Do you have Netcare?

Posted on September 22, 2014 by Jean Eaton in Blog

Netcare's PIA Process

When we provide our personal and sensitive information to a healthcare provider, we want assurances that the confidential information will be respected. We expect that our information will only be shared with people who need to know the information to provide health services to us. Alberta's Health Information Act requires healthcare providers (custodians) to put appropriate safeguards in place to protect the privacy, confidentiality, and security of health information.

Alberta Netcare, also known as the Alberta Electronic Health Record (EHR), is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images (e.g. x-rays and ultrasounds) and hospital reports (e.g. hospital discharge summaries). Netcare is used throughout Alberta in hospitals run by Alberta Health Services and Covenant Health and in medical clinics and pharmacies. This is managed by Alberta Health, Government of Alberta. Alberta Health Services (regional health authority), community pharmacies, labs and diagnostic imaging centres and other agencies upload patient information to Netcare.

Netcare Portal PIA

Each custodian is required by Health Information Act to submit a Privacy Impact Assessment to the OIPC. Alberta Health submitted a Privacy Impact Assessment (H1124) in 2006 for Alberta Netcare Portal (ANP) and an updated Privacy Impact Assessment (H3879) in March 2013.

Healthcare providers (custodians) who request access to Alberta Netcare Portal (ANP) must submit a Privacy Impact Assessment to the OIPC that documents the healthcare providers’ computer systems integration with Alberta Netcare.

If you have a previous Privacy Impact Assessment that was accepted by the OIPC regarding your access to Alberta Netcare Portal and it is less than two years old, you can submit a Privacy Impact Assessment Addendum. If you have previously completed a Provincial Organization Readiness Assessement (pORA) you will need to review and update the pORA including completing “Section Two: Mandatory Security Requirements for S2S Sites” and return it to Alberta Health for review and approval.

If you have not yet submitted a Privacy Impact Assessment

You need to submit a PIA to the OIPC for acceptance. This must reference the ANP Privacy Impact Assessment (H3879). You must also complete and submit a pORA including “Section Two: Mandatory Security Requirements for S2S Sites”.

Questions to ask:

1) When was the last time we reviewed our PIA? (This should be reviewed annually.)

2) Do we have / do we want access to Alberta Netcare Portal (ANP)? If ‘yes’, then:

3) Was your Privacy Impact Assessment accepted more than two years ago (before August 2012)? If ‘yes’, then

Review and amend your PIA and submit to OIPC including reference to ANP Privacy Impact Assessment H3879 and
Review your pORA including “Section Two: Mandatory Security Requirements for S2S Sites”. You will likely need additional support from your computer network vendor and your EMR vendor.

4) If you are a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service or self employed, you may be eligible to apply for access to Netcare as a custodian. The above steps also applies to you.

Please share this information with colleagues and your computer network support, EMR vendor, and privacy officer in your organization.

PS

Not all healthcare providers are custodians as defined by Health Information Act. For more information, see our blog, HIA Amendments and Document Management Tip

For more information see:

Alberta OIPC. Bulletin Health Information Act Bulletin August 2014 Update.

Alberta Netcare, Your System Integration with Alberta Netcare.

CARNA Netcare Access to Registered Nurses as Custodians.

Need to do a Privacy Impact Assessment or a Privacy Impact Assessment amendment? We have a course for that!

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Alberta, E-course PIA; privacy impact assessment, HIA, Netcare, PIA, pORA, Practical Privacy Coach, privacy officer

Sharing Your EMR in a Group Practice PMN Replay

Posted on March 2, 2014 by Meghan Davenport in PMN Replay, Practice Management Nugget Interview

Sharing Your EMR in a Group Practice – an interview with Brandon Blanck & Rita Hielema of Microquest.

Recorded live on Thursday, April 24th

Our guests: Brandon Blanck is the Vice President and Fatima Haymour, Client Services Representative of Microquest. Microquest is today's leading practice management software.

Brandon and Fatima shared keys to sharing your EMR Database in a shared practice:

The importance of having a clear understanding of how patient records in a shared EMR database are controlled.
- Know that the Information Manager Agreement between the software vendor and the named individual on the contract are the only individuals that the software vendor can receive instructions on how to manage the records in the database.
- As a group healthcare practice, have a clear understanding and supporting documents that sets out how patient records will be collected, used, and disclosed during the group practice and whenever the membership of the group practice changes.
- Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added – or leave – the practice.
- Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.
It's never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now! See the resources for samples that you can use.

You will also hear some stories from Brandon and Fatima about scenarios they have encountered in group practices – the good, the bad, and the ugly of a shared database when a physician leaves.

Resources:

Subscribe to Privacy Nuggets

Learning Resource Guide Sharing Your EMR

Document Management Tip Data Sharing Agreement Healthcare Providers

DT-In-Search-of-Plain-Language-Privacy Statements-in-Practice-Management

Executive SummaryIMA_PatientRecords_SAMPLE

Infographic – IMA Patient Records

Video – What is an IMA?

Replay Audio Only

Replay Audio and Slides

data sharing agreement, healthcare, HIA, IMA, information manager agreement, Microquest, Practice Management Mentor, Practice Management Nugget

Pharmacist Used Health Information for Personal Reasons

Posted on January 4, 2014 by Meghan Davenport in Blog

A Calgary pharmacist has been cited for using the health information of a patient in an attempt to establish a personal relationship with her.

The woman complained to the Information and Privacy Commissioner, alleging that the relief pharmacist employed at a pharmacy in Calgary, had contacted her twice by phone and attempted to “friend” her on Facebook.

The Health Information Act (HIA) prohibits employees from using health information for purposes not required to do their job. The investigation by the Privacy Commissioner found that the pharmacist misused health information, and that the pharmacy manager had failed to provide privacy and security training to the pharmacist.

The pharmacy had access to privacy policies and training but the pharmacist in question was not made aware of these policies by the pharmacist manager. The investigation concluded by reinforcing the need for following through on administrative and technical safeguards and training for all staff.

Do you provide privacy training for all of your staff – including professional healthcare service providers? How do you document that each staff has received the training? How often do you re-fresh or update the training? A privacy management program is an important part of your responsibility as a healthcare provider, practice management and business owner. See our training programs for additional resources you can use right away.

For more information, check out the full OIPC Investigation Report H2013-IR-02

You can also read the Calgary Herald article (Dec 17, 2013) here

Alberta, breach, complaint, Health Information Act, HIA, OIPC, privacy, privacy breach

Alberta’s Health Information Act (HIA) Amendment

Posted on October 3, 2013 by Jean Eaton in Blog

The Health Information Act (HIA) was amended was approved by Orders in Council on September 3, 2013.

The amendment includes:

Naming a non‑regional health authority Family Care Clinic approved by the Minister as a custodian. (HIA s2(1)(g)).

Disclosure of registration information – For the purposes of section 36(c) of the Act, a custodian may disclose individually identifying registration information about an individual without the consent of the individual

(a) to an ambulance attendant or ambulance operator under the Emergency Health Services Act,

(b) to the Minister of Health or Minister of Human Services for the purpose of administering the Aids to Daily Living Program, or

(c) to the Minister responsible for the Seniors Benefit Act and the Seniors’ Property Tax Deferral Act for the purpose of administering those Acts.

Remember to update your policies and procedures! See our Document Management Tip for a sample policy update that you can use to insert into your Health Information Management and Security Manual.

Alberta, Alberta HIA Amendment, amendment, custodian, Family Care Clinic, HIA, policies, templates

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar. Click here for more information.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

Calgary pharmacy found in violation of patient privacy rules

Posted on October 31, 2012 by Jean Eaton in Blog

Remember the Privacy Principles – least amount of information, on a need to know basis? This recent investigation report from the OIPC reminds us to review our practices to collect information from patients to ensure that we are meeting our best practice standards.

An investigation into a southwest Calgary Co-op pharmacy has found its practice of collecting information on the immune status of an individual when they seek administration of an injection contravenes the Health Information Act.

A patient of the pharmacy contacted the privacy commissioner in April 2012 after he was presented with a form that asked if he had a condition that affects the immune system when he went to the Co-op Shawnessy Centre Pharmacy to receive a vitamin B12 injection.

The patient feared being stigmatized due to an immune disorder that he suffered from, and felt that the amount of information being demanded was excessive. He filed a complaint after being refused treatment without providing the information.

The Health Information Act specifies that custodians must only collect the most limited amount of health information to carry out an intended purpose.

For more information, see:
http://www.calgaryherald.com/health/Calgary+Pharmacy+found+violation+patient+privacy+rules/7346243/story.html

complaint, Health Information Act, HIA, OIPC, privacy, privacy principles

1 2