first nations, privacy of health information &...
TRANSCRIPT
First Nations, Privacy of Health Information & OCAP
Elaine Sawatsky, ConsultantValerie Richer, AFN
2
Overview
Approaching information sharing from a First Nations perspective
• OCAP & CSA Model Code• Healthcare Delivery Context &
Data Sharing• Change Management• Questions and answers
FNHM 2009 Conference
3
OCAP & Fair Information Principles
“First, Do No Harm”Harm can be caused by sharing
information without addressing:• Issues around obtaining informed consent or
providing notice• Failure to protect community and individual
confidentiality, data integrity and availability
• Lack of control over Data collection, use and Disclosure (and retention)
FNHM 2009 Conference
4
OCAP: Ownership, Control, Access and Possession
Self-Governance of First Nations Information• First Nations have always had rules about
how information is owned, used and shared.• The rules for sharing information grow out
of traditions that were designed to protect communities and individual citizens.
• Similar to other international principle; have a common basis in human rights & respect.
FNHM 2009 Conference
5
Basic Principles for Information C,U,D
• Typical Issues ….–Informed consent, or notice and
voluntary participation,–Protection of privacy and
confidentiality,–Risk-benefit assessment,–Valid system design (security)
FNHM 2009 Conference
6
Ownership, Stewardship & Possession
• The relationship of a First Nation to its cultural knowledge/data/information.
• The Nation owns their information collectively, as individuals own their personal information.
• This is distinct from possession • Possession is related to Stewardship
FNHM 2009 Conference
7
Control: Rights & Responsibilities
• Reflects aspirations & inherent rights to control all aspects of our lives including control of data.
• Organizations/Communities have ‘control responsibilities’ which they fulfill on behalf of individuals and themselves.
• Decide when & How control passes to a new entity.
• Control mechanisms include resources, policy, review processes, conceptual frameworks, data management.
• Control supports business goals & data protectionFNHM 2009 Conference
8
Access to and Use of, Data
• You must have access to or use of information, data about yourselves and your communities, wherever it is held, i.e. who ever has ‘custody’. But possession of all data is not necessarily the answer.
• First Nations’, their communities and organizations have a right to manage use of their collective information and control over who and how it is accessed.
FNHM 2009 Conference
9
Possession & Asserting Control
• Possession is one mechanism to assert control.
• ‘Ownership’ means something different when speaking of information.
• When First Nations data is in the possession of others (e.g. government, academia), there is often little to no FN control over use of data as a result of policy and legislation.
• But agreements can set control expectations
FNHM 2009 Conference
10
OCAP & Privacy
There are many similarities between the OCAP principles and the Privacy principles that underlie Canadian Privacy Legislation.
• Canada’s Interpretation of “Fair Information Practices” are expressed as 10 Principles or the “10 Commandments of Privacy”
• These “Commandments” form the foundation of Canadian Privacy legislation
• Available from www.csa.ca
FNHM 2009 Conference
11
CSA ~ 10 Commandments of Privacy
1. Accountability2. Identify Purposes3. Consent4. Limiting Collection5. Limiting Use, Disclosure and Retention.6. Accuracy7. Safeguards8. Openness9. Individual Access10. Challenging Compliance
FNHM 2009 Conference
12
CSA Model Code Interpreted for OCAP
CSA Principle OCAP Principle Comments and Context
Accountability Ownership, Control Puts in place a foundation for all principles. May be easier to understand if one is in “possession’ of the data.
Identifying Purposes Control, Access Can be put in effect as a result of Possession and/or Ownership but must be done regardless of where the data is held
Consent Control, Access Can be put in effect as a result of Possession and/or Ownership but must be done regardless of where the data is held. Is both in individual and community concept.
FNHM 2009 Conference
13
CSA Model Code Interpreted for OCAP
CSA Principle OCAP Principle Comments and Context
Limiting Collection Control Collect only what is needed after identifying the Purposes
Limit Use, Disclosure, Retention
Control Use data only for what it was intended. Disclose it only for what was intended.Retain only as long as necessary.Relates also to Intellectual Property rights.Relates also to rights of Use in Data.
Accuracy Control Accurate data is required for Decision Making
FNHM 2009 Conference
14
CSA Model Code Interpreted for OCAP
CSA Principle OCAP Principle Comments and Context
Safeguards (aka Security) Possession Data in one’s possession must be safeguarded. Data out of one’s possession must also be safeguarded.
Individual Access Control, Access Individual versus community rights. Complimentary & conflicting.
Openness Control, Access Typically a responsibility rather than a right. The rights accrue to the individual, and perhaps the community.
Challenging Compliance Control, Access A right of the citizens, patient or a FN Community.
FNHM 2009 Conference
15
OCAP & Privacy Principles
.OCAP
PrincipleCSA Principle Comments & Context
OwnershipAccountability AKA Stewardship, Trusteeship, Custodianship
CSA Principles speak of responsibilities of the Organization rather than rights of the person. Rights of data use, Intellectual Property Rights
Control Accountability & all other Principles Organizations have Control responsibilities for all 10 principles
Access Define Purposes, Limit Use, Limit Disclosure, Individual Access, Openness, Challenging Compliance
Access can mean more than one thing. It can simply be a mechanism or can be a concept
Possession Accountability, Limit Collection, Use, Disclosure, Retention, Safeguards, Individual Access, Openness
Defined by Rights in use of data, intellectual property Rights.FNHM 2009 Conference
16
AFN Position on OCAP
• OCAP compliance is determined by the Nation affected.
• OCAP is not a new concept but rather a definition created to address unethical and perhaps unlawful practices of information collection, use, disclosure and management.
• Understanding how OCAP principles can be related to other fair information principles will enable a common understanding.
FNHM 2009 Conference
17
OCAP as an enabler
• OCAP is not a barrier to data collection and management. It is simply a duty that many choose to ignore, as are other privacy protections.
• It may not be well understood• It may not be seen as relevant in a legal sense• Among other things OCAP is about
– Building First Nation capacity,– Quality Assurance of data– Due Diligence to ensure accurate information
for decision making.FNHM 2009 Conference
18
CHI & EHR Infostructure
• Canada Health Infoway has a mandate to facilitate the development of a Pan-Canadian Electronic Health Record.– Must respect jurisdictions unique needs and
environments.– Must communicate information across
jurisdictions while respecting individual privacy.
– Learned quickly that a National solution would not be feasible and have adopted a Standards and Integration approach
FNHM 2009 Conference
ERHSJURISDICTIONAL INFOSTRUCTURE
Ancillary Data& Services
Registries Data& Services
EHR Data& Services
DataWarehouse
OutbreakManagement
PHSReporting
SharedHealth Record
DrugInformation
DiagnosticImaging Laboratory Health
Information
POINT OF SERVICE
Hospital, LTC,CCC, EPR
PhysicianOffice EMR EHR Viewer
Physician/Provider
BusinessRules
EHRIndex
MessageStructures
NormalizationRules
Security MgmtData Privacy Data Configuration
Physician/Provider
Physician/Provider
Lab System(LIS)
Lab Clinician
RadiologyCenter
PACS/RIS
Radiologist
PharmacySystem
Pharmacist
Public HealthServices
Public Health Provider
Longitudinal Record Services
HIALCommunication Bus
Common Services
ClientRegistry
ProviderRegistry
LocationRegistry
TerminologyRegistry
19FNHM 2009 Conference
EHRS Serving Healthcare ServicesEHR SOLUTION (EHRS)
EHR INFOSTRUCTURE (EHRi)
EHR ViewerPoint of Service
ApplicationPoin of Service
Application
AncillaryData &
Services
HealthInformation
DataWarehouse
EHRData &Services
RegistriesData &
Services
Longitudinal Record Services
Health Information Access Layer
EHR SOLUTION (EHRS)
EHR INFOSTRUCTURE (EHRi)
EHR ViewerPoint of Service
ApplicationPoint of Service
Application
AncillaryData &
Services
HealthInformation
DataWarehouse
EHRData &Services
RegistriesData &
Services
Longitudinal Record Services
Diagnostic
Hospital Emergency
Specialist Clinic
Homecare
Clients/Patients
Community Care Center
Emergency Services
Pharmacy
Laboratory
Diagnostic
Hospital Emergency
Specialist Clinic
Homecare
Clients/Patients
Community Care Center
Emergency Services
Pharmacy
Laboratory
Health Information Access Layer
20FNHM 2009 Conference
EHRSEHRS EHRSEHRS EHRS EHRSEHRS
EHRS Recommended Approach: Pan-Canadian EHR Service
EHR SOLUTION (EHRS)
EHR INFOSTRUCTURE (EHRi)
EHR ViewerPoint of Service
ApplicationPoint of Service
Application
AncillaryData &Services
HealthInformation
DataWarehouse
EHRData &Services
RegistriesData &Services
Longitudinal Record Services
Health Information Access Layer
EHR SOLUTION (EHRS)
EHR INFOSTRUCTURE (EHRi)
EHR ViewerPoint of Service
ApplicationPoint of Service
Application
AncillaryData &Services
HealthInformation
DataWarehouse
EHRData &Services
RegistriesData &Services
Longitudinal Record Services
Health Information Access Layer
21FNHM 2009 Conference
22
Complexity and Change
• Its about better healthcare, better planning and predicated on better data, more available to the right person at the right place at the right time.
• The complexity comes from the need to integrate data, to provide integrated Services to an ‘integrated’ Individual
• An integrated ‘system’ includes: data, technology, people and processes – within a defined scope.
FNHM 2009 Conference
23
How We Approach Privacy Needs to Change
– Often previous approach has failed
– Privacy is a societal construct
– Cannot build a new concept with outdated methods
– Privacy as an industry is not yet well evolved. (what is a PIA for anyway?)
• A task on a project plan?
• An exam at the end of your project?
• A risk management exercise?
FNHM 2009 Conference
24
DATA: Privacy is About Data
Data represents a person or community, in a certain way. It can be:– Complete, or not–Accurate, or not–Relevant, or not–Unbiased, or not– from a number of perspectives
FNHM 2009 Conference
25
Understand Where P/S fits
– Interleaved, Integrated–Privacy is a risk like any other–Begin addressing it at the beginning–Differentiate between risk to the
project and other risk e.g. privacy–Mitigating one risk can create more
elsewhere–Understand your business
FNHM 2009 Conference
26
The Unknown: Change
• A privacy protective culture is an organizational cultural change
• Privacy is a societal construct.• It is different because of different perspectives:
– Personal– Professional– Risk taking/aversion– Political– Cultural
FNHM 2009 Conference
27
Why is Change Needed?
• Previous approaches: system –oriented, project oriented and low level – have failed
• Privacy is not a barrier and is often blamed for other failures:– Not understanding legal requirements– Not understanding how strong the feelings are– Not understanding that it is a major change
FNHM 2009 Conference
28
Processes & Change
• Accept what you Must do, and use a strong process to achieve it.
• Assume that you can, but be open as to how• Flexibility to brainstorm; Open to ideas• It won’t happen overnight• Identify requirements• Identify the risks to success• Define the business goals
FNHM 2009 Conference
29
Getting it Done
• OCAP not a show- stopper:to be discussed.• FPT governments have a fiduciary
responsibility to work towards Pan-Canadian solutions, inclusive of First Nation governments.
• Inter-jurisdictional solutions between FPT sub-jurisdictions can be used as models.
• The biggest issues are Capacity and Willingness to work together.
FNHM 2009 Conference
30
Questions
?????
FNHM 2009 Conference
31
Contact Information
• Elaine Sawatsky [email protected]
• Valerie Richer• [email protected]
FNHM 2009 Conference
32
Additional Resources
OnlineTo be provided as
handouts
OthersTo be provided as
handouts
FNHM 2009 Conference