Healthcare Interoperability Between Canada and the United
States
Rick Shields - nNovation LLP
and
Joan Roch – Canada Health Infoway
A Presentation to IAPP Canada – Privacy Symposium
May 9, 2014
This is not legal advice...
Our Agenda
• Meet the panel
• EHR backgrounder
• Canadian health information privacy/security setting
• What does “HIPAA-compliant” mean?
• Buying/selling EHR technology in Canada: “Canadianizing” the product
• Canada Health Infoway: Canada’s EHR quarterback
• Q & A
EHR - What is it?
• …An EHR refers to the systems that make up the secure and private lifetime record of a person’s health and health care history. These systems store and share such information as lab results, medication profiles, key clinical reports (e.g., hospital discharge summaries), diagnostic images (e.g., X-rays), and immunization history. The information is available electronically to authorized health care providers.
Canada Health Infoway
©Canada Health Infoway 2014
EHR – A National Plan
In Canada, EHR development is being guided by Canada Health Infoway
With its partners, Infoway helps accelerate the development, adoption and effective use of digital health solutions across Canada
Each jurisdiction has its own EHR
− Common architecture is accepted across Canada
• Architecture includes privacy and security requirements
− Standards resources, tools and education for stakeholders and implementers
• Infoway Standards Collaborative
EHR or EMR?
• Typically, an EMR is an electronic version of the traditional paper records used to capture patient data
• Can be quite simple (e.g., geared to a single doctor’s office) or more complex (e.g., used by a group medical practice; health facility)
• A ‘point of service’ (POS) in the EHR system
EHR or EMR?
• …an electronic medical record (EMR) is an office-based system that enables a health care professional, such as a family doctor, to record the information gathered during a patient’s visit. This information might include a person’s weight, blood pressure and clinical information, and would previously have been hand-written and stored in a file folder in a doctor’s office. Eventually the EMR will allow the doctor to access information about a patient’s complete health record, including information from other health care providers that is stored in the EHR…
Canada Health Infoway
EHR – Data Sources
• EHRs will make personal health information (PHI) from points of service (POS) available to health information custodians/trustees. POS can include:
– Clinical information systems (CIS)/electronic medical records (EMR)
– Hospital information systems (HIS)
– Pharmacy information systems (PIS)
– Laboratory information systems (LIS)
– Digital image/picture archiving and communications systems (DI/PACS)
EHR Architecture
[Figure: EHR architecture diagram. Points of care shown: Homecare, Emergency Services, Pharmacy, Laboratory, Diagnostic, Hospital, Emergency, Specialist Clinic, Community Care Centre, Clinic]
One patient, one record
[Figure: the single patient record brings together Results and images, Patient information, Medical alerts, Medication history, Interactions, Immunization and Problem list]
EHR – Interoperability
• Goal is to have systems that are interoperable and that conform with applicable privacy and security standards imposed/suggested by Canadian law/best practices
• HIPAA-compliant technology is fine, as long as it can meet privacy/security obligations of Canadian customer
• Many overlaps between US and Canadian privacy and security requirements for PHI
Canadian PHI Privacy Setting
• Many laws potentially in play:
– 7 provincial PHI laws in force (AB, SK, MB, ON, NB, NS and NL); 2 territorial PHI laws passed but not yet in force (YT and NWT); PHI law for PEI introduced April 22, 2014
– EHR-specific laws in BC and QC
– NS law governing international disclosures of PI – similar to limitations in BC’s FIPPA
– Provincial/federal public sector laws (all jurisdictions)
– PIPEDA (note “substantial similarity” issue)
– Provincial private sector laws (BC, Alta. and QC)
– Provincial/territorial health sector laws
Privacy and health information laws
[Figure: map of Canada (NL, NS, PE, NB, QC, ON, MB, SK, AB, BC, NT, YK, NU) colour-coded by the categories in the legend below]
LEGEND
Provincial health information protection laws/provisions
Provincial private sector privacy laws (deemed ‘substantially similar’ to PIPEDA)
Federal private sector privacy law (‘PIPEDA’)
Federal public sector access to information and privacy laws
Provincial public sector freedom of information and privacy laws
Provincial health information laws (deemed ‘substantially similar’ to PIPEDA)
* ON - Bill 78 – second reading November 20, 2013
• YK - Bill 61 – assented December 12, 2013
• NWT - Bill 4 – assented March 13, 2014
• PEI - Bill 42 – first reading April 22, 2014
April 2014
Canadian PHI Privacy Setting (cont’d)
• Inter-jurisdictional efforts being made to harmonize rules governing electronic PHI, but no uniform law(s) on horizon
• As result, regional variations exist that can impact relationship between custodian/trustee and technology providers
• Key is to know and apply relevant laws in jurisdiction(s) in which you operate
• Privacy/security obligations of technology vendors/agents/“information managers” should be established by contract
US PHI Privacy Rules
• Focus on federal laws/rules – pre-emption of conflicting State laws
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– The Privacy Rule (2003) – as amended
– The Security Rule (2003) – as amended
– The Enforcement Rule (2006) – as amended
• Privacy section of the Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)
– The Breach Notification Rule (2009) – as amended
– The Final Omnibus Rule (2013)
• Complex rules applicable to “covered entities” and “business associates”/subcontractors
Meaning of “HIPAA-compliant”
• “HIPAA-compliant” refers to systems that possess certain administrative, physical and technical features/safeguards as specified in the Rules made under HIPAA/HITECH:
– Access control (access levels and user roles)
– Password management
– Log-in monitoring
– Unique user identification
– Automatic logoff
Meaning of “HIPAA-compliant” (cont’d)
– Audit logging/reporting
– Security incident tracking
– PHI backup/storage
– Encryption/decryption
– PHI integrity controls
– Emergency access procedure
– Disaster recovery plan
– Network/transmission security features
– Facilitated access by individuals to PHI in EHR
Meaning of “HIPAA-compliant” (cont’d)
• If processing data for covered entity/business associate:
– Facility security plan, including facility/system access controls
– Business associate agreement and downstream agreement with subcontractor(s)
– Security incident response and reporting process
– Workforce authorization/clearance, supervision and termination procedures
– Electronic media re-use/disposal
– PHI retention, disposal/return processes
Canadian EHR Contracts
• In Canada, rules/policies/best practices typically key on same features as those required under HIPAA, so those features should be reflected in contract with vendor
• But may also want/need to contract for additional features or functionalities:
– Express consent capture feature
– Documentation and management of patient privacy preferences and a related data masking/“lock-box” feature
Canadian EHR Contracts (cont’d)
– Capacity to display/print entire patient record chronologically and produce same in readily comprehensible format if requested
– Jurisdiction-specific retention/disposal controls
– PHI accuracy/correction/annotation/notification feature
– Data redaction capability
– ISO 27002/ISO 27799/ISO 27789 conformity
– Training module(s)
Canadian EHR Contracts (cont’d)
– Confidentiality acknowledgement/notices at initial log-in, at periodic intervals and/or on printed reports
– Regional/facility limits on access to PHI within defined user roles
– Enhanced threat detection/protection features
– Means of preventing unauthorized copying of PHI to portable media
– In some jurisdictions (e.g., BC and NS), limits on international disclosure of PHI
Canadian EHR Contracts (cont’d)
– Interoperability with specified existing/planned jurisdictional EHRs to facilitate PHI transfers
– Can produce electronic signatures as per applicable Canadian law
– Audit features that
• Capture date, time, user identity re. PHI access, input, amendment
• Preserve original content of record
• Permit printing of patient-specific audit report that doesn’t include other PHI from patient file
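The audit features just listed, as an added example that is not part of the original presentation and not Infoway or vendor code: a hypothetical in-memory PHI store that logs date, time and user for every access, input and amendment, keeps the original content of an amended field, and produces a patient-specific audit report that contains no other patient's entries and no field values. Patient and user identifiers are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class AuditEntry:
    ts: str                       # date and time of the event (UTC, ISO 8601)
    user: str                     # unique user identifier
    patient: str                  # patient identifier (constructed values in tests)
    action: str                   # "access", "input" or "amend"
    field: Optional[str] = None   # record field touched, if any
    before: Optional[str] = None  # original content, kept on amendment
    after: Optional[str] = None

class AuditedRecordStore:
    """Hypothetical PHI store: every access, input and amendment is logged,
    and amended values are versioned rather than overwritten."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc).isoformat()):
        self._clock = clock          # injectable so reports are reproducible
        self._records = {}           # patient -> {field: current value}
        self._versions = {}          # (patient, field) -> [values, oldest first]
        self._log = []               # append-only; entries are never edited

    def _record(self, **kw):
        self._log.append(AuditEntry(ts=self._clock(), **kw))

    def input(self, user, patient, field, value):
        self._versions.setdefault((patient, field), []).append(value)
        self._records.setdefault(patient, {})[field] = value
        self._record(user=user, patient=patient, action="input", field=field, after=value)

    def amend(self, user, patient, field, value):
        old = self._records[patient][field]
        self._versions[(patient, field)].append(value)   # original stays at index 0
        self._records[patient][field] = value
        self._record(user=user, patient=patient, action="amend", field=field, before=old, after=value)

    def access(self, user, patient):
        self._record(user=user, patient=patient, action="access")
        return dict(self._records.get(patient, {}))

    def original(self, patient, field):
        return self._versions[(patient, field)][0]

    def patient_audit_report(self, patient):
        """Printable report for one patient: who did what, and when. Entries for
        other patients are excluded and no field values (PHI) are included."""
        return [f"{e.ts} {e.user} {e.action}" + (f" {e.field}" if e.field else "")
                for e in self._log if e.patient == patient]
```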
Other Considerations
• May need to perform/participate in PIA
• Focus on present and future needs for interoperability with other systems (e.g., EHRs) – don’t want to have to replace expensive system prematurely
• Define all key terms – e.g., PHI, EMR, EHR, etc.
• Always confirm ownership and/or control of PHI
• Address PHI sharing, service levels, installation-related impacts on operations
• Lots of guidance materials available: CHI, COACH, CMPA, Commissioners
Infoway as ‘Quarterback’
Project Agreements
Privacy Impact Assessment policy for Infoway funded programs
Certification Services
• 9 program areas
• Privacy and security are key components
Infoway as ‘Quarterback’
EHR Blueprint
• Privacy & Security Requirements
− 2014 refresh – underway
• Privacy & Security Conceptual Architecture
Emerging Technology Group (ETG)
• Cloud computing
• 2 papers on mobile computing
• Big Data
− Each paper addresses P&S
Projects
• Consent Management solutions
Infoway as ‘Quarterback’
“Privacy and EHR Information Flows in Canada: Common Understandings of the Pan-Canadian Health Information Privacy Group”
V1 released June 2010
V2 released July 2012
Bringing people together to find potential solutions
- The Privacy Forum
- The Health Information Privacy Group
Resources
• Canada Health Infoway, Electronic Health Records Privacy and Security Requirements; online: https://www.infoway-inforoute.ca/
• Canada Health Infoway, v1.1, 2005, Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture; online: https://www.infoway-inforoute.ca/
• Canada Health Infoway, 2008, A Conceptual Privacy Impact Assessment (PIA) on Canada’s Electronic Health Record Solution (EHRS) Blueprint Version 2; online: https://www.infoway-inforoute.ca/
• Canada Health Infoway, 2012, Business and Architecture Considerations for Interoperable Consent Solutions – A Discussion Document; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/2055-business-and-architecture-considerations-for-interoperable-consent-solutions-a-discussion-document
Resources
• Canada Health Infoway, 2012, Privacy and EHR Information Flows in Canada, Version 2; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/626-privacy-and-ehr-information-flows-in-canada-version-2-0
• Canada Health Infoway, 2010, Privacy and EHR Information Flows in Canada, Version 1; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/76-privacy-and-ehr-information-flows-in-canada
• Canadian Health Informatics Association (COACH), Putting It into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records: 2013 Guidelines; online: http://www.ehealthontario.on.ca/images/uploads/pages/documents/Putting-it-into-Practice_PrivacySecurityHealthcareProviders.pdf
• Canadian Medical Protective Association (CMPA), Electronic Records Handbook; online: https://oplfrpd5.cmpa-acpm.ca/documents/10179/24937/com_electronic_records_handbook-e.pdf
• Cavoukian, A. & Rossos, P., Personal Health Information: A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records; online: http://www.ipc.on.ca/images/Resources/phipa-toolforphysicians.pdf
• Sawatsky, E., Information Sharing Agreements for Disclosure of EHR Data within Canada; online: https://www.infoway-inforoute.ca/
Q & A
Contact
Rick Shields
Partner
nNovation LLP
613.656.1293
Joan Roch
Chief Privacy Strategist
Canada Health Infoway
jroch@infoway-inforoute.ca
514-397-7978