The Guelph and Area OHT has completed a review of the current state of information flows between its core member organizations with respect to sharing accountability for Personal Health Information. This review includes analysis of how privacy is managed in the current state and how privacy would be managed in an optimized future state (from an information management perspective) with the G&A OHT being a single entity. In summary:
- Personal Health Information and Protection Act (PHIPA) compliance – There are currently varying degrees of compliance to PHIPA across our partner organizations. In the ideal future state (from a privacy/information flow perspective) where Guelph and Area OHT is a single entity, compliance would be consistent, standardized, and a common experience for the individual client/family.
- PHIPA notice for clients – Currently, several member organizations do not reference PHIPA and/or do not have a fully compliant PHIPA notice i.e. naming the Privacy Officer/IPC for complaints. In the future G&A OHT, utilization of one standardized PHIPA notice which could be electronically displayed on the Guelph OHT entity, and understood by all agencies.
- Health Data Governance and Accountability – Currently, the only data governance entity is CMHAWW Mental Health and Addictions Portal (WW MHAP), whereby there are 10 MH&A organizations that have harmonized policies and procedures, and CMHAWW hosts and is responsible for the data repository. All other organizations work within their own individual agency’s Health Information Management (HIM) services (if they have an HIM department). In the mature G&A OHT, one consistent health data governance accountability model will increase the application of PHIPA and consent directives significantly. Our local approach will interface with provincial centralized consent management application.
- Health Information Custodian (HIC), Agent, Service Provider or Health Information Network Provider (HINP) – Not all member organizations have a full understanding, resulting in variable application of the legislation. In the mature G&A OHT, there is opportunity to have one single HINP entity if all health information software is interoperable using eHealth Ontario technology standards (HL7, FHIR).
- Health Information Management (HIM)/Experienced IT professionals within the healthcare environment – Currently, acute care has robust HIM/IT infrastructure but few community agencies have an HIM/IT infrastructure to support compliance to PHIPA. In a mature G&A OHT, there is the opportunity to have a system-wide HIM infrastructure with increased resources i.e. shared HIM resources across all providers.
- Ownership of Personal Health Information (PHI and Health Record – Supreme Court of Canada has established that any PHI collected, used, and disclosed is part of an agency’s record. This standard is not currently well understood in the use of an individual’s PHI across the continuum of care for health and risk purposes. In the mature G&A OHT, a formalized data governance entity will clarify and provide shared accountability for personal health information.
- Security – If you are hosting one or more databases (e.g. FHT) the importance of having a Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA) is key. In the mature G&A OHT, shared back-office and IT support will optimize consistency and efficiency of compliance.
- Consent Management – In the current state there is opportunity to strengthen compliance with PHIPA with respect consent management functionality within EMRs. Currently, there is an inconsistent approach to consent for the purposes of healthcare i.e. implied consent with notice, express verbal, express written, etc. There is a lack of understanding of applying PHIPA Circle of Care. The ability to proactively receive, apply, and forward a consent directive is only available within a HINP model, such as CMHAWW. As a fully mature OHT, we will have the opportunity to apply a consistent, pro-active consent directive process across all Guelph OHT providers. Once our databases/platforms are interchangeable, this will be centrally managed. Alternatively, clinical connect and/or another provincial entity could perform this function provincially for sharing between/across all OHTs.
- Audits – Currently, acute care and some community agencies have the functionality to conduct regular audits to comply with PHIPA. In the mature G&A OHT, centralized data governance model audits will be consistently, accurately applied, and potentially prevent breaches, data errors, etc.
- Harmonized Policies and Procedures to comply with PHIPA – Currently, only agencies who have a Data Sharing Agreement (DSA) and/or are a Health Information Network Provider (HINP) are equipped to develop, implement and apply standardized, harmonized privacy and security policies and procedures to meet PHIPA. Access to one’s PHI processes is also inconsistent and common information overlaps across agencies, which results in confusion around ownership of an individual’s complete electronic client record. The mature G&A OHT governance model will support more efficient and better-understood common policies to comply with PHIPA across the system of care increased ability to monitor, keep current and evaluate efficacy of procedures.
- Agent and Vendor Accountability – Currently, acute care and some community agencies do have robust policies and procedures to ensure agent and vendor accountability. The G&A OHT will ensure consistency among agents and vendors across the system of care. Back office shared services will reduce costs when buying in bulk.
- Privacy and Security Training – Acute care and some community agencies have an onboarding and ongoing training and process to ensure dynamic privacy and security training, along with annual signing of privacy pledges. The G&A OHT will reduce costs and standardized onboarding, orientation and ongoing training for all providers e.g. some agencies are using online modules and tracking training session electronically, which can be shared across the system to support defense of any PHIPA breaches at IPC.
- Privacy Complaint and/or Incident Management – Currently this is not formalized between the potential OHT partners. Consistent approach to privacy complaints and incident management will ensure consistency in application of PHIPA across the healthcare system. Use of a tool like RL6 among partners will increase real time learning.
- Decision Support / Health Informatics – Currently there is inconsistent decision support / health informatics specialist knowledgeable across providers. In the mature G&A OHT, a consistent approach and centralized infrastructure for decision support/HI will ensure accuracy and reliability of system-wide health care stats. Also, centralized decision support/HI infrastructure will reduce costs in training, and increase knowledge translation across the system.
- Non-identified data for evaluation and research – Currently inconsistent across all agencies – limited local Research Ethics Board (REB) and only 1-2 organizations have an ethicist; few have an ethics committee to ensure compliance to PHIPA. By having all G&A OHT providers participate in a joint REB and shared Ethics Board, partners will benefit from, among other things, reduced costs for application to the Integrated Decision Support (IDS) program.
As a next step, the G&A Area OHT will complete a comprehensive review of how patient information is shared within our team (as per categories in analysis above), will identify gaps in information flows between member organizations/providers and develop an action plan to mitigate the identified gaps in information flows between member organizations/providers.
Additionally, we will complete an inventory of existing data sharing agreements and platforms that are currently being leveraged to share this information. Data sharing agreements currently exist between providers to support specific programs and functions (e.g. Emergency Mental Health Service, Health Links, home & community care Hospital Discharge Care Coordinators). As gaps in information flows are identified, we will look to existing and/or create new agreements to support the required flow of information.
A Health Information Network Provider Agreement exists between CMHAWW and all current LHIN-funded community mental health and addiction agencies (including hospital outpatient) across Waterloo Wellington LHIN geography. As part of this HINP, there is a governance structure, shared privacy and security policies and procedures, and shared data (including referral information and waitlist management) through the Waterloo Wellington Mental Health and Addictions Portal (WWMHAP), hosted by CMHAWW on the CaseWORKS platform. Opportunities to add additional Guelph and Area providers to this existing agreement will be explored. Additionally, the expertise and structure that are supporting this agreement will be leveraged to explore similar agreements between other providers.