privacy impact assessment for individual health identifier · final version for publication page |...
TRANSCRIPT
FinalVersionforPublication P a g e |1
28January2016
A Privacy Impact Assessment for the Individual Health Identifier (IHI)
FinalVersionforPublication P a g e |2
28January2016
TableofContents
1 PurposeoftheDocument..............................................................................................................4
2 PIAMethodologyandApproach....................................................................................................5
2.1 WhatisaPrivacyImpactAssessment?..................................................................................5
2.2 Stage1–ThresholdAssessment...........................................................................................8
2.3 Stage2–IdentificationofPrivacyRisks.................................................................................9
2.3.1 EvaluationofPrivacyRisks...........................................................................................10
2.4 Stage3–IdentificationofArrangementsandControlstoMitigateRisks...........................10
2.5 Stage4–DocumentationofthePrivacyImpactAssessment..............................................11
3 EstablishmentofaNationalRegisterofIndividualHealthIdentifiers.........................................12
3.1 Background..........................................................................................................................12
3.2 TheBenefitofImplementinganIndividualHealthIdentifier..............................................12
3.3 LegalBasisfortheestablishmentoftheIndividualHealthIdentifierRegister....................14
3.3.1 AssignmentofaUniqueIdentifier...............................................................................14
3.3.2 EstablishmentandMaintenanceofaNationalRegister..............................................15
3.3.3 UseandProvisionoftheIdentifyingInformation........................................................15
3.3.4 AccesstotheNationalRegisterofIndividualHealthIdentifiers..................................16
3.3.5 OffencesRelatingtoIndividualHealthIdentifiers.......................................................16
3.4 LegalBasisforUsingtheDepartmentofSocialProtectiondatabasetopopulatetheNationalRegister.............................................................................................................................17
3.4.1 DataHeldbytheDepartmentofSocialProtection.....................................................17
3.4.2 ProvisionundertheIndividualHealthIdentifiersAct..................................................17
3.4.3 ProvisionundertheSocialWelfareConsolidationAct................................................17
4 SpecificationfortheIndividualHealthIdentifierandtheNationalRegister...............................19
4.1 FormatoftheIndividualHealthIdentifier...........................................................................19
4.2 ContentoftheNationalRegister.........................................................................................20
4.3 CreationoftheIndividualHealthIdentifierRegister...........................................................21
4.3.1 ImplementationoftheIndividualHealthIdentifierRegister.......................................21
4.3.2 MaintenanceoftheNationalRegister.........................................................................24
4.3.3 BusinessOperationsUnit.............................................................................................24
4.3.4 AccesstotheNationalRegister...................................................................................25
FinalVersionforPublication P a g e |3
28January2016
4.3.5 IHIProofofConceptRegister......................................................................................27
5 PrivacyIssuesassociatedwiththeIndividualHealthIdentifier...................................................29
5.1 HIQAInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland..........................................................................................................................29
5.2 SummaryofPrivacyIssues,RiskScoresandMitigations.....................................................30
5.2.1 PrivacyIssuesassociatedwiththeestablishmentofaNationalRegisterofIndividualHealthIdentifiers.........................................................................................................................31
5.2.2 PrivacyIssuesassociatedwiththeongoingtransferofdatafortheupdateandmaintenanceoftheNationalRegisterofIndividualHealthIdentifiers.......................................32
5.2.3 PrivacyIssuesassociatedwithmanagementoftheregisterbyHSEPrimaryCareReimbursementService(HSEPCRS)............................................................................................33
5.2.4 PrivacyIssuesassociatedwiththeproposeddataset..................................................35
5.2.5 PrivacyIssuesassociatedwithprovisionofIndividualHealthIdentifierstoEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)system)andschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme).........................................................................................................37
5.2.6 PrivacyIssuesassociatedwiththeongoinginclusionanduseoftheIndividualHealthIdentifierinEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)..................................................................40
5.2.7 IndividualHealthIdentifierPrivacyIssuesassociatedwiththefutureusesoftheIndividualHealthIdentifier..........................................................................................................42
5.3 GovernanceFramework......................................................................................................43
5.4 AssignmentofResponsibilityforPrivacyMitigationSafeguardsorControls......................43
5.5 MitigationImplementationResponsibilityandTimescales.................................................43
5.6 AppendixA–HIQAproposalsforInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland.......................................................................................50
5.7 APPENDIXB:OrganisationsWeHaveConsultedtoDate....................................................52
FinalVersionforPublication P a g e |4
28January2016
1 PURPOSE OF THE DOCUMENT ThepurposeofthisdocumentistoprovidethefindingsofthePrivacyImpactAssessmentfortheestablishmentofaNationalRegisterofIndividualHealthIdentifiersthathasbeenconductedbytheHealthServiceExecutiveinIreland.
TheNationalRegisterofIndividualHealthIdentifierswillholdanIndividualHealthIdentifierforeverypersonwhohasused,isusingormayuseahealthandsocialcareserviceinIreland.
ThePrivacyImpactAssessmentalsoconsiderstheprivacyimplicationsofaccesstoandadoptionoftheIndividualHealthIdentifierbythefirstsystemsthatwillaccesstheregisterandusetheIHI:
• EpilepsyElectronicPatientRecord(EPR)
• selectedGPpracticesystemsand
• aHospiceElectronicMedicalRecord(EMR)system
• schemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)
EachfuturechangeintheuseoftheIndividualHealthIdentifier,adoptioninothersystemsoraccesstotheNationalRegisterbyotherbodieswillarenotwithinthescopeofthisPrivacyImpactAssessment.TheimpactofsuchchangeswillbereviewedagainstthisPrivacyImpactAssessmenttoensurethatanyadditionalprivacyissuesarisingareconsideredandadditionalsafeguardsputinplaceifrequired.
WewillmakesurethatasothersystemsstarttousetheIndividualHealthIdentifierandaccesstheIHIRegisterwewillcheckthattherearenonewprivacyimplicationsthatwehaven’tconsideredinthisdocumentandiftherearewewilladdtothePrivacyImpactAssessmentdocumenttocoverthemtoo.
FinalVersionforPublication P a g e |5
28January2016
2 PIA METHODOLOGY AND APPROACH
2.1 WHAT IS A PRIVACY IMPACT ASSESSMENT?
Privacycanbedefinedastherightofanindividualtokeepinformationaboutthemselvesfrombeingdisclosed.Provisionofeffective,safehealthandsocialcarerequirespersonalhealthinformationtobeprocessedwhichcanpresentsignificantriskstoprivacywhichmustbeappropriatelymanaged.
Anindividual’srighttoprivacyisprotectedunderIrishlegislationbytheDataProtectionActs1988and2003
andwithinArticle8oftheEuropeanHumanRightsAct.
TheIrishlegislationoutlinestherightsofindividualsundereightkeyprinciplesofdataprotectionandtheresponsibilitiesofthosewhoholdandprocesspersonalinformation.CompliancewithdataprotectionlegislationisregulatedbytheDataProtectionCommissionerwhoisresponsibleforupholdingtherightsofindividualsassetoutintheDataProtectionActsandforenforcingtheobligationsonthoseholdingandprocessingpersonalinformation.
Theneedtoprotectandrespectpatients’andserviceusers’dignity,privacyandautonomyhasalsobeenreflectedinkeyhealthinformationstrategiessuchastheeHealthStrategyforIreland,2013andtheKnowledgeandInformationPlan,2015.
Promotionofpatientandserviceusers’privacyisembeddedwithintherolesandresponsibilitiesoftheHealthInformationandQualityAuthority(HiQA)1.InrespectoftheirroleinthisregardHiQAhavepublishedGuidanceonPrivacyImpactAssessmentinHealthandSocialCarewhichhasbeenfollowedinthedevelopmentofthisPrivacyImpactAssessment.TheprocessofconductingaPrivacyImpactAssessmenthasissummarisedinFigure1below.
APrivacyImpactAssessmentinvolvesevaluationoftheprivacyimplicationsofprojectsandassessmentoftheircompliancewithrelevantlegislation.Wherepotentialprivacyrisksareidentifieditshouldbepossible,inconsultationwithstakeholders,toidentifysafeguardsorcontrolstomitigateorreducetheseriskswithoutimpactingontheobjectivesorrealisationofthebenefitsoftheinitiative.Anappropriateseniormanagershouldbeidentifiedtobeaccountableandresponsiblefordeliveryoftheagreedsafeguardsorcontrols.
PrivacyImpactAssessmentsshouldbeusedwhereverpersonalinformationisprocessedbutareparticularlyimportantinthehealthandsocialcaresectorwheretheinformationisconsideredtobesensitiveinformation.CompletionofaPrivacyImpactAssessmentforaprojectsuchastheimplementationoftheIndividualHealthIdentifierensuresthatthattheproposedprocessesandproceduresforhandlingpersonalhealthinformationarereviewedtoensurethattheycomplywithlegislationandbestpractice.Further,stakeholderinvolvementinthePIAprocessincreasesawarenessamongprofessionalsandcreatesaculturewheremaintainingpersonalhealthinformationprivacyisapriority.
1MoredetailsaboutTheHealthInformationandQualityAuthoritycanbefoundathttp://www.hiqa.ie/
FinalVersionforPublication P a g e |6
28January2016
AlthoughaPrivacyImpactAssessmentisnotalegalrequirement,itisaneffectivewaytodemonstratehowtheprocessingofpersonaldatacomplieswithdataprotectionlegislation.
PatientsandServiceUserscanbereassuredthattheHealthServiceExecutivehasfollowedbestpractice.ThePrivacyImpactAssessmentshouldensurethattheimplementationoftheIndividualHealthIdentifierislessprivacyintrusiveandthereforelesslikelytoaffecttheminanegativeway.Inaddition,publicconsultationonthefindingsofthePrivacyImpactAssessmentwillimprovetransparencyandshouldmakeiteasierforthepublictounderstandhowandwhytheirinformationisbeingused.
ByconductingaPrivacyImpactAssessmentontheimplementationoftheIndividualHealthIdentifier,theHealthServiceExecutivewillbeinformedofpotentialimpactsonindividualprivacyandactionsthatshouldbetakentomitigateanyimpact.Thisshouldinturnreducethelikelihoodoftheorganisationfailingtomeetitslegaldataprotectionobligations.Further,consistentuseofPrivacyImpactAssessmentsforallrelevantprojectswillincreasetheawarenessofprivacyanddataprotectionissueswithintheHealthServiceExecutiveandwillensurethatstaffinvolvedindesignconsiderprivacyissuesintheearlystagesofaproject.
FinalVersionforPublication P a g e |7
28January2016
FinalVersionforPublication P a g e |8
28January2016
2.2 STAGE 1 – THRESHOLD ASSESSMENT
ThefirststageoftheprocessistheThresholdAssessment.ThisinvolvesidentificationofwhethertheimplementationoftheIndividualHealthIdentifierpresentsanypotentialprivacyissues.Thisrequiresresponsestoaseriesof11questionsinrelationtotheproject.AYESresponsetoanyoneofthesequestionsindicatestheneedforaPrivacyImpactAssessmenttobeconducted.
TheIndividualHealthIdentifierandassociateddatasetcanbeconsideredtobePersonalHealthInformation.Itconsistsofpersonaldemographicinformationthathasbeencollectedandusedforthepurposeofdeliveringhealthandsocialcare.However,itdoesnotincludeanySENSITIVEPersonalHealthInformationwhichrelatestothecondition,careandtreatmentofanindividual.
Doestheprojectinvolveanyofthefollowing?
• Thecollection,useordisclosureofpersonalhealthinformation?
YES:Itinvolvestheallocation,processinganddistributionofanIndividualHealthIdentifierandassociateddemographicdata
• AnewuseforpersonalInformationthatisalreadyheld?
YES:PersonaldemographicinformationfromtheDepartmentofSocialProtectionandthePCRSwillbeusedtocreateandmaintaintheNationalRegister.
• Thelinking,matchingcrossreferencingofpersonalhealthinformationalreadyheld?
YES:TheIHIRegisterwilllinkdatafromDSPwithdatafromthePCRSwhereappropriate
• Establishingoramendingaregisterordatabasecontainingpersonalhealthinformation?
YES:TheIHIRegisterwillbeestablishedusingdatacurrentlyheldbyPCRS.Thiswillonlyholddemographicinformationandwillnotincludesensitivehealthinformation.
• Thecollectionuseordisclosureofadditionalpersonalhealthinformationheldbyanexistingsystemorsourceofhealthinformation?
YES:PopulationoftheIndividualHealthIdentifiersintotheEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)willrequiredisclosureoftheirmasterpatientindex(personaldataonly,notsensitivepersonaldata)formatching.
• Sharingofpersonalhealthinformationbetweenorganisations?
YES:IndividualHealthIdentifiersandassociatedpersonalinformationwillbesharedacrossconsumersystemswithinotherorganisations
• Thecreationofanewortheadoptionofanexistingidentifierforserviceusers:for
YES:Theprojectwillcreateanewuniquepersonalidentifier(theIndividualHealth
FinalVersionforPublication P a g e |9
28January2016
exampleusinganumberorbiometric? Identifier)forpatientandserviceusers
• ExchangingortransferringpersonalhealthInformationoutsidetherepublicofIreland?
NO:NotwithinthescopeofthisPIA,however,subjecttorelevantnationalauthority,futureusesoftheIHImayincludesharingwiththeUKforIrishpatientstreatedwithintheirjurisdictionandmaybesharedwithotherEUcountriesaspertheEUDirectiveontheapplicationofpatients'rightsincross-borderhealthcareDirective2011/24/EU,Article14.SuchuseswillbethesubjectofamendmenttothisPIA.
• Theuseofpersonaldataforresearchorstatisticswhetherde-identifiedornot?
NO:AlthoughtheHealthIdentifierActallowsfortheIndividualHealthIdentifiertobeusedforthedefinedsecondarypurposesincludingresearchandanalysisanyfutureuseoftheIndividualHealthIdentifierforsecondarypurposeswillbesubjectofanamendmenttothisPrivacyImpactAssessment.
• Anyothermeasurethatmayaffectprivacyorthatcouldraiseprivacyconcerns?
NO:
• Aneworchangedsystemofdatahandling;forexamplepoliciesorpracticesaroundaccess,security,disclosureorretentionofpersonalhealthinformation?
YES:ForExample-rulesrelatingtotheprovisionofinformationwhentracinganindividual’sIndividualHealthIdentifierontheNationalRegister
AsaresultoftheresponsestothesethresholdquestionstheneedforaPrivacyImpactAssessmentwasclearlyestablished.
ToensurethatallprivacyimplicationsandpossibleprivacyenhancementopportunitieswereconsideredduringthefollowingStages2and3ofthePrivacyImpactAssessmentwidespreadconsultationhasbeenconductedwithstakeholdersintheHealthServiceExecutive,VoluntaryHospitals,apatientrepresentativebody,theDepartmentofHealth,theDepartmentofSocialProtection,theOfficeoftheDataProtectionCommissionerandHiQA.AlistofthosethathavebeenconsultedhasbeenincludedasAppendixB.
2.3 STAGE 2 – IDENTIFICATION OF PRIVACY RISKS
Thesecondstageoftheprocessinvolvesidentifyingtheprivacyrisksbyexploringthescope,informationflowsandsecurityarrangementsoftheproject.ThisstageinvolvedestablishinghowtheinformationwillbeusedtocreatetheIHIRegister,howitwillbemaintainedthroughupdatesfromotherdatasources,thefunctionalitythatwillbeavailabletotheBusinessOperationsUnitandhow
FinalVersionforPublication P a g e |10
28January2016
itwillinteractwiththe‘consumersystems’includedwithinthePrivacyImpactAssessment,EpilepsyElectronicPatientRecord,selectGPpracticesystems,aHospiceElectronicMedicalRecordandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)
AninitialcheckwasconductedtoensurethattheplannedimplementationcompliedwiththerelevantlegislationsuchastheHealthIdentifiersActandtheDataProtectionActs.
TheriskstotheprivacyofindividualshavealsobeenconsideredincludingthecorporateimpactsthatmightarisesuchasactionbytheDataProtectionCommissioner,reputationaldamageandlossofpublictrustweretheriskstomaterialise.TheseriskshavethenbeenscoredandcategorisedasHigh,MediumorLow.
2.3.1 Evaluation of Pr ivacy Risks
Eachprivacyriskwillbeevaluatedtoassesstheprobabilityoftheriskoccurring(likelihood)andtheconsequence(impact)ifitweretooccur.Thecorrespondingriskscorewillidentifywhethertheriskishigh,mediumorlowassetoutinthefollowingtable.
Likelihood
Impact Rare1
Unlikely2
Possible3
Likely4
Highly Likely5
Negligible - 1 1 2 3 4 5Minor - 2 2 4 6 8 10Moderate - 3 3 6 9 12 15Major - 4 4 8 12 16 20Critical - 5 5 10 15 20 25
LOW (1-7) MEDIUM (8-14) HIGH (15-25)
2.4 STAGE 3 – IDENTIFICATION OF ARRANGEMENTS AND CONTROLS TO MITIGATE
RISKS
Stage3addressestheprivacyrisksidentifiedinStage2.Theaimofthisstageistoseeksafeguardswhichwilleliminatetheprivacyriskswhereverpossibleorreducethembyimplementingmeasuresthatproviderobustcontrolsinthehandlingofthepersonaldataandreducetherisktoprivacy.NotallprivacyriskscanbeeliminatedbutitisimportanttoensurethattheriskcanbereducedasfaraspossiblewhilestillachievingtheaimsandobjectivesoftheimplementationoftheIndividualHealthIdentifier.
Thisstagecreatesaseriesofactionsthatmustbeincorporatedwithintheprojectplan.Eachaction(whichmayaddressoneormoreoftheprivacyrisks)willbeassignedtoabusinessownerandwillbegivenatargetdeliverydate.
FinalVersionforPublication P a g e |11
28January2016
Theseactionswillbeincorporatedintotheprojectdeliveryplanandimplementationmonitoredaspartoftheoverallmanagementoftheproject.
2.5 STAGE 4 – DOCUMENTATION OF THE PRIVACY IMPACT ASSESSMENT
Thefinalstage,Stage4,istheproductionofaPrivacyImpactAssessmentReportwhichdetailsthefindingsoftheassessment.ThereportmusthaveappropriatesignofffromwithintheHealthServicesExecutiveandwillbemadepublic.
FinalVersionforPublication P a g e |12
28January2016
3 ESTABLISHMENT OF A NATIONAL REGISTER OF INDIVIDUAL
HEALTH IDENTIFIERS
3.1 BACKGROUND
TheeHealthStrategyforIrelandDecember2013identifiedtheprovisionofhealthidentifiersforindividualsandhealthserviceprovidersasakeyenablertothesuccessofthestrategy.
TheHealthIdentifiersAct,enactedinJuly2014,allowedforthe“establishmentandmaintenanceof”
• ANationalRegisterofIndividualHealthIdentifiers
• ANationalRegisterofHealthServiceProvidersIdentifiers
TheimplementationandoperationofHealthIdentifiersmustbeinlinewiththeprovisionsoftheActinaccordancewithcommencementorders,delegationordersandregulationstobemadebytheMinisterforHealth.TheMinisterforHealthsignedaninitialcommencementorderinSeptember2015fortheprovisionsintheactrelatingtotheassignmentoftheIndividualHealthIdentifier,theestablishmentoftheIHIRegisterandadelegationorderprovidingtheHSEwiththeauthorityforthesefunctions.
TheMinistermay,afterconsultationwiththeDataProtectionCommissioner,establishregulationsundertheAct.AllregulationsrelatingtotheprovisionsoftheActmustnotbemadeunlesstheMinisterissatisfiedtheyareinthepublicinterestwithdueregardtotheprivacyandtheeffectiveachievementofoneormorepurpose.
RegulationsmadeundertheActaretobelaidbeforeeachhouseoftheOireachtasassoonastheyaremade.Ifaresolutionannullingtheregulationsispassedbyeitherhousewithin21daystheregulationwillbeannulled.
ThisPIAisconcernedsolelywithIndividualHealthIdentifiers.APIAfortheNationalRegisterofHealthServiceProviderIdentifierswillfollowatalaterdate.
3.2 THE BENEFIT OF IMPLEMENTING AN INDIVIDUAL HEALTH IDENTIFIER
ThemainbenefitofhavinganIndividualHealthIdentifieristoensurepatientsafety.Beingabletouniquelyidentifyeachuserwillimprovepatientsafetybyreducingthenumberofadverseeventsthatmayhappen,suchasgivingthepatientthewrongmedicationorvaccinationoradmittingthewrongpersonforsurgery.TheIndividualHealthIdentifierhasthefollowingbenefits:
• PatientSafety
– Reducedlikelihoodofprovidingtreatmenttowrongpatient
– Enhancedabilitytoreliablyassociateallrecordsforthesamepatienttherebyprovidingamorecompletepictureavailabletoprofessionals
• Efficiency
FinalVersionforPublication P a g e |13
28January2016
– Reducedeffortincollectingthesameinformationmultipletimes
– Obviatingtheneedforsomerepeateddiagnostics
– Enhancedabilitytoreliablyassociateallrecordsforthesamepatienttherebyprovidingamorecompleteprofileavailableforadministrationpurposes
• EnablingeHealthapplications
– Akeyenablerintheimplementationofelectronichealthrecords
– Akeyenablerinoverallinformationsharingrequiredacrossthehealthsystem
• Privacy
– Reducestheneedforidentifyinginformationtobeincludedwithelectronicpatientorserviceuserinformation
Thebenefitsforserviceusersare:
• Improvedaccuracyinidentifyingtheserviceuserandtheirmedicalrecordswillleadtosaferandbettercarebeingprovided.
• ServiceUser’srecordsindifferenthealthcareorganisationsmaybeaccuratelyassociatedwiththecorrectserviceuser
• Healthinformationcanbesharedsafelyandseamlesslybetweenpublicandprivatehealthserviceproviders,forexamplereferralletterssentfromapublichospitaltoaprivatesectorGP
• IndividualHealthIdentifiersenableelectronictransferofserviceuserhealthinformation,whichresultsinfastercare.
ThebenefitsforhealthcarepractitionersarethatIndividualHealthIdentifiers:
• Accuratelylinkserviceuserstotheirrecords
• Identifypatientsinallcommunicationswithotherhealthandsocialcareproviders
• Enablesafetransferofpatientrecordselectronically
• Enableelectronicreferrals,dischargesummariesandelectronicprescriptionstobesentwhichresultsinamoretimelyexchangeofinformation.
ThebenefitsforhealthcareprovidersarethatIndividualHealthIdentifiers
• Helptocreateandmaintainacompleterecordforeachpatient
• Enablepatientinformationtobesharedsafelywithinandacrossorganisationalboundaries
• Improveefficiencyinadministrativetasks
ThebenefitsforsocialcareprovidersarethatIndividualHealthIdentifiers
• Accuratelyandsafelyidentifypeoplewhousesocialcareservices
FinalVersionforPublication P a g e |14
28January2016
• Helptocreateacompleterecordofaperson’scarebyinclusionofrecordsthatmayspandifferenthealthandsocialcareorganisations
• Facilitatesafeandefficientcoordinationofsocialcarewithhealthcare.
3.3 LEGAL BASIS FOR THE ESTABLISHMENT OF THE INDIVIDUAL HEALTH IDENTIFIER
REGISTER
ThelegislationtoallowthecreationoftheIndividualHealthIdentifierRegisterandthedatafieldstobecontainedthereinissetoutintheHealthIdentifiersAct2014:
TheelementsofHealthIdentifiersActthatrelatetotheuniquenumbersforapersonororganisationthatprovidesahealthservicearenotincludedwithinthisPrivacyImpactAssessment.
InrelationtotheuniquehealthidentifierthereforetheActprovidesthelegalbasisfor:
• Theassignmentofauniquenumbertoeveryindividualtowhomahealthserviceisbeing,hasbeen,ormaybeprovided.
• TheestablishmentandmaintenanceofaNationalRegisterofindividualhealthidentifiersandinformationrelatingtotheindividualstowhomthenumbersareassigned.
• ThebasisonwhichtheNationalRegistermaybeaccessedandthepersonaldatawithinitmaybeprocessed.
• ThedelegationofcertainfunctionsconferredontheMinisterofHealthtotheHealthServiceExecutive.
• AmendmenttootherActsrequiredasaconsequenceoftheHealthIdentifiersAct.
3.3.1 Assignment of a Unique Identif ier
TheActallowstheMinistertoassignanIndividualHealthIdentifierto:
• anylivingindividual,whetherornottheyareresidentinIreland,towhomahealthserviceisbeing,hasbeenormayhavebeenprovided
• anindividualwhohasdiedbeforetheActcomesintooperation.
FinalVersionforPublication P a g e |15
28January2016
TheActrequiresthattheIndividualHealthIdentifiershouldnotcontainanypersonaldataforexampleitmustnotcontaintheindividualsdateofbirthandidentifiesthatpossessionofauniqueidentifierisnotofitselfanindicationofentitlementtohealthservices.
TheActalsomakesprovisionfortheIndividualHealthIdentifiertobemadeavailabletotheindividualorwherethepersonisdeceasedorlackscapacity,theirpersonalrepresentative,iftheMinisterwishestodoso.
3.3.2 Establ ishment and Maintenance of a National Register
TheActmakesprovisionforaNationalRegisterofIndividualHeathIdentifierstobeestablishedwhichwillholdtheIndividualHealthidentifierandotheridentifyingparticularswheretheyareknown.TheNationalRegistercancontinuetoholdinformationrelatingtodeceasedpersonsandcanannotatetheirrecordstoindicatethattheyaredeceasedandthedateoftheirdeath.
Theregistermustonlycontainthefollowingpersonaldata:
• surname
• forename
• dateofbirth
• placeofbirth
• sex
• allformersurnames
• mother‘ssurnameandallformersurnamesofhisorhermother(includingmotherssurnameatmother’sbirth)
• address
• nationality
• personalpublicservicenumber
• dateofdeathinthecaseofadeceasedindividual
• signature
• photograph
• andanyotherparticularsasdeterminedbytheMinistertoberelevanttoidentifyingtheindividual
3.3.3 Use and Provis ion of the Identify ing Information
TheActmakesprovisionsforthecollectionofhistoricaldatarelatingtoanindividualwithaUniqueHealthIdentifier.
TheActalsomakesprovisionfororganisationsthatareprovidingorhaveprovidedhealthservicestoanindividualtorequestthattheindividualorwhereappropriatetheirpersonalrepresentativeshouldprovideinformationtoallowthemtobeidentified.ThiswillbeprovidedtotheMinister
FinalVersionforPublication P a g e |16
28January2016
within30daysandiftheserviceproviderfindsthemtobeinaccuratewillbecorrectedwithin30daystoallowcorrectionstobemade.
TheActenablesanyotherMinisteroftheGovernmenttoprovideidentifyinginformationtotheMinisterandenablesatARD-Chlaraitheoir(aregistrarofbirthsdeathsandmarriages)toprovideinformationrelatingtoanindividual’sbirthordeathinorderthattheministercanestablishormaintaintheaccuracyoftheNationalRegister
Therearealso,withintheAct,clearrestrictionsinrelationtohowconsumerssystems(inthefirstinstancethisreferstoEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)system)andschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)caninterfacewiththeNationalRegistertoobtainIndividualHealthIdentifiersforinclusionwithintheirsystems.Theconsumersystemswillprovideacopyoftheirlocalmasterpatientindex(MPI)totheNationalRegisterandwillbeprovidedwithanIndividualHealthIdentifierforallpatients.Atnostagewillacopyoftheregisterbeprovidedtoanythirdparty.IndividualHealthIdentifierdatawillonlybeprovidedbythesubmissionofknownindividualpatient\clientdetailsbyanauthorisedHealthserviceprovidertotheHSEfortheprovisionofanIndividualHealthIdentifierandtheotherIndividualHealthIdentifierdataasoutlinedinthelegislation.
3.3.4 Access to the National Register of Indiv idual Health Identif iers
TheActrequirestheMinistertoputarrangementsinplacefortheNationalRegistertobeaccessedbyrelevantpersonsforarangeofrelevantpurposesandtobeprotectedfrombeingaccessedinappropriately.
TheActalsomakesaseriesofprovisionsforhealthserviceproviderstorequestinformationfrompersonstheyareprovidingservicestothatwillenabletheirIndividualHealthIdentifiertoberecordedortracedforandtoberecordedintheindividual’srecordsandusedinappropriatecommunications.
3.3.5 Offences Relat ing to Indiv idual Health Identif iers
TheActmakesitanoffenceforanindividualtoprovidefalseinformationinordertobeassignedanIndividualHealthIdentifier.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfineoronconvictionorindictmenttoafinenotexceeding€100,000.
TheActsetsoutthepurposesforwhichapersonmayaccesstheNationalRegisterorprocessanindividual’sIndividualHealthIdentifierandestablishesthatitisanoffencetoknowinglycontravenetheseprovisions.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfineoronconvictionorindictmenttoafinenotexceeding€100,000.
ItisanoffenceforapersontoimpersonateanotherpersoninordertoaccesstheNationalRegister.AnyonefoundguiltyofsuchanoffencewillbeliableonsummaryconvictiontoaclassBfine.
FinalVersionforPublication P a g e |17
28January2016
3.4 LEGAL BASIS FOR USING THE DEPARTMENT OF SOCIAL PROTECTION DATABASE
TO POPULATE THE NATIONAL REGISTER
3.4.1 Data Held by the Department of Socia l Protection
TheDepartmentofSocialProtectionissuesauniquePersonalPublicServicenumbertoassistindividualsinaccessingbenefitsandinformationfrompublicservicesagenciesinIrelandsuchasSocialWelfare,RevenuePublicHealthcareandEducation.
APersonalPublicServicenumberisissuedto:
• AnyoneborninIrelandsince1971
• AnyonewhohasworkedinIrelandsince1979
• AnyonereceivingaSocialWelfarepayment
• AnyoneparticipatingintheDrugsPaymentScheme.
ThePublicServiceIdentitydatabaseistheNationalRegisterofPersonalPublicServicenumbersandtheassociatedpersonalidentifyinginformation
ItisintendedthattheNationalRegisterofIndividualHealthIdentifierswillbecreatedandmaintainedbydatasuppliedfromthePublicServiceIdentityregister.
3.4.2 Provis ion under the Indiv idual Health Identif iers Act
Asreferredtoabove,theHealthIdentifiersAct(Part2Section8)makesspecificprovisionforanothergovernmentMinistertoprovideinformationrelatingtoindividualssolelyforthepurposeofestablishingormaintainingtheNationalRegister.TheActthereforemakesprovisionforindividuals’datatobeobtainedfromtheDepartmentofSocialProtectioninordertoestablishtheNationalRegister.
3.4.3 Provis ion under the Social Welfare Consol idation Act.
InorderfortheDepartmentofSocialProtectiontohavealegalbasistoprovidedatatotheNationalRegistertherealsoneedstobeprovisionsundertheSocialWelfareConsolidationAct2005.
FinalVersionforPublication P a g e |18
28January2016
Section262(6)oftheSocialWelfareConsolidationAct,2005statesthat:
(6)(a)Whereaspecifiedbodyhasatransactionwithaperson,theMinistermaysharetheperson’spublicserviceidentitywiththespecifiedbodytotheextentnecessaryinrespectofthattransaction*forauthenticationbythespecifiedbodyoftheperson’spublicserviceidentity.
(b)Aspecifiedbodymayuseaperson’spublicserviceidentityinperformingitspublicfunctionsinsofarasthosefunctionsrelatetothepersonconcerned.
(*Insertedbys.32(a)(iii)SocialWelfare&PensionsAct2007).
Section262alsoprovidesthata“transaction”means—
(a)anapplication,
(b)aclaim,(c)acommunication,(d)apayment,or(e)asupplyofaservice,relatingtoapublicfunctionofaspecifiedbodywhichrelatestoanaturalperson.”.
TheseprovisionsintheSocialWelfareConsolidationAct2005allowtheDepartmentofSocialProtectiontoprovidedatarelatingtothepopulationofIreland(includingdeceasedpatients)totheHealthMinisterfortheestablishmentoftheNationalRegisterofIndividualHealthIdentifiers.
FinalVersionforPublication P a g e |19
28January2016
4 SPECIFICATION FOR THE INDIVIDUAL HEALTH IDENTIFIER
AND THE NATIONAL REGISTER
4.1 FORMAT OF THE INDIVIDUAL HEALTH IDENTIFIER
TheIndividualHealthIdentifierwillbeauniquenumberusedforthepurposesofidentificationofindividualpatientsandserviceuserswithinhealthandsocialcareservicesandwillbebasedupontheNHS’sNationalPatientIdentifiermodel,adaptedforusewithintheIrishhealthenvironment.
KeycriteriausedtoselectthefinalstructureandcontentoftheIndividualHealthIdentifierwere:
• TheformatofthenumbermustsupportusabilityintheHealthsector
• Theproposednumberrangemustprovideamorethanadequatevolumeofnumbersforexistingandfuturepopulation
• ThedevelopmentcostrequiredforthecentralIndividualHealthIdentifiersystemmustbesignificantlylessthanalternativeoptions
• Thereshouldbepre-existingfunctionalityinmanyconsumersystemsforsupportofthenumberintheproposedformat,significantlyreducingthecostofanydevelopmentrequiredforconsumersystems
• Theprescribedstandardsmustbemet(HiQA,ASTMUHID-1995)
• Thenumberformatandstandardcanbesharedworld-wideinclusiveofNorthernIrelandinparticular.
• Thenumbermustbecompatiblewithdevicessuchasscanners,bar-codereadersandotherdevices.
AsaresultithasbeenexpectedthattheIndividualHealthIdentifierwillbecomprisedof3items;a7digitGS1standardprefix;a10digitcorenumber(thefinaldigitbeingamodulus11checkdigit);andafinalcheckingdigit.Atotalof18digits.
ItisproposedthattheGS1healthcarestandard,alreadyinusewithintheHSE,willformapre-fixtothecoreIndividualHealthIdentifier.TheformatofthecorenumberisthesameasthatusedfortheNHSNumberintheUKandmayuseoneofabankofnumbersreservedfortheRepublicOfIrelandwhichare800000000to859999999.
Asanexamplethenumberbelowshowstherelativecomponentsofitsconstruct;
5393-014 -999-999-999 -9 -7
[GS1GSRNPrefixnumberwithnocheck-digit]
[CoreIHInumberwith check-digit] [FinalGS1checkdigit]
FinalVersionforPublication P a g e |20
28January2016
4.2 CONTENT OF THE NATIONAL REGISTER
TheDatasetitemstobeheldontheNationalRegisterweredefinedintheHealthIdentifierActas:
• surname
• forename
• dateofbirth
• placeofbirth
• sex
• allformersurnames
• mother‘ssurnameandallformersurnamesofhisorhermother(includingmotherssurnameatmother’sbirth)2
• address
• nationality
• personalpublicservicenumber
• dateofdeathinthecaseofadeceasedindividual
• signature
• photograph
• SAFElevelofregistration–thishasbeendefinedbytheMinisteras‘otherparticularsrequired’
• PersonalServiceCardNo.–thishasbeendefinedbytheMinisteras‘otherparticularsrequired’
SAFElevelofregistrationreferstotheStandardAuthenticationFrameworkEnvironmentdesignedtoassignalevelofcertaintytotheinformationheldaboutanindividual–e.g.informationaboutaclientisonlyassignedSAFELevel2afteraface-to-faceinterviewweretheclientisrequiredtoproducedocumentary,includingphotographic,evidenceofidentity.
TheIHIwillutilisetheSAFE*PublicServiceCardinfrastructureoperatedbytheDepartmentofSocialProtection.Inthisway,theIndividualHealthIdentifierwillleveragethesignificantinvestmenttodateandtheongoingworkbytheDepartmentofSocialProtection(DSP).ItisnotintendedtoreplicatetheDSPdatacollectionandverificationprocess,exceptforthesmallnumberofpatientswheretheDSPdoesnothaveinformationabouttheindividualsconcernedbecausetheywouldnotnormallybeissuedwithaPPSNe.g.touristsortemporaryresidents.Thisapproachwillensure
2InfactthedatathatwillbeheldontheIHIRegisterwillbemother’ssurnameatbirthonlyasthereisnoavailablesourceforothersurnamestobecollected.
FinalVersionforPublication P a g e |21
28January2016
maximumleveragingofthepublicservicedataset(operatedbyDSP)whileenablingthehealthsectortooperateasectoralidentifier.Inmanyrespects,thehealthservicewilloperatefromacarboncopyofthepublicserviceidentitydatasetandthiswillsignificantlyreducethecostoftheinitiative
4.3 CREATION OF THE INDIVIDUAL HEALTH IDENTIFIER REGISTER
4.3.1 Implementation of the Indiv idual Health Identif ier Register
ThefollowingdiagramsetsoutthewayinwhichtheIHIRegisterwillbegeneratedandmaintained
Figure1–GenerationandMaintenanceoftheIHIRegister
1. IHIRegister:TheexistingHSEPCRSindexwillbedevelopedtobecometheNationalIHIRegisterandPCRSSchemeswillprovideupdatesasatrusteddatasourcebasedonbusinesslogicputinplace.
2. DepartmentofSocialProtectionPublicServiceIdentity:DSP-PSIwillbetreatedasatrusteddatasourceandwillfeeddataviaanappropriateinterfacewhichwillbeputinplace.
FinalVersionforPublication P a g e |22
28January2016
3. ConsumerSystems:Consumersystems(includingPCRSschemesystems)willbeinterfacedtoaccessIHInumbersonaplannedandphasedbasisviaastandardisedinterfacewhichwillcontrolaccess.UpdatestoIHIrecorddatamaybefacilitatedwherepermittedbythebusinesslogicputinplace.
Note:Thelistofconsumersystemsinthediagramareforillustrativepurposesonly.Theactualroadmapforconnectivitywilldependonlegalcommencement,technicalandbusinessreadiness,andstrategicplanning.
Onceestablished,theIHIRegisterwillbeheldinanencryptedenvironment.
TheHSE’sPrimaryCareReimbursementServicesupportsthedeliveryofawiderangeofprimarycareservicestothegeneralpublic,throughover6,600primarycarecontractorsacrossarangeofcommunityhealthschemes.Theseservicesareprovidedtomorethan3.4millionpeopleintheircommunitybydoctors,pharmacists,dentistsandoptometrists.
ThePrimaryCareReimbursementServiceMasterPatientIndex(OHMPI)willbeleveragedtosupporttherequirementsoftheIndividualHealthIdentifier,utilisingexistinghardwareandsoftwareinfrastructureandwillbemodifiedandadoptedtobecometheNationalRegister.
ThePrimaryCareReimbursementServiceMasterPatientIndexonlyholdsrecordsforindividualsthatareinreceiptofpublicallyfundedprimarycareschemes.InorderfortheIndividualHealthIdentifierProjecttomeetitsobjectivesandrealisethepotentialbenefitsinfull,itisimperativethattheNationalRegistercontainsarecordforallindividualswhohavepreviouslyaccessedormayneedtoaccessahealthserviceinIreland,irrespectiveofwhethertheserviceisprovidedpublicallyorprivately.
TheDepartmentforSocialProtectionoperateadatabasewhichholdsPublicServiceIdentityrecordsforallmembersofthepopulationwhotransactwithpublicservicedepartmentsoragencies.AllindividualsareprovidedwithaPersonalPublicServiceNumberfortransactingwithpublicservicedepartments,whentheyareregisteredatbirthoruponimmigrationtoIreland.ThisdatabaseaggregatesinformationfromwithintheDepartmentofSocialProtectionandotherchannels,forexampletheGeneralRegistrationsOffice.
ThePublicServiceIdentitydatabaseisthemostcompleteregisterofthepopulationofIreland.
Utilising PSI data as the source of the IHI register leverages awell-managed, quality assured androbust registerprovidinga significant levelofassurance that there isaunique identifier, correctlyassigned, foreach individual. Inaddition,theDSParecurrentlyundertakingaregistrationprocessforPSIclientswhichwillprovideanevenhigherlevelofassuranceinrelationtotheidentitydataforindividualsonthePSIregisterandconsequentlyfortheIHIregister.
ThereforeitisproposedthattheDepartmentofSocialProtection’sPublicServiceIdentityrecordswillbecomethemainsourceforthecreationoftheIndividualHealthIdentifierregisterwithadditionaldataprovidedbyPCRSwhereavailable.
ThisissubjecttoaMemorandumofAgreementbetweentheDepartmentofSocialProtection,theDepartmentofHealthandtheHSE,whichoutlineshowinformationgovernanceandcompliancewillbeappliedbytheHSEfortheuseofPSIdatainthecontextoftheIndividualHealthIdentifier.
FinalVersionforPublication P a g e |23
28January2016
AsecureinterfacebetweentheHSEandDSPwillbeimplementedinordertofacilitateon-goingrecordmaintenanceviatheprovisionofnewandupdatedPSIdetails.
ThePrimaryCareReimbursementServiceMasterPatientIndexalreadyholdsasignificantsubsetofthePublicServiceIdentitydatabaserecordsasthePersonalPublicServiceNumberisrequiredfortheprocessingofschemessuchastheMedicalCardandDrugPaymentRefundbothofwhicharepublicallyfunded.
PriortothematchingofDSPPSIandHSEPCRSrecords,abodyofworkwillbeundertakentoassessandremediateanylegacyororganicdatavariancesinthePCRSMasterPatientIndex.AppropriatecleansingwillbeundertakentoensurePSIrecordsarebeingcomparedagainstcleanandvaliddata,forthepurposesofcreatingtheIHIRecord.
TofacilitatecreationoftheIHIRecord,relevantPublicServiceIdentitydatafields(asauthorisedbytheHealthIdentifiersAct)willbeprovidedbytheDepartmentofSocialProtection.Arobustmatchingandrecordjoiningtriageprocess(asdevelopedandtestedduringtheIHIRegister’sDesignandDevelopmentstages)willresultinafinalIHIRecord.AnIndividualHealthIdentifierwillthenbegeneratedandassignedtoeachIHIRecord.
EachIndividualHealthIdentifiermustbegeneratedinamannertoensurethat:
• itisunique
• itisrandomlygenerated
• hasnoassociationtoanyattributebelongingtothepersonitisgeneratedfor
• itisnotgeneratedinanidentifiablesequencewithotherIHInumbers
• isappliedtoasingleindividual
• NoindividualhasmorethanoneIHI
• Itisneverrecycledorre-used
• Itiscomprisedofandformattedtothespecifiedparametersofcreation
ThePSIdatawillbematchedagainstexistingPrimaryCareReimbursementServiceMasterPatientIndexrecords.ForuniquelymatchedrecordsthePrimaryCareReimbursementServiceMasterPatientIndexwillbeupdatedwiththerelevantPSIdetailsandtherecordswillbeassignedIndividualHealthIdentifiers.AnyrecordscurrentlyheldbytheDepartmentofSocialProtectionthatdonotalreadyexistonthePrimaryCareReimbursementServiceMasterPatientIndexwillbeaddedtotheNationalIndividualHealthIdentifierRegisterandassignedIndividualHealthIdentifiers.
FinalVersionforPublication P a g e |24
28January2016
Figure2-ExampleofcreatingtheSBRfrommultiplerecords3
ThematchingalgorithmusedtomatchrecordsfromthePublicServiceIdentitydatabaseandthePrimaryCareReimbursementServiceMasterPatientIndexwillbedesignedtomaximisethenumberofrecordsthatcanbecorrectlymatchedautomaticallybutminimisethenumberofrecordsthatrequiremanualinterventionbytheBusinessOperationsUnit.Thiswillensurethatthenumberoffalsepositivematches(recordsthatarematchedbutarenotforthesameperson)andfalsenegativematches(recordsthatareforthesamepersonbuthavenotbeenmatchedautomatically)arekepttoaminimum.
Developmentofthematchingandupdateruleswilltakeplaceduringthedesign.Anyrulesforupdateandmatchingwillbethoroughlytestedpriortofinalisation.
4.3.2 Maintenance of the National Register
Oncecreated,ongoingmaintenanceoftheNationalRegisterwilloccurthroughroutineupdates(ataminimumdailyfrequency)fromtheDepartmentofSocialProtection.Theupdateswillprovidedetailsofchangestoexistingrecordsandinsertionsofnewrecords:newrecordswillbeassignedanindividualHealthIdentifier.
4.3.3 Business Operations Unit
GiventhecurrentroleofthePrimaryCareReimbursementServiceinmanaginganexistingMasterPatientIndexfortheHSEwithmanyofthetechnicalandoperationalaspectsalreadyinplace,thePrimaryCareDirectoratehasbeenappointedbytheHSEtoestablishtheIHIBusinessServiceUnitthatwillberesponsiblefortheoperationoftheIndividualHealthIdentifierservice.
3takenfromHealthIT2presentation
FinalVersionforPublication P a g e |25
28January2016
TheresponsibilitiesoftheBusinessOperationsUnitwillinclude:
• IHIRegisterDataManagementfromAutomatedFeeds–themanualactivitiesnecessarytoresolveanyissuesidentifiedthroughautomateddatamatchingprocesses
• IHIRegisterDataManagementfromServiceProviderRequests–themanualprocessestodealwithrequeststochangedataheldintheCentralIHIRegister
• ServiceProviderAccessManagement–themanualprocessestogrant/update/removeaccessforusersoftheCentralIHIRegister
• ServiceProviderRelationshipManagement–theprocessesrequiredtosuccessfullymanagetherelationshipbetweentheBusinessSupportTeamandServiceProviderstoensureallstakeholdersthattheyaresupported
• ComplianceManagement–theprocessestoensurethattheoperationoftheCentralIHIRegisterisincompliancewithalllegislativeandstandardsguidelines,andtoreportsuchcompliance
• CentralIHIRegisterSystemMaintenance–theprocessesthatsupporttheongoingtechnicalmaintenanceoftheCentralIHIRegister
• BusinessSupportTeamManagement–theprocessestoensurethesuccessfuloperationoftheBusinessSupportTeam
• PublicRequestsforInformation–theprocessestoprovidemembersofthepublicdetailsabouttheIHInumber,ifrequested
4.3.4 Access to the National Register
“InformationSecurity”fortheIHIRegisterisalargerconsiderationthanjustprotectionfromunauthorisedaccess,whichisjustoneareaofmajorconsideration.InformationSecuritycanbeviewedinthemainasensuringConfidentiality,Integrity,andAvailabilityofdata,howeverfortheIHIprojectitwillbeconsideredinallareasrelatingto:
• Securityatatechnicallevel
• Securityatapolicy/governancelevel
• Thepracticalimplicationsofimplementationwhichmustbebothappropriateandfeasible
AccesstotheIHIRegisterwillthereforebedrivenfromanumberoffocusareasofwhichsomewillbedrivenfrom:
• Businessdecisionsdeterminingwhatisrequiredfromasecurityperspective
• Technicaldecisionsdetermininghowsecurityisimplemented
AccesstotheIHIRegisterwillbedeterminedbasedontheextenttowhichinternalandexternalpartiesareviewedas“untrustednetworks”.The“level”ofaccessavailablewillbebaseduponthis,forexampledifferentmethodsofaccesscontrolmaybeappropriatefore.g.:
• PCRSinternalsystem
• Previouslyinterfacedsystem
• Brandnewconsumersystem
AtaminimumbothAuthorisationandAuthenticationwilltakeplace.
FinalVersionforPublication P a g e |26
28January2016
AuthorisationcanbeconsideredasboththebusinessperspectiveintermsofhavinganassessmentframeworkandprocessinplaceaswellasthetechnicalimplementationsfacilitatingthatsuchasRoleBasedAccessControl(RBAC)andappropriateauditandtrackingtechnologies.
Authenticationcanbeconsideredastheprocessofensuringaccountabilityfordataaccess./management/handlingonceauthorisedandwilllargelybetechnologydrivenutilisingappropriatetechnologycontrols.
FordirectIHIAccess,theBusinessServiceTeamwill(ascontrolledthroughRBAC)beabletoperformfunctionssuchas:
• SearchorFinddataitems
• Traceactivityanddataitems
• Addnewdataitems
• Updateexistingdataitems
• Mergedataitems
• Un-MergeorSplitdataitems
ThesefeatureswillonlybeavailableorusedasdefinedinspecificUseCases(forexamplewhentheautomatedmatchingalgorithmcannot100%determinewhethertomergearecordornotandsothecaseisaddedtoaworklistfortheIHIBusinessServiceTeamtoreviewandresolve).
ThecontentsoftherecordsvisibletotheIHIBusinessServiceTeamwillbelimitedtothedemographicsasspecifiedintheHealthIdentifiersAct,andtherewillbenopossibilityofaccesstoclinicalorotherassociatedinformation(asitwillnotbeheldintheIHIRegister).
Consumersystemswillbesimilarlyrestrictedinhowthey“access”datawithintheIHIRegister,andinreality,willnothavedirectaccess,butwillbereturnedcontrolleddataviaastandardisedinterfacewhichwillsitbetweentheconsumersystemandIHIRegister.Requestsfordatabasedonalimitedsetoffunctionalityfordifferentusecases(forexampleTraceIHIforanewpatient)willbeprocessedbytheinterfaceandresponsesreturnedasappropriate.Forexampleifforsomereasonarecordhasbeenmarkedas“sensitive”foranyreasonintheIHIRegister,aconsumersystemrequestingthatrecordmaynotbeabletoretrievethedemographicdetailsandmayinsteadberespondedtowithanappropriateinformationmessagehighlightingthattherecordcannotbereturned.
Thesecontrolswillensure“accessabuse”isrobustlymanaged.Additionally,aswellasperforminga“controlledmessagebroker”role,thestandardisedconsumersysteminterfaceandIHIRegisterwillfullytrackconsumersystemaccessactivity,withalertsorloggingtakingplacesasappropriate.
Connectiontothisstandardisedinterfacewillonlybepermittedoncetheconsumersystemshasfullycompletedallnecessaryactivities(e.g.implementationofrequiredtechnicalchanges,signingofnecessarydocumentation)andhasbeenverifiedbytheBusinessServiceteamasreadytoconnect.
Section4.2aboveliststhedataitemsthatwillbeincludedontheNationalRegister.Althoughthesedataitemscanbeusedforsearchpurposesalltheitemsmaynotbereturnedtotheuserortoconsumersystems.
FinalVersionforPublication P a g e |27
28January2016
Inadditiontothestandardisedinterfacebeingdesignedground-up,anyexistingorlegacysysteminterfacesalreadyconnectedtotheMasterPatientIndexwillbeidentified,assessed,andmodifiedasrequiredtoensurecompliancewithIHIInformationSecuritybeforebeingpermittedtoreadanydatacontainedwithintheRegister.ThiswillensurethatconsistentBusinessLogicforaccesscontrolisappliedacrossallchannels.
InlinewiththisrequirementexistinginterfacesbetweenthePCRSregisterforPCRSschemescanonlycontinuetoaccesstheIHIregisterwhenthesamecontrolsareinplace.
Anassessmentoftheagreedstandardisedinterfacefunctionalityandcontrolstogetherwiththebusinesscomplianceprocesswillbeundertakenbeforeimplementationoftheconsumersysteminterface.
FollowingthecreationoftheNationalRegister,accesstoanduseoftheIndividualHealthIdentifierwillbeintegratedwithinatargetedsetofexternalconsumersystems(EpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedicalRecord(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme)),withtherequisiteinterfacesandprocessesalsoputinplacetomaintaintheseinterfacesgoingforward.
Typically,duetobirthregistrationprocessing,newbornbabiesarenotassignedwithaPersonalPublicServiceNumberandassociatedPublicServiceIdentitydatasetuntiltheyareapproximately28daysold.ToensurethatanIndividualHealthIdentifiercanbeavailabletobabiesatbirth.TheIHIwillbeallocatedtobabiesviaaseparateprocessbasedonthebirthnotificationsysteminhospitalswhichwillthenbereconciledwiththeirPublicServiceIdentityrecordonceitisavailable.
Thesystemsandprocessestomaintainthisforthecurrentandfuturepopulationwillalsobeputinplace.
FunctionalitytoprovidenewbornbabieswithanIndividualHealthIdentifieratbirthanduseofthenumberwithinadditionalconsumersystemswillbeaddedasacapabilityinthefuture.TheprivacyimplicationsofallsuchfurtherexpansionsofthefunctionalityanduseassociatedwiththeIndividualHealthIdentifierwillbeconsideredwithinseparatePIAsasappropriate.
4.3.5 IHI Proof of Concept Register
TheexpectedleadtimeforthedevelopmentandsubsequentintegrationoftheIHIRegisterwithconsumersystemsdrovetheneedtogeneratepracticallearningsearlysothatlessonsandunderstandingcouldbederivedandsubsequentlyappliedtothedevelopmentoftheIHIRegister.
Tothisend,anIHIProofofConcept(IHI-POC)RegisterwascreatedtofacilitatedirectpracticalexperienceandinsightinpreparingdataandproducingIHInumbers,forboththedevelopmentteamandbusinessserviceteammembers.TheoutputofthisactivitywilldirectlyfeedintotheIHIRegisterprojectdesignanddevelopmentactivities.
TheIHIProofofConceptRegisterwasintroducedafterworkonthePrivacyImpactAssessmentwasalreadynearingcompletionandasaresultthedevelopmentteamwereabletoimplementappropriateprivacycontrolsasrecommendedfortheIHIregister.
FinalVersionforPublication P a g e |28
28January2016
TheIHIProofofConceptRegisterwork-streamutilisedadedicatedSQL-baseddatabasefromwhichdatawasstoredandanalysed.Thisdatabaseisencryptedandhasstrictaccesscontrolsattached,withformalauthorisationrequiredforanyprojectresourcesrequiringaccessforanalysispurposes.Inaddition,fullauditingofaccesseswasimplemented.AnauditofaccessestotheIHIProofofConceptregisterwasrecentlycompletedtotesttheauditprocessandtoestablishthatnounauthorisedaccesseshavebeenmadetotheIHIProofofConceptRegister.
ThefirstphaseoftheIHI-POCwastocreatethedatabaseandloadthedata.Algorithmswereproducedfordataimport,cleansingandreporting;IHIgenerationandallocation
DatacleansingactionsenabledassessmentofpotentialscenariostobeconsideredfortheIHIRegister.
FurthervalidationchecksweremadebyaccessingPSIrecords.
PSIrecordswerematchedagainstHSErecords,onthebasisthatthefinalIHIRegisterwillbeutilisingPSIasaprimarytrustedsource.
Theapproachtodatavalidationbroadlytookthefollowingsteps:
• TheexistingencryptedIHI-POCSQLdatabasewasusedasthesourceofdatatobematchedagainstthePSIrecords
• AbespokeJavamodulewithappropriatesecuritypermissionswasdevelopedto:
o ReadandretrievePCRSandPSIdatarespectively
o ParseandperformanumberofmatchingscenarioswhichwouldresultinasetofvalidatedIHI-POCrecords
• TheSingleCustomerViewXMLAPIwasusedasthesecurechannelfordataretrievalbytheJavamodule
• TheJavamodulewashostedwithinthesameHSEenvironmentastheIHI-POCRegisterandaccessedtheIHI-POCRegisterusingasecurecertificateandauthenticationprocess
• Theprocesswassplitintotwodistinctphases:
o Retrieveandstoreallnecessaryinformation
o Usetheretrieveddatatoperformvalidation/analysis/reportingasrequired
SubsequentanalysisoftheparseddatahasinformedappropriatematchingrulesfortheIHIRegisterOHMPImatchingengineintheIHIRegisterdevelopment.
ThedataretrievedwasrestrictedtothatspecifiedintheHealthIdentifiersActandwasusedsolelyforthepurposesofdevelopingtheIHIRegisterdatamodelandprocessingrulesandhasneverbeenaccessedorusedbyanyconsumersystem.
TheIHIProofofConceptdatabaseandassociateddatawillbesecurelydisposedofassoonastheprojectnolongerrequirestheseentitiesforanalysis.
FinalVersionforPublication P a g e |29
28January2016
5 PRIVACY ISSUES ASSOCIATED WITH THE INDIVIDUAL HEALTH
IDENTIFIER ThissectiondescribestheprivacyissuesassociatedwiththeestablishmentofanIndividualHeathIdentifierandNationalRegisterandproposescontrolsandmitigationactionsforthosethatposeaprivacyrisk.
ItshouldbenotedthatsomeaspectsoftheimplementationoftheNationalRegistermaypresentaprivacyprotectionorenhancingopportunity,notallissuesleadtoanegativeprivacyrisk.
5.1 HIQA INFORMATION GOVERNANCE AND MANAGEMENT STANDARDS FOR THE
HEALTH IDENTIFIERS OPERATOR IN IRELAND
InAugust2015,TheHealthInformationandQualityAuthority,HIQA,followingonfromapublicconsultation,publishedInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIreland.ThesestandardsrelatetoarangeofinformationgovernanceandmanagementstandardstobeimplementedbytheBusinessOperationUnit(s)withintheHealthServiceExecutivethatwillberesponsibleforestablishingandmaintainingtheNationalRegisterofIndividualHealthIdentifiersandtheNationalRegisterofHealthServiceProvidersIdentifiers.HiQArefertotheseBusinessOperationUnitsastheHealthIdentifiersOperator.
ImplementingthesestandardswillpromotetrustamongserviceusersandhealthserviceprovidersthattheNationalRegistershavebeenestablishedinaccordancewiththelawandinlinewithbestpractice.Inturn,thiscreatesconfidencethathealthserviceproviderscanbeuniquelyidentifiedandcanuniquelyidentifytheserviceuserstowhomtheyareprovidingservices,whichultimatelyleadstoimprovementsinpatientsafety.
TheHiQAInformationGovernanceandManagementStandardsfortheHealthIdentifiersOperatorinIrelandstandards,whichwillbereferredtointhisdocumentattheHiQAstandards,aresummarisedinAppendixA.
DetailsoftheHiQAstandardsandtheconsultationprocesscanbefoundathttp://www.hiqa.ie/publications/information-governance-and-management-standards-health-identifiers-operator-ireland
TheseHiQAstandardsprovideasetofgovernancecontrolsthatwillhelptomitigatemanyoftheprivacyissuesthathavebeenidentifiedandarelistedassuchinthefollowingtables.
FinalVersionforPublication P a g e |30
28January2016
5.2 SUMMARY OF PRIVACY ISSUES, R ISK SCORES AND MITIGATIONS
ThissectionsetsouttheprivacyissuesassociatedwiththeimplementationofanIndividualHealthIdentifieraswellastheproposedmitigatingsafeguardsorcontrolsthathavebeenidentified.
ItshouldberecognisedthattherearealsoprivacyadvantagesassociatedwiththeimplementationofanIndividualHealthIdentifierthatshouldnotbeoverlooked.Forexample,sharingpatientinformation,whichalreadyhappens,willbecomemorereliablethroughtheuseofanIndividualHealthIdentifier,therightrecordbeingsharedfortherightpatient.Itmayalsobepossibletoreducetheamountofidentitydataneededwithinelectroniccommunicationswhichwillimproveprivacy.
HiQAstandardsmitigationsandcontrols,whereapplicable,arereferredtobytheirHiQAreferencenumbersandappearfirstinthefollowingtables.ToremainconsistentwiththeterminologyadoptedbyHIQAstandards,theIHIBusinessOperationsUnitisreferredtoastheHealthIdentifiersOperator.
FinalVersionforPublication P a g e |31
28January2016
5.2.1 Privacy Issues associated with the establ ishment of a National Register of Indiv idual Health Identif iers
PrivacyIssue Probab
ility
Impact Risk
Score
Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk
Score
Informationaboutyouthat
isheldontheIHIRegister
maybeaccessedillegally
(e.g.foridentitytheft,sold
orotherwisemisusedby
commercialorganisations)
4 5 20 HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthservice
providersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationand
standards.
HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsources
thatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeof
establishingandmaintainingtheNationalRegisters.
HIQA4.1.TheHealthIdentifiersOperatordeliversregularevidence-basedtraining
programmesforitsownworkforceinrelationtoestablishing,maintainingandusingthe
NationalRegisters.
1 5 5
TheHealthIdentifiersOperatorhassafeandeffectiverecruitmentpracticesinplace.
TheHealthIdentifiersOperatorlogsalldataaccessestotheIHI,traceabletoanaccountable
individual’saccount.
TheHeathIdentifiersOperatorroutinelyandrandomlyauditsaccessbyitsstafftotheIHI
registertoensureaccesswasforbusinesspurposesonly.
TheHealthIdentifiersOperatorseekstoprosecutethose(bothinternalstaffandexternal
organisations)thatknowinglyaccessorprocesstheIndividualHealthIdentifierdata
inappropriatelyasprovidedforwithintheprovisionsoftheAct.
TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceof
managingnationaldemographicsystemsintotheestablishmentofitsproceduresand
processes.
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundtheIHI
FinalVersionforPublication P a g e |32
28January2016
PrivacyIssue Probab
ility
Impact Risk
Score
Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk
Score
registerwillminimisetheriskofunlawfulaccessandhacking
TheIHIRegisterisonlyheldonserversphysicallylocatedwithinIreland.
Thetransferofdatafrom
trusteddatasources
(includingtheDSP)tothe
IHItoestablishtheIHI
registerresultsinpersonal
informationbeingaccessed
illegally(e.g.identitytheft,
soldorotherwisemisused
bycommercial
organisations)
4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsestablishedforthe
transferofdatabetweentrusteddatasourcesandtheIHIregisterwillminimisetheriskof
unlawfulaccess,datalossandhacking.
1 4 4
5.2.2 Privacy Issues associated with the ongoing transfer of data for the update and maintenance of the National Register of Indiv idual Health Identif iers
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk
Score
Transferofdatafrom
trustedsources(including
theDSP)totheIHIto
4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe
ongoingtransferofdatabetweentrustedsourcesystemsandtheIHIregisterwillminimise
theriskofunlawfulaccess,datalossandhacking
1 4 4
FinalVersionforPublication P a g e |33
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigation:safeguardsorcontrols Prob’y Impact Risk
Score
maintaintheIHIregister
resultsinpersonal
informationbeingaccessed
illegally(e.g.identitytheft,
soldorotherwisemisused
bycommercial
organisations))
5.2.3 Privacy Issues associated with management of the register by HSE Pr imary Care Reimbursement Service (HSE PCRS)
TheappointmentoftheHSEPrimaryCareReimbursementServiceastheHealthidentifiersoperatorfortheNationalRegisterprovidespositiveprivacyimpacts:theHSEisa
statutoryauthoritywithlimitsonwhatitcandodefinedinlegislation.Inaddition,theHSEPrimaryCareReimbursementServiceareanestablishedorganisationwithinthe
HSE;theyareexperiencedinhandlingpersonalhealthinformation;theyhaveagoodsecurityrecordandrobustincidentmanagementprocesses.
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
Thepubliclosetrustinhow
theIHIbusinessservice
operates,howtheIHI
registerisusedand
managedbecauseofalack
4 4 16 HIQA1.1-TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcritical
pointsduringtheestablishmentandoperationoftheNationalRegisters.
AllHIQAstandardsinTheme2:Leadership,governanceandmanagement
HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealth
identifierrecordscontainedintheNationalRegisters.
2 3 6
FinalVersionforPublication P a g e |34
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
ofindependentscrutiny.HiQAdevelopauditproceduresandconductauditsinlinewiththeInformationand
GovernanceStandardsfortheoperationoftheHealthIdentifierRegisters.
TheDataProtectionCommissioner,theControllerandAuditorGeneralandHSEinternal
auditfunctionprovideoversightoftheHealthIdentifierOperator.
PoordataqualityontheIHI
Registerleadstoduplicate
numbers/twoormoreIHI
recordsbecomingmixed
up.
4 4 16 HIQA3.2-TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdata
containedintheNationalRegisters.
1 3 3
DataQualitychecksareundertakenintheconstructionandmaintenanceoftheIndividual
HealthIdentifierRegister.
Lackofappropriate
governancecontrolswithin
theIHIBusinessService
Teamleadstoaccidentalor
deliberatebreachorlossof
data.
5 5 25 AllHIQAstandardsinTheme2:Leadership,governanceandmanagement 2 3 6
TheHealthidentifiersoperatorhassafeandeffectiverecruitmentpracticesinplace.
TheHealthidentifiersoperatorseekstoprosecutethose(bothinternalstaffandexternal
organisations)thatknowinglyaccessorprocesstheIndividualHealthIdentifierdata
inappropriatelyasprovidedforwithintheprovisionsoftheAct.
TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceof
managingnationaldemographicsystemsintotheestablishmentofitsproceduresand
processes.
TheHealthIdentifiersOperatorisrequiredtocomplywiththeHSEIGpoliciesand
procedures.
FinalVersionforPublication P a g e |35
28January2016
5.2.4 Privacy Issues associated with the proposed dataset
TheIndividualHealthIdentifierdatasetdoesnotincludeanysensitivehealthinformationwhichshouldbeseenasapositiveprivacyimpact.
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
Theformatorallocationof
theIHIdisclosespersonal
informationaboutyou.
2 3 6 TechnicalSpecificationfortheallocationofanIndividualHealthIdentifierincludes
requirementsthat:
• EachIndividualHealthIdentifiermustbeunique
• IndividualHealthIdentifiersmustberandomlygeneratedwithnoassociationtothe
personitisgeneratedfor.
• IndividualHealthIdentifiersmustnotbegeneratedinanidentifiablesequence.
1 2 2
InclusionofthePersonal
PublicServiceNumber
(PPSN)intheIHIRegister
resultsininappropriate
disclosureofinformation
aboutyouheldbythe
DepartmentofSocial
Protection(DSP)
3 4 12 StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthe
PersonalPublicServiceNumberwhichmustprovideequalorbetterprotectionasprovided
bytheDepartmentofSocialProtection
TechnicalSpecificationrequiresthataPersonalPublicServiceNumbercanbeusedtoassist
inobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorservice
userbutwillonlybeprovidedbackwithinthetraceddatasetinlinewithSocialWelfare
legislation.
TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthePersonalPublic
ServiceNumberandmustprovideequalorbetterprotectionasprovidedbytheDepartment
ofSocialProtection.
1 3 3
InclusionofMother’s
surnameatbirthintheIHI
registerdiscloses
1 5 5 StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthePSIdata
andmustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocial
Protection
1 3 3
FinalVersionforPublication P a g e |36
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
relationshipdetails TechnicalSpecificationrequiresthataMother’ssurnameatbirthcanbeusedtoassistin
obtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorservice
userbutmustneverbeprovidedbackwithinthetraceddataset.
TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthemother’s
surnameandmustprovideequalorbetterprotectionasprovidedbytheDepartmentof
SocialProtection
Statutoryresponsibilityfor
respondingtoaDataAccess
RequestmadetotheIHI
Registerresultsinpersonal
informationbeinggivento
anapplicantthatwasnot
entitledtoit.
3 5 15 TheHealthIdentifiersOperatorprocedureforrespondingtoDataAccessRequestsshould:
• BeatleastasrobustasthatoftheDepartmentofSocialProtection,requiringevidence
ofidentityoftheapplicant.Includingproofoflatestaddressdetails,photoid(passport,
publicservicescard,ordriverslicence)andutilitybill
• Ensurethatparentalrequestsonbehalfofchildrenaremadejointlyorrequireproofof
legalguardianship
• Ensurethat‘assisteddecisionmaking’proceduresareimplementedinlinewiththe
AssistedDecision-Making(Capacity)Bill2013.
• Ensurethatrequesthandlingsupportsprovisionsmadeunderrecentlegislationin
respectofadoptedchildren.
1 3 3
FinalVersionforPublication P a g e |37
28January2016
5.2.5 Privacy Issues associated with provis ion of Indiv idual Health Identif iers to Epi lepsy Electronic Pat ient Record (EPR), selected GP pract ice systems, a Hospice Electronic Medical Record (EMR) system) and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)
ThissectionidentifiestheprivacyimpactsarisingspecificallyasaresultofthedeliveryofIndividualHealthIdentifierstothesesystems.
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
ProvisionoftheIndividual
HealthIdentifiertothe
consumersystemresultsin
personalinformationbeing
accessedinappropriatelyor
beinginappropriately
shared
2 4 8 TheHealthidentifiersoperatorstandardoperatingprocedureswillensurethatany
applicationforaccesstotheNationalRegisterisfromthelistof“specifiedpersons”as
definedintheHealthIdentifiersAct.
TheHealthidentifiersoperatorwillensurethatconsumersystemsarepopulatedbyonly
performingamatchusingthoserecordswhichareheldbytheconsumersystemmaster
patientindex(MPI).
TheHealthidentifiersoperatorwillqualityassuretheassignmentofIndividualHealth
IdentifierstorecordsontheconsumersystemMPItoastandardthatwillminimiseriskof
falsepositiveandfalsenegativematchestoensurethatthecorrectIndividualHealth
Identifierisreturned.
TheHealthidentifiersoperatorwillensurethatacopyoftheNationalRegisterwillneverbe
providedtothirdpartyconsumersystems.
Technicalspecificationoftheinterfacewithconsumersystemswillminimisetheriskof
inappropriatedisclosureofanIHIbyrequiringaminimumofdatatobeingprovidedandwill
controlthedatabeingreturnedtotheconsumersystem.
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe
transferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskof
unlawfulaccess,datalossandhacking.
1 3 3
FinalVersionforPublication P a g e |38
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
ProvisionoftheIndividual
HealthIdentifiertothe
consumersystemresultsin
personalinformationbeing
accessedwithout
knowledgeorconsentof
patients.
3 4 12 HIQA1.2-TheHealthIdentifiersOperatordevelops,implementsandreviewsa
communicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusers
inrelationtotheuseoftheNationalRegisters.
HIQA2.2-TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementof
purpose
HIQA2.3-TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropean
legislationandstandardswhenestablishingandmanagingtheNationalRegisters
HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthservice
providersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationand
standards.
1 2 2
Transferofdatafromthe
consumersystemtotheIHI
forthepurposeofproviding
theconsumersystemwith
IHIdataresultsinpersonal
informationbeingaccessed
illegally(e.g.identitytheft,
soldorotherwisemisused
bycommercial
organisations))
4 4 16 TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthe
transferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskof
unlawfulaccess,datalossandhacking
TheHealthidentifiersoperatorisrequiredtoestablishappropriateInformationGovernance
controlsforconsumersystemorganisationstomeetbeforeinterfacingwiththeIHI
TheHealthidentifiersoperatorisrequiredtoestablishappropriatetechnicalstandardsfor
consumersystemstomeetbeforeinterfacingwiththeIHI.
1 3 3
ProvisionoftheIndividual
HealthIdentifiertothe
consumersystemincreases
theriskofpersonal
2 4 8 PriortoreceiptofIndividualHealthIdentifiers,thehealthserviceproviderresponsiblefor
theconsumersystemdemonstratesthattheyarecompliantwiththeInformation
GovernancepoliciesandproceduresestablishedbytheHealthIdentifiersOperator.[Non
HSEserviceproviderswillberequiredtodemonstrateequivalentInformationGovernance
1 4 4
FinalVersionforPublication P a g e |39
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
informationbeingaccessed
illegally(e.g.identitytheft,
soldorotherwisemisused
bycommercial
organisations)
controls].
InappropriateaccesstoIHI
Registerauditrecordsof
accesstopatientrecordsby
consumersystemsdiscloses
clinicalinformation(e.g.
recordaccessesbyepilepsy
EPRwouldindicatethat
individualmaysufferfrom
Epilepsy)
3 4 12 TheHealthIdentifiersoperatorensuresstrictaccesscontrolsonauditrecords.
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundaudit
recordswillminimisetheriskofunlawfulaccess,datalossandhacking.
1 4 4
DataQualityissuesarising
fromtranscriptionerrorsin
theIHIresultin
inappropriateaccessto
incorrectIHIrecords
3 3 9 TheHealthIdentifiersoperatorprovidesclearguidancetoproviderswhenimplementingthe
IHIwithintheirsystemstoensure:
• TheIHIisprintedbytheconsumersystemwhenlabellingisrequiredforpaper
recordsgeneratedbytheconsumersystem
• ProceduresavoidtheneedtowritetheIHImanually
• ElectronicmessagesbetweensystemsincorporatetheIHI
1 3 3
FinalVersionforPublication P a g e |40
28January2016
5.2.6 Privacy Issues associated with the ongoing inclusion and use of the Indiv idual Health Identif ier in Epi lepsy Electronic Pat ient Record (EPR), selected GP pract ice systems, a Hospice Electronic Medical Record (EMR) system and schemes operated by the HSE Primary Care Reimbursement Service (e.g. Medical Card Scheme)
ThissectionidentifiestheprivacyimpactsarisingspecificallyasaresultoftheongoinginclusionanduseoftheIndividualHealthIdentifierwithinthesesystems.
GiventhattheIndividualHealthIdentifierisanotherdataitemontheconsumersystemmasterpatientindex(MPI)itcouldbearguedthatthereisnoincreasedprivacy
issuesrelatedtotheholdingandprocessingoftheIndividualHealthIdentifierthroughouttheorganisation.Nonethelessthisservesasanopportunitytoensurethatgood
practiceinformationgovernance(IG)isimplemented.
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
OngoinguseoftheIHI
withinconsumersystems
resultsinpersonal
informationbeingaccessed
2 4 8 HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsources
thatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeof
establishingandmaintainingtheNationalRegisters.
1 4 4
FinalVersionforPublication P a g e |41
28January2016
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
illegally(e.g.identitytheft,
soldorotherwisemisused
bycommercial
organisations)
Thehealthserviceproviderresponsiblefortheconsumersystemwilldemonstratecontinued
compliancewiththeInformationGovernancepoliciesandproceduresestablishedbythe
HealthIdentifiersOperator.[NonHSEserviceproviderswillberequiredtodemonstrate
continuedcompliancewithequivalentInformationGovernancecontrols].
TheIHIBusinessUnitManagerdevelopsstandardsforInformationGovernancecontrols
withinconsumersystemstobemetbeforethesystemcanreceiveIHIinformation.
TheHealthServiceProviderresponsiblefortheconsumersystemwilldeliverregular
evidencebasedtrainingprogrammeforitsworkforceinrelationtoaccessanduseofthe
consumersystem
TheHealthIdentifiersOperatorandtheconsumersystemorganisationmustensurethat
appropriatesecuritymeasuresareadoptedfortheinterfacesprovidingmaintenancetothe
consumersystem.
ConsumersystemshaveappropriateRoleBasedAccesscontrolswithinthemtominimisethe
riskofinappropriateaccesstorecordsandwillensurethataccesstoauditlogsissufficientto
identifyinappropriateaccessbyamemberofstaff.
TheHeathServiceProviderroutinelyandrandomlyauditsaccesstotheIHIregisterbyits
stafftoensureaccesswasforbusinesspurposesonly.
TheHealthIdentifiersOperatorwillensurethatanyuseoftheIHIforpurposesotherthan
thoseforwhichitwassharedarerigorouslyinvestigatedandmisuseisprosecutedwhere
appropriateasperthetermsoftheHealthIdentifiersAct.
FinalVersionforPublication P a g e |42
28January2016
5.2.7 Indiv idual Health Identif ier Pr ivacy Issues associated with the future uses of the Indiv idual Health Identif ier
ThisPIAisrestrictedtotheestablishmentoftheregisterandusewithinEpilepsyElectronicPatientRecord(EPR),selectedGPpracticesystems,aHospiceElectronicMedical
Record(EMR)systemandschemesoperatedbytheHSEPrimaryCareReimbursementService(e.g.MedicalCardScheme).However,itisappropriatetoflaguppotential
privacyissuesconcernedwithasyetunknownfutureusesandestablishcontrolstomanageandpreventfutureprivacyimpacts.
PrivacyIssue Prob’y Impact Risk
Score
Proposedmitigationsafeguardsorcontrols Prob’y Impact Risk
Score
Futureexpansionofthe
IndividualHealthIdentifier
datasettoincludefurther
personaldetailsincreases
privacyimpact
2 3 6 BothHIQAstandardsinTheme1:PersonCentred
AllHIQAstandardsinTheme2:Leadership,governanceandmanagement
HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealth
identifierrecordscontainedintheNationalRegisters.
1 3 3
TheHealthIdentifiersOperatorensuresthatdatacollectedintheIHIregisterislimitedto
thatspecifiedintheHealthIdentifierAct.
UnauthoriseduseoftheIHI
byotheruserorganisations
2 4 8 BothHIQAstandardsinTheme1:PersonCentred
AllHIQAstandardsinTheme2:Leadership,governanceandmanagement
1 4 4
FinalVersionforPublication P a g e |43
28January2016
5.3 GOVERNANCE FRAMEWORK
Compliancewithcurrentlegislation(DPAs,theHealthIdentifiersActandthefutureHealthInformationBill)willbeattheheartofmanagingtheprivacyimpactsassociatedwiththeestablishmentoftheIndividualHealthIdentifierNationalRegisteranditsuses.HowevertheGovernanceFrameworksetoutwithinTheme2oftheHIQAstandardsprovidesopportunitiesforfurtherpositiveprivacyimpacts.ThegovernancearrangementsfortheNationalRegistershouldfurtherdefine:
• TheuserorganisationsthathavebeengrantedaccesstotheNationalRegister• TheorganisationsthatwillbeprohibitedfromaccesstotheNationalRegister• ThepermissibleusesoftheIndividualHealthIdentifierandtheinformationintheIndividual
HealthIdentifierDataset• Whethercontrolsrequirefurtherlegislationordatasharinganduseagreements(inparticular
penaltiesassociatedwithimproperuseordatabreaches)• RegulatoryoversightoftheBusinessOperationsUnit
Theneedforthesegovernancearrangementstoincludeanindependentoversightpanelwillbeexploredinthenextstagesofstakeholderengagement.
5.4 ASSIGNMENT OF RESPONSIBILITY FOR PRIVACY MITIGATION SAFEGUARDS OR
CONTROLS
Thefollowingtablesummarisestheprivacyriskmitigationsafeguardsandcontrolsandidentifiesthebusinessownerwhowilltakeresponsibilityforimplementingtheactionwithintheidentifiedtimescale.
Monitoringoftheimplementationofthesesafeguardswillbeincorporatedintotheoverallprojectmanagement:thebusinessownerwillberequiredtoreportonimplementationprogressonaregularbasistotheprojectboard.
5.5 MITIGATION IMPLEMENTATION RESPONSIBILITY AND TIMESCALES
Action BusinessOwner DeliveryDate
HIQA1.1-TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcriticalpointsduringtheestablishmentandoperationoftheNationalRegisters.
HeadofIHIBusinessService
AsRequired
HIQA1.2-TheHealthIdentifiersOperatordevelops,implementsandreviewsacommunicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusersinrelationtotheuseoftheNationalRegisters.
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
HIQA2.1-TheHealthIdentifiersOperatorhaseffectiveleadership,governanceandmanagementarrangementsinplace
NationalDirectorforPrimaryCare
InadvanceoftheIHIServicebecoming
FinalVersionforPublication P a g e |44
28January2016
Action BusinessOwner DeliveryDate
withclearlinesofaccountability. orHealthIdentifiersSteeringGroup
operational.
HIQA2.2-TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementofpurpose.
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
HIQA2.3-TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropeanlegislationandstandardswhenestablishingandmanagingtheNationalRegisters.
HeadofIHIBusinessService
Ongoing
HIQA2.4-TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthserviceprovidersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationandstandards.
HeadofIHIBusinessService
InadvanceofprovidingtheIHIServicetohealthserviceprovidersystems.
HIQA2.5-TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsourcesthatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeofestablishingandmaintainingtheNationalRegisters.
HeadofIHIBusinessService
InadvanceoftransferringdataforestablishingandmaintainingtheIHINationalRegister.
HIQA2.6-Thehealthidentifieroperatormonitors,reviews,evaluatesandimprovestheserviceitprovidesonanongoingbasis.
HeadofIHIBusinessService
Ongoing
HIQA3.1-TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealthidentifierrecordscontainedintheNationalRegisters.
HeadofIHIBusinessService
Ongoing
HIQA3.2-TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdatacontainedintheNationalRegisters.
HeadofIHIBusinessService
Ongoing
HIQA4.1-TheHealthIdentifiersOperatordeliversregularevidence-basedtrainingprogrammesforitsownworkforceinrelationtoestablishing,maintainingandusingtheNationalRegisters.
HeadofIHIBusinessService
InadvanceofIHIServicebecomingoperationalandongoingthereafter
TheHealthidentifiersoperatorhassafeandeffectiverecruitmentpracticesinplace.
HeadofIHIBusinessService
Ongoing
TheHealthIdentifiersOperatorlogsalldataaccessestotheIHI,traceabletoanaccountableindividual’saccount.
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
TheHeathIdentifiersOperatorroutinelyandrandomlyauditsaccessbyitsstafftotheIHIregistertoensureaccesswasfor
HeadofIHIBusinessService
Ongoing
FinalVersionforPublication P a g e |45
28January2016
Action BusinessOwner DeliveryDate
businesspurposesonly.
TheHealthidentifiersoperatorseekstoprosecutethose(bothinternalstaffandexternalorganisations)thatknowinglyaccessingorprocessingtheIndividualHealthIdentifierdatainappropriatelyasprovidedforwithintheprovisionsoftheAct.
HeadofIHIBusinessService
Ongoing
TheHealthIdentifiersOperatorincorporateslessonslearnedfromtheexperienceofmanagingnationaldemographicsystemsintotheestablishmentofitsproceduresandprocesses.
HeadofIHIBusinessService
Ongoing
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundtheIHIregister(includingtransferofdatafromtrustedsourcesandconsumersystems)willminimisetheriskofunlawfulaccessandhacking
ChiefInformationOfficer
DuringtheimplementationoftheIHIRegisterandongoingthereafter
TheNationalRegisterisonlybeheldonserversphysicallylocatedwithinIreland
ChiefInformationOfficer
DuringtheimplementationoftheIHIRegisterandongoingthereafter
HiQAdevelopauditproceduresandconductauditsinlinewiththeInformationandGovernanceStandardsfortheoperationoftheHealthIdentifierRegisters–inclusiveoftheIHIRegister.
HiQA Ongoing
TheDataProtectionCommissioner,theControllerandAuditorGeneralandHSEinternalauditfunctionprovideoversightoftheHealthidentifieroperator.
DPC,
Controller&AuditorGeneral
HSEinternalaudit
Ongoing
DataQualitychecksareundertakenintheconstructionandmaintenanceoftheIndividualHealthIdentifierRegister
ChiefInformationOfficerduringimplementation
HeadofIHIBusinessServiceonceoperational
DuringtheimplementationoftheIHIRegisterandongoingthereafter
TheHealthIdentifiersoperatorisrequiredtocomplywiththeHSEIGpoliciesandprocedures.
HeadofIHIBusinessService
Ongoing
TechnicalSpecificationfortheallocationofanIndividualHealthIdentifierincludesrequirementthat:
• EachIndividualHealthIdentifiermustbeunique
• IndividualHealthIdentifiersmustberandomlygeneratedwithnoassociationtothepersonitisgeneratedfor.
• IndividualHealthIdentifiersmustnotbegeneratedinan
ChiefInformationOfficer
InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.
FinalVersionforPublication P a g e |46
28January2016
Action BusinessOwner DeliveryDate
identifiablesequence.
StandardOperatingProceduresincluderestrictionsontheuseandavailabilityofthePersonalPublicServiceNumbermustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
TechnicalSpecificationrequiresthataPersonalPublicServiceNumbercanbeusedtoassistinobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorserviceuserbutwillonlybeprovidedbackwithinthetraceddatasetinlinewithSocialWelfarelegislation.
ChiefInformationOfficer
InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.
TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthePersonalPublicServiceNumbermustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection.
ChiefInformationOfficer
InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.
StandardOperatingProceduresincludesrestrictionsontheuseandavailabilityofthemother’ssurnamemustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
TechnicalSpecificationrequiresthataMother’ssurnamescanbeusedtoassistinobtainingthecorrectIndividualHealthIdentifierwhenprovidedbythepatientorserviceuserbutmustneverbeprovidedbackwithinthetraceddataset.
ChiefInformationOfficer
InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.
TechnicalSpecificationincludesrestrictionsontheuseandavailabilityofthemother’ssurnamemustprovideequalorbetterprotectionasprovidedbytheDepartmentofSocialProtection
ChiefInformationOfficer
InadvanceoftheimplementationofthetechnicalsystemthatwillsupporttheIHIService.
TheHealthidentifiersoperatorprocedureforrespondingtoDataAccessRequestsshould:
• BeatleastasrobustasthatoftheDepartmentofSocialProtection,requiringevidenceofidentityoftheapplicant.Includingproofoflatestaddressdetailsphotid(passportordriverslicence)andutilitybill
• Ensurethatparentalrequestsonbehalfofchildrenaremadejointlyorrequireproofoflegalguardianship
• Ensurethat‘assisteddecisionmaking’proceduresareimplementedinlinewiththeAssistedDecision-Making(Capacity)Bill2013
• Ensurethatrequesthandlingsupportsprovisionsmadeunderrecentlegislationinrespectofadoptedchildren.
HeadofIHIBusinessService
InadvanceoftheIHIServicebecomingoperational.
FinalVersionforPublication P a g e |47
28January2016
Action BusinessOwner DeliveryDate
TheHealthidentifiersoperatorstandardoperatingprocedureswillensurethatanyapplicationforaccesstotheNationalRegisterisfromthelistof“specifiedpersons”asdefinedintheHealthIdentifiersAct.
HeadofIHIBusinessService
Ongoing
TheHealthidentifiersoperatorwillensurethatconsumersystemsarepopulatedbyonlyperformingamatchusingthoserecordswhichareheldbytheconsumersystemMPI.
HeadofIHIBusinessService
Outlineprocedurepriortoconsumersystemimplementation
TheHealthidentifiersoperatorwillqualityassuretheassignmentofIndividualHealthIdentifierstorecordsontheconsumersystemMPItoastandardthatwillminimiseriskoffalsepositiveandfalsenegativematchestoensurethatthecorrectIndividualHealthIdentifierisreturned.
HeadofIHIBusinessService
Outlineprocedurepriortoconsumersystemimplementation
TheHealthidentifiersoperatorwillensurethatacopyoftheNationalRegisterwillneverbeprovidedtothirdpartyconsumersystems.
HeadofIHIBusinessService
Ongoing
TechnicalspecificationoftheinterfacewithconsumersystemswillminimisetheriskofinappropriatedisclosureofanIHIbyrequiringaminimumofdatatobeingprovidedandwillcontrolthedatabeingreturnedtotheconsumersystem
ChiefInformationOfficer
Priortoconsumersystemimplementation
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundthetransferofdatabetweentheconsumersystemandtheIHIregisterwillminimisetheriskofunlawfulaccess,datalossandhacking
ChiefInformationOfficer
Priortoconsumersystemimplementation
TheHealthidentifiersoperatorisrequiredtoestablishappropriateIGcontrolsforconsumersystemorganisationtomeetbeforeinterfacingwiththeIHI
HeadofIHIBusinessService
Outlineprocedurepriortoconsumersystemimplementation
TheHealthidentifiersoperatorisrequiredtoestablishappropriateTechnicalstandardsforconsumersystemtomeetbeforeinterfacingwiththeIHI.
HeadofIHIBusinessService
Priortoconsumersystemimplementation
PriortoreceiptofIndividualHealthIdentifiers,thehealthserviceproviderresponsiblefortheconsumersystemdemonstratesthattheyarecompliantwiththeInformationGovernancepoliciesandproceduresestablishedbytheHealthIdentifiersOperator.[NonHSEserviceproviderswillberequiredtodemonstrateequivalentIGcontrols].
HeadofIHIBusinessService
Outlineprocedurepriortoconsumersystemimplementation
TheHealthIdentifiersoperatorensuresstrictaccesscontrolsonauditrecords.
HeadofIHIBusinessService
Ongoing
TheChiefInformationOfficerensuresthattechnicalandphysicalcontrolsaroundauditrecordswillminimisetheriskofunlawful
ChiefInformation Ongoing
FinalVersionforPublication P a g e |48
28January2016
Action BusinessOwner DeliveryDate
access,datalossandhacking. Officer
TheHealthIdentifiersoperatorprovidesclearguidancetoproviderswhenimplementingtheIHIwithintheirsystemstoensure:
• TheIHIisprintedonallpaperrecordsgeneratedbytheconsumersystem
• ProceduresavoidtheneedtowritetheIHImanually
• ElectronicmessagesbetweensystemsincorporatetheIHI
HeadofIHIBusinessService
Outlineprocedure1monthpriortoconsumersystemimplementation
ThehealthserviceproviderresponsiblefortheconsumersystemwilldemonstratecontinuedcompliancewiththeHSEIGpoliciesandprocedures.[NonHSEserviceproviderswillberequiredtodemonstratecontinuedcompliancewithequivalentIGcontrols].
HealthServiceProvider
Asrequired
TheHealthidentifiersoperatordevelopsstandardsforIGcontrolswithinconsumersystemstobemetbeforethesystemcanreceiveIHIs.
HeadofIHIBusinessService
Outlineprocedurepriortoconsumersystemimplementation
TheHealthServiceProviderresponsiblefortheconsumersystemwilldeliverregularevidencebasedtrainingprogrammeforitsworkforceinrelationtoaccessanduseoftheconsumersystem
HealthServiceProvider
Asrequired
TheHealthIdentifiersOperatorandtheconsumersystemorganisationmustensurethatappropriatesecuritymeasuresareadoptedfortheinterfacesprovidingmaintenancetotheconsumersystem.
HeadofIHIBusinessService/HealthServiceProvider
Outlineprocedurepriortoconsumersystemimplementation
ConsumersystemshaveappropriateRoleBasedAccesscontrolswithinthemtominimisetheriskofinappropriateaccesstorecordsandwillensurethataccesstoauditlogsissufficienttoidentifyinappropriateaccessbyamemberofstaff.
HealthServiceProvider
Asrequired
TheHeathServiceProviderroutinelyandrandomlyauditsaccesstotheIHIregisterbyitsstafftoensureaccesswasforbusinesspurposesonly.
HealthServiceProvider
Ongoing
TheHealthIdentifiersOperatorwillensurethatanyuseoftheIHIforpurposesotherthanthoseforwhichitwassharedarerigorouslyinvestigatedandmisuseisprosecutedwhereappropriateasperthetermsoftheHealthIdentifiersAct.
HeadofIHIBusinessService
Asrequired
TheHealthIdentifiersOperatorensuresthatdatacollectedintheIHIregisterislimitedtothatspecifiedintheHealthIdentifierAct.
HeadofIHIBusinessService
Ongoing
FinalVersionforPublication P a g e |49
28January2016
FinalVersionforPublication P a g e |50
28January2016
5.6 APPENDIX A – HIQA PROPOSALS FOR INFORMATION GOVERNANCE AND
MANAGEMENT STANDARDS FOR THE HEALTH IDENTIFIERS OPERATOR IN
IRELAND
Theme1-Person-centred
Standard1.1 TheHealthIdentifiersOperatorconductsprivacyimpactassessmentsatcriticalpointsduringtheestablishmentandoperationoftheNationalRegisters.
Standard1.2 TheHealthIdentifiersOperatordevelops,implementsandreviewsacommunicationsplanthateffectivelyengageswithhealthserviceprovidersandserviceusersinrelationtotheuseoftheNationalRegisters.
Theme2-Leadership,governanceandmanagement
Standard2.1 TheHealthIdentifiersOperatorhaseffectiveleadership,governanceandmanagementarrangementsinplacewithclearlinesofaccountability.
Standard2.2 TheHealthIdentifiersOperatormaintainsapubliclyavailablestatementofpurpose.
Standard2.3 TheHealthIdentifiersOperatorcomplieswithrelevantIrishandEuropeanlegislationandstandardswhenestablishingandmanagingtheNationalRegisters.
Standard2.4 TheHealthIdentifiersOperatorhasformalisedarrangementswithhealthserviceprovidersfortheeffectiveuseoftheNationalRegistersinlinewithrelevantlegislationandstandards.
Standard2.5 TheHealthIdentifiersOperatorhasformalisedarrangementswithtrustedsourcesthatprotectpersonalinformationanddefinewhichdatacanbesharedforthepurposeofestablishingandmaintainingtheNationalRegisters.
Standard2.6 Thehealthidentifieroperatormonitors,reviews,evaluatesandimprovestheserviceitprovidesonanongoingbasis.
FinalVersionforPublication P a g e |51
28January2016
Theme3-Useofinformation
Standard3.1 TheHealthIdentifiersOperatormaintainsandreviewstheprivacyofhealthidentifierrecordscontainedintheNationalRegisters.
Standard3.2 TheHealthIdentifiersOperatormaintainsandreviewsthequalityofdatacontainedintheNationalRegisters.
Theme4-Workforce
Standard4.1 TheHealthIdentifiersOperatordeliversregularevidence-basedtrainingprogrammesforitsownworkforceinrelationtoestablishing,maintainingandusingtheNationalRegisters.
FinalVersionforPublication P a g e |52
28January2016
5.7 APPENDIX B: ORGANISATIONS WE HAVE CONSULTED TO DATE
HealthServiceExecutive(HSE)
DepartmentofHealth(DOH)
DepartmentofSocialProtection(DSP)
OfficesoftheDataProtectionCommissioner(DPC)
HealthInformationandQualityAuthority(HiQA)
BeaumontHospital
TheCouncilofClinicalInformationOfficers(CCIO)
IrishPlatformforPatients’Organisations,Science&Industry(IPPOSI)