Canada
HIPAAT Inc. was founded in 2002 to develop patient consent management and auditing software. Our technology enables consumers to establish health information privacy policies and allows health information sharers – physicians, hospitals, pharmacies, government, etc. – to implement and enforce those policies through privacy-based access control.
Ontario sets the stage
In 2004, we aligned the core design of our consent software with the Ontario Personal Health Information Protection Act (PHIPA) requirements, as PHIPA Lock-box provisions were considered to be the most stringent privacy requirements of any jurisdiction. These provisions put individuals in the driver’s seat with respect to control over their personal health information (PHI).
What we do
Having built our software around the Lock-box philosophy, we empower individuals to decide who shall have access to their personal health information (PHI), which PHI may be collected, used and disclosed, and under what circumstances (where these choices are permitted by legislation). We also enable health information custodians (HICs) to have ‘break the glass’ access to locked PHI when needed and where permitted by law, to ensure proper patient care in an emergency.
These capabilities form the foundation of our software.
We accommodate various levels of consumer, organization and jurisdictional privacy requirements, from the very general (e.g. jurisdictional ‘implied consent’ policy – allow HICs to collect, use or disclose PHI for treatment purposes) to the detailed (e.g. consumer policy – do not share my lab reports with Dr. Jon Smith).
So how does it work?
Patient Scenarios
 |
Scenario 1 – controlling who can access PHI |
|
Scenario 2 – controlling what PHI is accessed |
|
Scenario 3 – controlling access to PHI based on timeframe |
Health Information Custodian Scenarios
|
Scenario 1 – Patient arrives at hospital incapacitated; has consent directives |
|
Scenario 2 – Physician’s office |
|
Scenario 3 – Hospital privacy officer |
-----------
Patient Scenarios
Scenario 1 – controlling who can access PHI
Juanita and Oliver are both clinicians at Toronto and District Hospital. Juanita periodically enters the hospital as a patient, and does not want Oliver, her co-worker, to access her PHI. Using HIPAAT software, she establishes a consent directive to block Oliver. So, although Oliver would typically be able to access Juanita’s PHI because of his role in the hospital, the consent management solution steps in to block access.
Juanita arrives at the hospital for treatment in May 2008 and Oliver is not part of her care team. He hears that she is there and is curious about her condition, so he inappropriately attempts to access her record. He is prompted with a message advising that access to Juanita’s record has been restricted, and he is unable to proceed.
Although Oliver does not gain access to Juanita’s record, his attempt generates a secure audit trail in the background and can be searched and reported on by the privacy officer.
Scenario 2 – controlling what PHI is accessed
Patient Simon has recently been diagnosed with a sexually-transmitted disease, and would like to keep the lab results confidential. HIPAAT software enables him to block access to the lab report, providing emergency override access when necessary.
Scenario 3 – controlling access to PHI based on timeframe
Patient Ellen had an abortion in October of 2007, and she wishes to keep the details – reports, associated medications, etc. – surrounding that medical visit private. She is able to block access to her PHI based on specific date range.
Health Information Custodian Scenarios
Scenario 1 – Patient arrives at hospital incapacitated; has consent directives
Susan Tang works as a critical care nurse in the Emergency Department at Maritimes Central Hospital. Patient William Underhill arrives by ambulance, incapacitated. Susan needs to review his medication history in order to check for potential harmful drug interactions when treating him.
When Susan tries to access William’s electronic medical record she receives a warning message advising that some or all of his record has been sealed and that she may proceed but a privacy/security alert will be generated. Susan quickly enters a reason for overriding the restriction, and then has full access to the information she needs to properly treat William.
An email or pager alert is immediately sent to the hospital’s privacy officer and/or the patient so that William can subsequently be made aware of the “breach” and the reason for it.
In the background, a secure audit trail is created that can be searched and reported on by the privacy officer.
Scenario 2 – Physician’s office
Morris Goldman and Arthur Snedker are general practitioners in a group clinic. Their office has an Electronic Medical Record (EMR) system and consent management capabilities.
Patient Samantha Jones has restricted Dr. Snedker, her neighbour, from accessing her record, but will allow access by her own physician, Dr. Goldman. When Dr. Goldman accesses her record, he can do so without interruption.
When Dr. Snedker attempts access, he receives a warning message advising that he is not authorized. He can choose to override the alert and have access to Samantha’s record (with an alert immediately sent to Samantha by email), or abandon the snooping. An audit trail is generated in either case.
Scenario 3 – Hospital privacy officer
George Stewart, privacy officer at Mountain General Hospital, is advised by Rhonda Smith that she is an in-patient at the hospital and that she would like to restrict her abusive ex husband, Jon Robertson (a lab technician at the hospital) from accessing her record. George advises her that he will enter the consent restriction on her behalf, and that he will keep Rhonda informed of any suspicious activity related to her PHI.
Ex-husband Jon hears that Rhonda is in the hospital and attempts to access her electronic medical record. He receives a warning message advising that some or all of her record has been sealed and – as Mountain General permits ‘break the glass’ access to PHI – he may proceed but a privacy/security alert will be generated. Jon then has two options:
Option A: Jon enters a reason for overriding the restriction, and then has access to Rhonda’s PHI. An email or pager alert is immediately sent to George and/or Rhonda so that Rhonda can be made aware of the breach and the reason for it.
Option B: Jon decides to cancel the search so that the privacy office isn’t alerted of his actions. In the background, a secure audit trail is created that can be searched and reported on by the privacy officer.
In this case, George, aware of the sensitivity of Rhonda’s situation, does a straightforward search of electronic audit logs to see who accessed – or tried to access – her record. He is able to see that Jon did indeed attempt to access her file, and advises Rhonda accordingly.
