Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success Norine Primeau-Menzies VP Customer Services, Chief Privacy Officer May 2012


Post on 21-Mar-2020


Page 1: OVERVIEW OF OTN...OTN Launched Fax Over Internet Protocol (FOIP) in March 2011 FOIP eliminated manual transmission of 250,000+ faxes annually and was built into our scheduling service

Organizational Privacy Transformation: A case study from Critical Issues to Award Winning Success

Norine Primeau-Menzies

VP Customer Services, Chief Privacy Officer

May 2012


Agenda

Overview of OTN

Setting the Stage

The Transformation

The Outcome & Moving Forward

Lessons Learned


OVERVIEW OF OTN


What is OTN?

OTN is one of the largest telemedicine networks in the world, >1200 sites

We help deliver clinical care and professional education among health care providers and patients

An independent, not-for-profit organization, funded by the Government of Ontario


What does OTN do?

A collaborative health care enabler, OTN uses videoconferencing and store and forward technology to extend and enhance access to clinical care and professional education among healthcare providers and patients.

OTN has the capacity to bring healthcare to virtually any patient, anywhere, at any time


Who uses OTN?

Physicians & Allied HCPs

Healthcare Organizations & Network Partners

Patients & Families

In 2010/11, telemedicine supported health care delivery and education for over 390,000 people


[Chart: OTN utilization by fiscal year, 2006/07* through 2010/11; series: Clinical, Educational, Administrative; vertical axis from 0 to 140000]

OTN Utilization 2011/12 > 158,000 events

*2006/2007 was a transition year; not all utilization data available.


Privacy at OTN

OTN protects all personal health information consistent with the requirements of the Personal Health Information Protection Act, 2004.

Our primary role is a Health Information Network Provider (HINP)

OTN also acts as an ‘agent’, handling PHI when facilitating scheduling services on behalf of our members (HICs)


OTN’s Privacy Program - Our Mandate

Foster a privacy culture at OTN to ensure that members and their patients have confidence that PHI is protected during a clinical encounter through the network

• Clinical videoconferencing

• Store and forward services

• Telehomecare

• Personal Videoconferencing


SETTING THE STAGE


Where OTN was 3 years ago

Privacy identified as one of top three risks for the organization

Privacy incidents and breaches were rising

Network growth of >30% annually

Company employee base doubling in 3 years and tripling in 5 years


2009/10 Status

Reported 30 breaches

– 1 high, 7 medium rated risks

OTN shares/transmits a significant amount of PHI to facilitate activity

– 90,000 clinical events

– 60 health disciplines

Mitigating these risks was paramount to the ongoing success of the network


THE TRANSFORMATION


Moving Forward with Privacy by Design®

Proactive Not Reactive; Preventative not Remedial

Privacy as a Default Setting

Privacy Embedded into the Design

Full Functionality – Positive-Sum, not Zero-Sum

End to End Security – Full lifecycle protection

Visibility and Transparency – Keep it Open

Respect for User Privacy – Keep it User Centric

Moving the Organization forward


Moving the Organization Forward - The Plan

Leveraged the sense of urgency

– Board/Senior Leadership awareness

– Lobbied to get privacy identified as a key priority in the corporate objectives of the operating plan

Transformed the team to be seen as colleagues working with the team/departments

Created a ‘privacy scorecard’ to highlight critical areas (2008/09)

Engaged all the staff across the organization


Proactive not Reactive; Preventative not Remedial

Conducted analysis of three years of breaches

Root cause analysis demonstrated 3 primary causes responsible for 87% of breaches:

1. Manual bridge programming

2. Faxing of patient referral information

3. Member/staff knowledge

Developed a 2-year plan to address the issues

Continued PIA process prior to new service launches


Issue #1 Automate Bridge Programming

21% of breaches

The ‘connection’ to bring together an event was manually programmed onto the ‘bridge’

– Volume growth (from 20 events a day to >200)

– Estimated 35,000 sites programmed into large events annually (2009/10)

Developed a project to transition manual work to an automated solution

Launched automated solution March 2010


Issue #2 Member Best Practice Tool Kit

33% of breaches in 09/10

Survey and analysis of the OTN membership base

Based on findings and analysis of 3 years of member breaches OTN developed and launched the Member Best Practice Tool Kit in July 2010 (http://www.otn.ca/en/privacy-toolkit/resource-library)

Maintenance strategy in place to keep current


Privacy Fact Sheet Example


Issue #3 Fax Over Internet Protocol (FOIP)

33% of all breaches

OTN was using manual faxing as a secure means to transmit PHI for Referral Management (original solution built in 2001)

OTN Launched Fax Over Internet Protocol (FOIP) in March 2011

FOIP eliminated manual transmission of 250,000+ faxes annually and was built into our scheduling service processes

Note: OTN is currently developing an on-line portal that will use a secure eReferral form (expected to launch in 2012/13)


Privacy as a Default Setting

Organizational commitment starting with the CEO and the Board

Chief Privacy Officer leadership at a senior level

Organizational awareness through training including project teams

Partnership with business leads and the software development team in all projects


Privacy Embedded into the Design

Embedding the privacy team into all OTN projects ‘from the beginning’

Privacy Threshold assessment screening by project teams

Automating the Privacy Impact Assessment process and outcomes monitoring within the organization


Privacy Embedded into the Design

Privacy is part of all project teams at the conceptual stage

Privacy facilitates reviews or PIA/LPSA work

Work plans developed for project teams to address/mitigate risks and recommendations

Risk tolerance: high/medium risks are addressed before project goes live

Risks documented, monitored & tracked in privacy risk register and/or escalated to enterprise risk register


Full Functionality – Positive-Sum, not Zero-Sum

Relationship building is key

Partnership/working together, compromising and coming up with solutions together that meet user, organizational and privacy needs

Building team’s visibility and credibility within the organization was important


End-to-end Security—Full Lifecycle Protection

Privacy & Security teams align goals and objectives to ensure maximum impact on the organization

1. Privacy and Security Lateral Committee

• Co-chaired by CPO and CIO

• Representation from across the organization

2. Privacy & Security Team relationships

• CPO/CIO work together

• Privacy Specialists/Corporate Security Officer work together

• Communicate on common issues; update each other on operating plans status etc.


Visibility and Transparency—Keep it Open

OTN Corporate Scorecard

Effectiveness Area: Privacy & Security

Area of Focus: Privacy

Measure: Confirmed privacy breaches

2010/11 Year-end Baseline: # 57, %∆ 0.04%

Month (actual): # 2, %∆ *

Year to Date: # 26, %∆ *

2011/12 Target (preliminary): # 30, %∆ N/A

Status: On-target

Comments or Reason for Variance (if required): (blank)

Privacy Indicators shared with Senior Leadership Team

Governance Scorecard

Effectiveness Area: Customer Service Excellence

Focus: Privacy

Measure: Confirmed privacy breaches (medium and high severity)

10/11 Baseline: # 4, %∆ N/A

FY 2011/12 Targets: # 0, %∆ N/A

FY 2011/12 (YTD): # 4, %∆ N/A

Status: a

Variance: (blank)

Privacy Indicators shared with the Board of Directors


Visibility and Transparency—Keep it Open

Columns: Quadrant; Focus; Indicator; monthly values (Q1: April, May, June; Q2: July, Aug, Sept; Q3: Oct, Nov, Dec; Q4: Jan, Feb, Mar); Year to Date; Target; Status; Comments

Quadrant: 1) Incident History

Focus: 1. Incident management & identification of operational systemic improvements

– # of privacy investigations initiated monthly: 7, 1, 6, 5, 4, 10, 7, 3, 7, 3, 4; Year to Date: 57

– # of privacy investigations completed monthly: 5, 1, 3, 4, 2, 4, 9, 6, 5, 1, 0; Year to Date: 40

– % of privacy breaches compared to overall total events (values as listed): 0.03, 0, 0.03, 0.03, 0.02, 0.03, 0.03, 0.01, 0.02, 0, 0.02; Target: <0.05; Status: on target

– Avg turn around time (days) from initiation to response to individual requesting investigation: 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1; Year to Date: 1; Target: 1; Status: on target

– Avg turn around time (days) from initiation to PI file closed: n/a, n/a, n/a, n/a, 2.5, 4.5, 9, 17, 2, 1, n/a; Year to Date: 6; Target: 45 days; Status: on target

Focus: 2. Monitor & track incidents that result in non-compliance with PHIPA

– # of investigations which resulted in non-compliance with PHIPA: 43%, 0%, 66%, 60%, 50%, 40%, 57%, 33%, 43%, 0%, 50%; Year to Date: 46%; Target: 50%; Status: on target

– % of PI which resulted in non-compliance with PHIPA as a result of OTN: 67%, 0%, 50%, 66%, 100%, 50%, 25%, 0%, 67%, 0%, 50%; Year to Date: 58%; Target: 50%; Status: on target

– % of PI which resulted in non-compliance with PHIPA as a result of member action: 33%, 0%, 50%, 33%, 0%, 50%, 75%, 100%, 33%, 0%, 0%; Year to Date: 42%; Target: 50%; Status: on target

– # of PI assessed at low severity level: 1, 0, 4, 3, 2, 4, 2, 1, 3, 0, 2; Year to Date: 22

– # of PI assessed at medium severity level: 2, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0; Year to Date: 4

– # of PI assessed at high severity level: 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0; Year to Date: 0

OTN Privacy Scorecard


Visibility and Transparency—Keep it Open

Columns: ID#; Risk Description; Source Document; Risk Rating; Risk Champion; Risk Owner; Status Update

ID#: IPIA_01
Risk Description: The OTN has not adopted an organization-wide security policy and supporting procedures that describe the administrative, technical, and physical safeguards it employs to protect personal health information.
Source Document: OTN Integration PIA Sept 07
Risk Rating: High
Risk Champion / Risk Owner: CIO and Corporate Security Officer
Status Update: Complete; Update notes

ID#: IPIA_02
Risk Description: The OTN does not have a consistent method of advising and training staff of their privacy and security responsibilities.
Source Document: OTN Integration PIA Sept 07
Risk Rating: High
Risk Champion / Risk Owner: CPO and Privacy Specialist
Status Update: Complete

ID#: IPIA_03
Risk Description: OTN is not currently fulfilling all its health information network provider requirements.
Source Document: OTN Integration PIA Sept 07
Risk Rating: High
Risk Champion / Risk Owner: CPO and Privacy Specialist
Status Update: Complete

ID#: IPIA_05
Risk Description: The TSM patient registry search feature may enable unauthorized access to personal health information.
Source Document: OTN Integration PIA Sept 07
Risk Rating: Medium
Risk Champion / Risk Owner: CIO and Corporate Security Officer
Status Update: Complete; Update notes.

Privacy Risk Register


Respect for User Privacy—Keep it User Centric

Respect the business owners and the need to develop services for our users

– compromise without losing integrity of privacy principles

Incorporate business owners into the process of embedding privacy into the design, the PIA review and addressing findings

Develop and deliver on-line privacy training


Staff On-line Training Module


OUTCOME & MOVING FORWARD


Outcome and Moving Forward

Privacy breaches decreased

• .06% / event total in 09/10

• ↓ .05% in 10/11

• ↓ .02% in 11/12

Member awareness and resources

100% of staff trained

Privacy embedded into our technology and process development

Privacy Threshold Assessment

Automate PIA process

Automate privacy investigation process


Privacy Investigations/Breaches

[Chart: privacy incidents and breaches by fiscal year, 2008-2009 through 2011-2012; series: INCIDENTS, BREACHES; vertical axis from 0 to 70; annotated "Past" and "Present"]


IAPP HP Innovation Award 2011


Organizational Privacy by Design® Ambassadorship

In the fall of 2011, OTN was awarded an Organizational Privacy by Design® Ambassadorship in recognition of its effort to embed “Privacy by Design” principles into the infrastructure of the organization

http://privacybydesign.ca/organizations/


LESSONS LEARNED


Lessons Learned

Life is a million shades of grey and it’s all about compromise

Raising staff awareness in a meaningful way

Leverage the bad

Believe that people come to work every day to do good work

Be passionate about what you do!


Acknowledgements

The success at OTN is a ‘team’ effort

Special acknowledgement to the Privacy Team who worked diligently over the past 3 years

– Sylvie Gaskin, Manager Privacy and Risk

– Michelle MacMillan, Privacy Specialist

– Crystal Olive, Privacy Operations Support


Thank you!

For additional information please contact

Norine Primeau-Menzies

[email protected]

Or please visit

www.otn.ca