Topic 10 Information Management, Security, & Integrity PDF
Uploaded by GratifiedCedar
Summary
This document discusses information management, security, and integrity in a healthcare context. It outlines relevant provincial and national laws, OTIMROEPMQ Codes of Ethics, and workflows, emphasizing the importance of patient confidentiality and data integrity within healthcare institutions in Canada. Information on access to personal information and responsibilities of different roles such as authorities, managers, and technologists are included.
Full Transcript
Topic 10 Information Management, Security, & Integrity

1. Learn and explain the provincial and national laws that ensure integrity and confidentiality of patient’s data by public and private health care institutions
2. Explain the OTIMROEPMQ Codes of Ethics applicable to confidentiality and Integrity of patient’s information
3. Describe image managing workflows that prioritize departmental resources and patient care.
4. Describe and apply, if applicable, the recommendations by the OTIMROEPMQ “Standards of Practice” in preserving the integrity and confidentiality of data – Section: “Management of Computerized Systems”
5. Functions of IHE

CONFIDENTIALITY AND PRIVACY OF PATIENT’S PERSONAL INFORMATION

THE PRIVACY ACT (FEDERAL)

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.

Privacy Act (justice.gc.ca)

THE PRIVACY ACT (FEDERAL)
CONFIDENTIALITY AND PRIVACY OF PATIENT’S DATA

- Section 4: No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
- Section 5: A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates, except where the individual authorizes the institution to collect it from elsewhere.
- Section 6: Personal information shall be retained by the institution for such period after it is used. The individual to whom it relates should have a reasonable opportunity to obtain access to the information.
- Section 7: Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained.

Section 12 Access to Personal Information (Right of Access): every individual who is a Canadian citizen or a permanent resident within the meaning of subsection 2 of the Immigration and Refugee Protection Act has a right to and shall, on written request, be given access to:
- any personal information about the individual contained in a personal information bank
- any other personal information about the individual under the control of a government institution with respect to which the individual can provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution

The institution will have 30 days to inform the individual if the request to access the information will be granted or not.

CONFIDENTIALITY AND PRIVACY OF PATIENT’S DATA

PROVINCIAL ACT: Chap. a-2.1: ACT RESPECTING ACCESS TO DOCUMENTS

It provides the guidelines and regulations on how to protect patient’s confidential information by healthcare institutions

http://www2.publicationsduquebec.gouv.qc.ca/dynamicSearch/telecharge.php?type=2&file=/A_2_1/A2_1_A.html

It mainly amends the "protection of personal information" component of the Act respecting Access to documents held by public bodies and the Act respecting the protection of personal information in the private sector.
The amendments enhance the powers of the Commission d'accès à l'information (CAI), as well as the measures taken by government institutions to preserve confidentiality and transparency.

Loi 25 expliquée simplement: Les nouvelles règles sans jargon (juridik.ca)
Échox | Septembre 2023 | Volume 44, Numéro 3 by OTIMROEPMQ - Issuu

Quebec government agency responsible for the implementation of the Act respecting Access to documents held by public and private sector bodies and the Protection of personal information

It has two main functions:
- Monitor the application of laws in the field of information
- Settle disputes and impose penalties

OTIMROEPMQ CODE OF ETHICS ON CONFIDENTIALITY

DIVISION VI PROFESSIONAL SECRECY

23. A MIT is bound by professional secrecy, in accordance with section 60.4 of the Professional Code (chapter C-26).
- Do not reveal to the patient or another individual information of exam performed
- Confidentiality is the cardinal rule in all codes of ethics relating to healthcare
- Betrayals of confidence may prevent the patient from divulging real important facts about their health

24. Where an MIT asks a client to reveal to him confidential information or allows such information to be entrusted to him, he shall ensure that the client knows the reasons for it and the use that will be made of the information.

25. A MIT shall not reveal that a person has used his services.

26. A MIT shall avoid indiscreet conversations with anyone concerning a client and the services rendered.

26.1. A MIT shall take reasonable measures to ensure that the secrecy of all confidential information obtained in the practice of his profession is preserved by any employee or person who collaborates with him or carries on his activities within the partnership or joint-stock company where he carries on his professional activities.

27. A MIT shall not make use of confidential information to the detriment of a client or with a view to obtaining, either directly or indirectly, an advantage for himself or another person.

27.1. A MIT who, pursuant to the 3rd paragraph of section 60.4 of the Professional Code, communicates info. protected by professional secrecy to prevent an act of violence shall:
1. communicate the information immediately (supervisor, dept. manager)
2. if the information is communicated orally, confirm the information in writing ASAP
3. enter the following in the patient’s medical file ASAP:
   A- the date and time of the communication
   B- the reasons supporting the decision to communicate the information, including the name of the person who caused the MIT to communicate the info. & the name of the person or group of persons exposed to the danger
   C- the content of the communication, the mode of communication and the name of the person to whom the information was given
4. ASAP, send the syndic a notice of the communication that includes the reasons supporting the decision to communicate the information and the date and time it was communicated

In addition, if it is necessary, the MIT shall consult a member of the order, another professional order member, or any other qualified person, provided the consultation will not negatively delay the communication of the information.

OTIMROEPMQ CODE OF ETHICS ON ACCESS TO INFORMATION

DIVISION VII ACCESSIBILITY AND CORRECTIONS TO RECORDS

28. Where an MIT practises his profession in a public body governed by the Act respecting Access to documents held by public bodies and the Protection of personal information (chapter A-2.1), the Act respecting health services and social services (chapter S-4.2) or the Act respecting health services and social services for Cree Native persons (chapter S-5), the MIT shall observe the rules respecting the accessibility and correction of records provided for in those statutes.

29. For the purposes of the first paragraph of section 60.5 of the Professional Code (chapter C-26), access to the information contained in a record shall be free of charge. Notwithstanding the foregoing, fees not exceeding the cost of transcribing, reproducing or forwarding the information may be charged to the client. Where an MIT intends to charge fees under this section, he shall inform the client of the approximate amount exigible before transcribing, reproducing or forwarding the info.

OTIMROEPMQ CODE OF ETHICS ON INFORMATION ACCESS & INTEGRITY

30. For the purposes of section 60.6 of the Professional Code (chapter C-26), an MIT who grants an application for correction shall issue to the client, free of charge, a copy of any information amended or added or an attestation that information has been deleted. The client may require the MIT to forward a copy of the information to the person from whom he obtained the information or to any other person to whom the information has been communicated.

31. Where an MIT holds information regarding which an application for access or correction has been made, he shall, if he refuses to grant the application, conserve the information for as long as necessary to allow the client to exhaust the recourses provided for by law.

The SoP are a privileged communication tool and should guide professionals with a view to continuous improvement of services provided to patients and the protection of the public.
Section: “Management of Computerized Records”: standards governing the professional practice of all technologists working with digital systems that allow archiving of patient information (e.g., PACS, RIS, HIS, RID)

Normes de pratique et lignes directrices | OTIMROEPMQ

ACT ON CONSERVATION OF HEALTH INFORMATION

ACT RESPECTING THE SHARING OF CERTAIN HEALTH INFORMATION, CQLR C P-9.0001
CHAPTER II - CONSERVATION OF HEALTH INFORMATION

- Section 110: Health information held in a health information bank in a clinical domain is used throughout the period specified in a regulation of the Minister, which may vary according to the case, conditions and circumstances, the information identified in the regulation, and the clinical domain concerned
- Section 111: Health information held in a health information bank in a clinical domain must be destroyed five years after the period of use determined under section 110 ends

CQLR c P-9.0001 | Act respecting the sharing of certain health information | CanLII

Standards of Practice
Section: “Management of Computerized Records”

- It deals with the various aspects related to the management of computerized records:
  - Communication, processing & archiving systems (e.g., RIS & PACS), including digital images, reports & all administrative confidential data
- Addresses the responsibilities of, in particular, the managers who are mandated to implement the systems and ensure their smooth operation
- It may be used as reference for departments planning to integrate or upgrade data storage systems

Management of Computerized Records

- The patient may or may not consent to share medical information through the DSQ
- The refusal to share information must be expressed in writing & can be changed at any time
- The Health Information Access Agency (Commission d'Accès à l'Information - CAI) is a government agency that ensures or oversees that the patient's consent has been given to allow access to an exam or results and that Law 25 is applied.
- For pre-fetching, mediator servers automatically share information to the DSQ without the patient’s consent.

What is pre-fetching? Automated mechanism that allows for previous exams to be downloaded from the DSQ to a hospital PACS system

Responsibilities of the AUTHORITIES (Dep. Manager)

- Develop & update system access policies regarding the use of the components, thus ensuring the integrity and confidentiality of the data, while respecting the laws and regulations in force
- Make available to the SYSTEM MANAGER (PACS Administrator) the resources (equipment and personnel) to ensure the security, confidentiality and integrity of the data
- Provide the system manager with a certified list of authorized personnel who will use the systems, as well as the level of privileges to be granted

Responsibilities of the SYSTEM MANAGER (PACS Admin)

- Contribute to the policy development regarding system access
- Participate in creating & updating the list of users & privileges
- Grant to authorized users access according to their role and tasks
- Give access and privileges based on security criteria
- Implement rules of password change & complexity according to recommendations
- Implement security procedures to protect and ensure availability of confidential information such as automatic locking and unlocking system screens or by manual closing instructions
- Only access confidential data needed for his work (e.g., correction, tests)
- Configure RIS/PACS anatomical codes to optimize the search of previous exams
- Inform users of system changes/issues that may affect the integrity of exams
- Backup servers’ configuration in case of failures
- Establish a procedure for merging or erasing patient data
- Prioritize corrections that otherwise could lead to medical errors or inaccessibility to an exam or other patient data, e.g., spelling errors, missing hospital number, etc.
- Ensure that an exam has not been reported by the radiologists before modifying the content, otherwise:
  - the report must be amended because modifications to the exam were made after dictation
  - if applicable, all MDs who consulted the report must be informed that the report was amended
- Make corrections requested by users (MITs, MDs) (RIS & PACS)
  - Verify and confirm the information with the technologist who performed the examination before making a correction or modification to an archived examination
  - Make corrections to an examination only in case of absolute certainty
  - Act with caution when removing and deleting an examination or examination part to avoid any harm to the patient or professional person involved
  - Notify all users who viewed the images before modifications were made
- Notify authorities/professionals concerned of any suspected, unreported, exam-related abnormalities
- Protect systems and the confidentiality of patient data accessed outside the facility
- Ensure the integrity of the data from the acquisition station to the image display workstations, archiving systems, and RID

Specific responsibilities of the RID ADMINISTRATOR - READ

- Make corrections requested by hospital system managers ASAP
  - Prioritize requests for corrections that could lead to a medical error or inaccessibility of an examination or patient data (e.g., name or letter)
- Perform data monitoring of all the facilities archiving to RID
- Report to hospital system managers the corrections to be made to an exam ASAP
- Notify users when a problem that affects archiving at RID, DSQ occurs

Responsibilities of the TECHNOLOGIST

- Respect policies on system-access and proper use of the system components
- Ensure access codes confidentiality
- Promote the use of a complex password
- If needed, anonymize or encrypt data before transferring to external storage media or personal devices for use outside of the institution
- Dispose of confidential digital or paper data securely
  - Example: do not throw out paper copies of reports, queries printed on paper or any document (digital or paper) containing confidential info., e.g., demographic data, examination results, interventions or treatment plans, requisition
- Ensure that the exam has been archived in PACS with integrity and that it is complete, e.g., # of images, annotation, markers, correct presentation & images stored in corresponding exam
- Complete and finalize documentation in the patient’s file (RIS & imaging modality)
- Notify the system manager, ASAP on a signed form, of any changes needed to be made on an archived exam in PACS
- The MIT should verify that the corrections were made correctly
- In the situation where the MIT has access to making changes to archived images/exams, the MIT must notify the PACS manager of any changes made, so that the PACS manager informs all users who viewed it before the modification
- Follow the established procedure to avoid wrong interpretation/consultation of an exam before it is corrected or removed from the system, in the manager’s absence
- Notify the manager of any problems within a reasonable time

The authorities in collaboration with the system manager determine the privileges granted to the users according to their tasks and responsibilities

Access to exams Access to printing of reports (RIS & PACS) (RIS, HIS & PACS) Access to transcribed reports The possibility of annotating exams (RIS, HIS & PACS) Dictation of exams to Radiologists Access to voice (verbal) reports (RIS & PACS) (RIS, HIS & PACS) image manipulation, reconstruction & archiving (PACS)

Privileges Specific to RIS

- Access exam reports
- Create an exam requisition
- Modify or cancel an exam that has not yet been signed by the MIT
- To modify/delete data from an exam performed & signed by another user
- To sign an exam (MIT)
- To sign a report (Radiologist)
- To print a report (MIT and Radiologist)

Specific Access Privileges to computer workstations

- before archiving on imaging modality console
  - Adjust the quality of the images
  - Remove images
  - Add digital annotations
  - Correct examination data
- Modify an archived exam
- Update the exam status
- Access to workstations that allow copying of images on different types of physical media available
- Access to workstations allowing the scanning and archiving of documents and specific examinations

Modification of data and images

Requests for examination corrections (data or images) must be made on a form (paper or electronic). This form must contain the following information:
- Name and file number of the patient(s)
- Requisition number of the examination
- Name and date of the examination to be corrected
- Nature of the correction to be made
- Name and signature of the person requesting the correction
- Date of the correction made
- Name and signature of the manager who made the correction

This form must be retained as it is an integral part of the examination. It should be scanned into the patient file (e.g., RIS, PACS) as it is required by the provincial law: Act respecting the legal framework of information technology (CQLR, C-1.1), s. 21

ACCESS LOGGING

Keeping track of who accessed the system and what actions were made.

Each access event to the system must be recorded, including the following information:
- identity of the user
- name of the file accessed by user
- transaction code
- date and time of the access
- action taken by user, such as creation, consultation, reading, printing, modification or destruction of an examination or file

TRANSACTION LOG

The system (RIS, PACS) must have an unalterable log file of all transactions, the date, the time of these transactions and the identity of the person having made these transactions.

In the absence of such a file, the system must keep and display in the patient file an unalterable trace of all modifications made and the identity of the person who executed these modifications.
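
The access-log fields and the "unalterable" transaction log described above, sketched as an added example that is not part of the original slides or of any RIS/PACS product: each entry is chained to the previous one with a SHA-256 hash, so an altered, removed or truncated entry is detected when the log is verified. The class, function and field names and the sample users, file names and codes are assumptions; chaining makes changes detectable rather than impossible, and the latest hash is assumed to be kept where the log's own administrators cannot rewrite it.

```python
import hashlib
import json
from datetime import datetime, timezone

# Actions named on the access-logging slide.
ACTIONS = {"creation", "consultation", "reading", "printing",
           "modification", "destruction"}
FIELDS = ("user", "file", "transaction_code", "timestamp", "action")
GENESIS = "0" * 64  # anchor value used as "previous hash" of the first entry


def _digest(record, prev_hash):
    """SHA-256 over the previous hash plus the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to all earlier entries."""

    def __init__(self):
        self.entries = []

    def head(self):
        """Hash of the latest entry; store it outside the system being logged."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, user, file_name, transaction_code, action, when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        when = when or datetime.now(timezone.utc)
        record = {
            "user": user,                        # identity of the user
            "file": file_name,                   # file accessed
            "transaction_code": transaction_code,
            "timestamp": when.isoformat(),       # date and time of the access
            "action": action,                    # action taken
        }
        prev = self.head()
        entry = dict(record, prev=prev, hash=_digest(record, prev))
        self.entries.append(entry)
        return entry["hash"]


def verify(entries, trusted_head=None):
    """Return (ok, index of the first inconsistent entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        record = {k: entry[k] for k in FIELDS}
        if entry["prev"] != prev or entry["hash"] != _digest(record, prev):
            return False, i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(entries)  # entries were cut off the end of the log
    return True, None


def build_sample_log():
    """Constructed sample events; users, file names and codes are made up."""
    log = AuditLog()
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.append("mit.tremblay", "EXAM-0001", "TX-1001", "consultation", t)
    log.append("pacs.admin", "EXAM-0001", "TX-1002", "modification",
               t.replace(minute=5))
    log.append("dr.roy", "EXAM-0001", "TX-1003", "reading",
               t.replace(minute=9))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(verify(sample.entries, trusted_head=sample.head()))
```

Truncation from the end is only caught when `verify` is given a head hash recorded elsewhere, which is why the head is kept apart from the log itself.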
Exam reproduction must ensure the integrity of patient and image data as well as the quality of the images. If, however, the integrity cannot be guaranteed, it should be indicated on the medium.

For example, when making a CD, if the system cannot save digital annotations or key images, a note should be placed on the pouch.

Each image archived in PACS is identified using unique identifiers (UID). These are generated automatically by the PACS. This unique image ID is necessary not only for medico-legal reasons, but also to allow better management of images by the RID.

If exams uploaded to the PACS from the RID or a CD have a risk of not being copied with full integrity (images or annotations missing), the exams should be copied at the place where they were made.

To protect the confidentiality of the data and images, the system manager must obtain the written consent of the patient or the legal guardian before transmitting data or images to a third party (e.g.: CD, USB key, network link), except for certain exceptions. Only the data needed for the purpose of the request can be communicated.

Act respecting the sharing of certain health information (CQLR, c. P-9.0001), s. 100 and 124

Teleradiology

Transmission of image data from one location to another

- The integrity of the examinations transmitted must comply with the standards and laws in force relating to the transmission of documents
- Must preserve integrity of documents (original & transmitted)
- Appropriate means must be used to protect confidentiality, allowing secure exchanges, and to ensure the confidentiality of information registered and traceable transactions
- Patient’s consent – some exceptions apply

Act respecting access to documents held by public bodies & the protection of personal info (CQLR, c. A-2.1), art. 59 & 59.1

Patient’s consent

The authorization form (AH-216) to disclose Information must contain the following information:
- Name of the establishment
- Data or images to be transmitted
- Date of examination or intervention
- Term of validity of the consent
- Signature of the patient

MINISTRY OF HEALTH AND SOCIAL SERVICES. Authorization to Disclose Information on file (AH-216)

Pages 16 & 17 - Read

A data (images) backup and recovery plan must be developed and reviewed periodically to address:
- frequency of data backups
- storage location
- persons responsible
- established schedules

Management of the Servers’ Databases or directories

Backup copies of the servers’ databases or directories must be done daily and stored in a secure location separate from the server’s management and accessible to authorized persons only.

Terms & Conditions of the Modalities’ Databases

- Depending on the needs of the service, the retention period of examinations in the database of each modality must be sufficiently long to avoid premature erasure of images
- A procedure must be established and respected so that the archiving of the exams is properly done before automatic or manual deletion of images saved in the database of each modality

Short-term archiving – read

Responsibilities of the SYSTEM MANAGER

- Ensure optimal functioning of the short-term archiving systems
  - It is always operational, & that server data storage space is sufficient for daily archiving
- Develop an emergency plan to avoid any loss of exams in the event of a system breakdown and provide a temporary solution to access archived exams
  - This plan must be applicable to breakdowns lasting up to several days, without harming the services offered to the population
- Ensure the backup of data and images in long-term archives before they are deleted from the short-term archives
- Notify the authorities & stakeholders of any problems regarding short-term archiving

Long-term Archiving

MS x Bit Depth = Image File size
Responsibilities of the SYSTEM MANAGER

- Ensure optimal functioning of long-term archival system and retrieval system of previous exams
- Use a redundancy mechanism of archiving systems
- Ensure that long-term units and all offline exams are in a safe place
- Make a backup copy of all the exams contained in the long-term archiving unit. This backup must be identified, stored in a safe place, separate from the original, and accessible to authorized people only
- Ensure that sufficient storage media (e.g., DLT, DVD, cloud) is always available & accessible
- Anticipate the long-term archiving needs for storage space to plan for increased capacity
- Advise the authorities and stakeholders of any problems with long-term archiving
- Retention of long-term archived exams according to the period provided by law

LIBRARY AND NATIONAL ARCHIVES OF QUÉBEC. Collection of rules for the preservation of documents health and social services institutions in Quebec, p. 174 – 5 years

QC OF ALL COMPUTERIZED SYSTEMS (READ)

Responsibilities of the SYSTEM MANAGER

- A procedure must be established to regularly verify that the transmission of images/reports to archive is working properly
- Ensure equipment calibration and regular maintenance are performed on:
  - Scanners
  - Long & short-term archive units
  - Diagnostic workstations
- Create a maintenance/repair record of each device covered by the QC program
- Share any information which may contribute to the maintenance and improvement of the quality of examinations

QC OF ALL COMPUTERIZED SYSTEMS (READ)

TELERADIOLOGY - Responsibilities of the SYSTEM MANAGER

- Perform data monitoring and corrections using the tools provided
- Perform other quality checks as recommended by the supplier.
- Follow up with internal or external service providers.

Standards for Interoperability of systems - an initiative by healthcare professionals and industry to improve the way computer systems in healthcare share information.
IHE promotes the coordinated use of established standards such as DICOM and HL7 to address specific clinical needs in support of optimal patient care.

https://vimeo.com/462717964

IHE Benefits: Systems developed in accordance with IHE communicate with one another better, are easier to implement, and enable care providers to use information more effectively.

Integrating the Healthcare Enterprise (IHE) (infoway-inforoute.ca)