I was offered the job of Regional Access and Privacy Manager at Eastern Health! Ahhhhhhh! I was excited about starting the position and curious about the new environment I was entering. Given my background and the nature of the job, my senses went on high alert to everything related to privacy. I was curious as to how privacy would be emphasized as I started my role as a new Eastern Health employee.
Right away, I noticed how my letter of offer was crafted to include completing the Personal Health Information Act (PHIA) online training as a condition of my employment. This training session outlined the legislation and the important role I would have to ensure that privacy and confidentiality is top of mind. Eastern Health is a custodian of personal health information so privacy and confidentiality is imperative. The training session even included a quiz to make sure that the basic concepts were absorbed. In order to start working at Eastern Health, you must show proof of having successfully completed this training session.
Before I started work I had to meet with an occupational health nurse. When I sat down for my appointment, he kindly introduced himself and informed me the information I was about to disclose to him would be kept confidential. He gave me confidence that employees at Eastern Health are very aware of the importance of the Personal Health Information Act and the need to ensure we each treat privacy with the utmost regard. He did it with the same level of compassion and confidence he used to calm me down before inserting the TB test needle into my arm. Phew!
Day one of work for me was orientation, a full day of presentations on topics all Eastern Health employees need to be aware of, including strategic issues, safety protocols….and privacy and confidentiality! I sat in the room unassumingly, feeling excited to be a part of an organization that emphasized the importance of confidentiality in a similar manner to how they expressed their vision. Before lunch a number of Commissioners of Oaths set up shop at the back of the room so that each employee could have their Oath of Confidentiality witnessed. This oath means that I needed to read the organization’s policy on Privacy and Confidentiality and, among other things, I had to sign the oath indicating that I will comply with all obligations related to privacy laws and that I will protect the confidentiality of all information. Clearly, the importance of privacy and confidentiality is emphasized for all new employees!
I did not have computer access… and I crave access to technology, electronic files, the internet and electronic communication! No one at Eastern Health gets access to information electronically until a Healthcare Technology and Data Management (HTDM) computer password form is completed and processed. It’s a form where employees request access to all things electronic to support them in their jobs. Employees have to sign the form which indicates that any abuse of their electronic privileges will be considered a security breach. Then it has to be signed off by the employee’s manager to ensure they are only requesting access to the information and programs they need to do their job and then further reviewed by the HTDM Department so that role-based access to information and programs can be assigned. This is a small stepping stone with a large organizational effect in that security and privacy are so closely intertwined.
Employees are given appropriate access to personal health information according to their “need to know” and their job requirements. Depending upon what access to software an employee has, the organization undergoes substantial auditing processes. The Security Audit Manager Package (SAM) allows Eastern Health to perform real time audits based on rules it has determined such as identifying links between employee and patient names, street addresses and the length of time an employee has accessed a record. As an additional security feature, is an employee accesses a health record, a prompt will ask the employee whether he/she should be looking into that particular record. Eastern Health also runs random audits.
Every day after
After the initial few days, I felt like I was in the right place. I was warmly welcomed by my co-workers and I was asked challenging questions. This helped me to identify my role and relate to the purpose of my job. Identifying a purpose and working based on that purpose to create trust is a foundational concept in privacy; it was a concept woven into the initial stages of employment to set a great tone for all employees to move forward with.
My first few weeks of work at Eastern Health are around working on Privacy Impact Assessments (PIA). Eastern Health has a policy whereby PIAs are required when Eastern Health undertakes a new program, project and/or activity or if there is a significant change to a program, project and/or activity that involves the collection, use and disclosure of personal information and/or personal health information.
I’m thrilled, now that I have gone through a process that emphasizes privacy and confidentiality, that I am now contributing to ensure that we continue to offer privacy and confidentiality to our patients, clients and residents. ■
This story was written by Sarah Wickham, Regional Access and Privacy Manager with Eastern Health.