Personal Health Information

1

• Personal Health Information
• Task Force Presentation
• Andrea Seymour
• Vice President Health Information CIO
• River Valley Health
• June 8, 2007

2
Topics

• Context
• Privacy Definition
• Patients Privacy Rights
• Strengths - PHI Legislation
• Response to Consultation Questions
• Concluding Remarks

3
Health Care Context

• Consumer Attitudes
• Active participant in care
• Control over personal information
• Privacy aware
• Health Reform
• Information intensive
• Collaborative, team based, care delivery models
• Continuum of care
• Centres of excellence
• Disease prevention, wellness focus
• Genetics

4
Health Care Context

• Technological advances
• Telehealth (including telehomecare)
• One patientone record
• Portable computing
• Internet

5
Privacy

• The right to be left alone, free from intrusion
  or interruption
• Includes elements of
• Security - protection from unauthorized loss,
  theft, access, use, modification, disclosure
• Communications privacy - confidentiality to
  keep secret
• Information privacy

6
Information Privacy

• The right of an individual to control the
  collection, use and disclosure of personal
  information about themselves.
• Personal information is information about an
  identifiable individual recorded in any form
• Protecting personal information means following
  fair information practices.

7
In the beginning there was security and
confidentiality. Then came privacy
THE IMPACT OF NEW PRIVACY PRINCIPLES
New Obligations for Government and Business New
Accountabilities Define Purposes Limiting
Collection Limiting Use, Disclosure
Retention Openness
Security and Confidentiality Some
Accountability Safeguards Accuracy
New Rights for Consumers Consent Individual
Access Challenging Compliance
1996 CSA Code
(Source Priva_C, 2003)
8
Patients Privacy Rights

• Patients have the right to
• Know how their health information will be used
  and disclosed
• Ask questions about privacy and have these
  questions clearly and promptly answered

9
Patients Privacy Rights

• Patients have the right to
• Know who has seen their personal information and
  for what purpose
• See and obtain a copy of their records
• Amend or include a statement of disagreement for
  anything in the record they believe to be in
  error

10
Patients Privacy Rights

• Patients have the right to
• Expect that their health information will be kept
  secure, and provided to only those who need to
  know
• Agree or object to disclosure of their
  information to visitors, clergy and others not
  involved in care delivery

11
Patients Privacy Rights

• Patients have the right to
• Authorize or refuse additional uses of their
  information - such as fundraising, marketing,
  research
• Complain if they believe their rights have been
  violated
• Have their complaint escalated if they believe
  their rights have been violated

12

• Personal Health
• Information
• Response to Questions in Consultation Guide

13
Scope of PHI Legislation

• Whom
• Legislation should apply to all people, agencies
  or organizations who hold, contribute to, or
  require access to an individuals personal health
  information

14
Scope of PHI Legislation

• What
• Legislation should cover personal information
  about an identifiable individual recorded in any
  form.

(Source, POPIA, 2001)
15
Scope of PHI Legislation

• Identifiable individual means the individual can
  be identified by the contents of the information
  because the information
• Contains the individuals name
• Makes the individuals identity obvious
• Is likely in the circumstances to be combined
  with other information that includes the
  individuals name or makes the identity of the
  individual obvious.

(Source, POPIA, 2001)
16
Scope of PHI Legislation

• What
• The PHI legislation should emphasize the
  requirement to use non-identifiable information
  whenever possible
• Once deemed non-identifiable, the information
  falls outside the scope of this legislation

17
Collection

• The collection of personal health information
  should be guided by the following
• Limit collection to what is required for defined
  purpose
• Purpose may include improving health care system
  management or broadening understanding of
  population health/determinants of health

18
Consent

• Implied knowledgeable consent should be the
  standard in New Brunswick within the circle of
  care
• Express consent should be the standard in New
  Brunswick whenever personally identifiable
  information is shared outside the circle of
  care

19
Disclosure

• Exceptions to requiring express consent when
  disclosing personal health information
• Threat to health and/or safety of public at large
• Court order
• Compliance with New Brunswick and Canadian laws
• Planning, monitoring and evaluating the health
  system when fraud or criminality is suspected
• Determining eligibility to receive health service
  
• Whenever possible the patient should be notified
  that their information has been shared
• Note Clarify relationships between Personal
  Health Information legislation and other
  legislation e.g. Mental Health Act

20
Access

• Patients should be able to
• Access their personal health information
• Request an addendum or amendment to their
  personal health information
• Note
• Recognize the need to harmonize Right to
  Information Act with Personal Health Information
  legislation

21
Denial of Access

• Denial of access to personal health information
  could occur if
• Knowledge could endanger patients mental or
  physical health,
• Access reveals information about another person,
  who has not given consent (de-identification not
  possible)
• A review and appeal process is in place

22
Independent Oversight

• A Privacy Commissioner for New Brunswick will
• Focus and prioritize privacy
• Improve public confidence
• Create capacity for education and advice to
  public and data custodians
• Advance the NB eHealth direction
• Provides capacity to monitor and enforce
  compliance

23
Safeguards

• The safeguard section of the proposed PHI
  legislation can be strengthened with more focus
  on
• Monitoring and measurement of compliance
• Adherence to security standards
• Mandatory privacy awareness training and education

24
Concluding Remarks

• A collaborative approach to implementation among
  NB data custodians is required to ensure
• Common interpretation of legislation, and
• Standard adherence to privacy principles
• Consistent implementation approach
• Public trust and confidence
• It is important that NB look at and learn from
  the experiences of other national and
  international health jurisdictions

25
Concluding Remarks

• Data custodians from both the public and the
  private sector are covered by the same
  legislation and this will facilitate sharing of
  information among the circle of care
• Personal Health Information Privacy legislation
  will strengthen the NB approach to an electronic
  health record

26
For more information
Andrea Seymour Vice President Health Information
CIO River Valley Health P.O. Box
9000 Fredericton New Brunswick Andrea.Seymour_at_rvh
.nb.ca Tel 452-5204 Fax 452-5670