AOHC Privacy MeetingJan. 30th, 2013

Security Roles

AOHC Standard User Roles• Nightingale has worked with AOHC to create a list of

standard user roles (Administrator; Super User; Ordering; Non-Ordering)

• Nightingale creates these initial user roles and assigns to each active provider based on the Needs Analysis completed by each centre.

• Administrators at each centre are trained on how to create additional user roles and alter existing user roles and assign to users accordingly.

• Enterprises with multiple locations can grant a user access to the multiple locations with varying user roles, as well as restrict access to the multiple locations.

User Role

Client ConsentClient consent can be recorded as a CPP medical alert

• Information is visible on first opening the client’s chart.

•Always available in the chart header

• • Updates to the medical alerts are tracked in the audit log, who updated, when and what was the update.

Client Consent

•Medical alerts can also be updated by moving the current alert to past history and creating a new CPP Alert.•Moving previous versions of the consent to past history will keep a historical record of the changes to consent.

•Both options are tracked in the client’s security audit log.

Consent audit log

OLIS Consent

OLIS consent• Client are able to block their data, remove consent, or require consent from a provider to access their data through OLIS.•Client can remove consent at the test result level or report level.•Providers will be identified on the lab reports, if requesting provider is not the ordering, attending, admitting or copy-to provider then they will not see the result unless client gives consent.

Providers can send a consent override by selecting the Consent Override check box, Choose whether consent was from patient or substitute decision maker. This activity is tracked in the OLIS Query Audit Log.

OLIS Consent

OLIS Report Blocked

Before Consent Override

After Consent Override

OLIS Lab Result Blocked

Before Consent Override

After Consent Override

OLIS Query Activity Log

OLIS activity log within NOD can be searched by provider, user, or type of query.

System Audit Log

Access User/Client audit logs

• Administrators are given the access rights to run audit logs• User audit log

•Client audit log

System Audit Log

Print/fax Log• Printing Rx, Labs and Referrals letters show in the audit log as additions to the client’s chart.

•

Data Extract when you run a data export from NOD the user and date the export took place is tracked in the audit log.

Release of Information

Tracking the release of information Written Consent is scanned into the client’s chart

Verbal Consent• Note verbal consent on a referral letter within the Consultant Notes of the letter template.

Lock Box

CHC EnterpriseEach CHC is set up as their own NOD Enterprise and does not have access to other NOD Enterprises. Each Enterprise has access to the charts within their Enterprise only.

Masking a client record Users who have the user rights to mask data can access the record locking feature. Individual sections of the clients chart can be locked

Lock Box

Users can mask the data element from all users except self ; mask from specific user roles; or individual users.

Lock Box cont

Only users with the ability to unmask can unmask data.

If unmasking data it is required to enter the length of time to unmask and a reason.

Masking and unmasking is tracked in the client’s audit log or a user audit log.

Masking cont

Masking and BIRT If data is masked from any user within the CHC

Enterprise that data will not be sent to BIRT.

Updating Client Data

Client requests an update to their chart Addendums can be added to a clinical note. Deleting data from a client’s chart requires a reason

for deletion. All tracked in the audit log.

Communication between a Centre and a client can be logged with the phone icon.

System Security

Each user has the ability to set their NOD Dashboard settings to automatically log off after so many minutes.

Clinical lists created per provider are managed per provider, if one provider updates their list this does not affect the other providers.

Privacy/Security Incident Management

Question and Answer