Clinical Administrative Databases June 2005
Discharge Abstract Database (DAD) Hospital Morbidity Database (HMDB) National Ambulatory Care Reporting System (NACRS)
P r i v a c y
I m p a c t
A s s e s s m e n t
�Contents of this publication may be reproduced in whole or in part provided the intended use is for non-commercial purposes and full acknowledgement is given to the Canadian Institute for Health Information. Canadian Institute for Health Information 495 Richmond Road Suite 600 Ottawa, Ontario K2A 4H6 Telephone: (613) 241-7860 Fax: (613) 241-8120 www.cihi.ca
2005 Canadian Institute for Health Information
TM
Registered Trademark of the Canadian Institute for Health Information
Cette publication est disponible en français sous le titre : Bases de données clinico-administratives
2005-2006, Évaluation des incidences sur la vie privée.
�Clinical Administrative Databases
Privacy Impact Assessment
Prepared By: • • • Jaimini Thakore, Consultant, CIHI (Clinical Administrative Databases); Joan Roch, Former Chief Privacy Officer, CIHI (Privacy Secretariat); and David H. Flaherty, CIHI Chief Privacy Advisor, (David H. Flaherty Inc., Privacy and Information Policy Consultants, Victoria, British Columbia V8P 1R1).
��Privacy Impact Assessment Clinical Administrative Databases
Table of Contents
1. Introduction and Overview ................................................................................... 1 1.1 The Canadian Institute for Health Information (CIHI)......................................... 1 1.2 Clinical Administrative Databases .................................................................. 1 1.3 The Discharge Abstract Database (DAD) ........................................................ 1 1.4 Hospital Morbidity Database (HMDB) ............................................................. 2 1.5 National Ambulatory Care Reporting System (NACRS)...................................... 2 2. Description ........................................................................................................ 2 2.1 Need for the Clinical Administrative Databases (CAD) ...................................... 2 2.2 General Purposes ........................................................................................ 3 2.3 Current Scope of the CAD Databases ............................................................ 3 2.4 Database Architecture.................................................................................. 4 3. Data Collection for CAD ...................................................................................... 5 3.1 Statutory Authorities for the Collection, Use, and Disclosure of Information for CAD ..................................................................................................... 5 3.2 Limits on Data Collected for CAD Databases................................................... 6 3.3 Data Accuracy for CAD Databases ................................................................ 6 3.4 Sources of Data for CAD Databases .............................................................. 8 3.5 Personal Information in the CAD Databases .................................................... 8 3.6 Data Retention/Destruction ......................................................................... 10 3.7 Consent Issues ......................................................................................... 10 4. Uses and Disclosures of Data ............................................................................. 11 4.1 Uses of Data ............................................................................................ 11 4.2 Disclosures of Information .......................................................................... 11 4.2.1 Data Requests................................................................................. 12 4.2.2 Disclosure to Data Providers ............................................................. 12 4.2.3 Disclosures Under Agreements .......................................................... 13 4.3 Access Rights for Individuals to Their Personal Information in CAD Databases... 13 5. Privacy Standards: Concerns and Security Measures for CAD Databases ................. 14 5.1 Record Level Linkages for CAD Databases .................................................... 14 5.2 Disclosure Avoidance Practices for CAD....................................................... 14 5.3 Security Safeguards................................................................................... 15 5.3.1 Data Submission and Processing Safeguards ....................................... 15 5.3.2 External Users................................................................................. 16 5.3.3 Access Procedures for CIHI Employees............................................... 16 6. Conclusions: A Privacy Report Card for CAD ........................................................ 17 7. Resources........................................................................................................ 20
�Privacy Impact Assessment Clinical Administrative Databases
Table of Contents (cont'd)
Appendix A: Data Elements .................................................................................... 21 Appendix B: Information Flow in DAD-HMDB and NACRS ........................................... 29 Appendix C: Summary of Database Versions Available Internally in CIHI ....................... 32 Appendix D: Reason for Collection of Personal Information Elements in CAD ................. 33 Appendix E: Public Sector Privacy Legislation References............................................ 37 References ........................................................................................................... 39
�Clinical Administrative Databases: Privacy Impact Assessment
1. Introduction and Overview
1.1 The Canadian Institute for Health Information (CIHI)
The Canadian Institute for Health Information is mandated to coordinate the development and maintenance of a comprehensive and integrated health information system for Canada. It is responsible for providing and coordinating the provision of accurate and timely information necessary to establish sound health policies, manage the Canadian health system effectively, and generate public awareness of factors affecting good health. Since respecting personal privacy, safeguarding the confidentiality of individual records, and system security are critical to successfully meeting its mandate, CIHI has created a Privacy Secretariat reporting to the CEO and has established principles and policies for the protection of health information (which continue to undergo revision and enhancement in a rapidly changing field).1 As part of this initiative, CIHI is committed to conducting a privacy impact assessment (PIA) on each of its data holdings. It is a tool used to assess the possible privacy-related consequences of systems and practices for the collection, use, and disclosure of personal information.
1.2 Clinical Administrative Databases
There are three databases covered in this privacy impact assessment: the Discharge Abstract Database (DAD), the Hospital Morbidity Database (HMDB) and the National Ambulatory Care Reporting System (NACRS). The three databases are related in that they each are repositories of clinical, demographic and administrative data that were originally collected by hospitals and health care facilities during the normal course of patient care and administration. Many of the same data elements are captured in the all three databases. Throughout this document the term Clinical Administrative Databases (CAD) will refer to these three databases. CIHI’s Steering Committee for National Clinical Administrative Databases guides ongoing maintenance and enhancements of all the CAD databases. It discusses and makes recommendations to CIHI on operational or strategic issues related to the DAD, HMDB, and NACRS Databases. Each province or territory appoints a member to the committee, with a requirement that the member possesses decision-making authority on matters related to the CAD databases in their province or territory.
1.3 The Discharge Abstract Database (DAD)
The DAD was originally developed in 1963 to collect data on hospital discharges in Ontario and to provide a centralized data processing system. Over time, more provinces opted to use the services of this centralized data processing system; this resulted in increased efficiency and standardization among the participating provinces.2 The DAD currently collects information on acute, day surgery, chronic and rehabilitation events from participating facilities in Canada. DAD has coverage for all acute care discharges in Canada, except Quebec. Each record in the DAD captures a standard clinical, demographic, and administrative data set.
CIHI 2005–2006
1
�Clinical Administrative Databases: Privacy Impact Assessment
1.4 Hospital Morbidity Database (HMDB)
The HMDB was developed by the Dominion Bureau of Statistics (now Statistics Canada) to collect and publish national hospital morbidity statistics. Statistics Canada was responsible for the HMDB for the data years 1960 to 1993–1994.3 As of the 1994–1995 data year, responsibility for the database was transferred to CIHI. The HMDB is a national data holding that captures administrative, clinical, and demographic information on hospital inpatient events. It provides national discharge statistics from Canadian health care facilities by diagnoses and procedures. Discharge data are received from all acute care facilities and some chronic care and rehabilitation facilities across Canada, including Quebec. Discharge data from psychiatric facilities, as well as day procedures (e.g. day surgeries) and Emergency Department visits, are not captured in this database. The HMDB is populated by a subset of DAD data for those provinces and territories that submit discharge statistics to the DAD.
1.5 National Ambulatory Care Reporting System (NACRS)
Ambulatory care has grown significantly in recent years to become the largest volume of patient activity in Canadian health care. The NACRS was created to capture clinical, administrative and demographic information from all hospital-based and community-based ambulatory care: day surgery, outpatient clinics and emergency departments. NACRS received its first full year of usable data in FY 2001–2002. Some data elements are specific to emergency activity, while others are from day surgery and/or clinic visits. NACRS currently collects ambulatory care events from all facilities in Ontario and from a few facilities in the rest of Canada.
2. Description
2.1 Need for the Clinical Administrative Databases (CAD)
DAD, HMDB, and NACRS databases were created in response to a need for standardized clinical administrative health services data that permits comparisons across the country. Data from the CAD databases are needed for planning, evaluation, and hospital funding. Hospitals use the data to support facility-specific utilization management decisions and administrative analysis as well as research. Governments use the data for funding, system planning and evaluation. The DAD was originally created to capture hospital discharge information and provide a centralized data processing system. HMDB was created to produce comparable hospital morbidity statistics at the national level. Increasing ambulatory care activity in Canada was the primary reason for the creation of NACRS. The DAD and NACRS databases also contain measures calculated by CIHI, such as Case Mix Groups (or CMG™), Comprehensive Ambulatory Classification System (CACS), and Resource Intensity Weighting (or RIW™).4
2
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
2.2 General Purposes
The purposes of the CAD databases are to: • • • • • • • • Collect, process, and analyze summaries of hospital discharges and ambulatory care events; Support management decision making at the hospital, regional, and provincial/territorial levels; Facilitate provincial and national comparative reporting, including longitudinal analysis; Support the development and use of analytical tools, such as case grouping methods, length of stay analysis, and resource utilization analysis; Support analysis and research;5 Streamline data collection and reduce duplication between provinces; Provide data to Statistics Canada and Health Canada; and Provide data for international comparative reporting to Organization for Economic Cooperation and Development (OECD).
Information collected in the CAD databases is used to create parts of other CIHI databases: Table 1. CAD Data Used in Other CIHI Databases
CIHI Database Hospital Mental Health Database (HMHDB)6 Ontario Trauma Registry Minimal Data Set (OTR-MDS)7 Therapeutic Abortions Database (TADB)8 National Trauma Registry Minimal Data Set (NTR-MDS)9 OECD Database10 Information Collected From DAD HMDB NACRS Level of Information Provided From the Main Holding Record level Record level Aggregate data Record level Aggregate data
Information in the DAD is also used in the creation of the DAD-HMDB merged dataset, explained in more detail under Sections 2.3 and 2.4. A complete list of DAD and NACRS elements is presented in Appendix A.
2.3 Current Scope of the CAD Databases
The DAD contains demographic, administrative, and clinical data for hospital discharges (inpatient including acute, chronic, rehabilitation) and day surgeries. With the exception of Quebec, all acute discharges in Canada are submitted to the DAD. In 2003–2004, over 3 million records were submitted to the DAD. This included close to 2.4 million acute care records, representing approximately 80% of acute care discharges in Canada.
CIHI 2005–2006
3
�Clinical Administrative Databases: Privacy Impact Assessment
The HMDB database contains demographic, administrative, and clinical data on hospital inpatient events from all acute facilities and a number of chronic care and rehabilitation facilities across Canada. The HMDB does not contain discharges from psychiatric facilities. Stillborn and cadaveric donor abstracts are excluded from the HMDB. In 2002–2003, 3.1 million records were submitted to the HMDB. The NACRS database contains demographic, administrative, and clinical data for ambulatory care (emergency, day surgery and outpatient clinics). Currently, Ontario is the only province that submits all its emergency and day surgery events to NACRS. In 2003–2004, over 8 million records were submitted. In an effort to streamline data collection and reduce duplication, CIHI uses DAD data to create parts of the HMDB database. Redevelopment of the DAD was proposed in 1999 to accommodate the implementation of a new classification system, add/delete data elements, and improve data comparability. As part of the redevelopment, a technical merge of the DAD and HMDB assisted in achieving these goals as well as improving data quality and comparability. Each record in the DAD, HMDB, and NACRS refers to one episode of care. In other words, if an individual was admitted to hospital five (5) times over the course of the year, this would result in five (5) separate records. A mandatory field is one that all provinces have agreed to submit and includes information that is core to analyses or case mix grouping, such as Date of Birth or Gender. The rest of the fields are optional in that information is not collected from all provinces or facilities. CIHI continues to encourage greater consistency in the definition and in the list of data elements submitted to national data holdings in order to enhance their analytical value. Data quality efforts are under way to this end. In the DAD and NACRS, provinces also have the option to submit province specific information, e.g. special project fields, to support province specific initiatives.
2.4 Database Architecture
All three databases reside at the CIHI office in Toronto. DAD data are received directly from submitting facilities, with the exception of Alberta and Manitoba. In Alberta and Manitoba, hospitals submit the data to the provincial Ministry of Health, which then, in its role as a custodian or trustee, submits the data to CIHI. As Quebec does not participate in the DAD, its Ministry of Health and Social Services submits data annually to CIHI specifically for the HMDB. All NACRS data are received directly from the submitting facilities. See Appendix B for visual representations of the flow of data. In 2003, the DAD and HMDB were integrated to form the DAD-HMDB. Though merged, both databases are still capable of retaining their individual characteristics and identity for reporting and analysis. To do this, Quebec data for the HMDB are appended to the DAD database, and HMDB specific information in the DAD is flagged. The resulting merged physical database is called DAD-HMDB.
4
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Incoming DAD, HMDB, and NACRS data are processed and validated (i.e. run through edit checks) on central data servers. At this point CIHI applies various formulae to the data to create CMG, CACS, and RIW to make the data nationally comparable and meaningful for utilization analysis by Ministries of Health and facilities. Batches of data are then loaded on relational database management systems used for reporting and analysis. All three databases utilize industry standard safeguards to restrict access to authorized CIHI personnel only.
3. Data Collection for CAD
3.1 Statutory Authorities for the Collection, Use, and Disclosure of Information for CAD
Although CIHI is responsible for coordinating, maintaining, and ensuring specific data collection standards for the CAD databases, the individual Ministries of Health and/or hospitals decide what to collect to comply with the requirements and laws in place in their jurisdiction. The data that hospitals and other health care facilities submit to DAD, HMDB, and NACRS are originally collected as part of the patient record that health facilities create during the course of hospital admission, discharge, and patient care. All provinces and territories now have “Freedom of Information and Protection of Privacy Acts” (or their equivalents), and Alberta, Saskatchewan, Manitoba, and Ontario also have health information specific legislation. The privacy acts generally include clauses that permit bodies covered by the Acts to disclose person identifiable data for the purpose of research and analysis. Specific health information acts may also include clauses that permit the use and disclosure of personal information for the purpose of utilization analysis and management of the health system. Appendix E provides more detail on provincial and territorial privacy legislation. CIHI was specifically created by the federal/provincial/territorial governments to be a central repository for administrative health data, to streamline the health information system in Canada, and to provide timely information for the purposes of analysis, management, and planning of the healthcare system, as well as increasing the public’s awareness of the factors affecting health. These arrangements are supported and set out in Bilateral Agreements between CIHI and each province (except Ontario) and territory. In Ontario, CIHI is recognized as a “prescribed entity” in the regulations to Ontario's Personal Health Information Protection Act, which authorizes CIHI to collect person identifiable data for the purpose of planning and management of the health system.
CIHI 2005–2006
5
�Clinical Administrative Databases: Privacy Impact Assessment
3.2 Limits on Data Collected for CAD Databases
Data elements collected in all three databases are considered essential by stakeholders to satisfy the purposes of each data holding. A complete list of data elements for FY 2004–2005 DAD and NACRS databases is presented in Appendix A. The National Steering Committee for Clinical Administrative Databases reviews data elements for addition as well as deletion. This committee is composed of representatives from all provinces/territories as well as Health Canada and Statistics Canada. The decision to add or delete a data element involves a number of factors, including CIHI’s mandate to maintain the longitudinal integrity of the database and to facilitate national reporting. Over time, the data collected in each database evolve to reflect the identified health information needs of the stakeholders. No patient or provider (physicians and other health care professionals) names or street addresses are collected for the DAD, HMDB, or NACRS.
3.3 Data Accuracy for CAD Databases
Coding standards and education sessions are important in maintaining data accuracy in the CAD databases. The Classifications department provides substantial support to maintain national coding standards. CIHI staff also provides extensive education sessions to data providers on coding and abstracting health information for submission to these data holdings. CIHI conducts edit checks on the data transmitted from facilities to identify duplicate records, missing and/or invalid data, and inconsistencies in data transmissions. If errors are found, facilities are notified and are given an opportunity to submit corrected abstracts, delete duplicates, or submit additional abstracts missing at the time of initial submission.
6
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Table 2. Edits and Error Reports to Improve Data Accuracy on CAD DAD
Number of edit checks Error Reports Over 70011 Error reports are sent to the client immediately after data submission and prior to year-end. Abstracts with errors are accepted and marked for correction. Over 70012 Error checking for all provinces except Quebec is done through the DAD. The Ministry of Health in Quebec performs error checking before sending their data to HMDB. CIHI then performs further error checking (in collaboration with Statistics Canada), mapping of similar elements and application of the DAD edit checks on Quebec data. Error reports on Quebec data are not managed by CIHI. Data from all other provinces are managed by the DAD.
HMDB
NACRS
Over 33013 Abstracts are rejected by CIHI if an error is found. Errors reports are sent to the client immediately after data submission and prior to year-end.
Mode of Error Report Delivery
Paper based via courier*. All client contacts receiving reports are registered and verified by CIHI.
Error reports are handled electronically using industry standard safeguards. They are encrypted, and password protected. All client contacts receiving reports are registered and verified by CIHI.
* Paper based reports will be discontinued in FY 2005–2006 and replaced by an encrypted, password protected electronic mode of delivery similar to NACRS.
CIHI continues to redesign processes to optimize the privacy and confidentiality of data. In the past, CIHI accepted faxes from DAD clients submitting correction files. Although the fax machine was in a secure area and constantly monitored, this practice has been stopped and institutions are encouraged to follow their own privacy policies. Clients are now required to submit correction files electronically. Additionally, as of FY 2005–2006, error reports on specific abstracts sent to hospital clients will be in an electronic format, instead of their current paper format. This is important for enhancing data protection. All three databases are subject to CIHI’s Data Quality Framework, which is a corporate continuous quality improvement program that has ongoing documentation and assessment requirements. The focus of the framework is on accuracy, timeliness, comparability, usability, and relevance of the data to users. This process promotes privacy interests in ensuring accurate personal information. Further information on Data Quality of the CAD databases can be found on CIHI’s Web site.
CIHI 2005–2006
7
�Clinical Administrative Databases: Privacy Impact Assessment
DAD, HMDB, and NACRS contain clinical administrative data, which are coded and abstracted before they are sent to CIHI. CIHI has completed a special DAD Data Quality Study to evaluate the accuracy of this coding. The study involves re-coding the original sources of information (i.e. patient charts) and comparing this information with what exists in the DAD database.14 The results of these studies can be found on the CIHI Web site.15 CIHI allows institutions to correct erroneous DAD and NACRS data during the entire submitting year and up to the closing date. This includes errors detected by the CIHI, the institution, or a patient. Errors detected after the closing date are generally not corrected, although this is of relatively minor significance in the CAD databases because the data are not being used to treat individual patients. More details on broader DAD and HMDB quality assurance practices are available in the document Quality Assurance Processes Applied to the Discharge Abstract and Hospital Morbidity Databases, available on the CIHI Web site.
3.4 Sources of Data for CAD Databases
A hospital or clinic chart (e.g. Patient History, Discharge Summary, Operative Reports and Diagnostic Test Results) is patient-specific information hospitals are legally required to collect during a hospital or clinic visit. The information in abstracts supplied to DAD, HMDB and NACRS is a coded subset of the information collected during a patient’s visit. Health records personnel use the DAD or NACRS manual16,17 to abstract specific data elements from the hospital’s records. Expert advisory groups across the country have identified DAD, HMDB, and NACRS data elements as being important to measure hospital activity and health care status. As mentioned previously, data for DAD and HMDB are submitted directly from health care facilities to CIHI, with the exception of Alberta, Manitoba and Quebec. Currently, Alberta, Manitoba and Quebec facilities submit data to their Ministry of Health, which then send the data to CIHI.
3.5 Personal Information in the CAD Databases
CAD databases do not collect information that directly identifies any person, such as name, address, and telephone number. CAD databases do collect data elements that could, in combination with other information, lead to the identification of an individual. These elements include the health care number, postal code, and numbers assigned by the facility. However, CIHI does not have access to the key that associates a health number with a particular person. CIHI applies disclosure avoidance practices, such as masking, aggregating, and truncating information, as well as requiring confidentiality agreements, to minimize the possibility of re-identification.
8
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
CAD databases also collect personal health information related to diagnoses and procedures performed in the health care facility. Classification of these diagnoses and procedures is a World Health Organization initiative that classifies morbidity and mortality information for statistical purposes, for the indexing of hospital records by disease and operations, and for the appropriate storage and retrieval of data. The data are collected in coded form and require keys to the codes, as well as special training, to render them meaningful. When not attached to potentially identifying personal information, such as the health care number or postal code, this information, though sensitive, is not person identifiable. Following is a list of data elements collected in CAD databases that are particularly sensitive or could, in combination with other elements, lead to identification of an individual. A full description of each data element and the rationale for its collection are provided in Appendix D.
Facility Assigned Identifiers:
• • • • Chart Number (DAD, HMDB, NACRS); Register Number (DAD, NACRS)—not collected in all provinces; Second Chart/Register Number/Sequence Number (DAD, NACRS)—not collected in all facilities; and Maternal/Newborn Chart or Register Number (DAD, HMDB)
EMS Assigned Identifiers:
• Ambulance Call Number (NACRS)—not collected in all facilities.
Personal Attributes/Identifiers:
• • • • • Health Care Number (DAD, HMDB, NACRS); Date of Birth (DAD, HMDB, NACRS)—age collected in Quebec for HMDB in lieu of Date of Birth; Living Arrangement (NACRS)—not collected in all facilities; Residence Type (NACRS)—not collected in all facilities; and Highest level of education (NACRS)—not collected in all facilities.
Geographic Attributes:
• Postal Code (DAD, HMDB, NACRS).
Clinical Attributes
• Diagnoses and Interventions (DAD, HMDB, NACRS): The main clinical information in CAD databases is classified into diseases or health problems (diagnoses) and the procedures or treatments applied (interventions). Diagnostic and intervention information collected in the CAD databases are comprehensive and detailed. The information is recorded using alphanumeric codes in accordance with international coding classification systems. There are over 16,000 diagnosis codes and over 16,000 intervention codes in the most recent version of the international coding classification system. Interpreting these codes requires expertise in this coding system or access to the specialized manuals.
CIHI 2005–2006
9
�Clinical Administrative Databases: Privacy Impact Assessment
• •
Reproductive Care Information (DAD, NACRS): Supplemental information specifically for reproductive care related records—not collected in all provinces; and Mental Health information (DAD): Supplemental information specifically for mental health or psychiatric related records—not collected in all provinces.
Information that cannot reasonably lead to the identification of an individual, such as province, residence code, and gender, has not been listed in this section. A full list of data elements in DAD and NACRS databases is in Appendix A.
3.6 Data Retention/Destruction
Consistent with CIHI’s mandate and purposes for data collection, CIHI will maintain CAD data for as long as necessary to facilitate statistical reporting and analysis of inpatient trends. This includes retrospective, longitudinal studies that involve historical DAD records. Table 3 outlines the retention of data at CIHI. Table 3. Data Retention of CAD Databases
Data Retention Production/on site Archived/off site DAD 1994–2004 1979–1993 HMDB 1994–2003 N/A* NACRS 2001–2004 1997–2000
*HMDB was the responsibility of Statistics Canada prior to 1994
•
Paper submissions were discontinued after 2003 in the DAD-HMDB. Paper submissions previously sent to CIHI were inputted into the system and subsequently destroyed within 3 months. CIHI restricts access to patient sensitive elements by creating two versions of each data set: one with patient sensitive elements necessary for analysis, and one without patient sensitive elements. Strict guidelines and an approval process controls access to data sets with patient sensitive elements. Data prior to 1994 are archived and kept in a secure location that can only be prepared for use by three people at CIHI.
•
•
3.7 Consent Issues
CIHI is a secondary data collector for CAD data. CIHI relies on primary data collectors (in this case, the individual facilities and clinics) to comply with the requirements and laws in place in their jurisdiction for the collection, use and disclosure of personal health information from patients to CIHI. CIHI’s Privacy Secretariat carried out a national consultation process in 2001 with Provincial/Territorial Ministries of Health. Discussions included the importance of ensuring appropriate legal authority for disclosing data to CIHI and of meeting consent and/or notice requirements under relevant legislation (which CIHI supports).
10
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
4. Uses and Disclosures of Data
4.1 Uses of Data
Subsets of DAD, HMDB, and NACRS data are extracted and used to create parts of CIHI’s Hospital Mental Health Database (HMHDB), National Trauma Registry (NTR), Ontario Trauma Registry (OTR), and Therapeutic Abortions Database (TADB) (see Table 1). Each of these separate program areas has Privacy Impact Assessments in place and may release their own reports and handle requests for data. All data requests or reports are subject to CIHI’s general privacy and confidentiality policies. As a result of the technical merge (Section 2.4), a subset of the DAD data is also now part of the HMDB. CIHI has authorization for this purpose from all jurisdictions. DAD and NACRS data are used in the weighting methodologies to create CMG™, RIW™, etc. that are used by hospitals and ministries to study health system utilization and resource allocation. DAD, HMDB, and NACRS are used by CIHI’s Health Reports and Analysis (HRA) branch, Health Indicators, and Health Services Research Branch for analyses to create reports and to undertake special studies. Annual CIHI reports using CAD data include Health Care in Canada, Benchmarking Comparison of Canadian Hospitals and Comparable Health Indicators. CAD data also provides aggregate statistics to Maclean’s magazine and other media for their requests on health and health care. Internal users are only given access to information that is necessary for their jobs. For example, the Health Reports and Analysis Branch performs analyses on patient outcomes, which in some cases require having direct access to individual records. Analysis on individual records is crucial for visit-based statistics, such as those based on case mix groups, and person-based statistics, e.g. cardiac readmission rates. Refer to Section 5.3 for more information on access permissions.
4.2 Disclosures of Information
DAD, HMDB, and NACRS are key sources of information for hospitals, ministries, agencies and researchers. All disclosures of information are subject to CIHI’s privacy and confidentiality policies. The reader is directed to that document for the full description of CIHI’s disclosure policies.18 CIHI’s general approach is to mask, aggregate, and truncate information to a level that allows the recipients to conduct research and analyses, while protecting privacy. Following are key aspects of CIHI’s disclosures in DAD, HMDB, and NACRS.
CIHI 2005–2006
11
�Clinical Administrative Databases: Privacy Impact Assessment
4.2.1
Data Requests
CIHI data disclosures are made at the highest degree of anonymity possible to meet the needs of the request. This means that, whenever possible, data are aggregated. Where aggregate data are not sufficiently detailed for the purpose, identifiers are removed, and data that would lead to possible re-identification are truncated. For example, postal codes and birth dates are truncated. Personal health numbers, full birth date, and full postal code are not released, unless there is consent from the patient, or the information is being provided to bodies that originally collected the data. Requests for data must be made using CIHI’s Client Information Request Form.19 This is a two-part form. Part 1 requires information on the proposed analysis, the individuals involved, and the data being requested. Part 2 is a Non-Disclosure/Confidentiality Agreement.20 The Agreement details the limits for the use of the data and binds the researcher to properly protect the information, to respect the sensitivity and confidentiality of the data, and not to attempt to re-identify anyone in the dataset. Media requests always involve aggregate unidentifiable data and are managed through CIHI’s media relations department. In FY 2003–2004, a variety of data requests were filled (see Table 4): Table 4. Number of Completed CAD Ad-hoc Requests for data by Requestor, FY 2003–2004
Type of Requestor Hospitals Researchers Ministries of Health Other Health Canada Internal CIHI Media TOTAL # of Requests 31 34 19 8 7 38 12 139
4.2.2
Disclosure to Data Providers
Individual Provincial/Territorial Ministries of Health control the collection of data elements. CIHI provides copies of the data from the DAD and NACRS holdings back to the data providers. The provincial dataset, including CIHI value-added elements, is released on a monthly basis to the respective Ministries of Health. CIHI provides a processing service for the Ministries in that data are provided in a specific, standardized, usable format with valueadded data elements, consistent with the purpose of the DAD and NACRS databases.
12
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
CIHI also creates and discloses electronic online hospital-specific reports. These are facilityspecific reports made available only to authorized and registered users in facilities that participate in the DAD. The reports do not contain any person-identifying information. Section 5.3 describes the security mechanisms in place for these reports. Paper reports are also available for provinces still using the ICD-9 classification system. As of FY 2005–2006, paper reports will no longer be issued. Electronic Comparison of Hospital Activity Program (eCHAP) and eNACRS reports provide registered clients with an online means (in the form of statistical tabulations) of assessing the use of their beds and ambulatory services compared with other hospitals, clinics and centres of similar size and type. The reports do not contain any person-identifying information. The reports are available only to authorized and registered users in facilities that participate in the DAD or NACRS. This set of reports is available quarterly. Section 5.3 describes the security mechanisms in place for eCHAP and eNACRS reports. There are approximately 550 participating hospitals and 200 ambulatory care centres across Canada.
4.2.3
Disclosures Under Agreements
CIHI provides a copy of the HMDB data holding to Statistics Canada on an annual basis. Statistics Canada, which maintained the HMDB until entering into an agreement with CIHI in 1994, requires HMDB data to continue its role in publishing national hospital morbidity statistics. These data are protected under the federal Statistics Act. CIHI also provides de-identified copies of the DAD and HMDB to Health Canada for analysis and to support public health activities, including health protection, health surveillance, disease and injury prevention, population health assessment, health promotion, and disaster response. As detailed in a data sharing agreement and authorized by the Ontario Personal Health Information Protection Act, CIHI provides relevant Ontario DAD and NACRS data to Cancer Care Ontario (CCO) to support their role in cancer care.
4.3 Access Rights for Individuals to Their Personal Information in CAD Databases
Patients discharged from Canadian hospitals have a right of access to their personal information held in each CAD database. As CAD databases held at CIHI often do not contain sufficient person identifiers (i.e. name, address, etc.) to accurately identify an individual, requests from an individual for access to his/her specific information are referred to the data provider (i.e. province/territory or facility, depending on which supplied CIHI with the data) .21 If the data provider is required to correct its data on the basis of an access request, it can send the correction to CIHI as part of the normal processing procedures outlined in Section 3.3.
CIHI 2005–2006
13
�Clinical Administrative Databases: Privacy Impact Assessment
5. Privacy Standards: Concerns and Security Measures for CAD Databases
5.1 Record Level Linkages for CAD Databases
CIHI undertakes record linkages for analytical purposes. Linked data are not used to make decisions that affect an individual’s care, treatment, or entitlement to benefits. At CIHI record linkage is conducted to process data, develop indicators, and conduct analyses. For example, record linkage is required to calculate readmission rates. Readmission rates are used as indicators for measuring quality of care. Record linkage analyses at CIHI require prior approval by CIHI’s Privacy, Confidentiality and Security Team. Such approval normally requires consent from the patient, or meeting all of the following 5 criteria:22 • • • • • The purpose of the linkage must be consistent with CIHI’s mandate; The public benefits of the linkage must offset privacy interests; The results of the linkage must not be used for any purpose that would be detrimental to the individuals in the study; The linkage must be time-limited and for a specific project; and The linkage must be the only practical alternative.
5.2 Disclosure Avoidance Practices for CAD
In its preparation of statistical tabulations and ad hoc tabulations (aggregate data), CIHI follows its standard rules for disclosure avoidance with CAD data. CIHI requires that data be suppressed when any of the following apply: • • • Record counts are fewer than 5; Fewer than 2 institutions are reported; and Fewer than 2 providers are reported.
In every record level disclosure, CIHI applies encryption and suppression routines to protect the confidentiality of the data. Authorized CIHI staff can access CAD data at either the restricted or unrestricted level, depending on the nature of the work they are required to perform. Users who obtain this access are made aware of their obligations and responsibilities for privacy and confidentiality. • The unrestricted data set contains de-identified data that requires encrypting the health care number, truncating the postal code to the forward sortation area (first 3 digits of postal code), substituting age for date of birth and excluding elements such as chart number. The restricted data set contains the full complement of data elements.
•
14
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
5.3 Security Safeguards
5.3.1 Data Submission and Processing Safeguards
Data are sent to CIHI in electronic form either directly or via diskette/CD-ROM: Table 5. Methods of Data Submission
Database DAD NACRS HMDB Direct (IDSS/EDSS) Mostly IDSS/EDSS Mostly IDSS/EDSS N/A Diskette/CD-ROM Very few diskettes Very few diskettes CD-ROM
The most common and secure method is the direct method, which involves submitting encrypted files to CIHI using the Interactive Data Submission Service (IDSS) application. Starting in FY 2005–2006, all clients will be moved to an updated version of IDSS called EDSS. IDSS/EDSS facilitates the establishment of a secure 128-bit encrypted session between CIHI and its clients for the purpose of data transfer. This level of encryption is considered industry standard and it is used for most Internet banking and e-commerce applications.23 The encrypted file transmission from IDSS/EDSS is received on a file transfer protocol (FTP) server, residing in the external zone24 of the CIHI network, and moved promptly into the internal zone,25 where it is decrypted. CIHI also accepts data via diskette or CD-ROM. The small percentage of hospital and clinic clients that choose to send their monthly data via diskettes will be moved over to the EDSS submission method in FY 2005–2006. HMDB annually receives encrypted Quebec data on CD-ROM sent by courier. The CIHI mailroom has a mailbox for every hospital’s communications, including diskettes. All CIHI staff are well-versed in privacy practices and sign confidentiality agreements, and the office is only accessible by security card. Nonetheless, security will improve in FY 2005–2006, when the data submission and reports dissemination are fully electronic. The source data for DAD, HMDB and NACRS are validated and processed in the protected area for analytical purposes. Automatic routines tightly control the data being uploaded and processed. Once the data are uploaded and processed, the application automatically erases the source file, leaving the only copy of the information on the secure database server. For the HMDB the source Quebec data on CD-ROM are destroyed after they uploaded and processed into the DAD-HMDB. The mainframe and relational database management systems have sophisticated security features that restrict access for processing and analysis purposes to authorized CIHI production staff. One teleworking staff member manages DAD production activities remotely. This arrangement, made by exception, is required, since the staff member has very specialized knowledge that is critical for DAD operations. This staff member must follow CIHI’s teleworking and remote access policies and is protected by several technical security features.26
CIHI 2005–2006
15
�Clinical Administrative Databases: Privacy Impact Assessment
Backups of the DAD, HMDB, and NACRS databases are created using CIHI’s standard of daily incremental backups (capturing changes made for the day) and full weekly backups. Once a month, tape backups are sent offsite for storage with a bonded, secure data storage company.
5.3.2
External Users
Only authorized and registered external users are able to access electronic reports, such as Hospital-Specific Reports (eHSRs), electronic Comparison of Hospital Activity Program (eCHAP) and eNACRS Reports, which do not contain identifiable personal information. These reports are accessed via industry standard encrypted secure sessions.27 To become a registered user, a CEO, or designate, the hospital must authorize and sign a Service Agreement to govern the use of the data. Original signed copies of the Service Agreement are returned to CIHI before user profiles are set up and access is granted. Initial access to the reporting application is governed by the use of a 16-digit randomly generated application access code. User profiles are set up to limit access to the statistics and reports. With each use of the reporting application, the user must agree to the online privacy, confidentiality, and security statement. CIHI intends to conduct semi-annual audits of user profiles (e.g. examining access patterns, access rights). Within one business day, CIHI can revoke access and terminate the passwords enabling access.
5.3.3
Access Procedures for CIHI Employees
CIHI offices have controlled physical access by requiring pass cards to enter the working areas. Technical security is protected by CIHI’s privacy and security procedures that include standards for user names and requirements for passwords to be changed on a regular basis. CIHI staff sign a confidentiality agreement as a condition of employment. Staff acknowledges that breaches are grounds for dismissal and possible legal action. CIHI staff attends mandatory privacy, confidentiality, and security training. CIHI does not allow confidential records to be removed from its offices. In order for a CIHI employee to access any of the CAD datasets, the employee’s manager must complete and sign a data access authorization form and justification which specifies:28 • • • Why access is required for the employee’s job responsibilities; Whether the requirement is short-term or on-going; and Type of access required (restricted or unrestricted).
This form must be approved by the Manager, Clinical Administrative Databases, before access is given.
16
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Data cannot be used for analytical or reporting purposes until they are collected and processed by authorized production and program area staff. Once the data processing has been completed for a particular fiscal year of the database, access is made available within CIHI via the Query and Analysis (Q&A) application and via SAS data sets. The type of data set used depends on the type of analysis being performed. Both types of data sets limit access by providing restricted and unrestricted access as described in Section 5.2. Refer to Appendix C for a summary of the versions of the CAD databases available within CIHI.
6. Conclusions: A Privacy Report Card for CAD
The practices of CAD in relation to the ten privacy principles in CIHI’s Principles and Policies for the Protection of Personal Health Information are summarized below. CIHI’s Privacy Principles (as quoted below) are based on Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA). CAD contains identifiable personal information in the form of a Health Card Number, the patient’s date of birth, and a six-digit Postal Code. CIHI thus treats the contents of DAD as sensitive personal information. The data are coded, and access is limited. The data are received from hospitals and ministries for the purposes of analysis and management of the health system. CIHI informs its stakeholders of the security and disclosure practices regarding its databases. I. • Accountability for Personal Health Information; CIHI’s President and Chief Executive Officer is accountable for ensuring compliance with CIHI’s Privacy and Confidentiality of Health Information at CIHI: Principles and policies for the protection of health information; CIHI has a Chief Privacy Officer (with dedicated staff), a Chief Privacy Advisor (external), and a corporate Privacy, Confidentiality and Security Team to manage privacy matters at CIHI; CIHI also has a Privacy Subcommittee of its Board of Directors that oversees an annual program of privacy auditing, which includes a report to the Board; and The CAD Privacy Impact Assessment will also be posted on CIHI’s publicly accessible Web site: www.cihi.ca. Identifying the Purposes for Personal Health Information; • • The intended purposes and scope of CAD databases are clearly identified in this Privacy Impact Assessment, on the CIHI Web site, and in relevant publications; and CIHI depends on Ministries of Health and individuals hospitals across Canada to inform patients that their personal health information will be collected and used to prepare abstracts for CAD databases.
•
• • II.
CIHI 2005–2006
17
�Clinical Administrative Databases: Privacy Impact Assessment
III. •
Consent for Personal Health Information; CIHI is a secondary collector of data captured in CAD databases. It does not have direct contact with the data subjects. It must rely on the primary data collectors to meet their data collection, use, and disclosure rules and responsibilities, including those related to consent and notification; and CIHI’s focus is on transparency of its purposes for data collection, its data protection practices, and ensuring only authorized uses for all data holdings. Limiting Collection for Personal Health Information; • Each of the CAD databases collects the least amount of data possible in order to fulfill its mandate. The data elements included in each database are based on consultations with key stakeholders with final decisions based on recommendations made by the National Steering Committee for Clinical Administrative Databases. This committee contains representatives from all provinces/territories as well as Health Canada and Statistics Canada. The National Steering Committee for Clinical Administrative Databases reviews data elements for addition as well as deletion. Limiting Use, Disclosure and Retention of Personal Health Information; • • • The permitted uses and disclosures of CAD data are set out in this Privacy Impact Assessment, on the CIHI Web site, and in relevant publications; Each CAD database is also subject to CIHI’s Privacy Program, which sets out strict policies and procedures surrounding data disclosure; The intent of the each CAD database is to facilitate statistical reporting and analysis of inpatient and ambulatory care information. This may include retrospective, longitudinal studies. CIHI will maintain CAD data for as long as necessary to support this requirement; and CIHI can undertake record linkages for analytical purposes. Record linkage activity at CIHI is very controlled and limited. CIHI’s Privacy, Confidentiality and Security Team must approve all record linkages; Accuracy of Personal Health Information; • Coding standards and education sessions are key to maintaining data accuracy in the CAD databases. The classifications department provides substantial support to maintain national coding standards. CIHI staff also provides extensive education sessions to data providers on topics such as coding and abstracting; CIHI routinely applies and maintains edit checks on data transmitted from data suppliers and performs timely data quality analyses to investigate and resolve potential issues; and Each CAD database is subject to CIHI’s Data Quality Framework, part of a corporate program that has ongoing documentation and assessment requirements.
• IV.
• V.
•
VI.
•
•
18
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
VII. •
Safeguards for Personal Health Information; Physical, technological, and administrative safeguards are in place to protect CAD data during transmission, to securely store them, and to limit access to authorized staff within CIHI. Openness about Personal Health Information; Information about CAD data is set out in this document, is available on CIHI’s Web site, and CIHI’s Products and Services Catalogue, as well as from CAD program area staff; and CIHI also provides information on corporate privacy policies, data practices, programs and uses of information on its corporate Web site. Individual Access to Personal Health Information; and • Patients discharged from Canadian hospitals have a right of access to their personal information held in each CAD database. However, as CAD databases often do not contain sufficient person identifiers (i.e. name, address, etc.) to accurately identify an individual, requests are referred to the data provider (i.e. province/territory or facility, depending on who supplied CIHI with the data); and If the data provider is required to correct its data on the basis of an access request, it can send the correction to CIHI as part of the normal processing procedures. Challenging Compliance with CIHI’s Privacy Policy. • The public may challenge CIHI’s compliance with its Privacy and Confidentiality of Health Information at CIHI: Principles and policies for the protection of health information. All privacy complaints are handled by the Privacy Secretariat and the Chief Privacy Advisor; and If an individual does not believe that a challenge has been satisfactorily resolved, he or she may appeal to CIHI’s Chief Privacy Advisor, who will report his findings to CIHI’s President and Chief Executive Officer.
VIII. •
• IX.
• X.
•
CIHI 2005–2006
19
�Clinical Administrative Databases: Privacy Impact Assessment
7. Resources
CIHI (2005), DAD Abstracting Manual (ICD-10-CA/CCI, and ICD-9/ICD-9-CM available), www.cihi.ca. CIHI (2005), NACRS Manual (ICD-10-CA/CCI), www.cihi.ca. CIHI (2005), Database Background Documentation: Discharge Abstract Database 2003–2004, www.cihi.ca. CIHI (2005), Database Background Documentation: NACRS 2003–2004, www.cihi.ca. CIHI (2005), Database Background Documentation: HMDB 2001–2002, www.cihi.ca. CIHI (2004), Products and Services Catalogue, www.cihi.ca. CIHI (2002), Discharge Abstract Database Data Quality Re-Abstraction Study: Combined Findings for Fiscal Years 1999–2000 and 2000–2001, www.cihi.ca. CIHI (2002), Privacy and Confidentiality of Health Information at CIHI: Principles and Policies for the Protection of Health Information and Policies for Institution-Identifiable Information, 3rd ed., www.cihi.ca. CIHI (2002), Quality Assurance Processes Applied to the Discharge Abstract and Hospital Morbidity Databases, www.cihi.ca. CIHI (2000), Improving Timeliness of the Discharge Abstract Database Data, www.cihi.ca CIHI (2000), Discharge Abstract Database (DAD)/Morbidity Database Redevelopment Project: New Abstract. Draft Interim Progress Report, www.cihi.ca.
20
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Appendix A: Data Elements
DAD Data Elements, 2004–2005
(Reference: DAD Abstracting Manual 2004–2005)
Group # 01—Abstract Identification Field # 01 03 04 05 06 08 09 10 11 12 02—Calculated Length of Stay 03—Patient Demographics 02 01 02 03 04 05 06 08 09 11–27 Field Description Institution Number Batch Year Batch Period Batch Number Abstract Number Coder Number Chart Number Register Number Second Chart/Register Number Maternal/Newborn Chart of Register Number Derived Calculated Length Of Stay Health Care Number Postal Code Residence Code Gender Province/Territory Issuing HCN Responsibility for Payment Birthdate Birthdate is Estimated Province/Territory Ancillary Data Derived Age 04—Admission Data 01 02 04 05 06 07 Admission Date Admission Time Institution From Admit Category Entry Code Admit by Ambulance
CIHI 2005–2006
21
�Clinical Administrative Databases: Privacy Impact Assessment
Group #
Field # 08 11 12 13 14
Field Description Readmission Code ER Decision to Admit Date ER Decision to Admit Time Date Patient Left ER Time Patient Left ER Derived Wait Time in ER
05—Discharge Data
01 02 04 05
Discharge Date Discharge Time Institution To Discharge Disposition Main Patient Service Patient Sub-Service Weight Abstract Overflow Transfer Service Transfer Sub-Service Transfer Days Provider Type Provider Number Provider Service Diagnosis Prefix Diagnosis Code Diagnosis Type Cancer Staging: Clin. Tumour Cancer Staging: Clin. Node Cancer Staging: Clin. Met Cancer Staging: Path. Tumour Cancer Staging: Path. Node Cancer Staging: Path. Met. Cancer Staging: Summary Staging
07—Patient Service Information
01 02 03 04
08—Service Transfers (3 occurrences)
01 02 03
09—Provider Information (8 occurrences)
01 02 03
10—Diagnosis Information (25 occurrences)
01 02 04 05 06 07 08 09 10 11
22
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Group # 11—Intervention Information (20 occurrences)
Field # 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16
Field Description Intervention Date Intervention Code Status Attribute Location Attribute Extent Attribute Intervention Provider Number Intervention Provider Service Intervention Tissue Intervention Time Intervention Location Anesthetist Anesthetist Technique OOH Indicator OOH Institution Number Unplanned Return to OR Died in OR Death in SCU SCU Number SCU Admit Date SCU Admit Time SCU Discharge Date SCU Discharge Time Derived SCU Hours
13—Special Care Information (6 occurrences)
01 02 03 04 05 06
09 14—Basic Options 01–16 17 18 19
Glasgow Coma Scale One Digit Boxes Two Digit Box Two Digit Box Four Digit Box
CIHI 2005–2006
23
�Clinical Administrative Databases: Privacy Impact Assessment
Group # 15—Mental Health Indicators
Field # 02 03 04 05 06 07 08 09 10 12 13 14
Field Description MH: Source of Referral MH: Admit Method MH: Change in Legal Status MH: AWOL MH: Suicide MH: Previous Psych Admission MH: Referred to MH: ECT Treatment MH: Number of ECT TX MH: Education MH: Employment MH: Financial Support One Digit Boxes Two Digit Box Two Digit Box Three Digit Box Three Digit Box Project Number (3 Digit Box) Blood Transfusion Indicator Red Blood Cells Platelets Plasma Albumin Other Blood Products Auto Transfusion Indicator
16—Project Information
01–13 14 15 16 17 18
17—Blood Information
01 02 03 04 05 06 07
24
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Group # 18—Reproductive Care Information
Field # 01 02 03 04 05 06 07 08 09
Field Description Number of Previous Deliveries Number of Previous Pre-Term Deliveries Number of Previous Spontaneous Abortions Number of Previous Therapeutic Abortions Number of Previous Live Births Gestational Age Delivery Time Date of Last Menses Breastfeeding on Discharge MCC CMG Plx RIW DPG Vendor ID
19—Licensed Vendor Assigned Values
01 02 03 04 05 06
*HMDB data elements are a subset of the DAD data elements.
CIHI 2005–2006
25
�Clinical Administrative Databases: Privacy Impact Assessment
NACRS Data Elements, 2004–2005
(Reference: NACRS Manual 2004—2005)
Field # 00A 00B 00C 00D 00E 00F 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Field Description Submitting Facility’s Province/Territory Submitting Facility’s Ambulatory Care Number Submission Fiscal Year Submission Period Abstract Identification Number Coder Number Chart Number Health Care Number Provincial/Territory Issuing Health Care Number Responsibility for Payment Postal Code Residence/Geographic Code Gender Birth Date Birth Date is Estimated Family Physician Flag Ambulatory Registration Number Ambulatory Registration/Encounter Sequence Number Visit MIS Functional Center Account Code Admit Via Ambulance Ambulance Call Number Living Arrangement Residence Type Visit Type Ambulatory Visit Status Mode of Visit/Contact Highest Level of Education Arrival Date Arrival Time Triage Date Triage Time
26
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Field # 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43–43a–i 44 45a–i 46 47a–i 48 49 50 51 52 53 54 55 56 57 58–63
Field Description Triage Level CAEP 5 Level Triage System: CTAS or PCTAS Date of Registration/Visit Time of Registration/Visit Date of Physician Initial Assessment Time of Physician Initial Assessment Referral Source Prior to Ambulatory Care Visit Institution From Decision to Admit Date Decision to Admit Time Visit Disposition Date Visit Completed Time Visit Completed Referred to After Completion of Ambulatory Care Visit Institution To Provider Type Service Provider Service Provider Identification Number Main And Other Problem Prefix (Up to 10 Occurrences) Main Problem Other Problems (9 Occurrences) Main Intervention Other Intervention(s) Main and Other Attributes (A-I) that accompany relevant CCI Codes: 48 = Status; 49 = Location; and 50 = Extent. Duration of Ambulatory Care Intervention for Main and Other Interventions (A–I) Intervention Location for Main and Other Interventions (A–I) Anaesthetic Technique Died During Intervention Flag Out of Hospital Indicator Out of Hospital Institution Number Blood Transfusion Indicator Blood Components/Products
CIHI 2005–2006
27
�Clinical Administrative Databases: Privacy Impact Assessment
Field # 64–68 69 70 71 72 73 74 75 79 80–92 93–94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111(a–i) 112(a–i)
Field Description Units of Blood Transfused Number of Previous Term Deliveries—Therapeutic Abortion Number of Previous Pre-Term Deliveries—Therapeutic Abortion Number of Previous Spontaneous Abortions—Therapeutic Abortion Number of Previous Therapeutic Abortions—Therapeutic Abortion Gestational Age–Therapeutic Abortion Date of Last Menses–Therapeutic Abortion MIS Functional Center Account Code Project Number—Special Projects Single Character Alpha-Numeric Fields—Special Projects Double Character Alpha Numeric Fields—Special Projects Triple Character Alpha Numeric Field—Special Projects 4 Character Alpha Numeric Field—Special Projects PCTAS Indicator Program Area Scheduled ED Visit Indicator Glasgow Coma Scale Seatbelt Indicator Helmet Indicator Level Of Care/Service Recipient Referral Date Vendor MAC Vendor CACS Vendor ACW Complete Record Main Intervention Date Main Intervention Start Time Other Intervention Date Other Intervention Start Time
28
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Appendix B: Information Flow in DAD-HMDB and NACRS
Discharge Abstract Database—Hospital Morbidity Database (DAD-HMDB) 2004–2005 Data Flow Diagram
f iable de nti
Prepare National Reports
Non-I
Public
Mainframe Processing Back-up tapes Prepare Standard DAD Reports
t -Ide n Non if iab
le
Hospitals participating in the DAD
d Non-I
ble e ntif ia
Hospitals participating in the benchmarking study Public
if nt de n-I No le i ab
Hospitals: BC, SK, ON, NB, PE, NS, NL, YT, NT, NU
See Note 1 DAD-HMDB Processes Data Quality Checks and follow-up with data providers Apply grouping and weighting methodology
Prepare Hospital Reports - Annual Benchmarking Comparison of Canadian Hospitals (in collaboration with partners) - Hospital Report Acute Care (ON only) (in collaboration with partners)
Hospitals: QC
Se
e
te No
2
Ministry of Health, QC Hospitals: MB, AB
No te 3
Ministry of Health, MB, AB
Ad hoc releases; aggregate data Therapeutic Abortions Database
(AB inpatient only, SK, ON Inpatient only, NB, NS, NL, YT, NT, NU)
de Non-i
Se
b nti f ia
e
le
Hospitals Researchers Media Private sector organizations Non-profit organizations Researchers Hospitals
See Note 4
Ontario Trauma Registry
(ON)
Ad hoc releases; record level data
-I Non
de n
ble t if ia
Identifiable
Researcher with consent or releases required by law
National Trauma Registry
Hospital Mental Health Database
Recurring record level releases by agreement
Non-Identifiable
Health Canada (DAD & HMDB) ON data only to Cancer Care Ontario (DAD) Statistics Canada (HMDB) Ministries of Health (excl. QC) (monthly, annually)
March 2005
Identi fia bl e
Ide nti
fia ble
Ide n
ti f ia
bl e
Note 1: Data submission/correction via DAD: coded summary not including name or street address Note 2: Data submission via HMDB: coded summary not including name or street address Note 3: Data submission/correction via DAD (MB, AB): coded summary not including name or street address Note 4: Registry/database specific subset of data = CIHI
CIHI 2005–2006
29
�Clinical Administrative Databases: Privacy Impact Assessment
National Ambulatory Care Reporting System (NACRS) 2004–2005 Data Flow Diagram
le i ab nt if
Public
Prepare Public Reports
-Ide Non
Back-up tapes
t if en -Id le i ab
NACRS participating hospitals
Prepare Standard Reports eNACRS
n No
All Hospitals
n-I No de nt b if i a le
NACRS Hospitals: ON, BC, PE,NS,YT
Note1
Note 2
Processes Data Quality Checks and follow-up with providers Apply grouping and weighting methodology
Prepare Special Reports (Hospital Report via Hospital Report Research Collaborative)
Review ad hoc releases; aggregate data
Non-i de
le nti fia b
Researchers Media Private sector organizations Non-profit organizations
Researchers Hospitals
nt if -Ide Non iable
TADB
(ON)
Review ad hoc releases; record level data
Identifiable
Researcher with consent or releases required by law
Recurring record level releases by agreement
Identifiable
Ministries of Health, Cancer Care Ontario
Note 1: Coded summary; no name or street address Note 2: Submission Status Report and Electronic Rejection/Data Quality Warning File = CIHI
January 2005
30
CIHI 2005–2006
�Clinical Administrative Databases: Privacy Impact Assessment
Patient Information Flow in DAD and NACRS
Discharge Abstract Database Information Flow
Patient Flow
Patient
Admission
Health Record
Discharge
Hospital Information Flow Information Flow at CIHI
Note: Elapsed days are from end of period
Diagnosis & Interventions Review Corrections Submitted Reports to Clients
Coding & Abstracting Abstract to CIHI
4425 days
Physician
Hospital-Specific Quarterly Reports - 37 days after last monthly reports are run
Corrections Applied Re-Edit
Cut-off - 85 days Distribution - 95 120 days
Subsequent Reporting Comparative Reporting
Hosp.-spec. 1.5 10.0 days Reports CMG™/DPG™ RIW™ Editing
NACRS Information Flow
Patient Flow
Patient
Registration
Health Record
Visit Ends
Hospital Information Flow Information Flow at CIHI
Coding & Abstracting Corrections Applied and Subm itted Reports to Clients Abstract to CIHI
Review
Subsequent Reporting eNACRS Comparative Reporting
Re-Edit (loop)
Rejection Reports CACS™ ACW™
Editing
CIHI 2005–2006
31
�Clinical Administrative Databases: Privacy Impact Assessment
Appendix C: Summary of Database Versions Available Internally in CIHI
CIHI maintains different versions of these files for processing the data and reporting. Data cannot be used for analytical or reporting purposes until it is collected and processed by authorized production and program area staff. Some data listed below may not be readily accessible, as it has been archived.
Name Mainframe Description Availability—DAD Availability—HMDB N/A Availability—NACRS N/A
Database used for 1981–2004: All data elements. data collection and processing.
SQL Server Database used for 1994–2003: All data elements. data collection and processing. Oracle Server and SAS Database used for 2001–2004: All processing related data elements. SAS: Restricted activities. and Unrestricted versions.
1994–2002: All data elements. 2001–2003: All data elements. SAS: Restricted and Unrestricted versions.
1997–2000: All data elements. 2000–2004: All data elements. SAS: Restricted and Unrestricted versions. SAS data is only available from 2002–2004. 2001: Subset of data elements. Restricted and Unrestricted versions.
Q&A and Q&A SAS
Data used for reporting and analysis.
1994–2003: Subset of data elements. Restricted and Unrestricted versions.
1994–2002: Subset of data elements. Restricted and Unrestricted versions.
32
CIHI 2005–2006
�CIHI 2005–2006 33
Appendix D: Reason for Collection of Personal Information Elements in CAD
(M) = Field is mandatory for collection and is collected by all facilities in all provinces. (O) = Field is optional for collection and is collected by only some provinces or some facilities. For more information, refer to the DAD Abstracting Manual or the NACRS Manual on CIHI’s Web site. = Field is not collected in this database.
Element Type Facility Assigned Identifiers Element Name Chart Number Description A facility assigns this number to uniquely identify a patient chart within that facility. Field Use DAD (M) HMDB NACRS (M) (M) Reason for Collection CIHI retains this number primarily to enable re-abstraction studies. The chart number is one of the primary ways to identify a chart within a particular facility. The facility can use the number to locate a physical file. CIHI collects this number and includes it for some Provincial/Territorial Ministry of Health data cuts.
Clinical Administrative Databases: Privacy Impact Assessment
Register Number
The register number is assigned to each patient visit by the facility at the time of registration. In the same facility, a patient has one chart number but could have several register numbers. A second chart number or register number.
(O)
(O)
Second Chart Number/Register Number/Sequence Number
(O)
(O)
This number is an optional field that can be used to cross-reference patients.
�34 CIHI 2005–2006
Clinical Administrative Databases: Privacy Impact Assessment
Element Type
Element Name Maternal/Newborn Chart Number
Description Newborn Chart Number or Register Number on the mother’s chart and vice versa.
Field Use DAD (M) HMDB NACRS (M)
Reason for Collection This field is used to record mother and newborn chart or register number in order to link a newborn with the mother for cross-reference purposes. It is valuable for research purposes and data quality purposes.
EMS Assigned Identifiers Personal Attributes/ Identifiers
Ambulance Call Number
The number found on the ambulance record.
(O)
Important to analyze ambulatory continuum of care, such as the effects of pre-hospital care on emergency departments and inpatient care. Since health care number is the primary way to identify an individual person, CIHI retains this number for data quality and research purposes. For instance, in combination with other data elements such as date of birth, it can be used to identify potential duplicate abstracts or track readmissions, e.g. readmission within 12 hours following acute myocardial infarction. Date of birth is required to derive patient’s age, which is necessary for clinical analyses, case mix grouping and resource weights. This field is critical for analyses involving patients under the age of 1 year. CIHI also retains date of birth for data quality purposes, such as to help identify duplicate records in the database. Used for determinants of health analyses. Note that this field is optional.
Health Card Number
The health care number is the patient’s medical (insurance) number as assigned by the provincial/territorial government of the patient’s home residence.
(M)
(M)
(M)
Date of Birth
The patient’s birth date in year, month and day order.
(M)
(M)
(M)
Living Arrangement The living arrangement applicable to the client at the time of visit.
(O)
�CIHI 2005–2006 35
Element Type
Element Name Residence Type
Description The type of residence that the client is living in at the time of the visit. The highest level of education reported by the client. The 6-digit postal code is a basic, relatively stable geographic unit that is mandatory for all provinces. The provider number is a 15-digit code used to identify specific providers. These numbers are assigned by the hospital or the province. The intervention provider number is a 15-digit code used to identify specific health care providers associated with the interventions. These numbers are assigned by the hospital or the province. The anesthetist’s number is a 15-digit code used to identify specific doctors associated with the anesthesia. These codes are assigned by the hospital or the province.
Field Use DAD HMDB NACRS (O)
Reason for Collection Used for determinants of health analyses. Note that this field is optional. Used for determinants of health analyses. Note that this field is optional. This field is necessary for geographic analysis and can be combined or grouped to permit analysis by city, health region, census district, enumeration area or other geographic boundary. This field is used for physician activity analysis within the facility or the province.
Highest Level of Education Geographic Postal Code Attributes
(O) (M) (M) (M)
Provider Attributes
Provider Number/ Service Provider Number
(M)
(M)
Clinical Administrative Databases: Privacy Impact Assessment
Intervention Provider
(O)
This field is used for physician activity analysis within the facility or the province.
Anesthetist
(O)
This field is used for physician activity analysis within the facility or the province.
�36 CIHI 2005–2006
Clinical Administrative Databases: Privacy Impact Assessment
Element Type Clinical Attributes
Element Name Diagnoses and Interventions
Description Coded information on the medical diagnoses and interventions associated with a patient visit
Field Use DAD (M) HMDB NACRS (M) (M)
Reason for Collection This information is essential for the analysis of morbidity, the delivery and utilization of health care services, outcomes of care, patient safety and a host of other issues relating to health and health care. Data are collected to support analyses and inform the public debate on issues relating to reproductive health, abortion and perinatal health.
Reproductive Care Fields
Date of last menses; Number of Previous Therapeutic Abortions; Number of Previous Deliveries; Gestational Age for Therapeutic Abortion Cases, Breastfeeding on discharge . . . etc. Source of patient referral; Method of patient admission; Previous psychiatric admission to this or another facility; Patient education level; Employment status; Suicide . . . etc.
(O)
(O)
Mental Health Indicator Fields
(O)
CIHI collects this information for some Provincial/Territorial Ministries of Health to support analyses of issues and trends in the area of mental health.
*Table based on information available as of the 2004–2005 fiscal year.
�Clinical Administrative Databases: Privacy Impact Assessment
Appendix E: Public Sector Privacy Legislation References
Provincial Privacy Acts
Province/ Territory BC Act/Legislation Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 Freedom of Information and Protection of Privacy Act, S.A. 1994, c.F-18.5 Freedom of Information and Protection of Privacy Act, S.S. 1990–1991, c.F-22.01 The Freedom of Information and Protection of Privacy Act, R.S.M. c.F-175 Freedom of Information and Protection of Privacy, R.S. 1990, c.F.31 Act respecting Access to documents held by public bodies and the protection of personal information, R.S.Q. c.A-2.1 Protection of Personal Information Act, S.N.B. 1998, c.P-19.1 (Assented to 26 February 1998— not yet proclaimed in force.) Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c.5 Bill 81, Freedom of Information and Protection of Privacy Act, 1st Sess., 60th General Assembly, P.E.I. 1997 Access to Information and Protection of Privacy Act s.29 Section s.35 Reference Freedom of Information and Protection of Privacy Act Freedom of Information and Protection of Privacy Act Freedom of Information and Protection of Privacy Act Freedom of Information and Protection of Privacy Act Freedom of Information and Protection of Privacy Bills; and Freedom of Information and Protection of Privacy Act. Act respecting access to documents held by public bodies and the protection of personal information Protection of Personal Information Act
AB
s.42
SK
s.29(k)
MB
s.47(e)
ON
Reg.10
QC
s.21
NB
NS
Freedom of Information and Protection of Privacy Act
PE
s.39–40 Freedom of Information and Protection of Privacy Act s.41 Access to of Privacy Access to of Privacy Information and Protection Act; and Information and Protection Act.
NL
NU
Access to Information and Protection of Privacy Act
s.49
Access to Information and Protection of Privacy Act
CIHI 2005–2006
37
�Clinical Administrative Databases: Privacy Impact Assessment
Province/ Territory NT YT Federal
Act/Legislation Access to Information and Protection of Privacy Act Access to Information and Protection of Privacy Act Privacy Act, R.S.C. 1985, c.P-21 Protection of Personal Health Information; Privacy Act Regulations, S.O.R./83-508
Section s.49 s.38 s.8(2)
Reference Access to Information and Protection of Privacy Act Access to Information and Protection of Privacy Act Privacy Act
Specific Health Information Acts
Province/ Territory AB Act/Legislation Health Information Act Section 49–56 Part 5 Div. 3 s.24 s.29 Reference Health Information Act (HIA)
SK MB ON
Health Information Protection Act Personal Health Information Act Personal Health Information Protection Act
Health Information Protection Act (HIPA) Personal Health Information Act (PHIA)
s.45 and Personal Health Information Protection Reg. 18 Act (PHIA)
38
CIHI 2005–2006
�References
References
1. CIHI. Privacy and Confidentiality of Health Information at CIHI: Principles and policies for the protection of health information and policies for institution-identifiable information, 3rd Edition, Ottawa: CIHI, 2002, www.cihi.ca. Statistics Canada, “Hospital Morbidity”, last updated February 23, 2005 from . Ibid. For more information on these elements refer to: . CIHI, “Discharge Abstract Database”, last updated August 5, 2004 from . For more information, refer to the Privacy Impact Assessment for this database available on CIHI’s Web site: . Ibid. Ibid. Ibid. Ibid. CIHI, Database Background Documentation: Discharge Abstract Database, 2003–2004, p. 8. Ibid. CIHI, Database Background Documentation: NACRS, 2003–2004. This work is done by consultants from the Canadian Health Information Management Association (CHIMA), who are required to sign confidentiality agreements. For more information, refer to: . CIHI, DAD Abstracting Core Manual (ICD-10-CA/CCI, and ICD-9/ICD-9-CM available), www.cihi.ca. CIHI, NACRS Manual (ICD-10-CA/CCI), www.cihi.ca. CIHI, Privacy and Confidentiality of Health Information at CIHI: Principles and Policies for the Protection of Health Information and Policies for Institution-Identifiable Information, (April, 2002, 3rd ed.), www.cihi.ca. Form is available at: . Ibid.
2. 3. 4. 5. 6.
7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18.
19. 20.
CIHI 2005–2006
39
�References
21.
CIHI. Privacy And Confidentiality of Health Information at CIHI: Principles and Policies for the Protection of Health Information and Policies for Institution-Identifiable Information, 3rd Edition, Ottawa: CIHI, 2002, www.cihi.ca. Policy 9.1. Ibid., Policy 5.7. Secure Sockets Layer (SSL) technology is today’s Internet standard for secure communications and e-commerce transactions. The Secure Sockets Layer protocol uses digital certificates to create a secure, confidential communications "pipe" between two entities. Data transmitted over an SSL connection cannot be tampered with or forged without the two parties becoming immediately aware of the tampering. Area protected by firewalls that is accessible via the Internet. Area protected by additional firewalls that is not accessible via the Internet. Access is via a virtual private network (VPN). The session is encrypted using 128-bit SSL and IKE technology. The connection is authenticated by two CIHI firewalls. Access via a pre-registered IP address for this terminal only is allowed into CIHI and frequent password change policies are in place. Sessions are encrypted and protected using Secure Sockets Layers (SSL) technology. CIHI, Privacy, Confidentiality and Security Communiqué: 2001–2002 Employee Access to CIHI Data Holdings, (Internal Document), March 30, 2001.
22. 23.
24. 25. 26.
27. 28.
40
CIHI 2005–2006
�www.cihi.ca www.icis.ca
Taking health information further Á l’avant-garde de l’information sur la santé
�