Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success
Norine Primeau-Menzies
VP Customer Services, Chief Privacy Officer
May 2012
Agenda
Overview of OTN
Setting the Stage
The Transformation
The Outcome & Moving Forward
Lessons Learned
OVERVIEW OF OTN
What is OTN?
OTN is one of the largest telemedicine networks in the world, with >1200 sites.
We help deliver clinical care and professional education among health care providers and patients.
An independent, not-for-profit organization, funded by the Government of Ontario.
What does OTN do?
A collaborative health care enabler, OTN uses videoconferencing and store and forward technology to extend and enhance access to clinical care and professional education among healthcare providers and patients.
OTN has the capacity to bring healthcare to virtually any patient, anywhere at any time.
Who uses OTN?
Physicians & Allied HCPs
Healthcare Organizations & Network Partners
Patients & Families
In 2010/11, telemedicine supported health care delivery and education for over 390,000 people.
[Chart: OTN Utilization by fiscal year, 2006/07* to 2010/11, showing Clinical, Educational and Administrative events (scale 0 to 140,000).]
OTN Utilization 2011/12 > 158,000 events
*2006/2007 was a transition year; not all utilization data available.
Privacy at OTN
OTN protects all personal health information consistent with the requirements of the Personal Health Information Protection Act, 2004.
Our primary role is a Health Information Network Provider (HINP).
OTN also acts as an ‘agent’, handling PHI when facilitating scheduling services on behalf of our members (HICs).
OTN’s Privacy Program - Our Mandate
Foster a privacy culture at OTN to ensure that members and their patients have confidence that PHI is protected during a clinical encounter through the network:
• Clinical videoconferencing
• Store and forward services
• Telehomecare
• Personal Videoconferencing
SETTING THE STAGE
Where OTN was 3 years ago
Privacy identified as one of the top three risks for the organization
Privacy incidents and breaches were rising
Network growth of >30% annually
Company employee base doubling in 3 years and tripling in 5 years
2009/10 Status
Reported 30 breaches
– 1 high, 7 medium rated risks
OTN shares/transmits a significant amount of PHI to facilitate activity
– 90,000 clinical events
– 60 health disciplines
Mitigating these risks was paramount to the ongoing success of the network
THE TRANSFORMATION
Moving Forward with Privacy by Design®
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as a Default Setting
3. Privacy Embedded into the Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End to End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User Centric
Moving the Organization Forward - The Plan
Leveraged the sense of urgency
– Board/Senior Leadership awareness
– Lobbied to get privacy identified as a key priority in the corporate objectives of the operating plan
Transformed the team to be seen as colleagues working with the team/departments
Created a ‘privacy scorecard’ to highlight critical areas (2008/09)
Engaged all the staff across the organization
Proactive not Reactive; Preventative not Remedial
Conducted analysis of three years of breaches
Root cause analysis demonstrated 3 primary causes responsible for 87% of breaches:
1. Manual bridge programming
2. Faxing of patient referral information
3. Member/staff knowledge
Developed a 2-year plan to address the issues
Continued PIA process prior to new service launches
Issue #1 Automate Bridge Programming (21% of breaches)
The ‘connection’ to bring together an event was manually programmed onto the ‘bridge’
– Volume growth (from 20 events a day to >200)
– Estimated 35,000 sites programmed into large events annually (2009/10)
Developed a project to transition manual work to an automated solution
Launched automated solution March 2010
Issue #2 Member Best Practice Tool Kit (33% of breaches in 09/10)
Survey and analysis of the OTN membership base
Based on findings and analysis of 3 years of member breaches, OTN developed and launched the Member Best Practice Tool Kit in July 2010 (http://www.otn.ca/en/privacy-toolkit/resource-library)
Maintenance strategy in place to keep current
Privacy Fact Sheet Example
Issue #3 Fax Over Internet Protocol (FOIP) (33% of all breaches)
OTN was using manual faxing as a secure means to transmit PHI for Referral Management (original solution built in 2001)
OTN Launched Fax Over Internet Protocol (FOIP) in March 2011
FOIP eliminated manual transmission of 250,000+ faxes annually and was built into our scheduling service processes
Note: OTN is currently developing an on-line portal that will use a secure eReferral form (expected to launch in 2012/13)
Privacy as a Default Setting
Organizational commitment starting with the CEO and the Board
Chief Privacy Officer leadership at a senior level
Organizational awareness through training, including project teams
Partnership with business leads and the software development team in all projects
Privacy Embedded into the Design
Embedding the privacy team into all OTN projects ‘from the beginning’
Privacy Threshold Assessment screening by project teams
Automating the Privacy Impact Assessment process and outcomes monitoring within the organization
Privacy Embedded into the Design
Privacy is part of all project teams at the conceptual stage
Privacy facilitates reviews or PIA/LPSA work
Work plans developed for project teams to address/mitigate risks and recommendations
Risk tolerance: high/medium risks are addressed before the project goes live
Risks documented, monitored & tracked in the privacy risk register and/or escalated to the enterprise risk register
Full Functionality – Positive-Sum, not Zero-Sum
Relationship building is key
Partnership/working together, compromising and coming up with solutions together that meet user, organizational and privacy needs
Building the team’s visibility and credibility within the organization was important
End-to-end Security—Full Lifecycle Protection
Privacy & Security teams align goals and objectives to ensure maximum impact on the organization
1. Privacy and Security Lateral Committee
• Co-chaired by CPO and CIO
• Representation from across the organization
2. Privacy & Security Team relationships
• CPO/CIO work together
• Privacy Specialists/Corporate Security Officer work together
• Communicate on common issues; update each other on operating plan status, etc.
Visibility and Transparency—Keep it Open
OTN Corporate Scorecard
Effectiveness Area | Area of Focus | Measure | 2010/11 Year-end Baseline (# / %∆) | Month (actual) (# / %∆) | Year to Date (# / %∆) | 2011/12 Target (preliminary) (# / %∆) | Status | Comments or Reason for Variance (if required)
Privacy & Security | Privacy | Confirmed privacy breaches | 57 / 0.04% | 2 / * | 26 / * | 30 / N/A | On-target |
Privacy Indicators shared with Senior Leadership Team
Governance Scorecard
Effectiveness Area | Focus | Measure | 10/11 Baseline (# / %∆) | FY 2011/12 Targets (# / %∆) | FY 2011/12 (YTD) (# / %∆) | Status | Variance
Customer Service Excellence | Privacy | Confirmed privacy breaches (medium and high severity) | 4 / N/A | 0 / N/A | 4 / N/A | a |
Privacy Indicators shared with the Board of Directors
Visibility and Transparency—Keep it Open
OTN Privacy Scorecard (Quadrant / Focus / Indicator; monthly values April to March, Year to Date, Target, Status, Comments)
1) Incident History
1. Incident management & identification of operational systemic improvements
# of privacy investigations initiated monthly (Apr–Feb): 7, 1, 6, 5, 4, 10, 7, 3, 7, 3, 4; YTD 57
# of privacy investigations completed monthly (Apr–Feb): 5, 1, 3, 4, 2, 4, 9, 6, 5, 1, 0; YTD 40
% of privacy breaches compared to overall total events (monthly, as recorded): 0.03, 0, 0.03, 0.03, 0.02, 0.03, 0.03, 0.01, 0.02, 0; YTD 0.02; target <0.05; on target
Avg turn around time (days) from initiation to response to individual requesting investigation (Apr–Feb): 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1; YTD 1; target 1; on target
Avg turn around time (days) from initiation to PI file closed (Apr–Feb): n/a, n/a, n/a, n/a, 2.5, 4.5, 9, 17, 2, 1, n/a; YTD 6; target 45 days; on target
2. Monitor & track incidents that result in non-compliance with PHIPA
# of investigations which resulted in non-compliance with PHIPA (Apr–Feb): 43%, 0%, 66%, 60%, 50%, 40%, 57%, 33%, 43%, 0%, 50%; YTD 46%; target 50%; on target
% of PI which resulted in non-compliance with PHIPA as a result of OTN (Apr–Feb): 67%, 0%, 50%, 66%, 100%, 50%, 25%, 0%, 67%, 0%, 50%; YTD 58%; target 50%; on target
% of PI which resulted in non-compliance with PHIPA as a result of member action (Apr–Feb): 33%, 0%, 50%, 33%, 0%, 50%, 75%, 100%, 33%, 0%, 0%; YTD 42%; target 50%; on target
# of PI assessed at low severity level (Apr–Feb): 1, 0, 4, 3, 2, 4, 2, 1, 3, 0, 2; YTD 22
# of PI assessed at medium severity level (Apr–Feb): 2, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0; YTD 4
# of PI assessed at high severity level (Apr–Feb): 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; YTD 0
Visibility and Transparency—Keep it Open
Privacy Risk Register
ID# | Risk Description | Source Document | Risk Rating | Risk Champion / Risk Owner | Status | Update
IPIA_01 | The OTN has not adopted an organization-wide security policy and supporting procedures that describe the administrative, technical, and physical safeguards it employs to protect personal health information. | OTN Integration PIA Sept 07 | High | CIO and Corporate Security Officer | Complete | Update notes
IPIA_02 | The OTN does not have a consistent method of advising and training staff of their privacy and security responsibilities. | OTN Integration PIA Sept 07 | High | CPO and Privacy Specialist | Complete |
IPIA_03 | OTN is not currently fulfilling all its health information network provider requirements. | OTN Integration PIA Sept 07 | High | CPO and Privacy Specialist | Complete |
IPIA_05 | The TSM patient registry search feature may enable unauthorized access to personal health information. | OTN Integration PIA Sept 07 | Medium | CIO and Corporate Security Officer | Complete | Update notes
Respect for User Privacy—Keep it User Centric
Respect the business owners and the need to develop services for our users
– compromise without losing integrity of privacy principles
Incorporate business owners into the process of embedding privacy into the design, the PIA review and addressing findings
Develop and deliver on-line privacy training
Staff On-line Training Module
OUTCOME & MOVING FORWARD
Outcome and Moving Forward
Privacy breaches decreased
• .06% / event total in 09/10
• ↓ .05% in 10/11
• ↓ .02% in 11/12
Member awareness and resources
100% of staff trained
Privacy embedded into our technology and process development
Privacy Threshold Assessment
Automate PIA process
Automate privacy investigation process
[Chart: Privacy Investigations/Breaches by fiscal year, 2008-2009 to 2011-2012, showing Incidents and Breaches (scale 0 to 70), labelled Past to Present.]
IAPP HP Innovation Award 2011
Organizational Privacy by Design®
Ambassadorship
In the fall of 2011, OTN was awarded an Organizational Privacy by Design® Ambassadorship in recognition of its effort to embed “Privacy by Design” principles into the infrastructure of the organization.
http://privacybydesign.ca/organizations/
LESSONS LEARNED
Lessons Learned
Life is a million shades of grey and it’s all about compromise
Raising staff awareness in a meaningful way
Leverage the bad
Believe that people come to work every day to do good work
Be passionate about what you do!
Acknowledgements
The success at OTN is a ‘team’ effort
Special acknowledgement to the Privacy Team, who worked diligently over the past 3 years
– Sylvie Gaskin, Manager Privacy and Risk
– Michelle MacMillan, Privacy Specialist
– Crystal Olive, Privacy Operations Support
Thank you!
For additional information please contact Norine Primeau-Menzies, or please visit www.otn.ca