Annual Report - Saskatoon Health Region

Privacy & Access Annual Report
Prepared by Privacy & Access Department
September 24, 2014
2013-2014
Table of Contents
Introduction ......................................................................................................... 3
Activities of the Privacy and Access Office ..................................................... 3
Education ................................................................................................................................... 3
Complaints / Breaches ............................................................................................................. 3
Access Requests....................................................................................................................... 5
Consultations ............................................................................................................................ 6
Key Themes ............................................................................................................................... 6
Provincial Involvement ....................................................................................... 6
Privacy and Access Office
Annual Report April 1, 2013 to March 21, 2014
2
Introduction
Saskatoon Health Region’s Privacy and Access Office (PAO) was opened in the fall of 2005 with
the addition of managing Freedom of Information (The Local Authority Freedom of Information
and Protection of Privacy Act) processes to an existing function of managing health information
processes (The Health Information Protection Act).
Crucial to the success of the PAO was developing processes to manage complaints, breaches
and consultations that would be aligned and integrated with other regional processes. Wherever
possible, complaints and consultation requests are dealt with informally, invoking formal and
sometimes legislatively prescribed processes on a required basis only.
Activities of the Privacy and Access Office
Education
Education focused on privacy and access compliance is a major function of the PAO. Privacy
education is delivered online, at new employee orientation, at staff education days, and on
request. Other examples include education sessions offered to regional sites and affiliates,
University of Saskatchewan partners, community-based partners, and First Responders
(education sessions, brochures, consultations and videos). These are provided upon request as
resources permit.
The PAO delivered 31 education sessions in the 2013/14 fiscal year.
Awareness also occurs through the Health Region's websites (both external and internal) and
through Privacy Matters, privacy alerts created in response to common issues or incidents that
have come to our attention.
An appointed PAO staff member attended three educational opportunities: the Western Canada
Health Information Privacy Symposium in Winnipeg, May 2013; the Medical Records Law
Workshop in Saskatoon, January 2014; and LAFOIP training, May 2013. Both Privacy Officers and
the Privacy and Access Coordinator are working towards the Information and Privacy Protection
Certificate through the University of Alberta.
Complaints / Breaches 2013/14
The following statistics are from the PrivaSoft tracking system. Privacy complaints/breaches are
taken very seriously by the PAO and fall into four categories: Level 1, Level 2, Level 3 and
unsubstantiated.
*Note: From October 2013 to March 2014 a total of 219 misdirected faxes were reported to the PAO; these are Level 1 violations.
The following chart is Appendix B from the SHR Privacy and Confidentiality Policy which
describes the violation levels, examples of violations and the recommended actions for breaches
at each level.
Appendix B
Privacy Violations - Recommended Actions

Level 1 - Unintentional
Carelessness in handling personal health information/SHR business information or in
maintaining adequate security levels
Examples of Violations:
• Disclosing without verifying identity of requestor
• Leaving PHI/SHR business information unattended or in public area
• Failing to log off or lock computer that holds PHI/SHR business information
• Inadvertently sending PHI/SHR business information via fax to incorrect fax number
Recommended Actions:
• Discussion of applicable SHR policies and procedures
• Privacy training and / or letter of expectation
• Sign or re-sign confidentiality agreement

Level 2 – Intentional, non-malicious/multiple level 1
Breaching policies or legislation surrounding the collection, use and disclosure of PHI/SHR
business information
Examples of Violations:
• Accessing PHI/SHR business information without professional need to know
• Discussion of PHI/SHR business information with someone who does not have a legitimate
need to know without consent
• Allowing another individual to use your SHR computer account
• Repeated Level 1 violations
Recommended Actions:
• Discussion of applicable SHR policies and procedures
• Privacy training
• Sign or re-sign confidentiality agreement
• Discipline, up to and including suspension
• May notify Office of Saskatchewan Information and Privacy Commissioner (OIPC)

Level 3 – Intentional and malicious/multiple levels 1 & 2
Knowingly breaching policies or legislation surrounding the collection, use and disclosure of
PHI/SHR business information for personal benefit* or to harm** another person(s)
Examples of Violations:
• Accessing PHI/SHR business information without professional need to know for personal
gain or to cause harm to another
• Using another employee's computer account for personal gain or to cause harm to another
• Intentionally altering data or removing PHI/SHR business information from SHR
• Repeated Level 1 or 2 violations
Recommended Actions:
• Suspension or termination of employment (employee ineligible for future rehire), as
determined by management
• Revocation of Medical Staff privileges
• Revocation of access to region applications
• Automatic reporting to professional body (if applicable)
• Automatic reporting to OIPC
• Report to Ministry of Justice for consideration of charges and/or fines under HIPA
*Personal Benefit: collecting, using, or disclosing information with a motive that primarily benefits the individual. This includes but
is not limited to favors, economic gain, and use for social and personal interests.
**Harm: negative impact to another individual(s) physically, emotionally, socially, or financially.
Privacy Breach Examples:
1) Level 2 – Intentional, non-malicious/multiple level 1: An employee looks up a family
member’s personal health information.
2) Level 2 – Intentional, non-malicious/multiple level 1: An employee posts de-identified
information about a patient on Facebook.
3) Level 3 – Intentional and malicious/multiple levels 1 & 2: An employee discloses a
patient’s personal health information to cause harm to someone.
Access Requests
Access requests fall into 4 categories:
1) An individual’s request for their own personal information or personal health
information: these are mainly managed by either the point-of-care service provider or by
Health Records staff, but the PAO manages requests that have been denied or where
issues arise.
2) Request for an individual’s personal health information by another person/agency:
the PAO regularly works with law enforcement agencies and government agencies that
are requesting personal health information. A policy and supporting forms have been
developed to facilitate these requests. The PAO also works with family members and
others requesting personal health information for loved ones or others.
3) Amendment Requests: individuals have the right to request an amendment to a record
containing their own personal health information, as prescribed in HIPA. A policy and
supporting form have been developed to facilitate these requests.
4) Freedom of Information Requests: through regular consultation, the PAO assists in
determining what information can be shared with the media/public. The number of formal
Freedom of Information requests for the fiscal year 2013/14 is 6.
Consultations 2013/2014
One of the main activities of the PAO is consultations about operationalizing privacy and access
legislation. The PAO provides advice on a regular basis to staff members, affiliates, other
agencies, and to our patients/clients/residents and families.
Internal Consults: 174
External Consults: 27
Total: 201
*Note: Consultations have been underreported in PrivaSoft. Additional training on the use of PrivaSoft and its
reporting utility has occurred and will result in more accurate reporting in 2014/15.
Key Themes
• Misdirected faxes were highlighted as a large concern by the Saskatchewan Privacy
Commissioner in January 2014. The PAO has been working very hard to establish the root
causes of misdirected faxes. Examples include faxing to the wrong physician with the same
last name, or faxing to the wrong family physician because the registration system had not
been updated to reflect the patient's current family physician.
• SHR Employees and Physicians accessing databases without a “need-to-know”.
Quarterly auditing and education will continue to be a focus of the PAO.
Provincial Involvement
The PAO is a member of the Saskatchewan Health Sector Privacy and Access Forum, which is
governed by the privacy officers from participating members and is advisory in nature. This group
is currently comprised of representatives from each of the 12 Regional Health Authorities in
Saskatchewan, the Saskatchewan Cancer Agency, 3S Health, eHealth Saskatchewan, Ministry of
Health, and other organizations as deemed appropriate to attend.
Structure and Shared Services
In 2013/14 the Privacy and Access Office was within the People and Partnerships portfolio with
Bonnie Blakley as Vice President and, as of November 2013, moved to the Finance and Corporate
Services portfolio with Nilesh Kavia as Vice President. The PAO team reports to Enterprise Risk
Management (ERM), reporting to Lori Frank, Director – ERM. The roles within the PAO team
were redefined in March 2013, with the elimination of the Privacy Consultant position and the
addition of a second Privacy Officer, both of which are supported by the Privacy and Access
Coordinator.
Wenda Atkinson: Privacy Officer – April 1, 2013 – March 31, 2014
Theresa Aubin-Singh: Privacy Officer – April 1, 2013 – March 31, 2014
Christa Sather: Privacy and Access Coordinator – April 2013 – March 2014
Daniel Pierrard: Privacy and Access Coordinator – March 2014
The Privacy Officer position is a shared service between Saskatoon Health Region (as lead
agency) and Kelsey Trail Health Region. The Privacy Officer consulted on 45 privacy-related
issues in Kelsey Trail Health Region during this fiscal year.