Electronic Health Records - User Access

Electronic Health Records User Access PHC Remote Guideline Target Audience

All Employees

Jurisdiction

Primary Health Care Remote CAHS; Primary Health Care Remote TEHS

Jurisdiction Exclusions

N/A

Document Owner

Kerrie Simpson Atlas Development Officer Primary Health Care Remote CAHS

Approval Authority

Refer to Policy Guideline Centre NT Quality and Safety Manager Primary Health Care

Author

PHC Safety and Quality Team

The attributes in the above table will be auto-filled from the PGC System. Do not update in this document.

Purpose To provide Primary Health Care Remote staff with a guideline detiling the requirments, including the application process and training, to obtain the authority to utilise Electronic health Records used for clients in remote health services.

Guideline

1.

General Information

There are multiple Electronic Health Record Systems used throughout the Department of Health. Electronic Health Record (EHR) User Access is granted to individuals with a legitimate requirement to access or contribute to Department of Health (DoH) Remote Primary Health Care (PHC) client health records. Within Remote PHC the primary EHR systems are the Primary Care Information System (PCIS) and the East Arnhem Communicare System (EACS). See definitions for further information. Different levels of access are available according to the role of the applicant. Security settings will be allocated that assist an individual in their work, and protect against inappropriate or unnecessary access to information. Level of access alone, however, does not ensure that use of confidential client information is fully safeguarded, and Users must adhere to expected ethical standards. Prospective Users are required to complete and sign the EHR Application for User Access Form (PCIS / EACS) to indicate correct user information has been submitted and that the DoH Privacy Policy and related access obligations are fully understood. A specific RMP EHRS User Access Form has been developed for Rural Medical Practitioners (RMPs) in PHC - Remote who require individual access to a range of EHR Systems. This single form streamlines the process for RMP to access the appropriate EHR Systems throughout the Department. EHR Users will also be granted access to the My eHealth Record (MeHR). Further client specific access to the NT Rheumatic Heart Disease Register and the Northern Territory (NT) Childhood Immunisation Program databases is available via the MeHR for registered clients only. Note: only the records of clients registered with MeHR will be accessible to Users. Users can make separate application for access to the Northern Territory (NT) Rheumatic Heart Disease Register and the NT Childhood Immunisation Program if required. Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 1 of 9

DEPARTMENT OF HEALTH Any individual user will be subject to having their use of these EHRs audited on a routine basis and to possible ad hoc scrutiny. Information in this document includes: - Applicant Identification - Application for User Access – Information Required - Submission of Application - Electronic Health Record - Training - Query Group Access – PCIS only - Use and Monitoring of Electronic Health Records - Access to My eHealth Record - Access to Linked Databases - WebClient Access - Extension, Termination or Change to User Access - Non-clinical Staff access to Health Information & Records - Business Rules Related to Access

2.

Definitions

User: an authorised User of a PHC Remote EHR system. Electronic Health Record (EHR): a systematic collection of electronic health information about individual clients. The EHR is the primary health record into which client personal and health data must be entered. Two EHR systems are used within PHC Remote, namely: - Primary Care Information System (PCIS) - East Arnhem Communicare System (EACS). This is a version of Communicare which is specifically adapted to meet the needs of DoH East Arnhem North clients and health centres. My eHealth Record (MeHR): a secure, electronic record of an individual’s medical history stored and shared in a network of connected systems so that vital health information can be securely exchanged between different health care providers such as medical practitioners, specialists, pharmacists and hospitals. The EHRs interface with MeHR. Rheumatic Heart Disease Register: a Northern Territory (NT) register of those with Acute Rheumatic Fever or with Rheumatic Heart Disease. Childhood Immunisation Database: a NT Centre for Disease Control (CDC) immunisation database that links to the Australian Childhood Immunisation Register (ACIR). It is the primary source of NT childhood immunisation records for PHC Remote clinical staff.

3.

Responsibilities

3.1

Electronic Health Record User

       

Complete the Application for EHR Access (PCIS / EACS / RMP EHRS) Complete the EHR User Access Cessation / Change Request Form (PCIS/ EACS) if a role change requires modified access Sign the applicant declaration to acknowledge that the DoH Privacy Policy and related access obligations are fully understood Fully engage in training on EHR systems Use the EHR to record all relevant client personal and health information Use EHRs to access client records only as necessary in the course of duty Protect client information from inappropriate access Prevent use of personal User Access by any other party Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 2 of 9

DEPARTMENT OF HEALTH

3.2      

3.3     

3.4     

3.5    

4.

Electronic Health Record Helpdesks Accept correctly completed applications for new or modified EHR access Forward application forms to the relevant line manager / authorised delegate for signature Initiate ePASS registration for non-PHC Remote applicants as appropriate Forward RMP EHRS User Access applications to each EHRS relevant to the application Establish access appropriate to the role of the applicant Notify applicant when access has been established

Line Manager / Authorised Delegate Ensure ePASS registration is current or initiate ePASS registration as required Check and endorse signed EHR User Access applications Submit endorsed EHR User Access applications with the ePASS Id to the relevant Helpdesk Facilitate training for new employees Notify relevant EHR Helpdesk when changes to User access are required

Quality and Safety Manager Assess relevant applications received from the EHR Helpdesk and approve or reject each application Return User applications to the EHRS Helpdesk Authorise ePASS registration for relevant applicants as appropriate Retain all applications on file Terminate User Access as directed

Electronic Health Record Educator Arrange training at a mutually convenient time Provide training for appropriate level of access for new and reactivated Users Provide ongoing training for Users who request it Provide training sessions when EHR system upgrades occur

Procedure

The majority of EHR Users will be required to complete a PCIS or EACS User Access Form and other related access forms as appropriate. RMPs in PHC Remote who require access to a range of Electronic Health Record Systems may complete the RMP EHRS User Access Form, which is a single form facilitating access to multiple EHR Systems. The Information Sheet - RMP - Multiple Electronic Health Record Systems User Access provides guidance for the use of a single form and should be used in conjunction with the information in this document as appropriate.

4.1

Applicant Identification and ePASS Registration

A personal ePASS User Id is required by all employees to obtain EHR User Access, even though the DoH network may be accessed through the generic health centre G70 log-on utilised in all remote health centres. This requirement applies to DoH employees, agency staff and non-government authorised personnel. It is important to recognise that once an individual has been registered with ePASS, the User Id that has been initially designated should be re-used for any subsequent reactivation of their account. Therefore ePASS registration of a new applicant should be approached in the following way: 1) Current or past ePASS registration should be checked 2) If current registration is in place, user details should be updated on ePASS, and the User Id utilised on the EHR application form Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 3 of 9

DEPARTMENT OF HEALTH 3) If the applicant has a ‘terminated’ account, the account should be reactivated to ensure continuity of the same User Id 4) If no previous ePASS registration is evident, My eHealth Record registration should be checked. If MeHR registration has previously been granted, the same User Id should be used for the new ePASS Id. Managers may contact the My eHealth Record Helpdesk on 1800 247 430 to check on User Id information. 5) If no previous registration is evident for either My eHealth Record or ePASS, then a new User Id can be created either by manual or system generation. The persons User Id should then be noted in the appropriate field on the User Access Application Form (PCIS / EACS / RMP EHRS). Without exception, every individual who intends to use an EHR must submit a suitably completed User Access Application Form and must have a personal ePASS User Id before accessing any client record. Features of each aspect of the application form are detailed below. 4.1.1

Healthcare Provider Identifier – Individual (HPI-I) Number

A national eHealth initiative is being implemented. This includes a personally controlled electronic health record system which supports secure electronic sharing of health information across Australia’s healthcare system. Three types of Healthcare identifiers have been designed: for the individual (IHI), the health care provider organisation (HPI-O) and the individual health care provider (HPI-I). A HPI-I is allocated to healthcare providers and provides a unique way of identifying the healthcare provider on client records that the provider creates or updates. Health practitioners registered under national law with the Australian Health Practitioner Regulation Authority (AHPRA) can access their 16 digit HPI-I number by contacting: - Medicare on phone: 1300 361 457, or - the Healthcare Identifier Service on phone: 1300 419 495, or - by signing in to ‘your account’ on the AHPRA website and the HPI-I number is recorded in the ‘your details’ section For further information see eHealth NT - What is a HPI-I (intranet), the National E-Health Transition Authority (NEHTA) website, and specifically for HPI-I details the Healthcare Identifiers (HI) webpage.

4.2

Application for User Access – Information Required

4.2.1

Role

Level of access is adjusted according to the role of the applicant. In most cases, it is reasonable that an individual will require security settings that are generic to a given role, and the appropriate role should be nominated on the application form. A relatively large number of EHR functions have security settings and these may be configured on an individual basis. However, any departure from generic security settings requires the specific written request of the applicant, with approval from the line manager / authorised delegate, and the record of this request is filed with the individual’s User Access application. The Quality and Safety Manager will arbitrate on any debatable requests. 4.2.2

Title

Selecting a title for the applicant’s position is requested. This effectively applies a title against all the entries a User will make in the EHR. Commonly used titles are listed for quick selection, but a User may suggest a preferred alternative title. Not all requested alternative titles will be used where existing titles already exist that would be appropriate for that User.

Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 4 of 9

DEPARTMENT OF HEALTH 4.2.3

Duration of Access

The duration of access that is applied for must not exceed contracted dates of employment, or other anticipated time limits on the requirement to access the EHR. Only permanent employees may nominate an open end date. Future amendments to access extension dates or type may be requested using the EHR User Access Cessation / Change Request Form (PCIS / EACS). 4.2.4

Selecting Health Centre/s

Applicants must nominate the anticipated usual health centre/s on the application form. Multiple sites or regional use may be nominated where this is necessary to perform the User’s role. It is not helpful to nominate additional sites on the off chance they may be used. For EHR Users limiting the number of usual work locations does not prevent accessing the client records from other locations using the same EHR. Rather, it promotes simpler use of EHR for the User and easier administration processes. It also reduces the risk of data entry mistakes. It is simple to add another work unit at a later date if the User begins work in a new location. This must be requested via Helpdesk. EACS User access is limited to the four East Arnhem North health centres. If clients of other non-Departmental health services have registered with MeHR, Users are able to access their MeHR records. 4.2.5

Telehealth Converge NT - Interface

Health centre facilities have video conferencing hardware and software installed on some computer assets to enable video conferencing capability. Similarly Medical Practitioners or staff requiring individual access may have this installed an NTG computer asset or personal computer depending on individual circumstances. Individual access is obtained by completing the Video Conference – Desktop Client and Peripheral Equipment Application. The Telehealth Converge NT provides information and contact details regarding practitioners or health facilities with video conferencing capability. Access to Telehealth Converge NT is a component of the default profile given to RMPs when they complete the EHRS – RMP User Access Form. For more information on Telehealth Converge NT contact the NT TeleHealth Helpdesk - phone: 1300 762 249 or e-mail: [email protected]. 4.2.6

Prescriber and Medicare Provider Numbers

Only medical practitioners and other health professionals who hold Provider Numbers are required to complete and submit Page 2 of the Application for Access Form (PCIS / EACS / RMP EHRS). This page seeks information on Prescriber and Medicare Provider Numbers. Medical Practitioners working for PHC Remote must obtain a separate Medicare Provider Number for each community in which they consult. See Medicare Provider Numbers. 4.2.7

Applicant Declaration Signature

An applicant declaration signature is necessary to confirm that the applicant acknowledges the requirement to comply with the DoH Privacy Policy and their responsibility to limit their use of EHRs to the role for which they have been granted User access. It also means that they are aware that they will be subject to having their use of these EHRs audited. Line managers / authorised delegates must ensure the applicant has signed this declaration before authorising access. The signature may be obtained at the time of training, but only under circumstances where it has not been possible to obtain it at an earlier stage.


DEPARTMENT OF HEALTH 4.2.8

Authorisation

Authorisation for User access is twofold for DoH staff from PHC Remote, Police Watch House and Corrections, Renal Services and Alcohol Mandatory Assessment /Treatment and threefold for applicants external to the above listed DoH services and non-government applicants: - applicants authorise their own application, vouching for accuracy of submitted information - the applicant’s line manager is required to endorse the application and thereby acknowledge the appropriateness, legitimacy and accuracy of the application. Details of who is appropriate to endorse an application are described on Page 4 of the EHR Application for User Access Form. Applicants external to the above listed DoH services and non-government applicants, with the exception of some EACS sites, will have their application reviewed by the Quality and Safety Manager. This enables PHC Remote monitoring of external Users being granted access. In some instances, external applicants will be asked to provide supporting documentation. Researchers will only be granted the relevant EHR access in relation to research activities that have been previously authorised by PHC and the requirement for EHR access is warranted. See Research Proposals for more information.

4.3

Submission of Applications

Applicants submit their completed application to the relevant EHR Helpdesk by e-mail or fax. See Contact Details. If a form is submitted to the EHR Helpdesk with incomplete information, the Helpdesk staff will return the form for amendment. The Helpdesk will forward applications for authorisation as follows: - for DoH staff from PHC Remote, Police Watch House and Corrections, Renal Services, Alcohol Mandatory Alcohol Assessment/Treatment, to the line manager / authorised delegate - for applicants external to the above listed DoH services and non-government applicants (with the exception of some EACS sites), to the Quality and Safety Manager

4.4

Electronic Health Record - Training

Users are required to undertake initial and ongoing EHR training. See Electronic Health Record – Training & Resources for more information.

4.5

Query Group Access – PCIS Only

Query Group Access provides functionality that allows customised and comprehensive report queries to be built by the User. This additional level of access must be applied for separately using the PCIS Query Group Access form. This functionality is granted as per the requirements of the User’s role, usually for those in management or regional clinical positions. Primary Health Care Managers are entitled to request this access, but in this case use may be restricted to local searches only. The Query Group Access form further details the responsibilities imposed in using Query Group Access. Note: EACS does not have this functionality.

4.6

Use and Monitoring of Electronic Health Record

The use of EHRs is at all times limited to legitimate purposes for each User. This means: - only accessing client information pertaining to the User’s rightful terms of duty - only utilising the User’s personal User Access - ensuring client information is not disclosed for any other purpose without the client’s consent - ensuring accurate data entry. Routine auditing of the use of EHRs is conducted. Specific and ad hoc auditing may also occur for a variety of reasons. Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 6 of 9

DEPARTMENT OF HEALTH

4.7

Access to My eHealth Record

All DoH employed clinical staff automatically receive access to the records of MeHR registered clients when PCIS or EACS User Access is granted. However, it should be noted that this is a distinct application and as such access privileges assume relevant obligations for responsible use. EHR Helpdesk staff will facilitate dual access on receipt of relevant endorsed applications. User Id and temporary passwords will match for both applications.

4.8

Access to Linked Databases

The Northern Territory (NT) Rheumatic Heart Disease Register and the NT Childhood Immunisation Program database can be accessed through both EHR systems. Authorised Users may access records of individual clients on these two databases. PHC Remote clinical staff who have a legitimate reason for accessing the records of all clients on the Rheumatic Heart Disease Register or the NT Childhood Immunisation Database must complete the RHD Register application form or the Immunisation Database application form and submit these to their line manager / authorised delegate for endorsement.

4.9

WebClient Access

In general, PCIS and EACS will be accessed via departmental computers. However, it is possible to arrange web based access for individual Users via a Citrix interface. WebClient Access is applied for using the PCIS User Access and WebClient Application Form, EACS Application for WebClient Access Form or as a component of the default profile provided on the RMP EHRS Application Form. Users applying for WebClient Access must have an ePASS account and be Local Area Network (LAN) enabled. Nomination of a cost centre and authorisation by the cost centre manager is required to assign costs, as well as authorise the appropriateness of the access. The role of the User must provide a specific and legitimate reason for needing access to EHRs via a web connection. Examples include a medical practitioner on call in a non-DoH location or a researcher working at research institution. Most employees do not require this access to fulfil employment obligations. Also see Getting Started - WebClient Access - Windows (PCIS / EACS) and Getting Started - WebClient Access - Mac Computers (PCIS / EACS). 4.9.1

WebClient Access – End of Contract

WebClient Users are reminded that their ePASS account (and therefore access to PCIS or EACS) will generally be terminated when their contract ends. If a contract is extended, WebClient Users are responsible for completing the relevant User Access Cessation / Change Request form (PCIS / EACS) and sending the endorsed form to the PCIS Helpdesk.

4.10

Extension, Termination or Change to User Access

It is the responsibility of line managers / authorised delegates to notify the EHR Helpdesk in writing of EHR Users who no longer require User Access or whose role has changed. The relevant User Access Cessation / Change Request Form (PCIS / EACS) must be used to facilitate this notification. Notify PCIS / EACS Helpdesk when: - the User terminates employment or no longer requires User Access for the role for which access was granted. - the User’s temporary contract is extended - when the default messaging provider is absent for a period (PCIS only) - when the default provider or usual Medical Practitioner is absent from a health centre for a period of time. Title: Electronic Health Records User Access PHC Remote Guideline HPRM Approval No: EDOC2017/43956 | Version: 2.0 | Doc ID: HEALTHINTRA-1880-12315 | Approved: 30/06/2015 | Last Updated: 30/06/2015 Page 7 of 9

DEPARTMENT OF HEALTH User access may be terminated in the event of inappropriate use of an EHR.

4.11

Non-clinical Staff Access to Health Information and Records

Health records should only be accessed where it is necessary for the performance of an employee’s normal duties. The procedure for recording this information is described in Electronic Health Records – Overview. 4.11.1 Electronic Health Record – Administration Staff Access The role of the health centre Administrative Officer is intended to support the clinical workforce and health centre workflow by ensuring the maintenance of client demographic information, maintaining Wait Lists and processing of client correspondence from external service providers such as specialists. As the role already involves dealing with confidential information, the standard level of access granted to administration staff may be extended at the discretion of the relevant line manager / authorised delegate.

4.12

Business Rules related to Access

Business Rules governing access to EHRs are located in Getting Started – Access and Training (PCIS / EACS).

4.13

Contact Details

Helpdesk

Phone

Fax

E-mail

PCIS

08 8999 2855

08 8980 0730

[email protected]

EACS

08 8924 7173

08 8923 7603

[email protected]

MeHR

1800 247 430

-

TeleHealth Helpdesk

1300 762 249

08 8980 0730

[email protected] [email protected]

Document Quality Assurance Method Implementation

Responsibility

Document will be accessible via the Policy Guidelines Centre and Remote Health Atlas

Health Policy Guidelines Program

Review

Document is to be reviewed within 3 years, or as changes in practice occur

Atlas Development Officer, Primary Health Care CAHS

Evaluation

Evaluation will be ongoing and informal, based on feedback.



Key Associated Documents Forms

PCIS User Access and WebClient Application Form Application for EACS User Access EACS WebClient Access PCIS User Access Cessation / Change Request


DEPARTMENT OF HEALTH EACS User Access Cessation / Change Request PCIS Query Group Access Rural Medical Practitioner (RMP) Electronic Health Record Systems User Access Form Rheumatic Heart Disease Register Application form Childhood Immunisation Records – Internet Access Disease Control User and Provider Access form Video Conference – Desktop Client and Peripheral Equipment Application Key Legislation, By-Laws, Standards, Delegations, Aligned & Supporting Documents

Section 7 – Health Records Research Proposals Medicare Provider Numbers Telehealth – Specialist Consultation Information Sheet: RMP - Multiple Electronic Health Record Systems User Access My eHealth Record (MeHR) eHealth NT - What is a HPI-I Information Act DoH Freedom of Information and Privacy ePASS DoH Telehealth intranet site: Telehealth Converge NT Interface PCIS Website Access webpage URG Getting Started – User Access and Training URG WebClient Access - Windows URG WebClient Access - Mac Computers EACS Website Access web page

References

As above

Evidence Table Reference

Method

Evidence level (I-V)

Summary of recommendation from this reference

N/A

N/A

N/A

N/A
