Agenda

Ontario's Community Health Centres (CHC) are deeply committed to keeping people well by making sure that the clients gets the right care, at the right time, delivered by the most appropriate provider. In keeping with this commitment, CHCs are planning the implementation of a full electronic record for all CHCs in Ontario. The Association of Ontario Health Centres, (AOHC) Electronic Client Record Operational Strategy consists of critical functions and activities, many of which continue throughout the implementation, for becoming fully electronic. This strategy is extremely adaptable and can be used by any healthcare organization to implement a full electronic record. The Privacy Impact Assessment is embedded in this strategy because it is seen as crucial in an environment where the electronic record is the legal record.

This presentation will detail the strategy for ECR Adoption along with lessons learned, challenges and solutions from 8 of the early adopter CHCs and 2 CHCs that are currently in the adoption process.

Topic headings in this presentation are:

1. Making the Case
2. Operational Issues
3. Why conduct a PIA
4. What's Next - The Ongoing ECR Journey

Brian Sankarsingh
Clinical Management Systems Lead
Education and Development Team
Association of Ontario Health Centres

Brian Sankarsingh is the Clinical Management Systems Lead with the Association of Ontario Health Centres. He is responsible for managing the transition of the 62 Community Health Centres from a mixed electronic and paper environment to a fully electronic environment. CHCs are able to take advantage of Brian’s extensive background in Corporate Trust management, Information Technology, Change Management and Training as they navigate the ongoing eHealth journey.

Do your Privacy Officer and Information Security Officer talk?

At The Ottawa Hospital, we took a holistic approach to Information Security and Privacy. The merger of the offices was a key element to start a new movement of "Information Protection" at the Hospital. There is a lot of overlap between Information Security and Privacy, merging the offices allowed for a unified front in ensuring that our data is protected. Come and learn what we are doing and how it is working. Our new program evolves around people, processes and technology and is designed to enable the organization and not inhibit it. We will share with you our structure, strategies and operations. Is it time to start your movement?

Anne Lavigne
Privacy Officer
Privacy and Information Security Office
The Ottawa Hospital

Anne Lavigne is the Privacy Officer at The Ottawa Hospital (TOH) and has been at the hospital for 7 years. Anne has her CIPP/c certification and is completing her Information Access and Protection of Privacy certificate from the University of Alberta. In 2004, in order to comply with the new health legislation PHIPA, Anne played a pivotal role in the development and implementation of a new Privacy Program at TOH. Today, Anne is responsible for TOH's privacy strategies and ensuring compliancy with the Act. Anne also plays an active role in regional privacy initiatives. A noted accomplishment for TOH's Privacy Program was the recognition of its Privacy Video by the HCPRA for Excellence in Health Care Communications.

Susan Berezny has been with The Ottawa Hospital for 16 years, most recently in the role of Information Security Officer. Susan has a mathematics degree from McGill University, several security and privacy certifications and over 20 years experience in Information Technology. For many years Susan spearheaded TOH's portal and identify and access management strategies. In her new role, Susan is leading TOH’s security strategies and building a security program that is discreet, effective and embedded into the hospital’s operations, projects and culture.

One of the most significant challenges in creating a culture of privacy within a health organization, regardless of its size, is ensuring that all agents are aware of their obligations related to privacy and confidentiality, and aware of the organization’s responsibilities related to complex privacy situations e.g. correction, access, disclosure and patients' restrictions to use and disclosure of personal health information. The presentation will share highlights from the LHSC and St Joseph's experience identifying and implementing various methods to raise awareness and educate about privacy and confidentiality and ultimately to influence the development of a privacy culture.

This presentation will share:

• information about some of the additional measures taken by our organizations,
• what we have found to be successful influencers of a culture of privacy and
• an outline of our plans for future strategies.

Wendy Komar
Privacy Manager
London Health Sciences Centre

Wendy has worked in healthcare since 1974, beginning her career as a Registered Nurse specializing in cardiac care, critical care and post anesthesia care. Wendy has clinical, research, and administrative background with experience as the Nurse Clinician for the Acute Pain Service at the University Campus of the London Health Sciences Centre (LHSC), the Coordinator of the Recovery Room at LHSC, Coordinator of Risk Management, Patient Relations and Policy Development at LHSC and has participated in research in the fields of Anesthesia and Pain Management. Wendy is currently the Privacy Manager for LHSC and St Joseph's Health Care, London, a position she has held since early 2004.

Judy has worked within health care for many years, beginning her career as a Registered Nurse specializing in cardiac nursing , critical care and transplant nursing. She received both her BSc in Nursing and MScN from the University of Western Ontario. Since 1990, Judy has held a variety of both clinical and support service Leadership roles in the areas of Transplantation, Emergency Services, Health Information, Patient Registration, Privacy and Risk Management for London Health Sciences Centre and St. Joseph’s Health Care, London. In her current position as Director, Health Information and Privacy, which she has held since June 2003, Judy provides leadership with respect to the health information teams as well as the integrated citywide privacy team at London Health Sciences Centre and St. Joseph’s Health Care, London. Within this role, Judy has led the development of policies and practices related to the management of personal health information in the era of privacy legislation, and worked with staff, leadership and senior administration at these large academic health care organizations to influence the development of an evolving privacy culture. Throughout the collaborative development and implementation of a single multi regional PACS system and a region-wide electronic patient record (EPR) Judy has provided leadership related to privacy, and gained significant learning from the challenges and the opportunities that arise while integrating privacy principles into the establishment and ongoing management of a shared electronic patient record.

Creating Electronic Health Records (EHRs) that will improve health care delivery will require more than just a financial commitment. Health system administrators want access to data in EHRs to promote systemic improvements. Health care providers and patients want reassurances that patient information will not be compromised in the electronic environment. The presentation will discuss whether PHIPA provides the appropriate regulatory framework to achieve these goals.

The presentation will review recent initiatives in B.C. and Alberta and how these initiatives may affect health care providers. The presentation will discuss whether Ontario can learn from the models being used in B.C. and Alberta.

The presentation will assist attendees to:

-Become familiar with existing provisions in PHIPA application to managing EHRs and where possible gaps exist

-Become familiar with recent EHR initiatives in B.C. and Alberta

-Learn strategies on how to ensure PHIPA permits proper functioning of EHRs, in a way that protects privacy and that is practical for health care providers.

Maureen Murphy
Partner
Gowling Lafleur Henderson LLP

Maureen L. Murphy is a Partner at Gowling Lafleur Henderson LLP in Ottawa, Ontario. She practices in the areas of medical law and privacy law. She has experience representing clients before the Federal Court, Superior Court of Justice, provincial and federal Privacy Commissioners, as well as various administrative tribunals. Maureen has a particular interest in information technology and privacy law issues that affect medical professionals.

Maureen provides businesses with advice on how to comply with Canada's privacy laws. She assists clients in developing privacy policies and responding to access requests. Maureen also has experience advising clients on how best to respond to a privacy breach within their organization.

Maureen serves on the Ontario Bar Association Health Law Section Executive. Maureen is an instructor for the Osgoode Hall Law School LLM course on Information Technology and Privacy in Health Law. She regularly speaks on medical-legal issues arising from the use of information technology in the practice of medicine.

Maureen obtained her law degree from the University of Ottawa, and holds a BSc in Biochemistry from the University of Guelph.

This presentation will provide an overview of the obligations on health information custodians with respect to the collection, use, disclosure, protection, retention, transfer and disposal of personal health information. An explanation of how and from whom custodians can obtain knowledgeable consent, and the circumstances under which personal health information can be collected, used and disclosed without consent and with implied or express consent will be briefly reviewed. Finally, the first six orders under PHIPA will be summarized.

Lonny Rosen
Partner
Health Law Group
Gardiner Roberts LLP

Lonny is a partner in the Health Law Group of Gardiner Roberts LLP. He has been certified by the Law Society as a Specialist in Health Law. Lonny practices health law and civil litigation, providing opinions and advice to health care professionals, administrators of health care facilities, professional associations, and other individuals with respect to health care legislation and policies, including compliance with the Personal Health Information Protection Act, 2004 In that regard, Lonny regularly attends clients' offices and facilities to review and assess their privacy and information practices, and to advise them with respect to the steps required to comply with their obligations, and to provide training to staff who work with personal health information. Lonny worked with the Information and Privacy Commissioner/Ontario on behalf of the Ontario Bar Association to assist health professionals to work with this legislation., and Lonny has frequently written and spoken on this topic. Lonny is immediate past Chair of the Canadian Bar Association Health Law Section, a past chair of the Ontario Bar Association Health Law Section, and an active member of the Advocates' Society and the Medico-Legal Society of Toronto. He frequently speaks and writes on health law issues.

Canadian healthcare organizations are in the midst of developing strategies and programs to manage the anticipated resurgence of the H1N1 Virus in Fall, 2009. Among other matters, successful pandemic management will require timely sharing and exchanges of personal health information to track and monitor the spread, severity, geographic locale and other relevant attributes of the disease.

As a result of the perception, if not the fact, that the law inhibited disclosure of information necessary to manage the 2003 spread of SARS, PHIPA was amended to clarify the authority of health information custodians to disclose personal health information for public health purposes. However, during the initial H1N1 outbreak in the spring/summer of 2009, questions were still being asked regarding appropriate information sharing.

This presentation will:

• Address the relevant provisions of PHIPA that authorize the collection, use and disclosure of personal health information for public health purposes
• Explore the relationship between PHIPA and the Health Protection and Promotion Act (the HPPA)
• Through the use of a case study, a syndromic surveillance system using emergency department electronic health records that is operational in Ottawa, illustrate the privacy issues that needed to be addressed, their resolution, the project template developed, including a model data sharing agreement
• Query whether such a model is feasible in the event of urgent information disclosures in the midst of a pandemic
• Examine the proactive steps that should be taken to ensure timely data flows in the face of potential concerns of health information custodians re: loss of control over personal health information
• Benefit the audience by alerting them to data exchange issues that will inevitably rise in the face of the pandemic, how they may be managed and proactive steps that they should immediately consider as part of their strategic planning

Anita Fineberg
Barrister & Solicitor

Anita is a seasoned privacy professional with over 30 years of experience providing advice on complex information privacy issues to the private sector, government and the Office of the Information and Privacy Commissioner/Ontario. Her area of specialization is health information privacy.

Most recently Anita was the Corporate Counsel and Chief Privacy Officer for IMS Health Canada, the Canadian affiliate of a multi-national health information and consulting company. In this role she was responsible for the development and implementation of all privacy policies and processes for the Canadian and Latin American businesses. As Acting Chief Privacy Officer for IMS U.S., Anita advised on several matters related to the application of U.S. privacy law. A member of IMS' Global Privacy Council, she was actively involved in structuring international data transfers related to IMS business processes.

Anita has also worked as counsel to the Ontario Ministry of Health and Long-Term Care, and held several positions during her seven years with the Office of the Information and Privacy Commissioner/Ontario. She holds a B.A. (Hons.) degree in psychology from Queen's University and an LL.B. from the University of Toronto.

Dr. Khaled El Emam is an Associate Professor at the University of Ottawa, Faculty of Medicine and the School of Information Technology and Engineering. He is a Canada Research Chair in Electronic Health Information at the University of Ottawa. Previously Khaled was a Senior Research Officer at the National Research Council of Canada, and prior to that he was head of the Quantitative Methods Group at the Fraunhofer Institute in Kaiserslautern, Germany. In 2003 and 2004, he was ranked as the top systems and software engineering scholar worldwide by the Journal of Systems and Software based on his research on measurement and quality evaluation and improvement, and ranked second in 2002 and 2005. He holds a Ph.D. from the Department of Electrical and Electronics, King's College, at the University of London (UK).

The public has an interest in seeing maximum utility derived from health data collected with public funds. Currently, almost all administrative data used for Health Services Research (HSR) in Ontario occurs within a prescribed entity like the Institute for Clinical Evaluative Sciences (ICES). This results in barriers of time, cost, and geography for some investigators, particularly new investigators and trainees. In other jurisdictions, similar data have been successfully de-identified and made available to researchers in their own institutions without experiencing privacy breaches, thereby facilitating research.

Craig Earle
Director of Health Services Research
Cancer Care Ontario
Ontario Institute for Cancer Research

Dr. Earle is a health services researcher and medical oncologist who is currently Director of the Health Services Research Program for Cancer Care Ontario (CCO) and the Ontario Institute for Cancer Research (OICR). Prior to the summer of 2008, Dr. Earle spent 10 years in Boston at Harvard Medical School and the Harvard School of Public Health, with his clinical practice at Dana-Farber Cancer Institute and Brigham & Women’s hospital. His personal research interests focus on evaluating and improving the quality of care received by patients with advanced cancer and cancer survivors.

Despite increasing volumes and complexity of patient and research activity, increasing cost pressures, and growing public awareness of privacy rights, St. Michael's Hospital in downtown Toronto has experienced a steady decline in privacy incidents. We do not know comprehensively why this is so, but we have identified some factors that we believe have directly contributed to this improvement.

The purpose of this session is to share what we have learned about improving protection, and to compare notes on this topic with others.

This presentation and discussion will include:

• Background
• Incident Experience to Date
• Key Factors Contributing to a Favourable Trend
• Lessons from Others
• Next Steps

Peter Lambert
Manager
Information Privacy and Security
St. Michael's Hospital

Since 2001, Peter Lambert has been responsible for development, implementation and support of the information privacy and security program at St. Michael's Hospital in Toronto. Peter's experience in information management spans more than 30 years, including work in both the private and public sectors. For the past 17 years, he has held management positions in healthcare, with responsibilities that have included information privacy and security, health records, patient registration and information technology. He has overseen implementation of a hospital-based electronic health record and operation of a nationally recognized health information website. In the mid-90's, he served as Vice-Chair of the InfoHealth Alliance—then Southeastern Ontario’s regional healthcare information organization. Peter holds an Honours B.Sc. in Mathematics from Queen's University, and an M.B.A. from McMaster University.

As more government health care programs focus on the area of prevention and treatment for chronic disease we examine the role that a Prescribed Health Registry can play in educating and connecting the public with providers. With more healthcare organizations preparing to become Prescribed Health Registries, it is important to understand the purpose and distinct attributes of this designation under PHIPA. What are the steps an organization should take to become a Prescribed Registry? While the Act includes requirements a prescribed registry must meet, it does not outline the series of steps that should be taken to become a prescribed registry.

This presentation will highlight important considerations, along with providing a step by step guide for health care organizations interested in obtaining a PHIPA Prescribed Registry designation. The ColonCancerCheck program will be reviewed as an example of why a health care organization would seek a Prescribed Registry designation and how to go about doing so. ColonCancerCheck operates and manages the Colorectal Cancer Screening Registry which collects the personal health information of Ontarians in order to facilitate appropriate colorectal cancer screening and follow up.

The presentation will examine the following high-level agenda items:

• What is a Prescribed Registry? What is its purpose?
• Distinction between a prescribed health registry, a health registry and other prescribed persons
• Steps to becoming a Prescribed Registry:
  • Amending the PHIPA Regulation
  • Identifying key stakeholders / Establishing the appropriate relationships
  • Preparing the required documentation: a. Privacy Impact Assessment b. Data Sharing c. MOHLTC Submissions d. Information Privacy Commissioner Submissions

Pamela Spencer
VP Corporate Services
General Counsel & Chief Privacy Officer
Cancer Care Ontario

Ms. Spencer graduated from Osgoode Hall Law School in 1987 and was admitted to the Ontario Bar in 1989. In addition to her law degree, Ms. Spencer holds a Bachelor in Social Sciences from the University of Ottawa, and a Masters in Health Science in Health Administration/Collaborative Program in Bioethics from the University of Toronto, Faculty of Medicine, Department of Health Policy, Management and Evaluation. Prior to joining Cancer Care Ontario in 2003, Ms. Spencer practiced corporate commercial law, specializing in the health sector, at Fraser Milner Casgrain LLP where she was Chair of the Toronto Health Law Group and co-Chair of the Toronto Privacy Law Group. Ms. Spencer is responsible for a diverse portfolio at Cancer Care Ontario including Legal, Procurement, Facilities, Privacy and the Board Secretariat. She is also co-Executive Sponsor of the Ontario Health Study, a provincial population-based cohort study which has as its goal the enrollment of 150,000 health Ontario participants by 2012 for baseline data collection.

Ms. Spencer is a member of the Canadian Bar Association and the Medico-Legal Society of Toronto. She is former Chair of the Ontario Bar Association, Health Law Executive and former Chair of the Law Society of Upper Canada, Health Law Specialist Certification Committee.

Ms. Spencer has written and lectured widely on many aspects of health law and health privacy.

Melissa Tamblyn is Cancer Care Ontario's Director, Screening Information Program. Melissa has more than 13 years experience as a program leader and management consultant with global consulting firms KPMG and Fujitsu Consulting. Melissa is a certified Project Management Professional with a Master of Public Administration from Queen's University.

In order to improve the quality and timeliness of health care decision-making, and to enhance access to medical consultations in remote locations, the hospitals in the Hamilton Niagara Haldimand Brant Local Health Integration Network (LHIN 4) and the Waterloo Wellington LHIN (LHIN 3) have chosen to participate in a regional diagnostic imaging repository ("DI-r") hosted by London Health Sciences. Once fully implemented, the DI-r will contain Diagnostic Imaging images and reports to be viewed by health care providers in LHINs 1 & 2, and LHINs 3 & 4.

This presentation will discuss the privacy challenges associated with merging personal health information from multiple LHINs, and representing dozens of hospitals, in a single DI-r. Specifically, the presentation will address the PHIPA challenges encountered and addressed by the initiative, the processes undertaken to ensure consistent information practices across participating organizations, and technical strategies to ensure the security of personal health information. A few highlights of the presentation will include:

• How to employ agreements to navigate privacy challenges;
• How to perform a standardized, collaborative due diligence "Privacy Review" of each organization's information practices;
• How to apply PHIPA's "health information network provider" rules to a DI-r initiative; and
• How to integrate local information systems with DI-r information systems, in a manner which ensures the privacy and security of personal health information.

Diane Larwood
Project Director
Mohawk Diagnostic Imaging Repository

Marnie Fletcher
Director
Health Information Services & Chief Privacy Officer
St. Joseph's Healthcare

Don MacPherson
Parnter
Anzen Consulting Inc.

Don is a partner at Anzen and a graduate in Health Information Science from the University of Victoria. Don specializes in providing clients with strategic privacy, information governance, data protection, and risk management advice. As a nationally recognized information privacy advisor, Don has co-authored several privacy reference documents for the health care sector, including Canada Health Infoway’s Interoperable Electronic Health Record Privacy and Security Requirements, Privacy and Security Conceptual Architecture, White Paper on Information Governance, and a Conceptual Privacy Impact Assessment on a Pan-Canadian Interoperable Electronic Health Record. Don has completed numerous privacy impact assessments and developed several privacy programs for regional, provincial, and national e-Health initiatives.

Don began his privacy career as a Privacy Specialist at University Health Network, where he worked with the hospital's Corporate Privacy Officer to conduct privacy impact assessments on the hospital’s various clinical and business information systems, investigated staff and patient privacy complaints, implemented a patient communications and education strategy on privacy, and worked jointly with the Information and Privacy Commissioner/Ontario on an independent assessment of privacy practices at the hospital.

This presentation will outline how an enterprise-wide security assessment, presented as security health check, can be a valuable instrument for defining and validating reasonable security. A security health check is an important element of a comprehensive privacy and security program, providing key baseline and benchmark information.

The presentation will also discuss the approach, as taken by Cancer Care Ontario, to conduct a security health check, addressing the following topics:

• Choosing an industry framework – the benefits and limitations of using security frameworks such as ISO 27001/27002 and COBIT
• Benchmarking against peers – harvesting the power of social proof
• Going beyond reasonable security – when and how to move to an increased security stance
• Developing effective action plans – how to secure support to improve and mature your security and privacy programs

Ken Sutcliffe
Director IT Operations
Cancer Care Ontario

Ken Sutcliffe is the Director of Information Technology (IT) Operations at Cancer Care Ontario (CCO). Ken has over 30 years experience in health care – beginning in Australia and for the past 20 years in Ontario. Before joining CCO, Ken had an accomplished career as Director of IT Services at the Ontario Association of Community Care Access Centres (OACCAC). Ken holds a Bachelor of Health Sciences in Nursing and more recently, he has completed a Certificate in Business Information Systems from the University of Victoria. In addition to these accreditations, Ken holds a variety of process and technology certifications including the Certified Information Systems Security Professional (CISSP).

Lyndon Dubeau is the Manager, Enterprise Information Security Office at Cancer Care Ontario (CCO). Lyndon has over 10 years experience in health care technology and data protection. Before joining CCO, Lyndon held a number of progressive information security positions within the Community Care sector.

Lyndon holds a Bachelor of Business Administration degree and is a recent graduate of the University of London's Masters of Information Security program.

In addition to these academic accreditations, Lyndon is a Certified Information Privacy Professional/Canada (CIPP/C), Certified Information Systems Security Professional (CISSP), and Certified Information Systems Auditor (CISA).

The Toronto Central LHIN Privacy Working Group (PWG) was several years ago and has developed with the law to serve as a strong privacy community for it’s diverse members. A committed collaborative, the PWG brings together legal, health records, security, risk management, and patient relations expertise to tackle the current challenges in managing privacy in Ontario healthcare organizations.

The presentation highlights key recent initiatives as well as the structure and function of the working group. By sharing expertise and resources, the PWG has leveraged the strengths of its individual members to participate in the privacy policy dialogue at a local, provincial and national level.

Initiatives include the development of common eHealth policies and agreement templates, shared educational resources and impact assessment tools.

Abigail Carter-Langford
orporate Privacy Officer
Shared Information Management Services
University Health Network

Abigail Carter-Langford is the Corporate Privacy Officer of Shared Information Management Services and the University Health Network (UHN), one of Canada’s largest teaching hospitals, located in Toronto, Ontario. UHN is a founding partner in Shared Information Management Services (SIMS), the information management and technology group that is shared between seventeen health care organizations in the Greater Toronto Area

In this role, she is responsible for overseeing all activities related to the development, implementation, maintenance of, and adherence to the hospital’s policies and procedures covering the privacy and confidentiality of personal information. A particular area of professional interest for Abigail is privacy in the context of emerging technology.

Abigail is a Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP/C) and a member of the Canadian Advisory Board of the International Association of Privacy Professionals.

Jodi L.H. Butts is Legal Counsel and Corporate Privacy Officer at Mount Sinai Hospital, where she has been employed since 2004. Prior to assuming her position at MSH, Ms. Butts was one of the founding partners of the boutique litigation firm, Brannan Meiklejohn Butts LLP, where she practiced in the areas of employment, insurance and personal injury disputes, with a special focus on health law matters. She represented individuals, employers and institutional clients before all levels of the Ontario courts. Ms. Butts graduated from the University of Toronto, Faculty of Law, with her Bachelor of Laws, in 1999. She was admitted to the Ontario Bar in 2000.

Prior to entering law, Ms. Butts obtained a joint Honours Bachelor of Arts degree in the fields of History and English Literature from the University of Windsor. She holds a Masters of History, with a specialization in Canadian history, conferred by the University of Toronto in 1995.

Ms. Butts is currently the Co-Chair of the Toronto Central LHIN Privacy Working Group.