“Real-Life” Privacy Impact Assessments in an age of

PHIPA

November 3, 2005Miyo Yamashita, Ph.D.Anzen Consulting Inc.

Purpose

Discuss 3 case studies:

1. Ontario Tumour Bank Program (OCRN)

2. Clinical Management System for family physicians (xwave)

3. Laboratory Information System (CBS)

PIA Methodology

PIA Methodology• We employed a narrative methodology that

described:

1. The PHI in which the system dealt2. The sources from which this information was obtained3. The circumstances in which PHI collection took place4. The processing of that information5. The intended uses of the information6. The circumstances in which information processing, use and

disclosure took place7. Privacy risks related to unauthorized access, use, disclosure,

modification, or loss of PHI8. Our recommendations for mitigating these risks.

Case Study #1: Ontario Tumour Bank Program

About the OCRN• Launched in November 2001, the OCRN is a not-for-

profit corporation whose goal is to accelerate the development and testing of new cancer therapies in order to bring them to patients sooner.

• OCRN programs support research in the development of new cancer therapies and they also promote clinical trials of new cancer therapies to Ontario patients.

• OCRN has a provincial oncology research ethics board (OCREB), a Cancer Research Fund, a Clinical Trials Infrastructure Fund, a Clinical Trials Network Program, a website that helps patients to locate cancer clinical trials throughout Ontario, and an oncology tumour bank.

Ontario Tumour Bank• Provides a centralized inventory of high-quality blood,

tumour tissue and accompanying clinical data – called a “Class 2 Tumour Bank”. (By contrast, a Class 1 Tumour Bank consists of blood and tumour samples at a single site, and is usually only accessed by a small number of researchers).

• The Ontario Tumour Bank Program uses a commercial tissue banking application called TissueMetrix.

• TissueMetrix assists authorized application users in the management of blood and tissue samples obtained from consenting patients.

Ontario Tumour Bank• The lack of a provincial Class 2 Tumour Bank results in a

significant reduction in the number and types of cancer studies that can be conducted in Ontario as well as: – Increased administrative costs for researchers (since they must

apply to multiple sites across Ontario for access to tumour tissue)

– Potentially inconsistent tissue samples and accompanying clinical data (since sites may not follow the same standard operating procedures for obtaining, storing and distributing tissue samples)

– Delays in approved research studies (since researchers must wait to learn whether their requests to access tumour tissue at various sites have been approved)

Ontario Tumour Bank• The OCRN Tumour Bank network is a distributed system

with locally housed databases at each participating collection centre and a central database.

• The central database resides at Cancer Care Ontario (CCO) under terms and conditions established between the OCRN, CCO, and the TissueMetrix vendor.

• The collection centres are networked to the central database using the SSHA network.

Ontario Tumour Bank• There were 5 collection centres participating in the

program in March 2005:

1. Credit Valley Hospital

2. Hamilton Health Sciences Centre

3. Kingston General Hospital

4. London Health Sciences Centre

5. The Ottawa Hospital

Ontario Tumour Bank• Local TissueMetrix applications at collection centres

have the ability to receive, process or display patient data, including test results and information on an individual donor’s health history such as his or her age, weight, family history of cancer, or whether or not a patient is a smoker.

• However, the TissueMetrix application does not function as a clinical information system or electronic medical record for patients.

• There are also no data linkages between the TissueMetrix application and other health information systems.

PIA Findings• Potential privacy concerns with:

– Data purge functions for the TissueMetrix application

– Audit functions for the TissueMetrix application– The identification of potential donors using a

retrospective consent model

• The PIA also identified a need for the OCRN and collection centres to work jointly to develop a formal privacy management strategy for the program.

Case Study #2: CMS

About the CMS• The CMS was initiated by the MOHLTC with the OMA

through Ontario MD as part of the e-Physician Project.

• The goal of the CMS project is to allow the electronic communication and exchange of PHI between Ontario primary health care providers especially in the case of “family health networks” or “family health teams”.

• A family health network allows one or more family physicians working at different clinics or hospitals to provide health care to each other’s patients. The networks allow family doctors to reduce the number of days they are on-call and offer patients access to “round-the-clock” health care services.

About the CMS• xwave is working with General Electric Healthcare

Canada (GEHC) to customize the CMS software.

• The CMS application will be developed in 3 releases.

• Release 1 of the CMS application provides electronic access to information collected for the delivery of health care. This includes electronic access to test results from 3 external laboratories:– Canadian Medical Laboratories– Gamma-Dynacare Medical Laboratories– MDS Diagnostics.

PIA Findings• Legal status of xwave needed to be finalized (e.g. a

“service provider” or a “health information network provider”).

• Service agreements with SSHA needed to be finalized.

• The CMS application maintains a complete audit trail of modifications to and disclosures of PHI, but there was no ability to log all accesses to PHI.

• Lockbox functions exist both at the chart level and the report level but the vendor needed to provide information on how these functions support lockbox requirements under PHIPA for CMS users.

CMS – Lockbox Functionality

CMS – Lockbox Functionality

Case Study #3: LIS

About CBS• Is a national, not-for-profit charitable organization.

• Its mission is to manage the blood supply in a manner that gains the trust, commitment and confidence of Canadians by providing a safe, secure, cost-effective, affordable and accessible supply of quality blood, blood products and their alternatives.

• The provincial and territorial Ministers of Health are responsible for the overall expenditure of public funds by CBS and for selecting members of the CBS Board of Directors.

About CBS• Collects approximately 850,000 units of blood annually

and processes it into the components and products that are administered to thousands of Canadians each year.

• Screens every blood donor and tests each unit of blood or blood product collected for a variety of transmissible diseases.

• Operates 42 permanent collection sites and hosts approximately 15,000 clinic events and 11,000 mobile clinics annually.

About CBS• Manages the “Unrelated Bone Marrow Donor Registry”

whose mission is to secure, in an expeditious way, donors for Canadian bone marrow transplant patients and for patients abroad.

• Oversees scientific investigations to ensure Canada is on the forefront of blood safety research.

• Helps to educate health professionals and the public to ensure the Canadian blood supply is used wisely.

About the LIS• The PIA was commissioned in January 2005 to identify

and mitigate privacy risks related to the collection, use and disclosure of information for the new CBS national Laboratory Information System (LIS).

• The new LIS will replace an older laboratory information system known as the Laboratory Data Management System (LDMS).

• The LDMS collected blood test results through automated instrument interfaces and through labour-intensive manual data input.

About the LIS• The LDMS had limited functionality and the vendor had

notified CBS of its intention to discontinue supporting the application.

• The LDMS was also not capable of supporting donor testing needs for integrated information outputs from consolidated laboratories.

• As such, CBS purchased a new LIS, which is expected to be fully implemented by mid-2006.

Benefits of the LIS• Increased use of automated result transfer• Improved process flow• Automation of result reporting and upload to MAK-PROGESA for all

tests performed on automated instruments, including HIV and WNV• A standardized, supportable information system platform• Centralized test result data storage in one database• Data migration to the Data Warehouse• Enhanced user reporting functionality, including real time and

historical metrics• Facilitated tracking and trending of all areas of donor testing, e.g.

reagents and consumables, Initial Reactive (IR) and Repeat Reactive (RR) rates

• Reduced errors associated with manual result entry• Improved tracking of real costs associated with donor screening and

patient services.

PIA Findings• The Regulations under PHIPA specifically permit CBS to:

– Indirectly collect PHI if the information is needed to ensure the safety of the blood system;

– Use a donor’s PHI to ensure the safety of the blood system; and– Disclose PHI to HémaQuebec.

• CBS needed to inform the public about its ability and willingness to meet its privacy responsibilities as a HIC:– E.g. CBS already had updated policies as a result of PHIPA, but its

new written public statement was not available on its website.

• Minor recommendations around improving faxing practices and testing interfaces between the new LIS and other CBS information systems.

Other PIA Findings• The new LIS does not contain any PHI.

• However, the new LIS will support the day-to-day information handling practices of CBS through its interface to other CBS information systems.

• Some of these day-to-day information handling practices include:

– informing blood donors when their donations have tested positive for specific diseases

– notifying Medical Officers of Health of positive test results for specific diseases

– maintaining personal information about donors, their donation history, and the distribution of blood products.

Conclusion

Conclusion• As a general rule, we are not seeing a lot of organizations

conducting PIAs on existing information systems.• Most health care organizations are conducting PIAs

because they are:– Embarking on new systems or projects and want to

ensure they comply with PHIPA and other privacy laws– A “health information network provider” under PHIPA

and they are required to conduct a PIA (and TRA)– Have received funding from CHI and are required to

conduct a PIA.• As a general rule, most organizations are not making their

PIAs available to the public.

Conclusion• PIAs are increasingly seen as a standard privacy “best

practice” for many health care organizations

• PIAs are valuable instruments for revealing privacy risks related to a specific information system or project, but they are often difficult and time-consuming to write for many health care organizations.

• Privacy risks vary according to the given system or project.

How To Contact Us

Miyo Yamashita, Ph.D.

Anzen Consulting Ltd.

38 Elm Street, #1703

Toronto, Ontario

M5G 2K5

Tel: 416-274-3637

miyo.yamashita@anzen.ca