Policy Reference Guide

(1)

eHealth Ontario | EHR Access and Correction Request for Service Form - cGTA 1

Policy Reference Guide

Electronic Health Record (EHR) -

connectingGTA

(2)

Trademarks

Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

(3)

Approval History

APPROVER(S) APPROVED DATE

Abigail Carter-Langford 2014-26-03

Revision History

VERSION NO. DATE

yyyy-mm-dd

SUMMARY OF CHANGE CHANGED BY

1.0 2014-11-26 Final Version Urooj Kirmani, Senior

Privacy Analyst

0.1 2014-11-25 Initial draft Urooj Kirmani, Senior

(4)

eHealth Ontario | EHR Access and Correction Request for Service Form - cGTA 4 Contents

1 Purpose/ Objective 5

2 Access and Correction Policy 5

3 Consent Management Policy 6

4 Inquiries and Complaints Policy 7

5 Privacy Breach Management Policy 8

6 Requesting DI Common Service Audit Log 9

(5)

1 Purpose/ Objective

The purpose of this reference guide is to highlight key points from the following policies:  Access and Correction Policy

 Consent Management Policy  Inquiries and Complaint Policy  Privacy Breach Management Policy

This reference guide will assist you in fulfilling your obligations under these policies as well as provide you with pertinent contact information.

2 Access and Correction Policy

This policy outlines eHealth Ontario and the Health Information Custodian (HIC) obligations in fulfilling requests for access and corrections with respect to the connectingGTA (cGTA) Solution.

cGTA Solution Specific Instructions If you receive the Access Request:

1. Respond to the request if it relates to PHI that you contributed or collected (i.e., viewed).

2. If it does not pertain to you, ask the individual to contact eHealth Ontario Business Service Desk at: 1-866-250-1554.

If eHealth Ontario receives the Access Request:

1. Where the access request relates only to information you have contributed. eHealth Ontario will forward the request to your hospital. Please respond directly to the requestor.

2. If the request relates to multiple HICs, eHealth Ontario will facilitate communication with the involved hospitals and coordinate the response to the individual.

3. eHealth Ontario will also fulfill requests for access to logs and respond to the requestor directly (e.g., who accessed my PHI?). This process is described in greater detail on page 9.

If eHealth Ontario receives a Correction Request:

1. eHealth Ontario will forward the request to the HIC(s) that contributed the PHI. The HIC(s) are then to respond directly to the requestor.

For Access and Correction Request contact the eHealth Ontario Business Service Desk 1-866-250-1554

Forms:

(6)

3 Consent Management Policy

This policy outlines eHealth Ontario and the HIC’s obligations in managing consent directives with respect to the cGTA Solution.

cGTA Solution Specific Instructions Obtaining Consent:

1. Follow your existing policies and procedures to obtain consent from the individual. Managing Consent Directives:

1. For Records Contributed by Your Hospital:

 Complete the Electronic Health Record Consent Form - ConnectingGTA and fax it to eHealth Ontario. The number to fax is noted on the Electronic Health Record Consent Form – ConnectingGTA form.  eHealth Ontario will send you confirmation that the directive has been applied. When you receive

confirmation from eHealth Ontario, provide the confirmation notice to your patient. 2. For Records Contributed by Multiple Hospitals:

 If the request to place consent is for records contributed by multiple hospitals, then direct the Individual to eHealth Ontario’s Business Service Desk at: 1-866-250-1554

On Consent Directive Override:

1. eHealth Ontario will send you a notice indicating override of consent directive by your hospital. 2. Provide notice of override to your patient upon receipt of override confirmation from eHealth Ontario.

For Consent Management queries contact the eHealth Ontario Business Service Desk 1-866-250-1554

Forms:

(7)

4 Inquiries and Complaints Policy

This policy outlines eHealth Ontario and the HIC’s obligations in responding to inquiries and complaints with respect to the cGTA Solution.

cGTA Solution Specific Instructions If you receive the inquiry or complaint:

1. Respond to the inquiry/complaint if it relates solely to your hospital’s records in cGTA Solution.

2. Refer the patient to eHealth Ontario for response if the inquiry/complaint does not relate to your hospital. If eHealth Ontario receives the inquiry or complaint:

1. If inquiry/complaint relates solely to cGTA Solution (as a system or service of eHealth Ontario), eHealth Ontario will respond directly to the individual making the inquiry/complaint.

2. If the inquiry/complaint relates to your hospital, eHealth Ontario will forward the inquiry/complaint to your hospital. You will respond directly to the individual making the inquiry/complaint.

3. If inquiry/complaint relates to multiple hospitals, eHealth Ontario will facilitate communication with the hospitals and draft a response for the individual.

 In those instances where eHealth Ontario is responsible for coordinating the response, you are requested to provide a response within 14 days to eHealth Ontario.

 In the event that your response is not received within 14 days, eHealth Ontario will respond to the individual with what information has been received from hospitals subject to the inquiry/complaint. eHealth Ontario will refer the individual directly to you to obtain a response as well as provide them with the IPC contact information.

For Inquires and Complaints, contact the eHealth Ontario Business Service Desk 1-866-250-1554

Forms:

(8)

5 Privacy Breach Management Policy

This policy outlines eHealth Ontario and the HIC’s obligations in identifying, reporting, containing, notifying, investigating, and remediating Privacy Breaches in respect to the cGTA Solution.

cGTA Solution Specific Instructions Privacy Breaches

1. All privacy breaches and suspected privacy breaches involving the cGTA Solution must be reported as soon as possible, but in any event no later than the end of the next business day after making the determination that a Privacy Breach has occurred by calling the eHealth Ontario Business Service Desk at: 1-866-250-1554

2. All impacted HICs will be notified of the breach. If the breach relates to your information

1. If the breach relates only to your information, then you will investigate the breach as per your internal policy and procedures.

If the breach involves multiple HICs

1. If the breach involved multiple HICs, then the HIC who identified the breach will be the breach investigator, unless assistance from eHealth and/or HICs impacted by the breach is requested.

2. The breach investigator will complete the breach report; impacted HICs will have an opportunity to make comments.

3. eHealth Ontario will provide the report to the cGTA Privacy and Security Committee and cGTA Steering Committee for review and approval of remediation activities.

In the event of a privacy breach or suspected breach, call the eHealth Ontario Business Service Desk 1-866-250-1554

(9)

6 Requesting DI Common Service Audit Log

You can request the following audit logs from eHealth Ontario:

 Audit logs of what a staff from your organization accessed in the cGTA Solution.  Audit log of who from your organization accessed a certain patient record

cGTA Solution Specific Instructions

To request an audit log, contact the eHealth Ontario Business Service Desk at: 1-866-250-1554

7 Patient Requesting cGTA Audit Log

Patients can request the following audit logs:

 Records of all instances where all or part of the PHI of the individual is viewed, handled or otherwise dealt with by HICs or their agents and Electronic Service Providers;

 Records of all instances where a consent directive is made, withdrawn or modified by the individual; and  Records of all instances where a consent directive made by the individual is overridden and the purpose for

which the consent directive is overridden.

cGTA Solution Specific Instructions

If eHealth Ontario receives an audit log request directly from the individual for records you contributed:

1. eHealth Ontario will respond directly to the individual. 2. eHealth Ontario will inform you once the request is fulfilled.

If you receive an Audit Log request from a patient and you are unable to generate the reports: 1. Immediately notify the individual that you are unable to process the request.

2. Ask the individual to contact the eHealth Ontario Business Service Desk at: 1-866-250-1554

To request audit logs, call the eHealth Ontario Business Service Desk 1-866-250-1554

(10)

eHealth Ontario | EHR Access and Correction Request for Service Form - cGTA 10 INSTRUCTIONS TO THE PERSON MAKING THE REQUEST:

 Please complete this form with as much information as possible. Fields indicated with an asterisk (*) are mandatory fields. This will help eHealth Ontario fulfill your request.

 eHealth Ontario only accepts requests from the patient or someone authorized to make the request for the patient (i.e., substitute decision maker). You will need to:

o Provide proof of your identity (please see attached instructions for valid forms of identification)

o If you are not the patient, prove that the patient has allowed you to view his or her information (please see attached instructions for valid forms of identification)

 Ontario’s privacy law, Personal Health Information Protection Act, 2004(PHIPA) allows a health care organization to charge administrative fees to an individual who wants a copy of his or her records. If the organizations that put your information in the electronic health record charge a fee, we will ask you to pay before fulfilling your request.

 Mail or fax the completed form to:

o Mail: eHealth Ontario Privacy Office, P.O. Box 148, 777 Bay Street, Suite 701, Toronto, Ontario, M5G 2C8 o Fax: (416) 586-4397 or 1 (866) 831-0107

 Please do not use email to submit this form.

 If you have questions about this form, contact the eHealth Ontario Privacy Office at 416-946-4767 or email contact [email protected] with your name and phone number.

Type of Request:

Access Request Correction Request

REQUESTOR’S CONTACT INFORMATION

(To be completed by person making the request)1

*First name: *Last name:

*Mailing address: *Title:

*City: *Province: *Postal code:

*Preferred phone (daytime):

Relationship: Patient Substitute decision maker:

Preferred method of contact: Mail Telephone Permission to leave voicemail Yes No

PATIENT INFORMATION

*Gender: Male Female *Date of birth: MM/DD/YYYY *Health card number/**Medical record number:

*Name of hospital/clinic that issued the medical record number:

*Mailing address: *Preferred phone (day time):

*City *Province: *Postal Code:

1_{If a HIC is making the request please leave the}_{Requestor’s Contact Information}_{section blank and complete the}_{HICs Only}_{section on page 3.} **_{Medical record number is only required if the health card number is not available.}

(11)

eHealth Ontario | EHR Consent Form 11 ACCESS REQUEST:

All health information about you in the ConnectingGTA (cGTA)

Some health information about you in the cGTA (complete relevant information below).

Information entered by the following health care organizations:_____________________________________

Information entered in the last: 3 months 6 months 12 months 3 years 5 years All information Type of information:

Hospital notes (e.g., doctor’s assessment of you while in hospital)

Community notes (e.g., doctor’s assessment of you while at a clinic outside the hospital)

Diagnostic images (e.g., X-Ray, ultrasound)

Labs and pathology (e.g., blood test, tissue sample) Other results (e.g., ECG, neurological reports) Allergies

Medications List of all people that have viewed information about you in the cGTA, or

List of some people that have viewed information about you in the cGTA (complete relevant information below). A certain person (provide name and where s/he works):_________________________________________

Everyone from the following organizations:___________________________________________________

People who viewed your record in the past: 3 months 6 months 12 months 3 years 5 years All records List of consent instructions that you have provided for the cGTA and changes you have made to them.

List of all times when someone has overridden your consent instructions in the cGTA, or

List of some times when someone has overriden your consent instructions in the cGTA (complete relevant information below). Done by a certain person (provide name and where s/he works):__________________________________

Everyone from the following organizations:___________________________________________________ Only overrides in the past:

3 months 6 months 12 months 3 years 5 years All overides Specify time range for this request (if applicable): Start date: MM/DD/YYYY End date: MM/DD/YYYY

(12)

eHealth Ontario | EHR Consent Form 12 CORRECTION REQUEST (Indicate details of corrections below):

Describe the information that you feel is not correct or out -of-date, and the suggested correction. Provide as much detail as possible.

.

IDENTIFICATION

Please include a photocopy of:  Your identification

 If you are asking for health information about someone else, proof that he or she has allowed you to see the information Please see the identification requirements at the end of this form for acceptable forms of ID and documentation.

SIGNATURE

Name (print) : Date: MM/DD/YYYY

Signature:

FOR HEALTH CARE CUSTODIANS (HICS) ONLY

*Facility name: *Site/hospital name:

*Patient medical record number: *Requestor’s job title:

*Title: *Business phone (include ext.): *Business email: Special instructions:

FOR eHEALTH ONTARIO OFFICE USE ONLY

Form Completed: Yes No Remedy Ticket #

Identity Verfied: Yes No Notes:

FOR UHN USE ONLY

Logs produced and delivered to eHealth Ontario Date: MM/DD/YYYY

Before sending this form to eHealth Ontario, make sure you have included:

☐ Completed form ☐ Photocopy of identification

☐ If you are asking for someone else, proof that you have permission from the patient.

(13)

eHealth Ontario | EHR Consent Form 13 Identification Requirements

Please include photocopies of the relevant document(s) below to confirm your identity and your authority to view the health information if you are asking for health information that is not yours.

If you have trouble obtaining the documents, you may also ask your health care provider to contact eHealth Ontario to confirm your identity and authority.

1. If you are asking for health information about yourself, you must include a photocopy of one of the documents from list A. 2. If you are asking for health information about another person, you must include a photocopy of one document from list A and one photocopy of a document from list B.

LIST A: Proof of Identity

LIST B: Proof of Authority

Patient Is: One of the following sets of documentations  Identification

from a federal, provincial, municipal or state authority  Student card (if

18 years or younger)  Letter from a health care organization that confirms the requestor’s identity (i.e., that the individual is who they say that they are)

11 years or

younger  Birth certificate for the individual Identification for both parents from a federal, territorial / provincial, municipal, or state authority

 Signatures from both parents appearing in the birth certificate

 A legal document demonstrating that the individual has sole custody or guardianship for the patient

 Letter from a health care organization that confirms the requestor has the authority to view the health information

Individual is 12 to

18 years old  Signed letter from the individual indicating the requestor has the authority to view his or her health information  Student card or identification from a federal, territorial / provincial, municipal or state

authority for the individual

 A legal document demonstrating that the Requestor has sole custody or guardianship for the individual

 Letter from a healthcare organization that confirms the Requestor has the authority to view the health information

Individual is 19

years or older  Signed letter from the individual indicating the requestor has the authority to view his or her health information  Identification from a federal, territorial / provincial, municipal or state authority for the

individual

 A legal document demonstrating that the requestor has sole custody or guardianship for the individual

 Letter from a health care organization that confirms the requestor has the authority to view the health information

Examples of Documents

Document Example

Identification from a federal, territorial / provincial,

municipal, or state authority Driver’s license, passport, citizenship card, certificate of Indian status, Ontario photo card Student card Howard Park Public School, St. Vincent Academy, Parkdale Collegiate Letter from a health care organization in Ontario Letter from Mount Sinai Hospital saying that you are Jane Doe or that you are

(14)

eHealth Ontario | EHR Consent Form 14 INSTRUCTIONS TO THE PERSON MAKING THE REQUEST:

 eHealth Ontario only accepts requests from the patient or someone authorized to make the request for the Patient (i.e., substitute decision maker). You will need to:

o Provide proof of your identity (please see attached instructions for valid forms of identification)

o If you are not the patient, prove that the patient has allowed you to view his or her information (please see attached instructions for valid forms of identification)

(To be completed by person making the request)2

*First name: Middle initial(s): *Last name:

*Preferred phone (daytime):

Relationship: Patient Substitute decision maker

Preferred method of contact: Mail Telephone Permission to leave voicemail Yes No

*Gender: Male Female *Date of birth: MM/DD/YYYY *Health card number/** Medical record number:

*Mailing address: * Preferred phone (daytime):

2_{If a HIC is making the request please leave the}_{Requestor’s Contact Information}_{section blank and complete the}_{HICs Only}_{section on page 3.} **_{Medical record number is only required if the health card number is not available.}

Restrict or reinstate access to information in the

(15)

eHealth Ontario | EHR Consent Form 15 CONSENT DIRECTIVE REQUEST

*Type of Request *Description of request

Create a consent directive (Note: By selecting this box, your electronic health record, e.g., assessment information, X-ray report, will not be available to health care providers, and may impact your care.)

Modify an existing consent directive Remove an existing consent directive *Consent Directive Details Global consent directive Domain consent directive

domain name: HIC–records consent directive

HIC name: HIC–agents consent directive

HIC name: Agent-level consent directive: First name: License number: Organization: Organization: Organization: Organization: Last name: College name: Organization ID: Organization ID: Organization ID: Organization ID:

Other information (address, contact information):

(16)

eHealth Ontario | EHR Consent Form 16

IDENTIFICATION

Please include a photocopy of:  Your identification

 If you are asking for health information about someone else, proof that he or she has allowed you to see the information Please see the identification requirements at the end of this form for acceptable forms of ID and documentation.

SIGNATURE

Signature:

MUST BE COMPLETED BY HEALTH CARE CUSTODIANS (HICS) ONLY

HIC to complete when making the consent directive request on behalf of the patient

*Facility name: *Site/hospital name:

*Patient medical record number: *Requestor’s job title:

*Title: *Business phone (include ext.): *Business email: Special instructions:

FOR eHEALTH ONTARIO OFFICE USE ONLY

Form completed: Yes

No Identity verfied: Yes

No

Remedy ticket #:

FOR UHN USE ONLY

Consent directive request form validation Patient/client found in client registry

Patient/client is created in client registry If selected, patient’s ECID in CR: Agent is found in provider registry If selected, agent’s UPI in PR: Agent is created in provider regsitry

HIC is a participating organization Consent directive registration

Consent directive is registered By: Date: MM/DD/YYYY

Consent directive is verified and tested By: Date: MM/DD/YYYY

eHealth Ontario is notified By: Date: MM/DD/YYYY

Notes:

Before sending this form to eHealth Ontario, make sure you included: ☐ Completed form

☐ Photocopy of identification

☐ If you are asking for someone else, proof that you have permission from the patient.

(17)

If you have trouble obtaining the documents, you may also ask your health care provider to contact eHealth Ontario to confirm your identity and authority.

1. If you are asking for health information about yourself, you must include a photocopy of one of the documents from list A: 2. If you are asking for health information about another person, you must include a photocopy of one document from list A and one photocopy of a document from list B:

LIST A: Proof of Identity

LIST B: Proof of Authority

Patient Is: One of the following sets of documentations  Identification

from a federal, provincial, municipal or state authority  Student card (if

18 years or younger)  Letter from a health care organization that confirms the requestor’s identity (i.e., that the individual is who they say that they are)

11 years or

younger  Birth certificate for the individual Identification for both parents from a federal, territorial provincial, municipal, or state authority

 Signatures from both parents appearing in the birth certificate

 A legal document demonstrating that the individual has sole custody or guardianship for the patient

 Letter from a health care organization that confirms the requestor’s has the authority to view the health information

Individual is 12 to

18 years old  Signed letter from the individual indicating the requestor has the authority to view his or her health information  Student card or identification from a federal, territorial provincial, municipal or state authority

for the individual

 A legal document demonstrating that the Requestor has sole custody or guardianship for the individual

 Letter from a healthcare organization that confirms the Requestor’s has the authority to view the health information

Individual is 19

years or older  Signed letter from the individual indicating the requestor has the authority to view his or her health information  Identification from a federal, territorial provincial, municipal or state authority for the

individual

 A legal document demonstrating that the requestor has sole custody or guardianship for the individual

 Letter from a health care organization that confirms the requestor’s has the authority to view the health information

Examples of Documents

Document Example

Identification from a federal, territorial provincial,

municipal, or state authority Driver’s license, passport, citizenship card, certificate of Indian status, Ontario photo card Student Card Howard Park Public School, St. Vincent Academy, Parkdale Collegiate Letter from a health care organization in Ontario Letter from Mount Sinai Hospital saying that you are Jane Doe or that you are

(18)

DI Common Service Policy Reference Guides / v1.0 18 INSTRUCTIONS TO THE PERSON MAKING THE REQUEST:

(To be completed by requester)

*Preferred phone:

Relationship: Patient Substitute decision maker

Preffered method of contact: Mail Telephone Permission to leave voicemail Yes No

*Gender: Male Female *Date of birth: MM/DD/YYYY *Health card number:

CONSENT

Allow patient’s personal health information to be shared with other health care providers that contributed to your records in order to respond to your inquiry or complaint.

I consent to the sharing of my personal health information with other health care providers to obtain information from the electronicc health record.

I do not want my personal health information to be shared with other health care providers.

(19)

DI Common Service Policy Reference Guides / v1.0 19 COMPLAINT(Indicate details of complaint):

SIGNATURE

Signature:

FOR OFFICE USE ONLY (Do Not Complete)

Form Completed: Yes

No Remedy Ticket #