
A Privacy Impact Assessment for the Individual Health Identifier (IHI)

Final Version for Publication

28 January 2016


Table of Contents

1 Purpose of the Document ... 4
2 PIA Methodology and Approach ... 5
2.1 What is a Privacy Impact Assessment? ... 5
2.2 Stage 1 – Threshold Assessment ... 8
2.3 Stage 2 – Identification of Privacy Risks ... 9
2.3.1 Evaluation of Privacy Risks ... 10
2.4 Stage 3 – Identification of Arrangements and Controls to Mitigate Risks ... 10
2.5 Stage 4 – Documentation of the Privacy Impact Assessment ... 11
3 Establishment of a National Register of Individual Health Identifiers ... 12
3.1 Background ... 12
3.2 The Benefit of Implementing an Individual Health Identifier ... 12
3.3 Legal Basis for the establishment of the Individual Health Identifier Register ... 14
3.3.1 Assignment of a Unique Identifier ... 14
3.3.2 Establishment and Maintenance of a National Register ... 15
3.3.3 Use and Provision of the Identifying Information ... 15
3.3.4 Access to the National Register of Individual Health Identifiers ... 16
3.3.5 Offences Relating to Individual Health Identifiers ... 16
3.4 Legal Basis for Using the Department of Social Protection database to populate the National Register ... 17
3.4.1 Data Held by the Department of Social Protection ... 17
3.4.2 Provision under the Individual Health Identifiers Act ... 17
3.4.3 Provision under the Social Welfare Consolidation Act ... 17
4 Specification for the Individual Health Identifier and the National Register ... 19
4.1 Format of the Individual Health Identifier ... 19
4.2 Content of the National Register ... 20
4.3 Creation of the Individual Health Identifier Register ... 21
4.3.1 Implementation of the Individual Health Identifier Register ... 21
4.3.2 Maintenance of the National Register ... 24
4.3.3 Business Operations Unit ... 24
4.3.4 Access to the National Register ... 25
4.3.5 IHI Proof of Concept Register ... 27
5 Privacy Issues associated with the Individual Health Identifier ... 29
5.1 HIQA Information Governance and Management Standards for the Health Identifiers Operator in Ireland ... 29
5.2 Summary of Privacy Issues, Risk Scores and Mitigations ... 30
5.2.1 Privacy Issues associated with the establishment of a National Register of Individual Health Identifiers ... 31
5.2.2 Privacy Issues associated with the ongoing transfer of data for the update and maintenance of the National Register of Individual Health Identifiers ... 32
5.2.3 Privacy Issues associated with management of the register by HSE Primary Care Reimbursement Service (HSE PCRS) ... 33
5.2.4 Privacy Issues associated with the proposed dataset ... 35
5.2.5 Privacy Issues associated with provision of Individual Health Identifiers to Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) ... 37
5.2.6 Privacy Issues associated with the ongoing inclusion and use of the Individual Health Identifier in Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) ... 40
5.2.7 Individual Health Identifier Privacy Issues associated with the future uses of the Individual Health Identifier ... 42
5.3 Governance Framework ... 43
5.4 Assignment of Responsibility for Privacy Mitigation Safeguards or Controls ... 43
5.5 Mitigation Implementation Responsibility and Timescales ... 43
5.6 Appendix A – HIQA proposals for Information Governance and Management Standards for the Health Identifiers Operator in Ireland ... 50
5.7 Appendix B: Organisations We Have Consulted to Date ... 52


1 PURPOSE OF THE DOCUMENT

The purpose of this document is to provide the findings of the Privacy Impact Assessment for the establishment of a National Register of Individual Health Identifiers that has been conducted by the Health Service Executive in Ireland.

The National Register of Individual Health Identifiers will hold an Individual Health Identifier for every person who has used, is using or may use a health and social care service in Ireland.

The Privacy Impact Assessment also considers the privacy implications of access to and adoption of the Individual Health Identifier by the first systems that will access the register and use the IHI:

• Epilepsy Electronic Patient Record (EPR)
• selected GP practice systems and
• a Hospice Electronic Medical Record (EMR) system
• schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)

Each future change in the use of the Individual Health Identifier, adoption in other systems or access to the National Register by other bodies is not within the scope of this Privacy Impact Assessment. The impact of such changes will be reviewed against this Privacy Impact Assessment to ensure that any additional privacy issues arising are considered and additional safeguards put in place if required.

We will make sure that as other systems start to use the Individual Health Identifier and access the IHI Register we will check that there are no new privacy implications that we haven't considered in this document and, if there are, we will add to the Privacy Impact Assessment document to cover them too.


2 PIA METHODOLOGY AND APPROACH

2.1 WHAT IS A PRIVACY IMPACT ASSESSMENT?

Privacy can be defined as the right of an individual to keep information about themselves from being disclosed. Provision of effective, safe health and social care requires personal health information to be processed, which can present significant risks to privacy which must be appropriately managed.

An individual's right to privacy is protected under Irish legislation by the Data Protection Acts 1988 and 2003 and within Article 8 of the European Human Rights Act.

The Irish legislation outlines the rights of individuals under eight key principles of data protection and the responsibilities of those who hold and process personal information. Compliance with data protection legislation is regulated by the Data Protection Commissioner, who is responsible for upholding the rights of individuals as set out in the Data Protection Acts and for enforcing the obligations on those holding and processing personal information.

The need to protect and respect patients' and service users' dignity, privacy and autonomy has also been reflected in key health information strategies such as the eHealth Strategy for Ireland, 2013 and the Knowledge and Information Plan, 2015.

Promotion of patient and service users' privacy is embedded within the roles and responsibilities of the Health Information and Quality Authority (HiQA)¹. In respect of their role in this regard HiQA have published Guidance on Privacy Impact Assessment in Health and Social Care, which has been followed in the development of this Privacy Impact Assessment. The process of conducting a Privacy Impact Assessment is summarised in Figure 1 below.

A Privacy Impact Assessment involves evaluation of the privacy implications of projects and assessment of their compliance with relevant legislation. Where potential privacy risks are identified it should be possible, in consultation with stakeholders, to identify safeguards or controls to mitigate or reduce these risks without impacting on the objectives or realisation of the benefits of the initiative. An appropriate senior manager should be identified to be accountable and responsible for delivery of the agreed safeguards or controls.

Privacy Impact Assessments should be used wherever personal information is processed but are particularly important in the health and social care sector, where the information is considered to be sensitive information. Completion of a Privacy Impact Assessment for a project such as the implementation of the Individual Health Identifier ensures that the proposed processes and procedures for handling personal health information are reviewed to ensure that they comply with legislation and best practice. Further, stakeholder involvement in the PIA process increases awareness among professionals and creates a culture where maintaining personal health information privacy is a priority.

¹ More details about The Health Information and Quality Authority can be found at http://www.hiqa.ie/


Although a Privacy Impact Assessment is not a legal requirement, it is an effective way to demonstrate how the processing of personal data complies with data protection legislation.

Patients and Service Users can be reassured that the Health Service Executive has followed best practice. The Privacy Impact Assessment should ensure that the implementation of the Individual Health Identifier is less privacy intrusive and therefore less likely to affect them in a negative way. In addition, public consultation on the findings of the Privacy Impact Assessment will improve transparency and should make it easier for the public to understand how and why their information is being used.

By conducting a Privacy Impact Assessment on the implementation of the Individual Health Identifier, the Health Service Executive will be informed of potential impacts on individual privacy and actions that should be taken to mitigate any impact. This should in turn reduce the likelihood of the organisation failing to meet its legal data protection obligations. Further, consistent use of Privacy Impact Assessments for all relevant projects will increase the awareness of privacy and data protection issues within the Health Service Executive and will ensure that staff involved in design consider privacy issues in the early stages of a project.


2.2 STAGE 1 – THRESHOLD ASSESSMENT

The first stage of the process is the Threshold Assessment. This involves identification of whether the implementation of the Individual Health Identifier presents any potential privacy issues. This requires responses to a series of 11 questions in relation to the project. A YES response to any one of these questions indicates the need for a Privacy Impact Assessment to be conducted.

The Individual Health Identifier and associated dataset can be considered to be Personal Health Information. It consists of personal demographic information that has been collected and used for the purpose of delivering health and social care. However, it does not include any SENSITIVE Personal Health Information which relates to the condition, care and treatment of an individual.

Does the project involve any of the following?

• The collection, use or disclosure of personal health information?
YES: It involves the allocation, processing and distribution of an Individual Health Identifier and associated demographic data.

• A new use for personal information that is already held?
YES: Personal demographic information from the Department of Social Protection and the PCRS will be used to create and maintain the National Register.

• The linking, matching or cross-referencing of personal health information already held?
YES: The IHI Register will link data from DSP with data from the PCRS where appropriate.

• Establishing or amending a register or database containing personal health information?
YES: The IHI Register will be established using data currently held by PCRS. This will only hold demographic information and will not include sensitive health information.

• The collection, use or disclosure of additional personal health information held by an existing system or source of health information?
YES: Population of the Individual Health Identifiers into the Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme) will require disclosure of their master patient index (personal data only, not sensitive personal data) for matching.

• Sharing of personal health information between organisations?
YES: Individual Health Identifiers and associated personal information will be shared across consumer systems within other organisations.

• The creation of a new or the adoption of an existing identifier for service users, for example using a number or biometric?
YES: The project will create a new unique personal identifier (the Individual Health Identifier) for patients and service users.

• Exchanging or transferring personal health information outside the Republic of Ireland?
NO: Not within the scope of this PIA; however, subject to relevant national authority, future uses of the IHI may include sharing with the UK for Irish patients treated within their jurisdiction, and the IHI may be shared with other EU countries as per the EU Directive on the application of patients' rights in cross-border healthcare (Directive 2011/24/EU, Article 14). Such uses will be the subject of amendment to this PIA.

• The use of personal data for research or statistics, whether de-identified or not?
NO: Although the Health Identifiers Act allows for the Individual Health Identifier to be used for the defined secondary purposes, including research and analysis, any future use of the Individual Health Identifier for secondary purposes will be the subject of an amendment to this Privacy Impact Assessment.

• Any other measure that may affect privacy or that could raise privacy concerns?
NO.

• A new or changed system of data handling; for example policies or practices around access, security, disclosure or retention of personal health information?
YES: For example, rules relating to the provision of information when tracing an individual's Individual Health Identifier on the National Register.

As a result of the responses to these threshold questions the need for a Privacy Impact Assessment was clearly established.

To ensure that all privacy implications and possible privacy enhancement opportunities were considered during the following Stages 2 and 3 of the Privacy Impact Assessment, widespread consultation has been conducted with stakeholders in the Health Service Executive, Voluntary Hospitals, a patient representative body, the Department of Health, the Department of Social Protection, the Office of the Data Protection Commissioner and HiQA. A list of those that have been consulted has been included as Appendix B.

2.3 STAGE 2 – IDENTIFICATION OF PRIVACY RISKS

The second stage of the process involves identifying the privacy risks by exploring the scope, information flows and security arrangements of the project. This stage involved establishing how the information will be used to create the IHI Register, how it will be maintained through updates from other data sources, the functionality that will be available to the Business Operations Unit and how it will interact with the 'consumer systems' included within the Privacy Impact Assessment: Epilepsy Electronic Patient Record, selected GP practice systems, a Hospice Electronic Medical Record and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme).

An initial check was conducted to ensure that the planned implementation complied with the relevant legislation such as the Health Identifiers Act and the Data Protection Acts.

The risks to the privacy of individuals have also been considered, including the corporate impacts that might arise, such as action by the Data Protection Commissioner, reputational damage and loss of public trust, were the risks to materialise. These risks have then been scored and categorised as High, Medium or Low.

2.3.1 Evaluation of Privacy Risks

Each privacy risk will be evaluated to assess the probability of the risk occurring (likelihood) and the consequence (impact) if it were to occur. The corresponding risk score will identify whether the risk is high, medium or low as set out in the following table.

Risk score = Likelihood × Impact

Impact \ Likelihood | Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Highly Likely (5)
Negligible (1)      |    1     |      2       |      3       |     4      |         5
Minor (2)           |    2     |      4       |      6       |     8      |         10
Moderate (3)        |    3     |      6       |      9       |     12     |         15
Major (4)           |    4     |      8       |      12      |     16     |         20
Critical (5)        |    5     |      10      |      15      |     20     |         25

LOW (1-7) MEDIUM (8-14) HIGH (15-25)

2.4 STAGE 3 – IDENTIFICATION OF ARRANGEMENTS AND CONTROLS TO MITIGATE RISKS

Stage 3 addresses the privacy risks identified in Stage 2. The aim of this stage is to seek safeguards which will eliminate the privacy risks wherever possible or reduce them by implementing measures that provide robust controls in the handling of the personal data and reduce the risk to privacy. Not all privacy risks can be eliminated but it is important to ensure that the risk can be reduced as far as possible while still achieving the aims and objectives of the implementation of the Individual Health Identifier.

This stage creates a series of actions that must be incorporated within the project plan. Each action (which may address one or more of the privacy risks) will be assigned to a business owner and will be given a target delivery date.


These actions will be incorporated into the project delivery plan and implementation monitored as part of the overall management of the project.

2.5 STAGE 4 – DOCUMENTATION OF THE PRIVACY IMPACT ASSESSMENT

The final stage, Stage 4, is the production of a Privacy Impact Assessment Report which details the findings of the assessment. The report must have appropriate sign off from within the Health Services Executive and will be made public.


3 ESTABLISHMENT OF A NATIONAL REGISTER OF INDIVIDUAL HEALTH IDENTIFIERS

3.1 BACKGROUND

The eHealth Strategy for Ireland December 2013 identified the provision of health identifiers for individuals and health service providers as a key enabler to the success of the strategy.

The Health Identifiers Act, enacted in July 2014, allowed for the "establishment and maintenance of":

• A National Register of Individual Health Identifiers
• A National Register of Health Service Providers Identifiers

The implementation and operation of Health Identifiers must be in line with the provisions of the Act in accordance with commencement orders, delegation orders and regulations to be made by the Minister for Health. The Minister for Health signed an initial commencement order in September 2015 for the provisions in the Act relating to the assignment of the Individual Health Identifier, the establishment of the IHI Register and a delegation order providing the HSE with the authority for these functions.

The Minister may, after consultation with the Data Protection Commissioner, establish regulations under the Act. Regulations relating to the provisions of the Act must not be made unless the Minister is satisfied that they are in the public interest, with due regard to privacy and the effective achievement of one or more purposes.

Regulations made under the Act are to be laid before each house of the Oireachtas as soon as they are made. If a resolution annulling the regulations is passed by either house within 21 days the regulation will be annulled.

This PIA is concerned solely with Individual Health Identifiers. A PIA for the National Register of Health Service Provider Identifiers will follow at a later date.

3.2 THE BENEFIT OF IMPLEMENTING AN INDIVIDUAL HEALTH IDENTIFIER

The main benefit of having an Individual Health Identifier is to ensure patient safety. Being able to uniquely identify each user will improve patient safety by reducing the number of adverse events that may happen, such as giving the patient the wrong medication or vaccination or admitting the wrong person for surgery. The Individual Health Identifier has the following benefits:

• Patient Safety
– Reduced likelihood of providing treatment to the wrong patient
– Enhanced ability to reliably associate all records for the same patient, thereby providing a more complete picture available to professionals
• Efficiency
– Reduced effort in collecting the same information multiple times
– Obviating the need for some repeated diagnostics
– Enhanced ability to reliably associate all records for the same patient, thereby providing a more complete profile available for administration purposes
• Enabling eHealth applications
– A key enabler in the implementation of electronic health records
– A key enabler in overall information sharing required across the health system
• Privacy
– Reduces the need for identifying information to be included with electronic patient or service user information

The benefits for service users are:

• Improved accuracy in identifying the service user and their medical records will lead to safer and better care being provided.
• Service users' records in different healthcare organisations may be accurately associated with the correct service user.
• Health information can be shared safely and seamlessly between public and private health service providers, for example referral letters sent from a public hospital to a private sector GP.
• Individual Health Identifiers enable electronic transfer of service user health information, which results in faster care.

The benefits for healthcare practitioners are that Individual Health Identifiers:

• Accurately link service users to their records
• Identify patients in all communications with other health and social care providers
• Enable safe transfer of patient records electronically
• Enable electronic referrals, discharge summaries and electronic prescriptions to be sent, which results in a more timely exchange of information.

The benefits for healthcare providers are that Individual Health Identifiers:

• Help to create and maintain a complete record for each patient
• Enable patient information to be shared safely within and across organisational boundaries
• Improve efficiency in administrative tasks

The benefits for social care providers are that Individual Health Identifiers:

• Accurately and safely identify people who use social care services
• Help to create a complete record of a person's care by inclusion of records that may span different health and social care organisations
• Facilitate safe and efficient coordination of social care with health care.

3.3 LEGAL BASIS FOR THE ESTABLISHMENT OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER

The legislation to allow the creation of the Individual Health Identifier Register and the data fields to be contained therein is set out in the Health Identifiers Act 2014.

The elements of the Health Identifiers Act that relate to the unique numbers for a person or organisation that provides a health service are not included within this Privacy Impact Assessment.

In relation to the unique health identifier, therefore, the Act provides the legal basis for:

• The assignment of a unique number to every individual to whom a health service is being, has been, or may be provided.
• The establishment and maintenance of a National Register of individual health identifiers and information relating to the individuals to whom the numbers are assigned.
• The basis on which the National Register may be accessed and the personal data within it may be processed.
• The delegation of certain functions conferred on the Minister of Health to the Health Service Executive.
• Amendment to other Acts required as a consequence of the Health Identifiers Act.

3.3.1 Assignment of a Unique Identifier

The Act allows the Minister to assign an Individual Health Identifier to:

• any living individual, whether or not they are resident in Ireland, to whom a health service is being, has been or may have been provided
• an individual who has died before the Act comes into operation.


The Act requires that the Individual Health Identifier should not contain any personal data; for example, it must not contain the individual's date of birth. The Act also identifies that possession of a unique identifier is not of itself an indication of entitlement to health services.

The Act also makes provision for the Individual Health Identifier to be made available to the individual or, where the person is deceased or lacks capacity, their personal representative, if the Minister wishes to do so.

3.3.2 Establishment and Maintenance of a National Register

The Act makes provision for a National Register of Individual Health Identifiers to be established which will hold the Individual Health Identifier and other identifying particulars where they are known. The National Register can continue to hold information relating to deceased persons and can annotate their records to indicate that they are deceased and the date of their death.

The register must only contain the following personal data:

• surname
• forename
• date of birth
• place of birth
• sex
• all former surnames
• mother's surname and all former surnames of his or her mother (including mother's surname at mother's birth)
• address
• nationality
• personal public service number
• date of death in the case of a deceased individual
• signature
• photograph
• and any other particulars as determined by the Minister to be relevant to identifying the individual

3.3.3 Use and Provision of the Identifying Information

The Act makes provisions for the collection of historical data relating to an individual with a Unique Health Identifier.

The Act also makes provision for organisations that are providing or have provided health services to an individual to request that the individual or, where appropriate, their personal representative should provide information to allow them to be identified. This will be provided to the Minister within 30 days and, if the service provider finds it to be inaccurate, it will be corrected within 30 days.

The Act enables any other Minister of the Government to provide identifying information to the Minister and enables an tArd-Chláraitheoir (a registrar of births, deaths and marriages) to provide information relating to an individual's birth or death in order that the Minister can establish or maintain the accuracy of the National Register.

There are also, within the Act, clear restrictions in relation to how consumer systems (in the first instance this refers to Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)) can interface with the National Register to obtain Individual Health Identifiers for inclusion within their systems. The consumer systems will provide a copy of their local master patient index (MPI) to the National Register and will be provided with an Individual Health Identifier for all patients. At no stage will a copy of the register be provided to any third party. Individual Health Identifier data will only be provided by the submission of known individual patient/client details by an authorised health service provider to the HSE for the provision of an Individual Health Identifier and the other Individual Health Identifier data as outlined in the legislation.

3.3.4 Access to the National Register of Individual Health Identifiers

The Act requires the Minister to put arrangements in place for the National Register to be accessed by relevant persons for a range of relevant purposes and to be protected from being accessed inappropriately.

The Act also makes a series of provisions for health service providers to request information from persons they are providing services to that will enable their Individual Health Identifier to be recorded or traced, to be recorded in the individual's records and to be used in appropriate communications.

3.3.5 Offences Relating to Individual Health Identifiers

The Act makes it an offence for an individual to provide false information in order to be assigned an Individual Health Identifier. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine or on conviction on indictment to a fine not exceeding €100,000.

The Act sets out the purposes for which a person may access the National Register or process an individual's Individual Health Identifier and establishes that it is an offence to knowingly contravene these provisions. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine or on conviction on indictment to a fine not exceeding €100,000.

It is an offence for a person to impersonate another person in order to access the National Register. Anyone found guilty of such an offence will be liable on summary conviction to a class B fine.


3.4 LEGAL BASIS FOR USING THE DEPARTMENT OF SOCIAL PROTECTION DATABASE TO POPULATE THE NATIONAL REGISTER

3.4.1 Data Held by the Department of Social Protection

The Department of Social Protection issues a unique Personal Public Service number to assist individuals in accessing benefits and information from public service agencies in Ireland such as Social Welfare, Revenue, public healthcare and education.

A Personal Public Service number is issued to:

• Anyone born in Ireland since 1971

• Anyone who has worked in Ireland since 1979

• Anyone receiving a Social Welfare payment

• Anyone participating in the Drugs Payment Scheme.

The Public Service Identity database is the National Register of Personal Public Service numbers and the associated personal identifying information.

It is intended that the National Register of Individual Health Identifiers will be created and maintained from data supplied from the Public Service Identity register.

3.4.2 Provision under the Individual Health Identifiers Act

As referred to above, the Health Identifiers Act (Part 2 Section 8) makes specific provision for another government Minister to provide information relating to individuals solely for the purpose of establishing or maintaining the National Register. The Act therefore makes provision for individuals' data to be obtained from the Department of Social Protection in order to establish the National Register.

3.4.3 Provision under the Social Welfare Consolidation Act

In order for the Department of Social Protection to have a legal basis to provide data to the National Register, there also need to be provisions under the Social Welfare Consolidation Act 2005.


Section 262(6) of the Social Welfare Consolidation Act, 2005 states that:

(6)(a) Where a specified body has a transaction with a person, the Minister may share the person's public service identity with the specified body to the extent necessary in respect of that transaction* for authentication by the specified body of the person's public service identity.

(b) A specified body may use a person's public service identity in performing its public functions in so far as those functions relate to the person concerned.

(* Inserted by s.32(a)(iii) Social Welfare & Pensions Act 2007.)

Section 262 also provides that a "transaction" means—

(a) an application, (b) a claim, (c) a communication, (d) a payment, or (e) a supply of a service, relating to a public function of a specified body which relates to a natural person.

These provisions in the Social Welfare Consolidation Act 2005 allow the Department of Social Protection to provide data relating to the population of Ireland (including deceased patients) to the Health Minister for the establishment of the National Register of Individual Health Identifiers.


4 SPECIFICATION FOR THE INDIVIDUAL HEALTH IDENTIFIER AND THE NATIONAL REGISTER

4.1 FORMAT OF THE INDIVIDUAL HEALTH IDENTIFIER

The Individual Health Identifier will be a unique number used for the purposes of identification of individual patients and service users within health and social care services, and will be based upon the NHS's National Patient Identifier model, adapted for use within the Irish health environment.

Key criteria used to select the final structure and content of the Individual Health Identifier were:

• The format of the number must support usability in the health sector

• The proposed number range must provide a more than adequate volume of numbers for the existing and future population

• The development cost required for the central Individual Health Identifier system must be significantly less than alternative options

• There should be pre-existing functionality in many consumer systems for support of the number in the proposed format, significantly reducing the cost of any development required for consumer systems

• The prescribed standards must be met (HIQA, ASTM UHID-1995)

• The number format and standard can be shared world-wide, inclusive of Northern Ireland in particular.

• The number must be compatible with devices such as scanners, bar-code readers and other devices.

As a result it has been expected that the Individual Health Identifier will be comprised of 3 items: a 7-digit GS1 standard prefix; a 10-digit core number (the final digit being a modulus 11 check digit); and a final check digit. A total of 18 digits.

It is proposed that the GS1 healthcare standard, already in use within the HSE, will form a prefix to the core Individual Health Identifier. The format of the core number is the same as that used for the NHS Number in the UK and may use one of a bank of numbers reserved for the Republic of Ireland, which are 800000000 to 859999999.

As an example, the number below shows the relative components of its construct:

5393-014 - 999-999-999-9 - 7

5393-014        GS1 GSRN prefix number (with no check digit)
999-999-999-9   Core IHI number (with check digit)
7               Final GS1 check digit


4.2 CONTENT OF THE NATIONAL REGISTER

The dataset items to be held on the National Register were defined in the Health Identifiers Act as:

• surname

• forename

• date of birth

• place of birth

• sex

• all former surnames

• mother's surname and all former surnames of his or her mother (including mother's surname at mother's birth)2

• address

• nationality

• personal public service number

• date of death in the case of a deceased individual

• signature

• photograph

• SAFE level of registration – this has been defined by the Minister as 'other particulars required'

• Personal Service Card No. – this has been defined by the Minister as 'other particulars required'

SAFE level of registration refers to the Standard Authentication Framework Environment, designed to assign a level of certainty to the information held about an individual; e.g. information about a client is only assigned SAFE Level 2 after a face-to-face interview where the client is required to produce documentary, including photographic, evidence of identity.

The IHI will utilise the SAFE* Public Service Card infrastructure operated by the Department of Social Protection. In this way, the Individual Health Identifier will leverage the significant investment to date and the ongoing work by the Department of Social Protection (DSP). It is not intended to replicate the DSP data collection and verification process, except for the small number of patients where the DSP does not have information about the individuals concerned because they would not normally be issued with a PPSN, e.g. tourists or temporary residents. This approach will ensure maximum leveraging of the public service dataset (operated by DSP) while enabling the health sector to operate a sectoral identifier. In many respects, the health service will operate from a carbon copy of the public service identity dataset and this will significantly reduce the cost of the initiative.

2 In fact the data that will be held on the IHI Register will be mother's surname at birth only, as there is no available source for other surnames to be collected.

4.3 CREATION OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER

4.3.1 Implementation of the Individual Health Identifier Register

The following diagram sets out the way in which the IHI Register will be generated and maintained:

Figure 1 – Generation and Maintenance of the IHI Register

1. IHI Register: The existing HSE PCRS index will be developed to become the National IHI Register and PCRS Schemes will provide updates as a trusted data source based on business logic put in place.

2. Department of Social Protection Public Service Identity: DSP-PSI will be treated as a trusted data source and will feed data via an appropriate interface which will be put in place.


3. Consumer Systems: Consumer systems (including PCRS scheme systems) will be interfaced to access IHI numbers on a planned and phased basis via a standardised interface which will control access. Updates to IHI record data may be facilitated where permitted by the business logic put in place.

Note: The list of consumer systems in the diagram is for illustrative purposes only. The actual roadmap for connectivity will depend on legal commencement, technical and business readiness, and strategic planning.

Once established, the IHI Register will be held in an encrypted environment.

The HSE's Primary Care Reimbursement Service supports the delivery of a wide range of primary care services to the general public, through over 6,600 primary care contractors across a range of community health schemes. These services are provided to more than 3.4 million people in their community by doctors, pharmacists, dentists and optometrists.

The Primary Care Reimbursement Service Master Patient Index (OHMPI) will be leveraged to support the requirements of the Individual Health Identifier, utilising existing hardware and software infrastructure, and will be modified and adapted to become the National Register.

The Primary Care Reimbursement Service Master Patient Index only holds records for individuals that are in receipt of publicly funded primary care schemes. In order for the Individual Health Identifier Project to meet its objectives and realise the potential benefits in full, it is imperative that the National Register contains a record for all individuals who have previously accessed or may need to access a health service in Ireland, irrespective of whether the service is provided publicly or privately.

The Department of Social Protection operates a database which holds Public Service Identity records for all members of the population who transact with public service departments or agencies. All individuals are provided with a Personal Public Service Number for transacting with public service departments, when they are registered at birth or upon immigration to Ireland. This database aggregates information from within the Department of Social Protection and other channels, for example the General Register Office.

The Public Service Identity database is the most complete register of the population of Ireland.

Utilising PSI data as the source of the IHI register leverages a well-managed, quality assured and robust register, providing a significant level of assurance that there is a unique identifier, correctly assigned, for each individual. In addition, the DSP are currently undertaking a registration process for PSI clients which will provide an even higher level of assurance in relation to the identity data for individuals on the PSI register and consequently for the IHI register.

Therefore it is proposed that the Department of Social Protection's Public Service Identity records will become the main source for the creation of the Individual Health Identifier register, with additional data provided by PCRS where available.

This is subject to a Memorandum of Agreement between the Department of Social Protection, the Department of Health and the HSE, which outlines how information governance and compliance will be applied by the HSE for the use of PSI data in the context of the Individual Health Identifier.


A secure interface between the HSE and DSP will be implemented in order to facilitate on-going record maintenance via the provision of new and updated PSI details.

The Primary Care Reimbursement Service Master Patient Index already holds a significant subset of the Public Service Identity database records, as the Personal Public Service Number is required for the processing of schemes such as the Medical Card and Drug Payment Refund, both of which are publicly funded.

Prior to the matching of DSP PSI and HSE PCRS records, a body of work will be undertaken to assess and remediate any legacy or organic data variances in the PCRS Master Patient Index. Appropriate cleansing will be undertaken to ensure PSI records are being compared against clean and valid data, for the purposes of creating the IHI Record.

To facilitate creation of the IHI Record, relevant Public Service Identity data fields (as authorised by the Health Identifiers Act) will be provided by the Department of Social Protection. A robust matching and record joining triage process (as developed and tested during the IHI Register's Design and Development stages) will result in a final IHI Record. An Individual Health Identifier will then be generated and assigned to each IHI Record.

Each Individual Health Identifier must be generated in a manner that ensures that:

• it is unique

• it is randomly generated

• it has no association to any attribute belonging to the person it is generated for

• it is not generated in an identifiable sequence with other IHI numbers

• it is applied to a single individual

• no individual has more than one IHI

• it is never recycled or re-used

• it is comprised of and formatted to the specified parameters of creation
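The following is an added worked example, not code from the HSE, PCRS or the IHI project, covering two passages at once: the 18-digit layout from section 4.1 (7-digit GS1 prefix, 9-digit core, modulus 11 digit, final GS1 digit) and the generation properties listed immediately above. It assumes the core check digit is the NHS Number modulus 11 algorithm (the page says the core has the NHS Number format), that the final digit is the standard GS1 modulo 10 check digit, and that the prefix 5393014 printed on the page is usable as a prefix; none of these are confirmed details of the real service. One check worth noting: under the standard GS1 algorithm the page's illustrative prefix and core yield a final digit of 9, not the 7 printed beside them, so that printed number should be read as showing layout only, and a consumer system must verify both check digits against whatever algorithms the IHI service actually specifies.

```python
"""Assemble, validate and allocate identifiers in the 18-digit IHI layout.
Added example; the check-digit algorithms and the prefix are assumptions."""
import secrets
from typing import Optional

GS1_PREFIX = "5393014"                     # illustrative 7-digit prefix from section 4.1 (assumed usable)
CORE_RANGE = (800_000_000, 859_999_999)    # bank reserved for the Republic of Ireland (section 4.1)


def nhs_check_digit(core9: str) -> Optional[int]:
    """Modulus 11 check digit over nine digits (NHS Number scheme, assumed).

    Weights 10 down to 2 are applied left to right; check = 11 - (sum mod 11).
    A result of 11 becomes 0; a result of 10 means no valid check digit exists,
    so such a core number can never be issued (returned as None)."""
    if len(core9) != 9 or not core9.isdigit():
        raise ValueError("core must be exactly nine digits")
    total = sum(int(d) * w for d, w in zip(core9, range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        return 0
    if check == 10:
        return None
    return check


def gs1_check_digit(data: str) -> int:
    """Standard GS1 modulo 10 check digit: weights 3,1,3,1,... from the right."""
    if not data.isdigit():
        raise ValueError("data must be digits only")
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(data)))
    return (10 - total % 10) % 10


def build_ihi(core9: str, prefix: str = GS1_PREFIX) -> Optional[str]:
    """prefix (7) + core (9) + modulus 11 digit (1) + GS1 digit (1) = 18 digits.
    Returns None when the core has no valid modulus 11 digit."""
    nhs = nhs_check_digit(core9)
    if nhs is None:
        return None
    body = f"{prefix}{core9}{nhs}"
    return f"{body}{gs1_check_digit(body)}"


def validate_ihi(ihi: str, prefix: str = GS1_PREFIX) -> bool:
    """Check length, prefix and BOTH check digits. The GS1 digit covers the whole
    17-digit body; the modulus 11 digit covers only the 9-digit core, so a
    consumer that checks just one of them accepts some corrupted numbers."""
    if len(ihi) != 18 or not ihi.isdigit() or not ihi.startswith(prefix):
        return False
    core9, nhs, gs1 = ihi[7:16], int(ihi[16]), int(ihi[17])
    return nhs_check_digit(core9) == nhs and gs1_check_digit(ihi[:17]) == gs1


class IhiAllocator:
    """Issues core numbers with the properties listed in section 4.3.1: drawn with
    a CSPRNG from the reserved range (so neither sequential nor derived from any
    attribute of the person), unique, and never re-used even after a record is
    merged or retired. The issued set lives in memory here; a real register would
    persist it durably. rng(n) must return an int in [0, n)."""

    def __init__(self, issued=None, rng=secrets.randbelow):
        self._issued = set(issued or ())   # every core ever handed out, live or retired
        self._rng = rng

    def allocate(self) -> str:
        lo, hi = CORE_RANGE
        while True:
            core9 = str(lo + self._rng(hi - lo + 1))
            if core9 in self._issued:
                continue                   # already issued at some point: draw again
            ihi = build_ihi(core9)
            if ihi is None:
                continue                   # no valid modulus 11 digit for this core: skip it
            self._issued.add(core9)
            return ihi

    def retire(self, ihi: str) -> None:
        """Stop using an IHI (e.g. after a merge) without ever freeing its core for re-issue."""
        self._issued.add(ihi[7:16])


if __name__ == "__main__":
    print(build_ihi("999999999"))          # the page's example core, assembled with both check digits
    allocator = IhiAllocator()
    first, second = allocator.allocate(), allocator.allocate()
    print(first, second, first != second and validate_ihi(first) and validate_ihi(second))
```

The allocator keeps retired cores in the issued set on purpose: "never recycled or re-used" is only true if a merge or a data correction can never free a number, and the draw-again loop is what makes uniqueness hold without any sequence appearing in the issued numbers.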

The PSI data will be matched against existing Primary Care Reimbursement Service Master Patient Index records. For uniquely matched records the Primary Care Reimbursement Service Master Patient Index will be updated with the relevant PSI details and the records will be assigned Individual Health Identifiers. Any records currently held by the Department of Social Protection that do not already exist on the Primary Care Reimbursement Service Master Patient Index will be added to the National Individual Health Identifier Register and assigned Individual Health Identifiers.


Figure 2 - Example of creating the SBR from multiple records3

The matching algorithm used to match records from the Public Service Identity database and the Primary Care Reimbursement Service Master Patient Index will be designed to maximise the number of records that can be correctly matched automatically while minimising the number of records that require manual intervention by the Business Operations Unit. This will ensure that the number of false positive matches (records that are matched but are not for the same person) and false negative matches (records that are for the same person but have not been matched automatically) are kept to a minimum.

Development of the matching and update rules will take place during the design. Any rules for update and matching will be thoroughly tested prior to finalisation.

4.3.2 Maintenance of the National Register

Once created, ongoing maintenance of the National Register will occur through routine updates (at a minimum daily frequency) from the Department of Social Protection. The updates will provide details of changes to existing records and insertions of new records; new records will be assigned an Individual Health Identifier.

4.3.3 Business Operations Unit

Given the current role of the Primary Care Reimbursement Service in managing an existing Master Patient Index for the HSE, with many of the technical and operational aspects already in place, the Primary Care Directorate has been appointed by the HSE to establish the IHI Business Service Unit that will be responsible for the operation of the Individual Health Identifier service.

3 Taken from Health IT2 presentation


The responsibilities of the Business Operations Unit will include:

• IHI Register Data Management from Automated Feeds – the manual activities necessary to resolve any issues identified through automated data matching processes

• IHI Register Data Management from Service Provider Requests – the manual processes to deal with requests to change data held in the Central IHI Register

• Service Provider Access Management – the manual processes to grant/update/remove access for users of the Central IHI Register

• Service Provider Relationship Management – the processes required to successfully manage the relationship between the Business Support Team and Service Providers, to ensure all stakeholders are supported

• Compliance Management – the processes to ensure that the operation of the Central IHI Register is in compliance with all legislative and standards guidelines, and to report such compliance

• Central IHI Register System Maintenance – the processes that support the ongoing technical maintenance of the Central IHI Register

• Business Support Team Management – the processes to ensure the successful operation of the Business Support Team

• Public Requests for Information – the processes to provide members of the public with details about the IHI number, if requested

4.3.4 Access to the National Register

"Information Security" for the IHI Register is a larger consideration than just protection from unauthorised access, which is only one area of major consideration. Information Security can be viewed in the main as ensuring Confidentiality, Integrity and Availability of data; however, for the IHI project it will be considered in all areas relating to:

• Security at a technical level

• Security at a policy/governance level

• The practical implications of implementation, which must be both appropriate and feasible

Access to the IHI Register will therefore be driven from a number of focus areas, including:

• Business decisions determining what is required from a security perspective

• Technical decisions determining how security is implemented

Access to the IHI Register will be determined based on the extent to which internal and external parties are viewed as "untrusted networks". The "level" of access available will be based upon this; for example, different methods of access control may be appropriate for:

• PCRS internal system

• Previously interfaced system

• Brand new consumer system

At a minimum, both authorisation and authentication will take place.


Authorisation can be considered as both the business perspective, in terms of having an assessment framework and process in place, and the technical implementations facilitating that, such as Role Based Access Control (RBAC) and appropriate audit and tracking technologies.

Authentication can be considered as the process of establishing who (or which system) is requesting access, so that accountability for data access, management and handling can be maintained once authorised; it will largely be technology driven, utilising appropriate technology controls.

For direct IHI access, the Business Service Team will (as controlled through RBAC) be able to perform functions such as:

• Search or Find data items

• Trace activity and data items

• Add new data items

• Update existing data items

• Merge data items

• Un-Merge or Split data items

These features will only be available or used as defined in specific use cases (for example, when the automated matching algorithm cannot 100% determine whether to merge a record or not, and so the case is added to a worklist for the IHI Business Service Team to review and resolve).

The contents of the records visible to the IHI Business Service Team will be limited to the demographics as specified in the Health Identifiers Act, and there will be no possibility of access to clinical or other associated information (as it will not be held in the IHI Register).

Consumer systems will be similarly restricted in how they "access" data within the IHI Register and, in reality, will not have direct access, but will be returned controlled data via a standardised interface which will sit between the consumer system and the IHI Register. Requests for data based on a limited set of functionality for different use cases (for example, Trace IHI for a new patient) will be processed by the interface and responses returned as appropriate. For example, if for some reason a record has been marked as "sensitive" in the IHI Register, a consumer system requesting that record may not be able to retrieve the demographic details and may instead be responded to with an appropriate information message highlighting that the record cannot be returned.

These controls will ensure "access abuse" is robustly managed. Additionally, as well as performing a "controlled message broker" role, the standardised consumer system interface and IHI Register will fully track consumer system access activity, with alerts or logging taking place as appropriate.

Connection to this standardised interface will only be permitted once the consumer system has fully completed all necessary activities (e.g. implementation of required technical changes, signing of necessary documentation) and has been verified by the Business Service Team as ready to connect.

Section 4.2 above lists the data items that will be included on the National Register. Although these data items can be used for search purposes, not all of the items may be returned to the user or to consumer systems.
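The following is an added illustration of the "controlled message broker" role described in this section; it is not HSE or PCRS code, and the use cases, field lists, consumer registrations, credentials and register rows are all constructed (the IHI strings are placeholders, not checksum-verified identifiers). It shows the controls the text lists working together: the consumer never reads the register directly; the broker authenticates the calling system, checks that it has been verified as ready to connect and that the requested use case is permitted for it, withholds records flagged sensitive with an information message, returns only the fields the use case needs (search-only items such as PPSN and address are never echoed back), refuses to return candidate lists when a search is ambiguous, and writes an audit entry for every request whatever the outcome. A pre-shared token stands in for the certificate-based authentication the page mentions for the proof of concept.

```python
"""A minimal standardised consumer-system interface in front of an IHI register.
Added example with constructed data and a token in place of certificate authentication."""
import hmac

# Constructed register rows holding a subset of the section 4.2 items plus a sensitive flag.
REGISTER = {
    "539301480000000087": {"ihi": "539301480000000087", "surname": "Murphy", "forename": "Aoife",
                           "dob": "1975-03-12", "sex": "F", "address": "1 Main St, Cork",
                           "ppsn": "2345678A", "mother_birth_surname": "Kelly", "sensitive": False},
    "539301480000000168": {"ihi": "539301480000000168", "surname": "Walsh", "forename": "Ciara",
                           "dob": "1990-09-30", "sex": "F", "address": "5 Quay Rd, Galway",
                           "ppsn": "3456789B", "mother_birth_surname": "Byrne", "sensitive": True},
    "539301480000000249": {"ihi": "539301480000000249", "surname": "Ryan", "forename": "Tom",
                           "dob": "2001-01-15", "sex": "M", "address": "9 Hill St, Limerick",
                           "ppsn": "4567890C", "mother_birth_surname": "Doyle", "sensitive": False},
    "539301480000000320": {"ihi": "539301480000000320", "surname": "Ryan", "forename": "Tom",
                           "dob": "2001-01-15", "sex": "M", "address": "2 Park Ave, Sligo",
                           "ppsn": "5678901D", "mother_birth_surname": "Nolan", "sensitive": False},
}

# Consumer registrations: only systems the Business Service Team has verified are "live".
CONSUMERS = {
    "gp-practice-07": {"token": "gp07-constructed-secret", "status": "live",
                       "use_cases": {"trace_ihi", "verify_ihi"}},
    "hospice-emr":    {"token": "hospice-constructed-secret", "status": "live",
                       "use_cases": {"verify_ihi"}},
    "epilepsy-epr":   {"token": "epr-constructed-secret", "status": "pending",
                       "use_cases": {"trace_ihi"}},
}

# Per-use-case data minimisation: what may be returned beyond the IHI itself.
RETURN_FIELDS = {"trace_ihi": ("surname", "forename", "dob", "sex"), "verify_ihi": ()}
SEARCH_FIELDS = {"ihi", "ppsn", "surname", "forename", "dob"}

AUDIT = []   # one entry per request, whatever the outcome


def _audit(client_id, use_case, outcome, ihi=None, query=None):
    # Record which fields were searched on, never their values, so the log holds no PPSNs.
    AUDIT.append({"client": client_id, "use_case": use_case, "outcome": outcome,
                  "ihi": ihi, "query_fields": sorted(query or ())})


def handle_request(client_id, token, use_case, query):
    consumer = CONSUMERS.get(client_id)
    if consumer is None or not hmac.compare_digest(consumer["token"], token):
        _audit(client_id, use_case, "auth-failed")
        return {"status": "denied"}
    if consumer["status"] != "live":
        _audit(client_id, use_case, "not-onboarded")
        return {"status": "denied"}
    if use_case not in RETURN_FIELDS or use_case not in consumer["use_cases"]:
        _audit(client_id, use_case, "use-case-not-permitted")
        return {"status": "denied"}
    if not query or set(query) - SEARCH_FIELDS:
        _audit(client_id, use_case, "bad-query", query=query)
        return {"status": "rejected", "message": "unsupported search field"}

    hits = [rec for rec in REGISTER.values() if all(rec.get(k) == v for k, v in query.items())]
    if not hits:
        _audit(client_id, use_case, "not-found", query=query)
        return {"status": "not-found"}
    if len(hits) > 1:
        # Never hand a consumer a list of candidates: that would disclose other people's records.
        _audit(client_id, use_case, "ambiguous", query=query)
        return {"status": "ambiguous", "message": "more than one record matches; supply more details"}
    rec = hits[0]
    if rec["sensitive"]:
        _audit(client_id, use_case, "withheld", ihi=rec["ihi"], query=query)
        return {"status": "withheld", "message": "record cannot be returned via this interface"}
    payload = {"ihi": rec["ihi"], **{f: rec[f] for f in RETURN_FIELDS[use_case]}}
    _audit(client_id, use_case, "ok", ihi=rec["ihi"], query=query)
    return {"status": "ok", "record": payload}


if __name__ == "__main__":
    print(handle_request("gp-practice-07", "gp07-constructed-secret", "trace_ihi", {"ppsn": "2345678A"}))
    print(handle_request("gp-practice-07", "gp07-constructed-secret", "trace_ihi", {"ppsn": "3456789B"}))
    print(handle_request("hospice-emr", "hospice-constructed-secret", "trace_ihi", {"ppsn": "2345678A"}))
    for entry in AUDIT:
        print(entry)
```

Two design choices are worth calling out: the audit entry is written before any response is returned, including for failed authentication, so the "fully track consumer system access activity" requirement holds for abuse attempts and not only for successful reads; and the query values are deliberately kept out of the log, since a log that contains PPSNs is itself a copy of register data that would need the same protection.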


In addition to the standardised interface being designed from the ground up, any existing or legacy system interfaces already connected to the Master Patient Index will be identified, assessed, and modified as required to ensure compliance with IHI Information Security before being permitted to read any data contained within the Register. This will ensure that consistent business logic for access control is applied across all channels.

In line with this requirement, existing interfaces between the PCRS register and PCRS schemes can only continue to access the IHI register when the same controls are in place.

An assessment of the agreed standardised interface functionality and controls, together with the business compliance process, will be undertaken before implementation of the consumer system interface.

Following the creation of the National Register, access to and use of the Individual Health Identifier will be integrated within a targeted set of external consumer systems (Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)), with the requisite interfaces and processes also put in place to maintain these interfaces going forward.

Typically, due to birth registration processing, newborn babies are not assigned a Personal Public Service Number and associated Public Service Identity dataset until they are approximately 28 days old. To ensure that an Individual Health Identifier can be available to babies at birth, the IHI will be allocated to babies via a separate process based on the birth notification system in hospitals, which will then be reconciled with their Public Service Identity record once it is available.

The systems and processes to maintain this for the current and future population will also be put in place.

Functionality to provide newborn babies with an Individual Health Identifier at birth, and use of the number within additional consumer systems, will be added as a capability in the future. The privacy implications of all such further expansions of the functionality and use associated with the Individual Health Identifier will be considered within separate PIAs as appropriate.

4.3.5 IHI Proof of Concept Register

The expected lead time for the development and subsequent integration of the IHI Register with consumer systems drove the need to generate practical learnings early, so that lessons and understanding could be derived and subsequently applied to the development of the IHI Register.

To this end, an IHI Proof of Concept (IHI-POC) Register was created to facilitate direct practical experience and insight in preparing data and producing IHI numbers, for both the development team and business service team members. The output of this activity will directly feed into the IHI Register project design and development activities.

The IHI Proof of Concept Register was introduced after work on the Privacy Impact Assessment was already nearing completion and, as a result, the development team were able to implement appropriate privacy controls as recommended for the IHI register.


The IHI Proof of Concept Register work-stream utilised a dedicated SQL-based database in which data was stored and analysed. This database is encrypted and has strict access controls attached, with formal authorisation required for any project resources requiring access for analysis purposes. In addition, full auditing of accesses was implemented. An audit of accesses to the IHI Proof of Concept Register was recently completed to test the audit process and to establish that no unauthorised accesses have been made to the IHI Proof of Concept Register.

The first phase of the IHI-POC was to create the database and load the data. Algorithms were produced for data import, cleansing and reporting, and for IHI generation and allocation.

Data cleansing actions enabled assessment of potential scenarios to be considered for the IHI Register.

Further validation checks were made by accessing PSI records.

PSI records were matched against HSE records, on the basis that the final IHI Register will be utilising PSI as a primary trusted source.

The approach to data validation broadly took the following steps:

• The existing encrypted IHI-POC SQL database was used as the source of data to be matched against the PSI records

• A bespoke Java module with appropriate security permissions was developed to:

o Read and retrieve PCRS and PSI data respectively

o Parse and perform a number of matching scenarios which would result in a set of validated IHI-POC records

• The Single Customer View XML API was used as the secure channel for data retrieval by the Java module

• The Java module was hosted within the same HSE environment as the IHI-POC Register and accessed the IHI-POC Register using a secure certificate and authentication process

• The process was split into two distinct phases:

o Retrieve and store all necessary information

o Use the retrieved data to perform validation/analysis/reporting as required

Subsequent analysis of the parsed data has informed appropriate matching rules for the IHI Register OHMPI matching engine in the IHI Register development.

The data retrieved was restricted to that specified in the Health Identifiers Act, was used solely for the purposes of developing the IHI Register data model and processing rules, and has never been accessed or used by any consumer system.

The IHI Proof of Concept database and associated data will be securely disposed of as soon as the project no longer requires these entities for analysis.


5 PRIVACY ISSUES ASSOCIATED WITH THE INDIVIDUAL HEALTH IDENTIFIER

This section describes the privacy issues associated with the establishment of an Individual Health Identifier and National Register and proposes controls and mitigation actions for those that pose a privacy risk.

It should be noted that some aspects of the implementation of the National Register may present a privacy protection or enhancing opportunity; not all issues lead to a negative privacy risk.

5.1 HIQA INFORMATION GOVERNANCE AND MANAGEMENT STANDARDS FOR THE HEALTH IDENTIFIERS OPERATOR IN IRELAND

In August 2015, the Health Information and Quality Authority (HIQA), following on from a public consultation, published Information Governance and Management Standards for the Health Identifiers Operator in Ireland. These standards relate to a range of information governance and management standards to be implemented by the Business Operation Unit(s) within the Health Service Executive that will be responsible for establishing and maintaining the National Register of Individual Health Identifiers and the National Register of Health Service Provider Identifiers. HIQA refers to these Business Operation Units as the Health Identifiers Operator.

Implementing these standards will promote trust among service users and health service providers that the National Registers have been established in accordance with the law and in line with best practice. In turn, this creates confidence that health service providers can be uniquely identified and can uniquely identify the service users to whom they are providing services, which ultimately leads to improvements in patient safety.

The HIQA Information Governance and Management Standards for the Health Identifiers Operator in Ireland, which will be referred to in this document as the HIQA standards, are summarised in Appendix A.

Details of the HIQA standards and the consultation process can be found at http://www.hiqa.ie/publications/information-governance-and-management-standards-health-identifiers-operator-ireland

These HIQA standards provide a set of governance controls that will help to mitigate many of the privacy issues that have been identified, and are listed as such in the following tables.


5.2 SUMMARY OF PRIVACY ISSUES, RISK SCORES AND MITIGATIONS

This section sets out the privacy issues associated with the implementation of an Individual Health Identifier as well as the proposed mitigating safeguards or controls that have been identified.

It should be recognised that there are also privacy advantages associated with the implementation of an Individual Health Identifier that should not be overlooked. For example, sharing patient information, which already happens, will become more reliable through the use of an Individual Health Identifier, the right record being shared for the right patient. It may also be possible to reduce the amount of identity data needed within electronic communications, which will improve privacy.

HIQA standards mitigations and controls, where applicable, are referred to by their HIQA reference numbers and appear first in the following tables. To remain consistent with the terminology adopted by the HIQA standards, the IHI Business Operations Unit is referred to as the Health Identifiers Operator.


5.2.1 Privacy Issues associated with the establ ishment of a National Register of Indiv idual Health Identif iers

PrivacyIssue Probab

ility

Impact Risk

Score

Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk

Score

Informationaboutyouthat

isheldontheIHIRegister

maybeaccessedillegally

(e.g.foridentitytheft,sold

orotherwisemisusedby

commercialorganisations)

4 5 20 HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthservice

providersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationand

standards.

HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsources

thatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeof

establishingandmaintainingtheNationalRegisters.

HIQA4.1.TheHealthIdentifiersOperatordeliversregularevidence-basedtraining

programmesforitsownworkforceinrelationtoestablishing,maintainingandusingthe

NationalRegisters.

1 5 5

TheHealthIdentifiersOperatorhassafeandeffectiverecruitmentpracticesinplace.

TheHealthIdentifiersOperatorlogsalldataaccessestotheIHI,traceabletoanaccountable

individual’saccount.

TheHeathIdentifiersOperatorroutinelyandrandomlyauditsaccessbyitsstafftotheIHI

registertoensureaccesswasforbusinesspurposesonly.

TheHealthIdentifiersOperatorseekstoprosecutethose(bothinternalstaffandexternal

organisations)thatknowinglyaccessorprocesstheIndividualHealthIdentifierdata

inappropriatelyasprovidedforwithintheprovisionsoftheAct.

TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceof

managingnationaldemographicsystemsintotheestablishmentofitsproceduresand

processes.

TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundtheIHI

Page 32: Privacy Impact Assessment for Individual Health Identifier · Final Version for Publication Page | 1 28 January 2016 A Privacy Impact Assessment for the Individual Health Identifier

FinalVersionforPublication P a g e |32

28January2016

PrivacyIssue Probab

ility

Impact Risk

Score

Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk

Score

registerwillminimisetheriskofunlawfulaccessandhacking

TheIHIRegisterisonlyheldonserversphysicallylocatedwithinIreland.

Thetransferofdatafrom

trusteddatasources

(includingtheDSP)tothe

IHItoestablishtheIHI

registerresultsinpersonal

informationbeingaccessed

illegally(e.g.identitytheft,

soldorotherwisemisused

bycommercial

organisations)

4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsestablishedforthe

transferofdatabetweentrusteddatasourcesandtheIHIregisterwillminimisetheriskof

unlawfulaccess,datalossandhacking.

1 4 4

5.2.2 Privacy Issues associated with the ongoing transfer of data for the update and maintenance of the National Register of Individual Health Identifiers

Privacy issue: Transfer of data from trusted sources (including the DSP) to the IHI to maintain the IHI register results in personal information being accessed illegally (e.g. identity theft, or being sold or otherwise misused by commercial organisations).
Risk before mitigation: Probability 4, Impact 4, Risk score 16
Proposed mitigation (safeguards or controls): The Chief Information Officer ensures that technical and physical controls around the ongoing transfer of data between trusted source systems and the IHI register will minimise the risk of unlawful access, data loss and hacking.
Risk after mitigation: Probability 1, Impact 4, Risk score 4

5.2.3 Privacy Issues associated with management of the register by HSE Primary Care Reimbursement Service (HSE PCRS)

The appointment of the HSE Primary Care Reimbursement Service as the Health Identifiers Operator for the National Register provides positive privacy impacts: the HSE is a statutory authority with limits on what it can do defined in legislation. In addition, the HSE Primary Care Reimbursement Service is an established organisation within the HSE; it is experienced in handling personal health information, and it has a good security record and robust incident management processes.

Privacy issue: The public lose trust in how the IHI business service operates, and in how the IHI register is used and managed, because of a lack of independent scrutiny.
Risk before mitigation: Probability 4, Impact 4, Risk score 16
Proposed mitigation (safeguards or controls):
  HIQA 1.1 - The Health Identifiers Operator conducts privacy impact assessments at critical points during the establishment and operation of the National Registers.
  All HIQA standards in Theme 2: Leadership, governance and management.
  HIQA 3.1 - The Health Identifiers Operator maintains and reviews the privacy of health identifier records contained in the National Registers.
  HIQA develops audit procedures and conducts audits in line with the Information and Governance Standards for the operation of the Health Identifier Registers.
  The Data Protection Commissioner, the Comptroller and Auditor General and the HSE internal audit function provide oversight of the Health Identifiers Operator.
Risk after mitigation: Probability 2, Impact 3, Risk score 6

Privacy issue: Poor data quality on the IHI Register leads to duplicate numbers, or to two or more IHI records becoming mixed up.
Risk before mitigation: Probability 4, Impact 4, Risk score 16
Proposed mitigation (safeguards or controls):
  HIQA 3.2 - The Health Identifiers Operator maintains and reviews the quality of data contained in the National Registers.
  Data quality checks are undertaken in the construction and maintenance of the Individual Health Identifier Register.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Lack of appropriate governance controls within the IHI Business Service Team leads to accidental or deliberate breach or loss of data.
Risk before mitigation: Probability 5, Impact 5, Risk score 25
Proposed mitigation (safeguards or controls):
  All HIQA standards in Theme 2: Leadership, governance and management.
  The Health Identifiers Operator has safe and effective recruitment practices in place.
  The Health Identifiers Operator seeks to prosecute those (both internal staff and external organisations) that knowingly access or process the Individual Health Identifier data inappropriately, as provided for within the provisions of the Act.
  The Health Identifiers Operator incorporates lessons learned from the experience of managing national demographic systems into the establishment of its procedures and processes.
  The Health Identifiers Operator is required to comply with the HSE IG policies and procedures.
Risk after mitigation: Probability 2, Impact 3, Risk score 6


5.2.4 Privacy Issues associated with the proposed dataset

The Individual Health Identifier dataset does not include any sensitive health information, which should be seen as a positive privacy impact.

Privacy issue: The format or allocation of the IHI discloses personal information about you.
Risk before mitigation: Probability 2, Impact 3, Risk score 6
Proposed mitigation (safeguards or controls):
  The Technical Specification for the allocation of an Individual Health Identifier includes requirements that:
  • Each Individual Health Identifier must be unique
  • Individual Health Identifiers must be randomly generated with no association to the person it is generated for.
  • Individual Health Identifiers must not be generated in an identifiable sequence.
Risk after mitigation: Probability 1, Impact 2, Risk score 2

Privacy issue: Inclusion of the Personal Public Service Number (PPSN) in the IHI Register results in inappropriate disclosure of information about you held by the Department of Social Protection (DSP).
Risk before mitigation: Probability 3, Impact 4, Risk score 12
Proposed mitigation (safeguards or controls):
  Standard Operating Procedures include restrictions on the use and availability of the Personal Public Service Number, which must provide equal or better protection than that provided by the Department of Social Protection.
  The Technical Specification requires that a Personal Public Service Number can be used to assist in obtaining the correct Individual Health Identifier when provided by the patient or service user, but will only be provided back within the traced dataset in line with Social Welfare legislation.
  The Technical Specification includes restrictions on the use and availability of the Personal Public Service Number and must provide equal or better protection than that provided by the Department of Social Protection.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Inclusion of the mother's surname at birth in the IHI register discloses relationship details.
Risk before mitigation: Probability 1, Impact 5, Risk score 5
Proposed mitigation (safeguards or controls):
  Standard Operating Procedures include restrictions on the use and availability of the PSI data and must provide equal or better protection than that provided by the Department of Social Protection.
  The Technical Specification requires that a mother's surname at birth can be used to assist in obtaining the correct Individual Health Identifier when provided by the patient or service user, but must never be provided back within the traced dataset.
  The Technical Specification includes restrictions on the use and availability of the mother's surname and must provide equal or better protection than that provided by the Department of Social Protection.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Statutory responsibility for responding to a Data Access Request made to the IHI Register results in personal information being given to an applicant that was not entitled to it.
Risk before mitigation: Probability 3, Impact 5, Risk score 15
Proposed mitigation (safeguards or controls):
  The Health Identifiers Operator procedure for responding to Data Access Requests should:
  • Be at least as robust as that of the Department of Social Protection, requiring evidence of identity of the applicant, including proof of latest address details, photo ID (passport, public services card, or driver's licence) and a utility bill
  • Ensure that parental requests on behalf of children are made jointly or require proof of legal guardianship
  • Ensure that 'assisted decision making' procedures are implemented in line with the Assisted Decision-Making (Capacity) Bill 2013.
  • Ensure that request handling supports provisions made under recent legislation in respect of adopted children.
Risk after mitigation: Probability 1, Impact 3, Risk score 3
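As an added example (not the HSE's or the IHI project's own code), the following Python allocator shows one way to meet the three allocation requirements in the first row above and to audit an issued batch against them. The 10-digit format, the in-memory stand-in for the register and the 5% sequence threshold are assumptions made for the example.

```python
import secrets
from collections import Counter

# Assumed identifier format: 10 decimal digits. The page does not state the
# real IHI length, so this is an assumption for the example only.
IHI_DIGITS = 10
IHI_SPACE = 10 ** IHI_DIGITS


class IHIAllocator:
    """Issues identifiers that are unique, random and not in an identifiable sequence."""

    def __init__(self):
        # Constructed stand-in for the register: issued IHI -> opaque record reference.
        # No attribute of the person is read when choosing the IHI, so the value
        # carries no association to them (a hash of the PPSN or date of birth would).
        self._issued = {}

    def allocate(self, record_ref):
        """Return a fresh IHI for the given register record.

        The candidate comes from the operating system CSPRNG, so consecutive
        allocations bear no relation to each other. Collisions with an already
        issued value are rare but possible, so retry until the candidate is
        unused; that retry is what guarantees uniqueness.
        """
        while True:
            candidate = f"{secrets.randbelow(IHI_SPACE):0{IHI_DIGITS}d}"
            if candidate not in self._issued:
                self._issued[candidate] = record_ref
                return candidate

    def issued_count(self):
        return len(self._issued)


def looks_sequential(ihis, threshold=0.05):
    """True if a batch, taken in allocation order, shows an identifiable sequence.

    A counter (step 1) or any fixed stride repeats the same difference between
    neighbouring values, whereas CSPRNG output of this size almost never repeats
    a difference. The batch is flagged when the most common neighbouring
    difference accounts for more than `threshold` of all differences (the 5%
    default is an assumption chosen for the example).
    """
    values = [int(i) for i in ihis]
    if len(values) < 2:
        return False
    steps = Counter(b - a for a, b in zip(values, values[1:]))
    _, occurrences = steps.most_common(1)[0]
    return occurrences / (len(values) - 1) > threshold


def audit_batch(ihis, threshold=0.05):
    """Check issued IHIs against the three allocation requirements.

    Returns the list of failed requirements, so an empty list means the batch
    passes. "No association to the person" cannot be tested from the values
    alone; it is a property of the allocator, enforced above by never reading
    personal data when choosing a candidate.
    """
    failures = []
    if any(len(i) != IHI_DIGITS or not i.isdigit() for i in ihis):
        failures.append("format")
    if len(set(ihis)) != len(ihis):
        failures.append("unique")
    if looks_sequential(ihis, threshold):
        failures.append("sequence")
    return failures


if __name__ == "__main__":
    allocator = IHIAllocator()
    # Constructed record references standing in for register entries.
    random_batch = [allocator.allocate(f"record-{n}") for n in range(500)]
    print("random allocation:", audit_batch(random_batch) or "passes")
    # A counter-based allocation would fail the sequence requirement.
    counter_batch = [f"{n:0{IHI_DIGITS}d}" for n in range(1_000_000, 1_000_500)]
    print("counter allocation:", audit_batch(counter_batch))
```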


5.2.5 Privacy Issues associated with provision of Individual Health Identifiers to Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)

This section identifies the privacy impacts arising specifically as a result of the delivery of Individual Health Identifiers to these systems.

Privacy issue: Provision of the Individual Health Identifier to the consumer system results in personal information being accessed inappropriately or being inappropriately shared.
Risk before mitigation: Probability 2, Impact 4, Risk score 8
Proposed mitigation (safeguards or controls):
  The Health Identifiers Operator standard operating procedures will ensure that any application for access to the National Register is from the list of "specified persons" as defined in the Health Identifiers Act.
  The Health Identifiers Operator will ensure that consumer systems are populated only by performing a match using those records which are held by the consumer system master patient index (MPI).
  The Health Identifiers Operator will quality assure the assignment of Individual Health Identifiers to records on the consumer system MPI to a standard that will minimise the risk of false positive and false negative matches, to ensure that the correct Individual Health Identifier is returned.
  The Health Identifiers Operator will ensure that a copy of the National Register will never be provided to third party consumer systems.
  The technical specification of the interface with consumer systems will minimise the risk of inappropriate disclosure of an IHI by requiring a minimum of data to be provided, and will control the data being returned to the consumer system.
  The Chief Information Officer ensures that technical and physical controls around the transfer of data between the consumer system and the IHI register will minimise the risk of unlawful access, data loss and hacking.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Provision of the Individual Health Identifier to the consumer system results in personal information being accessed without the knowledge or consent of patients.
Risk before mitigation: Probability 3, Impact 4, Risk score 12
Proposed mitigation (safeguards or controls):
  HIQA 1.2 - The Health Identifiers Operator develops, implements and reviews a communications plan that effectively engages with health service providers and service users in relation to the use of the National Registers.
  HIQA 2.2 - The Health Identifiers Operator maintains a publicly available statement of purpose.
  HIQA 2.3 - The Health Identifiers Operator complies with relevant Irish and European legislation and standards when establishing and managing the National Registers.
  HIQA 2.4 - The Health Identifiers Operator has formalised arrangements with health service providers for the effective use of the National Registers in line with relevant legislation and standards.
Risk after mitigation: Probability 1, Impact 2, Risk score 2

Privacy issue: Transfer of data from the consumer system to the IHI for the purpose of providing the consumer system with IHI data results in personal information being accessed illegally (e.g. identity theft, or being sold or otherwise misused by commercial organisations).
Risk before mitigation: Probability 4, Impact 4, Risk score 16
Proposed mitigation (safeguards or controls):
  The Chief Information Officer ensures that technical and physical controls around the transfer of data between the consumer system and the IHI register will minimise the risk of unlawful access, data loss and hacking.
  The Health Identifiers Operator is required to establish appropriate Information Governance controls for consumer system organisations to meet before interfacing with the IHI.
  The Health Identifiers Operator is required to establish appropriate technical standards for consumer systems to meet before interfacing with the IHI.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Provision of the Individual Health Identifier to the consumer system increases the risk of personal information being accessed illegally (e.g. identity theft, or being sold or otherwise misused by commercial organisations).
Risk before mitigation: Probability 2, Impact 4, Risk score 8
Proposed mitigation (safeguards or controls): Prior to receipt of Individual Health Identifiers, the health service provider responsible for the consumer system demonstrates that it is compliant with the Information Governance policies and procedures established by the Health Identifiers Operator. [Non-HSE service providers will be required to demonstrate equivalent Information Governance controls.]
Risk after mitigation: Probability 1, Impact 4, Risk score 4

Privacy issue: Inappropriate access to IHI Register audit records of access to patient records by consumer systems discloses clinical information (e.g. record accesses by the epilepsy EPR would indicate that an individual may suffer from epilepsy).
Risk before mitigation: Probability 3, Impact 4, Risk score 12
Proposed mitigation (safeguards or controls):
  The Health Identifiers Operator ensures strict access controls on audit records.
  The Chief Information Officer ensures that technical and physical controls around audit records will minimise the risk of unlawful access, data loss and hacking.
Risk after mitigation: Probability 1, Impact 4, Risk score 4

Privacy issue: Data quality issues arising from transcription errors in the IHI result in inappropriate access to incorrect IHI records.
Risk before mitigation: Probability 3, Impact 3, Risk score 9
Proposed mitigation (safeguards or controls):
  The Health Identifiers Operator provides clear guidance to providers when implementing the IHI within their systems to ensure that:
  • The IHI is printed by the consumer system when labelling is required for paper records generated by the consumer system
  • Procedures avoid the need to write the IHI manually
  • Electronic messages between systems incorporate the IHI
Risk after mitigation: Probability 1, Impact 3, Risk score 3


5.2.6 Privacy Issues associated with the ongoing inclusion and use of the Individual Health Identifier in Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)

This section identifies the privacy impacts arising specifically as a result of the ongoing inclusion and use of the Individual Health Identifier within these systems.

Given that the Individual Health Identifier is another data item on the consumer system master patient index (MPI), it could be argued that there are no increased privacy issues related to the holding and processing of the Individual Health Identifier throughout the organisation. Nonetheless, this serves as an opportunity to ensure that good practice information governance (IG) is implemented.

Privacy issue: Ongoing use of the IHI within consumer systems results in personal information being accessed illegally (e.g. identity theft, or being sold or otherwise misused by commercial organisations).
Risk before mitigation: Probability 2, Impact 4, Risk score 8
Proposed mitigation (safeguards or controls):
  HIQA 2.5 - The Health Identifiers Operator has formalised arrangements with trusted sources that protect personal information and define which data can be shared for the purpose of establishing and maintaining the National Registers.
  The health service provider responsible for the consumer system will demonstrate continued compliance with the Information Governance policies and procedures established by the Health Identifiers Operator. [Non-HSE service providers will be required to demonstrate continued compliance with equivalent Information Governance controls.]
  The IHI Business Unit Manager develops standards for Information Governance controls within consumer systems to be met before the system can receive IHI information.
  The Health Service Provider responsible for the consumer system will deliver a regular evidence-based training programme for its workforce in relation to access and use of the consumer system.
  The Health Identifiers Operator and the consumer system organisation must ensure that appropriate security measures are adopted for the interfaces providing maintenance to the consumer system.
  Consumer systems have appropriate Role Based Access controls within them to minimise the risk of inappropriate access to records, and will ensure that access to audit logs is sufficient to identify inappropriate access by a member of staff.
  The Health Service Provider routinely and randomly audits access to the IHI register by its staff to ensure access was for business purposes only.
  The Health Identifiers Operator will ensure that any use of the IHI for purposes other than those for which it was shared is rigorously investigated, and that misuse is prosecuted where appropriate as per the terms of the Health Identifiers Act.
Risk after mitigation: Probability 1, Impact 4, Risk score 4


5.2.7 Individual Health Identifier Privacy Issues associated with the future uses of the Individual Health Identifier

This PIA is restricted to the establishment of the register and use within Epilepsy Electronic Patient Record (EPR), selected GP practice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme). However, it is appropriate to flag up potential privacy issues concerned with as yet unknown future uses and to establish controls to manage and prevent future privacy impacts.

Privacy issue: Future expansion of the Individual Health Identifier dataset to include further personal details increases privacy impact.
Risk before mitigation: Probability 2, Impact 3, Risk score 6
Proposed mitigation (safeguards or controls):
  Both HIQA standards in Theme 1: Person Centred.
  All HIQA standards in Theme 2: Leadership, governance and management.
  HIQA 3.1 - The Health Identifiers Operator maintains and reviews the privacy of health identifier records contained in the National Registers.
  The Health Identifiers Operator ensures that data collected in the IHI register is limited to that specified in the Health Identifiers Act.
Risk after mitigation: Probability 1, Impact 3, Risk score 3

Privacy issue: Unauthorised use of the IHI by other user organisations.
Risk before mitigation: Probability 2, Impact 4, Risk score 8
Proposed mitigation (safeguards or controls):
  Both HIQA standards in Theme 1: Person Centred.
  All HIQA standards in Theme 2: Leadership, governance and management.
Risk after mitigation: Probability 1, Impact 4, Risk score 4


5.3 GOVERNANCE FRAMEWORK

Compliance with current legislation (DPAs, the Health Identifiers Act and the future Health Information Bill) will be at the heart of managing the privacy impacts associated with the establishment of the Individual Health Identifier National Register and its uses. However, the Governance Framework set out within Theme 2 of the HIQA standards provides opportunities for further positive privacy impacts. The governance arrangements for the National Register should further define:

• The user organisations that have been granted access to the National Register
• The organisations that will be prohibited from access to the National Register
• The permissible uses of the Individual Health Identifier and the information in the Individual Health Identifier Dataset
• Whether controls require further legislation or data sharing and use agreements (in particular penalties associated with improper use or data breaches)
• Regulatory oversight of the Business Operations Unit

The need for these governance arrangements to include an independent oversight panel will be explored in the next stages of stakeholder engagement.

5.4 ASSIGNMENT OF RESPONSIBILITY FOR PRIVACY MITIGATION SAFEGUARDS OR CONTROLS

The following table summarises the privacy risk mitigation safeguards and controls and identifies the business owner who will take responsibility for implementing the action within the identified timescale.

Monitoring of the implementation of these safeguards will be incorporated into the overall project management: the business owner will be required to report on implementation progress on a regular basis to the project board.

5.5 MITIGATION IMPLEMENTATION RESPONSIBILITY AND TIMESCALES

Action: HIQA 1.1 - The Health Identifiers Operator conducts privacy impact assessments at critical points during the establishment and operation of the National Registers.
Business owner: Head of IHI Business Service
Delivery date: As required

Action: HIQA 1.2 - The Health Identifiers Operator develops, implements and reviews a communications plan that effectively engages with health service providers and service users in relation to the use of the National Registers.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: HIQA 2.1 - The Health Identifiers Operator has effective leadership, governance and management arrangements in place with clear lines of accountability.
Business owner: National Director for Primary Care or Health Identifiers Steering Group
Delivery date: In advance of the IHI Service becoming operational.

Action: HIQA 2.2 - The Health Identifiers Operator maintains a publicly available statement of purpose.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: HIQA 2.3 - The Health Identifiers Operator complies with relevant Irish and European legislation and standards when establishing and managing the National Registers.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: HIQA 2.4 - The Health Identifiers Operator has formalised arrangements with health service providers for the effective use of the National Registers in line with relevant legislation and standards.
Business owner: Head of IHI Business Service
Delivery date: In advance of providing the IHI Service to health service provider systems.

Action: HIQA 2.5 - The Health Identifiers Operator has formalised arrangements with trusted sources that protect personal information and define which data can be shared for the purpose of establishing and maintaining the National Registers.
Business owner: Head of IHI Business Service
Delivery date: In advance of transferring data for establishing and maintaining the IHI National Register.

Action: HIQA 2.6 - The Health Identifiers Operator monitors, reviews, evaluates and improves the service it provides on an ongoing basis.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: HIQA 3.1 - The Health Identifiers Operator maintains and reviews the privacy of health identifier records contained in the National Registers.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: HIQA 3.2 - The Health Identifiers Operator maintains and reviews the quality of data contained in the National Registers.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: HIQA 4.1 - The Health Identifiers Operator delivers regular evidence-based training programmes for its own workforce in relation to establishing, maintaining and using the National Registers.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational and ongoing thereafter

Action: The Health Identifiers Operator has safe and effective recruitment practices in place.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Health Identifiers Operator logs all data accesses to the IHI, traceable to an accountable individual's account.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: The Health Identifiers Operator routinely and randomly audits access by its staff to the IHI register to ensure access was for business purposes only.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Health Identifiers Operator seeks to prosecute those (both internal staff and external organisations) that knowingly access or process the Individual Health Identifier data inappropriately, as provided for within the provisions of the Act.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Health Identifiers Operator incorporates lessons learned from the experience of managing national demographic systems into the establishment of its procedures and processes.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Chief Information Officer ensures that technical and physical controls around the IHI register (including transfer of data from trusted sources and consumer systems) will minimise the risk of unlawful access and hacking.
Business owner: Chief Information Officer
Delivery date: During the implementation of the IHI Register and ongoing thereafter

Action: The National Register is only held on servers physically located within Ireland.
Business owner: Chief Information Officer
Delivery date: During the implementation of the IHI Register and ongoing thereafter

Action: HIQA develops audit procedures and conducts audits in line with the Information and Governance Standards for the operation of the Health Identifier Registers, inclusive of the IHI Register.
Business owner: HIQA
Delivery date: Ongoing

Action: The Data Protection Commissioner, the Comptroller and Auditor General and the HSE internal audit function provide oversight of the Health Identifiers Operator.
Business owner: DPC, Comptroller & Auditor General, HSE internal audit
Delivery date: Ongoing

Action: Data quality checks are undertaken in the construction and maintenance of the Individual Health Identifier Register.
Business owner: Chief Information Officer during implementation; Head of IHI Business Service once operational
Delivery date: During the implementation of the IHI Register and ongoing thereafter

Action: The Health Identifiers Operator is required to comply with the HSE IG policies and procedures.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Technical Specification for the allocation of an Individual Health Identifier includes requirements that:
• Each Individual Health Identifier must be unique
• Individual Health Identifiers must be randomly generated with no association to the person it is generated for.
• Individual Health Identifiers must not be generated in an identifiable sequence.
Business owner: Chief Information Officer
Delivery date: In advance of the implementation of the technical system that will support the IHI Service.

Action: Standard Operating Procedures include restrictions on the use and availability of the Personal Public Service Number, which must provide equal or better protection than that provided by the Department of Social Protection.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: The Technical Specification requires that a Personal Public Service Number can be used to assist in obtaining the correct Individual Health Identifier when provided by the patient or service user, but will only be provided back within the traced dataset in line with Social Welfare legislation.
Business owner: Chief Information Officer
Delivery date: In advance of the implementation of the technical system that will support the IHI Service.

Action: The Technical Specification includes restrictions on the use and availability of the Personal Public Service Number, which must provide equal or better protection than that provided by the Department of Social Protection.
Business owner: Chief Information Officer
Delivery date: In advance of the implementation of the technical system that will support the IHI Service.

Action: Standard Operating Procedures include restrictions on the use and availability of the mother's surname, which must provide equal or better protection than that provided by the Department of Social Protection.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: The Technical Specification requires that a mother's surname can be used to assist in obtaining the correct Individual Health Identifier when provided by the patient or service user, but must never be provided back within the traced dataset.
Business owner: Chief Information Officer
Delivery date: In advance of the implementation of the technical system that will support the IHI Service.

Action: The Technical Specification includes restrictions on the use and availability of the mother's surname, which must provide equal or better protection than that provided by the Department of Social Protection.
Business owner: Chief Information Officer
Delivery date: In advance of the implementation of the technical system that will support the IHI Service.

Action: The Health Identifiers Operator procedure for responding to Data Access Requests should:
• Be at least as robust as that of the Department of Social Protection, requiring evidence of identity of the applicant, including proof of latest address details, photo ID (passport or driver's licence) and a utility bill
• Ensure that parental requests on behalf of children are made jointly or require proof of legal guardianship
• Ensure that 'assisted decision making' procedures are implemented in line with the Assisted Decision-Making (Capacity) Bill 2013
• Ensure that request handling supports provisions made under recent legislation in respect of adopted children.
Business owner: Head of IHI Business Service
Delivery date: In advance of the IHI Service becoming operational.

Action: The Health Identifiers Operator standard operating procedures will ensure that any application for access to the National Register is from the list of "specified persons" as defined in the Health Identifiers Act.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Health Identifiers Operator will ensure that consumer systems are populated only by performing a match using those records which are held by the consumer system MPI.
Business owner: Head of IHI Business Service
Delivery date: Outline procedure prior to consumer system implementation

Action: The Health Identifiers Operator will quality assure the assignment of Individual Health Identifiers to records on the consumer system MPI to a standard that will minimise the risk of false positive and false negative matches, to ensure that the correct Individual Health Identifier is returned.
Business owner: Head of IHI Business Service
Delivery date: Outline procedure prior to consumer system implementation

Action: The Health Identifiers Operator will ensure that a copy of the National Register will never be provided to third party consumer systems.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The technical specification of the interface with consumer systems will minimise the risk of inappropriate disclosure of an IHI by requiring a minimum of data to be provided, and will control the data being returned to the consumer system.
Business owner: Chief Information Officer
Delivery date: Prior to consumer system implementation

Action: The Chief Information Officer ensures that technical and physical controls around the transfer of data between the consumer system and the IHI register will minimise the risk of unlawful access, data loss and hacking.
Business owner: Chief Information Officer
Delivery date: Prior to consumer system implementation

Action: The Health Identifiers Operator is required to establish appropriate IG controls for consumer system organisations to meet before interfacing with the IHI.
Business owner: Head of IHI Business Service
Delivery date: Outline procedure prior to consumer system implementation

Action: The Health Identifiers Operator is required to establish appropriate technical standards for consumer systems to meet before interfacing with the IHI.
Business owner: Head of IHI Business Service
Delivery date: Prior to consumer system implementation

Action: Prior to receipt of Individual Health Identifiers, the health service provider responsible for the consumer system demonstrates that it is compliant with the Information Governance policies and procedures established by the Health Identifiers Operator. [Non-HSE service providers will be required to demonstrate equivalent IG controls.]
Business owner: Head of IHI Business Service
Delivery date: Outline procedure prior to consumer system implementation

Action: The Health Identifiers Operator ensures strict access controls on audit records.
Business owner: Head of IHI Business Service
Delivery date: Ongoing

Action: The Chief Information Officer ensures that technical and physical controls around audit records will minimise the risk of unlawful access, data loss and hacking.
Business owner: Chief Information Officer
Delivery date: Ongoing

Action: The Health Identifiers Operator provides clear guidance to providers when implementing the IHI within their systems to ensure that:
• The IHI is printed on all paper records generated by the consumer system
• Procedures avoid the need to write the IHI manually
• Electronic messages between systems incorporate the IHI
Business owner: Head of IHI Business Service
Delivery date: Outline procedure 1 month prior to consumer system implementation

Action: The health service provider responsible for the consumer system will demonstrate continued compliance with the HSE IG policies and procedures. [Non-HSE service providers will be required to demonstrate continued compliance with equivalent IG controls.]
Business owner: Health Service Provider
Delivery date: As required

Action: The Health Identifiers Operator develops standards for IG controls within consumer systems to be met before the system can receive IHIs.
Business owner: Head of IHI Business Service
Delivery date: Outline procedure prior to consumer system implementation

Action: The Health Service Provider responsible for the consumer system will deliver a regular evidence-based training programme for its workforce in relation to access and use of the consumer system.
Business owner: Health Service Provider
Delivery date: As required

Action: The Health Identifiers Operator and the consumer system organisation must ensure that appropriate security measures are adopted for the interfaces providing maintenance to the consumer system.
Business owner: Head of IHI Business Service / Health Service Provider
Delivery date: Outline procedure prior to consumer system implementation

Action: Consumer systems have appropriate Role Based Access controls within them to minimise the risk of inappropriate access to records, and will ensure that access to audit logs is sufficient to identify inappropriate access by a member of staff.
Business owner: Health Service Provider
Delivery date: As required

Action: The Health Service Provider routinely and randomly audits access to the IHI register by its staff to ensure access was for business purposes only.
Business owner: Health Service Provider
Delivery date: Ongoing

Action: The Health Identifiers Operator will ensure that any use of the IHI for purposes other than those for which it was shared is rigorously investigated, and that misuse is prosecuted where appropriate as per the terms of the Health Identifiers Act.
Business owner: Head of IHI Business Service
Delivery date: As required

Action: The Health Identifiers Operator ensures that data collected in the IHI register is limited to that specified in the Health Identifiers Act.
Business owner: Head of IHI Business Service
Delivery date: Ongoing


5.6 APPENDIX A – HIQA PROPOSALS FOR INFORMATION GOVERNANCE AND MANAGEMENT STANDARDS FOR THE HEALTH IDENTIFIERS OPERATOR IN IRELAND

Theme 1 - Person-centred

Standard 1.1 The Health Identifiers Operator conducts privacy impact assessments at critical points during the establishment and operation of the National Registers.

Standard 1.2 The Health Identifiers Operator develops, implements and reviews a communications plan that effectively engages with health service providers and service users in relation to the use of the National Registers.

Theme 2 - Leadership, governance and management

Standard 2.1 The Health Identifiers Operator has effective leadership, governance and management arrangements in place with clear lines of accountability.

Standard 2.2 The Health Identifiers Operator maintains a publicly available statement of purpose.

Standard 2.3 The Health Identifiers Operator complies with relevant Irish and European legislation and standards when establishing and managing the National Registers.

Standard 2.4 The Health Identifiers Operator has formalised arrangements with health service providers for the effective use of the National Registers in line with relevant legislation and standards.

Standard 2.5 The Health Identifiers Operator has formalised arrangements with trusted sources that protect personal information and define which data can be shared for the purpose of establishing and maintaining the National Registers.

Standard 2.6 The Health Identifiers Operator monitors, reviews, evaluates and improves the service it provides on an ongoing basis.


Theme 3 - Use of information

Standard 3.1 The Health Identifiers Operator maintains and reviews the privacy of health identifier records contained in the National Registers.

Standard 3.2 The Health Identifiers Operator maintains and reviews the quality of data contained in the National Registers.

Theme 4 - Workforce

Standard 4.1 The Health Identifiers Operator delivers regular evidence-based training programmes for its own workforce in relation to establishing, maintaining and using the National Registers.


5.7 APPENDIX B: ORGANISATIONS WE HAVE CONSULTED TO DATE

Health Service Executive (HSE)

Department of Health (DOH)

Department of Social Protection (DSP)

Offices of the Data Protection Commissioner (DPC)

Health Information and Quality Authority (HIQA)

Beaumont Hospital

The Council of Clinical Information Officers (CCIO)

Irish Platform for Patients’ Organisations, Science & Industry (IPPOSI)