Session Name: Data Sharing Policies and Protocols
Time / Room: 9:30 - 10:30 Faru
Presenter:Brian Dixon; Terry Cullen
Attendees: ( please sign up if you want to be on a policy workgroup)
What did people want from the session:
- standard approach to sharing
security within /for OpenHIE
data sharing policies /data exchange/ data sharing template
MoH guidance
what are the 'best practices' that can be evaluated and re-used
what is the/ a policy development process that can be invoked
what are the policy gaps (TC added this)
Notes:
- Introduction and desired outcomes for the session
- Not everything is going to be addressed unfortunately
- Tech implementation usually runs ahead of policy
- Nobody is doing data sharing policies very well in our review of the data policies and procedures
- India just published national guidelines, link to be provided by Terry
- india is assuming the development of a 'policy engine' and policy repository
- Most countries assume that a patient presenting for treatment counts as consent to use data, very few implement explicit patient consent systems
- There has been some work on creating a standard template for consent forms
- Robust consent forms have granular selection of data usage (e.g. Clinical care, research, 3rd party health systems, clinical quality and dta aggregation)
- Countries involved have all signed consent to use the contents of this resource
- Tech ops: to say how the organization will manage the data center where data willbe stored
- keep data safe, show the process management to the partners
- purpose of use and users:
- define the use cases, permitted purposes
- identify permitted users and their roles; it will allow to know who to give data access
- governance charter, partners to agree to share data for specific use cases, data sharing agreement
- How to keep data confident, secured and accessible at the same time
- Clinical team has access to admitted patient's data for 72 hours
- 6 mths for patient who scheduled appointment with GP
- and 3mths to nurse epidomiologists for patient with notifiable disease
Questions:
- how do you engage citizens
- have people on the governing board
- public advertisement- here is what we do and why it is important
- 'lay people' have some concerns about sharing my data
- monitoring for appropriate use
- specific queries that have been developed
- patients can get transcribed auditlog for their patient data use (and notification to partners that a patient has requested it)
- thresh holds of queries and use of the data
- opting out of the HIE
- if you opt out, you dont get any data shared
- granular access is tricky (patients dont want to give access to specific data information sets)
- phased approach to patient consent
- how do we atart a consent maturity process
- not necessary because patients 'are happy to get care'
- health sector
- legal framework and policy network
- implement from where the patient is
- information security- less granluar and then move and evolve over time
- legislation that reflects the reality of where we are
- maturity model that is developed
- lag in policy- 'pilot policy' development and evaluation
- test and implement policies
- use cases
- what is our responsibility as HIS people
- policies, procedures, governance and security- policies may be delayed as the technology advances
- HIPAA/GDPR- and what to do with GDPR
- comparison of GDPR and HIPAA
- Policies developed-- who is policy meant for? (guidance and how we learn/how to move forward)
- usually not based on reality
- organizational capacity/reality (institution that starts implementing)
- patient and infrastructure- doesnt allow things to happen
- use this within an entire health system context
Next Steps:
- balance practical experiences with the realities on the ground
practical guidance to countries
looking at what is available; different laws and studies
implement and learn from the guidance
risks and risk assessment/ risk tolerance
cross border sharing of data
how do we help each other move forward
what is everyone doing and how are they implementing it
what are the best practices
capability maturity model that is based on reality
where are we, and how do we move forward
SIGN UP FOR MORE INFO/COMMS: