Table of Contents. Acknowledgement



Similar documents
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Procedure for Managing a Privacy Breach

Issue #5 July 9, 2015

Personal Information Protection Act Information Sheet 11

HIPAA and Mental Health Privacy:

Privacy Incident and Breach Management Policy

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

Brian Beamish. Commissioner (Acting) Ontario Information and Privacy Commission. Cyber Risk National Conference February 9, 2015

Cyber Risk in Healthcare AOHC, 3 June 2015

Health Care Provider Guide

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

Privacy and Electronic Communications Regulations

Clinical Solutions. 2 Hour CEU

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

Privacy Law in Canada

HIPAA Compliance Annual Mandatory Education

Privacy Breach Protocol

How To Ensure Health Information Is Protected

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Electronic Health Record Privacy Policies

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

HIPAA: Bigger and More Annoying

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

Prepare for the Worst: Best Practices for Responding to Cybersecurity Breaches Trivalent Solutions Expo June 19, 2014

Privacy and Management of Health Information: Standards for CARNA s Regulated Members

plantemoran.com What School Personnel Administrators Need to know

BUSINESS ASSOCIATE ADDENDUM

Closing or Moving a Physician Practice

Helpful Tips. Privacy Breach Guidelines. September 2010

Cloud Computing: Privacy and Other Risks

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Acceptable Use of ICT Policy For Staff

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance

Moving Information: Privacy & Security Guidelines

Organizational Policy

California State University, Sacramento INFORMATION SECURITY PROGRAM

Taking care of what s important to you

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

Responsibilities of Custodians and Health Information Act Administration Checklist

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA PRIVACY AND SECURITY AWARENESS

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Ann Cavoukian, Ph.D.

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Personal Information Protection Act ( PIPA ) Privacy-Proofing Your Retail Business Tips for Protecting Customers Personal Information 1

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

By the end of this course you will demonstrate:

Mobile Medical Devices and BYOD: Latest Legal Threat for Providers

Administrative Procedures Memorandum A1452

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Protection of Privacy

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

Overview of the HIPAA Security Rule

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Guidelines on Data Protection. Draft. Version 3.1. Published by

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Guidelines for Self-Employed Dietitians and Nutritionists

PHI- Protected Health Information

HIPAA BUSINESS ASSOCIATE AGREEMENT

Why Lawyers? Why Now?

Privacy Law in Canada

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

University Healthcare Physicians Compliance and Privacy Policy

The potential legal consequences of a personal data breach

BUSINESS ASSOCIATE AGREEMENT

HIPAA Security Rule Compliance

This form may not be modified without prior approval from the Department of Justice.

Privacy Update Recent Updates in Privacy Law

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Understanding Your Health Record Information

The Basics of HIPAA Privacy and Security and HITECH

Additional Information

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

Applying the legislation

EHR Contributor Agreement

PRIVACY POLICY. Last updated February 2, 2009 INTRODUCTION

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

PHIA GENERAL INFORMATION

Access and Privacy Considerations

Access & Correction Policy

Information Governance Framework. June 2015

Privacy and Security Incident Management Protocol

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015

Personal Health Information Privacy Policy

Montclair State University. HIPAA Security Policy

Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

The Impact of HIPAA and HITECH

Business Associate Agreement

Transcription:

OPA Communications and Member Services Committee February 2015

Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines... 5 Email... 5 Web- Based Email Services... 6 Security... 6 Informed Consent... 6 IT Services... 7 Resources... 9 Appendix A Privacy Legislation... 11 Acknowledgement The OPA Communications and Member Services Committee would like to acknowledge with thanks the contributions of Drs. Amber Smith and Jane Storrie in the development of this Guidelines document.

Guidelines for Best Practices in Electronic Communications Preamble Technology has been changing communication between psychological service providers and patients, referral sources, other healthcare providers and third- party payers. Members may be aware of websites, applications, and email communication tools that can be used to improve the delivery of patient care. Many of us use email extensively because it is fast, reliable, and convenient. These same characteristics, however, bring legal and liability risks, including a higher potential for privacy breaches. As regulated health professionals, we have an obligation to maintain the confidentiality of our patients' personal health information (PHI) and to comply with privacy regulations (see Appendix A). Members need to consider how to communicate with and about patients while still protecting patient privacy. While email is fast and convenient, it also is often the least secure and the least private way to communicate. We are aware that many larger healthcare and academic settings now have policies stating that email should not be used to transmit any PHI. We are also aware that general guidelines for use of email suggest that it is not a secure form of communication for any personal information. Most guidelines for general email use suggest that information that is sensitive, confidential, potentially embarrassing, proprietary, personal, or classified should never be sent through email. While members practicing within healthcare and academic settings may be familiar with their institution s policies, those in community- based practice may not be as familiar with regulations and expectations regarding electronic communication. To clarify the responsibilities of members, the Ontario Psychological Association s Communication and Member Services Committee is providing the following Guidelines for Best Practices in Electronic Communications. General Information Email is not guaranteed to be private. Email is not an appropriate substitute for face-to-face clinical assessment and treatment. Email is not always sent and received instantly; messages can arrive several hours or days after they are sent. As a result, email is not an appropriate method for exchanging time-sensitive information. Emails are considered to be records. Therefore, they should be retained in the same way in a patient s clinical file as are records of other forms of communication, such as letters, faxes, and phone calls. Members should be aware that there is a possibility that emails related to a patient s health care can be disclosed in response to an access request. Privacy legislation generally requires that custodians adopt safeguards to protect the personal health information under their control. Despite the typical disclaimer seen at the bottom of some emails, health care providers remain responsible for protecting their patients health information and the disclaimer is likely not sufficient for avoiding liability in the event of a privacy breach. 3

Guidelines for Best Practices in Electronic Communications The Information and Privacy Commissioner of Ontario (IPCO) has indicated the use of unencrypted email and messaging to communicate personal health information should be avoided. The IPCO has indicated that even when patients state that they are willing to accept the risk of unauthorized access or disclosure of their PHI, and have provided informed consent to communicate by email, it is still the health care provider s responsibility to safeguard the PHI that is in your custody. Members who communicate via email or web portals need to be mindful that they are governed by the same legal and professional standards as would apply in other professional settings (e.g. a hospital, family practice, or clinic). All PHI is covered under the same privacy legislation, regardless of whether it is contained in an email or some other format. As a result, confidentiality and privacy are important to consider if email is being used to communicate PHI to recipients who are not part of a secure internal network. Be aware that when using an employer's or a third party's email system (e.g. hospitals and clinics), these parties may have the right to access the email communications. If the third party is subject to federal or provincial privacy legislation, emails sent from the third party's computer system may also be at risk of being disclosed in the context of an access request, or privacy commissioner or College investigation. They may also be subject to disclosure in the context of litigation. Risks of Using Email Risks associated to using email include, but are not limited to: The privacy and security of email communication cannot be guaranteed. It is impossible to verify the true identity of the sender and guarantee that only the intended recipient will read the email once it has been sent. Emails can introduce viruses that damage or disrupt a computer or system. Email messages can be modified, forwarded, intercepted and shared, without your knowledge or permission, making it particularly vulnerable to fraud, privacy breaches, and unintended disclosures to third parties. The risks of interceptions or errors in sending email or text messages can be significant. Email messages are permanent. Even after deleting copies of the email, back-up copies may exist on a computer, with an Internet Service Provider (ISP), on a server in another country, or elsewhere in cyberspace. Your employer may have a legal right to inspect and keep emails that pass through their system if you use a work computer or mobile phone for communicating with patients. Email messages may be subject to access requests and used as evidence in a court of law. 4

Guidelines for Best Practices in Electronic Communications Use of Smartphones and Other Mobile Devices Advancements in technology are prompting many healthcare providers to communicate via mobile device. We are aware that use of mobile devices such as smartphones and tablets can improve communication and provide quick, easy access information, but they also increase the risk of a privacy breach. To that end: Exercise caution when using mobile devices to communicate in public places, as others may eavesdrop or be able to see these communications. Further, mobile devices can be lost or stolen. Ensure that PHI stored on mobile devices is encrypted. Unless you have specific security features, messages from most mobile devices should be avoided since they are more vulnerable to interception. Guidelines Email Keep separate work and personal email addresses. If you need to use email to communicate sensitive personal information, consider using a personal email account accessed from a computer you control rather than your work email, an account that is accessed from your place of employment, or a computer that is shared with others. PHI should not be transmitted via email without appropriate safeguards such as encryption or transmission within a secured, firewalled environment. Emails sent between accounts within private, secured network environments are relatively secure, if they are protected by appropriate firewalls and virus protection. Transmission of information by email from private, firewalled networks to external addresses usually is not confidential or secure. Email transmission outside firewalled environments is open and available to others to intercept. Members are advised to exercise extreme caution when emailing personal information (and other information of a confidential or sensitive nature) to outside email addresses, and to do so only if the information is encrypted in compliance with the Information and Privacy Commissioner s recommendations for secure encryption. Members should inform patients of the risks if they plan to communicate PHI by email outside a secure internal network. Check email addresses carefully before sending any information, and confirm that the intended recipient is authorized to receive the information and is the only one with access to the email address. If communicating PHI, do so in an encrypted attachment rather than in the body of an email. Members should limit distribution of emails with patient information to individuals who are on a need to know basis, or within the patient s circle of care. 5

Guidelines for Best Practices in Electronic Communications Use patient initials or ID numbers to de- identify patient information in all un- protected email communications. Use common language. Avoid using acronyms and medical terms that can be misunderstood. Ensure your consultants, referral sources, and employees are informed of the risks associated with inappropriate email communication. Messages received from or about the patient containing any details related to diagnosis or treatment should be printed in full and made part of their health record. Members should not forward emails from patients to third parties without the patient s prior written consent, except as authorized or required by law. Web- Based Email Services Avoid using web- based email services (Gmail, Hotmail, etc.) for communication of PHI and other sensitive work matters. In general, these services are less secure and more vulnerable; they do not provide the kind of security features needed to be appropriate for transmission of sensitive information. If you intend to use email to communicate PHI about patients, use a dedicated and firewalled internal email system. Security Privacy regulators agree that the use of encryption software to protect electronic messages is a reasonable safeguard. PHI should not be transmitted via email without appropriate safeguards such as encryption or transmission within a secured, firewalled environment. Keep your security systems, firewalls, filters, and virus protection software up- to date. Even within a secure internal network, special software may be needed to protect the server and all devices connected to a network (e.g. desktop computers, laptops, smartphones, etc.) if you intend to use them all in a connected, protected way to communicate PHI seamlessly. Informed Consent Patients should be informed about the risks of using email, and their agreement and the discussion should be documented in the record. Informed consent to electronic communication should be obtained and documented, either through a notation in the patient's health record or by a signed consent form or terms of use agreement, and include information about who will have access to emails, how they are processed, who will reply, and when and how any reply can be expected. Members should consider using a written consent form to document the patient's consent to using email communication and to acknowledge the associated risks. Ensuring you use such a form could decrease the risk that the patient might make a complaint or bring an action for breach of confidentiality or invasion of privacy. 6

Guidelines for Best Practices in Electronic Communications IT Services If you are responsible for your own IT services, obtain an agreement in writing from your IT service provider that your email system meets regulatory requirements for transmission of PHI. Digital Privacy Act The Federal Digital Privacy Act, known as Bill S- 4, became law on 18 June 2015. This Act amends the Personal Information Protection and Electronic Documents Act (PIPEDA), and underscores the necessity of having top- notch security for all digital and electronic information. There are several sections which may impact psychological practice: Mandatory Notification Provisions for Breaches of Security Safeguards There is a requirement to provide notification of any breach of security safeguards involving personal information which creates a real risk of significant harm to an individual. Breaches are broadly defined to include any loss of, unauthorized access to, or unauthorized disclosure of personal information. This expressly includes both failures of existing security safeguards and failure to establish adequate safeguards in the first place. In the event of a breach, organizations would have to conduct a risk assessment of the likelihood of significant harm, which is an open concept defined to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. If a risk of significant harm is identified, the breach must be reported to both the Privacy Commissioner and the individual(s) at risk. Required reports must be provided as soon as feasible upon learning of the breach unless there is a request from law enforcement to delay notification to protect a criminal investigation relating to the breach. Failure to provide the required reports or to keep the required records would be an offence subject to fines of up to $100,000 per affected individual. Records of Breaches of Security Safeguards Whether or not any notification is necessary, organizations would be required to keep records of all security breaches involving personal information. The Privacy Commissioner retains the right to request and review these records at any time. Valid Consent for the Collection of Personal Information According to the Act, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. We believe that members already meet this requirement under the College of Psychologists of Ontario s Standards of Professional Conduct. 7

Guidelines for Best Practices in Electronic Communications It should be noted, however, that the Act states that an organization may disclose personal information without the knowledge and consent of the individual if the disclosure is made to another organization, the government institution or the part of a government institution that was notified of the breach under subsection and if the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm. We believe that we would still need to obtain informed consent to meet the requirements of the College s Standards. 8

Guidelines for Best Practices in Electronic Communications Resources Using Email Communication With Your Patients: Legal Risks (Canadian Medical Protective Society) http://www.hamiltonfht.ca/docs/public/using- email- communication- with- your- patients- legal- risks Mobile Devices in the Workplace and the Legal Risks of Email (Canadian Nurses Protective Society) http://www.cnps.ca/upload- files/pdf_english/email1.pdf Communicating with Clients via Email (College of Dietitians) http://www.collegeofdietitians.org/resources/document- Type/E- Learning- Modules/Member- Learnign- Modules/Communicating- with- Clients- Via- Email/Communicating- with- Clients- via- Email.aspx Psychotherapy Documentation and Communication Guidelines (University of Toronto) http://psychiatry.utoronto.ca/wp- content/uploads/2011/01/psychotherapy- Charting- and- Communication- March- 26-2013- Pfn.pdf Medical Records Policy (College of Physicians and Surgeons of Ontario) http://www.cpso.on.ca/policies- publications/policy/medical- records Email Use Best Practices (University of Alberta) http://www.vpit.ualberta.ca/encryption/docs/email%20best%20practices- Jan- 2012.pdf Privacy Fact Sheet: Privacy of Email Systems (UBC Office of the University Counsel Access and Privacy Manager) http://universitycounsel.ubc.ca/files/2012/11/fact- Sheet- Privacy- of- Email- Systems.pdf Email and Text Messaging (Interior Health) http://www.interiorhealth.ca/aboutus/policies/documents/email%20and%20text%20messag ing.pdf Security and Storage of Personal Health Information (Winnipeg Regional Health Authority Policy) http://www.wrha.mb.ca/about/policy/files/10.40.120.pdf Help Desk Support (London Health Sciences Centre/ St. Joseph s Health Care) 9

Guidelines for Best Practices in Electronic Communications https://www.londonhospitals.ca/departments/medical_affairs/post_grad/documents/helpdesk Support.pdf Tips & Best Practices: Email Management System (University of Ottawa) http://www.ccs.uottawa.ca/email/overview.html#tips IPC Fact Sheet- Health Care Requirement for Strong Encryption. 2010. https://www.ipc.on.ca/images/resources/fact- 16- e.pdf IPC Fact Sheet- Safeguarding PHI https://www.ipc.on.ca/images/resources/fact- 01- e.pdf IPC Fact Sheet- Encrypting Personal Health Information on Mobile Devices https://www.ipc.on.ca/images/resources/up- fact_12e.pdf IPC Fact Sheet- Wireless Communication Technologies: Safeguarding Privacy and Security https://www.ipc.on.ca/images/resources/up- 1fact_14_e.pdf IPC Fact Sheet- The Secure Transfer of PHI https://www.ipc.on.ca/images/resources/fact- 18- e.pdf 10

Guidelines for Best Practices in Electronic Communications Appendix A Privacy Legislation Federal Privacy Legislation Privacy Act, 1985 http://laws- lois.justice.gc.ca/eng/acts/p- 21/ Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA) http://laws- lois.justice.gc.ca/eng/acts/p- 8.6/ Provincial Privacy Legislation Freedom of Information and Protection of Privacy Act, 1990 http://www.e- laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm Personal Health Information Protection Act, 2004 http://www.e- laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information