Protecting Privacy While Managing Health Information

This presentation will describe the approach to building a privacy and security incident management program within eHealth Ontario. Attendees will find the session useful in considering the distinctions between incidents and breaches; the strategic and tactical approaches to such a program, how to manage incident responses and build incident response teams and a model to consider in maturing an incident management program. It will also highlight messages to communicate in breach incidents and how to address incident management with service vendors.

Michael Power
Vice President, Privacy and Security
Smart Systems for Health Agency

Michael Power leads the privacy and security function at eHealth Ontario with a mandate to ensure we stay at the forefront of best practice, and comply with all pertinent legislation and regulation. He has over 20 years of experience addressing legal, privacy and security issues. He was recently a partner at Gowling Lafleur Henderson LLP where he also acted as the firm’s Chief Privacy Officer. In his public sector career he was Deputy Director of the PKI Secretariat at the Treasury Board of Canada Secretariat, and held various senior positions at the Federal Department of Justice. He is a member of the Nova Scotia Barristers Society and the Law Society of Upper Canada. Michael writes and speaks extensively on privacy and security issues. He is the author of the Access and Privacy Title of Halsbury’s Laws of Canada, co-author of the American Bar Association best-seller Sailing in Dangerous Waters: A Director’s Guide to Data Governance, and serves on the editorial board of the IEEE magazine Security & Privacy.

Join Ruby Miller, Director of Health Services with Six Nations of the Grand River, who will outline unique personal health information issues facing the Six Nations Community. You will hear about:

• Introduction to Six Nations Health Services and Community
• Personal Health Information in a First Nations community
• PHI Challenges of Health Professionals
• Unique Approaches

Ruby Miller
Director
Six Nations Health Services

The Registered Nurses Association of Ontario (RNAO) leads a world renowned Best Practice Guidelines Program that incorporates rigorous guideline development, dissemination, implementation and evaluation processes. The program is focused on both clinical and healthy work environment best practice guidelines. Through a variety of successful implementation strategies focused on individuals, organizations and systems, guidelines have been implemented across all sectors of health care nationally and internationally.

In order to facilitate point of care access, we have embarked on a government funded initiative, to develop evidence based decision supports and quick reference guides available through web based technology. These resources are based on the guidelines and can be loaded onto Personal Digital Assistants (PDAs) or tablets for use by nurses at the point of care.

This presentation will provide an overview of the stages of a project for developing condensed versions of selected evidence based guidelines to assist nurses with clinical decision making at the point of care. Lessons learned about best approaches to developing useful web based clinical decision supports and quick reference guides for point of care clinical decision making and supporting nurses through education will be shared.

Irmajean Bajnok
Director, International Affairs and Best Practice Guidelines Programs
Co-Director, Nursing Best Practice Research Unit (NBPRU)
Registered Nurses Association of Ontario

Dr. Irmajean Bajnok is currently the Director of International Affairs and Best Practice Guidelines Programs at RNAO. In this role she oversees the development, dissemination, and evaluation of the RNAO Best Practice Guidelines in both the clinical nursing and healthy work environment areas of focus for best practice guidelines. Irmajean has had considerable experience in teaching about knowledge based practice, and in conducting workshops related to all areas of evidence based nursing. In her roles with RNAO she has developed a number of creative approaches to support knowledge transfer activities, in particular in relation to healthy work environment best practice guidelines and implementing clinical guidelines. Irmajean has worked with a number of professionals and organizations both in Canada and internationally, supporting knowledge based practice in order to foster positive health outcomes for patients.

Section 17 of PHIPA authorizes health information custodians to permit their agents to collect, use, disclose, retain or dispose of personal health information on the custodian's behalf, based on certain conditions. This general authority allows custodians to use various third parties to help them perform any number of tasks that involve access to and, more broadly, the management of personal health information in one way or another. However, aside from section 17, PHIPA is silent as to what restrictions, limitations, and safeguards custodians should impose on their agents when they let them deal with personal health information for which the custodian is ultimately responsible under PHIPA. The need for such restrictions and safeguards, and the need to monitor agents' compliance with them, is evident from the Orders the IPC has issued under PHIPA. Almost all the Orders deal with the mismanagement of personal health information by agents.

The purpose of this session is to provide technical guidance and practical tips on the following:

• recognizing when third parties who operate outside the custodian's facility are acting as agents;
• reducing the privacy risks posed by "rogue" agents;
• drafting provisions that should be included in PHIPA Agent Agreements;
• monitoring your agents' use of personal health information
• providing your agent with privacy protocol to follow in the event that a breach occurs on the agent's watch

We will rely on real life examples of successful and unsuccessful custodian-agent relationship, and may discuss relevant IPC Orders, if time permits.

Lise Hendlisz
Legal Counsel, Legal Services Branch
Ministry of Health and Long-Term Care

Jane Speakman
Solicitor
City of Toronto

This presentation will cover the fundamentals of consent as it relates to health privacy, including: when consent is (and when it is not) required for the collection, use and disclosure of personal health information; what is required for consent to be valid and knowledgeable; who can provide consent, and in what circumstances; and the differences between express and implied consent and when each can be used. Attend this session to have all of your questions about consent under PHIPA answered.

Lonny Rosen
Partner
Health Law Group
Gardiner Roberts LLP

Lonny is a partner in the Health Law Group of Gardiner Roberts LLP. He has been certified by the Law Society as a Specialist in Health Law. Lonny practices health law and civil litigation, providing opinions and advice to health care professionals, administrators of health care facilities, professional associations, and other individuals with respect to health care legislation and policies, including compliance with the Personal Health Information Protection Act, 2004 In that regard, Lonny regularly attends clients’ offices and facilities to review and assess their privacy and information practices, and to advise them with respect to the steps required to comply with their obligations. Lonny worked with the Information and Privacy Commissioner/Ontario on behalf of the Ontario Bar Association to assist health professionals to work with this legislation, and Lonny has frequently written and spoken on this topic. Lonny is Chair of the Canadian Bar Association Health Law Section, a past chair of the Ontario Bar Association Health Law Section, and an active member of the Advocates' Society and the Medico-Legal Society of Toronto. He frequently speaks and writes on health law issues.

In this session, the focus will be the types of processes of audit and review in place at the Institute for Clinical Evaluative Sciences in the context of ICES privacy program. Related security issues will be discussed by ICES' Chief Information Security Officer on Day 2, using case studies in the context of ICES security governance program.

Pam Slaughter
Chief Privacy Officer
Institute for Clinical Evaluative Sciences (ICES)

Pam Slaughter is a clinical epidemiologist who currently holds the position of Chief Privacy Officer at the Institute for Clinical Evaluative Sciences (ICES) in Toronto. Her more than 25-year career in health research has been concentrated in the areas of cardiovascular disease and health services research. Her current research focus is privacy protection in Health Services and Policy Research; she is particularly interested in the operationalization of statute-based, harmonized national privacy standards for this type of research.

This presentation focuses on the intersection of privacy and mental health, through the lens of PHIPA, the Mental Health Act and the rules specific to the collection, use and disclosure of health information for clients of mental health facilities. This session offers practical examples of issues important to mental health and addictions providers and clients, as well as how to respond to some of the requests made by clients vis a vis their information.

Mary Jane Dykeman
Barrister & Solicitor

Mary Jane is a Toronto health lawyer who advises health sector clients on matters relating to privacy, health research, mental health, consent and capacity, clinical, systemic and enterprise risk management, corporate governance and regulation of the health professions. She currently acts as Legal Counsel and Corporate Privacy Officer to Mount Sinai Hospital, as well as in the role of external counsel to a number of health care organizations, including teaching hospitals, community hospitals, long-term care facilities, and community mental health agencies. She offers strategic and policy advice to government on a range of health policy matters through Dykeman Consulting Inc. Effective January 1, 2009, she will join her practice with that of Kate Dewhirst, to form Dykeman Dewhirst LLP.

Mary Jane is a frequent writer and speaker on health law topics and the author of a number of books, book chapters and articles in health law. She is the Program Director of Osgoode Hall Law School's new certificate program in mental health law, and teaches mental health in Osgoode's professional development LL.M. program; she previously taught mental health in Queen's Faculty of Law to LL.B. students. Mary Jane sits as the lawyer member on the research ethics board at Canadian Blood Services in Ottawa, and formerly at Rouge Valley Health System in Scarborough (2005-08). In June 2008, she was recognized by Osgoode Hall Law School for excellence in continuing legal education.

Despite a high desire to cooperate with law enforcement agencies, health care professionals are not required to, and therefore should not, provide information about patients to law enforcement agents, unless there is a clear legal duty to report. Disclosing information may be a breach of confidentiality. This is a challenge in Emergency and Urgent Care Departments with police in regular attendance. The aim of this session is to outline what can be disclosed and when.

Wendy Komar
Privacy Manager
London Health Sciences Centre

Wendy Komar, is currently the Privacy Manager for the London Health Sciences Centre (LHSC) and St Joseph's Health Care, London (SJHC). Prior to that, she was the Coordinator of Risk Management, Patient Relations and Policy Development at London Health Sciences Centre. Wendy has clinical, research, and administrative background including being the Nurse Clinician for the Acute Pain Service at the University Campus of LHSC, the Coordinator of the Recovery Room at LHSC and has participated in research in the fields of Anaesthesia and Pain Management.

We will review the current state and future trends of privacy enhancing technologies (PETs) and the opportunities, impacts and risks they present for the Health Sector. Each participant in the circle of care has individual privacy needs and rights which impacts the privacy of others and how and when care is provided. Depending on how and when PETs are introduced, the balance of effectiveness, efficiency and privacy shifts. We will discuss how these technologies could impact the Circle of Care.

Fred Nagy
President
Solutions In Context Inc.

Fred Nagy is a Certified Management Consultant (CMC) with over twenty-five years experience in online privacy and security solutions and has been working with the Health Sector since 1991. His focus is helping clients define service requirements and designing architecture, infrastructure and solutions to meet those requirements. Fred is president of Solutions in Context which is a management consulting firm incorporated in 2001to focus on end to end Business and IT Integration. Fred’s experience includes over twenty years managing technology consulting practices for Xpedior, Deloitte/DRT Systems and Polaris which provided architecture and implementation for enterprise infrastructure and application solutions to the Ontario Public, Health, Financial, Retail and Manufacturing sectors.

Ms. Clarke will address legal issues facing CCACs with a particular focus on the challenge of obtaining consent and understanding the rules of substitute decision making. The presentation will teach participants the basics of the law of consent and will outline the considerations necessary to obtain a valid substitute consent. The presentation will review the documentation and evaluation involved in the consent process and will include a detailed discussion of how to evaluate whether a power of attorney for personal care is valid and reliable. Actual case scenarios will be reviewed and discussed.

Cindy Clarke
Partner
Health Law Group
Borden Ladner Gervais LLP

Cynthia (Cindy) Clarke is a Partner practicing in BLG's Health Law Group. She graduated from the University of Western Ontario Law School in 1997 and was admitted to the Ontario Bar in 1999. The primary focus of Ms. Clarke’s practice is defending hospitals, community care access centres and their employees in medical malpractice claims. She has appeared before Coroner's Inquests and administrative tribunals, including the Consent and Capacity Board and Health Professions Appeal and Review Board. She represented the Etobicoke-York CCAC in the El Roubi/Lopez Inquest and has specialized knowledge of the legal issues involved in caring for geriatric patients across the health care system. Ms. Clarke regularly presents and provides advise to hospitals and CCACs on issues such as consent and capacity matters, substitute decision making, privacy, release of medical information and responding to adverse events.

One of the most challenging issues identified by privacy and security professionals is how to manage risk in outsourcing arrangements. This session will examine two aspects of 'Security Considerations in Outsourcing' which, if appropriately managed, will mitigate the security risks associated with the provision of personal health information to an outsourcer. The first aspect will be the 'big picture' - the high-level steps involved in the outsourcing process. Security issues must be addressed early in the process and tracked through to the drafting of the contract, implementation and monitoring of the outsourcer to ensure that the expectations of both parties are clearly defined. The 'details' of security considerations will then be reviewed to provide a checklist of the risk management tools that may be implemented in the outsourcing arrangement. An extensive list of resources will be provided.

Anita Fineberg
Barrister & Solicitor

Anita is a seasoned privacy professional with over 30 years of experience providing advice on complex information privacy issues to the private sector, government and the Office of the Information and Privacy Commissioner/Ontario. Her area of specialization is health information privacy.

Most recently Anita was the Corporate Counsel and Chief Privacy Officer for IMS Health Canada, the Canadian affiliate of a multi-national health information and consulting company. In this role she was responsible for the development and implementation of all privacy policies and processes for the Canadian and Latin American businesses. As Acting Chief Privacy Officer for IMS U.S., Anita advised on several matters related to the application of U.S. privacy law. A member of IMS' Global Privacy Council, she was actively involved in structuring international data transfers related to IMS business processes.

Anita has also worked as counsel to the Ontario Ministry of Health and Long-Term Care, and held several positions during her seven years with the Office of the Information and Privacy Commissioner/Ontario. She holds a B.A. (Hons.) degree in psychology from Queen's University and an LL.B. from the University of Toronto.

This presentation focuses on tips and strategies for preventing and responding to privacy breaches: how to educate staff in advance about their obligations under PHIPA, and how to deal effectively with a breach should it occur. Through the lens of some recent notable breaches from across the sector, an analysis of both low tech and high tech solutions is provided.

Mary Jane Dykeman
Legal Counsel and Corporate Privacy Officer
Mount Sinai Hospital

Mary Jane is a Toronto health lawyer who advises health sector clients on matters relating to privacy, health research, mental health, consent and capacity, clinical, systemic and enterprise risk management, corporate governance and regulation of the health professions. She currently acts as Legal Counsel and Corporate Privacy Officer to Mount Sinai Hospital, as well as in the role of external counsel to a number of health care organizations, including teaching hospitals, community hospitals, long-term care facilities, and community mental health agencies. She offers strategic and policy advice to government on a range of health policy matters through Dykeman Consulting Inc. Effective January 1, 2009, she will join her practice with that of Kate Dewhirst, to form Dykeman Dewhirst LLP.

Mary Jane is a frequent writer and speaker on health law topics and the author of a number of books, book chapters and articles in health law. She is the Program Director of Osgoode Hall Law School's new certificate program in mental health law, and teaches mental health in Osgoode's professional development LL.M. program; she previously taught mental health in Queen's Faculty of Law to LL.B. students. Mary Jane sits as the lawyer member on the research ethics board at Canadian Blood Services in Ottawa, and formerly at Rouge Valley Health System in Scarborough (2005-08). In June 2008, she was recognized by Osgoode Hall Law School for excellence in continuing legal education.

The healthcare system is beginning to provide patients access to their own health information, primarily within Electronic Health Records (EHRs) and Patient Health Records (PHRs). As these systems start to be implemented, many questions arise regarding content, support, access and security. As a result, patients must be involved in the process of designing, developing, implementing and evaluating EHRs so as to ensure their success. One major concern relates to personal health data and information. In this talk, we will present research findings pertaining to the patient perspective and conclude with recommendations for on-going research and development. One recurring observation is that as more and more patient health information becomes available, additional education programs will have to be developed to safely activate and empower patients as partners in their care.

Dr. Kevin J. Leonard
Associate Professor
Dept. of Health Policy, Management & Evaluation
University of Toronto

Kevin received his Ph.D. from the Joint Doctoral Program in Montreal where he specialized in Statistics and Information Systems Theory for Business. In 1996, Kevin joined the Department of Health Policy Management and Evaluation at the University of Toronto. He has two primary areas of research: (i) the implementation of electronic health records (EHRs) along with researching issues pertaining to the development and implementation of patient focused information technology (Patient Health Records -PHRs); (ii) the creation and implementation of metrics for performance measurement of the Information Technology investment within healthcare (Improve-IT).

In this session a discussion of the governance programs that have been developed at ICES will be described with particular focus on the Security Quality Assurance program. Examples will be used to illustrate the usefullness of the programs and how they support Security and Privacy objectives.

Derek Browne
Chief Information Security Officer
Institute for Clinical Evaluative Sciences (ICES)

Derek Browne has been involved in the security industry since 1989. Throughout this 18 year career Derek has work in physical security, software development and everything to internal audit and compliance and web application penetration testing. Currently Derek is tasked with the Chief Information Security Officer responsibilities for ICES and has begun to implement technical and governance programs to provide assurance to ICES stakeholders of the high security posture of ICES overall.

There are increasing demands for data from electronic medical records for research. Most often the patients did not consent for the data to be used for research and it is impractical to retroactively obtain consent. A practical way to move forward is to de-identify this data. This talk will present a risk management framework to decide how and how much de-identification is necessary. The framework takes into account the sensitivity of the data and the safeguards that the researcher has in place to protect the data. Applications of the framework in multiple secondary use contexts will also be presented.

Dr. Khaled El Emam
Associate Professor
University of Ottawa

Dr. Khaled El Emam is an Associate Professor at the University of Ottawa, Faculty of Medicine and the School of Information Technology and Engineering. He is a Canada Research Chair in Electronic Health Information at the University of Ottawa. Previously Khaled was a Senior Research Officer at the National Research Council of Canada, and prior to that he was head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany. In 2003 and 2004, he was ranked as the top systems and software engineering scholar worldwide by the Journal of Systems and Software based on his research on measurement and quality evaluation and improvement, and ranked second in 2002 and 2005. He holds a Ph.D. from the Department of Electrical and Electronics, King's College, at the University of London (UK).

In May of this year, the National Association for Information Destruction (NAID) released its Information Destruction Policy Compliance Toolkit (Toolkit), a first of its kind, comprehensive workbook designed to assist organizations in developing written policies and procedures to deal with this important responsibility in a manner consistent with privacy requirements among all developed nations. In the session, Mario Skopek, President of Blue-Pencil Mobile Shredding Services and Director of NAID Canada will orient attendees on the proper use of the Toolkit, including the many sample forms and resources it contains. NAID's mission is to raise awareness and understanding of the importance of secure information and document destruction. In doing so, NAID wants to ensure that private personal and business information is not used for purposes other than originally intended.

Mario Skopek
President
Blue Pencil Shredding Solutions Inc.

Mario Skopek is the president and founder of Blue-Pencil Mobile Shredding Services Inc. Mario has over 13 years of experience in the document destruction industry and assisting organizations of all sizes in implementing secure document disposal programs which help eliminate confidential and sensitive information from falling into wrong hands. His professional mission and initiative is to crack down on corporate espionage and identity theft which in many crime cases starts right from your paper recycling bin. In addition to being a business executive, Mr. Skopek serves on the board with the National Association for Information Destruction.