
Managing Patient Information

Managing Patient Information. Professional Staff Development Series February 15, 2013. Learning Objectives. To understand: privacy legislation and how to comply in practice, clinically and academically; the process involved when there is a privacy complaint or breach;


Presentation Transcript


  1. Managing Patient Information Professional Staff Development Series February 15, 2013

  2. Learning Objectives To understand: • privacy legislation and how to comply in practice, clinically and academically; • the process involved when there is a privacy complaint or breach; • documentation requirements and the integrity of the health record; • documentation requirements from a Royal College perspective.

  3. Ontario has a law that governs health information: Personal Health Information Protection Act - PHIPA • Provincial law - enacted Nov/04 • Governs obligations of HICs on the: • collection, use, disclosure and protection of personal health information (PHI), as well as the right of a patient/SDM to: • access their PHI • request to correct PHI • challenge a HIC’s privacy practices • restrict collection, use and disclosure of PHI (lockbox)

  4. What the heck is a HIC and are you one? Short answer – not in your professional staff role. • LHSC and St Joseph’s are the Health Information Custodian (HIC) and have custody and control of PHI on a patient who has a registered visit to the hospital • whether the PHI is used for health care, research, education, etc. • staff, physicians, students, volunteers employed/granted privileges/affiliated through a HIC are “agents” of the HIC

  5. Mrs. Jones arrives for a first visit to your clinic Mrs. Jones reports a history of previous visits to the hospital and to the regional hospitals who share the EPR. • Can you access Mrs. Jones hard copy record and/or the EPR to get her historical information? • What type of consent do you need to collect and use her information from this point onwards?

  6. Mrs. Jones arrives for a first visit to your clinic…cont. Unless the patient has told you not to, you can assume “implied consent” to: • collect; • access/use; • share information within the “circle of care”. *Take reasonable steps to inform the patient about how LHSC/St Joseph’s collects, uses, and discloses their PHI.

  7. Implied consent  no consent Reasonable steps: • posters, brochures, web site - make sure your office, clinic has these; • talk to the patient e.g. you are consulting a specialist or asking the family MD to follow up post discharge – it is implied that you will share information to facilitate that referral unless the patient objects; • make Privacy aware of any restrictions.

  8. Who is in and out of the Circle of Care? In the circle of care… • those providing or facilitating health care for that patient within the hospital and in the community • can rely on “implied” consent to use and/or disclose within circle of care, e.g. family MD, CCAC Not within circle = express consent required, (company supplying services or home equipment but not providing care, lawyers, insurers)

  9. You are not in the circle of care for… Family, friends, colleagues, etc. • because you have access to the entire EPR system does not mean you have the right to access any information or record, even if you keep it confidential If you wish to access your own health record, contact HIM for information on hospital process. Privacy Office audits EPR to determine compliance

  10. Mrs. Green… You go to the clinic desk to review information on your next patient. When you arrive, the computer is logged into PowerChart – how convenient! You search for her information and notice that there is a flag (“Lockbox Restriction”).

  11. Mrs. Green cont… Is it OK to use someone else’s log in? What does this Lockbox Restriction flag mean and does it affect you?

  12. Mrs. Green cont… You should: • close that access and log in under your own user name/password; • remind user that he/she left log in open and unattended; • not share your user name/password nor allow others to use your account; • not use an access left unattended; • not leave your own access open and unattended. You are responsible for all activity under your login

  13. Mrs. Green cont… PHIPA grants patients the right to restrict use and/or disclosure of their PHI, even for health care. Without the patient’s consent, you cannot access lockboxed PHI unless specific situations exist. Policy and process at LHSC and St Joseph’s…options: • discuss with patient – is PHI critical for ongoing care or does lockbox apply to isolated PHI/visit? • determine if you can provide care with lockbox in place • discuss with Chief, VP Medicine, Risk and/or Privacy if considering refusing elective care

  14. What If a Patient Requests a New Lockbox? Begin the discussion, use lockbox brochure • what are the concerns • explain risks Notify Privacy Office - work with patient to: • review request to ensure patient is requesting lockbox, or 1-1 denial; • review risks; • complete request form, validate ID; • apply lockbox to record. • hard copy • limited ability in EPR

  15. What Cannot Be Lockboxed? Patient will be informed that lockbox does not apply: • to use for administrative purposes, (billing, risk management, quality assurance); • to PHI collected during an active IP visit; • when the use/disclosure is permitted or required by law; • permitted – to PHIPA- recognized registry, (CCO etc.); • required – mandatory disclosure, (child abuse, MTO); • in an emergency situation where the information is necessary for eliminating or reducing significant risk of harm to patient or other person/s = override.

  16. You Are An ED MD and a Patient Arrives From a MVC - VSA The ED clerk calls HIM and they say you cannot get the record as it is lockboxed in both hard copy and EPR. Having the PHI may raise the chance of a positive outcome for the patient – what do you do?

  17. Lockbox override PHIPA permits an override of a lockbox if: • patient consents (must be considered first) • risk of significant harm to patient (applies in this situation) • PHIPA permitted or required use Complete override form declaring what situation exists, fax to HIM: • HIM will release record or enable access to EPR (Pilot e-lockbox – access may take time – may get hard copy of printed EPR) • Privacy Office audits all overrides

  18. Lockbox example • patient seen in surgeon’s office and booked for Sx • patient asks Privacy Office for lockbox restrictions to her PHI for any reason • patient visit in Pre Admit – tried to get record from HIM – denied, so PAC staff asked for surgeon’s office file • patient furious that office file released Privacy and Surgeon had to negotiate an agreement to get surgery done – challenges: • originally, patient didn’t want anyone but surgeon to access hard copy record during IP stay • didn’t want pre-op assessment used for IP stay Not all lockbox requests are this complex, but important to make Privacy aware and respect restrictions

  19. Mrs. Jones You think that Mrs. Jones would be a good case to take to Grand Rounds so start to prepare the presentation…what information can be shared without violating the patient’s privacy, corporate policy and PHIPA?

  20. Use of PHI for education De-identify information: • totally when using PHI for external presentations; • as much as possible, for internal teaching rounds; • bedside rounds – be aware of other patients. But what is considered identifiable – new rules since PHIPA Which of the following are considered identifiable: • name • Initials • hospital PIN/J# • postal code • all of the above • none of the above

  21. Use of PHI for education All of the above (on the previous slide) Rules have changed since PHIPA: • Identifiable = information used alone or in combination to identify the patient Contrary to popular belief, “identifiable” includes: • initials, postal code, HC#, PIN/J#… • unusual condition in small population/study size

  22. Mrs. Jones After the discussion about Mrs. Jones at Grand Rounds you and your colleagues realize that there is a group of patients with similar issues that would lend itself to a publication. What steps are needed to use this information for publication or for research? You start to create: • a database with all the patient information – this looks interesting and may make a good research project • a summary document with all the patients’ PHI and load it onto your laptop so that you can work on it at home…what do you need to pay attention to?

  23. Can You Use PHI for Research? Short answer – yes….under rules set by PHIPA To use PHI for research, you must: • have UWO REB and Lawson approval; • follow policy and submit completed form to HIM for chart pulls or to use PHI regardless of the format; • submit any changes to the protocol or to who is accessing the PHI for the project to REB; • protect the PHI, e.g. do not save information on portable devices or hard drives unless strongly encrypted; • databases – need REB approval at beginning – even if no specific research is planned.

  24. Information Security Avoid storing identifiable PHI on a hard drive of any device e.g. PC, laptop, Blackberry, home computer, memory stick…store on hospital network. If you must use a hard drive or portable device: • encrypt – hospital encryption system – HelpDesk; • store minimum information; • for as short a time as possible; • back up on network drive; • physical security of the device. Avoid taking identifiable information out of the hospital in any format

  25. Information Security You would like to send that identifiable research data to the co-investigator at UHN. What are the options to send it to ensure its security? • e-mail • fax • Canada Post • courier

  26. Information Security NOT E-mail • only to accounts within secure system -@lhsc, @sjhc, @londonhospitals, @lawson @schulich – nothing else is secure, including @uwo, @hotmail, @yahoo etc You can: • Fax – use care when entering fax #, always use cover page with your own contact information on it – breaches from human error; • Canada Post; • courier $$ • consider Secure File Transfer

  27. Information Security Breach examples: • 2007 – theft of non-encrypted hard drives storing research databases • 270 patients notified • 2009 – EPR patient lists: • found in Masonville Mall – very sensitive PHI, e.g. erectile dysfunction - 20 patients notified; • found flying around schoolyard – 16 patients notified • 2009 – employee e-mailed Excel file to Resident’s Hotmail account – against hospital policy, and entered wrong e-mail address • 33 patients notified • 2009 Durham Region – loss of memory stick – notification of >83,000 patients – directive from IPC to all HICs – ENCRYPT!!

  28. Monitoring and Auditing for Privacy Compliance You receive a call from the Privacy Office • a patient had called and asked for an audit of his/her chart; • the audit shows that your (privately hired) secretary accessed the EPR record, however this patient has never been a patient of your service nor have you been consulted about this patient …what next?

  29. EPR & PACS Audits Performed: • at request of patient/SDM or leader; • on randomly selected staff/affiliates, high profile patients, deceased or hospitalized staff/affiliates. Breaches being detected – mainly on family, friends, co-workers, high profile patients: • Misconception re “authorized use”; • PHIPA requires HICs to notify patients if their PHI is lost, stolen or accessed without authority; • if asked, we tell the patient who committed the breach.

  30. As the Employer of the Secretary, You Are Required To: • Follow direction of Privacy Office (HR if hospital is employer) • Investigate…was a referral sent to you, but patient never seen, has employee done P and C Education? • If you cannot validate reason for access: • meet with employee (with HR if hospital is employer) and ask to validate reason for access, relationship to patient • If found to be a breach, possible outcomes include: • education • verbal warning • written warning • suspension • termination

  31. Correction of PHI You are contacted by a Privacy Specialist/Consultant who received a request from a patient to correct his record. The PHI challenged is in your admission history. It reports that he is diabetic – patient challenges the accuracy of this. He says he has been tested for low blood sugar, but he was told he was not diabetic. What do you do? • nothing – your documentation is correct; • get the record & black out the entry; • if you recall the patient reporting diabetes, not change the entry; • if you cannot recall, correct the entry.

  32. Correction of PHI Patient has right to request change if they feel PHI is incorrect or incomplete. Key points: • PHIPA timeline – notify Privacy asap • we are not required to change if: • professional opinion/observation made in good faith; • patient does not provide the information necessary to make the correction; • record was not made by agent of HIC • HIC /agent does not have the knowledge or expertise to make correction If HIC refuses correction, patient has right to: • place Statement of Disagreement on record • appeal to Privacy Commissioner of Ontario – this has occurred

  33. Physician Billing As a new physician to LHSC/St Joseph’s, you need to have someone do your billing. You know of external agencies who do this. You also know of a secretary in another department who does billing on off hours. What do you need to consider when having someone other than your secretary do your billing?

  34. Physician Billing Guidelines Helps protect you, the hospital and the confidentiality/ security of the PHI. If you use someone other than your secretary or other hospital employee whose hospital role is to do your billing: • have a written contract with external agency/person that binds the agent; • to the confidentiality of the PHI & MD information • to put security measures in place - both physical and technical; • avoid taking PHI out of organization; • P&C education and agreement; • actions in case of a breach.

  35. Watch where you have clinical discussions:

  36. Privacy Breaches are: Distressing for patients: • fears of identity theft, impact on their care; • anger that we have not taken precautions; • time consuming, costly for you, and the hospital Breaches can result in: • letter to file; • suspension or termination of privileges; • report to CPSO; • complaints to the Information & Privacy Commissioner.

  37. Mrs. Jones Mrs. Jones is ready for discharge and discharge documentation is required…what are the obligations for completion?

  38. The Hybrid Record LHSC and St. Joseph’s have a Hybrid Record … documents and results that are available electronically in the EPR are not found filed on the paper record. You will need to refer to both the paper and the electronic portions of the record to obtain a full documentation history for the patient.

  39. Clinical Documentation • The timely completion and authentication of all required Clinical Documentation is important for the following reasons: • To facilitate accurate communication among health care providers for continuing patient care, • Properly done, to manage risk for all medical and non-medical professional staff as well as the hospital, • To facilitate appropriate hospital funding, and • In order to comply with legislation and accreditation standards • All patient visits must be registered • All visits to the hospital or any remote site of the hospital require clinical documentation

  40. Clinical Documentation Requirements • To support patient safety and ensure that clinical documentation at our hospitals complies with legislation, the hospital identifies clinical documentation and document authentication requirements for Professional Staff • ALL CHART COMPLETION REQUIREMENTS ARE TO BE MET WITHIN 14 DAYS FOLLOWING DISCHARGE. • Your signature is your authentication • All electronically documented clinical reports will be distributed to the author (as well as internal cc’s) using “message centre” and require your review and electronic signature to trigger external distribution

  41. Audited Clinical Documentation • ALL Inpatient Discharges require an authenticated Discharge Summary • ALL Deaths require an authenticated Death Summary • ALL procedures carried out in the Operating Room require an authenticated OR Report and Anaesthesia Report • ALL major procedures require an authenticated Procedure Report • ALL births require an authenticated Delivery Summary

  42. Alternative Documentation Strategies • Central Dictation/Transcription services are available • Does your office assistant transcribe clinical reports for you ? Ask about receiving Cerner’s transcription module from Helpdesk. • Do you have high keyboarding skills or prefer to enter your own reports electronically ? Ask about access and training for Advanced Clinical Notes (ACN). • Do you prefer to use central dictation and transcription resources, but want to save time and help to reduce the workload on transcription ? Ask about establishing templates for some of your clinical reports from Transcription.

  43. Chart Completion Process • Health Records will send the responsible Professional Staff reminder notices of chart deficiencies at 7, 14 and 21 days post separation • The notice at 21 days reminds you that you have just 7 additional days before the hospital will suspend privileges. Privileges will be reinstated upon completion of all outstanding deficiencies. • If you know you are going to be away from the hospital for 7 days or longer … let Health Records know. They will ‘stop the clock’ and resume it upon your return • If the chart becomes required for continuing care and is not available for you to complete your documentation in Health Records for a period of time … the ‘clock’ will also stop and resume upon the return of the chart to Health Records • Suspension of privileges 3 times in the same appointment year will be reported to the CPSO

  44. Mrs. Jones • Mrs. Jones is admitted to your service with you as the MRP. The nurse calls you to advise that Mrs. Jones is having pain and you provide a verbal order for some analgesics. Later that morning you are doing rounds with the medical student and you review the investigations that need to be ordered for this patient. The medical student documents the orders. That afternoon you ask when the CT scan will be done on Mrs. Jones and discover that the order has not been processed…why?

  45. Verbal and Telephone Orders • Telephone orders may only be accepted in situations where the prescriber is not present and there is a need for direction with patient care. • In this example: • the prescriber (MRP) is not present • Mrs. Jones is experiencing pain • The nurse, being authorized under the RHPA & Regs and hospital policy may transcribe the order • Telephone order for Dr. Smith/Jane Doe RN 2230 hrs. May 15, 2009 • The order for analgesia may now be acted upon • Follow up is then required by the MRP (the prescriber or delegate) to: • Sign the order within 24 hours (acute care) • Sign the order on the next working day (RMHC) and • Sign the order at the next visit to the unit (Parkwood Hospital and Mount Hope).

  46. Verbal and Telephone Orders • Verbal orders may only be accepted in emergency situations when the prescriber is physically unable to write his or her own orders and a delay in treatment would not be in the best interest of the patient. • So, in this example: • Conditions were not met for accepting verbal orders • A senior medical student may write orders … but the orders must be countersigned before they can be processed or acted on (Scope of activities for Senior Medical Students Policy) • In this example, the MRP should have written the orders him/herself … or at the very least, countersigned the orders so that they could be acted upon.

  47. Resources: LHSC/St. Joseph’s Privacy Office 32996 Health Information Management 64296 Medical Affairs Contact 75125
