
How To Understand The Health Care System In Canada


Academic year: 2021


Healthcare Interoperability Between Canada and the United States

Rick Shields - nNovation LLP and

Joan Roch – Canada Health Infoway

A Presentation to IAPP Canada – Privacy Symposium


Our Agenda

• Meet the panel

• EHR backgrounder

• Canadian health information privacy/security setting

• What does “HIPAA-compliant” mean?

• Buying/selling EHR technology in Canada: “Canadianizing” the product

• Canada Health Infoway: Canada’s EHR quarterback


EHR - What is it?

• …An EHR refers to the systems that make up the secure and private lifetime record of a person’s health and health care history. These systems store and share such information as lab results, medication profiles, key clinical reports (e.g., hospital discharge summaries), diagnostic images (e.g., X-rays), and immunization history. The information is available electronically to authorized health care providers.


©Canada Health Infoway 2014 5

EHR – A National Plan

In Canada, EHR development is being guided by Canada Health Infoway

With its partners, Infoway helps accelerate the development, adoption and effective use of digital health solutions across Canada

Each jurisdiction has its own EHR

− Common architecture is accepted across Canada

• Architecture includes privacy and security requirements

− Standards resources, tools and education for stakeholders and implementers


EHR or EMR?

• Typically, an EMR is an electronic version of the traditional paper records used to capture patient data

• Can be quite simple (e.g., geared to a single doctor’s office) or more complex (e.g., used by a group medical practice; health facility)

• A ‘point of service’ (POS) in the EHR system


EHR or EMR?

• …an electronic medical record (EMR) is an office-based system that enables a health care professional, such as a family doctor, to record the information gathered during a patient’s visit. This information might include a person’s weight, blood pressure and clinical information, and would previously have been hand-written and stored in a file folder in a doctor’s office. Eventually the EMR will allow the doctor to access information about a patient’s complete health record, including information from other health care providers that is stored in the EHR…


EHR – Data Sources

• EHRs will make personal health information (PHI) from points of service (POS) available to health information custodians/trustees. POS can include:

– Clinical information systems (CIS)/electronic medical records (EMR)

– Hospital information systems (HIS)

– Pharmacy information systems (PIS)

– Laboratory information systems (LIS)

– Digital image/picture archiving and communications systems (DI/PACS)


[Diagram: Points of care. Labels: Homecare, Emergency Services, Pharmacy, Laboratory, Diagnostic, Hospital Emergency, Specialist Clinic, Community Care Centre, Clinic]


[Diagram: One patient, one record. Labels: Results and images, Patient information, Medical alerts, Medication history, Interactions, Immunization, Problem list]


EHR – Interoperability

• Goal is to have systems that are interoperable and that conform with applicable privacy and security standards imposed/suggested by Canadian law/best practices

• HIPAA-compliant technology is fine, as long as it can meet privacy/security obligations of Canadian customer

• Many overlaps between US and Canadian privacy and security requirements for PHI


Canadian PHI Privacy Setting

• Many laws potentially in play:

– 7 provincial PHI laws in force (AB, SK, MB, ON, NB, NS and NL); 2 territorial PHI laws passed but not yet in force (YT and NWT); PHI law for PEI introduced April 22, 2014

– EHR-specific laws in BC and QC

– NS law governing international disclosures of PI – similar to limitations in BC’s FIPPA

– Provincial/federal public sector laws (all jurisdictions)

– PIPEDA (note “substantial similarity” issue)

– Provincial private sector laws (BC, Alta. and QC)

– Provincial/territorial health sector laws


Privacy and health information laws

[Map of Canada, April 2014. Jurisdictions shown: NL, NS, PE, NB, QC, ON, MB, SK, NT, YK, NU, BC, AB]

LEGEND

• Provincial health information protection laws/provisions

• Provincial private sector privacy laws (deemed ‘substantially similar’ to PIPEDA)

• Federal private sector privacy law (‘PIPEDA’)

• Federal public sector access to information and privacy laws

• Provincial public sector freedom of information and privacy laws

• Provincial health information laws (deemed ‘substantially similar’ to PIPEDA)

Notes:

• ON - Bill 78 – second reading November 20, 2013

• YK - Bill 61 – assented December 12, 2013

• NWT - Bill 4 – assented March 13, 2014

• PEI - Bill 42 – first reading April 22, 2014


Canadian PHI Privacy Setting (cont’d)

• Inter-jurisdictional efforts being made to harmonize rules governing electronic PHI, but no uniform law(s) on horizon

• As result, regional variations exist that can impact relationship between custodian/trustee and technology providers

• Key is to know and apply relevant laws in jurisdiction(s) in which you operate

• Privacy/security obligations of technology vendors/agents/“information managers” should be established by contract


US PHI Privacy Rules

• Focus on federal laws/rules – pre-emption of conflicting State laws

• Health Insurance Portability and Accountability Act of 1996 (HIPAA)

– The Privacy Rule (2003) – as amended

– The Security Rule (2003) – as amended

– The Enforcement Rule (2006) – as amended

• Privacy section of the Health Information Technology for Economic and Clinical Health Act (HITECH) (2009)

– The Breach Notification Rule (2009) – as amended

– The Final Omnibus Rule (2013)

• Complex rules applicable to “covered entities” and “business associates”/subcontractors


Meaning of “HIPAA-compliant”

• “HIPAA-compliant” refers to systems that possess certain administrative, physical and technical features/safeguards as specified in the Rules made under HIPAA/HITECH:

– Access control (access levels and user roles)

– Password management

– Log-in monitoring

– Unique user identification

– Automatic logoff


Meaning of “HIPAA-compliant” (cont’d)

– Audit logging/reporting

– Security incident tracking

– PHI backup/storage

– Encryption/decryption

– PHI integrity controls

– Emergency access procedure

– Disaster recovery plan

– Network/transmission security features


Meaning of “HIPAA-compliant” (cont’d)

• If processing data for covered entity/business associate:

– Facility security plan, including facility/system access controls

– Business associate agreement and downstream agreement with subcontractor(s)

– Security incident response and reporting process

– Workforce authorization/clearance, supervision and termination procedures

– Electronic media re-use/disposal


Canadian EHR Contracts

• In Canada, rules/policies/best practices typically key on same features as those required under HIPAA, so those features should be reflected in contract with vendor

• But may also want/need to contract for additional features or functionalities:

– Express consent capture feature

– Documentation and management of patient privacy preferences and a related data


Canadian EHR Contracts (cont’d)

– Capacity to display/print entire patient record chronologically and produce same in readily comprehensible format if requested

– Jurisdiction-specific retention/disposal controls

– PHI accuracy/correction/annotation/notification feature

– Data redaction capability

– ISO 27002/ISO 27799/ISO 27789 conformity

– Training module(s)


Canadian EHR Contracts (cont’d)

– Confidentiality acknowledgement/notices at initial log-in, at periodic intervals and/or on printed reports

– Regional/facility limits on access to PHI within defined user roles

– Enhanced threat detection/protection features

– Means of preventing unauthorized copying of PHI to portable media

– In some jurisdictions (e.g., BC and NS), limits on international disclosure of PHI


Canadian EHR Contracts (cont’d)

– Interoperability with specified existing/planned jurisdictional EHRs to facilitate PHI transfers

– Can produce electronic signatures as per applicable Canadian law

– Audit features that

• Capture date, time, user identity re. PHI access, input, amendment

• Preserve original content of record

• Permit printing of patient-specific audit report that doesn’t include other PHI from patient file


Other Considerations

• May need to perform/participate in PIA

• Focus on present and future needs for interoperability with other systems (e.g., EHRs) – don’t want to have to replace expensive system prematurely

• Define all key terms – e.g., PHI, EMR, EHR, etc.

• Always confirm ownership and/or control of PHI

• Address PHI sharing, service levels, installation-related impacts on operations

• Lots of guidance materials available: CHI, COACH, CMPA, Commissioners


Infoway as ‘Quarterback’

Project Agreements

Privacy Impact Assessment policy for Infoway funded programs

Certification Services

• 9 program areas

• Privacy and security are key components


Infoway as ‘Quarterback’

EHR Blueprint

• Privacy & Security Requirements

− 2014 refresh – underway

• Privacy & Security Conceptual Architecture

Emerging Technology Group (ETG)

• Cloud computing

• 2 papers on mobile computing

• Big Data

− Each paper addresses P&S

Projects

• Consent Management solutions


Infoway as ‘Quarterback’

“Privacy and EHR Information Flows in Canada: Common Understandings of the Pan-Canadian Health Information Privacy Group”

V1 released June 2010

V2 released July 2012

Bringing people together to find potential solutions - The Privacy Forum


Resources

Canada Health Infoway, Electronic Health Records Privacy and Security Requirements; online: https://www.infoway-inforoute.ca/

Canada Health Infoway, v1.1, 2005, Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture; online: https://www.infoway-inforoute.ca/

Canada Health Infoway, 2008, A Conceptual Privacy Impact Assessment (PIA) on Canada’s Electronic Health Record Solution (EHRS) Blueprint Version 2; online: https://www.infoway-inforoute.ca/

Canada Health Infoway, 2012, Business and Architecture Considerations for Interoperable Consent Solutions – A Discussion Document; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/2055-business-and-architecture-considerations-for-interoperable-consent-solutions-a-discussion-document


Resources

Canada Health Infoway, 2012, Privacy and EHR Information Flows in Canada, Version 2; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/626-privacy-and-ehr-information-flows-in-canada-version-2-0

Canada Health Infoway, 2010, Privacy and EHR Information Flows in Canada, Version 1; online: https://www.infoway-inforoute.ca/index.php/resources/reports/privacy/doc_download/76-privacy-and-ehr-information-flows-in-canada

Canadian Health Informatics Association (COACH), Putting It into Practice: Privacy and Security for Healthcare Providers Implementing Electronic Medical Records: 2013 Guidelines; online: http://www.ehealthontario.on.ca/images/uploads/pages/documents/Putting-it-into-Practice_PrivacySecurityHealthcareProviders.pdf


• Canadian Medical Protective Association (CMPA), Electronic Records Handbook; online: https://oplfrpd5.cmpa-acpm.ca/documents/10179/24937/com_electronic_records_handbook-e.pdf

• Cavoukian, A. & Rossos, P., Personal Health Information: A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records; online: http://www.ipc.on.ca/images/Resources/phipa-toolforphysicians.pdf

• Sawatsky, E., Information Sharing Agreements for Disclosure of EHR Data within Canada; online:


Contact

Rick Shields

Partner

nNovation LLP

rshields@nnovation.com

613.656.1293

Joan Roch

Chief Privacy Strategist

Canada Health Infoway

jroch@infoway-inforoute.ca
