Ontario Laboratories Information System Electronic Medical Records Initiative. Privacy Impact Assessment Summary



Similar documents
Ontario Laboratories Information System ConnectingGTA Integration. Delta Privacy Impact Assessment Summary

ONE Mail Direct. Privacy Impact Assessment Summary

Personal Health Information Privacy Policy

Electronic Health Record Privacy Policies

Privacy Policy on the Responsibilities of Third Party Service Providers

Privacy Incident and Breach Management Policy

Health Care Provider Guide

ehealth Ontario Ontario Lab Data and Your EMR

Access & Correction Policy

OntarioMD Inc. Electronic Medical Records EMR SPECIFICATION FINAL. Date: January 17, 2011 Version: OntarioMD Inc. All rights reserved

Electronic Medical Records

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

ehealth Policy Paper September 2013

Policy Reference Guide

EHR Contributor Agreement

BORN Ontario: Best Possible Beginnings for Lifelong Health. September 2011

Terms and Conditions

Request for Service. Business and Technical Consulting Services Senior Business Analyst OntarioMD EMR Physician Dashboard

Common Privacy Framework CCIM Assessment Projects

Request for Proposal. Hypertension Management Program: Requirements Gathering and Options Analysis

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015

ehealth Ontario Site Support Guide

Medical records - Summary of the Physicians Health Information System

Alberta Electronic Health Record Regulation Section 5 Framework September 2011 Version 1.1

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

GOVERNANCE OPTIMIZATION

PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

EMR Lessons Learned from Ontario and British Columbia Demonstration Projects and the PHC Voluntary Reporting System (PHC VRS)

ONE Mail Service Availability and Support

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA

Privacy Practices for Frontline Health Care Workers. RNN Workshop June 5, 2015 Erin McLean, RN, BNSc Staff Development Coordinator

Table of Contents. Acknowledgement

ONE Mail Direct for Desktop Software

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010

Closing or Moving a Physician Practice

Privacy Toolkit for the. Quality Improvement Decision Support Program. in Family Health Teams. Written by: Kate Dewhirst

Record keeping 3. Fees and services 4. Using, recommending, providing, or selling client-care products 4. Medication 5

Guide to. Information Security for the Health Care Sector

e-health and Family Medicine 0 Discussion Document: e-health and Family Medicine

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD

OSCAR OLIS (Ontario Laboratory Information System)

Ann Cavoukian, Ph.D.

Improved Patient Outcomes Through Meaningful Use of EMRs by Ontario Physicians

Personal Health Information Protection Act

Expression of Interest

e-health: Privacy Compliance and the Electronic Health Record

MANDATORY EMR FUNDING ELIGIBILITY SCHEDULE

A Guide. Personal Health Information Protection Act. to the. December Ann Cavoukian, Ph.D Commissioner

ONE Mail Direct for Mobile Devices

Privacy Breach Protocol

Protecting your privacy

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

HEALTH INFORMATION ACT (HIA) BILL QUESTIONS AND ANSWERS

Privacy and Security Framework, February 2010

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

In the event of any inconsistency between this standard and any legislation that governs the practice of physiotherapists, the legislation governs.

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

Are you a registered member of a provincial CGA Canadian affiliate? YES NO Firm #: (if applicable) NEW RENEWAL. Phone Fax

INVESTMENT ADVISORY AGREEMENT

Privacy Services in Ontario - What Are the Benefits of Copying Files?

Data Management Handbook. Revised September 2013

REGULATORY PROPOSALS FOR PUBLIC COMMENT REAL ESTATE REGULATIONS INCREASING TRANSPARENCY IN MULTIPLE OFFER TRANSACTIONS

Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act. Ann Cavoukian, Ph.D. Commissioner October 2005

CA Cloud Service Delivery Platform

How To Ensure Health Information Is Protected

PERSONAL INFORMATION. Name: NOTE TO STUDENT AND HEALTH CARE PROVIDER (HCP)

Privacy and Security within an Interoperable EHR

How To Consent To A Disability Care Program

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

TechNote. Enterprise EMR Integration. 1 Overview. 2 DR Systems Integration with Referring Physician EMR Systems

BACKGROUND CHECK POLICY

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records

Primary Health Care Voluntary Reporting System Privacy Impact Assessment, January 2013

FREQUENTLY ASKED QUESTIONS

OTN Personal Videoconferencing Service for Healthcare Providers

Privacy and Management of Health Information: Standards for CARNA s Regulated Members

GROUP LIFE / ACCIDENTAL DEATH NOTICE OF CLAIM

Brian Beamish. Commissioner (Acting) Ontario Information and Privacy Commission. Cyber Risk National Conference February 9, 2015

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

Taking care of what s important to you

Keweenaw Holistic Family Medicine Patient Registration Form

Record Keeping. Guide to the Standard for Professional Practice College of Physiotherapists of Ontario

Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

debt collection software PRIVACY POLICY

WHEN BUSINESS GETS PERSONAL A QUICK GUIDE TO THE PERSONAL DATA PROTECTION ACT 2012 FOR ORGANISATIONS PERSONAL DATA PROTECTION COMMISSION

Central Ontario Electronic Health System

Information Folder and Annuity Policy Client Document Package M.V.P. - RIF. insured by Sun Life Assurance Company of Canada

REQUEST FOR INTEGRATED SERVICES

Best Practices for Protecting Individual Privacy in Conducting Survey Research

Critical Illness Claim Form

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

Panel Presentation: econsult. Dr. Rob McFadden, Chief of Respirology and Hospital Chief of Medicine, St. Joseph s Health Care

Little League International

6.0 ehealth Readiness

NADD

Privacy and EHR Information Flows in Canada. EHIL Webinar Series. Presented by: Joan Roch, Chief Privacy Strategist, Canada Health Infoway

1.2: DATA SHARING POLICY. PART OF THE OBI GOVERNANCE POLICY Available at:

Transcription:

Ontario Laboratories Information System Electronic Medical Records Initiative Privacy Impact Assessment Summary

Copyright Notice Copyright 2011, ehealth Ontario All rights reserved Trademarks No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of ehealth Ontario. The information contained in this document is proprietary to ehealth Ontario and may not be used or disclosed except as expressly authorized in writing by ehealth Ontario. Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Introduction As required under Ontario Regulation (O.Reg.) 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA), and by ehealth Ontario s Personal Health Information Privacy Policy, ehealth Ontario completed a Delta Privacy Impact Assessment (PIA) on ehealth Ontario s Ontario Laboratories Information System-Electronic Medical Records (OLIS-EMR) initiative in October 2011. The OLIS-EMR Delta PIA addresses only the changes in the OLIS initiative for OLIS-EMR, including Practitioner access to the OLIS system via Certified Electronic Medical Record (EMR) systems. Please see the OLIS Physical PIA Summary for information on the PIA conducted for the OLIS initiative. The OLIS-EMR Delta PIA found that ehealth Ontario has the authority as an agent of the Ministry of Health and Long-Term Care (MOHLTC), under PHIPA, and under section 6.2 of O.Reg. 329/04 for OLIS-EMR, as ehealth Ontario is receiving personal health information (PHI) from the MOHLTC for the purpose of creating or maintaining one or more electronic health records, and providing Practitioner access to the OLIS data via a Certified EMR. The following is a summary of the Delta PIA, including a brief background on the OLIS-EMR initiative, key findings, and ehealth Ontario s progress in implementing the recommendations identified in the Delta PIA. Background OLIS is a cornerstone information system that connects hospitals, community laboratories, public health laboratories and practitioners to facilitate the secure electronic exchange of laboratory test orders and results. The ability to electronically share laboratory test information through OLIS supports health care providers in making decisions on patient care and treatment. An EMR is a computer-based medical record that is specific to one health care practitioner, practice or organization. The purpose of the OLIS-EMR initiative is to allow practitioners at Physician Practices to collect OLIS data through an EMR system that has been certified ( Certified EMR ) according to the OntarioMD (OMD) EMR Specification version 4.0 or future OMD specifications. The EMR vendor that the Physician Practice has selected configures the Certified EMR interface to access OLIS. OLIS requires EMR systems to use an ehealth Ontario-issued Public Key Infrastructure (PKI) certificate to connect securely to OLIS. The PKI certificate is maintained by the EMR vendor and not by the Physician Practice. However, the PKI certificate used to connect to OLIS is always linked to a Physician Practice. OLIS includes the test results of individuals in Ontario who have had a laboratory test processed at one of the laboratories participating in OLIS. Individuals may withdraw consent to the use and disclosure of their PHI within OLIS. Withdrawal of consent may be applied to all of an individual s lab information in OLIS, or only to tests on a specific lab order. If an individual s consent has been withdrawn, only the health care provider(s) identified on the lab order(s) can access the applicable lab test information via a Certified EMR. In December 2010, the MOHLTC, a health information custodian (HIC) under PHIPA assumed custody and control of patients' laboratory test results in OLIS. The MOHLTC published a notice to inform the public that the MOHLTC was assuming custody and control of OLIS. The notice included information on how individuals can withdraw or reinstate their consent for their PHI in OLIS. A PIA was already completed on the OLIS initiative. However, because PHI in OLIS is being shared with enduser Practitioners, that are collecting via a Certified EMR system, ehealth Ontario policies and O.Reg. 329/04 require that a Delta PIA of the initiative be undertaken.

Summary of Privacy Impact Assessment The OLIS-EMR Delta PIA considers the OLIS-EMR initiative as of October, 2011. Specifically, the scope of the OLIS-EMR Delta PIA includes the delivery of OLIS data to Practitioners, via a Certified EMR, the purposes and processes for sharing the OLIS data with Practitioners at the Physician Practices, and the legislative authority under which ehealth Ontario may share OLIS data with Physician Practices, via a Certified EMR. The PIA also considers the technical, administrative and physical safeguards which have been put in place to ensure that all flows of PHI occur in a secure and privacy-protective manner, and are in compliance with legislative requirements, relevant agreements, best practices as represented in the Canadian Standards Association Privacy Code and ehealth Ontario s privacy policies. The Delta PIA concludes that ehealth Ontario has the overall PHIPA authorities for operating and managing OLIS-EMR. Additionally, ehealth Ontario has a robust infrastructure for the processing and sharing of sensitive PHI, with policies and practices to protect the privacy of Ontarians and the security of the information retained by ehealth Ontario. The Delta PIA recommends several measures to ensure that, for the OLIS-EMR initiative, ehealth Ontario is in compliance with applicable legislation, as well as ehealth Ontario policies, procedures and privacy best practices. Summary of the Implementation Plan for the Delta Privacy Impact Assessment Recommendations The Delta PIA provides a number of recommendations associated with the OLIS-EMR initiative, as summarized below: 1. MOHLTC and ehealth Ontario to amend the PHIPA Agent Agreement to permit ehealth to act as a PHIPA Agent of the MOHLTC in respect of the transfer of OLIS data to ehealth Ontario, under s.6.2 for the purpose of OLIS-EMR. 2. ehealth Ontario determine its role, for the flow of OLIS data to Practitioners named on a laboratory order, where there s a consent directive in place. 3. ehealth to review its agreements with the EMR vendors to ensure terms and conditions are included in the agreement which take into account the role of the vendors under s.6.2, if any, and the role of the vendor in respect of OLIS-EMR generally. 4. ehealth to implement an OLIS enhancement to improve notice to the Practitioners named on a lab order regarding consent directives. 5. ehealth Ontario to implement a process to verify alignment between recorded Physician Practice information in the OLIS permissions table and Practice registration by EMR vendors. 6. ehealth Ontario to address any risks identified in the OLIS Physical PIA, per the established risk treatment plan. ehealth Ontario is currently in the process of implementing each of the recommendations identified in the 2011 OLIS-EMR Delta PIA.

Glossary EMR electronic medical record HIC health information custodian MOHLTC Ministry of Health and Long-Term Care OLIS Ontario laboratories information system OMD OntarioMD O.Reg. Ontario Regulation PHIPA Personal Health Information Protection Act, 2004 PHI personal health information PIA Privacy Impact Assessment PKI Public Key Infrastructure Contact Information Please contact the ehealth Ontario privacy office should you have any questions about the OLIS-EMR Delta PIA Summary: ehealth Ontario Privacy office 777 Bay Street, Suite 701 Toronto Ontario M5B 2E7 Tel: (416) 946-4767 privacy@ehealthontario.on.ca

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information