IAR_PS_DSA_V3.4a - CCIM

DSA and Privacy andSecurity Process OverviewIAR Privacy and Security (P&S) Implementation

Objectives• Provide an overview of the Data SharingAgreement (DSA)• Acquire an understanding of DSA review /approval processes• Provide information and tools for you tocommunicate DSA and Common PrivacyFramework within your organization3

What is the Integrated AssessmentRecord (IAR)?The IAR is an application that allows assessmentinformation to move with the client from one healthservice provider to another.Health service providers (HSPs)can use the IAR to viewtimely client assessmentinformation:• electronically• securely• accuratelyCommunitySupportServicesAddictionsCommunity CareAccess CentresCommunity MentalHealthLong-TermCare HomesOthersInpatientMental Health4

Main Tasks to Use the IARMonitor IARAssess Clients, Submit DataAx AxAx AxGather Consent Regularly Integrity & UsageAssessmentHINPSoftwareUse the IAR inCare ProvisionHINPAx AxAssessmentEnterAssessmentsUploadAssessmentsHINPViewAssessmentsSoftwareBusiness and Permissions RolesHSP A HSP B HSP COptions for assessment entry:• Local software installations• Shared software used bymultiple HSPsTwo upload methods:• Manual uploads• Automated webservices uploadsHSP responsibilities:• Manage user access• Review audit logs• Leverage reports• Clarify client records (EMPI)• Advise HINP of HSPchanges• Manage privacy, securityand consent5Include IAR into processes to:• Support client-centric approachto care• Enhance and inform careplanning• Ensure secure transfer ofpersonal health information(PHI)

IAR Project Overview andDevelopment20092010201120122013August 2009 – IAR pilot launched in Erie St. Clair LHIN with a focuson RAI-MH and OCAN assessmentsFebruary 2010 – IAR pilot launched in Central West LHIN with afocus on RAI-MH and OCAN assessmentsJune 2010 – An Addictions Pilot launched with three addictionsservices organizations from the South West, North West and NorthEast LHINsNovember 2010 – A four-LHIN implementation of the ProvincialSolution went live with North West, North East, North SimcoeMuskoka and Champlain LHINsJanuary 2011 – The five GTA LHIN Chief Executive Officersendorsed the implementation and rollout of the IARMarch 2011 – Erie St. Clair transitioned to the full IAR solutionNovember 2011 – The five-LHIN implementation of the IAR in theGTA went liveMarch 2012 – Target date for all LHINs to implement the IAR with thecommon assessments currently defined in scopeApril 2012 – March 2013 – IAR transition to “steady state”6

IAR Governance StructureIAR Provincial Steering CommitteeData AccessImplementationService UsersPrivacy andSecurityIAR Governance operates within project scope and budget as approved by MOHLTC7

IAR Privacy & Security Implementation FrameworkDATA SHARING AGREEMENT (DSA)IncidentManagementConsentManagementClientPrivacyRightsSupportAuditLogReviewPrivacyReviewUserAccountManagementEnterpriseMasterPatientIndexCommunication ● Awareness and TrainingPrivacy and Security SupportThe Privacy and Security Implementation framework hashelped many HSPs successfully implement the IAR8

9What is a DataSharing Agreement?

A Data Sharing Agreement Is…• A formal agreement between parties who willparticipate in this project– Describes accountabilities, obligations and rights ofeach participant– Prescribes rules and protocols related to the sharingof PHI– Defines terms and conditions governing the project• Establishes standard practices to instil trustamong participants to enable data sharing10

DSA Structure - Articles• Article 1 – Definitions and Interpretation• Article 2 – Purpose and Application of Agreement• Article 3 – Statutory Compliance• Article 4 – Personal Health Information• Article 5 – Management and Coordination• Article 6 – Participant Obligations• Article 7 – Participant Privacy and Security Practices• Article 8 – Term and Termination• Article 9 – Liability and Indemnification• Article 10 – Dispute Resolution• Article 11 – General11

DSA Structure - Schedules• Schedule A – Parties to the Agreement• Schedule B – Existing Agreements• Schedule C – Provincial Integrated Assessment Record Solution• Schedule D – Form of Adhesion• Schedule E – Plain Language Description of Network Services and Security• Schedule F – Safeguards Regarding Confidentiality; IAR Confidentiality and Security• Schedule G – Enterprise Master Patient Index System• Schedule H – Reporting Services• Schedule I – Consent Call Centre Services• Schedule J – The Privacy and Security and Data Access Committees12

13DSA Key Content

DSA Key Content• Purpose of the Agreement– To outline responsibilities, obligations and rights of eachparticipant for sharing client / patient PHI through shared system– To outline role and responsibilities of the Health InformationNetwork Provider (HINP) with respect to PHI• Participants of the Agreement– Health service providers (HSPs) – Health Information Custodian(HIC)– Osler and HSN as IAR HINP and Agents– CHIS as IAR HINP, EMPI HINP and Agent14

DSA Key Content• Authority to Upload Assessment– Each participant that collects data to be uploaded to the sharedsystem acknowledges they are authorized by law to collect andupload it• Data Custodian– Personal Health Information belongs to the client / patientregardless of which HSP submitted it to the shared system– The HSP who submits assessments is the health informationcustodian (HIC) for the assessments– The HINP provides electronic services to enable the datasharing and is NOT the owner / custodian of the assessments15

DSA Key Content• Integrated Assessment Record (IAR) System– A sharing system that allows care providers to shareassessment data to facilitate collaborative client/patient care– Provides a central repository for assessment data– Permits participants to upload assessment data– Permits authorized users to view assessment data• Enterprise Master Patient Index (EMPI) System– An electronic system to store and manage client / patientinformation from multiple source systems through multiple IARinstances– Identifies and links records across these source systems– Allows participants to uniquely identify client records17

DSA Key Content• Reporting Services– Sets out that a Reporting Environment will be established and maintained atCHIS, who will provide Reporting Services as directed by the governance bodies– Reporting Services consist of production of reports for HICs, fulfillment ofpermitted data transfers (i.e. transfers under enabling legislation), and possiblytrue secondary uses or research uses– Allows IAR HINPs as Agents to allow transfer of assessment data to CHIS,where it is staged and the reports/transfers are performed– Permits authorized users to view assessment data• Consent Call Centre (CHIS)– Clients call to make IAR level consent directives– Operatives use the EMPI for authentication– Results in messages to the IAR HINP Privacy Officers to apply directives– No access to assessment data and can’t change assessment level directives– Do collect PHI (HCN and directive) so act as Agents18

DSA Key Content• Data Access Committee– Reviews and provides recommendations onsecondary uses or transfers of data– Operates under Terms of Reference from the IARProvincial Steering Committee– Logs and publishes all uses– If a use involves PHI and is not permitted by enablinglegislation, HICs may “opt-out” their data from suchuses– Research would need pre-approved REB approvalfrom an appropriate REB19

DSA Key Content• Permitted Use– Only authorized users from each participant mayaccess client / patient assessment data on a need toknow basis for the purpose of providing health care– Any secondary use of the assessment data must bereviewed by the Data Access Committee andapproved and the IAR Provincial Steering Committee20

DSA Key Content• Sharing Demographic Information through EMPI• The EMPI solution exchanges Client/Patient informationwith multiple instances of the IAR solution in Ontario• Client/Patient information stored in the EMPI is used byall HSPs that are participating in multiple instances of theIAR• In exchanging Client/Patient information with the EMPI,each HIC must have the implied or express consent ofthe Client/Patient to collect, use and disclose PHI for thepurposes of providing health care or assisting with theprovision of health care21

DSA Key Content• Participants’ Obligations– HSPs must implement processes to manage privacyin a collaborative way including:• Consent management• Incident management• Client privacy right support• Audit log review• User account management– HINPs must provide support for IAR privacymanagement (as listed above)22

DSA Key Content• Ensuring Compliance with the Agreement– Each participant must conduct a privacy self-assessment annuallyfor review by the Privacy and Security Committee– IAR Provincial Steering Committee may request an audit on non-HSPs with unaddressed gaps• Subpoena– In the event that the HINP receives a court order (or similarrequest) requiring the disclosure of some or all of a Participant’sConfidential Information, the HINP shall work with the HIC todetermine how to respond to the request• General Legal Terms23

IAR Privacy & Security Implementation FrameworkDATA SHARING AGREEMENT (DSA)IncidentManagementConsentManagementClientPrivacyRightsSupportAuditLogReviewPrivacyReviewUserAccountManagementEnterpriseMasterPatientIndexCommunication ● Awareness and TrainingPrivacy and Security SupportThe Privacy and Security Implementation framework hashelped many HSPs successfully implement the IAR24

Purpose of the Processes• Support participating HSPs in fulfilling theirobligations under the Data Sharing Agreement(DSA)• Facilitate compliance with privacy legislation• Enable HSPs to collaborate in supporting clientprivacy25

Common Approach• Leverage participating HSP’s existing processes• Minimize changes to participating HSP’s existingprocesses• Introduce only the necessary steps to interfacewith the existing processes within the HSP• HINP coordinates and facilitates collaborationand cooperation among HSPs26

Next StepsSigning the DSA

Obtain the DSA• Download the DSA from the CCIM website at:https://www.ccim.on.ca/IAR/Private/Pages/Security%20and%20Privacy%20ToolKit.aspx• Privacy and Security Lead should brief the HSP’s seniormanagement on the DSA• Organization’s signing authority or the individual who is authorizedto bind the HSP signs the DSA28

Sign the DSA• Sign Schedule D - Form of Adhesion• Do not sign Schedule A or page 18 of the Agreement• Agreements must be completed with the signing authoritysignature, contact information and Privacy Officer contactinformation• The signed DSA should be sent by registered mail to:Attention: Integrated Assessment RecordCCIM21 College Street, 3rd FloorToronto, ON M5G 2B329

Support CentreMonday toFriday8:30 am ― 4:30 pm1.866.909.5600 option 8Emailiar@ccim.on.ca30

Thank You!