FNHSO Privacy and Security Framework Forum Feb 16, 2016 BC First Nations Panorama Support

Agenda  Roll-call  General Updates  Access Audit Model  Round table discussion FNHSO P&S Framework Forum

Roll Call  Kwakiutl District Council Health Services  Seabird Island Band's Health Services Department  Three Corners Health Services Society  Tla’amin Community Health Services  Westbank First Nation Health and Wellness  Saulteau First Nation Health Services  Nuu-chah-nulth Tribal Council – Community and Human Services  Okanagan Indian Band Health Services  Cowichan Tribes - Ts’ewulhtun Health Services  Scw’exmx Community Health Service Society  Inter Tribal Health Authority  Pauquachin Health Centre  Nazko Health  Simpcw First Nation  Nak’azdli Health Centre  Ktunaxa Nation Council – Health Services  Splatsin Health Services  Sto:lo Service Agency Health FNHSO P&S Framework Forum

Context: Panorama Access Audit Program Objectives  Establish a robust access audit program that complies with the Panorama Access Audit requirements and includes the data in Panorama that is included in local systems (e.g. Mustimuhw)  Identify best practices for conducting user access audits in local systems (e.g. Mustimuhw)  Address the different service models:  Nurse works on their own or in a small community setting  Nurse works as part of a medium to large health program delivery team  Multiple sites within FNHSO  Define roles, responsibilities, processes, timelines, including escalation and disciplinary processes  Build capacity to support sustainability 4 FNHSO P&S Framework Forum

5 Staged Approach to Establish Access Audit Program Period 1 Validate & Refine Stage 1: Initial Audit Process Stage 0: Define Audit Program: Stages, RnR, etc. Validate & Refine Stage 2: Data Quality Audits Period 2Period 3 Validate & Refine Stage 3: Pattern-based Audits Validate & Refine Stage 4: Comprehensive Audit Program Period 4 5 FNHSO P&S Framework Forum

6 Period 1 2. Define Procedures / Forms Stage 1: Activities 1. Define Stage Objectives & Process 3. Validate Process / Procedures Period 2Period 3 4. Refine Policy / Process / Procedures Based on Lessons Learned 5. Refine Approach For Remaining Stages Based on Lessons Learned Period 4 6 Period 5 FNHSO P&S Framework Forum

Stage 1: Initial Access Audit Process √ Objectives established :  Develop capacity to:  Respond to user access complaints (reactive audit)  Inactivate user accounts that are not being used  Identify users that have accessed their own record or records of a family member with the same last name when not providing services  Monitor access to special clients 7 FNHSO P&S Framework Forum

8 Stage 1: 1. Define Process 8  Process defined √Respond to access complaints (reactive audit) √Inactivate user accounts that are not being used  Process topics for today:  Identify users that have accessed their own record or records of a family member with the same last name when not providing services  Monitor access to special clients FNHSO P&S Framework Forum

Identify User Accesses to Family Records  Context: Users are not allowed to review :  Their own records or  Records of a family member  unless they have a legitimate work-related reason to do so  Conformance Standard requirement  User is made aware that this is not allowed as part of Privacy Awareness training and when signing the Confidentiality and Acceptable Use Agreement FNHSO P&S Framework Forum

Identify User Accesses to Family Records  Investigation Process:  Execute Panorama report showing user activity against possible family members with same last name  Investigate whether access was inappropriate  Determine if the client had an appointment or other service event prior to the access event  Confirm that the user is part of client’s care team  Determine if the user viewed or updated the records  Other considerations? FNHSO P&S Framework Forum

Scenario 1: Nurse with access to a family member’s record provides lab results to family member Test for Inappropriate AccessAnswer Did the client have an appointment or other service event prior to the access event? Yes, lab work done Was the user is part of client’s care team? No, sister, not part of care team; CNRBC guidelines identify this as well; ethics Did the user view or update the client record? No, only printed lab result Was access appropriate?No FNHSO P&S Framework Forum

Scenario 2: Nurse provides immunization to a family member and charts service Test for Inappropriate AccessAnswer Did the client have an appointment or other service event prior to the access event? Yes Was the user is part of client’s care team? Yes, RN gave the imms Did the user view or update the client record? Yes, RN charted services Was access appropriate?Yes FNHSO P&S Framework Forum

Scenario 3: Nurse provides flu shot to a family member and then checks to see what STIs the family member has Test for Inappropriate AccessAnswer Did the client have an appointment or other service event prior to the access event? Yes Was the user is part of client’s care team? Yes Did the user view or update the client record? Both; sequence was chart the service, then view the record Was access appropriate?Depends on whether there is evidence of the need to go to STI documented in the chart FNHSO P&S Framework Forum

Scenario 4: Nurse accidently accesses a family member’s record – Test for Inappropriate Access Answer should you document this in the client record? Important to chart the access if something was added to the chart in error -Looking at something in error should be there for a short time – that would provide the hint that the access was in error w/o charting a note -Some FNHSOs document this with using Mustimuhw because duration is not available FNHSO P&S Framework Forum

Scenario 5: other scenarios? Test for Inappropriate AccessAnswer Did the client have an appointment or other service event prior to the access event? Was the user is part of client’s care team? Did the user view or update the client record? Was access appropriate? FNHSO P&S Framework Forum

Identify User Accesses to Family Records  Investigation Process (cont’d):  If warranted, review activity with user, user’s manager/supervisor  If access is confirmed to be inappropriate, determine disciplinary actions (e.g. Privacy refresher, review the Confidentiality & Acceptable Use Agreement) in conjunction with user’s manager/supervisor  If warranted Initiate Breach Management process or complete disciplinary actions  This access is not considered a breach unless the user continues to repeat this behavior after being reminded not to FNHSO P&S Framework Forum

 Trigger: A “special” client has received services  How would you define “special”? FNHSO P&S Framework Forum Deferred: Monitor Access to Special Clients

Monitor Access to Special Clients  Investigation Process:  Execute Panorama report showing user activity against a specific client  Review access to identify possible inappropriate activity  If warranted, review activity with user, user’s manager/supervisor  If access is confirmed to be inappropriate, determine disciplinary actions (e.g. Privacy refresher, review the Confidentiality and Acceptable Use Agreement)  If warranted Initiate Breach Management process or complete disciplinary actions FNHSO P&S Framework Forum

19 Period 1 2. Define Procedures / Forms Stage 1: Activities 1. Define Stage Objectives & Process 3. Validate Process / Procedures Period 2Period 3 4. Refine Policy / Process / Procedures Based on Lessons Learned 5. Refine Approach For Remaining Stages Based on Lessons Learned Period 4 19 Period 5 FNHSO P&S Framework Forum

What forms are required? Stage 1 AuditsForms (others)? Template Available/Required? Respond to access complaints (reactive audit) Complaint form Client Response Letter FNHSO P&S Framework Forum

What forms are required? Stage 1 AuditsForms (others)? Template Available / Required? Inactivate user accounts that are not being used Letter to manager that explains: - how to evaluate access requirements - what to do if access is required or no longer required - Timeframe when response back is expected - Consequences when timeframe passes FNHSO P&S Framework Forum

What forms are required? Stage 1 AuditsForms (others)? Template Available / Required? Identify User Accesses to Family Records Letter to manager that explains: - how to evaluate whether access was appropriate - possible remediation activities if access was not appropriate - Timeframe when response back is expected - Consequences when timeframe passes FNHSO P&S Framework Forum

What forms are required? Stage 1 AuditsForms (others)? Template Available / Required? Monitor Access to Special Clients Letter to manager that explains: - how to evaluate whether access was appropriate - possible remediation activities if access was not appropriate - Timeframe when response back is expected - Consequences when timeframe passes FNHSO P&S Framework Forum

24 Period 1 2. Define Procedures / Forms Stage 1: Activities 1. Define Stage Objectives & Process 3. Validate Process / Procedures Period 2Period 3 4. Refine Policy / Process / Procedures Based on Lessons Learned 5. Refine Approach For Remaining Stages Based on Lessons Learned Period 4 24 Period 5 FNHSO P&S Framework Forum Next Step: 1.Prepare process & procedure documentation 2.Validate

Roundtable Review  Any changes to Panorama users (add/remove) ?  Questions or concerns?  Mildred: FOB not working and takes along time to correct; working with Karl/Lisa to address  Agenda items for next meeting?  Mildred for April meeting TBC late March – Mustimuhw audit procedure and screen shots where relevant FNHSO P&S Framework Forum