SCHEDULE "C"
to the MEMORANDUM OF UNDERSTANDING AMONG ALBERTA HEALTH SERVICES, PARTICIPATING OTHER CUSTODIAN(S) AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL
(AHS, PARTICIPATING OTHER CUSTODIAN(S) AND PARTICIPATING PHYSICIANS USING AN AHS EMR SYSTEM)

A DOCUMENT CONCERNING THE ACCESS TO, USE AND DISCLOSURE OF INFORMATION IN THE ELECTRONIC MEDICAL RECORD

(EMR IEP Jan 15-15 version as amended from time to time)
A.1 Purpose of This Document
This document, the Electronic Medical Record Information Exchange Protocol (the "Protocol"), establishes the specific rules for the access to, use, disclosure and protection of EMR Information contributed to and stored in an EMR System [1] that is owned and operated by AHS (in this Protocol, the "EMR System") including: EMR Information from Participating Physicians, Participating Other Custodian(s) and Alberta Health Services; EMR Information that is accessed by EMR Custodians in the EMR System; and, EMR Information that is used for Secondary Use and Disclosure purposes. These rules bind all EMR Custodians and EMR Affiliates utilizing the EMR System. Custodians who choose not to sign the Information Sharing Agreement (the "ISA") as amended from time to time, or other appropriate legal agreements may not access, use or disclose EMR Information in the EMR System.

[1] The phrase "located in an AHS facility" was removed by Governance Committee motion on November 21, 2012.

A.2 Why Rules Are Required
The Health Information Act establishes the legal authority and limits for the exchange of health information. It makes each Custodian in the health system responsible for the collection, use and disclosure of health information. However, the Health Information Act recognizes that a wide variety of circumstances exist in the delivery of care. While the Health Information Act establishes general rules, it provides Custodians considerable latitude within those rules for discharging their responsibilities. An EMR is an electronic record of an individual's health information. An EMR typically records a history of clinical encounters maintained by Physicians and other health care providers in an electronic information system. Since health information is shared electronically in the EMR System by a large number of Physicians and other health services providers, it is necessary to establish clear and consistent rules for Custodians.
The rules set forth in this Protocol define the expected use of EMR Information by EMR Custodians, thereby providing consistency within the larger context of Custodian activity and their obligations under the Health Information Act. Only those rules that are unique to the EMR context are contained within this Protocol. Rules for how information may be collected, used and disclosed in the context of the Alberta EHR may be found in the Alberta Netcare Information Exchange Protocol.
A.3 History of This Document
This Protocol was created and first released under Version 1.0, February 2011.

A.4 Revisions to This Document
This Protocol may be revised from time to time by the Governance Committee with input from the EHRDSC as required. All revisions to this Protocol will be made available to EMR Custodians 30 days prior to the effective date of the revisions. By continuing to access EMR Information in the EMR System following the effective date, an EMR Custodian accepts and agrees to comply with the revisions. The Governance Committee may, at its ongoing meetings, make relatively minor revisions to this Protocol that do not materially affect the continued use of the EMR System. Rather than release continual revisions to the Protocol, these minor revisions will be consolidated and published in periodic updated releases. When published, these updated releases will become effective in the same manner as major revisions. They will be made available to EMR Custodians 30 days prior to the effective date of the revisions. By continuing to access the EMR System following the effective date, an EMR Custodian accepts and agrees to comply with the revisions.

A.5 Guiding Legislation
The rules outlined in this Protocol have been developed in consideration of the Health Information Act (and other applicable legislation) and serve as a vehicle for the clarification and the operational application of selected sections of that legislation, particularly as it relates to health information in the EMR System. Definitions of terms used in the Health Information Act also apply to those terms when used in this Protocol.

A.6 Guiding Principles
In its adoption and continuation of this Protocol, the Governance Committee will strive to maintain alignment with the following principles:
Protocol rules will recognize and align with legislated and EMR Custodians' ethical obligations.
Protocol rules will be structured to assure the privacy and security of an individual's health information without placing onerous restrictions and processes on those who have a legitimate need to access and use information from the EMR System.
The Protocol will not be a reiteration of the Health Information Act, but rather a document to highlight and clarify important aspects of the Health Information Act as it relates to the use and disclosure of health information in an EMR System. The Protocol will further elaborate on the use and disclosure of health information from the EMR System where the Act does not provide sufficient guidance.
Protocol rules will articulate EMR Custodian obligations but not necessarily the means by which EMR Custodians are to meet those obligations. In that regard, EMR Custodians should use their professional judgement or other guidelines that may be released from time to time by the Governance Committee.
Information Exchange Protocol rules will articulate EMR Custodian obligations but will not provide guidance in matters where discretion may be exercised. Such guidance is expected to be provided through the CPSA and other applicable health professional bodies.

A.7 Limitations of This Document
This Protocol does not define the scope or necessarily represent the current architecture of the EMR System. In some cases, these rules may infer functionality which exceeds that of the EMR Systems. This approach has been taken to assist EMR Custodians in understanding the possible impacts of future functionality, and to recognize that the EMR System will continue to be an evolving tool for the use of health services providers in their delivery of health services to Alberta residents.

A.8 Contact Information
Questions regarding this Protocol or requests to contact the Governance Committee can be directed to the Information Stewardship Office ("ISO") at 780-735-0655.
instructions of a Patient to his/her Physician, including individual data element masking or global person masking.

Memorandum of Understanding: An agreement entered into between AHS and the AMA dated effective the 1st day of April, 2012, as amended from time to time, together with consequential amendments resulting from adding Participating Other Custodian(s) to the Memorandum of Understanding, establishing the Information Sharing Framework, and the Governance Committee.

Participating Other Custodian: A Participating Other Custodian is a Custodian, other than AHS and Participating Physicians, that is authorized by AHS to use an EMR System within its facilities or otherwise, including through authorized network access, for use by that Participating Other Custodian and its affiliates.

Participating Physician: A Physician that signs a Participating Physician Agreement signifying his/her acknowledgement of the Memorandum of Understanding, and agreement with the terms of the ISF, including the ISA, IMA and this Protocol.

Primary use: The use of EMR Information for the purpose of providing Health Services to Patients and includes the reproduction of that information, but not the Disclosure of that information.

Secondary use: The use of EMR Information by a Party for any purpose not directly related to the provision of Health Services to the Patient who is the subject of that information including, without limitation, the provision of Health Services to Patient populations or to advance Patient safety, or health system management.

Security: The process of protecting EMR Information by assessing threats and risks to that EMR Information and implementing the procedures and systems to restrict access and maintain the integrity of that EMR Information.

Unmasking: The temporary removal of Masking from EMR Information during a session of access to an Individual's EMR Information by an EMR Custodian.
B.2 Glossary of Terms Used in This Document and Defined in the Health Information Act
Affiliate: In relation to a custodian, means
  (i) an individual employed by the custodian;
  (ii) a person who performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian;
  (iii) a health services participating custodian who has the right to admit and treat patients at a hospital as defined in the Hospitals Act;
  (iv) an information manager as defined in section 66(1);
  (v) a person who is designated under the regulations to be an affiliate;
  but does not include
  (vi) an agent as defined in the Health Insurance Premiums Act; or,
  (vii) a health information repository other than a health information repository that is designated in the regulations as an affiliate.

Audit: A financial, clinical or other formal or systematic examination or review of a program, portion of a program or activity.

Collect: To gather, acquire, receive or obtain health information.

Custodian: Means
  (i) the board of an approved hospital as defined in the Hospitals Act other than an approved hospital that is (A) owned and operated by a regional health authority established under the Regional Health Authorities Act,
  (ii) the operator of a nursing home as defined in the Nursing Homes Act other than a nursing home that is owned and operated by a regional health authority established under the Regional Health Authorities Act;
  (iii) an ambulance operator as defined in the Emergency Health Services Act;
  (iv) a provincial health board established pursuant to regulations made under section 17(1)(a) of the Regional Health Authorities Act;
  (v) a regional health authority established under the Regional Health Authorities Act;
  (vi) a community health council as defined in the Regional Health Authorities Act;
  (vii) a subsidiary health corporation as defined in the Regional Health Authorities Act;
  (viii) a board, council, committee, commission, panel or agency that is created by a custodian referred to in sub-clauses (i) to (vii), if all or a majority of its members are appointed by, or on behalf of, that custodian, but does not include a committee that has as its primary purpose the carrying out of quality assurance activities within the meaning of section 9 of the Alberta Evidence Act;
  (ix) a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations for the purpose of this sub-clause;
  (x) a licensed pharmacy as defined in the Pharmacy and Drug Act;
  (xi) the Department;
  (xii) the Minister;
  (xiii) an individual or board, council, committee, commission, panel, agency or corporation designated in the regulations as a custodian;
  but does not include
  (xiv) a Community Board or a Facility Board, as those terms are defined in the Persons with Developmental Disabilities Community Governance Act other than a Community Board that is designated in the regulations as a custodian.

Department: The Department administered by the Minister.

Health information: One or both of the following:
  (i) diagnostic, treatment and care information;
  (ii) registration information.

Health professional body: A body that regulates the members of a health profession or health discipline pursuant to an Act.

Health service: A service that is provided to an individual for any of the following purposes:
  (i) protecting, promoting or maintaining physical and mental health;
  (ii) preventing illness;
  (iii) diagnosing and treating illness;
  (iv) rehabilitation;
  (v) caring for the health needs of the ill, disabled, injured or dying,
  but does not include a service excluded by the regulations.

Health services provider: An individual who provides health services.

Individually identifying: When used to describe health information, means that the identity of the individual who is the subject of the information can be readily ascertained from the information.

Minister: The Minister determined under section 16 of the Government Organization Act as the Minister responsible for this Act.

Non-identifying: When used to describe health information, means that the identity of the individual who is the subject of the information cannot be readily ascertained from the information.

Record: A record of health information in any form and includes notes, images, audiovisual recordings, x-rays, books, documents, maps, drawings, photographs, letters, vouchers and papers and any other information that is written, photographed, recorded or stored in any manner, but does not include software or any mechanism that produces records.

Research: Academic, applied or scientific health related research that necessitates the use of individually identifying health information.

Research ethics board: A body designated by the regulations as a research ethics board.

Use: To apply health information for a purpose and includes reproducing the information, but does not include disclosing the information.
Topic 1.1 Authority of the Protocol

Currency of this Protocol
1.1.1 Version 0.3 of this Protocol was approved by the Steering Committee on February 1, 2012.

Authority to access and use EMR Information in the EMR System
1.1.2 Access to and use of all EMR Information in the EMR System is subject to the terms and conditions of this Protocol.

Application of Protocol
1.1.3 This Protocol applies only to the access to and, use and disclosure of individually identifying EMR Information.
1.1.4 Access to and use of non-identifying information in an EMR System is not covered under this Protocol but is regulated under sections 32(1) and 32(2) of the Health Information Act.

Deference to the Health Information Act
1.1.5 These rules neither replace nor supersede the Health Information Act.
1.1.6 Full compliance with this Protocol does not necessarily assure full compliance with the Health Information Act. It is the responsibility of each EMR Custodian to meet his/her or its obligations under the Health Information Act.

Topic 1.2 Operation of the Information Exchange Protocol

Governance Committee
1.2.1 The Governance Committee establishes and amends rules in this Protocol pertaining to the access to, use and disclosure of EMR Information that is in the EMR System. The Governance Committee, or its representative, shall be responsible to liaise with the EHRDSC for the purpose of ensuring continued consistency in their approach to health information sharing.

Coming into effect
1.2.2 Rules pertaining to the access to and, use and disclosure of EMR Information in the EMR System are documented in this Protocol and come into effect according to the terms of the Information Sharing Agreement.

EMR Custodian joint responsibility for accuracy and confidentiality of Health Information
1.2.3 In a shared EMR environment, it is recognized that there are multiple health service providers that add or modify Patient Health Information, each sharing responsibility for the accuracy and confidentiality of that information. Each EMR Custodian must make reasonable efforts to ensure that the Health Information that is under that EMR Custodian's custody or control is accurate, complete and that the confidentiality of that Health Information is maintained.

Physicians as EMR Custodians
1.2.4 Any Physician who has signed the Physician Participation Agreement is considered to be an EMR Custodian. In his/her role as an EMR Custodian, a Participating Physician may only use and disclose EMR Information for authorized purposes in accordance with this Protocol and the Health Information Act.

Alberta Health Services as an EMR Custodian
1.2.5 Alberta Health Services is an EMR Custodian. In its role as an EMR Custodian (compared to its role as Information Manager for the EMR System), Alberta Health Services may only use and disclose EMR Information for authorized purposes as per this Protocol and the Health Information Act.

Participating Other Custodian(s) as an EMR Custodian
1.2.6 Each Participating Other Custodian is an EMR Custodian. In its role as an EMR Custodian, a Participating Other Custodian may only use and disclose EMR Information for authorized purposes as per this Protocol and the Health Information Act.
Alberta Health Services as Information Manager for EMR Systems
1.2.7 Notwithstanding its role as an EMR Custodian, Alberta Health Services is the Information Manager of the EMR System. In its role as the Information Manager of the EMR System, Alberta Health Services is limited to only using and disclosing EMR Information in its capacity of an Information Manager as authorized by the Information Management Agreement and the Health Information Act.
Role of the Information Manager
1.2.8 The Information Manager, in accordance with the Information Sharing Agreement and the Health Information Act, will, in addition to other obligations set forth in the Health Information Act and the Information Management Agreement:
  a. process, store, retrieve or dispose of EMR Information in the EMR System as required;
  b. provide information management services for the EMR System, as required;
  c. monitor and audit EMR Information in the EMR System on a continuing basis; and,
  d. where required, report to the ISO.
1.2.9 Should the role of Information Manager for the EMR System be transferred from Alberta Health Services to another organization, this Protocol will continue to guide the operation of sharing of EMR Information in the EMR System.

General authority to access EMR Information
1.2.10 Any EMR Custodian requiring access to EMR Information in the EMR System may use the EMR Information in respect of which access has been granted, that is stored in the EMR System, where such access:
  a. has been granted to the EMR Custodian pursuant to the Information Sharing Agreement;
  b. is consistent with the authorization for access established in this Protocol and the Health Information Act; and,
  c. will be made through a unique system account and profile assigned to that EMR Custodian.

General responsibilities of EMR Custodians
1.2.11 Each EMR Custodian has a duty pursuant to Section 60 of the Health Information Act to protect the confidentiality of EMR Information in the EMR System and to protect against any reasonably anticipated threat or hazard to the security of that EMR Information, or unauthorized use, disclosure, modification or unauthorized access to the EMR Information.
1.2.12 EMR Custodians are responsible for all EMR Information accessed and used by the EMR Custodian and their EMR Affiliates in the EMR System or while such EMR Information falls under the authority of this Protocol.
General responsibilities of EMR Affiliates
1.2.13 Any EMR Affiliate of an EMR Custodian who requires access to the EMR System for the purpose of either providing EMR Information to or receiving EMR Information from the EMR System must be authorized by an EMR Custodian for such access.
1.2.14 EMR Affiliates will retain full responsibility for all EMR Information they access from the EMR System. Responsibility is not restricted to EMR Information which EMR Affiliates or the EMR Custodians have contributed to the EMR System.
1.2.15 Notwithstanding 1.2.14, any use or disclosure of EMR Information by an EMR Affiliate is considered to be use or disclosure by the EMR Custodian.
1.2.16 An EMR Affiliate, who is authorized to access and use EMR Information in the EMR System, must do so in accordance with this Protocol.

Responsibilities of ISO
1.2.17 The ISO may access, use and disclose EMR Information in the EMR System for any of the limited purposes authorized by this Protocol.
1.2.18 The ISO will, as directed by the Governance Committee, develop, implement and maintain policies and procedures relating to the privacy and Security of EMR Information in the EMR System in compliance with, but not limited to, the Health Information Act and this Protocol.

Topic 2.1 Entry of Information as per the Information Sharing Agreement

Authority to enter information
2.1.1 An EMR Custodian may enter EMR Information through the EMR System where functionality for the addition or modification of EMR Information in the EMR System has been enabled, and the EMR Custodian has been granted rights to do so. EMR Information entered into the EMR System by an EMR Custodian must align with Standards of Practice set by the CPSA or standards prescribed by other health professional bodies where applicable.

Managing access rights and permissions
2.1.2 The Information Manager must implement the necessary functionality within the EMR System to manage access rights and permissions as determined by the Information Sharing Agreement.
Retention of EMR Information by the Information Manager
2.1.3 A Record of EMR Information that is entered into the EMR System must be retained by the Information Manager, so that where corrections and amendments are made to EMR Information, a Record of the original EMR Information persists, as it would for a paper-based Record.
2.1.4 A Record of EMR Information that is entered into the EMR System must contain at least the following elements:
  a. identification of the EMR Custodian or EMR Affiliate who entered/modified the EMR Information;
  b. a date and time when the EMR Information was entered/modified; and,
  c. the EMR Information that was entered/modified.
2.1.5 A Record of EMR Information must be maintained in accordance with the Standards of Practice of the CPSA, the professional standards of other health professional bodies and/or in accordance with AHS or Participating Other Custodian(s) documentation standards, as applicable.

Topic 3.1 Request to Access Information by Individual who is the Subject of the Information

Right to access
3.1.1 Subject to the exceptions set out in the Health Information Act, an Individual has the right of access to that Individual's EMR Information stored in the EMR System.

Sources of access
3.1.2 An Individual may request his/her EMR Information from his/her EMR Custodian and the EMR Custodian will respond to a request for access to records that relate directly to Health Services provided only by that EMR Custodian. Broader requests for records that relate to Health Services provided by more than one EMR Custodian or Custodians must be referred to the Information Manager. In either event, the request for access to records will be tracked and recorded.

Process for access
3.1.3 Requests must be responded to within 30 days after receipt of the request.
3.1.4 In response to a request for EMR Information, an EMR Custodian or the Information Manager, as applicable, will disclose only EMR Information about the requesting Individual, subject to any exceptions to access in the Health Information Act.
3.1.5 When requested by the Individual, and where practical, the EMR Custodian or Information Manager, as applicable, will provide an explanation of terms, codes or abbreviations used in any presented EMR Information.
3.1.6 When determining whether to provide an explanation of the EMR Information being presented to an Individual, or any additional explanation beyond that defined in section 3.1.5, the EMR Custodian or Information Manager, as applicable, will, where necessary, confer with other EMR Custodians that have contributed EMR Information to the Individual's Record to comply with the requirements for responding to an access request under the Health Information Act.
3.1.7 An Individual's request for EMR Information sent to an EMR Custodian must be in writing.
3.1.8 The EMR Custodian or ISO will verify the identity of the Individual making the request.
3.1.9 An Individual may be required to pay a fee stipulated by the EMR Custodian or Information Manager prior to receipt of the requested EMR Information. Fees for access requests are specified in the Health Information Regulation.

Records of access
3.1.10 An Individual may request to receive a record of requests for accesses to EMR Information about that Individual. Such requests shall be made in writing to the Information Manager.
Topic 3.2 Request to Correct or Amend EMR Information by Individual who is the Subject of the EMR Information

Right to correction or amendment
3.2.1 An Individual has the right to request a correction or amendment to that Individual's EMR Information in the EMR System where the Individual believes there is an error or omission.
3.2.2 Where an Individual requests a correction or amendment to that Individual's EMR Information in the EMR System, the request must be made in writing to the EMR Custodian who entered the EMR Information where possible.

Process for correction or amendment
3.2.3 Subject to the Health Information Act, a response to an Individual's request to correct or amend information in the EMR System must be provided to that Individual within 30 days.
3.2.4 If the EMR Custodian agrees to an Individual's request to make a correction or amendment to EMR Information in the EMR System, the EMR Custodian must give written notice to the applicant stating that the correction or amendment has been made, direct the Information Manager to make the correction or amendment, and the EMR Custodian must notify any person to whom that EMR Information has been disclosed during the one year period before the correction or amendment.
4.0 Primary Uses of EMR Information

Topic 4.1 Provision of Health Services

Permissible primary uses
4.1.1 An EMR Custodian may access and use EMR Information in the EMR System for the provision of Health Services.
4.1.2 Use of EMR Information in the EMR System shall adhere to the principles of:
  a. using the least amount of EMR Information necessary for the purpose; and,
  b. using EMR Information only on a need to know basis.
4.1.3 EMR Custodians may access and use EMR Information in the EMR System when:
  a. they are providing Health Services to the Individual; and,
  b. their access to the EMR Information is necessary for the provision of the Health Service or for making a determination for a related Health Service.

Scope of Information
4.1.4 Subject to the professional standards of practice of the CPSA and other professional bodies, non-identifying EMR Information in the EMR System may be used by an EMR Custodian for any purpose.
4.1.5 An EMR Custodian may access and use EMR Information available in the EMR System to the extent permitted under that EMR Custodian's system access profile.
4.1.6 Where EMR Information has been subjected to Masking, use of such EMR Information by an EMR Custodian will be subject to section 7.2 of this Protocol.
5.0 Secondary Uses of EMR Information

Topic 5.1 Secondary Use of EMR Information

Guiding principles of secondary uses
5.1.1 Secondary use of EMR Information in the EMR System shall adhere to the principles of:
  a. using the least amount of EMR Information necessary for the intended purpose;
  b. using the highest degree of anonymity that is reasonable in the circumstances; and,
  c. using EMR Information based only on a need to know basis.
5.1.2 Non-identifying Health Information in the EMR System can be used by an EMR Custodian for any noncommercial purpose.

Topic 5.2 Secondary Use of EMR Information for Conducting Practice Reviews

Authority to use EMR Information for practice reviews
5.2.1 EMR Information in the EMR System may be used by an EMR Custodian for conducting practice reviews:
  a. for the purpose of self-audit to determine whether the Participating Physician's own standards and procedures are being effectively and efficiently executed; or,
  b. for the purpose of performance or periodic reviews as defined in AHS Medical Staff Bylaws and Participating Other Custodian(s) Medical Staff Bylaws, as applicable.

Topic 5.3 Secondary Use of EMR Information for Conducting Investigations

Authority to use EMR Information for Investigations
5.3.1 EMR Information in the EMR System may be used by the EMR Custodian for conducting investigations:
  a. to determine whether the Standards of Practice of the CPSA or standards of other applicable health professional bodies are being complied with;
  b. to determine whether the requirements of any other governance or oversight body are being maintained;
  c. if the EMR Custodian is a Participating Physician, to determine whether that Participating Physician's claims submissions are accurate and his/her claims practices are compliant with applicable requirements;
  d. for any other purpose essential to the EMR Custodian's effective provision of Health Services to Individuals; and,
  e. to investigate breaches of privacy obligations.

Topic 5.4 Secondary Use of EMR Information for Research

Conditions of secondary use of EMR Information for research
5.4.1 EMR Information in the EMR System may be eligible for use in research only where the research proposal has met the requirements set forth in this Protocol.

EMR Custodians' access to EMR Information for research purposes
5.4.2 A research applicant who is also an EMR Custodian (in this Protocol, the "Researcher") may be eligible to access EMR Information in the EMR System for research purposes where:
  a. his/her research proposal has been approved by a research ethics board;
  b. his/her request for information has been accepted for review by the Information Stewardship Office;
  c. the request has been presented through a research protocol summary in a form acceptable by the Information Stewardship Office; and,
  d. the Researcher has entered into a formal research agreement with the Information Stewardship Office on behalf of the EMR Custodians.
EMR Affiliates access to EMR Information for research purposes 5.4.3 An EMR Affiliate may be eligible to access EMR Information in the EMR System for research purposes where: a. the Researcher has the research proposal approved by a research ethics board; b. the Researcher s request for EMR Information has been accepted for review by the ISO; c. the Researcher s request has been presented through a research protocol summary in a form acceptable to the ISO; d. the Researcher has entered into a formal research agreement with the ISO on behalf of the EMR Custodians; and, e. the Researcher has identified the EMR Affiliate as part of the research team in the proposals to the research ethics board and the ISO. 5.4.4 EMR Information provided to a Researcher as a result of successful application under section 5.4 of this Protocol is for the exclusive use of the Researcher and where applicable, other members of the research team, for purposes of conducting the specified research and only for the duration of the research period, as stipulated in the research agreement signed by the ISO on behalf of the EMR Custodians and the Researcher. Role of the ISO 5.4.5 The ISO, upon receiving a written application from a Researcher wishing to use EMR Information in the EMR System for research, shall: a. make reasonable efforts to respond to an application within 30 days after receiving the request; b. confirm that the Researcher has had his/her research proposal approved by a research ethics board; c. review the research protocol summary; d. impose additional conditions upon the Researcher as deemed necessary; e. enter into a formal research agreement on behalf of the EMR Custodians with the IEP Jan 15-15 (as amended from time to time 20
Researcher; f. consult with the Information Manager to determine whether it is practical to fulfill the request from a technical, resource requirement and cost perspective; and, g. when the above conditions have been met, refer the research request to the Information Manager for processing.

5.4.6 The ISO may, at its discretion, impose additional conditions upon a Researcher, to ensure the protection of privacy for the EMR Information of Individuals that is available in the EMR System.

Scope of access to EMR Information

5.4.7 A Researcher who has been approved to use EMR Information in the EMR System for research purposes must only access and use EMR Information described in the research agreement signed by the ISO on behalf of the EMR Custodians when accessing the EMR System for research purposes.

5.4.8 Where EMR Information has been created in the EMR System in the course of conducting research by a Researcher, that EMR Information may be accessed by that EMR Custodian for the purpose of continuing that research in accordance with section 5.4.2.

5.4.9 The ISO and Information Manager will not make EMR Information available that has been Masked in the EMR System except where the Individual has provided consent for the Unmasking of that EMR Information for the purpose of the specified research.

5.4.10 Where provision of additional EMR Information may be required by the Researcher, a revision to the research agreement may be necessary. Such revision may require the Researcher to submit a new proposal for research ethics board approval.

Process for provision of EMR Information

5.4.11 The Researcher will submit to the ISO, in a form and manner prescribed by the ISO, a research protocol summary.

5.4.12 The ISO will review the research protocol summary and establish whether: a. the EMR Information being requested is
available; b. it is willing to approve Secondary Use of EMR Information for research purposes; c. the request for and provision of the EMR Information is in compliance with the Health Information Act and other applicable legislation; and, d. the request for and provision of the EMR Information meets the condition established under section 5.4 of this Protocol.

The research agreement

5.4.13 The ISO, in consultation with the EMR Custodians, will create the research agreement including the terms, conditions and restrictions of the Researcher's Secondary Use of EMR Information.

5.4.14 The ISO, on behalf of EMR Custodians, and Researcher will enter into a formal agreement by executing a research agreement.

5.4.15 The research agreement will stipulate: a. the scope of EMR Information to be made accessible; b. duration of EMR Information used; c. the names of research team members who are permitted access to the EMR Information; and, d. the terms, conditions and restrictions under which the provided EMR Information is to be used.

Topic 5.5 Secondary Use of EMR Information for Provider Education

5.5.1 An EMR Custodian may use EMR Information for the purpose of educating other health services providers.

Topic 5.6 Secondary Use of EMR Information for Quality Assurance and Quality Improvement

5.6.1 An EMR Custodian may use EMR Information for quality improvement and quality assurance purposes.
Any report generated as a consequence of quality assurance purposes shall contain only non-identifying EMR Information, unless otherwise approved by the Governance Committee.

Topic 5.7 Secondary Use of EMR Information for Auditing and Monitoring of the EMR

5.7.1 The Information Manager may use EMR Information in the EMR System for the purpose of auditing and monitoring access to and use of the EMR System. The Governance Committee, or its designate, may access and use EMR Information for the purpose of periodic/random audits and monitoring of compliance with the terms and conditions of this Agreement.

Topic 5.8 Secondary Use of EMR Information for Internal Management Purposes

5.8.1 An EMR Custodian may use EMR Information for internal management purposes as described in Section 27(1) g of the Health Information Act. EMR Information used for this purpose should, where reasonably possible, be non-identifying.

Topic 5.9 Secondary Uses of EMR Information for Billing Purposes

5.9.1 EMR Custodians may use EMR Information for the purposes of submitting billing information to Alberta Health or other paying agency for the purpose of receiving payment for the provision of Health Services.

Topic 5.10 Additional Secondary Uses of EMR Information by Alberta Health Services and Participating Other Custodian(s)

5.10.1 In accordance with section 27(2) of the Health Information Act, Alberta Health Services and Participating Other Custodian(s) may use EMR Information in the EMR System to promote the
following objectives for which it is responsible: a. planning and resource allocation; b. health system management; c. public health surveillance; and, d. health policy development. Alberta Health Services must not use EMR Information in its custody solely by reason of performing its responsibilities as Information Manager for any of these purposes.
6.0 Disclosures of EMR Information

Topic 6.1 Disclosure of EMR Information with consent

Disclosure with consent

Conditions of consent

Revocation of consent

6.1.1 An EMR Custodian may disclose EMR Information in the EMR System for any purpose where the Individual who is the subject of the EMR Information has provided consent for that disclosure.

6.1.2 Consent must be in writing and meet the requirements of section 34(2) of the Health Information Act.

6.1.3 Disclosure of EMR Information with consent must be carried out in accordance with the terms of the consent and must cease if consent is revoked.

Topic 6.2 Disclosure of EMR Information as Required or Authorized by the Health Information Act

Permitted disclosures required or authorized by the Health Information Act

6.2.1 An EMR Custodian may disclose that specific EMR Information in the EMR System where expressly authorized or required by sections 35 or 37 of the Health Information Act or other legislative enactments of Alberta or Canada and only that EMR Information that is necessary to comply with the requirement or demand.

Topic 6.3 Disclosure of EMR Information for Research

Disclosure of EMR Information for research purposes

6.3.1 EMR Information from the EMR System may be eligible for disclosure for research only where the research proposal has been approved by a research ethics board.

6.3.2 The disclosure of EMR Information from the EMR System for research purposes is a discretionary service that may be provided by the ISO on behalf of all EMR Custodians.

6.3.3 EMR Information disclosed to a researcher as a result of successful application under section 6.3 of this Protocol is for the exclusive use of the researcher and
where applicable, other members of the research team, for purposes of conducting the specified research and only for the duration of the research period, as stipulated in the research agreement.

Authority to disclose EMR Information for research purposes

6.3.4 Any request for EMR Information made by a research applicant to an EMR Custodian must be forwarded to the ISO for consideration.

6.3.5 If the ISO accepts a proposal for research, the ISO will establish the eligibility of the research applicant when considering disclosure of EMR Information for research purposes.

Conditions of disclosure for research

6.3.6 The ISO may disclose EMR Information to a researcher if: a. the disclosure of such EMR Information is in compliance with the Health Information Act and any other applicable legislation; b. the researcher has entered into a fully executed research agreement with the ISO on behalf of the EMR Custodians; c. the research agreement includes satisfaction of any and all terms, conditions and restrictions established by the research ethics board as a condition of its approval; d. the researcher has satisfied all the terms and conditions for information management and maintenance or other standards as established by the ISO in the research agreement; e. the EMR Information will be used exclusively for the purpose stipulated in the research agreement; f. the researcher has paid, or has agreed to pay, any fees stipulated by the ISO to cover the ISO's actual costs for provision of such service; g. the ISO has consulted with the Information Manager to determine whether it is practical to fulfill the request, from a technical, resource requirement and cost perspective; and, h. when the above conditions have been met, the ISO will forward the research request to the Information Manager for processing.
6.3.7 The ISO will not provide the researcher with direct access to the EMR System. The ISO will direct the Information Manager to provide EMR Information to a researcher by paper copy or electronic copy, subject to section 6.3 of this Protocol.

Scope of EMR Information

6.3.8 EMR Information disclosed to a researcher is restricted to: a. EMR Information that is necessary to answer the research question(s); and b. such EMR Information as has been explicitly included for access or disclosure in the research agreement.

6.3.9 The ISO will not release individually-identifiable EMR Information pertaining to an Individual where that EMR Information must be accessed by Unmasking except where the Individual who is the subject of the EMR Information has provided explicit consent that the information be Unmasked.

6.3.10 Where disclosure of additional EMR Information may be required by the researcher, and where the ISO has agreed to disclose such additional EMR Information, a revision to the research agreement may be necessary. Such revision may require the research applicant and the ISO to undertake a separate research application review, including review by a research ethics board, subject to the terms of section 6.3 of this Protocol, prior to revision.

Process for disclosure of information

6.3.11 The research applicant will submit to the ISO, in a form and manner prescribed by the ISO, a research protocol summary.

6.3.12 The ISO will review the research protocol summary and establish whether: a. it has access to, and the right to disclose, the requested EMR Information; b. it is willing to disclose the requested EMR Information for research purposes; c. the request for and disclosure of the EMR Information is in compliance with the Health Information Act and other applicable
legislation; and, d. the request for and disclosure of the EMR Information meets the conditions established under section 6.3 of this Protocol. The ISO will make reasonable efforts to respond to an application within 30 days after receiving the request.

6.3.13 Where the ISO agrees, in coordination with the Information Manager, to disclose EMR Information in response to a research request, the ISO may impose additional terms, conditions and restrictions.

6.3.14 The ISO will create the research agreement on behalf of the EMR Custodians including the terms, conditions and restrictions of the research applicant's use of EMR Information.

The research agreement

6.3.15 The research agreement will be a formal agreement entered into between the researcher and the ISO, on behalf of the EMR Custodians.

6.3.16 The research agreement will stipulate: a. the scope of EMR Information to be disclosed; b. the duration for which EMR Information will be available for use; c. the names of research team members who are permitted access to the disclosed EMR Information; and, d. the terms, conditions and restrictions under which the disclosed EMR Information is to be used.

Topic 6.4 Disclosure of EMR Information for Third Party Requests

6.4.1 EMR Information may be disclosed to third parties pursuant to duly and properly authorized requests in accordance with the HIA and this Protocol. The EMR Custodian will respond to a request for disclosure that relates directly to Health Services provided only by that EMR Custodian. Broader requests for records that relate to Health Services provided by more than one EMR Custodian or Custodians must be referred to the
Information Manager.
Topic 7.1 Management and Maintenance of EMR Information

Accuracy of Patient Information

Protection of Patient Information

7.1.1 It is the responsibility of EMR Custodians to ensure accuracy of EMR Information when entering EMR Information into an EMR that is made available through the EMR System.

7.1.2 EMR Custodians must take reasonable steps to maintain, either directly or through the Information Management Agreement, safeguards to protect confidentiality and to protect against reasonably anticipated threats or hazards to the security, integrity, loss or unauthorized use, disclosure, modification or unauthorized access to EMR Information in the EMR System.

7.1.3 EMR Information in the EMR System must meet the requirements of the Standards of Practice of the CPSA or other health professional bodies and the AHS Medical Staff Bylaws and Rules or Participating Other Custodian(s) Medical Staff Bylaws and Rules, as applicable.

Topic 7.2 Masking of EMR Information

Right to request

Accepting a request to Mask

Use of Masked EMR Information in the EMR System

7.2.1 An Individual may request that an EMR Custodian limit the use and/or disclosure of EMR Information about him/her.

7.2.2 When deciding whether to Mask an Individual's EMR Information, an EMR Custodian will consider an Individual's request as an important factor in the EMR Custodian decision to Mask EMR Information. An EMR Custodian will agree to Mask that Individual's EMR Information in circumstances where the EMR Custodian believes it is appropriate.

7.2.3 Masked EMR Information in the EMR System can only be accessed by completing the Unmasking procedure.
7.2.4 Recognizing that the EMR System may require a limited amount of EMR Information to uniquely identify an Individual, data fields containing such EMR Information cannot be Masked. The selection of identifying data fields will be limited to data fields containing the minimum amount of EMR Information required to uniquely identify an Individual (first name, last name, date of birth, gender and personal health number).

Authority to Unmask EMR Information

Authority to rescind Masking

7.2.5 An EMR Custodian who encounters Masked EMR Information while accessing the EMR System under the authority of section 7.2 of this Protocol has the authority to Unmask the EMR Information for the following: 1. Direct Patient care - clinical need; 2. Medical emergency; 3. Patient consented; 4. Public health follow-up; 5. Release of Patient information; and, 6. Required by law or health professional body.

7.2.6 The ISO may direct the Information Manager to rescind a Mask: a. at the request of the Individual; or, b. where an EMR Custodian or the ISO becomes aware of a change in circumstances since the Mask was applied such that a request to Mask the EMR Information would no longer meet the conditions for Masking established under this Protocol.

7.2.7 A decision to rescind a Mask under section 7.2.4 of this Protocol does not require the Individual's consent.

7.2.8 Where the ISO has directed the Information Manager to rescind Masking, it will notify the Individual who is the subject of the EMR Information of such action as well as the EMR Custodian(s) responsible for the Masking.

7.2.9 The ISO will advise of the right to request a review of this decision by the Information and Privacy Commissioner.
8.0 Protocol Compliance and Enforcement

Topic 8.1 Monitoring, Investigations and Audits

Monitoring

Complaints and Suspected breaches

8.1.1 In accordance with the Information Management Agreement, the Information Manager shall, subject to the oversight and approval of the ISO, monitor the EMR System for the purpose of identifying unauthorized access to, use and disclosure of EMR Information that is stored in the EMR System.

8.1.2 Any reasonable suspicion of unauthorized access to, use or disclosure of EMR Information in the EMR System by an EMR Custodian or EMR Affiliate (an "Alleged Contravention") and other contraventions of this Protocol shall immediately be reported to the ISO, where: a. such Alleged Contravention is identified by the Information Manager; b. an investigation is requested by an EMR Custodian; or, c. a complaint of an Alleged Contravention is made by an Individual.

8.1.3 Once notified about an Alleged Contravention, the ISO shall immediately notify the Information Manager, and the Information Manager shall investigate the Alleged Contravention.

8.1.4 Once an Alleged Contravention has been reported to the ISO, the ISO shall immediately inform the EMR Custodian whom or that is the subject of the Alleged Contravention and the Governance Committee shall be informed of Alleged Contraventions in a regular monthly report released to it.

8.1.5 An EMR Custodian that has identified an Alleged Contravention will immediately act to, where possible for it to do so: a. remedy the Alleged Contravention; b. manage and mitigate effects of the Alleged Contravention; and, c. collaborate with the ISO and Information Manager, as appropriate, in the development of
a strategy for the prevention of a future Alleged Contravention under a similar circumstance.

8.1.6 The Governance Committee may decide to refer an Alleged Contravention regarding a Participating Physician, Participating Other Custodian, or other Health Service provider who is an EMR Custodian, and forward the related information that has been assembled, to the CPSA and any other health professional body associated with a person or entity named in the Alleged Contravention. The ISO in consultation with the Information Manager may decide to notify the Office of the Information and Privacy Commissioner about an Alleged Contravention by an EMR Custodian, and the EMR Custodian that is the subject of the Alleged Contravention will be notified at the same time.

Audits

8.1.7 The Information Manager shall conduct an audit each month of the information logs of the EMR System to detect any Alleged Contravention.

8.1.8 The Information Manager may, from time to time, or as required on an exceptional basis by the Governance Committee, conduct an audit of an EMR Custodian's activity in the EMR System.

Topic 8.2 Enforcement

Authority for enforcement

8.2.1 The Governance Committee has the authority to review compliance by: a. the Information Manager; and, b. EMR Custodians, with this Protocol.

8.2.2 The Governance Committee has the authority to determine whether an EMR Custodian, EMR Affiliate or the Information Manager is in contravention of this Protocol.

Custodial enforcement

8.2.3 The ISO will coordinate (i.e. with the Information Manager) or recommend certain actions or remedies be undertaken including resolution of the subject matter of the Alleged Contravention, internal policy or process changes, remedial education, disciplinary measures or referral to the CPSA in the case of a Participating
Physician or Participating Other Custodian who is an EMR Custodian or other appropriate health professional body or the Office of the Information and Privacy Commissioner where a contravention of this Protocol by an EMR Custodian has been identified. The ISO will seek direction from the Governance Committee before undertaking or directing remedial action.

8.2.4 An EMR Custodian will comply with the appropriate remedies or recommendations determined by the ISO or Governance Committee including resolution of the subject matter of the Alleged Contravention, internal policy or process changes, remedial education, disciplinary measures or referral to the appropriate health professional body or the Office of the Information and Privacy Commissioner where a contravention of this Protocol by an EMR Affiliate has been identified.

8.2.5 Where a contravention of this Protocol is not remedied by the EMR Custodian within a reasonable period of time, the ISO may, a. at the direction of the Governance Committee; or, b. where circumstances require an immediate response, at its own discretion, direct the Information Manager to discontinue that EMR Custodian's access to the EMR System until such time as the contravention is remedied or until the ISO is satisfied that the EMR Custodian is not likely to contravene this Protocol in a similar manner in the future.

Other enforcement

8.2.6 The Governance Committee may refer an Alleged Contravention of this Protocol to the CPSA or other appropriate health professional body for investigation and sanction where such action may be warranted under the Standards of Practice of the CPSA or charter or bylaws of the other health professional body, or the ISO in consultation with the Governance Committee may refer an Alleged Contravention of this Protocol to the Office of the Information and Privacy Commissioner for investigation and possible sanction.