Privacy Frameworks for Health Care
Nigel Brown, Senior Privacy Consultant, IBM Global Services
nigel@ca.ibm.com
www.ibm.com/security/privacy
© 2005 IBM Corporation
Privacy – an inhibitor to IT adoption in Health Care?
“Health care is down there with mining as the most techno-phobic industry” (John Chambers, Cisco, The Economist – April 20, 2005)
§ Complexity of Players:
– Provincial Health Ministries
– Regional Health Authorities
– Acute Care / Hospitals
– Community Care Clinics
– Physician Offices
– Professional Colleges and Medical Associations
– Testing Labs
– Pharmacies
§ Complexity of Legislation:
– Players cross public and private sectors
– Provincial “FOIP” legislation for the public sector
– Provincial “PIPA” legislation for the private sector
– Provincial Health legislation
– PIPEDA, HIPAA etc. for cross-border flows
Privacy – an inhibitor to IT adoption in Health Care?
§ Whose legislation applies and who interprets it?
– Substance often not that different, but can be a source of endless debate
– Different bodies have different interpretations or practices
§ Electronic Health Records
– Many input information, many use it – who manages it?
– Controller-Controller vs. Controller-Processor relationships
§ First Mover Dilemma
– The health system needs to be integrated – straw models are not hard to build, but what if other players don’t follow?
Privacy – an inhibitor to IT adoption in Health Care?
§ Scalability
– Technical/security resources of a hospital are vastly different from those of a single physician practice
– But we need to connect them all together to share information
§ Context Sensitivity
– Not just roles, but roles in the context of current patient care
– Many potential “patient privacy options” – no standards
§ Health Trumps Privacy
– Need overrides for emergencies etc.
– Hard to list all access rules deterministically
VCH Primary Care IT Strategy – Privacy Framework
How do we optimize Primary Care IT initiatives for Privacy?
§ Solution Provider View – How do we design Privacy in from the start?
– Privacy Checklist – identify potential issues at the concept stage
– Privacy Primer – Privacy 101 – the basics
– Privacy Design Guidance – tips and rules for IT developers
– Privacy Impact Assessment – review and approval process
– ISO 17799 Security Framework
– Privacy Standards for Vendor Software and Services – future
§ Solution User View – How do we get users ready to meet Privacy and Security requirements?
– BCMA 10 Steps – a framework for closing the gaps
– Privacy Toolkit
– CMA Privacy Wizard – a self-assessment and policy-building kit
– Practical Security – getting ready for the technology-assisted practice
– Situation Based Guidance
§ Program Management View – How do we keep the Framework in synch and current?
– Privacy Issue List
– Ongoing monitoring, feedback, Stakeholder Consultation and Communication Program – future
Simple approaches to real problems…
Professional Ethics as an Assurance Factor for Health Care Privacy
§ A high degree of professional ethics and accountability can be leveraged as a privacy control
– To control need-to-know access across a range of records: challenge with a question the first time access is requested for a particular patient, e.g. “Please confirm you are requesting access to assist in providing care to this patient”
– To control export of data from a system: printouts of medical information include the requester’s name, user id, time and date as part of the printed record
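The two controls on this slide, together with the emergency override that the earlier “Health Trumps Privacy” slide says must exist, are easy to get wrong in the details (is the clinician challenged once per patient or on every read? does a break-glass read leave a trace? can a record be printed before the attestation was given?). The following Python sketch is an added example, not code from the original presentation or from IBM or VCH: it mediates reads of a shared record, asks the slide’s attestation question the first time a given user opens a given patient, lets an emergency read through without the question but flags it for review, and stamps every printout with the exporter’s name, user id, date and time. The class, method and audit event names, the list of clinical roles, and the sample user and record text are assumptions made for illustration.

```python
"""Attestation-gated access and stamped exports for a shared clinical record.

Added example, not code from the original presentation. It models the two
controls on the slide above (a one-time per-user, per-patient attestation
challenge, and printouts stamped with who exported them and when) and the
emergency override the earlier "Health Trumps Privacy" slide calls for.
Class, method and event names, the clinical-role list and the sample data
are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# The challenge text quoted on the slide.
ATTESTATION_PROMPT = ("Please confirm you are requesting access to assist "
                      "in providing care to this patient")


@dataclass
class User:
    user_id: str
    name: str
    role: str  # assumed roles: "physician", "nurse", "clerk"


@dataclass
class Decision:
    granted: bool
    challenge: Optional[str] = None  # prompt the UI must show before retrying
    flagged: bool = False            # True for emergency ("break-glass") access


@dataclass
class AccessMediator:
    clinical_roles: Set[str] = field(default_factory=lambda: {"physician", "nurse"})
    now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)  # injectable clock
    audit: List[Dict[str, str]] = field(default_factory=list)
    _attested: Set[Tuple[str, str]] = field(default_factory=set)   # (user, patient) pairs
    _emergency: Set[Tuple[str, str]] = field(default_factory=set)  # break-glass pairs

    def _log(self, user: User, patient_id: str, event: str) -> None:
        self.audit.append({"ts": self.now().isoformat(), "user": user.user_id,
                           "patient": patient_id, "event": event})

    def request_access(self, user: User, patient_id: str, *,
                       attested: bool = False, emergency: bool = False) -> Decision:
        """Mediate one read of patient_id's record by user.

        Non-clinical roles are refused outright. Emergency access is granted
        without a challenge but flagged for later review. Otherwise the user
        must answer the attestation challenge once per patient; after that,
        repeat requests for the same patient pass silently.
        """
        key = (user.user_id, patient_id)
        if user.role not in self.clinical_roles:
            self._log(user, patient_id, "denied:role")
            return Decision(granted=False)
        if emergency:
            self._emergency.add(key)
            self._log(user, patient_id, "granted:emergency")
            return Decision(granted=True, flagged=True)
        if key in self._attested:
            self._log(user, patient_id, "granted:repeat")
            return Decision(granted=True)
        if attested:
            self._attested.add(key)
            self._log(user, patient_id, "granted:attested")
            return Decision(granted=True)
        self._log(user, patient_id, "challenged")
        return Decision(granted=False, challenge=ATTESTATION_PROMPT)

    def render_printout(self, user: User, patient_id: str, body: str) -> str:
        """Return the printable record with the exporter's identity and the
        date/time stamped above and below the content. Refuses the export
        if this user never attested (or broke glass) for this patient."""
        key = (user.user_id, patient_id)
        if key not in self._attested and key not in self._emergency:
            self._log(user, patient_id, "denied:export")
            raise PermissionError("no attested or emergency access on record")
        stamp = self.now()
        banner = (f"Printed by {user.name} [{user.user_id}] on {stamp:%Y-%m-%d} "
                  f"at {stamp:%H:%M %Z} -- patient {patient_id}")
        self._log(user, patient_id, "exported")
        return "\n".join([banner, body, banner])

    def flagged_for_review(self) -> List[Dict[str, str]]:
        """Audit entries a privacy officer should look at: emergency reads and
        refused exports."""
        return [e for e in self.audit
                if e["event"] in ("granted:emergency", "denied:export")]


if __name__ == "__main__":
    med = AccessMediator()
    dr = User("u100", "Dr. A. Example", "physician")  # constructed sample user
    first = med.request_access(dr, "P-001")
    print("challenge:", first.challenge)
    med.request_access(dr, "P-001", attested=True)
    print(med.render_printout(dr, "P-001", "Allergies: none recorded"))
```

Two design points follow from the slide. The attestation is remembered per (user, patient) pair, so the clinician is asked once rather than on every read, which is what makes the question an acceptable friction; the record of who attested, when, is what gives it teeth, because the control relies on accountability rather than on a technical barrier. The emergency path deliberately asks nothing, since the earlier slide states that access rules cannot all be listed deterministically, and instead surfaces the read through flagged_for_review() so the override is audited rather than silent.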