Managing Change and Security

HLST 2040 16-11-2012

Upload: suzuki

Post on 24-Feb-2016


Video on security

• Please watch the two videos on security.
• They are available on the Moodle course page


Healthcare Business Environment

• Pg. 304
• Cost Efficiency
• Communication poses barriers to achieving desired Health outcomes
• Traditionally how much money does healthcare business invest in technical training?
• Communication is an important part of healthcare


Theories about change

• In the very first lecture, we saw theories of change
• Kurt Lewin’s change theory was covered
• Organization theory – pg. 305
• Another theory that explains why and how organizations change
• It looks at them at a macro level


Organizational Behavior Theory

• What is the difference between Organization theory and Organizational behavior theory (OB)?

• Focus on small groups and individuals – pg. 306

• OB provides deeper understanding of why, when and how the advances in IT are adopted by, or are not adopted by, an organization


Realities of our Healthcare Environment

• Cost is rising every year
• We are spending more than 40% of our budget on healthcare across Canada
• Emphasis on teamwork - FHT
• Consumers and governments are looking at performance measures more keenly


Performance Measures

• See pg. 307
• Customer Satisfaction
• Clinical Productivity and efficiency per physician
• Financial cost per relative value unit of service
• Employee satisfaction


IT challenges

• How to continually update HW and SW? System downtime?

• Can they develop IT systems jointly?
• What is the role of standards?
• What is the role of organizations like COACH, CHI and the provincial governments?
• Example is EMR adoption by GPs in Ontario
• Limited IT dept. resources


Dangerous choice

• Neglecting the need to invest time for motivating people to use the new technology

• Not just money, but other incentives
• Box 14-2, right things to do
• Pg. 315 – how to implement change while implementing EMR?


Capability of IT systems in Healthcare

• Pg. 308
• Transfer information across settings for each encounter
• Standardize the way in which records are stored
• Provide feedback, immediate and meaningful feedback


Encouraging Change

• Champion Users
• Normative pressures – pg. 311
• Policies that encourage change
• Who should make those policies?
• Workflow changes
• Formal informatics education
• Avoid the cascade effect – pg. 314


Role of the Leader

• Administrator's, or manager's, own behavior and IT skill level – pg. 314

• How persistent is the administrator in the face of problems?


What happens when CPOE is implemented?

• Pg. 313
• Acceptance of change has varied from reluctance to whole-hearted acceptance
• Involve users from the start for greater success
• Find Champions while rolling out
• Use bench-marking?


How to do conversions?

• What is a conversion?
• Difference between place and method
• Could be a mix
• Pilot
• Parallel
• Cold Turkey or direct


Case Study

• You are implementing a telemedicine project at your hospital, what are the issues?


Privacy and Security


Privacy and Confidentiality

• Pg. 439
• Privacy refers to an individual’s desire to limit disclosure of personal information
• Confidentiality deals with whether the information is released or not
• Security is the measures that are taken to protect privacy and confidentiality


Access

• Ability to obtain data and information for specific purposes by specific users

• Many measures are afoot to control access
• Technical measures
• Policy measures which may be non-technical
• In the last few years, eHealth and mHealth have made security and access complex issues


Integrity

• Pg. 439
• Integrity deals with completeness AND accuracy of data and information as well as protecting them from processes that would invalidate them

• Accidental entry of incorrect information or data is a threat to the integrity of the patient’s record


Changing Data and Information

• Can be accidental like transcription errors
• Can be intentional like deliberate erasure
• Computer viruses and worms – pg. 440


Availability

• The ability of the information users to easily access data and information appropriate to their authorization level when needed

• How will you implement security measures?
• User roles will be explained by Sai
• Archiving
• Tradeoff between security and availability


Transition from a Paper Record

• Both good and bad
• Sharing
• Security
• Cost
• Usage popularity by providers and patients
• Change management


Legislative protection of Privacy

• Assures that patient records will not be disclosed to third parties without patient consent.
• Done both at Federal and Provincial levels
• PROVINCIAL/TERRITORIAL LEGISLATION
– Health-specific legislation: Manitoba, Alberta and Saskatchewan, Ontario
– If there is no provincial rule then Federal laws apply


Legislative protection of Privacy

• FEDERAL LEGISLATION
– Statistics Act
  • applies to collected patient-identifiable health information.
– Personal Information Protection and Electronic Documents Act (PIPEDA) (2002)
  • applies to personal health information collected, used, or disclosed in the course of commercial activities across provincial/territorial and national boundaries.
  • Applies to all kinds of customer information, not just healthcare
  • Will apply to healthcare if there is no provincial law like PHIPA


Personal Health Information Protection Act 2004

• The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s health-specific privacy legislation.

• Came into effect on Nov. 1, 2004

Prof. Sai Vemulakonda


What does it do?

• New rules allow individuals greater control over how their personal health information is collected, used or disclosed.

• PHIPA provides health care professionals with a flexible framework to access and use health information as necessary in order to deliver adequate and timely health care.

• Source: http://www.ipc.on.ca/index.asp?navid=63&fid1=28


Links for PHIPA

• http://www.ipc.on.ca/index.asp?navid=63&fid1=28

• http://www.health.gov.on.ca/english/media/articles/archives/ar_04/103004a_ar.html


Electronic Tools used for Security

• Firewall
• Authentication – UID and PW
• Biometric identification – pg. 447
• Locks, Physical and otherwise – pg. 446
• Disabling single sign on
• Audit Trails
• Fencing depth


Implied Consent

• PHIPA acts on the concept of implied consent
• What does it mean?


Informed Consent

• It is a basic rule that in all research involving persons a prerequisite is that each person sign an Informed Consent form prior to the study being done.
• Various Bioethics bodies and professional associations have outlined what is required of the research person and the participant in order to make the informed consent valid.
• Release of information consent


Assumed Consent

• Exceptions to the basic rule where informed consent applies:
– Reporting communicable diseases, immunizations, traumas
– Data for administrative purposes, financial audits
– data from medical charts or large databanks used for research
  • approved by a bioethics committee
  • stripped of patient identifiers


Privacy vs. access of EHR

• It is not possible to achieve both perfect confidentiality and perfect access.

• Need-to-know assessment
– for healthcare professionals
– for patients
• How much info should be sent from one provider to another?
• Access to health data by insurers


Summary

• Change
• Managing it and policies
• Security, Privacy and confidentiality