Personal tools
 

Integration of Role based Access

Integration of Role based Access - requirements and documents related to this.

Introduction to Integration of Role based Access

One of the overarching privacy principles in the CAISI Project is that agency staff only have access to records that are relevant to the care that they provide. This is true to the information accessed by a provider in their local agency, but it also extends to information viewed from a remote agency.

 High Level Requirements

  1.  A community of agencies will possess a community list of staff roles. An agency can define any role it wishes to, however in order for a staff person to have access to integrated information, they must have one of the agreed upon community roles.
  2. A provider can view remoite records only according to their community role and the rules that the community sets for what records a provider with that role can view.
  3. A local agency can freely define roles within their agency and what those roles can or cannot view of their local information.
  4. Health Information Custodian (HIC) status can be defined in the integrator (centrally)
  5. Rules governing which community roles in which agencies can see what information can be controlled centrally in the integrator.

 

Definitions

Local (e.g. agency)

This refers to the agency where the staff person is currently working. The staff person is presumed to be logged into the agency where he/she is currenlty working, this is the local agency.

 

Remote (e.g. agency):

This refers to the non-local agency whose data the local agency staff person is able to view. Remote agency data is viewed through the integrator.

 


 

Background

Community Roles and access rights

Community Role Category
Community Roles
Access to remote PHI
Comments
Health Care Team

- Psychiatrist
- Doctor
- Registered Nurse
- Clinical Social Worker
- nurse (don't use this role)
- recreation therapist
- Registered Practical Nurse
- Nurse Manager
- Clinical Case Manager
Yes
Access for the provision of health care


Clinical Support Staff

- Clinical Assistant
- Medical Secretary
Yes
Access for the provision of health care


Support staff

- Secretary
- Receptionist
- Support Worker
- Client Service Worker
- Property Staff
- CSW
- Support Counsellor
No

Social Services Team
- Housing Worker
- Counsellor
- Case Manager
- Waitlist operator
No

Technical/IT support staff

- System  Administrator Conditional
IT staff may require access to data for the purpose of providing technical support or systems maintenance


Agency’s Privacy Officer


Conditional
Privacy Officers may require access to data for the purpose of auditing compliance and following-up on requests for access, requests for corrections, complaints and breaches.

Ombudsperson
Conditional
No access to data from CAISI system.  May have information received directly from client.

 

 

Integration Rules for Progress Notes

The following table indicates which role category can see notes written by which remote role category.

Table 1.2 Rules for viewing remote progress notes

Role Based access Chart Progress Notes 3 (Jan 14 2010 typo fixed April 13 2010)

How to read table 1.2:

  1. HIC and Non-HIC agency staff role categories are listed down the left column
  2. If you follow a staff role category across from left to right you can see which progress notes written by which role category from a remote agency can be viewed by this staff role. For example:
    • HIC health care team staff can read notes written by: HIC health care team, clinical support staff, support staff, social services staff, agency privacy officer and non-HIC support staff, social services staff, agency privacy officer
    • non-HIC social services staff can read notes written by: HIC clinical support staff, support staff, social services staff, agency privacy officer and non-HIC support staff, social services staff, agency privacy officer
    • HIC agency support staff cannot read PHI written by HIC health care team
    • none of the non-HIC staff can read any progress notes written by any of the HIC health care team staff. They can however read notes written by HIC non health care team staff. E.g. a non health care team social worker at a non-HIC can read progress notes written by non-health care team social worker in a HIC.

 

Integration Rules for Issues

Table 1.3 Rules for viewing remote issues

 Role Based access of Issues 2

How to read table 1.3:

  1. As background one must note that issues in and of themselves regardless of who assigned them are characterized by role type classes: e.g. issues are categorised as doctor issues (e.g. ICD-10 codes), nurse issues (e.g. Street Health nurse codes) or counsellor issues (e.g. City of Toronto Case Management Manual issues).
  2.  HIC and Non-HIC agency staff role categories are listed down the left column
  3. If you follow a staff role category across from left to right you can see which types of remote issues can be seen by which role category at the local agency. For example:
    • HIC health care team staff can read doctor, nurse and counselor issues
    • HIC social service team staff can read only remote counselor issues
    • non-HIC social service team staff can read only remote counselor issues

Comments

  • In this scenario, it would be possible for a doctor to note that a client has a 'housing issue' and for a remote HIC non health team counselor to see this 'housing issue' but not see any notes related to it. Presumably that would be acceptable as that HIC counselor would be able to see counselor issues written by a doctor at that site even though they are not part of the health team.

 

Integration Rules for Prescribed Medications

Table 1.4 Rules for viewing remote MD Prescribed Medications/Prescription and Prevention Data

Role Based access Chart Medications and Preventions

Comments

1. An other agency privacy officer (non-HIC Agency) may need to have access to medication or health information in the event of a breach that results in health information being wrongly available in the other agency.


How to read table 1.4:

  1. This table can be read in the same manner as table 1.2
  2. Here we see that for example information on medications that have been prescribed by physicians in remote agencies can only be seen by the health care team staff and the Clinical Support Staff.

 

Integration Rules for Remote Referrals

 Table 1.5 Rules for viewing remote Referrals

Role Based access Chart Referrals

 

 

How to read table 1.5:

  1. This table can be read in the same manner as table 1.2
  2. Here we see that referrals can be seen by all staff that are able to view remote data. That is Health care team, Clinical Support staff, and  Support Staff, and Social Services staff in both HIC's and non-HIC's.

 

 

Integration Rules for Searches of clients

Table 1.6 Rules for viewing remote client search results

Integration of role based access searches 2

How to read table 1.6:

  1. This table can be read in the same manner as table 1.2
  2. Here we see that searches can be seen by all staff that are able to view remote data. That is Health care team, Clinical Support staff, and  Support Staff, and Social Services staff in both HIC's and non-HIC's.

Requirements

  1. It should be possible to label or categorize agencies as HIC's or non-HIC's centrally within the integrator. Editing of this should only be possible by an authorised person.  This might be done in a configuration file or some other place that can be set up by an IT person with the aim that perhaps later it could be done through a user interface by an integrator administrator.
  2. Viewing of remote records should be governed by the rules described in table 1.2. This should be controlled by the integrator. It should be possible to change these rules periodically. The rules can be done by a programmer within the code base (e.g. with if statements) but preferably in a configuration file that can be changed without releasing new code with the view that it might eventually lead to an administrator user interface.
  3. Hierarchy of role based access governed by integrator:
    1. integrator separates integration of information between HIC's and non-HIC's. Information cannot be viewed between HIC's and non-HIC's.
    2. specific role based access described in table 1.2-1.5 between HIC and non-HIC agencies will be allowed. 
  4. Agencies must use commonly agreed upon role names in order for integration to work through the integrator. These roles are defined here: Detailed Lists of Role Based Information
  5. A HIC could allow social services staff to view local health team records, or to otherwise follow different role based access rules, however remote record viewing will be forced to follow the rules as set in table 1.2. E.g. a HIC agency might allow social services staff to view local health team records from that agency, howevever the social services staff would never be allowed to view remote health team records.

Document Actions

« May 2020 »
May
MoTuWeThFrSaSu
123
45678910
11121314151617
18192021222324
25262728293031