First Nations, Privacy of Health Information & OCAP

Elaine Sawatsky, Consultant
Valerie Richer, AFN


Post on 29-May-2020


Overview

Approaching information sharing from a First Nations perspective

• OCAP & CSA Model Code

• Healthcare Delivery Context & Data Sharing

• Change Management

• Questions and answers

FNHM 2009 Conference


OCAP & Fair Information Principles

“First, Do No Harm”

Harm can be caused by sharing information without addressing:

• Issues around obtaining informed consent or providing notice

• Failure to protect community and individual confidentiality, data integrity and availability

• Lack of control over data collection, use and disclosure (and retention)


OCAP: Ownership, Control, Access and Possession

Self-Governance of First Nations Information

• First Nations have always had rules about how information is owned, used and shared.

• The rules for sharing information grow out of traditions that were designed to protect communities and individual citizens.

• Similar to other international principles; have a common basis in human rights & respect.


Basic Principles for Information C,U,D

• Typical Issues ….

– Informed consent, or notice and voluntary participation,

– Protection of privacy and confidentiality,

– Risk-benefit assessment,

– Valid system design (security)


Ownership, Stewardship & Possession

• The relationship of a First Nation to its cultural knowledge/data/information.

• The Nation owns their information collectively, as individuals own their personal information.

• This is distinct from possession

• Possession is related to Stewardship


Control: Rights & Responsibilities

• Reflects aspirations & inherent rights to control all aspects of our lives including control of data.

• Organizations/Communities have ‘control responsibilities’ which they fulfill on behalf of individuals and themselves.

• Decide when & how control passes to a new entity.

• Control mechanisms include resources, policy, review processes, conceptual frameworks, data management.

• Control supports business goals & data protection

Access to, and Use of, Data

• You must have access to or use of information, data about yourselves and your communities, wherever it is held, i.e. whoever has ‘custody’. But possession of all data is not necessarily the answer.

• First Nations, their communities and organizations have a right to manage use of their collective information and control over who accesses it and how.


Possession & Asserting Control

• Possession is one mechanism to assert control.

• ‘Ownership’ means something different when speaking of information.

• When First Nations data is in the possession of others (e.g. government, academia), there is often little to no FN control over use of data as a result of policy and legislation.

• But agreements can set control expectations


OCAP & Privacy

There are many similarities between the OCAP principles and the Privacy principles that underlie Canadian Privacy Legislation.

• Canada’s interpretation of “Fair Information Practices” is expressed as 10 Principles or the “10 Commandments of Privacy”

• These “Commandments” form the foundation of Canadian Privacy legislation

• Available from www.csa.ca


CSA ~ 10 Commandments of Privacy

1. Accountability
2. Identify Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance


CSA Model Code Interpreted for OCAP

CSA Principle | OCAP Principle | Comments and Context

Accountability | Ownership, Control | Puts in place a foundation for all principles. May be easier to understand if one is in ‘possession’ of the data.

Identifying Purposes | Control, Access | Can be put in effect as a result of Possession and/or Ownership but must be done regardless of where the data is held.

Consent | Control, Access | Can be put in effect as a result of Possession and/or Ownership but must be done regardless of where the data is held. Is both an individual and a community concept.


CSA Model Code Interpreted for OCAP

CSA Principle | OCAP Principle | Comments and Context

Limiting Collection | Control | Collect only what is needed after identifying the Purposes.

Limit Use, Disclosure, Retention | Control | Use data only for what it was intended. Disclose it only for what was intended. Retain only as long as necessary. Relates also to Intellectual Property rights. Relates also to rights of Use in Data.

Accuracy | Control | Accurate data is required for Decision Making.


CSA Model Code Interpreted for OCAP

CSA Principle | OCAP Principle | Comments and Context

Safeguards (aka Security) | Possession | Data in one’s possession must be safeguarded. Data out of one’s possession must also be safeguarded.

Individual Access | Control, Access | Individual versus community rights. Complementary & conflicting.

Openness | Control, Access | Typically a responsibility rather than a right. The rights accrue to the individual, and perhaps the community.

Challenging Compliance | Control, Access | A right of the citizens, patient or a FN Community.


OCAP & Privacy Principles

OCAP Principle | CSA Principle | Comments & Context

Ownership | Accountability AKA Stewardship, Trusteeship, Custodianship | CSA Principles speak of responsibilities of the Organization rather than rights of the person. Rights of data use, Intellectual Property Rights

Control | Accountability & all other Principles | Organizations have Control responsibilities for all 10 principles

Access | Define Purposes, Limit Use, Limit Disclosure, Individual Access, Openness, Challenging Compliance | Access can mean more than one thing. It can simply be a mechanism or can be a concept

Possession | Accountability, Limit Collection, Use, Disclosure, Retention, Safeguards, Individual Access, Openness | Defined by Rights in use of data, intellectual property Rights.


AFN Position on OCAP

• OCAP compliance is determined by the Nation affected.

• OCAP is not a new concept but rather a definition created to address unethical and perhaps unlawful practices of information collection, use, disclosure and management.

• Understanding how OCAP principles can be related to other fair information principles will enable a common understanding.


OCAP as an enabler

• OCAP is not a barrier to data collection and management. It is simply a duty that many choose to ignore, as are other privacy protections.

• It may not be well understood

• It may not be seen as relevant in a legal sense

• Among other things OCAP is about

– Building First Nation capacity,

– Quality Assurance of data

– Due Diligence to ensure accurate information for decision making.


CHI & EHR Infostructure

• Canada Health Infoway has a mandate to facilitate the development of a Pan-Canadian Electronic Health Record.

– Must respect jurisdictions’ unique needs and environments.

– Must communicate information across jurisdictions while respecting individual privacy.

– Learned quickly that a National solution would not be feasible and have adopted a Standards and Integration approach

[Diagram: EHRS jurisdictional infostructure, showing point-of-service systems, the HIAL communication bus with common services and longitudinal record services, and the registries, EHR, ancillary and data warehouse data and services.]

EHRS Serving Healthcare Services

[Diagram: two EHR Solutions (EHRS), each with an EHR Infostructure (EHRi) and a Health Information Access Layer, serving clients/patients and care settings: hospital emergency, specialist clinic, homecare, community care center, emergency services, pharmacy, laboratory, diagnostic.]

EHRS Recommended Approach: Pan-Canadian EHR Service

[Diagram: multiple EHR Solutions (EHRS), each with its own EHR Infostructure (EHRi), point-of-service applications and Health Information Access Layer.]

Complexity and Change

• It’s about better healthcare and better planning, predicated on better data that is more available to the right person at the right place at the right time.

• The complexity comes from the need to integrate data, to provide integrated Services to an ‘integrated’ Individual

• An integrated ‘system’ includes: data, technology, people and processes – within a defined scope.


How We Approach Privacy Needs to Change

– Often previous approach has failed

– Privacy is a societal construct

– Cannot build a new concept with outdated methods

– Privacy as an industry is not yet well evolved. (what is a PIA for anyway?)

• A task on a project plan?

• An exam at the end of your project?

• A risk management exercise?


DATA: Privacy is About Data

Data represents a person or community, in a certain way. It can be:

– Complete, or not

– Accurate, or not

– Relevant, or not

– Unbiased, or not

– from a number of perspectives


Understand Where P/S fits

– Interleaved, Integrated

– Privacy is a risk like any other

– Begin addressing it at the beginning

– Differentiate between risk to the project and other risk e.g. privacy

– Mitigating one risk can create more elsewhere

– Understand your business


The Unknown: Change

• A privacy protective culture is an organizational cultural change

• Privacy is a societal construct.

• It is different because of different perspectives:

– Personal

– Professional

– Risk taking/aversion

– Political

– Cultural


Why is Change Needed?

• Previous approaches (system-oriented, project-oriented and low-level) have failed

• Privacy is not a barrier and is often blamed for other failures:

– Not understanding legal requirements

– Not understanding how strong the feelings are

– Not understanding that it is a major change


Processes & Change

• Accept what you must do, and use a strong process to achieve it.

• Assume that you can, but be open as to how

• Flexibility to brainstorm; open to ideas

• It won’t happen overnight

• Identify requirements

• Identify the risks to success

• Define the business goals


Getting it Done

• OCAP not a show-stopper: to be discussed.

• FPT governments have a fiduciary responsibility to work towards Pan-Canadian solutions, inclusive of First Nation governments.

• Inter-jurisdictional solutions between FPT sub-jurisdictions can be used as models.

• The biggest issues are Capacity and Willingness to work together.


Questions

?????


Contact Information

• Elaine Sawatsky

• Valerie Richer


Additional Resources

Online: To be provided as handouts

Others: To be provided as handouts
