The Health Information Governance Framework

Dr Inga HunterMember, HIGEAG

i.hunter@massey.ac.nz

HINZ conference

19-22 October 2015, Christchurch

Today’s discussion

• What is HIGEAG?

• Why a Health Information Governance Framework (HISF)?

• What is it?

• How is it relevant to you?

• What next?

•

What isHIGEAG?

HIGEAG

• Health Information Expert Advisory Group

• Established to develop a HIGF for the New Zealand Health sector and reports to the National Health IT Board

• Current members and the organisations they represent:Dr Sandra Hicks (NZMA), Denise Irvine (NZNO and NZCOM), Sebastian Morgan-Lynch (Office of the Privacy Commissioner), Stephanie Fletcher (Chair, NHITB Consumer Panel), Dr Inga Hunter (RNZCGP), Fiona Thompson, (CEO GPNZ), Julia Fomison (Privacy Officer for CDHB), Dr Lyndy Matthews (Council of Medical Colleges), Phil Knipe (Chief Legal Officer and Chief Privacy Officer for MOH).

• Supported by Tony Cooke and Lucy Curtis in an ex-officio capacity

Why a Health Information Governance

Framework (HISF)?

Why does New Zealand need a Health Information Governance Framework?

To achieve better quality care, health information needs to be shared in an appropriate way. However where health information is scattered across systems that care may be compromised.

• Unfortunately health information is currently fragmented and managed differently depending on:

• What PHO the patient is enrolled in

• What IT application is being used to store the health information

• How many health providers (including primary and secondary) the patient has seen

• Whether the patient has used other health services (eglaboratories, pharmacy etc)

HIGEAG

Different ways of storing health information:

•Point of care systems

•Shared care systems

•Summary care systems

•Decision support systems

•Personal health record systems

•Healthline (advice and support) systems

HIGEAG

Different systems trying to address this separately, eg:

• HealthOne

• Testsafe

• Medtech – Manage My Health

• HSAGlobal – long term conditions / shared care planning

• My Practice – My Connection Portal

• Maternity Information Systems Programme

HIGEAG

Additional issues:

• Cloud computing for storage of information – the international arena

• Role Based Access Control (RBAC)

• Proximity based access control

• Audit Logs

Existing legislation and best practice - privacy & security

What is the Framework?

17

The underlying principles:

• High quality health information supports high quality health care.

• Maintaining trust between consumers and health agencies requires the safe sharing of health information.

• Consumers may withhold from sharing part, or all, of any of their health information that is not required to be disclosed by law.

• A health agency may use or disclose a consumer’s health information if they have been granted authorised access to do so or for purposes that have been communicated to the consumer.

• Health agencies must establish reasonable safeguards to monitor and protect health information

HIGEAG

The principles were pulled together under four sections which in turn became the backbone of the Framework:

• Maintaining Quality and Trust

• Upholding Consumer Rights and Maintaining Transparency

• Appropriate Disclosure and Sharing

• Ensuring Security and Protection of Personal Health Information

HIGF cont. - Requirements

1. Maintaining Quality and Trust

• This section sets out ways the framework will support information sharing so that health practitioners have all relevant information at point of care and, at the same time, assuring consumers that their personal health information is held securely and treated confidentially.

• Covers

• Data quality

• Confidentiality and Non Disclosure Agreement

• Codes of Conduct

• Privacy Impact Assessments

HIGF cont. - Requirements

2.Upholding Consumer Rights & Maintaining Transparency

• This section sets out consumers’ privacy rights in regard to their personal health information (PHI) & the requirement that all health agencies maintain transparency in their use of PHI.

• Covers

• Rights of access and correction

• Opt on and opt off

• Training education and culture

• Leadership

• Patient notification and consent

• Disclosure of breaches

HIGF cont. - Requirements

3. Appropriate Disclosure and Sharing

• Sets out the rules around information sharing and disclosure

• Covers

• Access control (Role based Access control, proximity audits, Authorised Access)

• Disclosure to Police and other Government or Sector Agencies

• Information Matching

• AISA

• Disclosure of personal health information for secondary use

• Sanctions

HIGF cont. - Requirements

4. Ensuring Security & Protection of PHI

• This section links this Framework to the Health Information Security Framework which sets out the technical requirements in regard to holding personal health information.

• Covers

• Storage of personal health information overseas

• Retention and disposal

• Audit and monitoring

• HISF

• Safe transmission of electronic communication

Relevance

Relevance:

The national standard expectation for sharing health information in a shared health information environment

and will support compliance with legislation

• better support health practitioners to meet their requirements in providing health care

• maintain public trust in the health system use of health information

• provide specific pragmatic advice, eg:

• audit logs are to be kept for 2 years

• how to best manage sensitive health information in a shared health information environment

• how to deal with requests for information from third parties

• compliance checklists

What next?

How you can have your say......................

Is there anything else that should be included in a Health Information

Governance Framework?

Released for consultation next year

Please flag this as we want your feedback

Questions or Comments?