Privacy Policy and Operating Practices Manual

<Organization Name>

Version: 3.1

Date: March 2017

Table of Contents

Privacy Policy and Operating Practices Manual

Audience

Overview

Instructions on Adopting these Policies and Operating Practices for Your Organization

Access and Correction Policy and Operating Practices

1. Policy Statements

2. Operating Practices

When the <patient/client> asks a Clinician

When the <patient/client> asks an administrative staff member or makes a written request

Charging Fees

Correcting the Medical Record

Receiving Requests for Access or Correction related to Shared Systems (e.g., ConnectingOntario)

Inquiries and Complaints Policy and Operating Practices

1. Policy Statements

2. Operating Practices

Inquiries or Complaints

When an Inquiry or Complaint Identifies a Breach

Inquiries and Complaints Related to Shared Systems

Privacy Breach Management Policy and Operating Practice

1. Policy Statements

2. Operating Practices

Responding to a Breach

Disciplinary Action

Notification to the Impacted <patient/client>(s)

Breaches Related to Shared Systems

Privacy and Security Training Policy and Operating Practice

1. Policy Statements

2. Operating Practices

Training Clinical and Administrative Staff Members of Their Obligations

Before Accessing New Systems or Information

Contents of Training Materials

Consent Management Policy and Operating Practice

1. Policy Statements

2. Operating Practices

Getting Consent

Blocking the <patient/client> Medical Record

Blocking Medical Records in Shared Systems

Overriding <patient/client> Blocks

Logging and Auditing Policy and Operating Practice

1. Policy Statements

2. Operating Practices

Logging Access and <patient/client> Blocks

Auditing Staff Members’ Access to <organization name>’s Systems

Auditing Staff Members’ Access to Shared Systems

Retention Policy and Operating Practice

1. Policy Statements

Supporting Operating Practices

Identity Verification

Verifying <patient/client> Identity

Confirming that the Person is a Substitute Decision Maker for the <patient/client>

Supporting Tools and Templates

Access and Correction

Request for Access Form

Request for Access Log

Request for Access Response Template

Request for Correction Form

Request for Correction Log

Request for Correction Response Template

Notice to HIC of a Correction to PHI Template

Inquiries and Complaints

Inquiry and Complaint Log

Inquiry or Complaint Response Template

Privacy Breach Management

Privacy Breach Log

Privacy Breach Report

Training

Privacy eLearning Modules

Training Log

Consent Directives

Consent Directives Log

Request for Consent Directive Response Template

Notice of Consent Override

Notice of Consent Override to IPC

Consent Directives Override Log

Template of Messages to Discuss with <patient/client> when Creating or Removing a Block

Template of Messages to Discuss with <patient/client> when an Override Occurs

Identity Verification

Identity Verification Standards

SDM Log

Glossary

Privacy Policy and Operating Practices Manual

Audience

This manual is intended for use by Health Information Custodians (HICs) that may require assistance in creating and maintaining a basic privacy program in order to comply with the requirements of the ConnectingOntario EHR Privacy Policies.

Overview

This manual contains the following sections:

  1. Policies – Six policies, including the supporting operating practices, that outline the elements of a basic privacy program and how to meet them
  2. Supporting Operating Practices – Procedures that support a privacy program but that are not necessarily guided by policy (e.g., identity verification)
  3. Supporting Tools and Templates – The tools, templates, and forms referenced in the policies

Instructions on Adopting these Policies and Operating Practices for Your Organization

These policies and operating practices provide organizations with the basic steps and associated tools and templates required to manage <patient/client> privacy rights[1]. When completing the Readiness Assessment for ConnectingOntario, health service providers indicated in many instances that they did not have processes to perform a particular privacy activity (e.g., no process to receive a <patient/client>’s request to view his or her medical record). Adopting the policies and operating practices outlined in this manual will give the organization the process if they do not have one.

The steps are focused on an organization’s internal processes. Therefore, the steps can be used by health service providers in meeting the privacy rights of any of its <patients/clients>, not just those whose medical record is in shared systems such as ConnectingOntario. However, the steps do mention where the policies and procedures of shared systems would take over.

To adopt these policies, follow the steps below:

Step 1: Read the policies and operating practices to become familiar with them. Do not worry about reading the tools or templates yet.

Step 2: Using MS Word’s “Find and Replace” feature, replace the following terms with the term appropriate to your organization:

Find / Replace with / Example
<organization name> / The name of your organization / Main Street Health Centre
<name of privacy contact> / The person at your organization who deals with privacy requests and issues from your patients / Jim Smits
<patient/client> / Either patient or client, depending on the term you use / Patient
<patients/clients> / Either patients or clients, depending on the term you use / Patients
<location at your office where the template is stored> / Computer or server location where the templates are found / \\Main_Computer\privacy\templates
<location at your office where the completed document is stored> / Computer or server location where the documents are stored when completed; access should be restricted / \\Main_Computer\privacy\secure_files

Step 3: Edit any steps that your organization does differently.

Step 4: Identify the colleague(s) in your organization who must approve the policy and operating practices. Review them with that person or group and ask them to approve the policies.

Step 5: Using MS Word’s “Find and Replace” feature, replace the following terms with the term appropriate to your organization:

Find / Replace with / Example
<Approver> / Name of the person or group who approves the policies in your organization / Dr. John Smith
<Effective Date> / Date that the policy comes into effect; usually the date it is approved / January 16, 2015
<Review Date> / Date that the policy will next be reviewed to ensure it is still appropriate; it is usually reviewed annually / January 16, 2016

Step 6: Extract the updated policies and save the updated document as your organization’s new privacy policies and practices manual in the template folder referenced above in Step 2.

Step 7: Provide copies of your policies and operating practices manual to clinical and administrative staff members, and schedule a training session to review the content of the manual with staff. What does the staff member need to know about the policies? What do they need to do?

Step 8: Reference the policies and operating practices when a privacy request or issue emerges.

Access and Correction Policy and Operating Practices

PHIPA Reference: Sections 51-55 / Policy Owner: <Approver>
Effective Date: <Effective date> / Next Review Date: <Review date>
Templates or forms associated with these operating practices:
  • Request for Access Form
  • Request for Access Log
  • Response to a Request for Access Form
  • Request for Correction Form
  • Request for Correction Log
  • Response to a Request for Correction Form
  • Notification of a Request for Correction to other HICs Template

1. Policy Statements

  1. <patients/clients> may ask to see or get copies of their medical records. They can ask us verbally or make a written request.
  2. <patients/clients> may ask <organization name> to correct their medical records if the information is out-of-date, inaccurate, or incomplete.
  3. <organization name> must respond to all requests to see, get a copy of, or to correct the medical record within 30 calendar days. <organization name> must notify the <patient/client> that we require an additional 30 calendar days to respond if:
     a. Responding within 30 calendar days would interfere with normal clinic functioning because finding or compiling the medical record is very complex; or
     b. More time is needed to confirm whether some of the medical record should be withheld.
  4. <organization name> may decide not to make a correction to a medical record if:
     a. The information was received from another organization and <organization name> does not have enough information to know whether it should be corrected;
     b. The correction is frivolous, vexatious, or requested in bad faith;
     c. The medical record is not incorrect or incomplete; or
     d. The information represents a clinical opinion that was made in good faith.
  5. If the <patient/client> asks, <organization name> must note in the medical record that the <patient/client> asked for a correction but <organization name> refused to make the correction.
  6. <organization name> may decide not to release some or all of the medical record if there is a good reason. The reason must be consistent with PHIPA s52.

2. Operating Practices

When the <patient/client> asks a Clinician

Step 1. When a <patient/client> asks a clinician to see or get a copy of the medical record, the clinician should show or make a copy of the medical record if it is easy to do (e.g., showing the <patient/client> your screen, printing the medical record from the electronic medical record).

Step 2. If the clinician cannot show or give a copy of the record to the <patient/client>, the clinician must give the request to <name of privacy contact>.

When the <patient/client> asks an administrative staff member or makes a written request

Step 1. The administrative staff member who receives the request must:

1.1. Try to get enough information from the <patient/client> to be able to identify the medical record he or she needs; and

1.2. Give the request to <name of privacy contact>.

Step 2. Before giving the <patient/client> his or her medical record, <name of privacy contact> must:

2.1. Write in the Request for Access Log that the request was made;

2.2. Verify the identity of the <patient/client> by asking for photo identification or by asking another member of the clinic, if <name of privacy contact> does not know the <patient/client>;

2.3. Confirm that the person is indeed the substitute decision maker for the <patient/client>, if applicable, by following the Guidelines for Identifying a Substitute Decision Maker;

2.4. Identify any location or system (e.g., paper, EMR) where the <patient/client>’s medical record exists;

2.5. Confirm with the <patient/client>’s clinicians whether any information in the medical record should not be given to the <patient/client> (see the possible reasons in Policy #6 above);

2.6. Tell the <patient/client> how much, if anything, they will be charged to give him or her a copy of the medical record; and

2.7. Direct the <patient/client> to contact the relevant program office (e.g., eHealth Ontario) to make the Request for Access if the medical record involves PHI contributed by another organization, or involves logs to which the HIC has no access.

Step 3. When responding to the <patient/client>, <name of privacy contact> must do one of the following:

3.1. Give a complete copy of the medical record;

3.2. Give only some of the medical record, withholding some of the PHI (see the possible reasons in Policy #4 above for not giving all of the information);

3.3. Not give any information from the medical record (see the possible reasons in Policy #4 above for not giving all of the information); or

3.4. Notify the <patient/client> in writing that <organization name> needs another 30 days to respond (see the possible reasons in Policy #3 above for needing more time).

Step 4. If <organization name> only releases some information or needs more time, <name of privacy contact> must complete the relevant Request for Access Response Template.

Step 5. <name of privacy contact> must meet with the <patient/client> to explain any abbreviations, terminology, or codes if the <patient/client> asks.

Step 6. <name of privacy contact> must log the results of the request using the Request for Access Log.

Charging Fees

Step 1. <name of privacy contact> must:

1.1. Decide whether to charge or waive a fee to cover the cost of preparing and printing the medical record.

1.2. Not charge more than the lesser of:

1.2.1. The cost of preparing the medical record; or

1.2.2. The amount set out in the fee schedule established by the OMA.

1.3. Tell the <patient/client> the fee before preparing the medical record and not change it after the <patient/client> has agreed to the fee.

Correcting the Medical Record

Step 1. The <patient/client> must:

1.1. Complete the Request for Correction Form to ask to correct his or her medical record.

Step 2. <name of privacy contact> must:

2.1. Help the <patient/client> to complete the form if necessary;

2.2. Discuss the correction with the appropriate clinician(s) to determine whether to change the information; and

2.3. Respond to the request within 30 days of having received it.

Step 3. When responding to the <patient/client>, <name of privacy contact> must do one of the following:

3.1. Make the correction;

3.2. Notify the <patient/client> that the request has been refused (see the possible reasons in Policy #4 above for not making a correction); or

3.3. Inform the <patient/client> that an additional 30 days is required to respond to the request.

Step 4. If the correction is granted, <name of privacy contact> must:

4.1. Strike out the previous information in the medical record (leaving it readable) and record the new information as soon as possible.

4.2. Upon request from the patient, inform any other clinics or healthcare providers to which <organization name> disclosed the information of the change if it may impact the <patient/client>’s care[2].

Step 5. If the correction is refused or more time is required, <name of privacy contact> must complete the Request for Correction Response Template and ask the <patient/client> whether they would like to attach a note to his or her medical record explaining that he or she disagrees with the accuracy of the information.

Receiving Requests for Access or Correction related to Shared Systems (e.g., ConnectingOntario)

Step 1. If the <patient/client> requests to view or get a copy of their medical record in a shared system, <name of privacy contact> must:

1.1. Follow these procedures (i.e., starting at number 1 of this operating practice) if the medical record was contributed by the clinic; or

1.2. Give the <patient/client> contact information within 30 days for the program office responsible for the shared system (e.g., eHealth Ontario) if the medical record was contributed by another clinic or by multiple clinics.

Step 2. If the <patient/client> asks for a correction to a medical record in a shared system, <name of privacy contact> must:

2.1. Follow these procedures (i.e., starting at number 1 of this operating practice) if the medical record was contributed by the clinic; or

2.2. Give the <patient/client> contact information within 30 days for the program office responsible for the shared system (e.g., eHealth Ontario) if the medical record was contributed by another clinic or by multiple clinics.

Step 3. If <organization name> receives a request from the program office on behalf of a <patient/client>, it must follow instructions from the program office on whether to address the request under <organization name>’s policies and operating practices or under the policies and procedures governing the shared system.

Inquiries and Complaints Policy and Operating Practices

PHIPA Reference: s15 (3) / Policy Owner: <Approver>
Effective Date: <Effective date> / Next Review Date: <Review date>
Templates or forms associated with these operating practices:
  • Inquiry and Complaints Log
  • Inquiry or Complaint Response Template

1. Policy Statements

  1. <organization name> allows <patients/clients> to ask questions or make a complaint about its PHI handling practices or its compliance with PHIPA and the associated regulations. Inquiries or complaints may be verbal or in writing.
  2. <organization name> must respond to all inquiries or complaints within 30 calendar days. In limited circumstances, <organization name> can notify the <patient/client> that it requires additional time to respond to an inquiry or complaint.

2. Operating Practices

Inquiries or Complaints

Step 1. When a staff member receives a privacy-related question that is easy to answer, s/he should answer it.

Step 2. If the staff member is unable to answer the question, s/he must:

2.1. Tell the <patient/client> that s/he will give the question to <name of privacy contact> and that <name of privacy contact> will respond within 30 days; and

2.2. Give the inquiry to <name of privacy contact>.

Step 3. If a clinical or administrative staff member receives a privacy-related complaint, s/he must:

3.1. Tell the <patient/client> that s/he will forward the complaint to <name of privacy contact> and that <name of privacy contact> will respond within 30 days; and

3.2. Give the inquiry to <name of privacy contact>.

Step 4. When receiving the question or complaint, <name of privacy contact> must:

4.1. Contact the person within X days and ask for clarification if the question or complaint is unclear;

4.2. Ask the person to contact the appropriate organization if the question or complaint relates to another organization; and

4.3. Log that the inquiry or complaint was received using the Inquiries and Complaints Log.

Step 5. When responding to the question or complaint, <name of privacy contact> must:

5.1. Write a response to the question or complaint;

5.2. Circulate the response to other members of the clinic if required;

5.3. Respond to the question or complaint within 30 days or inform the person that an additional 30 days is needed; and

5.4. Update the Inquiries and Complaints Log when the response is sent.

When an Inquiry or Complaint Identifies a Breach

Step 1. If a question or complaint causes <organization name> to identify a privacy breach, it must follow the Privacy Breach Management Policy.

Inquiries and Complaints Related to Shared Systems

Step 1. If a person has a question or complaint related to a shared system, <name of privacy contact> must: