Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success

Transcription

1 Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success Norine Primeau-Menzies VP Customer Services, Chief Privacy Officer May 2012

2 Agenda Overview of OTN Setting the Stage The Transformation The Outcome & Moving Forward Lessons Learned

3 OVERVIEW OF OTN

4 What is OTN? OTN is one of the largest Telemedicine networks in world >1200 sites We help deliver clinical care and professional education among health care providers and patients An independent, not-forprofit organization, funded by the Government of Ontario

5 What does OTN do? A collaborative health care enabler, OTN uses videoconferencing and store forward technology to extend and enhance access to clinical care and professional education among healthcare providers and patients. OTN has the capacity to bring healthcare to virtually any patient, anywhere at anytime

6 Who uses OTN? Physicians & Allied HCPs Healthcare Organizations & Network Partners Patients & Families In 2010/11, telemedicine supported health care delivery and education for over 390,000 people

7 OTN Utilization /12 > 158,000 events Clinical Educational Administrative *2006/2007 was a transition year--not all utilization data available /07* 2007/ / / /11

8 Privacy at OTN OTN protects all personal health information consistent with the requirements of the Personal Health Information Protection Act, Our primary role is a Health Information Network Provider (HINP) OTN also acts as an agent, handling PHI when facilitating scheduling services on behalf of our members (HICs)

9 OTN s Privacy Program - Our Mandate Foster a privacy culture at OTN to ensure that members and their patients have confidence that PHI is protected during a clinical encounter through the network Clinical videoconferencing Store and forward services Telehomecare Personal Videoconferencing

10 SETTING THE STAGE

11 Where OTN was 3 years ago Privacy identified as one of top three risks for the organization Privacy incidents and breaches were rising Network growth of >30% annually Company employee base doubling in 3 years and tripling in 5 years

12 2009/10 Status Reported 30 breaches 1 high, 7 medium rated risks OTN shares/ transmits a significant amount of PHI to facilitate activity 90,000 clinical events 60 health disciplines Mitigating these risks was paramount to the ongoing success of the network

13 THE TRANSFORMATION

14 Moving Forward with Privacy by Design Moving the Organization forward Proactive Not Reactive; Preventative not Remedial Privacy as a Default Setting Privacy Embedded into the Design Full Functionality Positive-Sum, not Zero-Sum End to End Security Full lifecycle protection Visibility and Transparency Keep it Open Respect for User Privacy Keep it User Centric

15 Moving the Organization Forward - The Plan Leveraged the sense of urgency Board/Senior Leadership awareness Lobbied to get privacy identified as a key priority in the corporate objectives of the operating plan Transformed the team to be seen as colleagues working with the team/departments Created a privacy scorecard to highlight critical areas (2008/09) Engaged all the staff across the organization

16 Proactive not Reactive; Preventative not Remedial Conducted analysis of three years of breaches Root cause analysis demonstrated 3 primary causes responsible for 87% of breaches: 1. Manual bridge programming 2. Faxing of patient referral information 3. Member/staff knowledge Developed a 2-year plan to address the issues Continued PIA process prior to new service launches

17 Issue #1 Automate Bridge Programming 21% of breaches The connection to bring together an event was manually programmed onto the bridge Volume growth (from 20 events a day to >200) Estimated 35,000 sites programmed into large events annually (2009/10) Developed a project to transition manual work to an automated solution Launched automated solution March 2010

18 Issue # 2 Member Best Practice Tool Kit 33% of breaches in 09/10 Survey and analysis of the OTN membership base Based on findings and analysis of 3 years of member breaches OTN developed and launched the Member Best Practice Tool Kit in July 2010 ( Maintenance strategy in place to keep current

19 Privacy Fact Sheet Example

20 Issue #3 Fax Over Internet Protocol (FOIP) 33% of all breaches OTN was using manual faxing as a secure means to transmit PHI for Referral Management (original solution built in 2001) OTN Launched Fax Over Internet Protocol (FOIP) in March 2011 FOIP eliminated manual transmission of 250,000+ faxes annually and was built into our scheduling service processes Note: OTN is currently developing an on-line portal that will use a secure ereferral form (expected to launch in 2012/13)

21 Privacy as a Default Setting Organizational commitment starting with the CEO and the Board Chief Privacy Officer leadership at a senior level Organizational awareness through training including project teams Partnership with business leads and the software development team in all projects

22 Privacy Embedded into the Design Embedding the privacy team into all OTN projects from the beginning Privacy Threshold assessment screening by project teams Automating the Privacy Impact Assessment process and outcomes monitoring within the organization

23 Privacy Embedded into the Design Privacy is part of all project teams at the conceptual stage Privacy facilitates reviews or PIA/LPSA work Work plans developed for project teams to address/mitigate risks and recommendations Risk tolerance: high/medium risks are addressed before project goes live Risks documented, monitored & tracked in privacy risk register and/or escalated to enterprise risk register

24 Full Functionality Positive-Sum, not Zero-Sum Relationship building is key Partnership/working together, compromising and coming up with solutions together that meet user, organizational and privacy needs Building team s visibility and credibility within the organization was important

25 End-to-end Security Full Lifecycle Protection Privacy & Security teams align goals and objectives to ensure maximum impact on the organization 1. Privacy and Security Lateral Committee Co-chaired by CPO and CIO Representation from across the organization 2. Privacy & Security Team relationships CPO/CIO work together Privacy Specialists/Corporate Security Officer work together Communicate on common issues; update each other on operating plans status etc.

26 Visibility and Transparency Keep it Open OTN Corporate Scorecard Effectiveness Area Area of Focus Measure 2010/11 Yearend Baseline (actual) Date Month Year to 2011/12 Target (preliminary) # % # % # % # % Privacy & Security Privacy Confirmed privacy breaches % 2 * 26 * 30 N/A On-target Status Comments or Reason for Variance (if required) Privacy Indicators shared with Senior Leadership Team Governance Scorecard Effectiveness Area Focus Measure Customer Service Excellence Privacy Confirmed privacy breaches (medium and high severity) 10/11 Baseline Privacy Indicators shared with the Board of Directors FY 2011/12 Targets FY 2011/12 (YTD) # % # % # % Status 4 N/A 0 N/A 4 N/A a Variance

27 April May June July Aug Sept Oct Nov Dec Jan Feb Mar Visibility and Transparency Keep it Open OTN Privacy Scorecard Quadrant Focus Indicator Q1 Q2 Q3 Q4 Year to Date Target Status Comments 1) Incident History 1. Incident management & identification of operational systemic improvements 2. Monitor & track incidents that result in non-compliance with PHIPA # of privacy investigations initiated monthly # of privacy investigations completed monthly % of privacy breaches compared to overall total events <0.05on target Avg turn around time (days) from initiation to response to individual requesting investigation on target Avg turn around time (days) from initiation to PI file closed n/a n/a n/a n/a n/a 6 45 dayson target # of investigations which resulted in non-compliance with PHIPA % of PI which resulted in non-compliance with PHIPA as a result of OTN 43% 0% 67% 0% 66 % 50 % 60 % % % % 33 % % % % % 0% 43 % 0% 67 % 0% #% of PI which resulted in non-compliance with PHIPA as a result member action 33% 0% % % 0% % % % # of PI assessed at low severity level # of PI assessed at medium severity level # of PI assessed at high severity level % 46% 50%on target 50 % 58% 50%on target 33 % 0% 0% 42% 50%on target

28 Visibility and Transparency Keep it Open Privacy Risk Register ID# Risk Description Source Document IPIA_01 The OTN has not adopted an organizationwide security policy and supporting procedures that describe the administrative, technical, and physical safeguards it employs to protect personal health information. OTN Integration PIA Sept 07 IPIA_02 The OTN does not have a consistent method of advising and training staff of their privacy and security responsibilities. OTN Integration PIA Sept 07 IPIA_03 OTN is not currently fulfilling all its health information network provider requirements. IPIA_05 The TSM patient registry search feature may enable unauthorized access to personal health information. OTN Integration PIA Sept 07 OTN Integration PIA Sept 07 Risk Rating High High High Risk Champion Risk Owner Status Update CIO and Corporate Security Officer Complete Update notes CPO and Privacy Specialist CPO and Privacy Specialist Complete Complete CIO and Corporate MediumSecurity Officer Complete Update notes.

29 Respect for User Privacy Keep it User Centric Respect the business owners and the need to develop services for our users compromise without losing integrity of privacy principles Incorporate business owners into the process of embedding privacy into the design, the PIA review and addressing findings Develop and deliver on-line privacy training

30 Staff On-line Training Module

31 OUTCOME & MOVING FORWARD

32 Outcome and Moving Forward Privacy breaches decreased.06% / event total in 09/10.05% in 10/11.02% in 11/12 Member awareness and resources 100% of staff trained Privacy embedded into our technology and process development Privacy Threshold Assessment Automate PIA process Automate privacy investigation process

33 Past Present Privacy Investigations/Breaches INCIDENTS BREACHES

34 IAPP HP Innovation Award 2011

35 Organizational Privacy by Design Ambassadorship In the fall of 2011, OTN was awarded an Organizational Privacy by Design Ambassadorship in recognition of it s effort to embed Privacy by Design principles into the infrastructure of the organization

36 LESSONS LEARNED

37 Lessons Learned Life is a million shades of grey and it s all about compromise Raising staff awareness in a meaningful way Leverage the bad Believe that people come to work every day to good work Be passionate about what you do!

38 Acknowledgements The success at OTN is a team effort Special acknowledgement to the Privacy Team who worked diligently over the past 3 years Sylvie Gaskin, Manager Privacy and Risk Michelle MacMillan, Privacy Specialist Crystal Olive, Privacy Operations Support

39 Thank you! For additional information please contact Norine Primeau-Menzies Or please visit