Larger Text Smaller Text

COMPETE III Privacy and Confidentiality Code of Conduct

Vision

Research in healthcare and medicine is one of the cornerstones of the Canadian Healthcare system and has helped to make it one of the best in the world. Healthcare in Canada is considered to be a public good and is an important part of Canadian culture and Canadian identity. To make progress and improvements to our healthcare system and to maintain its premier status, on-going research in healthcare and medicine is required.

Research requires retrieval and analysis of information that might not otherwise be gathered. Research sometimes also brings us into contact with information that may compromise people's privacy and confidentiality. A careful balance between the advancement of healthcare through research and respect for people's privacy and confidentiality is essential.

People have a right to keep their healthcare information private and confidential. They also have a right to know what is done with their health information.

The COMPETE III project is dedicated to improving knowledge about healthcare, to bring the latest and best information on disease and therapy to the point of care while safe guarding the rights of patients.

Code of Conduct

Appendix A: Canadian Standards Association Model Code for the Protection of Personal Information (CAN/CSA-Q830-96)

The COMPETE III project, its employees, advisory panel members, partners and investigators will adhere to the following code of conduct in carrying out this research project.1

[1] This Code of Conduct adheres to the Model Code for the Protection of Personal Information developed by the Canadian Standards Association (CAN/CSA-Q830-96). See Appendix A.

Principle 1 - Accountability

COMPETE II and its contracted CHIPP partners/contractors are responsible for the physician and clinical information that they collect and retain. An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

  1. Clinical and research partners will be governed by their own site-specific privacy and confidentiality rules. This will apply to University of Ottawa and Sault Ste. Marie sites.
  2. Vendor partners will conform to the COMPETE III Code of Conduct.
  3. Authorized users of the research databases will be expected to conform to the Code of Conduct..

Principle 2 - Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

  1. Definition: "Personal information" -- information that can uniquely identify the patient.
  2. COMPETE III data will consist of the following:
    1. A clinical data repository of patient information, with a minimum of patient identifying information. This information will only be used to provide physicians and patients with clinical decision support tools that are of potential benefit to the patient and physician.
    2. A research data repository of patient information, with all patient identifiers removed. This database will be used for research studies.
    3. Physician data will be stored in both the clinical and research databases.
    4. Physician identifying information will be collected for the following purposes:
    1. In the clinical data repository, physician data will be used to ensure that guideline information is sent to the correct physician.
    2. In the research database, data will be analyzed to provide feedback to physicians about th4 care they provide to their patients in comparison with their peers and compared to the guidelines.
    3. Data in the research database will also be analyzed to provide physicians with feedback on the effectiveness, benefits, and impact of the COMPETE III technology implemented in their offices.
Principle 3 - Consent (& Knowledge)

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

  1. We will collect the name and telephone number of the patient to provide the COMPETE III Vascular Tracker (decision support) services. Patients will be asked to provide written consent by their physicians for thier participation in the study.

Physician consent will be obtained during the process of signing a contract with the COMPETE III project.

Principle 4 - Limited Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

  1. The COMPETE III project will obtain only that personally identifying information that is required to complete its research (approved by the St. Joseph's Hospital Research Ethics Committee) as identified in paragraph 2.1, which is required to meet its obligations for the conduct of the study; e.g. providing feedback to individual physicians about their own prescribing practices.
    1. In order to facilitate tracking patient data over a period of time, one unique identifier will be encrypted in a reproducible way, and will be collected as part of the study. This encrypted identifier will prevent researchers, COMPETE III staff and others who may have access to the research data from determining the identity of the individual.
  2. COMPETE III will extract data in conformance with Ministry of Health CDS standards. Patient identifying information will be stripped off at the COMPETE II Data Repository. Patient name and phone number will be maintained only for the purposes of providing decision support to patients and physicians.
  3. The COMPETE III project will obtain health information through its designated chart reviewers and through electronic downloading of information. Information will be encrypted to prevent unauthorized use of sensitive information.

Principle 5 - Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

  1. The COMPETE III project will only use personally identifying information in the manner stated above. Should there be changes in the research requirements, participating physicians will be informed and consent will be obtained from them for the new use of data.
  2. Should a patient withdraw from the study, all the information will be removed from the COMPETE III database. If the study is ended prematurely for any reason, patients will be informed of the ending of the study and their data will be removed from the COMPETE III clinical data repository.
  3. Data will be collected for 6 months from patient enrollment. Patient consent will be obtained annually for on-going participation in the study.

Principle 6 - Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

  1. All information will be extracted from the physician's EHR as entered by the physician. Data will be evaluated for quality and reports on data quality will be provided to participating physicians.
  2. All information to be downloaded from the physician’s site will be encrypted before downloading to ensure its integrity.
  3. Information will be downloaded from the physician’s site in a timely manner in order to ensure that research data collected is as up-to-date as is necessary for the research it supports.

Principle 7 - Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

  1. The COMPETE III project will endeavour to use appropriate safeguards for the protection of sensitive information.
    1. All Servers and computers will be maintained in physically secure premises.
    2. All access to databases will be limited through the use of passwords and other electronic techniques only to authorized members of the COMPETE III project.
    3. All information to be downloaded from the physician’s site will be encrypted before downloading.
    4. All information to be exchanged with Tagge Medical Systems will be encrypted before its transmission.
    5. All information to be downloaded to the research database will be stripped of all patient identifiers before downloading. COMPETE III will not disclose analyses if aggregated statistics are derived from the data of less than 6 [six] unique patients.
    6. Names of participating physicians will not be made public in any list form without the express permission of participating physicians.
    7. COMPETE III will not try to contact any individual to whom the anonymous information relates directly or indirectly.
    8. Any analyses of the COMPETE III databases destined for presentation or publication that result in a small sub-set of five [5] or less shall be suppressed. Information in sparse cells may be combined with other cells to avoid cell counts of five [5] or less.
    9. All COMPETE III research personnel and vendor partners will be required to sign an agreement requiring them to comply with the terms of this Code of Conduct, and to acknowledge that a breach of the provisions of thies Code of Conduct is grounds for dismissal or termination of their contract.
    10. Firewalls, user identifications and passwords are used to prevent unauthorized access to the data.
    11. Regular reviews of COMPETE III agreements and proposals are done internally and with clients to ensure standardization. This reinforces COMPETE III's commitment to the overall importance of privacy and confidentiality.

Principle 8 - Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

  1. The COMPETE II project will commission an external audit of its privacy and confidentiality processes, procedures and compliance on an annual basis for the duration of the study. This audit will be available to any member of the public who asks for it.
  2. This Code of Conduct will be made available to all physicians who participate in the study and to any member of the public who wishes to obtain a copy. Additional information, including a description of the types of clinical data gathered and answers to frequently asked questions, will be provided to anyone who wishes to obtain a copy.
  3. All physicians participating in COMPETE II will be notified in writing of any changes to COMPETE II policies or procedures (including this code) that would affect the protection of privacy and confidentiality.

Principle 9 - Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  1. All physicians in the study will be given access to the information collected about them and will be given the opportunity to amend incomplete or erroneous information.
  2. Patients in the study will be given access to the information collected about them. They will have an opportunity to address corrections with their physician.
  3. Denominalized data stored in a separate server for secondary research purposes will be exempted from this requirement, as it is not possible to identify individuals from this database.

Principle 10 - Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

  1. If any individual or participating physician believes that these guidelines have been violated, or has any questions, they may contact the COMPETE II Principal Investigator, Dr. Anne Holbrook, who will be responsible for managing compliance with this policy. All complaints will be investigated and, if a complaint is found to be justified, appropriate action will be taken. The complainant will be notified of the results of the investigation and any actions taken.

Appendix A: Canadian Standards Association Model Code for the Protection of Personal Information
(CAN/CSA-Q830-96)

Principles in Summary

Ten interrelated principles form the basis of the CSA Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary.

  1. Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
  2. Identifying Purposes: The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
  3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
  5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
  8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.


| Privacy Policy | Contact Us |