS: Certification Practices Statement
DI: Diagnostic Imaging
DI CS: ehealth Ontario Diagnostic Imaging Common Service
DI-r: Regional diagnostic imaging repository
ENITS: Emergency Neuro Image Transfer System
HN: Health (Card) Number
IHF: Independent Health Facility
LRA: Local Registration Authority
MRN: Medical Record Number. Patient identifier unique within an issuer site.
ONE ID: Set of systems and processes for the assignment and management of electronic identities to allow secure access to ehealth services.
ONE Portal: ehealth Ontario Portal; provides secure access to collaboration tools, content management and health care applications such as Diagnostic Imaging Common Service.
PACS: Picture Archiving and Communications Systems
RA: Registration Authority
SDM: Substitute Decision Maker
Service Description

Overview

Diagnostic Imaging (DI) Common Service is an initiative that supports the sharing and viewing of DI results across Ontario by all hospital and community-based health care providers, anytime, anywhere. DI Common Service gives health care providers important information to make better decisions about a patient's treatment.

Prior to DI Common Service, authorized health care providers could share images and reports securely with other providers only within their respective Diagnostic Imaging Repositories (DI-rs). Now, with the first installment of DI Common Service, diagnostic reports can be shared across the entire province, and future releases will enable sharing of diagnostic images and other types of DI information across Ontario. The diagnostic images and corresponding reports are stored in repositories from which they can be retrieved in digital format. This capability provides physicians with faster access to information, resulting in faster diagnosis.

The ehealth Ontario DI Program is committed to providing health care providers in Ontario with secure electronic access to their patients' comprehensive diagnostic images and reports from anywhere at any time, resulting in improved patient care. The program is achieving this through a number of initiatives in addition to the DI Common Service, which include hospital Diagnostic Imaging Repositories (DI-rs), integration of Independent Health Facilities (IHFs) and the Emergency Neuro Image Transfer System (ENITS).

The ehealth Ontario DI program is part of the agency's overall strategy to improve access to safe patient care. By putting in place a stable technical infrastructure, it guarantees that health care providers have access to vital clinical activity information when they need it.
Benefits

Benefits to You
- Access to diagnostic reports across Ontario
- Faster and easier access to images [1] and reports 24/7
- Remote access to diagnostic imaging reports for off-hours coverage
- Real-time clinical collaboration, increasing access to a broader range of specialists

Benefits to Your Patients
- Eliminates unnecessary patient travel
- Reduces wait times and lengths of stay thanks to faster exam reports and clinical decisions by physicians and specialists
- Reduces duplicate and unnecessary exams
- Eliminates the need to physically transfer images or CDs to the specialist

ehealth Ontario Responsibilities

ehealth Ontario shall comply with the following obligations:
- Provide Diagnostic Imaging Common Service application functionalities as described below, for registered health care providers 24/7.

[1] The initial release of Diagnostic Imaging Common Service will enable provincial sharing of diagnostic reports, while future releases will enable provincial sharing of diagnostic images and other types of DI information.
- Provide alternative ways to search for a patient of interest within the Diagnostic Imaging Community of the Electronic Health Record.
- Enable access to the patient's diagnostic imaging reports [2] that have been submitted by health care providers to the regional Diagnostic Imaging Repositories.
- Do not provide access to diagnostic imaging information that has been restricted by one or more consent directives issued by the patient.
- Temporarily reinstate access to diagnostic imaging information restricted by consent directives when the health care provider indicates that the patient's or his/her substitute decision maker's approval has been obtained.
- Provide general support for the application during standard business hours as described in the Support section of this guide.
- Update the application to expand and enhance the functionalities provided.
- Create and maintain a certification practices statement (CPS) that describes the practices followed by the ehealth Ontario certification authority when issuing public key infrastructure certificates and keys.
- Conduct privacy and security assessments to ensure that the collection, storage, use and disclosure of personal identity information related to registration comply with legislative and privacy protection requirements.
- Assist providers in meeting their legislative obligation to respond to individuals' access and correction requests.

Diagnostic Imaging Information Publisher Responsibilities

Health care providers that publish diagnostic imaging information shall comply with the following obligations:

[2] The initial release of Diagnostic Imaging Common Service will enable provincial sharing of diagnostic reports, while future releases will enable provincial sharing of diagnostic images and other types of DI information.
- Provide timely, complete and accurate diagnostic imaging order information to the regional Diagnostic Imaging Repository.
- Provide all diagnostic imaging reports, complete and accurate information associated with each report, all report addendums and all report replacements to the regional Diagnostic Imaging Repository on a timely basis.

Diagnostic Imaging Information Consumer Responsibilities

Health care providers that use diagnostic imaging information shall comply with the following obligations:
- Register as a user of a portal hosting the Electronic Health Record Diagnostic Imaging application.
- Enrol in the Electronic Health Record Diagnostic Imaging application to access diagnostic imaging information submitted to the Diagnostic Imaging Repositories across Ontario.
- Follow the requirements of the ehealth Ontario Identity Provider Standard.
- Agree to follow the ehealth Ontario acceptable use policy available at http://www.ehealthontario.on.ca/docs.
- Review the reference information listed above and learn how to protect privacy and security when using ehealth Ontario products.
- Use the Diagnostic Imaging Common Service application's functionalities only for approved clinical purposes.
- Always indicate the person or the organization that the user represents when accessing diagnostic imaging information.
- Use the Diagnostic Imaging Common Service application to locate the electronic health record for the patient under your care.
- Obtain the patient's or the substitute decision maker's consent prior to requesting temporary reinstatement of access to diagnostic imaging information restricted by consent directives.
- Use the Diagnostic Imaging Common Service application to display, print or save diagnostic imaging reports.
- When support is required, follow the troubleshooting process as described in the Support section below.
- Implement and assist users to follow privacy and security policies, where applicable.
Privacy and Security Considerations

Patient Consent

Background

As custodians of patient personal health information (PHI), health care providers working at sites have obligations under PHIPA and Ontario Regulation 329/04 (the regulation) for the protection of PHI.

Patient Consent Model

DI Common Service data has a consent directive capability, which gives patients or their substitute decision maker (SDM) the option to restrict access to patient data in DI Common Service. A patient may restrict access to either:
- All of his/her diagnostic imaging results in DI Common Service (Domain consent directive); or
- A particular diagnostic imaging result (Record consent directive; not in place in the first release).

In other words, if a patient restricts access to his/her results in DI Common Service, health care providers querying DI Common Service data will not be able to access any patient information that has been, or will be, submitted into DI Common Service.

Overriding a consent directive

In special cases (with consent from the patient or the patient's SDM) the patient directive restricting access to the test may temporarily be overridden by a provider. Health care providers may request to temporarily override a consent directive applied to data when access has been granted directly by a patient or the patient's SDM (express consent).

No health care provider using DI Common Service should override a consent directive applied to DI Common Service data without the patient's or SDM's express consent. Therefore, health care providers using DI Common Service are permitted to override consent directives applied to DI Common Service data only where permission to do so has been expressly authorized by the patient or the patient's SDM prior to performing the consent directive override.
Overriding a patient's consent directive for DI Common Service data without express consent from the patient or the patient's SDM will constitute a breach of the EHR Access Services Schedule, and will be subject to the remedies available under the agreement.

Temporary overrides will be logged in the DI Common Service application interface, along with the identity of the overriding health care provider.
Applying consent directives to Diagnostic Imaging data

If a patient contacts a health care provider and wishes to place a restriction on access to his/her information in DI Common Service, or wishes to reinstate access (remove the restriction), the HIC should:
- Capture the patient and consent directive information on the DI CS Consent Form, and
- Submit the patient and consent directive information to ehealth Ontario by faxing it to (416) 586-4397 or 1-866-831-0107.

In instances where a patient wants to issue consent directives on records contributed by more than one HIC, the provider can direct the individual to contact ehealth Ontario at 1-866-250-1554 to apply consent directives as per the consent management policy.

Access Requests

Access requests made by patients for Diagnostic Imaging data

Under PHIPA, patients or their SDMs have a right to access the patient's data held by a HIC about the patient.

Where a provider receives a request for records collected, created and contributed by the provider to DI CS, the provider shall follow Part V of PHIPA and its internal policies, procedures and practices to respond directly to the individual in respect of the Request for Access.

In instances where a request for access involves information contributed by another HIC or by multiple HICs, the provider shall:
- Notify the individual that the Request for Access involves PHI not within the custody or control of the HIC that received the Request for Access; and
- Direct the individual to contact ehealth Ontario at 1-866-250-1554 to make the Request for Access.

As per the DI CS Access and Correction policy, ehealth Ontario may seek assistance from you when responding to access requests received directly by ehealth Ontario.
Requests for audit logs

Where a provider receives a Request for Access directly from an individual related to the audit logs for records stored in DI CS, the HIC shall:
- Notify the individual that the HIC is unable to process the Request for Access; and
- Direct the individual to contact ehealth Ontario at 1-866-250-1554 to make the Request for Access to logs.
As per the DI CS Access and Correction policy, ehealth Ontario may seek assistance from you when responding to access requests received directly by ehealth Ontario.

Correction Requests

Where a HIC receives a Request for Correction directly from an individual related to records of PHI that were created and contributed to the DI CS solely by that HIC, the HIC shall follow Part V of PHIPA and its internal policies, procedures and practices to respond directly to the individual in respect of the Request for Correction.

Where a HIC receives a Request for Correction directly from an individual related to records of PHI that were created and contributed to the DI CS solely by another HIC or by more than one HIC, the HIC that received the Request for Correction shall, as soon as possible but in any event no later than 2 days after receiving the Request for Correction:
- Notify the individual that the Request for Correction involves PHI not within the custody or control of the HIC that received the Request for Correction; and
- Direct the individual to contact ehealth Ontario at 1-866-250-1554 to make the correction request.

As per the DI CS Access and Correction policy, ehealth Ontario may seek assistance from you when responding to access requests received directly by ehealth Ontario.

Privacy Complaints and Inquiries

Where a HIC directly receives an Inquiry/complaint related to DI CS and solely to the HIC and its agents and service providers, the HIC shall follow its own internal policies, procedures, and practices to address the Inquiry as per the DI CS Inquiries and Complaints policy.
Where a HIC directly receives an Inquiry that it is unable to address and that relates solely to DI CS or to the agents or Electronic Service Providers of ehealth Ontario, the HIC receiving the Inquiry shall, as per the DI CS Inquiries and Complaints policy and as soon as possible:
- Notify the person that the HIC is unable to respond to the Inquiry because DI CS is the subject of the Inquiry; and
- Direct the individual to contact the ehealth Ontario Privacy Office at (416) 946-4767 for complaints and inquiries.

Privacy Breach Management

The DI CS Privacy Breach Management policy describes the detailed steps to be taken in the event of a privacy breach/incident.
A HIC shall report an actual or suspected Privacy Breach to ehealth Ontario by calling the 24/7 Service Desk/ONE Support at 1-866-250-1554 as soon as possible, but in any event no later than the end of the next business day after the person at the HIC responsible for reporting actual or suspected Privacy Breaches to ehealth Ontario has become aware of an actual or suspected Privacy Breach caused or contributed to by:
- Another HIC or the agents or Electronic Service Providers of another HIC;
- More than one HIC or the agents or Electronic Service Providers of more than one HIC;
- ehealth Ontario or the agents or Electronic Service Providers of ehealth Ontario; or
- Any other unauthorized persons who are not agents or Electronic Service Providers of ehealth Ontario or any other HIC.

In instances where the breach is caused by the HIC that solely created and contributed the data to DI CS, the HIC shall follow its internal policies, procedures, and practices to notify the individual(s) to whom the PHI relates at the first reasonable opportunity in accordance with PHIPA, and to contain, investigate and remediate the Privacy Breach.

In instances where the Privacy Breach was solely caused by a HIC that did not solely create and contribute the PHI to the DI CS, the HIC, in consultation with the other HICs (who contributed data) and ehealth Ontario, shall identify the individual to investigate the breach. The specific roles for each party involved in the privacy breach are noted in the DI CS Privacy Breach Management policy.

Security Incident and Breach Management

This section includes instructions for providers at clinics and privacy officers at organizations to report to ehealth Ontario any security incidents or breaches (defined below) by you or your organization, including health care providers, agents, employees or service providers.
A security incident is an unwanted or unexpected situation that results in:
- Failure to comply with the organization's security policies, procedures, practices or requirements.
- Unauthorized access, use or probing of information resources.
- Unauthorized disclosure, destruction, modification or withholding of information.
- A contravention of agreements with ehealth Ontario by your organization, users at your organization, or employees, agents or service providers of your organization.
- An attempted, suspected or actual security compromise.
- Waste, fraud, abuse, theft, loss of or damage to resources.
Instructions for Health Care Providers

If you become aware of, or suspect, a security incident or breach of the Diagnostic Imaging Common Service system or data by you or any of your employees, agents, or service providers, you must immediately report the incident or breach to your privacy office. If you do not have a privacy office, or you are unable to reach your privacy office or support team to report a breach, please contact the ehealth Ontario service desk at 1-866-250-1554 and advise the ehealth Ontario agent that you would like to open a security incident ticket.

You are expected to cooperate in any incident or breach containment activities or with any investigation undertaken by ehealth Ontario. During the investigation by ehealth Ontario, you may be required to provide additional information, which may include personal health information or personal information, in order to contain or resolve the incident or breach.

Note: It is extremely important that you do not disclose any patient personal health information and/or personal information to the ehealth Ontario agent when initially reporting a security incident or breach.

Instructions for Privacy Officers

If you become aware of, or suspect, an incident or breach related to the Diagnostic Imaging Common Service system or data by any of your organization's staff members, including employees, agents or service providers, you must immediately report the incident or breach to the ehealth Ontario service desk at 1-866-250-1554 and advise the ehealth Ontario agent that you would like to open a security incident ticket.

Note: It is extremely important that you do not disclose any patient personal health information and/or personal information to the ehealth Ontario agent when initially reporting a privacy or security incident or breach. Further, you may not contact any patient or SDM directly, unless expressly instructed to do so in writing by ehealth Ontario.
It is expected that you and the organization's staff members will cooperate with any investigations conducted by ehealth Ontario in respect of any privacy or security incidents or breaches related to Diagnostic Imaging Common Service data.

When reporting a confirmed or suspected privacy or security incident, please have the following information ready:
1) If possible, a description of the situation and condition that led to the incident.
2) Who was involved (name and role)?
3) Where did the incident happen?
4) When and at what time was the incident noticed?
5) If possible, describe how the incident was detected.
6) If possible, provide information on the most likely cause, for example:
   a) Human error
   b) Negligence
   c) Technical failure, caused by failure of an application or system to maintain privacy
   d) Process failure, caused by not following a process
   e) Wilful wrongdoing
   f) Act of nature
7) Describe the type of PI/PHI involved in the incident.
8) If possible, list measures taken to contain the incident or breach, or any risks that could eventually result in an incident or breach.
9) If possible, list any corrective measures taken or additional controls applied.
10) What services, if any, are impacted?
11) Are ehealth Ontario's services impacted or involved?

Once a call has been logged with the ehealth Ontario service desk, the ehealth Ontario privacy and security teams will be engaged to deal with the situation.

Privacy-related questions from Health Care Provider sites

If a health care provider has any questions regarding the privacy-related processes described above, including how to respond to individual access requests, consent obligations or incident/breach management processes, please contact the ehealth Ontario privacy operations department at privacyoperations@ehealthontario.on.ca or (416) 946-4767. Please ensure that you do not include any personal information or personal health information in any emails to ehealth Ontario.
Summary of Security Safeguards in Place at ehealth Ontario

Administrative Safeguards
- ehealth Ontario has a Chief Privacy Officer and Chief Security Officer; these individuals are accountable for health information privacy and security.
- All providers who use DI Common Services must sign a data access agreement with ehealth Ontario, which, among other things, spells out their responsibilities regarding privacy and security.
- ehealth Ontario requires its representatives to implement privacy and security safeguards, as appropriate to the service being provided.
- ehealth Ontario regularly reviews and enhances its privacy and security policies. Staff and contractors are required to read the relevant policies and acknowledge in writing that they have read and understood them.
- All staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining or providing services to ehealth Ontario.
- ehealth Ontario has a security screening policy that requires staff to have an appropriate level of clearance for the sensitivity of the information they may access.
- ehealth Ontario staff and contractors generally have no ability or permission to access personal health information. If access to personal health information is required in the course of providing ehealth Ontario services, individuals are required to follow the access request process and are prohibited from using or disclosing such information for other purposes.
- ehealth Ontario ensures, through contracts, that any third party it retains to assist in providing services to health information custodians will comply with the restrictions and conditions necessary for ehealth Ontario to fulfill its legal responsibilities.
- ehealth Ontario has developed a full privacy and security incident management system.
- ehealth Ontario has mandatory privacy and security awareness and training programs for all staff and contractors.
- ehealth Ontario staff, contractors, suppliers and clients must promptly report any privacy and/or security breaches to ehealth Ontario for investigation.
- ehealth Ontario conducts privacy and security risk assessments for both product/service development and client deployments. Mitigation activities are well established and tracked as part of each assessment.
- ehealth Ontario provides a summary of the results of privacy and security risk assessments to the affected health information custodians.
- ehealth Ontario ensures all operational and systems changes follow the agency's change management procedures.

Technical Safeguards
- Authorization and authentication controls (i.e. confirming who each user is, and what he/she is permitted to do) limit access to DI Common Services to only those individuals who require it to perform their job function.
- DI Common Services users are authenticated each time they access the system.
- Information about each data request is recorded in an audit trail maintained by DI Common Services, in compliance with PHIPA.
- Patients can expressly withhold or withdraw their consent to use or disclose information related to their diagnostic imaging information.
- DI Common Services verifies all inbound messages to ensure that they are well formed.
- Personal health information is transmitted to and from DI Common Services securely using a mutually authenticated tunnel.
- Networks are protected by devices (firewalls and routers) which limit access to and from systems.
- The systems are kept up to date by installing software updates on a regular basis.
- Security agents are installed on each system to protect DI Common Services from malware and detect intrusions.
- ehealth Ontario's hosting environment provides continuous secure data backup and immediate failover capabilities for all system components.

Physical Safeguards
- DI Common Services resides in a specially built facility that is physically secured against unauthorized access.
- Biometrics, secure cabinets and access cards control physical access to facilities and equipment.
- The facilities are staffed and monitored continuously by security staff/employees.
- The facility is protected against environmental issues such as power outages and extreme weather.