MALAYSIA HEALTH INFORMATION EXCHANGE (MyHIX) TOOLKIT

MINISTRY OF HEALTH MALAYSIA MALAYSIA HEALTH INFORMATION EXCHANGE (MyHIX) TOOLKIT TELEHEALTH DIVISION APRIL 2014


Copyright © 2014 Ministry of Health Malaysia

Information is correct and valid on the date of publication.

All rights reserved.

No part of this publication may be reproduced in any form or by any electronic or mechanical means including information storage and retrieval systems, without permission in writing from the Director, Telehealth Division, Ministry of Health Malaysia.

ISBN 978-967-0399-98-0

PREFACE

The Telehealth Division, in its effort to smooth the implementation of the MyHIX project, is providing an integration engine that enables integration between facility IT systems and MyHIX.

This MyHIX Toolkit is provided as a guide for facilities, to make sure that the requirements that must be in place before a facility IT system is integrated with MyHIX are met, so that the integration can succeed.

The documents contained in this toolkit are:

a) MyHIX Technical Documents
   i. Checklist for MyHIX Implementation Readiness at Headquarters
      a) Readiness checklist at the Data Centre
      b) MyHIX Stress Test Form
      c) MyHIX Testing Verification Form
   ii. Checklist for MyHIX Implementation Readiness at the Facility
      a) Technical Requirements for Integrating MyHIX with HIS
      b) Technical and Process Readiness Checklist at the Facility
      c) MyHIX Helpdesk Guidelines
b) MyHIX Policy and Guidelines
c) MyHIX Standard Operating Procedure (SOP)
d) MyHIX Change Management (CM)
   i. ADKAR Model for CM
   ii. MyHIX CM Checklist
   iii. MyHIX CM Plan Template
e) MyHIX Supporting Documents / References
   i. Change Management Toolkit for Health Information Technology
   ii. User Access Control Policy and Guidelines (UACP)
   iii. Frequently asked questions about MyHIX for KKM (Ministry of Health) staff (BM & BI)
   iv. Frequently asked questions about MyHIX for the public (BM & BI)

ACKNOWLEDGEMENTS

Thanks are extended for the cooperation shown by the contributors in ensuring that the contents of this toolkit were true and correct at the time of printing. Those involved are:

a) Dr Amiruddin Hisan - Director, Telehealth Division
b) Encik Chan Peng Wah
c) Encik Samsuil Fuad Munap
d) Dr Sukdershan Singh Hazara Singh
e) Dr Leela V Sabapathy
f) Dr Dang Siew Bing
g) Dr Shaifuzah Ariffin
h) Dr Fazilah Shaik Allaudin
i) Puan Zoraidah Ahmad
j) Dr Nor Azhariah Noordin
k) Dr Sam Pradeep Thillakkannu
l) Puan Rohaidah Mat Johor
m) Puan Noorhayati Kassim
n) Puan Haniza Mohamad Hassan
o) Puan Elniee Melson
p) Encik Asraful Kamal Ariffin
q) Puan Nor Asian Jamaludin
r) Encik Mohd Norhisham Ismail
s) Encik Mohd Khairuddin Mokhtar
t) Cik Azilah Badaruzzaman
u) Cik Nuraini Alias

Thanks are also due to the former Head of the Application Unit, Puan Wan Roshidah Wan Ismail, for the initiative in preparing this toolkit.

Table of Contents

A. MyHIX TECHNICAL DOCUMENTS
   i. CHECKLIST FOR MyHIX IMPLEMENTATION READINESS AT HEADQUARTERS
      a) MyHIX READINESS CHECKLIST AT THE DATA CENTRE
      b) STRESS TEST FORM
      c) MyHIX TESTING VERIFICATION FORM
   ii. CHECKLIST FOR MyHIX IMPLEMENTATION READINESS AT THE FACILITY
      a) TECHNICAL REQUIREMENTS FOR INTEGRATING THE MyHIX SYSTEM WITH THE HIS SYSTEM
      b) TECHNICAL AND PROCESS READINESS CHECKLIST AT THE FACILITY
      c) TECHNICAL AND PROCESS READINESS CHECKLIST AT THE FACILITY
B. MyHIX POLICY AND GUIDELINES
C. MyHIX STANDARD OPERATING PROCEDURE (SOP)
D. MyHIX CHANGE MANAGEMENT (CM)
   i. ADKAR MODEL FOR CM
   ii. MYHIX CM CHECKLIST
   iii. MYHIX CHANGE MANAGEMENT PLAN TEMPLATE
E. MyHIX SUPPORTING DOCUMENTS / REFERENCES
   i. CHANGE MANAGEMENT TOOLKIT FOR HEALTH INFORMATION TECHNOLOGY
   ii. USER ACCESS CONTROL POLICY
   iii. FREQUENTLY ASKED QUESTIONS FOR KKM STAFF (BM & BI)
   iv. FREQUENTLY ASKED QUESTIONS FOR THE PUBLIC (BM & BI)

A. MyHIX TECHNICAL DOCUMENTS

i. CHECKLIST FOR MyHIX IMPLEMENTATION READINESS AT HEADQUARTERS

Purpose: This checklist is used to make sure that the things that must be done during the pre-implementation, testing and implementation phases of MyHIX at a new facility are carried out.

Scope: Used by BTK IPKKM (Telehealth Division, Ministry of Health Headquarters) in implementing MyHIX.

Objective: To ensure that every team/unit involved in implementing MyHIX takes on its assigned responsibilities.

Joint references:
a) MyHIX Readiness Checklist at the Data Centre
b) Stress Test Form
c) Testing Verification Form

PART 1 (PRE-IMPLEMENTATION)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. Issue a written directive to the facilities involved to implement MyHIX.
   Responsible officer: Director, BTK

2. Issue written implementation instructions to the facility:
   a. instructions and terms of reference for the facility to form a facility-level MyHIX implementation organisational structure
      o Implementation Team, and
      o Appointment of a Champion
   b. MyHIX Toolkit
      o MyHIX Technical Documents
      o MyHIX Policy & Guidelines
      o MyHIX Standard Operating Procedure (SOP)
      o MyHIX Change Management (CM)
      o MyHIX Supporting Documents/References
   Responsible officer: MyHIX Project Manager, BTK

3. Carry out an access control compliance audit at the facility in accordance with:
   - User Access Control Policy (UACP)
   - Acts / regulations / circulars of KKM/MAMPU and other related ones
   Responsible officer: UACP Team, BTK

4. Help prepare the Standard Operating Procedure (SOP) for the facility.
   Responsible officer: MyHIX Project Team, BTK (Policy)

5. Ensure that the selected facility prepares:
   - a Discharge Summary (Ringkasan Discaj, RD) for every inpatient
   - a Clinical Visit Summary for every hospital outpatient, including Day Care
   - a Clinical Visit Summary for every patient at a health clinic
   *MyHIX Policy & Guidelines (para 4) is relevant.
   Responsible officer: MyHIX Project Team, BTK (Policy)

6. Prepare the integration profile (*) and CDA format for the information to be shared through MyHIX:
   a. Discharge Summary
   b. E-referral
   (*) as required
   Responsible officer: Unit Opten, BTK

7. Distribute the integration profile and CDA format for the information to be shared through MyHIX.
   Responsible officer: Unit Opten, BTK

TECHNICAL

8. Prepare a guide to the hardware readiness requirements for servers and the network at the facility.
   Responsible officer: Network Unit, BPM; Infrastructure Unit, BTK - Hardware

9. Create the following codes in the MyHIX system:
   a. Object Identification Domain (OID) name for the Hospital/Clinic
   b. Facility Code (Clinic/Hospital)
   c. Application Code (Application Contractor)
   d. Security ID
   Inform the contractor and the facility IT team of the codes above.
   Responsible officer: MyHIX Project Team, BTK (Technical)

10. Advise and assist the facility in improving the HIS/CIS system, together with the contractor and the facility's IT officers.
   Responsible officer: MyHIX Project Team, BTK (Technical)

CHANGE MANAGEMENT

11. Carry out change management at the facility. Give an introductory MyHIX briefing to the management, the implementation team and the Champion at the facility.
   Responsible officer: MyHIX Project Team, BTK (Change Management & Promotion)

12. Prepare guidelines / an implementation plan for Change Management at facility level.
   Responsible officer: MyHIX Project Team, BTK (Change Management & Promotion)

PART II (TESTING PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. Ensure that the facility follows the SOP that has been developed.
   Responsible officer: MyHIX Project Team, BTK (Policy)

TECHNICAL

2. Ensure that the hardware, software and network at the Data Centre are in good condition and ready for MyHIX implementation.
   *Refer to the MyHIX Readiness Checklist at the Data Centre
   Responsible officer: MyHIX Project Team, BTK (Technical)

3. A stress test must first be carried out using the Stress Test Form (at the Data Centre and at the Facility).
   *Refer to the Stress Test Form
   Responsible officer: MyHIX Project Team, BTK (Technical); MyHIX Vendor; Network Unit, BPM; Data Centre Unit, BPM

4. Help the facility test the MyHIX system, guided by the MyHIX-HIS/CIS integration technical requirements document that was agreed before development.
   Responsible officer: MyHIX Project Team, BTK (Technical and Policy)

5. Help the facility map HIS Discharge Summary data to the MyHIX Discharge Summary in CDA format.
   Responsible officer: MyHIX Project Team, BTK (Technical and Policy)

PART III (IMPLEMENTATION PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. Carry out an audit of the facility's compliance with the MyHIX Policy & Guidelines.
   Responsible officer: MyHIX Project Team, BTK (Policy)

TECHNICAL

2. Verify the testing process between the facility and the KKM data centre before MyHIX goes live at the facility, using the Testing Verification Form.
   *Refer to the MyHIX Testing Verification Form
   Responsible officer: MyHIX Project Team, BTK; MyHIX Vendor; Facility MyHIX Project Team

3. Prepare ad hoc reports when required.
   Responsible officer: MyHIX Project Team, BTK (Technical)

CHANGE MANAGEMENT

4. Prepare and distribute promotional materials to facilities, according to the suitability of the materials and the budget allocated.
   Responsible officer: Unit Opten, BTK

5. Distribute the MyHIX Helpdesk Procedure (for complaints from facilities to the MyHIX team at KKM Headquarters).
   Responsible officer: Unit Opten, BTK

PART IV (MONITORING PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

2. Carry out an audit of the facility's compliance with the MyHIX Policy & Guidelines.
   Responsible officer: MyHIX Project Team, BTK (Policy)

TECHNICAL

4. Prepare statistics on the Discharge Summaries received from facilities and inform each facility of its performance every month.
   Responsible officer: MyHIX Project Team, BTK (Technical)

5. Ensure that the MyHIX infrastructure is in a state of readiness at all times.
   Responsible officer: MyHIX Project Team, BTK (Technical)

CHANGE MANAGEMENT

6. Prepare and distribute new promotional materials (if any) to facilities.
   Responsible officer: Unit Opten, BTK

a) MyHIX READINESS CHECKLIST AT THE DATA CENTRE

Purpose: This checklist is used to make sure that the things that must be done to implement MyHIX at a new facility are carried out.

Scope: Used during the testing phase by BTK IPKKM in implementing MyHIX.

Objective: To ensure that the MyHIX system infrastructure at the Data Centre is ready for MyHIX implementation.

Prerequisite: Must be used together with the MyHIX Implementation Checklist at Headquarters.

No. | Hardware / Services | Yes | No | Remarks

1. Ensure that the following hardware can be powered ON:
   a. Server 1
   b. Server 2
   c. Load balancer 1
   d. Load balancer 2
   e. Storage Controller 1
   f. Storage Controller 2
   g. Switch 1
   h. Switch 2

2. Ensure that the following services are up:
   a. Registry & Repository Service
   b. PIX PDQ Manager Service
   c. Apache Tomcat Web Server

3. Ensure that the following ports and services are opened on the firewall:
   a. Port: 8080; Service: Registry & Repository Service
   b. Port: 2575; Service: PIX PDQ Manager Service
   c. SOAP (Application Layer): RD submission
   d. HL7 (Application Layer): Patient registration

4. Ensure that the following can be PINGed:
   a. myhix.moh.gov.my
   b. Server 1
   c. Server 2
   d. Load balancer 1
   e. Load balancer 2
   f. Storage Controller 1
   g. Storage Controller 2
   h. Switch 1
   i. Switch 2

Verified by:

………………………………………………………………………. (Signature)

Name : __________________________________

Position : __________________________________

Date : __________________________________

b) STRESS TEST FORM

Purpose: This form is used to test the system's capacity to handle the requests it receives.

Scope: Used by the MyHIX project team at IPKKM together with the MyHIX vendor, and carried out at two (2) levels:

a) at the data centre - not through the firewall and network (bypass firewall & network);

b) at the facility - through the facility firewall and the data centre firewall, and involving the network (ordinary network route)

Objective: To determine the capacity limit of the MyHIX system for handling global ID requests and RDs (receiving and sending), whether or not it is affected by network factors, as a guide to the system's capacity in future.

Prerequisite: Must be used together with the MyHIX Implementation Checklist at Headquarters.

Facility information:

Facility:
Network name:
Network speed:
Estimated number of HIS/CIS users:
Date:

A. PIX-PDQ

Number of Data | Total response time (seconds) | Min response time (seconds) / data | Max response time (seconds) / data | Remarks

B. Discharge Summary (RD)

Number of Data | Total response time (seconds) | Min response time (seconds) / data | Max response time (seconds) / data | Remarks

______________________________ (Tester's signature)

Name :
Position :
Unit/Department :
Date :

c) MyHIX TESTING VERIFICATION FORM

Purpose: This form is used to make sure that all the processes involved in MyHIX implementation run smoothly.

Scope: Used by the MyHIX project team at IPKKM and the project team at the facility before MyHIX implementation at the facility begins.

Objective: To verify the testing process between the facility and the KKM data centre before MyHIX goes live at the facility.

Prerequisite: Must be used together with the MyHIX Implementation Checklist at Headquarters.

Facility information:

Facility:
HIS/CIS product and version:
HIS/CIS vendor:
Tester's name:
Test date:

No. | Test Check | Pass / Fail | Comments / Remarks

1. The process of preparing a case and sending the case to MyHIX.

2. Check the information sent to MyHIX using the 'remote server' method or any other method considered necessary.

Check at the data centre

3. Able to choose to opt out. Able to disable and enable opt-out before the information is sent.

4. Able to view the list of existing discharge summaries in MyHIX.

5. Retrieve the information that was sent to MyHIX and display it as it was sent in item 1.

6. Retrieve information from other facilities that has been sent to MyHIX and display it.

7. Able to display reports as required.

ISSUES DURING TESTING (state, if any)

No. | Item | Comment

VERIFIED BY:

_________________________ (Signature)

Name :
Position :
Unit/Department :
Date :

ii. CHECKLIST FOR MyHIX IMPLEMENTATION READINESS AT THE FACILITY

Purpose: This checklist is used to make sure that the things that must be done during the pre-implementation, testing and implementation phases of MyHIX at a new facility are carried out.

Scope: Used by the project team at the facility in implementing MyHIX.

Objective: As preparation for a smooth MyHIX implementation at a new facility.

Joint references:
a) Technical Requirements for Integrating the MyHIX System with the HIS System
b) Technical and Process Readiness Checklist at the Facility
c) MyHIX Helpdesk Guidelines

Facility information

Facility name:
Name of the HIS/CIS product used:
Contact officers:

No. | Name / Position | Email | Telephone No.

PART I (PRE-IMPLEMENTATION)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

13. Establish a facility-level MyHIX implementation organisational structure:
   c. Implementation Team, and
   d. Appointment of a Champion
   Responsible officer: Director (hospital); Officer in Charge (clinic)

14. Comply with access controls in accordance with:
   - User Access Control Policy (UACP)
   - Acts / Regulations / Circulars of KKM/MAMPU and other related ones
   Responsible officer: Management

15. Date the UACP audit was carried out.
   Responsible officer: IT Officer

16. Prepare a Standard Operating Procedure (SOP) for MyHIX implementation.
   Responsible officer: Domain

17. A Discharge Summary (RD) is prepared for every inpatient at the hospital.
   *Refer to the MyHIX Policy & Guidelines document (para 4) for multi-discipline patients

18. A Clinical Visit Summary is prepared for every hospital outpatient, including Day Care.

19. A Clinical Visit Summary is prepared for every patient at a health clinic.

TECHNICAL

20. The database server has the capacity to absorb the additional load of MyHIX implementation.
   Responsible officer: IT Officer

21. Review and give feedback on the MyHIX-HIS/CIS integration technical requirements document according to the facility's needs.
   *Refer to Technical Requirements for Integrating the MyHIX System with the HIS System
   Responsible officer: Domain, technical, vendor

CHANGE MANAGEMENT

22. Prepare a Change Management strategy for facility staff:
   e. Change management implementation team
   f. Gantt Chart
   Responsible officer: Change management implementation team

23. Prepare a strategy for promotional activities aimed at customers:
   g. Promotional materials
   h. Activities
   Responsible officer: Change management implementation team

PART II (TESTING PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. The MyHIX RD is prepared from the information and data of RD PD302 (mapping HIS RD data to the MyHIX RD in CDA format).
   Responsible officer: Domain, technical, vendor

TECHNICAL

2. Carry out testing of MyHIX implementation readiness in terms of technology and process.
   *Refer to the Technical and Process Readiness Checklist at the Facility
   Responsible officer: Domain, technical, vendor

CHANGE MANAGEMENT

3. Refer to the MyHIX Change Management Checklist and MyHIX Change Management Plan Template documents.
   Responsible officer: Change management implementation team

PART III (IMPLEMENTATION PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. Enforcement of discharge summary preparation.
   Responsible officer: Director, Champion

TECHNICAL

2. Provide information/explanation about the MyHIX helpdesk to IT officers and system vendors at the facility.
   *Refer to the MyHIX Helpdesk Guidelines
   Responsible officer: Domain, technical, vendor

3. Prepare the relevant reports.
   *Refer to Technical Requirements for Integrating the MyHIX System with the HIS System
   Responsible officer: Domain, technical, vendor

CHANGE MANAGEMENT

4. Carry out change management activities on a continuing basis.
   Responsible officer: Change management implementation team

5. Give awareness briefings to new facility staff.
   Responsible officer: Change management implementation team

6. Conduct user training periodically.
   Responsible officer: Change management implementation team

PART IV (MONITORING PHASE)

No. | Item / Activity | Yes | No | Responsible Officer

BUSINESS

1. Ensure that MyHIX is used, and complied with, in line with the policy/SOP that has been prepared.
   Responsible officer: Director, Champion

TECHNICAL

2. Check the number of Discharge Summaries sent to MyHIX against the statistics received from BTK.
   Responsible officer: IT Officer

3. Ensure that the infrastructure and network are at optimum availability.
   Responsible officer: IT Officer

a) TECHNICAL REQUIREMENTS FOR INTEGRATING THE MyHIX SYSTEM WITH THE HIS SYSTEM

Purpose: This checklist is used to make sure that the things that must be done to implement MyHIX at a new facility are carried out.

Scope: Used by the vendor of the HIS/CIS system during pre-implementation at the facility.

Objective: To ensure that the MyHIX system at the facility is ready, for a smooth MyHIX implementation.

Prerequisite: Must be used together with the MyHIX Implementation Checklist at the Facility.

No. | Item / Activity | Yes | No | Remarks

1. Registration with MyHIX
   • Patients are registered with MyHIX to obtain a Global ID automatically (back end) at the registration counter.

2. Data Mapping
   • The HIS can automatically extract data from the HIS Discharge Summary (RD) to generate the RD that will be sent to the MyHIX system.
   • The HIS RD may contain more complete, detailed information according to each facility's needs.
   • The RD prepared must follow the Clinical Document Architecture (CDA) format.

3. Patient Opt-Out
   • The HIS is able to flag opt-out patients so that monitoring can be done.
   • The HIS must also be able to disable the option of sending to MyHIX for patients who choose to opt out.
   • The option to check a patient's records from MyHIX must always be enabled, so that the patient's treatment history from MyHIX can be accessed while treatment is being given, regardless of whether the patient opted out for that episode or not.

4. Data Mapping
   • The HIS can automatically extract data from the HIS Discharge Summary (RD) to generate the RD that will be sent to the MyHIX system.
   • The HIS RD may contain more complete, detailed information according to each facility's needs.
   • The RD prepared must follow the Clinical Document Architecture (CDA) format.

5. Display Screen for Discharge Summaries from MyHIX
   • Has a facility to display a list of all the patient's RDs retrieved from MyHIX, and the doctor can choose to open any RD from that list.

6. RD screen layout
   • May be laid out as the user wishes, but it must also provide the options 'edit', 'review' (semak), 'verify' (sah) and 'send' (hantar).
   • The names of these options are aligned with the options used in the HIS.
   • It must also be consistent with the SOP that has been prepared.

7. RD submission methods
   • The HIS must have both real-time and batch RD submission methods.
   • Users will decide the submission method according to their own facility's SOP.
   • The system must provide a facility to configure automatic submission.
   • RD submission must not disrupt the doctors' work and, if submission of a Discharge Summary to the MyHIX system fails, the HIS is able to re-send it automatically.
   • The HIS must notify users each day of the number of RDs that were successfully sent to MyHIX and the number that failed.

8. Reports
   • The HIS is able to generate MyHIX usage reports:
     a. Number & % of records sent to MyHIX compared with the number of patients treated and discharged. The count is based on the number of patients.
        i. Number & % of patients who chose to opt out compared with the number of patients treated and discharged.
        ii. Number of repeat RDs sent for the same patient (such as an RD addendum). To show the difference from (a.)
     b. The numbers and % for calculations a, b and c above must be determined by the facility.
     c. Usage performance reports will be presented to the top management of KKM.

9. Screen for Monitoring Registration & Submission of Information to MyHIX (Global ID and RD)
   • A screen must be provided to display the data transmissions that take place between the HIS/CIS and MyHIX.
   • This screen will allow users to monitor the transactions between the server at the facility and the one at the KKM Data Centre.
   • It can trace the cause of the problem if patient registration or RD submission to MyHIX fails.
   • Immediate action can then be taken.

b) TECHNICAL AND PROCESS READINESS CHECKLIST AT THE FACILITY

Purpose: This checklist is used to make sure that the things that must be done during the testing phase of implementing MyHIX at a new facility are carried out.

Scope: Used by the project team at the facility in implementing MyHIX.

Objective: To ensure that the MyHIX system at the facility is fully ready before MyHIX implementation can proceed.

Prerequisite: Must be used together with the MyHIX Implementation Checklist at the Facility.

Facility information:

Facility name:
Name of the HIS/CIS product used:
Contact officers:

No. | Name / Position | Email | Telephone No.

A. PRE-IMPLEMENTATION

1. The MyHIX module is on the Production / Testing server.
   Remarks:

2. Product and facility identification must be configured in the HIS/CIS before data transmission from the facility to MyHIX begins. The configuration only needs to be done once for each product.

   Has the following information been registered in the HIS/CIS?

   No. | Item | Yes | No | Remarks

   a. Object Identification Domain (OID) name for the Hospital/Clinic
   b. Facility Code (Clinic/Hospital)
   c. Application Code
   d. Security ID

   Contact the technical officer of the MyHIX project team at BTK IPKKM to obtain the information above.

B. TESTING PHASE

No. | Service | Yes | No | Remarks

3. Ensure that the following ports and services are opened on the firewall:
   a. 8080
   b. 2575
   c. SOAP (Application Layer)
   d. HL7 (Application Layer)

4. Check connectivity to the MyHIX data centre by:
   a. 'PING' the MyHIX domain (myhix.moh.gov.my)
   b. 'TELNET' to port 2576
      (telnet myhix.moh.gov.my 2576)
   c. 'TELNET' to port 8080
      (telnet myhix.moh.gov.my 8080)

5. Ensure that the HIS/CIS system has the following functions:
   a. Register & Update Patient to MyHIX
   b. Query Patient Identification from MyHIX
   c. Query List of Discharge Summary/Clinical Visit Summary from MyHIX
   d. Query Specific Discharge Summary/Clinical Visit Summary from MyHIX
   e. Submit Discharge Summary/Clinical Visit Summary to MyHIX
   f. Screen for monitoring transactions between the HIS/CIS and MyHIX
      *to make it easier for technical officers to trace errors that occur

6. Patient registration with MyHIX
   a. Able to register a new patient in MyHIX
   b. Able to obtain a MyHIX global ID

7. Opt-out process (if the patient chooses not to send the RD to MyHIX)
   a. There is an option to opt out (button, flag, etc.)
   b. The system is able to enable or disable opt-out before the RD is sent to MyHIX

8. Checking Discharge Summaries through the HIS/CIS System
   a. Able to display the list of existing RDs from MyHIX (view list)
   b. Able to select and display the required RD from the list above (a)
   c. Able to display the list of existing RDs from MyHIX (view list) if the patient chooses to opt out
   d. Able to select and display the required RD from the list above (c) if the patient chooses to opt out
   e. Able to display the RD information before it is sent to MyHIX
      *to make sure the mapping of HIS RD data to the MyHIX RD follows the CDA format
   f. Able to send a new RD to MyHIX

9. Methods of sending Discharge Summaries from the HIS/CIS System to MyHIX
   a. Real-time submission
   b. Batch submission
   c. The system can give a notification and list the RDs that failed to be sent each day
   d. For RDs that failed to be sent, the system is able to re-send them automatically
   e. The system can give a notification of the number of RDs successfully sent each day

C. IMPLEMENTATION PHASE

No. | Item | Yes | No | Remarks

10. The HIS/CIS is able to generate the following reports:
   a. Number and % of records sent to MyHIX compared with the number of patients treated and discharged. The count is based on the number of patients.
   b. Number and % of patients who chose to opt out compared with the number of patients treated and discharged.
   c. Number of repeat RDs sent for the same patient (such as an addendum)
      *to obtain the difference between the number of patients discharged and the number of RDs sent to MyHIX

11. Monitoring of registration transactions and of the submission of information to MyHIX
   a. Provide a screen/method that can display the transactions that take place between the HIS/CIS and MyHIX
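The opt-out, re-send and reporting behaviour that the technical requirements (items 3, 7 and 8) and this checklist (items 7, 9 and 10) ask of the HIS/CIS, shown as an added Python example that is not part of the toolkit or of any MyHIX code. Episode, RDOutbox and the transport callable are hypothetical names and the sample discharges are constructed; a real HIS would submit a CDA document to MyHIX where the example calls transport.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Episode:
    patient_id: str        # local HIS patient identifier (constructed)
    rd_id: str             # Discharge Summary (RD) identifier (constructed)
    opt_out: bool = False  # patient opted out for this episode


class RDOutbox:
    """Hypothetical HIS-side queue for RDs going to MyHIX."""
    def __init__(self, transport: Callable[[Episode], bool], max_attempts: int = 3):
        self._transport = transport          # assumed: True when the RD was accepted
        self._max_attempts = max_attempts
        self._attempts: Dict[str, int] = {}  # rd_id -> attempts so far
        self.pending: List[Episode] = []     # batch queue and re-send queue
        self.sent: List[Episode] = []
        self.failed: List[Episode] = []      # gave up after max_attempts
        self.discharged: Set[str] = set()    # every patient treated and discharged
        self.opted_out: Set[str] = set()     # flagged for monitoring, never sent

    def discharge(self, ep: Episode, realtime: bool = False) -> str:
        """Record a discharge and return what happened to its RD."""
        self.discharged.add(ep.patient_id)
        if ep.opt_out:
            # Sending is disabled: the RD never enters the queue, so a later
            # batch run cannot pick it up. Queries to MyHIX are not gated here.
            self.opted_out.add(ep.patient_id)
            return "blocked"
        if realtime:
            return self._try_send(ep)
        self.pending.append(ep)
        return "queued"

    def _try_send(self, ep: Episode) -> str:
        self._attempts[ep.rd_id] = self._attempts.get(ep.rd_id, 0) + 1
        try:
            ok = self._transport(ep)
        except OSError:
            ok = False  # a network error counts as a failed attempt
        if ok:
            self.sent.append(ep)
            return "sent"
        if self._attempts[ep.rd_id] >= self._max_attempts:
            self.failed.append(ep)  # stop retrying, keep it visible for follow-up
            return "failed"
        self.pending.append(ep)     # automatic re-send on the next run
        return "retry"

    def flush(self) -> None:
        """One batch run: send everything queued, including earlier failures."""
        batch, self.pending = self.pending, []
        for ep in batch:
            self._try_send(ep)

    def notification(self) -> Dict[str, object]:
        """End-of-day figures for users: how many went through, which did not."""
        return {
            "sent": len(self.sent),
            "awaiting_resend": [e.rd_id for e in self.pending],
            "failed": [e.rd_id for e in self.failed],
        }

    def usage_report(self) -> Dict[str, float]:
        """Counts are per patient, so an addendum does not inflate the % sent."""
        total = len(self.discharged)
        sent_patients = {e.patient_id for e in self.sent}
        def pct(n: int) -> float:
            return round(100.0 * n / total, 1) if total else 0.0
        return {
            "patients_discharged": total,
            "patients_sent": len(sent_patients),
            "pct_sent": pct(len(sent_patients)),
            "patients_opt_out": len(self.opted_out),
            "pct_opt_out": pct(len(self.opted_out)),
            "repeat_rds": len(self.sent) - len(sent_patients),  # e.g. addenda
        }


def demo() -> RDOutbox:
    seen: Dict[str, int] = {}

    def transport(ep: Episode) -> bool:
        # Constructed link behaviour: RD-3 fails once, RD-4 never gets through.
        seen[ep.rd_id] = seen.get(ep.rd_id, 0) + 1
        return ep.rd_id != "RD-4" and not (ep.rd_id == "RD-3" and seen[ep.rd_id] == 1)

    box = RDOutbox(transport)
    box.discharge(Episode("P1", "RD-1"), realtime=True)
    box.discharge(Episode("P1", "RD-1A"))               # addendum, sent in batch
    box.discharge(Episode("P2", "RD-2", opt_out=True))  # never queued
    box.discharge(Episode("P3", "RD-3"))
    box.discharge(Episode("P4", "RD-4"))
    for _ in range(3):                                  # three batch runs
        box.flush()
    return box
```

Calling demo() and then notification() and usage_report() on the result gives the daily figures and the per-patient percentages the checklist asks the HIS/CIS to produce.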

33

Page 34: MALAYSIA HEALTH INFORMATION EXCHANGE (MyHIX) TOOLKIT

MyHIX HELPDESK GUIDELINES

c) CHECKLIST OF TECHNICAL AND PROCESS READINESS AT THE FACILITY

INTRODUCTION

These guidelines are provided for the reference of all facilities involved in integrating their facility IT systems with MyHIX.

WORK PROCEDURE (Standard Operating Procedure)

1. Any issue relating to MyHIX must be channelled to the IT Unit at the respective facility.

2. The issue will go through three (3) levels of action as follows:

a) Action at facility level

The IT Unit at the facility takes action if the issue relates to an IT problem at the facility. If it is not a local issue, it will be escalated to the Helpdesk of the Information Management Division (Bahagian Pengurusan Maklumat, BPM) by email at [email protected] or by telephone at 03-8883-3883.

b) Action at BPM level

i. BPM will screen the issues received to determine whether they relate to:

• Network and data centre; or

• MyHIX operations

ii. BPM only takes action on issues relating to network and data centre problems.

iii. BPM will escalate issues relating to MyHIX operations to the Telehealth Division for further action.

c) Action at Telehealth Division (Bahagian Telekesihatan, BTK) level

BTK is responsible for taking action on any issue relating to MyHIX operations. (Refer to the work flow chart in Appendix 1 (Lampiran 1))

CLIENT CHARTER

The MyHIX Helpdesk at BTK level will respond within three (3) working days to any MyHIX issue received.

OPERATING HOURS

The MyHIX Helpdesk operates every working day as follows:

Monday to Thursday: 8.00 am to 12.30 pm, 2.00 pm to 4.30 pm

Friday: 8.00 am to 12.15 pm, 2.45 pm to 4.30 pm

These guidelines will be improved and updated periodically, from time to time, based on feedback received from all parties.


Appendix 1

WORK FLOW CHART OF THE HELPDESK FOR THE MyHIX SYSTEM

[Flow chart. Boxes:]

• The complainant reports to [email protected] @ 03-8883 3883

• Helpdesk BPM receives the question/complaint from the health facility

• Helpdesk BPM identifies the problem and the division to be referred to

• Is BTK action required? (YES / NO)

• Helpdesk BPM sends the question/complaint to the other relevant division

• Helpdesk BPM sends the question/complaint to the MyHIX Complaints Coordinator at BTK

• The MyHIX Complaints Coordinator receives the question/complaint/feedback and identifies questions that can be answered from the FAQ

• Can the MyHIX Complaints Coordinator answer from the FAQ? (YES / NO)

• Answer or take appropriate action

• Send the question to the relevant Unit

• The relevant Unit answers the question / complaint / feedback and takes appropriate action.

• The relevant Unit sends the solution to the user at the health facility and informs the MyHIX Complaints Coordinator & Helpdesk BPM

• The MyHIX Complaints Coordinator and Helpdesk BPM update the Helpdesk BPM Application System online and prepare a report

Note:

• Identify whether the complaint is official or unofficial (an official complaint means the complaint was made through Helpdesk BPM)

• Advise the complainant to report to:

a) [email protected]

b) 03-88833883


B. MyHIX POLICY AND GUIDELINES


1. INTRODUCTION TO MyHIX

MyHIX is an integration engine to enable sharing of patient Discharge Summary or Clinical Summary as an initial sharing of patient clinical information amongst various healthcare facilities. The MyHIX Project is a basic and small component of the total Lifetime Health Record (LHR) Project and its aim is to make Discharge Summary or Clinical Summary available online, to be shared between healthcare facilities.

The proposal of MyHIX concept was approved at the 27th Flagship Coordination Committee Meeting which was chaired by Y.Bhg. Tan Sri Mohd Sidek Hassan, Ketua Setiausaha Negara on the 25th June 2008. The scope of implementation was approved at the Telehealth Steering Committee Meeting which was chaired by Y.Bhg. Tan Sri Dato’ Seri Dr. Hj. Mohd Ismail Merican, Ketua Pengarah Kesihatan on the 18th November 2008.

MyHIX Policy comprises:

i. MyHIX Data Collection

ii. MyHIX Access Guideline

2. MYHIX DATA COLLECTION

2.1. MyHIX DATA

2.1.1. The patient clinical data (hereinafter referred to as “the Data”) to be shared is in the form of Discharge Summary or Clinical Summary, which comprises two elements:

i. Demographics

ii. Clinical information

2.1.2. The Codes of the Data are as follows (as per HL7 standards):

N – Normal (patient demographic)

R – Restricted by default

V – Very restricted (Classified information Medico-legal of special cases, VIP as per MOH list)


2.1.3. For the patient seen at Outpatient facility, the Data shall be extracted from the clerking note as follows:

i. Problem list

ii. Diagnosis, if available

iii. Orderables (e.g. laboratory and radiology investigations, etc.)

iv. Medications and other relevant treatments.

2.1.4. Ministry Of Health shall be assigned as the Custodian of MyHIX Data.

2.2. REGISTRATION TO MyHIX

2.2.1. An implied consent is applicable every time a patient is registered with the healthcare facilities that have implemented MyHIX (hereinafter referred to as “the Facilities”).

2.2.2. Patients who choose not to participate in MyHIX must sign an ‘Opt Out’ form. The Data shall not be sent to MyHIX repository.

2.2.3. Data that has been sent to the MyHIX Central Repository cannot be retracted should the patient wish to opt out retrospectively for an earlier admission.

2.2.4. Data cannot be sent retrospectively to MyHIX Central Repository should the patient wish to reverse his opt out for an earlier admission.

2.2.5. *All Data of babies born in the Facilities shall be sent to MyHIX and therefore ‘Registration number (RN)’ shall be created for the baby.

*This will come in place when registration of all newborn babies becomes a policy.

2.3. QUERY TO MyHIX

2.3.1. The Data shall be sent to MyHIX only if identification of the patient is known. Therefore a unique identifier of the individual and the following biodata are required:

i. Personal ID number :

a) Identification Card (IC) number

b) Birth Certificate number


c) Passport number

d) Army or police number

e) Registration number for newborn baby

ii. Name

iii. Gender

iv. Date of Birth

2.3.2. The information belonging to a patient classified as ‘V’ (very restricted) is to be accessed according to the Information System policy of the Facilities.

2.4. STORING DATA IN MyHIX

2.4.1. The name, designation, professional registration number of the healthcare professional that has created the summary shall be stated in the Data.

2.4.2. The integrity, accuracy and completeness of the Data shall be the responsibility of the source facility.

2.4.3. The Data received from the source facility shall be maintained at the MyHIX repository and the receiving facility without being changed, added or deleted.

2.4.4. Nonetheless, the source facility can make addendums to the Data which shall be updated into MyHIX repository. Any addendum made must go through the Medical Record Officer.

2.4.5. Whenever the patient is managed by multiple disciplines, each discipline within the Facilities will produce an encounter summary which will be encapsulated in the Data. It is the responsibility of the last point of care in the hospital to send the Data to MyHIX.

2.4.6. The Data is not required for patients seen at Emergency & Trauma Department (ETD) prior to ward admission, but if the patient is discharged after being seen at ETD the Data shall be submitted to MyHIX by the ETD attending healthcare professional. This shall also include Ambulatory Care Patients.

2.4.7. The Data shall be kept at the MyHIX repository indefinitely and shall be archived after patient’s death.

2.4.8. In the event of system downtime, the Data shall be submitted to MyHIX when the system is functioning again.

2.4.9. The requirements for the verification of the Data shall be determined in accordance with the Facilities Information System’s operational policy as follows:


i. The Head of the Facilities shall assign officers to verify the Data.

ii. The name, designation and professional registration number of the verifying officer shall be stated in the Data.

iii. The Data sent shall be stored in the MyHIX repository regardless of its verification status.

iv. The quality of the Data is the responsibility of the source facilities.

2.4.10. For in-patients, usage of ICD10 classification in the diagnosis is encouraged before Data is submitted to MyHIX repository. It should be noted that usage of ICD10 classification in diagnosis may be made mandatory in the near future.

2.4.11. The Data shall be sent to MyHIX repository when a patient is being discharged from the healthcare facility. The time frame for the Data to be sent to MyHIX shall follow the hospital NIA (National Indicator Approach) standard. The MyHIX system shall acknowledge all the discharge summaries received.

2.4.12. The local system shall have the ability:

i. To indicate whether the Data has been sent to MyHIX.

ii. To highlight outstanding Data to be sent to MyHIX.

2.5. REQUESTING AND VIEWING MyHIX DATA

2.5.1. The Data shall be accessible to healthcare professionals as determined by the individual healthcare facility according to the MOH’s User Access Control Policy (UACP).

2.5.2. Any queries or retrieval of the Data shall be allowed upon registration in the presence of the patient at the facility.

2.5.3. The Data from MyHIX can selectively be kept in the local system and the original source (healthcare facility) identified.

2.5.4. The Facilities shall have the following mechanism to monitor unethical access:

i. Audit trail

ii. Enforcement of access policy.


MyHIX ACCESS GUIDELINE

(To be read with the UACP)

This Guideline was drafted using the following documents as references:

a. The Medical Act 1971,

b. The Malaysian Medical Council (MMC) Ethical Codes and Guidelines:

• Code of Professional Conduct

• Duties of a Doctor

o Good Medical Practice

o Patient Confidentiality

c. Ministry of Health Circulars and Guidelines:

• Management of Patient Medical Records in Hospitals and Medical Institutions (2010)

• ICT Security Policy (2010)

d. Guidelines issued by other health care professional bodies


1. PURPOSE

The purpose of this guideline is to ensure that the confidentiality and privacy of the patients’ information shared in MyHIX is maintained at all times. The Facilities involved in MyHIX are required to abide by this guideline.

It is categorically stated here that the responsibility to ensure the confidentiality and privacy of the patients’ information, within the facility, rests solely with the Facility.

2. GENERAL GUIDELINES

2.1. Each healthcare facility must have in place its overall Information Security Policy statement defining how it manages the security of its medical records. This policy shall be readily available to all staff at all levels of the organization.

2.2. It is important that all staff members are aware of and comply with all policies, procedures and security measures that have been put in place to protect patients’ medical records.

2.3. Sanctions shall be established for unauthorized or inappropriate access, in line with existing laws and regulations.

2.4. Disciplinary action shall be taken according to the current guidelines on this issue.

2.5. All efforts will be taken by the facility to ensure that all staff are aware of all of the above (e.g. during induction course, posting orientation or refresher training).

3. SPECIFIC GUIDELINES

3.1. Facility

3.1.1. The healthcare facility shall determine and make a registered list of healthcare professionals who are given the authority to access. These healthcare providers shall be listed in accordance with the department/unit they are placed in.

3.1.2. Each healthcare facility shall have appropriate workflow and procedures regarding discharge summary (entry, verification, submission to MyHIX, addendum made, retrieval, etc.)


3.2. System

3.2.1. The Information System (IS) at the healthcare facility shall ensure that the authorized user updates his/her password every 3 months/90 days.

3.2.2. An inactive computer shall have an auto system screen saver activated after 2 minutes.

3.2.3. An inactive computer shall be automatically logged out after remaining idle for more than 15 minutes.

3.2.4. Any inactive user of more than one month duration will be automatically deactivated. He/she needs to reactivate his/her account in order to login into the system.

3.2.5. The System Alert shall be as follows:

i. Reminders before access (Reason for access)

ii. Access level (Provider patient relationship)

iii. Irrelevant access (wrong / different discipline / category staff)

iv. Printing / copying / saving / any other means of duplicating

v. Which username / password / PC over accesses

3.2.6. The system shall have an auto system lock :

i. After third incorrect attempt of entering username and / or password.

ii. For an attempt to download to any removable media (e.g. pen-drive).

iii. For an attempt to access from unauthorized location.

3.2.7. The system shall restrict care provider who is not in the explicit provider-patient relationship.

3.2.8. The system shall not allow printing/duplicating of discharge summary retrieved from MyHIX.

3.2.9. The system will have audit trail to record the time and date of discharge summary (entry, verification, submission to MyHIX, addendum done, retrieval) of user.

3.2.10. The provider who is no longer the staff of the facility shall have his/her user account status changed to “inactive” immediately.
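The account and session rules in 3.2.1 to 3.2.4, 3.2.6 (i) and 3.2.10 can be expressed as a small policy check. This is an added example, not part of the MyHIX toolkit; the `Account` fields, the function names, the returned strings and the reading of "one month" as 30 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds from guideline items 3.2.1 to 3.2.6.
PASSWORD_MAX_AGE = timedelta(days=90)     # 3.2.1: password updated every 90 days
SCREENSAVER_IDLE = timedelta(minutes=2)   # 3.2.2: screen saver after 2 minutes
LOGOUT_IDLE = timedelta(minutes=15)       # 3.2.3: log-out after more than 15 minutes idle
ACCOUNT_INACTIVE = timedelta(days=30)     # 3.2.4: "one month", taken as 30 days (assumption)
MAX_FAILED_LOGINS = 3                     # 3.2.6 i: lock after the third incorrect attempt


@dataclass
class Account:
    """Hypothetical account record; the field names are assumptions."""
    username: str
    password_set: datetime
    last_login: datetime
    employed: bool = True    # 3.2.10: False once the provider has left the facility
    failed_logins: int = 0
    locked: bool = False
    active: bool = True


def session_state(last_input: datetime, now: datetime) -> str:
    """Classify a workstation session by idle time (3.2.2, 3.2.3)."""
    idle = now - last_input
    if idle > LOGOUT_IDLE:
        return "logged_out"
    if idle >= SCREENSAVER_IDLE:
        return "screensaver"
    return "active"


def review_account(acct: Account, now: datetime) -> None:
    """Deactivate departed staff (3.2.10) and users inactive for over a month (3.2.4)."""
    if not acct.employed or now - acct.last_login > ACCOUNT_INACTIVE:
        acct.active = False


def login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Return the outcome of one login attempt under the 3.2 rules."""
    review_account(acct, now)
    if not acct.active:
        return "denied: account inactive"
    if acct.locked:
        return "denied: account locked"
    if not password_ok:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True   # stays locked until an administrator resets it
            return "denied: account locked"
        return "denied: bad credentials"
    acct.failed_logins = 0
    acct.last_login = now
    if now - acct.password_set >= PASSWORD_MAX_AGE:
        return "password change required"
    return "ok"


if __name__ == "__main__":
    now = datetime(2014, 4, 1, 9, 0)   # constructed sample values
    acct = Account("dr_a", now - timedelta(days=10), now - timedelta(days=1))
    for ok in (False, False, False, True):
        print(login(acct, ok, now))
    print(session_state(now - timedelta(minutes=16), now))
```

Once the third bad attempt locks the account, a correct password is also refused, which is the behaviour 3.2.6 (i) asks for.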


3.3. User / Health care provider

3.3.1. Authorized users shall have access to the system based on defined role or function. No back-door access by staff who do not have an explicit provider-patient relationship.

3.3.2. Users must have valid user name & password. (Only authorized users will be given individual username and password).

3.3.3. On application for username and password, the authorized users shall sign a statement which requires that they alone will use the assigned username and password.

3.3.4. All users must sign the “Surat Akuan Pematuhan Dasar Keselamatan ICT Kementerian Kesihatan Malaysia” to always maintain the confidentiality and privacy of patient information obtained from the system.

3.3.5. All users must:

i. Always log out of the system when work has finished.

ii. Not leave the terminal unattended and logged in.

iii. Not share log in with other people.

iv. Not reveal password to others.

v. Change password at regular intervals to prevent anyone else using it.

vi. Avoid using a short password, or names or words that are known to be associated with them (e.g. children’s names or birthdates).

vii. Always clear the screen of a previous patient’s information before seeing another.

3.3.6. Break-the-glass mechanism to be provided to override access restrictions in emergency situation.

3.4. Monitoring

3.4.1. Audit trail shall be monitored and reported regularly. Any discrepancy shall be investigated immediately.

3.4.2. The permanent agenda in “Mesyuarat Jawatankuasa Keselamatan Teknologi Maklumat” and ”Jawatankuasa Keutuhan” or any other relevant committee of the Facility shall include :


i. Number of user access (authorised and unauthorised) per patient record per day

ii. Number of unauthorized printing / copying / saving / any other means of duplicating discharge summary

iii. Random audits (10% per month)

iv. Numbers / list of Computer locations with frequent unauthorized access

v. Spot checks

3.4.3. Audit trail of routine maintenance shall also be available.

3.4.4. Audit trails are in place to monitor vendor staff activity.

3.4.5. The healthcare facility shall monitor complaints received regarding unauthorized access to MyHIX and do the necessary investigation immediately.
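The committee figures listed in 3.4.2 (i) to (iv) can be computed directly from the audit trail. The following is an added example, not part of the MyHIX toolkit: the CSV layout, the field names, the `authorised` flag, the threshold of two for "frequent" and all sample records are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit-trail records (not real data). Assumed CSV layout:
# timestamp,user,workstation,patient_id,action,authorised
# "authorised" is the access-control decision logged at the time (1 = allowed).
SAMPLE_AUDIT = """\
2014-04-01T08:05:00,dr_a,WARD3-PC1,P001,retrieve,1
2014-04-01T08:07:00,dr_a,WARD3-PC1,P001,print,0
2014-04-01T09:30:00,nurse_b,WARD3-PC2,P001,retrieve,1
2014-04-01T10:15:00,clerk_c,ADMIN-PC7,P001,retrieve,0
2014-04-01T10:16:00,clerk_c,ADMIN-PC7,P002,retrieve,0
2014-04-01T11:00:00,dr_d,CLINIC-PC4,P002,retrieve,1
2014-04-02T08:00:00,dr_a,WARD3-PC1,P001,addendum,1
2014-04-02T14:20:00,clerk_c,ADMIN-PC7,P003,save,0
2014-04-02T14:25:00,dr_d,CLINIC-PC4,P003,retrieve,1
2014-04-02T15:00:00,dr_d,CLINIC-PC4,P003,verify,1
"""

DUPLICATION_ACTIONS = {"print", "copy", "save"}   # duplication attempts, 3.4.2 ii


def parse_audit(text):
    """Parse the assumed CSV audit lines into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, workstation, patient_id, action, authorised = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "workstation": workstation,
            "patient_id": patient_id,
            "action": action,
            "authorised": authorised == "1",
        })
    return records


def access_per_record_per_day(records):
    """3.4.2 i: authorised and unauthorised access counts per patient record per day."""
    out = defaultdict(lambda: {"authorised": 0, "unauthorised": 0})
    for r in records:
        key = (r["patient_id"], r["ts"].date().isoformat())
        out[key]["authorised" if r["authorised"] else "unauthorised"] += 1
    return dict(out)


def unauthorised_duplication(records):
    """3.4.2 ii: number of refused print / copy / save attempts."""
    return sum(1 for r in records
               if r["action"] in DUPLICATION_ACTIONS and not r["authorised"])


def frequent_unauthorised_workstations(records, threshold=2):
    """3.4.2 iv: workstations with at least `threshold` unauthorised accesses."""
    counts = Counter(r["workstation"] for r in records if not r["authorised"])
    return sorted(ws for ws, n in counts.items() if n >= threshold)


def random_audit_sample(records, fraction=0.10, seed=None):
    """3.4.2 iii: draw 10% of the month's records (at least one) for manual review."""
    k = max(1, math.ceil(len(records) * fraction))
    return random.Random(seed).sample(records, k)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for key, counts in sorted(access_per_record_per_day(recs).items()):
        print(key, counts)
    print("unauthorised duplication:", unauthorised_duplication(recs))
    print("workstations to check:", frequent_unauthorised_workstations(recs))
    print("records drawn for audit:", len(random_audit_sample(recs, seed=1)))
```

Passing a fixed `seed` makes the monthly draw reproducible, so the committee can show afterwards which records were selected and why.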

3.5. Others

3.5.1. The offences of unlawfully gaining access to the computer programme under the relevant law include:

i. Unauthorized access to computer material

ii. Unauthorized access with intent to commit or cause commission of further offences

iii. Unauthorized modification of computer material


C. MyHIX STANDARD OPERATING PROCEDURE (SOP)


A. INTRODUCTION TO MyHIX

MyHIX is an integration engine to enable sharing of patient Discharge Summary or Encounter Summary as an initial sharing of patient clinical information amongst various healthcare facilities. MyHIX is a basic and small component of the total Lifetime Health Record (LHR). MyHIX is to make Discharge Summary or Encounter Summary available online to be shared between healthcare facilities.

B. MyHIX BACKGROUND

The proposal of MyHIX was approved at the 27th Flagship Coordination Committee Meeting which was chaired by Y.Bhg. Tan Sri Mohd Sidek Hassan, Ketua Setiausaha Negara on the 25th June 2008. The scope of implementation was approved at the Telehealth Steering Committee Meeting which was chaired by Y.Bhg. Tan Sri Dato’ Seri Dr. Hj. Mohd Ismail Merican, Ketua Pengarah Kesihatan on the 18th November 2008.

C. OBJECTIVES OF THE DOCUMENT

The purpose of this Standard Operating Procedure (SOP) is to establish a uniform procedure at the healthcare facilities that participate in MyHIX implementation which is the procedure of sharing Discharge Summary or Encounter Summary between these facilities. This involves sending and retrieval of Discharge Summary or Encounter Summary to and from MyHIX central repository. The work flow process in this SOP is in accordance with MyHIX Policy and should be read in tandem with MyHIX Policy for Data Collection and Access Control Guidelines.

D. MyHIX DATA

The patient clinical data to be shared is in the form of Discharge Summary or Encounter Summary which comprises two elements [1]:

i. Patient Demographics

ii. Patient Clinical Information which can be either Inpatient Data (Discharge Summary) or Outpatient Data (Encounter Summary). The information includes:

a) problem lists

b) diagnosis

c) procedure

d) medication

e) laboratory result

f) radiological report

g) management plan

Discharge Summary to be sent to MyHIX is an extract of Discharge Summary in Hospital Information System (HIS) whilst Encounter Summary is an extract of clinical note in Clinical Information System (CIS). Other clinical information such as referral note, radiological images and order request including drug prescription will be available in the future once the development of the respective integration profiles and Clinical Document Architecture (CDA) body have been completed.


E. MyHIX WORK FLOW CHART FOR DISCHARGE SUMMARY

[Flow chart. Boxes: Start; 1. Registration; Query MyHIX for global ID; 2. Consultation; Request & retrieve previous summary; Discharge; 3. Creation of Discharge Summary; ICD 10 Diagnosis? (YES / NO); ICD 10 Coding by MRO; Discharge Summary kept in local server; Opt Out? (YES / NO); 4. Opt Out Process; Extraction of Discharge Summary; 5. Sending Discharge Summary to MyHIX; MyHIX; Addendum by Authorized Doctor; End.]

Legend: Back end process; MRO: Medical Record Officer


F. MyHIX WORK PROCESS FOR DISCHARGE SUMMARY

1. PATIENT REGISTRATION

1.1. Patient admission procedure and registration into HIS are done by Registration Counter Personnel (Petugas Kaunter) at the Admission Counter [2].

1.2. Charges or Deposit will be collected based on patient’s entitlement and categories.

1.3. An Implied Consent for MyHIX is applicable every time patient is registered in health care facilities involved in MyHIX [1].

1.4. Query MyHIX for Global ID is a back end process by the system.

2. CONSULTATION

2.1. Consultation is performed by the health care provider (HCP) who attends and provides health care to the patient.

2.2. The attending HCP can request and retrieve previous discharge or Encounter Summary(s) from MyHIX if available to ensure continuity of care. The accessibility of the data is determined by the individual health care facility according to the Ministry of Health User Access Control Policy (UACP).

3. DISCHARGE PROCESS AND CREATION OF DISCHARGE SUMMARY

3.1. Discharge is defined as the departure from the hospital, either alive or dead, of a patient who has undergone admission procedure [3].

3.2. The patient is discharged with the order from the Specialist or Medical Officer depending on the operational policy of the health care facility.

3.3. The Discharge Summary is completed by the attending doctor within 72 hours of discharge [2].

3.4. The integrity, accuracy and completeness of the data in the Discharge Summary are the responsibility of the facility [1]. Data verification is determined by the facility operational policy [1]; for example, the Discharge Summary which is created by the House Officer must be verified by the Medical Officer.

3.5. ICD 10 coding of the diagnosis before Discharge Summary is submitted to MyHIX is encouraged. It should be noted that ICD 10 coding may be made mandatory in the future. ICD 10 coding after Discharge Summary has been sent to MyHIX can be done as addendum by the Medical Record Officer (MRO).

3.6. Addendum to the Discharge Summary that has been sent to MyHIX can be done if deemed necessary [1].

3.6.1. The authorised doctor must first make the Addendum to patient’s Electronic Medical Record (EMR) and the Discharge Summary Addendum will be auto generated from this. The doctor must view and confirm the addendum made before it is sent to MyHIX.


4. OPT OUT PROCESS

4.1. It begins when patient opts out from participating in health information exchange, that is, when patient chooses not to send his / her health information to MyHIX. For patient who is not able to make a sound decision such as an underage or unconscious patient, the decision to opt out can be made by his / her legal guardian or carer.

4.2. System is updated on the OPT OUT once decision to opt out is made.

4.3. The patient / guardian / carer who have decided to opt out are required to complete and sign the Opt Out form [1]. The completion and signing of the form can be done at any time prior to patient discharge. Prior to signing of the form, the attending HCP must counsel the patient / guardian / carer about MyHIX and the benefits of health information exchange as well as inform them that the decision to opt out is per encounter.

4.4. The in-charge nurse must ensure that the Opt Out form has been completed. This is done as one of the discharge checklist activities.

4.5. Documentation of the signed Opt Out form depends on the facility. It can either be kept in the patient’s folder or scanned into the system.

5. SENDING DISCHARGE SUMMARY TO MyHIX

5.1. All Discharge Summaries except for Discharge Summary of Opt Out patient will be sent to MyHIX [1].

5.2. Discharge Summary will be extracted from local server and sent to MyHIX.

5.3. Sending will be done automatically either by batches or real time depending on the capacity of the facility ICT infrastructure. However, option for manual sending is available if deemed necessary.

G. SIMPLIFIED MyHIX PROCEDURAL MATRIX FOR DISCHARGE SUMMARY

TASK / PROCESS | ROLE | DESCRIPTION

1. Patient Registration | Registration Counter Personnel | Query MyHIX for Global ID is a back end process.

2. Consultation | Attending HCP | Retrieve and review previous discharge summary(s) if available.

3. Creation of Discharge Summary | Attending Doctor | Create Discharge Summary and verify if necessary within 72 hours.

4. Opt Out Process | Attending HCP | i. Counsel patient / guardian / carer. ii. Opt Out Form for patient / guardian / caretaker to sign. iii. Keep form in patient’s folder or scan into the system. iv. System is updated on the OPT OUT.

5. Sending Discharge Summary to MyHIX | Automatically by system or manually | Submission of Discharge Summary by system.


H. MyHIX WORK FLOW CHART FOR ENCOUNTER SUMMARY

[Flow chart. Boxes: Start; 1. Registration; Query MyHIX for global ID; 2. Consultation; Request & retrieve previous summary; 3. Creation of Encounter Summary; Opt Out? (YES / NO); 4. Opt Out Process; 5. Sending Encounter Summary to MyHIX; MyHIX; Addendum by authorized HCP; End.]

Legend: Back end process


I. MyHIX WORK PROCESS FOR ENCOUNTER SUMMARY

1. PATIENT REGISTRATION

1.1. Patient is registered into CIS or HIS by Registration Counter Personnel at:

i. Clinic Registration Counter

ii. Registration Counter of Ambulatory Care Centre

iii. Registration Counter of Emergency and Trauma

1.2. Charges will be collected based on patient’s entitlement and categories.

1.3. An Implied Consent for MyHIX is applicable every time patient is registered in health care facilities involved in MyHIX [1].

1.4. Query MyHIX for Global ID is a back end process by the system.

2. CONSULTATION

2.1. Consultation is performed by the HCP who attends and provides health care to the patient.

2.2. The attending HCP can request and retrieve previous discharge or Encounter Summary(s) from MyHIX if available to ensure continuity of care. The accessibility of the data is determined by the individual health care facility according to the Ministry of Health User Access Control Policy (UACP).

3. CREATION OF ENCOUNTER SUMMARY

3.1. Encounter Summary is auto generated from the clinical note created by the attending HCP and submitted to MyHIX within 24 hours of patient encounter.

3.2. The integrity, accuracy and completeness of the data in the Encounter Summary are the responsibility of the facility. Verification of the data is done if necessary [1].

3.3. Addendum to the Encounter Summary that has been sent to MyHIX can be done if deemed necessary by the authorised HCP [1].

4. OPT OUT PROCESS

4.1. It begins when patient decides not to send his / her health information to MyHIX. For patient who is not able to make a sound decision such as an underage patient, the decision to opt out can be made by his / her legal guardian or carer.

4.2. System is updated on the OPT OUT once decision to opt out is made.

4.3. The patient / guardian / carer who have decided to opt out are required to complete and sign the Opt Out form [1]. Prior to signing of the form, the attending HCP must counsel the patient / guardian / carer about MyHIX and the benefits of health information exchange as well as inform them that the decision to opt out is per encounter.


4.4. The in-charge nurse must ensure that the Opt Out form has been completed before patient leaves the clinic.

4.5. Documentation of the signed Opt Out form depends on the facility. It can either be kept in the patient’s folder or scanned into the system.

5. SENDING ENCOUNTER SUMMARY TO MyHIX

5.1. All Encounter Summaries except for Encounter Summary of patient who chooses to OPT OUT will be sent to MyHIX [1].

5.2. Sending will be done automatically either by batches or real time depending on the capacity of the facility ICT infrastructure. However, option for manual sending is available if deemed necessary.


GLOSSARY

Clinical Information System

Integrated computer-assisted system designed to store, manipulate and retrieve information concerned with the administrative and clinical aspects of providing services within the clinic.

Encounter Summary

A summary on the management of a patient during a clinic visit for purpose of continuation of patient care.

Discharge Summary

A summary on the management of a patient at the point of discharge for purpose of continuation of patient care.

Health Care Provider

An individual who is authorised to provide health care to a patient. This includes medical practitioner, nurse, medical assistant and allied health personnel.

Hospital Information System

Integrated computer-assisted system designed to store, manipulate and retrieve information concerned with the administrative and clinical aspects of providing services within the hospital.

Inpatient

A patient who is admitted to the hospital ward to receive health care.

*Patient who is admitted to the Observation Ward in the Emergency Department is not counted as an admission [3].

Outpatient

A patient who receives health care at the outpatient clinic, specialist clinic, health clinic, dental clinic, Ambulatory Care Centre and Emergency Department.


APPENDIX 1a: OPT OUT FORM (BAHASA MALAYSIA VERSION)


APPENDIX 1b: OPT OUT FORM (ENGLISH VERSION)


REFERENCES

1. MyHIX Policy for Data Collection and Access Control Guidelines 2012.

2. General Hospital Operational Policy First Edition August 2013.

3. Buku Panduan Sistem Maklumat Rawatan Pesakit dan Rawatan Harian 2010.

4. Code of Ethics for Medical Assistants (Assistant Medical Officer) 1997 (reprinted Dec 2007).

5. Buku Kerjaya Penolong Pegawai Perubatan.

6. Garispanduan Pengendalian dan Pengurusan Rekod Perubatan Pesakit bagi Hospital-Hospital dan Institusi Perubatan; Pekeliling Ketua Pengarah Kesihatan Bil. 17/2010.


D. MyHIX CHANGE MANAGEMENT (CM)


MyHIX CHANGE MANAGEMENT CHECKLIST & TEMPLATE

i. ADKAR MODEL FOR CM

The ADKAR Model for FCM in MyHIX includes:

• Awareness – of why the change is needed

• Desire – to support and participate in the change

• Knowledge – of how to change

• Ability – to implement new skills and behaviors

• Reinforcement – to sustain the change

These building blocks are crucial in assessing the level of change and setting the stage for change to happen in an individual and subsequently in the organization as a whole:

i. Awareness represents a person’s understanding of the nature of the change, why the change is being made and the risk of not changing. It also includes information about the internal and external drivers that created the need for change as well as “what’s in it for me”.

ii. Desire represents the willingness to support and engage in a change, influenced by an individual’s personal situation as well as the intrinsic motivators that are unique to each person.

iii. Knowledge represents the information, training and education necessary to know how to change. It includes information about behaviors, processes, tools, systems, skills, job roles and techniques that are needed to implement the change.

iv. Ability represents the realization or execution of the change. Ability is turning knowledge into action and is achieved when a person or group has the demonstrated capability to implement the change at the required performance levels.

v. Reinforcement represents those internal and external factors that sustain a change. External reinforcement could include recognition, rewards and celebrations that are tied to the realization of the change. Internal reinforcements could be a person’s internal satisfaction with his or her achievement or other benefits derived from the change on a personal level.

The building blocks of the Change Management Model embed the best practice perspectives that examine the influences and interactions among:

• The organization structure;
• Its people;
• The processes; and
• The technology.

ii. MYHIX CM CHECKLIST

Purpose: This checklist is used to verify the tasks that must be carried out before and during the MyHIX implementation phase at the facility.

Scope: Used by the CM team at the facility.

Objective: To facilitate the smooth implementation of MyHIX CM at the facility.

1. COMMUNICATIONS

NO. | SUPPORT REQUIRED | YES | NO

1.1 Do you have a Communications Plan?

To facilitate communication which is timely, consistent and coordinated and delivers the key messages to specified audiences within (CME sessions / Board of Visitors (Ahli Lembaga Pelawat) / permanent agenda meetings)

1.2 Have you identified your key stakeholders?

To engage with your stakeholders and increase their understanding and adoption of MyHIX

1.3 Have you identified your different stakeholder groups?

1.3.1 Direct Users

1.3.2 Keeping Momentum

1.3.3 Indirect users

1.3.4 Keeping Informed

1.3.5 Ad hoc users, e.g. visiting consultants/specialists/allied services

1.3.6 Engage to make aware

1.4 Do you have a nominated communications leader?

To plan and manage the communications, to all key stakeholders.

1.5 Are you familiar with the communication channels available to you?

1.5.1 Face to face

1.5.2 Hospital website / Internet / bulk emails to key players

1.5.3 Printed material / fliers / buntings

2. CHANGE MANAGEMENT PLAN

NO. | SUPPORT REQUIRED FROM THE VARIOUS FACILITIES | YES | NO

2.1 Do you have a Change Management Plan?

e.g. timeline etc.

2.2 Is your Governance structure in place?

2.2.1 Project Board/Project Manager/Change team

2.2.2 Building a “Guiding team” to agree change management activities

2.3 Are your change activities included in your project plan and aligned with project milestones and benefits trajectories?

Right information / activity at the right time

2.4 How will you communicate the change to your staff?

2.4.1 Raising awareness

2.4.2 Stakeholder mapping / stakeholder groups

2.4.3 Understanding the need for change

2.5 Are your IT teams briefed and on-board?

2.5.1 Raising Awareness

2.5.2 Understanding the change

2.6 Do you know how the new IT system / process will impact on your business / your staff / the patient?

2.6.1 Business case – understanding the change / benefits

2.7 Do you know what changes are required to your current working practices?

2.7.1 Analyze your processes - As-Is Process mapping

2.7.2 Local scenarios to assess the impact of changes on people /process

2.7.3 Identify barriers

2.7.4 Support required?

2.8 Are all those staff impacted by the change engaged and aware and involved in developing the new processes?

2.8.1 Keeping momentum

2.8.2 Resolving issues / barriers

2.9 Have you documented your new processes and working practices?

2.9.1 To-Be processes – implement change

2.10 Have you developed a training plan?

2.10.1 Implementing and sustaining change

2.11 Are all your key users on-board with the new IT system / process?

2.11.1 Taking Stock

2.11.2 What’s been achieved

2.11.3 What’s left to do

2.11.4 Addressing issues /barriers

2.12 Post-implementation: How successful has your implementation been?

2.12.1 Key successes

2.12.2 Key Barriers

2.12.3 Lessons learned

2.12.4 Moving forward

iii. MYHIX CHANGE MANAGEMENT PLAN TEMPLATE

Purpose: Used to verify the tasks that must be carried out before and during the MyHIX implementation phase at the facility.

Scope: Used by the CM team at the facility.

Objective: To facilitate the smooth implementation of MyHIX CM at the facility.

GENERAL INFORMATION

Hospital’s name

Project’s detail

PROJECT CONTACTS DETAIL

MOH Putrajaya | Hospital | Vendor

Name

Address

Phone Number

Fax Number

E-mail

PROJECT KEY STAKEHOLDERS (MOH Putrajaya & HOSPITAL)

Name | Position

CHANGE MANAGEMENT TEAM (at facility)

Name | Position

Manager

Agent

PHASE 1 : PREPARING FOR CHANGE

1.1 TYPE OF CHANGE

Policy changes: Yes / No

Process changes: Yes / No

Change of job roles

Process change

1.2 CHANGE SCOPE (As is/Current status)

People

Process

Technology

PHASE 2: MANAGING CHANGE

2.1 CHANGE TACTIC

e.g. focus group training/discussions

e.g. retraining / continuous training

2.2 PROCESS CHANGE

2.3 PEOPLE CHANGE

2.4 POLICY CHANGE

2.5 COST OF CHANGE (money/deployment)

2.6 PROJECT SCHEDULE DETAILS

PHASE | DURATION | START DATE | END DATE | RESOURCES

Before Implementation

Activities (e.g. focus group discussion, continued training, etc.)

During Implementation

Activities (e.g. focus group discussion, continued training, etc.)

After Implementation

Activities (e.g. refresher training, etc.)

2.7 FUTURE IMPROVEMENT PLAN

KEY AREAS OF IMPROVEMENT | ACTIONS TO ADDRESS IMPROVEMENT | RESPONSIBLE PERSON/S

Awareness of the need for change to take place (change is inevitable)

Desire to support and participate in the change (through group effort/focus group/facility wide effort)

Knowledge of how to change (at an individual/group or facility level)

Ability to implement required skills and behaviors

Reinforcement to sustain the change (at regular intervals)


E. MyHIX SUPPORTING DOCUMENTS / REFERENCES

i. CHANGE MANAGEMENT TOOLKIT FOR HEALTH INFORMATION TECHNOLOGY

Preface

This document is a Change Management Toolkit to assist managers at various levels in facilities where Health IT Change Management is being implemented. It was prepared with limited resources.

This Change Management Toolkit is basically adapted from the 1st Edition “ICT Change Management Policies and Guidelines” ISBN 978-983-3433-60-5 as well as other materials mentioned in the References.

Readers are highly encouraged to tailor this toolkit according to their local needs.

Further reading on Health IT Change Management is encouraged.

1.0 OBJECTIVE

The objective of the Change Management Policies and Guidelines is to establish the framework, policies, plan, implementation and monitoring methods for the execution of change management in Kementerian Kesihatan Malaysia (KKM).

2.0 INTRODUCTION

Change management encompasses all activities aimed at helping an organization, in both the private and public sectors, to successfully accept and adopt new technologies and new processes in order to improve the effectiveness of project implementation and deliverables. Effective change management enables the transformation of strategy, processes, technology and people to enhance performance and ensure continuous improvement in an ever-changing environment. A comprehensive and structured approach to enterprise change management is critical to the success of projects that will bring about significant positive change and realization of benefits. The intent of this Policy and Procedures Guide is to ensure the effective management of change while reducing risk.

Change involves moving from the known current state to a desired future state. The traditional challenges inherent in a change management initiative stem from the fact that the future is uncertain and may adversely affect the human resource competencies, worth and coping abilities. It is believed that the organizational members or stakeholders generally do not support change unless compelling reasons convince them to do so. Similarly, organizations tend to be heavily invested in the status quo, and they resist changing it in the face of uncertain future benefits.

Henceforth, change management is defined as the structured approach to initiating change in individuals, teams, organizations and societies that enables the transition from a current state to a desired future state.

This document represents the framework, policies, action plans, implementation and monitoring methods for the execution of change management, indicating how something should be done or what sort of actions should be taken in a particular circumstance. Guidelines can be instituted as a policy at the behest of senior management. It is deemed that although change management is applicable to all forms of projects and deliverables, the change management team will be applied predominantly to health information and communications technology (ICT) based projects.

The concerns highlighted are as follows:

• Unclear vision and scope of the projects;
• End-users are not ready to accept the system because of the way the project was awarded etc.;
• No project champion to enforce change;
• No proper change management initiative;
• Unmanageable change requests from the end-users;
• High turnover of staff;
• Lack of knowledge to implement the project;
• Budget constraints for the projects;
• Lack of acceptance of projects.

3.0 SCOPE

It is deemed that although change management is applicable to all forms of projects and deliverables, the change management team will be applied predominantly to information and communications technology (ICT) based projects.

KKM has identified major thrusts and major programmes in the ICT Strategic Planning (ISP) to support, enable and drive the business of KKM. The thrusts and programmes are shown below:

# | THRUST | PROGRAMMES
1 | THRUST 1: Towards a knowledge-based people involved in healthcare | PROGRAMME 2: Change Management Programmes
2 | THRUST 2: Ensuring systems performance, integration & consolidation | PROGRAMME 1: Improving and Consolidation of Key systems
3 | THRUST 3: Enhancing healthcare enabling environment of “hard” & “soft” infrastructure | PROGRAMME 3: Maintenance Programme
4 | THRUST 4: Building a culture of R&D and Innovation | PROGRAMME 4: Health IT Governance

Programme 2, as shown above, reiterates the need for the inclusion of a comprehensive change management plan as a part of the ISP in order to support Thrust 1, i.e. “The involvement of knowledgeable personnel in the delivery of healthcare services”.

The ISP has created a framework for the change management agenda which includes four (4) activities, i.e. formalize, buy-in, integrate and internalize, as shown in Figure 1.

The Toolkit for Health IT Change Management Policies and Guidelines document will adopt the high-level framework that has been established in the KKM’s ISP. The document will elaborate on the approach and methodology to support the framework and enable the ISP to achieve its objective in building the capacity to ensure “Thrust 1: The involvement of knowledgeable personnel in the delivery of healthcare services”.

Figure 1: ISP Framework for Change Management Agenda

4.0 POLICIES AND GOVERNANCE STRUCTURE

From the various discussions and meetings, the proposed policies to be adopted by the KKM for the implementation of the change management programmes are as follows:

i. Every Health ICT project must include change management as part of the scope of the project.
ii. Every Health ICT project in KKM must adopt and use the KKM Change Management Framework and conform to the respective policies and guidelines herewith defined.
iii. The Change Management Manager must be appointed from the Health facilities.
iv. An estimated 5% of the project cost must be allocated for the change management programmes and subsequently, additional funding must be allocated from the operational budget for the continuity of the change management activities after the closure of the respective projects. The Change Management Manager shall be responsible for the allocation of the budget.
v. The Change Management team must comprise the Stakeholders and Sponsors.
vi. The Change Management team must cater for a long-term implementation of projects.
vii. The appointment of the Change Management Manager must be formally approved and ratified by the Project Steering Committee.
viii. The Change Management Manager of the Health facilities must be empowered to appoint team members for the Change Management Team.

Successful organizations recognize the benefits of information technology to drive the stakeholders’ value. These organizations also understand and manage the associated risk, such as increasing regulatory compliance and critical dependence of many business processes on IT. The need for assurance about the value of IT, the management of IT-related risk and the increased requirement for control over information are the key elements of governance.

Project governance integrates and institutionalizes good practices to ensure that the organization’s ICT supports the business objectives. Project governance enables the organization to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. These outcomes require a framework for control that fits and complements the existing governance structure in KKM. For example, a project that involves the implementation of the Hospital Information Systems (HIS) in hospitals can be structured as shown in Figure 2.

Figure 2: The Implementation Structure

The change management will be led by the Change Management Sponsor, i.e. the person who charters and authorizes the change. For large changes like the aforesaid project, this person is typically the Deputy Secretary General or the Deputy Director General of Health or the senior officer from the Business Owner’s Group. The Change Management Sponsor has the following responsibilities:

• Authority to decide, approve and authorize the change;
• Authority to deploy resources to enable and support the change; and
• Resolve conflict and remove potential barriers.

The Change Management Director refers to the leader who is supportive of the change. The Change Management Director promotes the change with their actions, behaviors and conversations and is strongly focused on control and less on execution. These practices will help optimize the change outcome for ICT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.

[Figure 2 diagram: Secretary General; Project Director; Hospital Director; Deputy Project Director; Project Manager; Deputy Director (Medical); Deputy Director (Management); Change Management Manager (Business Owner); HQ Change Management Agent; Vendor Change Management Agents; Site Change Management Agents]

The Change Management Director has the following responsibilities:

• Actively and visibly participate in the change;
• Promote the change with the subordinates; and
• Help resolve conflicts and manage resistance to change.

The Change Management Team is the group that develops and implements the change management plan and is made up of members of the project team. Although the Change Management Team’s primary role is to execute the change management plan, they are not primary players. The Change Management Sponsor, the Change Management Director, other senior managers, mid-level managers and supervisors will all be important advocates and will play the primary role in change management. The Change Management Team’s responsibilities include coaching each of these groups to ensure the change is successful.

The Hospital/Facilities Directors are the Change Management Agents in their respective hospitals. They are the preferred senders of change messages related to how a change impacts employees or end-users personally. They are essential to convey and cascade the value of the change within the respective hospitals. Supervisors are also the most effective persons to manage resistance to change at an individual level and to correct misinformation about the change.

Figure 3: The Governance Structure

[Figure 3 diagram: Projects; Steering Committee; Change Management Committee; Implementation Committee; Technical Committee; Change Manager; Project Manager]

The governance structure for the management of projects in KKM should consider the inclusion of the change management role to be accountable to the Change Management Committee within the current structure in KKM. The Project Manager is the de facto leader of the project and will be accountable to the Implementation Committee, while the Change Manager, although reporting to the Project Manager, will be accountable to the Change Management Committee. The roles and responsibilities of the Change Management Committee will be restricted to the management and coordination of the change management programmes in KKM and adopt the rules and procedures of the existing committees. The members of the Change Management Committee should include the stakeholders of the project including the sponsor, business owner and the representatives from finance and procurement. The structure is depicted in Figure 3.

Suggested committees at facility level:

1. Working Committee
2. Change Request Committee

5.0 THE APPROACH

The proposed policies and guidelines for the implementation of the change management team in Kementerian Kesihatan Malaysia will adopt elements of the ADKAR Change Management Model. This model was developed by Prosci with input from more than 1,000 organizations from 59 countries. It describes five (5) required building blocks for change to be realized successfully in a change management endeavor.

The building blocks of the ADKAR Model include:

• Awareness – of why the change is needed
• Desire – to support and participate in the change
• Knowledge – of how to change
• Ability – to implement new skills and behaviors
• Reinforcement – to sustain the change

These building blocks are crucial in assessing the level of change and setting the stage for change to happen in an individual and subsequently in the organization as a whole:

i. Awareness represents a person’s understanding of the nature of the change, why the change is being made and the risk of not changing. It also includes information about the internal and external drivers that created the need for change as well as “what’s in it for me”.

ii. Desire represents the willingness to support and engage in a change, influenced by an individual’s personal situation as well as the intrinsic motivators that are unique to each person.

iii. Knowledge represents the information, training and education necessary to know how to change. It includes information about behaviors, processes, tools, systems, skills, job roles and techniques that are needed to implement the change.

iv. Ability represents the realization or execution of the change. Ability is turning knowledge into action and is achieved when a person or group has the demonstrated capability to implement the change at the required performance levels.

v. Reinforcement represents those internal and external factors that sustain a change. External reinforcement could include recognition, rewards and celebrations that are tied to the realization of the change. Internal reinforcements could be a person’s internal satisfaction with his or her achievement or other benefits derived from the change on a personal level.

The building blocks of the Change Management Model embed the best practice perspectives that examine the influences and interactions among:

• The organization structure;
• Its people;
• The processes; and
• The technology.

The methodology for the Change Management Model comprises three (3) key phases:

• Phase 1 – Preparing for change
• Phase 2 – Managing change
• Phase 3 – Reinforcing change

In each phase, the methodology provides guidelines, steps and actions for the change management team to initiate and/or engage the change management plan. The proposed Change Management Model is shown in Figure 4.

Figure 4: The proposed Change Management Model

5.1 Phase 1: Preparing for Change

The first phase in the Change Management Model is aimed at getting ready. It answers the question: “How much change management is needed for this specific project?” The first phase provides the situational awareness that is critical for effective change management. The major activities in Phase 1 comprise:

• Define the change management strategy;
• Prepare the change management team; and
• Develop the sponsorship model.

5.1.1 Define the Change Management Strategy

Figure 5 depicts Phase 1 Step 1, which attempts to identify the change characteristics. This step will size how much change management support will be required and scope the change management approach accordingly. It will determine the nature of the change (type of change, the size of the change, who’s impacted (and who’s not), the number of impacted employees and other critical scope questions).

[Figure 4 diagram: the phases Preparing for Change, Managing Change and Reinforcing Change, with their components and activities, leading to the business result: on time, on budget, achieve business objective (lower cost, increased revenue, improved quality).]

Figure 5: Phase 1 (Step 1) Preparing for Change - Define the Change Management Strategy

Identify change characteristics

Task A: Describe the nature and scope of the change (workgroup, department, division, enterprise)
Task B: Determine the number of individuals impacted by the change.
Task C: Define the change type (policy, process, system, organization, job role, staffing level, downsizing strategy, merger or acquisition)
Task D: Determine the amount of change (incremental improvement vs. dramatic change)
Task E: Evaluate the impact on various groups (optional depending on change complexity)

Please refer to:

• Appendix 1: Change Characteristic Worksheet

Assessing the organization

Task F: Assess the organizational value system and culture (adaptability to change)
Task G: Determine the capacity for change (how much more change can the organization absorb)
Task H: Establish the leadership styles and power distribution
Task I: Review residual effect of past changes (past failures may result in “baggage” that burdens future change)
Task J: Determine the middle-management’s predisposition to change (middle management profile, the renegade factor and “change villains”)

Please refer to:

• Appendix 3: Organizational Attributes Assessment

Creating a change management strategy

Task K: Establish the change management team structure that is required to implement change management.
Task L: Determine the sponsor model that is necessary to provide direction and support for the change.
Task M: Assess how critical change management will be for success (risk assessment) and how much change management will be required.
Task N: Develop special tactics that may be necessary to deal with known problem areas.

Please refer to:

• Appendix 4: Change Management Strategy Presentation Outline

5.1.2 Prepare the Change Management Team

The second step of Phase 1 is to prepare the change management team. This step is critical to ensure that the right team members are assigned to the change management team, and that they have sufficient time to dedicate to this role. These steps are shown in Figure 6: Phase 1 (Step 2) Preparing for Change - Prepare the Change Management Team.

Figure 6: Phase 1 (Step 2) Preparing for Change - Prepare the Change Management Team

Acquiring resources

Task O: Select team members for the change management team.
Task P: Ensure sufficient resource allocation for the required change management activities, including:

• Increasing the number of full-time personnel or team members who can commit more time.
• Increasing the overall number of members on the team.
• Providing the team with specific expertise (e.g. outside consultants or experts).

Task Q: Select a representative membership: team members should represent a variety of functions, departments and levels within the organization.

Please refer to:

• Appendix 5: Selection criteria

Assessing the competencies

Task R: Assess the change management competencies and training of the selected team members and determine the current skill level and experience of selected team members to assess how much and what type of change management training is required for the team.

Please refer to:

• Appendix 6: Team member competency questionnaire

Preparing the change management team

Task S: Prepare the change management team by providing change management training and access to reference material.
Task T: Educate the team by providing a common understanding of the business issues that motivated the change and the future state of the organization (after the change is implemented).

Please refer to:

• Appendix 7: Sample template for training supervisors on change management

5.2 Phase 2: Managing Change

The second phase of the Change Management Model is focused on creating the plans that are integrated into the project activities – what people typically think of when they talk about Change Management. Based on the research, there are five plans that should be created to help individuals move through the ADKAR Model. The major activities in Phase 2 comprise (as shown in Figure 8):

• Develop change management plans; and
• Take actions and implement plans.

Figure 7: Phase 2 Managing Change

Phase 2 – Managing change

• Develop change management plans
• Take actions and implement plans

Outputs of phase 2:

• Communication plan
• Sponsor roadmap
• Training plan
• Coaching plan
• Resistance management plan

5.2.1 Develop Change Management Plans

Figure 9 depicts Phase 2 Step 1, the application of change management theories and perspectives and the change management strategy to develop customized and actionable change management plans. These plans are designed using ADKAR to maintain a result orientation. Step 2 will integrate the change management plan into the larger project activities to maintain consistency and alignment with the overall objectives of the project.

Figure 8: Phase 2 (Step 1 & 2) Managing Change – WBS and Deliverables

Deliverables of phase 2:

• Communication plan
• Sponsor roadmap
• Training plan
• Coaching plan
• Resistance management plan

Develop change management plans

Task X: Develop a communication plan that includes targeted audiences, key messages, frequency of communications, delivery mechanisms and senders.
Task Y: Prepare a plan for the primary sponsor(s) for the activities they must perform to manage the change.
Task Z: Enable supervisors and managers to become effective coaches during change management.
Task AA: Develop group and individual coaching plans for the specific change that is being implemented.
Task BB: Define a plan for managing resistance to the change at each level in the organization (apply the top-10 resistance management techniques as appropriate).
Task CC: Identify the necessary skills and behaviors to support the change and assess current gaps (document requirements for the training development).

Please refer to:

• Appendix 8: Communication Strategy
• Appendix 9: Communication – Key messages for executives
• Appendix 10: Communication – Guidelines for managers
• Appendix 11: Communication – Guidelines for employees

Take actions and implement plans

Task DD: Integrate the change management plan into the larger project activities and implement the plan.

5.3 Phase 3: Reinforcing Change

Equally critical but most often overlooked, the third phase of the Change Management Model helps project teams create specific action plans for ensuring that the change is sustained. In this phase, project teams develop measures and mechanisms to see if the change has taken hold, to see if employees are actually doing their jobs the new way and to celebrate success.

Figure 9: Phase 3 Reinforcing Change

The final component of a good change management program is reinforcing the change. The three components of this phase include (as shown in figure 10):

• Collecting and analyzing feedback
• Diagnosing gaps and managing resistance
• Implementing corrective action and celebrating successes

Maintaining a result orientation will be critical to success. Simply initiating change management activities is insufficient unless the results of these activities are evaluated to determine the root cause of any gaps in order to implement corrective action.

5.3.1 Collect and analyze feedback

Figure 11 above depicts that feedback can take many different shapes, and research findings have shown that the top three feedback mechanisms are team or group sessions, email and individual meetings. Several key types of feedback include:

• Formal feedback (includes structured team meetings, question and answer sessions, web forms, etc.);
• Informal feedback by word of mouth (during normal business activities and everyday discussions);
• Proactive feedback (when looking for input); and
• Reactive feedback (complaints)

Phase 3 – Reinforcing change

Outputs of phase 3:
• Reinforcement mechanisms
• Compliance audit reports
• Corrective action plans
• Individual and group recognition approaches
• After action review

Collect and analyze feedback

Diagnose gaps and manage resistance

Implement corrective actions and celebrate success


Figure 10: Phase 3 (Step 1) Reinforcing Changes - Collect and Analyse Feedback

Subsequently, the next step is auditing compliance in the new environment. Audit compliance will be very specific to the change that is being introduced. The project team can define what these new processes, systems and roles look like. Methods for measuring compliance include:

• Observation;
• Performance reports;
• System usage; and
• How often is the “old way of doing things” still being used?

Turning raw and disparate data into organized results.

5.3.2 Diagnose Gaps and Manage Resistance

Figure 12 depicts Phase 3 Step 2, which includes diagnosing gaps and managing resistance as an ongoing process. Although it is depicted sequentially in the change management process, the change management team will view this as an ongoing activity throughout the project. This step requires close relationships with the primary and key stakeholders. Front line supervisors also play a key role in managing resistance.

Phase 3 - Reinforcing change

Listening to employees and gathering feedback

Auditing compliance

Analyzing change management effectiveness

Task EE: Gather feedback from employees about the change
• Formal - formal feedback from structured team meetings, question and answer sessions, web forms, etc.;
• Informal - informal feedback is gathered by word of mouth (during normal business activities and everyday discussions);
• Proactive - proactive feedback is action-oriented for the change management team; and
• Reactive - reactive feedback (complaints are a common source of reactive feedback)

Please refer
• Appendix 12: Listening to employees and gathering feedback

Task GG: Analyze the input from feedback and compliance reviews, a process of turning raw and disparate data into organized results and key findings.

Task FF: Audit compliance in the new environment. The methods for measuring compliance include:
• Observation
• Performance reports
• System usage
• How often is the “old way of doing

Collect and analyze feedback

Diagnose gaps and manage resistance

Implement corrective actions and celebrate successes


Figure 11: Phase 3 (Step 2) Reinforcing Change - Diagnose Gaps and Manage Resistance

5.3.3 Implement Corrective Actions and Celebrate Successes

The last step in Phase 3 (as shown in figure 13) is to constantly seek out evidence of progress in the project. Watch for the achievement of major milestones and identify early successes, even if small. Organize ways to recognize groups and individuals that have achieved success by promoting it publicly. Use normal staff meetings or regularly scheduled department meetings as an avenue for recognition of achievement. Ensure that key stakeholders are aware of these achievements and involve managers in the chain of command to award these recognitions. Use the communications plan guidelines to develop successful celebration communications.

Phase 3 - Reinforcing change

Identifying root causes and pockets of resistance

Developing corrective action plans

Enabling sponsors and coaches

Collect and analyze feedback

Diagnose gaps and manage resistance

Implement corrective actions and celebrate successes

Task HH : Determine the root causes of any gaps in your change management results and identify pockets of resistance.

Task II: Determine the appropriate steps to address the root cause of the performance gap. For each problem area, prepare for your primary sponsor or steering committee the following:

• Findings from feedback and compliance audits;
• Root cause of these performance gaps; and
• Corrective action plan.

Please refer
• Appendix 13: Top 10 action steps for managing resistance

Task JJ: Provide sponsors and supervisors with the information and tools, like the Change Management Guide for Manager and Supervisors, to implement corrective actions.

Task KK: Provide sponsors with the top-10 steps for managing resistance.

Please refer
• Appendix 7: Sample template for training


Figure 12: Phase 3 (Step 3) Reinforcing Changes - Implement Corrective Action and Celebrate Successes

Technical side of the project

People side of the project

Figure 13: Integrating Change into Project Management

Phase 3 - Reinforcing change

Implementing corrective actions

Celebrating early success and reinforcing change

Conducting "After action review"

Task LL: Implement the corrective action plan that has been developed in the previous phase.

Task MM: Identify and celebrate successes on the project and try to use these celebrations and public acknowledgements to reinforce the change.

Task NN: Perform an after-action review for the project (a post-project analysis of what worked and what did not, resulting in lessons learned for the next project).

Task OO: Transfer ongoing management of the change to operational managers.

Collect and analyze feedback

Diagnose gaps and manage resistance

Implement corrective actions and celebrate successes

Current Transition Future

Change Management

Project Management


In the best case scenario, when the entry point for change management is at the start of the project, the change management steps and activities can be interwoven with the project activities as shown in figure 16. In this model, the overall process becomes a seamless integration of both processes. Conversely, if change management begins later, the process is typically an overlay of change management practices on the existing project activities. In this situation, the ability to integrate activities presents a greater challenge. Resistance may already be present within the organization and some immediate obstacles may cause the change management team to spend their initial efforts “fighting fires” (addressing the problems that caused the project team to seek out change management assistance). Damage control can sometimes play a larger role than proactive change management activities.

5.4 Integrating Change into Project Management

This section provides an overview of how change management must be integrated into the overall project's activities. One of the key principles of effective change management is understanding change as a process, not as an event. It is necessary to consider the starting point for managing change before moving forward. In addition, the relationship between the approach being used to design and implement the business solution and the process for managing that change into the organization needs to be examined and understood. The integration of change management into project management goes hand-in-hand throughout the lifecycle of the project, as shown in figures 14 and 15.

Many processes exist today for improving business performance. Examples of commonly used processes include:

• Business Process Reengineering (BPR)
• Benchmarking
• Restructuring or Reorganization

Any of these methods can be applied independently of change management. Moreover, the types of business change can vary dramatically from simple technology changes to large-scale organization and process changes.


Figure 14: Integrating Change into Project Management

The overarching message is the importance of integrating change management activities presented in the change management process into the overall project approach depending on the starting point with the project and the unique characteristics of that business initiative.

Figure labels: Business Improvement Process; Change Management Process; Problem or Opportunity; Planning; Design; Development; Implementation; Assessment; Team and Sponsors; Communications; Coaching and feedback; Resistance Management


6.0 IMPLEMENTATION

The proposed implementation schedule for the Change Management Programme in BPM can be spread into three (3) key phases. This is shown in figure 15.

Figure 15: Change Management Implementation

The initial Phase comprises the following:

Phase I

i. To ensure that the vendor understands the scope of projects.
ii. To identify and determine the target groups.
iii. To formalize the Change Management Committee from the sponsor, change agents, End-User etc.
iv. To build and develop the Change Management structure.
v. To identify the right approach for the implementation of Change Management.

Phase II

i. All projects which require a transition process must have the respective Change Management Plan.
ii. The Change Management Manager must be from the Business Owner.
iii. To implement Change Management Plan as soon as possible encompassing:
   a. Coaching Plan
   b. Training Plan
   c. Resistance Plan
iv. All Change Management Plans to be endorsed by the Project Committee.

Phase III

i. Change Management Programmes must be audited six months from the time of implementation.
ii. Change Management programmes must be audited every year until the system is thoroughly rolled out.


7.0 CHANGE MANAGEMENT MATURITY MODEL

Prosci’s Change Management Maturity Model is based on benchmarking research and interactions with companies going through change whereby organizations are able to rank their competency level. It describes the varying levels of change management capability across organizations. The maturity model has five levels or stages, from no change management to organizational competency. Each level involves more attention and management of the people side of change. It is proven that a 'one-size-fits-all' approach does not work when managing change, since each change and each impacted group is different. However, a common methodology that is built on situational awareness and customization allows the entire organization to move towards Level 4 or Level 5 while retaining the flexibility for individual groups and departments. The Change Management Maturity Model is shown in Figure 16.

Level 5 Organizational Competency: Change management competency is evident in all levels of the organization and is part of the organization's intellectual property and competitive edge. Continuous process improvement in place. Highest profitability and responsiveness.

Level 4 Organizational Standards: Organization-wide standards and methods are broadly deployed for managing and leading change. Selection of common approach.

Level 3 Multiple Projects: Comprehensive approach for managing change is being applied in multiple projects. Examples of best practices evident.

Level 2 Isolated Projects: Some elements of change management are being applied in isolated projects. Many different tactics used inconsistently.

Level 1 Ad hoc or absent: Little or no change management applied. People-dependent without any formal practices or plans. Highest rate of project failure, turnover and productivity loss.

Figure 16: Change Management Maturity Model


The description of the maturity model is:

• Level 1

Level 1 Ad hoc or Absent

Little or no change management applied.

People-dependent without any formal practices or plans

Highest rate of project failure, turnover and productivity loss

At Level 1 of the maturity model, project teams are not aware of and do not consider change management as a formal approach for managing the people side of change. Projects at this level can have one or more of the following characteristics:

• Project leadership is focused only on the "concrete" or tangible aspects of the project including funding, schedule, issue tracking and resource management.

• Communications from the project are on a 'need to know' basis only and typically infrequent.

• Employees find out about the change first through rumors and gossip rather than structured presentations and they react to change with surprise; resistance can be widespread.

• Supervisors and managers have little or no information about the change, and have no management skills to coach their employees through the change process.

• Productivity slows and turnover increases as the change nears full implementation.

• Level 2

Level 2 Isolated Projects

Little or no change management applied.

People-dependent without any formal practices or plans

Highest rate of project failure, turnover and productivity loss

In Level 2, elements of change management begin to emerge in isolated parts of the organization and are not centralized.

• A large variation of change management practices exists between projects with many different change management approaches; some projects may be effectively managing change while others are still in Level 1.

• Managers and supervisors have no formal change management training to coach their employees through the change process.


• Little interaction occurs between the isolated project teams using change management; each new project "re-learns" the basic change management skills.

• Level 3

Level 3 Multiple Projects

Comprehensive approach for managing change is being applied in multiple projects

Examples of best practices evident

At Level 3, groups emerge that begin using a structured change management process. Change management is still localized to particular teams or areas in the organization. Organizations at this level can have one or more of the following characteristics:

• Structured change management processes are being used across multiple projects; multiple approaches and methodologies are being utilized.

• Some elements of knowledge sharing emerge between teams in the organization; experiences are shared between teams in some departments or divisions.

• Senior leadership takes on a more active role in sponsoring change and considers this role part of their responsibilities.

• Training and tools become available to project leaders and team members; managers are provided with training and tools to coach front-line employees in future changes, but no formal company-wide program exists.

• Level 4

Level 4 Organizational Standards

Organization-wide standards and methods are broadly deployed for managing and leading change

Selection of common approach

In Level 4, the organization has selected a common approach and implemented standards for using change management on every new project or change. (Note: a common methodology does not mean a 'one-size-fits-all' recipe.) Methodologies are built on understanding the situation and using the appropriate tools for the specific change. Organizations at this level can have one or more of the following characteristics:

• There is an enterprise-wide acknowledgement of what change management is and why it is important to project success.


• A common change management methodology has been selected and plans are developed for introducing the methodology into the organization.

• Training and tools are available for executives, project teams, change leaders, managers and supervisors. Managers and supervisors are provided formal training in change management.

• A functional group (e.g. Change Request Committee) may be created to support change initiatives.

• Resistance and non-compliance are expected in isolated instances. Adoption is not yet at 100% and the organization is in the process of building change management skills throughout the organization.

• Level 5

Level 5 Organizational Competency

Change management competency is evident in all levels of the organization and is part of the organization’s intellectual property and competitive edge

Continuous process improvement in place

Highest profitability and responsiveness

Finally, Level 5 means having change management competency as part of the skill set of the organization. Organizations at this level can have one or more of the following characteristics:

• Effectively managing change is an explicitly stated strategic goal, and executives have made this a priority.

• Employees across the enterprise understand change management, why it is important to project success and how they play a role in making change successful.

• Managers and supervisors routinely use change management techniques to help support a broad range of initiatives from strategy changes to individual employee improvement.

• The organization gathers data to enable continuous improvements to the common change management methodology, tools, and training.

• Extensive training exists at all levels of the organization.

• Higher Return on Investment (ROI), lower productivity loss and less employee resistance are evident across the organization.

Organizations can apply the above maturity model to identify and assess their change competency level and improve their readiness to adapt to change in delivering effective projects.


APPENDIX 1

Change Characteristics Worksheet

This high-level worksheet will help you think about the change you are implementing. After completing the worksheet, you will complete a change characteristics assessment that will be a guide for developing your change management strategies and actions.

Scope of change

Describe the nature and scope of your change.

Which groups are most severely impacted?

Which groups are least impacted?

Number of impacted employees

Identify the number of impacted employees:
• Front line employees:
• Managers and supervisors:
• Executives and stakeholders:

Type of change

What areas of your organization will be changing?
• Process
• Job roles
• System or technology
• Staffing levels
• Functional role of each player in the organisation
• Others

Amount of change
• Radical and dramatic (disruptive)
• Incremental (progressive)


Timeframe for change

List the dates or time required for each key milestone:

Project initiation:

Design initiation:

Design complete:

Implementation initiation:

Implementation complete:

Post implementation review :


APPENDIX 2

Change Characteristics Assessment

Mark your location on the following spectrum. If you fall on the right of the spectrum, your project will require more change management resources and activities than if you fall on the left of the spectrum. This assessment result will be used to customize your change management strategy and activities. Record your assessment score.

Scope of change
Left to right: Workgroup, Department, Division, Enterprise
1 2 3 4 5

Number of impacted employees
Left: Less than 10 | Right: Over 1000
1 2 3 4 5

Variation in groups that are impacted
Left: All groups impacted the same | Right: Groups experiencing the change differently
1 2 3 4 5

Type of change
Left: Single aspect, simple change | Right: Many aspects, complex change
1 2 3 4 5

Degree of process change
Left: No change | Right: 100% change
1 2 3 4 5

Degree of technology and system change
Left: No change | Right: 100% change
1 2 3 4 5


Degree of job role changes
Left: No change | Right: 100% change
1 2 3 4 5

Degree of organization restructuring
Left: No change | Right: 100% change
1 2 3 4 5

Amount of change overall
Left: Incremental change | Right: Radical change
1 2 3 4 5

Impact on employee compensation
Left: No impact on pay or benefit | Right: Large impact on pay or benefit
1 2 3 4 5

Reduction in total staffing levels
Left: No change expected | Right: Significant change expected
1 2 3 4 5

Time frame for change
Left: Very short (<month) or very long (>year) | Right: 3 month to 12 month initiative
1 2 3 4 5

Sum of points for change characteristics assessment (out of 60 total)

Note: A score of 35 or higher is considered a large change that will require more change management resources and activities to be successful.


APPENDIX 3

Organisational Attributes Assessment

Mark your location on the following spectrum. If you fall on the right of the spectrum, your project will require more change management resources and activities than if you fall on the left of the spectrum. This assessment result will be used to customize your change management strategy and activities. Record your assessment score.

Perceived need for change among employees and managers
Left: Compelling business need for change is visible – employees are dissatisfied with the current state | Right: Employees do not view change as necessary – employees are satisfied with the current state
1 2 3 4 5

Impact of past changes on employees
Left: Employees perceive past changes as positive | Right: Employees perceive past changes as negative
1 2 3 4 5

Change capacity
Left: Very few changes underway | Right: Everything is changing
1 2 3 4 5

Past changes
Left: Changes were successful and well-managed | Right: Many failed projects and changes were poorly managed
1 2 3 4 5

Shared vision and direction for the organisation
Left: Widely shared and unified vision | Right: Many different directions and shifting priorities
1 2 3 4 5


Resources and funding availability
Left: Adequate resources and funds are available | Right: Resources and funds are limited
1 2 3 4 5

Organisation’s culture and responsiveness to change
Left: Open and receptive to new ideas and change | Right: Closed and resistant to new ideas and change
1 2 3 4 5

Organisational reinforcement
Left: Employees are rewarded for risk taking and embracing change | Right: Employees are rewarded for consistency and predictability
1 2 3 4 5

Leadership style and power distribution
Left: Centralized | Right: Distributed
1 2 3 4 5

Executives/senior management change competency
Left: Business leaders demonstrate effective sponsorship on change projects | Right: Business leaders lack sponsor skills and knowledge
1 2 3 4 5

Middle Management change competency
Left: Managers are highly competent at managing change | Right: Managers lack knowledge and skills for managing change
1 2 3 4 5


Employee change competency
Left: Employees are highly competent at managing change | Right: Employees lack knowledge and skills for managing change
1 2 3 4 5

Sum of organizational attributes assessment (out of 60 total):

A score of 35 or higher indicates a change resistant organization that will require more change management for the project to be successful.


APPENDIX 4

Change Management Strategy Presentation Outline

To complete this first step in the change management process, you should prepare a presentation for the project team and project sponsor that includes:

1. Change characteristics assessment result: Include key findings from the change characteristics worksheet and assessment.

2. Organizational attributes assessment result: Include key findings from the organizational worksheet and assessment.

3. Proposed change management team: Structure and size.

4. Proposed sponsorship model and stakeholder assessments: Include model and assessment results (letter/number designations).

5. Risk assessment: Include position on 2x2 matrixes and what it means for managing the change.

6. Recommendation for special tactics: Anticipated resistance points and special steps.

Review this material with the project sponsor and project team. Make any adjustments that are necessary to your strategy based on this review.


APPENDIX 5

Selection criteria

Interviews should be conducted based on the following criteria:

i. Excellent communication skills - team members should be good listeners, facilitators and able to communicate the business change to people in all parts of the business.

ii. Business influence - individuals should have credibility with employees (both below and above them in the organization). They should be trusted and have proper authority.

iii. Commitment to the change - an effective team member believes in the value of the change and shares a vision of the desired future state.

iv. Knowledge of the business - team members need an understanding not only of the particular function or area being changed but also of general business principles and conditions.

v. Team player - team members should be able to work in and contribute to success in a team environment.

vi. Change management experience - (optional) if team members have change management experience or training, this may accelerate preparing the team.

Individual character attributes should include:

• creativity
• ability to see the big picture and to think strategically and cross-functionally
• passion and dedication to success
• empathetic, people-person
• innovative problem solver
• independent thinker
• flexibility and ability to deal with ambiguity
• stamina, resilience and persistence
• enthusiastic
• responsible
• supporter with positive attitude


APPENDIX 6

Team member competency questionnaire

The following questions can be used to gauge the competency and experience of your change management team members.

i. Have you ever attended any formal change management training? If yes, with what company and how long was the training?

ii. Have you ever been assigned to work on a change management team? If yes, what type of project and what was your role?

iii. Have you supported the communications or training aspect of a business project? If yes, what type of work did you do?

iv. Are you knowledgeable about any change management methodologies or approaches? If yes, describe.


APPENDIX 7

Sample template for training supervisors on change management

1. Introduction and welcome

2. What is the role of a supervisor during change?
• Create awareness about what it means to be an effective coach in a changing environment. Describe the role and expectations for this specific project.

3. Why is this level of coaching important during change?
• Illustrate the importance of supervisors in successful change. Employees trust and look toward supervisors for candid and meaningful information, especially when things around them are changing.

4. How to use ADKAR with employees
• The ADKAR model is an effective method for identifying where changes are failing and what actions can be taken. It is easy to understand and will give you a way to talk with your employees about the change.

5. Group change coaching guidelines
• Distribute sample group meeting agenda. Use role-plays and question and answer exercises to practice group coaching during a change.

6. Individual change coaching guidelines
• Distribute a sample individual change coaching plan. Present the ADKAR profile and the corrective actions for each of the phases. Discuss implications, frequency and variations of individual coaching approaches.

7. Prepare change management coaching timelines
• Define timelines for specific group and individual coaching activities.

8. Next steps and coaching support
• Develop feedback mechanisms for returning information to the change management team and adapting activities to meet the current situation. Tell managers and supervisors where they can get help.


Sample group coaching agenda

1. Introductions and ice-breaker

2. Explanation of the change
• Provide background and context for this change. Be honest about what is known and what is not known at this time.

3. ADKAR introduction
• Introduce the ADKAR model using example changes and show how ADKAR applies to these changes.

4. ADKAR individual exercise
• Have employees complete the ADKAR exercise for a personal change. Those who feel comfortable can share their experience (you'll be surprised how many will share). You may want to provide the paperback book, "Employee's Survival Guide to Change." This book includes worksheets for ADKAR. ADKAR worksheets are also available in the templates section of the tool.

5. ADKAR group exercise and presentation
• Work in small groups or as a whole team to look at the current change in terms of ADKAR. Where are the barrier points? Brainstorm and capture on flipcharts.

6. Question and answer session
• Facilitate a discussion about the change and about ADKAR. Provide an open and safe environment for candid discussion about the change.

7. Next steps and where to get support

8. Individual coaching sessions
• Announce that individual sessions will be conducted and provide guidelines for these coaching sessions.


Communication Strategy

Step 1 - Identify your audiences

List the audiences that you will be communicating with during the change. You need to develop key messages and delivery activities for each audience (some deliveries may be suitable for more than one audience).

Your specific change characteristics will impact the number of audiences and the types of messages they will receive. Changes with smaller scope and fewer impacted employees will require "less" communication work. Consider:

• Which groups of front-line employees will be impacted? Do they

need different messages about the change?

• Which groups of managers and supervisors will be impacted? What messages do they need about the change?

• Which stakeholders and leaders need to know about the change? What messages do they need?

At a minimum you should consider five distinct audiences:

• Executives and business leaders (including stakeholders)
• Mid-level managers and supervisors
• Front-line employees
• Customers (when appropriate)
• Suppliers (when appropriate)

If your change impacts a process or policy for a large number of employees and the change will create new processes and tools for a smaller group, be sure to identify these as separate audiences. For example, a change in an HR procedure for submitting time sheets or travel receipts may impact 10,000 employees, but has a substantial impact on the 40 HR personnel who are implementing these new procedures. The HR personnel and the 10,000 employees should be treated as unique and separate audiences.

Step 2 - Identify key messages

Identify the key messages that the audience needs regarding the change. These key messages will be customized based on the results of your change characteristics and organizational profile.

For example, if your organization is change resistant, then be more deliberate about what messages you are sending. Try to empathize with what the employees are experiencing and adapt your communications as necessary. If your organization is currently facing substantial change, let the employees know that you understand that there is a lot of change and that you will work to make this change easy. If past changes have failed, reassure them that this project understands the background and has worked diligently to make this change a success.

APPENDIX 8

The power distribution and the middle manager predisposition will impact your delivery methods. Supervisors and managers are keys to successful change and you may need to develop specific strategies for ensuring their support in delivering key messages. Supervisors and managers will also be addressed in the coaching plan. For each targeted audience, your key messages will be unique. Guidelines and outlines for key messages for:

• Executives
• Mid-level managers
• Employees

In addition, for each phase in the project (planning, design and implementation) your key messages will also change. The term "message" is used as a general term here to refer to the content only. The delivery mechanism (discussed later) could be a letter, face-to-face presentation, email, etc.

Step 3a - Timing and packaging

For each message and audience, determine the:

• timing and packaging of the content (below)
• delivery channel and sender for that message

Timing of communications and packaging

One of the most important decisions you will make in your change management planning is how to package the messages for each audience and when the communications will occur. The assessments you completed in the Preparing for change tab about the change characteristics and organizational characteristics will influence these decisions about packaging and timing.

Carefully consider what messages to send and when: The change management team should devote considerable time to deciding what messages to send to each audience and when. It is not a matter of just presenting the entire content and dumping this information on the target audience. The size of the change, the potential impact on employees and the readiness of the organization to change are all factors that will influence how much information is shared and at what time.

For example, small changes made to change-ready organizations will require fewer communications with more information content per presentation. The readiness of the organization to absorb data is higher and the likely resistance is lower. Therefore communications can be less frequent and more complete at the inception of the change. Large changes made to a change-resistant organization require more finesse. Change messages should be broken down into manageable (digestible) components that allow the target audience to mentally prepare for the change and to become more open to additional information about the change. Simply dumping the complete package of information all at one time will most likely not produce the desired results and may actually create resistance. In this case, employees should receive many communications that begin with the business issues and potential for a change and gradually build to include all the information about the change.

Step 3b - Delivery method and sender

Face-to-face should be the default communication mechanism for the majority of communication. Exceptions may be when it is not possible for the CEO, for example, to be face-to-face with every employee. Periodic updates from the project team to all employees may also be an exception (could be via email or newsletter). All other communication should be face-to-face.

Methods for communicating change messages:

Face-to-face options

• Department or enterprise meetings
• Group meetings
• Focus groups
• One-on-one meetings
• Road show presentations (by project team)
• Town hall meetings
• Team meetings
• Brown bag lunches
• Training course and workshop

Alternate communication channels

• Emails
• Bulletin boards
• Cafeteria postings
• Change booklets
• Corporate newsletter (feature sections)
• Demonstrations
• Faxes
• Frequently asked questions (memos or newsletter feature)
• Internal memos
• Intranet pop-ups
• Leaflets
• Posters
• Project newsletters
• Videos
• Voicemails
• Webcasts
• Website (Intranet)
• Word of mouth

Take time to consider the best sender of the message. Benchmarking results show that employees prefer to hear from two key senders: the CEO or highest-level leader and their direct supervisor. From the business leadership they want to hear why the change is happening and understand the future state. From their direct supervisor, they want to hear messages about how the change will impact them personally. Each message from your key messages work should be considered separately for "who" is the best sender of that message.

Step 4 - Prepare and present

Prepare and present your communications plan to the project team, primary sponsor and critical stakeholders. This is a necessary step to obtain their input and buy-in to your plan.

Use the communication planning templates to prepare your plan. Your plan will essentially answer the following questions about project communication:

• Who (who will receive the message and who will deliver that message)
• What (what is the content of the message)
• When (when will these messages be delivered)
• Where (where will the messages be delivered)
• How (what media or channel will be used)

Successful communications are:

• Honest
• Frequent and constant throughout entire program
• Consistent
• Open, transparent and safe.

Communication - key messages for executives

Using the master communications content, reduce the information to fit the audience with emphasis on their primary focus areas, specifically for executives:

• Reduce content to executive summary only
• Clearly articulate the objectives and scope (they will be concerned with how their organization may be impacted)
• Focus on financials and alignment with the business strategy
• Identify key decision points that they would be involved with or want to know about
• Present actions you need them to take or decisions they need to make

Use the executive presentation outline below as a starting point

1. Value proposition (summary of project overall)
   a. Summary of business change
   b. Key benefits to organization
   c. Alignment with business strategy
   d. Total cost savings
   e. Total incremental revenue
   f. Investment required
   g. Payback period
   h. ROI and NPV

2. Expected actions
   a. Decisions to be made
   b. Actions required
   c. When action is required

3. Business need
   a. Summary of key drivers (business issues or opportunities) behind the change

4. Objective (Financial) and scope
   a. Financial goals
   b. Customer goals
   c. Organizations, processes and systems in scope
   d. Organizations, processes and systems out of scope

APPENDIX 9

5. Proposed solution
   a. Concept level only
   b. Alignment with business strategy

6. Alternatives
   a. Alternatives considered
   b. Option analysis

7. Recommendations

8. Financial analysis (if ready)

9. Schedule

Communication - Guidelines for managers

Using the master communications content, reduce the information to fit a mid-level manager audience:

• Present those key messages that you would expect them to communicate to their employees
• Keep managers one step ahead of their employees (avoid surprises)
• Focus on the scope of the change including clear explanations of what is in scope and what is out of scope (some managers will shut out information and filter it away from their organization if they do not see a direct connection with their work processes or systems)

• Be clear on the expected action you need them to take to support the change within their group or department

Use the manager outline below as a starting point.

1. Messages about the business today
   a. The current situation and the rationale for the change
      i. Business issues or drivers that created a need for change
      ii. Competitive issues or changes in the marketplace
      iii. Customer issues
      iv. Financial issues
   b. What might happen if a change is not made?

2. Messages about the change
   a. A vision of the organization after the change takes place
   b. Scope of the change (including process scope, organizational scope, systems and technology scope)
   c. Objectives for the change (what does success look like?)
   d. Overall timeframe to implement the change
   e. How big of a change is needed (how big is the gap between today and the future state)?
   f. Who is most impacted and who is least impacted?
   g. The basics of what is changing, how it will change, and when it will change including what will not change
   h. How will this change affect other projects underway?
   i. Will this change affect the budgeting process or impact any existing budgets?
   j. What do we know about the design of the change right now?
   k. Business case summary and details about the future state design (process change, technology change, organization changes, job role changes)

APPENDIX 10

3. Messages about how the change impacts employees
   a. The expectation that change will happen and is not a choice
   b. The impact of the change on the day-to-day activities of each employee
   c. WIIFM - "what's in it for me?" - from the employees' perspective
   d. Implications of the change on job security (will I have a job?)
   e. Specific behaviors and activities expected from employees
   f. Messages that should be reinforced with employees by managers
   g. Ways to provide feedback

4. Actions required by managers to support the change
   a. Specific activities expected from managers
   b. Where managers can get more information and assistance for employees
   c. Sample presentations that managers can use with their employees

5. Status updates and progress reports
   a. The schedule for the project overall
   b. Who is making the major decisions for the project?
   c. When will new information be available?
   d. How will information be shared about the project?
   e. Early success stories

Communication - Guidelines for employees

Using the master communications content, reduce the information to fit front-line employees:

• Focus on the impact of the change on the employee.
• Be clear about what you know now and what you do not know now.
• Let employees know when more information will be available.
• Be clear how employees can provide feedback about the change.

Use the employee message outline below as a starting point.

1. Message about the business today
   a. The current situation and the rationale for the change (why is this change necessary?)
      i. Business issues or drivers that created a need for change
      ii. Competitive issues or changes in the marketplace
      iii. Customer issues (use quotes or customer input)
      iv. Financial issues (show trends and charts if available)
   b. What might happen if a change is not made?
   c. Why is this change happening right now (what is the rush)?

2. Messages about the change
   a. A vision of the organization after the change takes place
   b. Scope of the change (including process scope, organizational scope, systems and technology scope)
   c. Objectives for the change (what does success look like?)
   d. Overall timeframe to implement the change
   e. Alignment of the change with the business strategy
   f. How big of a change is needed (how big is the gap between today and the future state)?
   g. Who is most impacted and who is least impacted?
   h. The basics of what is changing, how it will change, and when it will change including what will not change
   i. What do we know about the design of the change right now?
   j. Details about the future state design (process change, technology change, organization changes, job role changes)
   k. Training requirements and educational opportunities

APPENDIX 11

3. Messages about how the change impacts employees
   a. The expectation that change will happen and is not a choice
   b. The impact of the change on the day-to-day activities of each employee
   c. WIIFM - "what's in it for me?" - from the employees' perspective
   d. Implications of the change on job security (will I have a job?)
   e. Specific behaviors and activities expected from the employee, including support of the change
   f. What are the consequences for not changing and the benefits of supporting the change?
   g. Procedures for getting help and assistance during the change
   h. What do I do if I disagree with the change?
   i. Ways to provide feedback

4. Status updates and progress reports
   a. The schedule for the project overall
   b. When will new information be available?
   c. How will information be shared about the project?
   d. Early success stories

Listening to employees and gathering feedback

Feedback can take many different shapes. Research findings show that the top three feedback mechanisms are team or group sessions, email and individual meetings. Several key types of feedback include:

• Formal - formal feedback is organized and facilitated. This includes structured team meetings, question and answer sessions, web-forms, etc.

• Informal - informal feedback is gathered by word of mouth. Informal includes elevator discussions, water cooler conversations, general email, etc. Informal feedback is often gathered during normal business activities and everyday discussions.

• Proactive - proactive feedback is when you are going out looking for input. The activities that you design to gather feedback are action-oriented for the change management team.

• Reactive - reactive feedback is when you are given feedback without searching for it. Complaints are a common source of reactive feedback.

Managers and supervisors are key sources of these types of feedback. Employees discuss the change honestly and openly on a daily basis with their peers and in many cases their supervisors. This candid feedback is helpful in diagnosing gaps and developing approaches to managing resistance. The lessons that emerge from this informal feedback may not be fully disclosed in your organized, formal feedback channels.

The method you use to gather feedback will depend on the specific change and the characteristics of your organization. In some instances, you will be provided plenty of informal, reactive feedback (complaints). In other changes, you may have to work very hard to develop formal, proactive methods to find out what employees think of the change.

No matter which method you use to gather the data, the feedback and input of employees is crucial as you move forward with your change management activities.

APPENDIX 12

Top 10 action steps for managing resistance

The methods listed below are intended to help create desire in employees. During change, employees tend to fall into three groups: those who adopt the change very early, those who are hesitant or uncertain about the change, and those who will not change. The actions below are targeted for those employees who are hesitant or uncertain about change. Before beginning, be sure you understand the employee's context for change.

The first step before using any of the methods suggested below is to ensure that each employee is aware of the need for change as discussed in the ADKAR model. This is a prerequisite before addressing an employee's desire to support and participate in a change. Part of building awareness around the need for change is ensuring that business leaders have created urgency for change with employees. This is part of sharing why the change is needed and what is the risk of not changing.

The methods provided here are techniques that have been demonstrated to work by other organizations. However, it is not a "one-size-fits-all" approach. The combination of a specific change, a specific organization and each unique employee will result in a course of action that is unique to each person and the situation. In addition, some employees are motivated by positive opportunities, while others are motivated by avoidance of negative consequences. Carefully choose the right approach for your situation.

Method 1 - Listen and understand objections
Method 2 - Focus on the "what" and let go of the "how"
Method 3 - Remove barriers
Method 4 - Provide simple, clear choices and consequences
Method 5 - Create hope
Method 6 - Show the benefits in a real and tangible way
Method 7 - Make a personal appeal
Method 8 - Convert the strongest dissenters
Method 9 - Create a sacrifice
Method 10 - Use money or power

Method 1 - Listen and understand objections

A critical step any manager should take when creating desire to change is to listen. The power of true listening and empathy is often underestimated. In many cases employees simply want to be heard and to voice their objections. Understanding these objections can often provide a clear path toward resolution. Listening can also help managers identify misunderstandings about the change. Rumors and background conversation often produce incorrect messages and wrong perceptions. Only through listening can managers identify these wrong perceptions and provide a correct and clear story about the change.

APPENDIX 13

Caution: When engaging in this process, managers should avoid debating or arguing with employees. The goal is to listen and understand, and provide clarity about the change.

Method 2 - Focus on the "what" and let go of the "how"

In some types of changes, it is effective for managers to let go of the "how" and simply communicate "what" needs to change. This process transfers ownership of the solution to employees. Managers can share a clear vision of the end state, along with specific goals and timelines with employees. Employees then take on the task of achieving that vision. Employee involvement and ownership naturally builds desire to support the change, and ensures that employee objections are addressed in their solution. This technique is especially useful in small groups or departments in which the change falls within the scope of that group, and has little or no impact on other groups or departments.

Caution: If any combination of the following characteristics is present, then this process is more difficult to implement:

• a change becomes significantly large such that cross-department coordination and design is required
• the total number of employees is sufficiently large that they all cannot reasonably be involved in and take ownership of the design
• the design of the future state is already pre-determined and cannot be changed
• the change is dramatic and is happening quickly

Attempts to simulate employee participation through interviews, focus groups and other channels of collecting input from large groups of employees can backfire. Employee input does not equal employee ownership of the change. Input from employees is a good and necessary process, but will not necessarily create a desire to change when direct involvement and ownership are absent.

Method 3 - Remove barriers

Desire to change can be inhibited by obstacles or barriers. These barriers may relate to family, personal issues, physical limitations or money. The first step when using this method is to have followed Method 1 so that you fully understand the individual situation with this employee. What may appear to be resistance or objections to the change may be disguised barriers that the employee cannot see past. Identify the barriers clearly. Determine ways that the business may be able to address these barriers.

For example, if a change involves assigning a manager to a new location that requires commuting 2 hours each way, then a barrier for this manager may be a son or daughter who does not want to leave their current school (nor does the parent wish to miss the activities of their child). By allowing this manager to arrange a home office for two or three days each week, then the barrier to change related to family impact may be removed.

Method 4 - Provide simple, clear choices and consequences

Building desire is ultimately about choice. Managers can facilitate this process by being clear about the choices employees have during change. In many cases, the actual change may be out of the control of front-line supervisors and managers. In these cases, it is very important that managers communicate in simple and clear terms what the choices and consequences are for each employee.

The City of Denver, Colorado USA, (similar to infrastructure development in Malaysia) recently began one of the largest road construction projects in the state to widen the primary interstate highway that runs through the city. This project is called T-Rex. The design and building process were carefully planned many years before construction actually began. The construction crews on this project did not have control over the final design nor the construction sequence. Commuters certainly did not have control. However, this project was a role model for managing complex change. In this case the citizens of Denver and the surrounding areas were those impacted by the change. The project team created an ongoing communication campaign involving TV, radio and other media to:

1. Let people know what would happen and when.
2. Provide alternate routes and choices for commuting into Denver.
3. Share the consequences of taking certain routes at certain times, including providing ongoing information about the expected delays along each route.

In this example, the change was going to happen no matter what. Yet, by communicating the choices to commuters and the potential consequences of each choice, some degree of control is given back to these commuters. That is also true of changes at work. Even when the change is defined and outside of local control, by providing simple and clear choices along with the consequences of those choices, you can put the ownership and control back into the hands of employees.

Method 5 - Create hope

Many people will respond to the opportunity for a better future. They want to have hope. Managers can create desire to change by sharing their passion for change, creating excitement and enthusiasm, and creating hope in a better future for employees and for the organization. People will follow a leader that can create hope and whom they respect and trust. This method is the most effective when executive leadership, through visible and active participation with employees, creates hope and energy around the future state.

Caution: Creating hope takes a special kind of person. We have all known individuals in our lives and throughout history who have the traits of leadership that cause people to hope and to follow. They create a vision and build promise for a better future. Public figures include John F. Kennedy, Martin Luther King, and Gandhi. Leaders with these qualities are rare but not absent in both government and in business today. If your organization has this type of leadership, then building desire to change becomes much easier.

Method 6 - Show the benefits in a real and tangible way

For some employees - seeing is believing. Demonstrating the benefits of change in a real and tangible way can create desire with employees. Examples could include:

• Sharing case studies of other companies who have successfully completed a similar change (and the results they achieved).
• Inviting guests to provide personal testimonials of how a similar type of change resulted in success for their organization.
• Visibly demonstrating the success of pilot programs or trials within your own organization (share small wins and celebrate success publicly).

Making the change real and demonstrating that success is possible can remove doubts and fears that some employees feel about change.

Method 7 - Make a personal appeal

When a manager has a close working relationship with an employee, using a personal appeal to support the change can create desire within an employee. A personal appeal works best with honest, open relationships where there is a high degree of trust and respect.

In a personal appeal, there is both an emotional component and an expectations component ("I'm counting on you"). The emotional component is part of each person's desire to support the people they are close to and whom they trust. The "I'm counting on you" component has built in a sense that the employee will be taken care of in the future, regardless of how things turn out with the change. Both of these elements can build desire to support change.

Method 8 - Convert the strongest dissenters

Within every organization there exist outspoken opinion leaders. When one or more of these strong and vocal employees are against change, they can negatively influence many other employees within the organization. By targeting these strongest dissenters, managers can use special tactics and interventions suggested here to convert these employees to support the change. By doing so, the strongest dissenters can become your strongest advocates. They are often equally vocal in their support as they were in their resistance.

By focusing your energy on a few strong resistors rather than on large groups of employees, two objectives are achieved for building desire to change. First, you regain some control over the powerful background conversation that takes place around the coffee pot and during breaks between employees. Second, you gain sponsors of change that are already influential with their peers. If you are not successful in converting these strongest dissenters, then Method 9 may be a viable option.

Method 9 - Create a sacrifice

Often termed the "sacrificial lamb," removing a key manager that is demonstrating resistance to change sends a powerful signal to the organization as a whole. The message is:

• They are serious about this change.
• Resistance will not be tolerated.
• The consequences for not moving ahead with the organization are real and severe.

This method for creating desire to change is best used with a "Group 3" employee as discussed earlier. Often times these employees would be leaving the organization soon anyway. It is not necessary for this to be a negative experience for the employee that is leaving. Termination packages, early retirement offerings or a number of other programs can make this process good for the manager leaving, and at the same time send the right message to the organization.

Does this always need to be perceived by other employees as a harsh course of action? A recent case study shows how this method was used in a way that was not hurtful to the organization or the person leaving. A senior level manager at a financial services firm was outspoken and critical of changes planned in both processes and systems. The resistance continued long enough that many employees came to the conclusion that this change would not happen after all. They had learned from past experience that if this key manager was opposed to the change, then it did not happen. The resistance was so plain that even an external consultant commented on the risk. Since the culture and values in this organization were very family-oriented (we take care of one another), imagine the surprise when the CEO announced that this resistant manager would be leaving the organization. What was notable in this case, however, was how the termination was presented in public. The manager was being given a celebration send-off and early retirement plan for his long-standing contribution to the company. The separation was positive for the manager, and, in his own way, the CEO sent a message to the organization. That message was that we can manage change and continue to live our values.

Caution: Organizations should not look for a sacrificial lamb as a standard practice. This tool should be used after other options have failed and the change is at risk. When fear is created in an organization, this fear can play out in both negative and positive ways. Once a decision like this has been made, the organization needs to carefully manage the fallout from this approach.

Method 10 - Use money or power

When mid-level or senior managers are resistant to change, yet are critical to the success of the change and the organization, two incentives may be required to secure their support. These incentives would be used when all other methods for building desire have failed.

i. Increase their compensation or create a bonus program such that they are directly rewarded for the successful completion of the change.

ii. Offer a promotion to a position they desire.

In short, bargain. When a manager is necessary to ensure a smooth transition, and assuming that other barriers, obstacles or objections have been removed, then at some point you have to decide what you are willing to give up in order to gain their support. What is their contribution worth to the business, and how can the business negotiate for this endorsement and support? This negotiation should be specific on the actions and behaviors that are expected to support the change.

An example of the need for this negotiation is with mergers and acquisitions. In these types of changes, key managers are necessary for successful transition. However, some of these key managers may have opposed the buy-out or merger. These special circumstances require different methods for keeping these critical managers on-board. Money and position are two tools that may create a desire to support the change in these circumstances.


Policy for Control of Access to Patient Information by Users of Hospital/Clinic Information System (HIS/CIS)

The patient has the right to expect that there will be no disclosure of all or any of the information to persons without the patient-provider relationship unless he/she gives permission. Therefore, there is a responsibility on the part of custodians and users of the medical record to ensure that confidentiality of medical records is maintained at all times. This is done by having a clear policy on user access control.

PURPOSE OF USER ACCESS CONTROL POLICY

i. To maintain the confidentiality of electronic patient information.

ii. Guide persons involved in the design, custody and use of clinical information systems and electronic medical records including managers of Health care facilities, health care providers both clinical and clinical support, Health IT vendors, and other users, in formulating the operational policies and procedures of user access control.

iii. As a Standard for User Access Control (UAC) for all patient data in clinical systems in the Ministry of Health (MOH), and subsequently to be adopted by other healthcare agencies and private healthcare facilities in Malaysia.

SCOPE AND CONTEXT OF USER ACCESS CONTROL

User access control is a procedure that forms part of Information Management. It is the mechanism for ensuring confidentiality in the context of a Computerized Clinical Information System. The major criteria for assignment of access privileges are the type of data and the means of access.

GUIDING PRINCIPLES

The formulation of this policy is guided by the following principles:

i. All rights of access to patient information originate from the expressed or implied consent given by the patient.

ii. This consent is translated into patient provider relationships. The information given by the patient or gathered by the care-provider about him/her is privileged information.

iii. Access to EMR by a care provider depends on the roles or functions accorded to him or her by each healthcare facility.

iv. Care providers are bound by the Code of Ethics of their profession regarding the confidentiality of patient information.

v. All persons involved in the care of the patient and in the management of the data are responsible for the confidentiality of the patient’s clinical information.


vi. The person in charge of the healthcare facility shall be responsible for putting in place the operational policies and procedures for the proper management of patient information.

vii. This User Access Control policy fulfils the legal requirements of parts pertaining to it within various laws, regulations, rules and circulars including:

a. The Medical Act 1971

b. The Malaysian Medical Council (MMC) Ethical Codes and Guidelines:

• Code of Professional Conduct

• Duties of a Doctor

o Good Medical Practice

o Patient Confidentiality

c. Ministry of Health Circulars and Guidelines:

• Management of Patient Medical Records in Hospitals and Medical Institutions (2010)

• ICT Security Policy (2010)

d. Guidelines issued by other health care professional bodies

In addition to the above, the following laws apply to all healthcare facilities in the private sector:

i. Private Healthcare Facilities and Services Act 1998

ii. Personal Data Protection Act 2010

DEGREE OF CONTROL

These policies take into consideration the delicate balance between probability of loss of confidentiality and the need for availability of adequate information to ensure continuity of care.

OBJECTIVES OF USER ACCESS CONTROL

The basic principle for access to patient information shall be strictly on a need to know basis. This policy shall guide and facilitate user access control activities to achieve the following:

i. For authorized persons (users), access is allowed only to relevant information required to perform work.

ii. Patient information is disseminated only to relevant persons or parties.

iii. Prevent access to all information by unauthorized persons.


OUTLINE OF POLICY

THE POLICY ENSURES:

i. User access shall be properly managed.

ii. Permission shall be granted on a need to know basis.

iii. The scope of access shall be limited by:

a. Care Provider–Patient relationship

b. Role or Function

c. Location

iv. Approach to Granting Access shall take into consideration that:

a. Continuity of care is facilitated

b. Confidentiality is safeguarded

v. Access to patient information shall be monitored and mechanisms shall be in place to prevent improper access

The relevant authorities shall ensure that the design of the HIS/CIS built or procured possesses effective access control functions and tools.

RESPONSIBILITY

The overall responsibility regarding access control of clinical data belongs to the person in charge of the health care facility.

The person in charge should seek advice from individual care providers or from groups such as Medical Record Committees or Information Management Committees.

OVERSIGHT

The health care facility shall ensure the effective implementation and enforcement of the User Access Control Policy.

GRANTING OF ACCESS

The limits of access shall be determined by each healthcare facility for each individual or group of care providers based on their assigned roles, function and location.

APPROACHES, METHODS AND MECHANISMS

The health care facility shall select the most appropriate user access control methods. However, any method put in place shall have the following mechanisms:

i. Valid users shall be identified and maintained in a Register.

ii. An Authorization Matrix / Security Matrix shall be constructed to allocate access to individual users and user groups.

iii. There shall be a means for identifying each individual user at every instance of access.

iv. Data input tools and data views shall be customized for the individual user depending on his/her role and the provider group that he/she belongs to.

v. There are mechanisms to record all instances of access whether for viewing or data entry.

vi. Modification and manipulation of data may be allowed only in prescribed circumstances. It should be mandatory that reasons for such actions are documented.

vii. There shall be an Audit Trail detailing the person, date, time and circumstance when the information system or data is accessed.

viii. Methods and mechanisms shall be put in place to discourage, prevent and monitor unauthorized access or disclosure of patient information. This should include some form of disciplinary action.

EXCEPTIONS

i. The ‘Breaking the glass’ policy for care providers applies only in the event of an emergency (“life-threatening situations”). The attending HCP must key in the reason for access. An alert will be sent to the director of the facility. The access to patient information by authorised health care providers is logged.

ii. The patient himself can have access to his medical information subject to the procedures determined by the custodian of information; except in cases where the information is deemed detrimental to his physical or mental health.

iii. The patient’s appointed representative or his legal guardian can have access to all medical information or data on order by a court of law.

iv. Data may be disclosed e.g. when the government by statute/legislation requires information for the public good in cases of epidemics and notifiable diseases.

CONCLUSION

Thus, in summary, the effective adoption, implementation and enforcement of this User Access Control Policy will ensure that all electronic patient information shall remain confidential. To this end, all HIS/CIS facilities shall institute adequate measures to:

i. Protect patient information from unauthorized access.

ii. Have a multilayered approach utilizing multiple access point safeguards.

iii. Streamline user authorization and secure access across facilities.

iv. Track users throughout the facility for a complete activity snapshot.

v. Have a centralized monitoring, control and assignment of access levels for simplified IT management at the facility.

ii. USER ACCESS CONTROL POLICY

A. Policy for Control of Access to Patient Information by Users of Hospital/Clinic Information System (HIS/CIS)

1 Background

A patient discloses information about him/herself (e.g. history) to health care providers based on the premise of patient-provider relationship.

An Electronic Medical Record (EMR) is digitally documented information about the health of an identifiable individual, recorded by a doctor or other healthcare professionals. This medical record contains history, physical examination, investigations, diagnosis, treatment and other sensitive data, that is needed to ensure continuity of care for the patient among healthcare providers.

The patient has the right to expect that there will be no disclosure of all or any of the information to persons without the patient-provider relationship unless he/she gives permission.

Therefore, there is a responsibility on the part of custodians and users of the medical record to ensure that confidentiality of medical records is maintained at all times. This is done by having a clear policy on user access control.

2 Purpose of User Access Control Policy

As part of its regulatory function, the Ministry of Health makes available this policy for use by health care institutions in Malaysia for the following purposes:

i. To maintain the confidentiality of electronic patient information.

ii. Guide persons involved in the design, custody and use of clinical information systems and electronic medical records including managers of Health care facilities, health care providers both clinical and clinical support, Health IT vendors, and other users, in formulating the operational policies and procedures of user access control.

iii. As a Standard for User Access Control (UAC) for all patient data in clinical systems in the Ministry of Health (MOH), and subsequently to be adopted by other healthcare agencies and private healthcare facilities in Malaysia.

3 Scope and Context of User Access Control

User access control is a procedure that forms part of Information Management. It is the mechanism for ensuring confidentiality in the context of a Computerized Clinical Information System. The major criteria for assignment of access privileges are the type of data and the means of access.

3.1 Type of Information

This policy addresses information about a single patient as well as the group of patients cared for in a particular health care institution.

3.1.1 Individual patient data

The main bulk of the data is data that makes up the Electronic Medical Record (EMR). The EMR contains information pertaining to a patient’s health and illness and its management. The scope of information covered by this policy also encompasses other data regarding the patient that is obtained in order to facilitate the provision of patient care services including data regarding identity, demographics, payment methods and data required for communications. Summaries and medical reports are also individual patient data.

3.1.2 Aggregated patient data

Data of a group of patients when put together is termed as aggregated data and is also subject to user access control. These data include:

• Registries

• Extracted and analyzed clinical data

• Reports prepared for external agencies

• Prevalence and incidence of diseases

• Utilization review information e.g. Bed occupancy Rate (BOR) and length of stay (LOS)


3.2 Reasons for Access and Means of Access

In a computerized information management and communications system, care providers and other users access information regarding a patient through various application software. Some providers may need access only to some selected parts or functions within an application.

The reason for access can be any or all data management processes including:

• generating

• capturing

• recording

• viewing

• manipulating

• transferring

• storing

• retrieving

• analyzing

• presenting

• viewing

• copying

• printing data

These are made available as separate application software or as a comprehensive integrated system called the Hospital Information System (HIS, Fig. 1), which comprises the following:

• Patient Management System (PMS)

• Clinical Information System (CIS)

• Clinical Support Information System (CSIS)

o Laboratory Information System (LIS)

o Radiology Information System (RIS)

o Pharmacy Information System (PIS)

• Health-Information Management System (HIMS)

[Figure 1 (diagram not reproduced). Block titles in the diagram: Hospital Information System (HIS); Management System; Patient Care System (PCS); Patient Management System (PMS); Clinical Information System (CIS); Clinical Support Services Systems (CSS); Health-Information Management System (HIMS); Electronic Medical Record (EMR); Executive Information System (EIS).]

FIGURE 1: HOSPITAL INFORMATION SYSTEM

3.3 Categorization of users

Patient data is used not only by care providers but also other professionals. Users of the EMR belong to two categories i.e.

| No. | Users | Purpose of Use |
| --- | --- | --- |
| 1 | Primary users | Use for purposes of managing the patient’s health and disease |
| 2 | Secondary users | Use of data of one or more patients for purposes other than managing the patient’s current health problem |

FIGURE 2: MAIN CATEGORY OF USERS OF PATIENT INFORMATION

4 GUIDING PRINCIPLES

The formulation of this policy is guided by the following principles:

i. All rights of access to patient information originate from the expressed or implied consent given by the patient.

ii. This consent is translated into patient provider relationships. The information given by the patient or gathered by the care-provider about him/her is privileged information.

iii. Access to EMR by a care provider depends on the roles or functions accorded to him or her by each healthcare facility.

iv. Care providers are bound by the Code of Ethics of their profession regarding the confidentiality of patient information.

v. All persons involved in the care of the patient and in the management of the data are responsible for the confidentiality of the patient’s clinical information.

vi. The person in charge of the healthcare facility shall be responsible for putting in place the operational policies and procedures for the proper management of patient information.

vii. This User Access Control policy fulfils the legal requirements of parts pertaining to it within various laws, regulations, rules and circulars including:

a. The Medical Act 1971

b. The Malaysian Medical Council (MMC) Ethical Codes and Guidelines:

• Code of Professional Conduct

• Duties of a Doctor

o Good Medical Practice

o Patient Confidentiality

c. Ministry of Health Circulars and Guidelines:

• Management of Patient Medical Records in Hospitals and Medical Institutions (2010)

• ICT Security Policy (2010)

d. Guidelines issued by other health care professional bodies

In addition to the above, the following laws apply to all healthcare facilities in the private sector:

i. Private Healthcare Facilities and Services Act 1998

ii. Personal Data Protection Act 2010

4.1 Degree of Control

These policies take into consideration the delicate balance between probability of loss of confidentiality and the need for availability of adequate information to ensure continuity of care.

5 Objectives of User Access Control

The basic principle for access to patient information shall be strictly on a need to know basis. This policy shall guide and facilitate user access control activities to achieve the following:

i. For authorized persons (users), access is allowed only to relevant information required to perform work.

ii. Patient information is disseminated only to relevant persons or parties.

iii. Prevent access to all information by unauthorized persons.

6 Outline of Policy

The policy ensures:

i. User access shall be properly managed.

ii. Permission shall be granted on a need to know basis.

iii. The scope of access shall be limited by:

a. Care Provider–Patient relationship

b. Role or Function

c. Location

iv. Approach to Granting Access shall take into consideration that:

a. Continuity of care is facilitated

b. Confidentiality is safeguarded

v. Access to patient information shall be monitored and mechanisms shall be in place to prevent improper access.

The relevant authorities shall ensure that the design of the HIS/CIS built or procured possesses effective access control functions and tools.

7 Elaboration of Policies

7.1 Management and Administration of User Access Control

7.1.1 Responsibility

The overall responsibility regarding access control of clinical data belongs to the person in charge of the health care facility. He/she shall ensure that the operational policy and procedures are guided by the policy documented here.

Because control of user access to patient information is an information management function, he/she may delegate this responsibility to the Information System Manager (e.g. Chief Information Officer) or any other persons involved in managing clinical information such as the Chief Medical Record Officer or Head of Information Technology Unit. The person in charge should seek advice from individual care providers or from groups such as Medical Record Committees or Information Management Committees.

7.1.2 Execution

The person in charge shall designate suitable person(s) such as Medical Record Officers, Information Technology professionals or Clinicians where relevant to execute the access control operational policies and procedures. Their duties shall be clearly spelt out and they shall be adequately facilitated to perform these duties.

7.1.3 Oversight

The health care facility shall ensure the effective implementation and enforcement of the User Access Control Policy.

7.2 Granting of Access

The limits of access shall be determined by each healthcare facility for each individual or group of care providers based on their assigned roles, function and location.

7.3 Approaches, Methods and Mechanisms

The health care facility shall select the most appropriate user access control methods. However, any method put in place shall have the following mechanisms:

i. Valid users shall be identified and maintained in a Register.

ii. An Authorization Matrix / Security Matrix shall be constructed to allocate access to individual users and user groups.

iii. There shall be a means for identifying each individual user at every instance of access.

iv. Data input tools and data views shall be customized for the individual user depending on his/her role and the provider group that he/she belongs to.

v. There are mechanisms to record all instances of access whether for viewing or data entry.

vi. Modification and manipulation of data may be allowed only in prescribed circumstances. It should be mandatory that reasons for such actions are documented.

vii. There shall be an Audit Trail detailing the person, date, time and circumstance when the information system or data is accessed.

viii. Methods and mechanisms shall be put in place to discourage, prevent and monitor unauthorized access or disclosure of patient information. This should include some form of disciplinary action.

Computerized information systems shall utilize security management tools for user access control procedures. It is the responsibility of the health care facility to ensure that the EMR applications built or procured have proper access control tools in place and that relevant staff members are trained to use them.

7.4 Exceptions

i. The ‘Breaking the glass’ policy for care providers applies only in the event of an emergency (“life-threatening situations”). The attending HCP must key in the reason for access. An alert will be sent to the director of the facility. The access to patient information by authorised health care providers is logged.

ii. The patient himself can have access to his medical information subject to the procedures determined by the custodian of information; except in cases where the information is deemed detrimental to his physical or mental health.

iii. The patient’s appointed representative or his legal guardian can have access to all medical information or data on order by a court of law.

iv. Data may be disclosed e.g. when the government by statute/legislation requires information for the public good in cases of epidemics and notifiable diseases.
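The mechanisms in 7.3 (Register, Authorization Matrix, Audit Trail) and the break-the-glass exception in 7.4 can be enforced together in one access decision, as in the following added example, which is not part of the MyHIX toolkit. The matrix cells follow rows 10 and 12 of the User Access Matrix in the guidelines; the class, field and user names are hypothetical, and the rule that break-the-glass overrides only the care-relationship check, never a "No Access" cell, is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

READ, WRITE = "read", "write"
RO, RW, NO = frozenset({READ}), frozenset({READ, WRITE}), frozenset()

# Data areas are the columns of the User Access Matrix.
AREAS = ("person_identification", "next_of_kin", "history", "physical",
         "diagnosis", "ix_mx", "salary", "bills")


def row(*cells):
    """Build one matrix row: data area -> set of permitted operations."""
    return dict(zip(AREAS, cells))


# Authorization matrix keyed by (user type, role).
MATRIX = {
    # Row 10: Specialist, Patient Care
    ("specialist", "patient_care"): row(RO, RO, RW, RW, RW, RW, NO, NO),
    # Row 12: Family Medicine Specialist, Education
    ("family_medicine_specialist", "education"): row(RO, NO, RO, RO, RO, RO, NO, NO),
}
# Row 10 lists "Emergency (Break the glass)" as an override; row 12 has "No exceptions".
BREAK_GLASS_ROLES = {("specialist", "patient_care")}


@dataclass
class AccessControl:
    register: dict            # Register of valid users: user_id -> (user type, role)
    care_relationships: set   # {(user_id, patient_id)}: "patient under his care"
    audit_trail: list = field(default_factory=list)
    director_alerts: list = field(default_factory=list)

    def request(self, user_id, patient_id, area, op, break_glass_reason=None):
        """Decide one access attempt and record it, whether granted or denied."""
        granted, basis = self._decide(user_id, patient_id, area, op, break_glass_reason)
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),   # date and time
            "user": user_id,                                  # person
            "patient": patient_id, "area": area, "operation": op,  # circumstance
            "granted": granted, "basis": basis,
            "reason": break_glass_reason if basis == "break_glass" else None,
        }
        self.audit_trail.append(entry)
        if basis == "break_glass":
            # 7.4 (i): an alert goes to the director of the facility.
            self.director_alerts.append(entry)
        return granted

    def _decide(self, user_id, patient_id, area, op, reason):
        identity = self.register.get(user_id)
        if identity is None:
            return False, "not_in_register"
        if op not in MATRIX.get(identity, {}).get(area, NO):
            return False, "matrix_denies"
        if (user_id, patient_id) in self.care_relationships:
            return True, "care_relationship"
        # Break the glass: only for roles that list it, and only with a keyed-in reason.
        if identity in BREAK_GLASS_ROLES and reason and reason.strip():
            return True, "break_glass"
        return False, "no_care_relationship"


def build_demo():
    """Constructed sample data: two users who both care for patient_1 only."""
    return AccessControl(
        register={"dr_a": ("specialist", "patient_care"),
                  "dr_b": ("family_medicine_specialist", "education")},
        care_relationships={("dr_a", "patient_1"), ("dr_b", "patient_1")},
    )


if __name__ == "__main__":
    ac = build_demo()
    ac.request("dr_a", "patient_1", "diagnosis", WRITE)
    ac.request("dr_a", "patient_2", "diagnosis", READ)
    ac.request("dr_a", "patient_2", "diagnosis", READ,
               break_glass_reason="unconscious on arrival")
    for entry in ac.audit_trail:
        print(entry)
```

Denied attempts are written to the audit trail as well, which is what lets a reviewer see repeated out-of-scope requests and not only the overrides that succeeded.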

7.5 Grades of Confidentiality of Data

Due consideration shall be given to the degree of confidentiality of medical information and certain additional precautions may be taken to safeguard their confidentiality. The following are considered as highly confidential data:

i. Data of medico-legal cases (murder, rape, assault, child abuse, drug abuse, litigation against a care provider or the institution)

ii. Data of patients with certain diseases e.g. STD, Psychiatric conditions, HIV infection and AIDS

iii. Data of persons which might be of public interest.

iv. Data of patients which, if known to others, may cause embarrassment or harm to him/her e.g. adoption records

7.6 Secondary Use of Medical Record

i. Use of patient data, for purposes other than immediate patient care, is also subject to user control policy.

ii. IT professionals and medical record officers involved in performing data extraction shall be given access to the EMR with cautions and restrictions spelt out.

iii. Extracted data in the form of summaries e.g. medical reports shall be given only to appropriate parties and always with the expressed consent of the patient.

iv. Discharge summaries used in referrals are given to other care practitioners if the patient has agreed to seek treatment or services from the providers being consulted or referred to.

v. Data for audits, quality management and HMIS shall as far as possible be depersonalized.

vi. For research purposes, what patient information can be accessed shall be determined by the relevant department heads as well as the facility research ethical committee and the Medical Research Ethics Committee (MREC) at MOH, where needed.

vii. Access to a patient’s information by a student for the purpose of education or training is subject to approval from the custodian of the information.

8 CONCLUSION

Thus, in summary, the effective adoption, implementation and enforcement of this User Access Control Policy will ensure that all electronic patient information shall remain confidential. To this end, all HIS/CIS facilities shall institute adequate measures to:

i. Protect patient information from unauthorized access.

ii. Have a multilayered approach utilizing multiple access point safeguards.

iii. Streamline user authorization and secure access across facilities.

iv. Track users throughout the facility for a complete activity snapshot.

v. Have a centralized monitoring, control and assignment of access levels for simplified IT management at the facility.

B. GUIDELINES FOR THE IMPLEMENTATION OF USER ACCESS CONTROL POLICY

1 INTRODUCTION

An Electronic Medical Record (EMR) is digitally documented information about the health of an identifiable individual, recorded by a doctor or other healthcare professionals. The patient has the right to expect that there will be no disclosure of all or any of the information to persons without the patient-provider relationship unless he/she gives permission. Therefore, there is a responsibility on the part of custodians and users of the medical record to ensure that confidentiality of medical records is maintained at all times. This is done by having a clear User Access Control Matrix.

It is the intent of this document to guide persons involved in the design, custody and use of clinical information systems and electronic medical records, including managers of health care facilities, health care providers both clinical and clinical support, health IT vendors, and other users, in constructing the User Access Control Matrix of their respective healthcare facilities.

2 OBJECTIVES

2.1 General Objectives

To ensure that the confidentiality of electronic patient information is maintained as required by the law.

2.2 Specific Objectives

2.2.1 The basic principle for access to patient information shall be strictly on a need to know basis.

2.2.2 For authorized use, access is allowed only to relevant information required to perform work.

2.2.3 Patient information is disseminated only to relevant persons or parties.

2.2.4 Prevent access to all information by unauthorized persons.

3 HOW TO USE THESE GUIDELINES

This document aims to help every facility come up with its own customized matrix that fulfils that facility’s user access control requirements based on roles, function and location. The User Access Control Policy is the parent document to this and as such should be used along with these guidelines.

4 USER ACCESS CONTROL MATRIX

4.1 User Access Role Definition

4.1.1 Patient Care – a role of managing a particular illness which is related to the patient.

4.1.2 Administration – managing the work process or flow in the particular department or unit.

4.1.3 Audit & Research – Monitoring services by tabulating statistics and producing reports that are related to the particular department under their care. Gathering information for research purposes.

4.1.4 Education – Learning activity using the patients’ information.

4.1.5 Epidemiology – The study of the occurrence, distribution and determinants of states of health and disease in human groups and populations and the application of this study to the control of health problems.

4.1.6 Register – A record in writing; as a verb, it is to record or to be recorded in an official list.

4.2 Options in Standard Operating Environment

4.2.1 Read

4.2.2 Write

4.2.3 Print – No user is allowed to print unless permission is granted by the custodian of information.

4.2.4 No access

4.2.5 Not applicable

4.3 USER ACCESS MATRIX

No.

Area of accessibility

User

Roles

Row Standard Operating Environment

Demographic Data Clinical Data Financial Data Explanation Exceptions

Person Identification

Data

Next of Kin

History Physical Diagnosis Ix / Mx Salary Bills

A. Doctors

a. Hospital Director

• Admin 1. Read Read Read Read Read Read Read

Read

Access to all patient data within his facility.

No exceptions

• Audit & Research

2. Read Read Read Read Read Read Read

No Access

Access to all patient data within his facility.

No exceptions

• Patient Care 3. Read Read Read & Write

Read & Write

Read & Write

Read & Write

Read

No Access

Access to all patient data within his

No exceptions

144

Page 145: MALAYSIA HEALTH INFORMATION EXCHANGE (MyHIX) TOOLKIT

GUIDELINES FOR THE IMPLEMENTATION OF USER ACCESS CONTROL POLICY

No.

Area of accessibility

User

Roles

Row Standard Operating Environment

Demographic Data Clinical Data Financial Data Explanation Exceptions

Person Identification

Data

Next of Kin

History Physical Diagnosis Ix / Mx Salary Bills

facility if he is treating the patient

b. Head of Department

• Admin 4. Read Read Read Read Read Read No Access

No Access (except

– full paying patient

)

Access to all patient data within his department only.

In the absence of a Hospital Director, a designated H.O.D. has the access to all patient data within the facility.

• Audit & Research

5. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department

Access to all referred cases to his specialty.

145

Page 146: MALAYSIA HEALTH INFORMATION EXCHANGE (MyHIX) TOOLKIT

GUIDELINES FOR THE IMPLEMENTATION OF USER ACCESS CONTROL POLICY

No.

Area of accessibility

User

Roles

Row Standard Operating Environment

Demographic Data Clinical Data Financial Data Explanation Exceptions

Person Identification

Data

Next of Kin

History Physical Diagnosis Ix / Mx Salary Bills

only.

• Patient Care 6. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Access to all patient data within his department

Override allowed in referred and emergency cases.

• Education 7. Read No Access

Read Read Read Read No Access

No Access

Access to all patient data within his department only.

No exceptions

c. Specialist

• Admin 8. Read Read Read Read Read Read No Access

No Access (except – full paying patient)

Access to all patient data within his department only.

In the absence of H.O.D., a designated Specialist has the access to all patient data within the department.

• Audit & Research

9. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Patient Care 10. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Access to patient data under his care

Override access under:

-Emergency (Break the glass)

• Education 11. Read No Access

Read Read Read Read No Access

No Access

Access to patient data

No exceptions

d. Family Medicine Specialist

• Education 12. Read No Access

Read Read Read Read No Access

No Access

Access to patient data under his care.

No exceptions

• Audit & Research

13. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Patient Care 14. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Access to patient under his care.

Override access under:

1) Emergency

2) Referral

• Admin 15. Read Read Read Read Read Read No Access

No Access

Access to patient data under his care.

No Exceptions

e. Medical / Dental Officer

• Hospital with specialists

• Audit & Research

16. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Education 17. Read No Access

Read Read Read Read No Access

No Access

Access to patient data under his care.

No exceptions

• Patient Care 18. Read Read Read & Write Read & Write Read & Write Read & Write No Access No Access

Access to patient data under his care.

Override access under:

1) On call

2) Emergency

3) Referral

• Hospital without specialist

• Audit & Research

19. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Education 20. Read No Access

Read Read Read Read No Access

No Access

Access to patient data under his care.

No exceptions

• Patient Care 21. Read Read Read & Write Read & Write Read & Write Read & Write No Access No Access

Access to patient data under his care.

Override access under:

1) On call

2) Emergency

3) Referral

• Health Care Facilities

• Audit & Research

22. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Education 23. Read No Access

Read Read Read Read No Access

No Access

Access to patient data under his care.

No exceptions


• Patient Care 24. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Access to patient data under his care.

Override access under:

1) On call

2) Emergency

3) Referral

• Admin 25. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his facility only

No exceptions

f. House Officer

• Audit & Research

26. Read Read Read Read Read Read No Access

No Access

Access to all patient data within his department only.

Access to all referred cases to his specialty.

• Education 27. Read No Access

Read Read Read Read No Access

No Access

Access to patient data under his care.

No exceptions

• Patient Care 28. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Access to patient data under his care.

Override access under:

1) On call

2) Emergency

(No role to accept referral)

B. Nurses

i) Hospital setting

a. Matron / sister

• Admin 29. Read Read Read Read Read Read No Access

No Access

Only for patient under their area / department / facility

No exceptions

• Audit & Research

30. Read

(MRN and name only)

No Access

No Access Read Read Read No Access

No Access

Only for patient under their area / department / facility.

Override allowed for external auditing.

• Education 31. Read No Access

Read Read Read Read No Access

No Access

Only for patient under their area / department / facility

No exceptions

• Patient Care 32. Read Read Read Read Read Read No Access

No Access

1) Only for patient under their area / department / facility.

2) Can read & write only during emergencies.

Override allowed during on-call.


Only can access on nursing notes.

b. Staff Nurse

• Education 33. Read No Access

Read Read Read Read No Access

No Access

Only for patient under their area / department / facility

No exceptions

• Audit & Research

34. Read No Access

No Access Read Read Read No Access

No Access

Only for patient under their area / department / facility.

Override allowed for external auditing.

• Patient Care 35. Read & Write Read & Write

Read & Write

Read & Write

Read & Write

Read & Write

No Access

Read & Write (to charge / itemize for FPP patients)

a) Only for patient under their area / department / facility.

b) Only can write on nursing notes

No exceptions

• Registration 36. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Not Applicable

Register role Only in the absence of the registration clerks.

No exceptions

c. Community Nurse

• Patient Care 37. Read Read Read Read Read Read No Access

No Access

Only can write on nursing notes

No exceptions


• Registration 38. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

No Access

Register role Only in the absence of the registration clerks.

No exceptions

d. Dental Nurse

• Patient Care 39. Read Read Read & Write

Read & Write

Read Read & Write

No Access

No Access

Only can write on dental notes

No exceptions

• Audit Research & Education

40. Read Read Read Read Read Read Read Read Only for patient under their area

No exceptions

e. Dental Surgery Assistant

• Patient Care 41. Read Read Read Not Applicable Not Applicable Not Applicable No Access No Access

No exceptions

• Registration 42. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write*

*

Only in the absence of the registration clerks. ** In the absence of billing Unit.

ii) Health Care Facilities

a. Matron / Sister

• Admin 43. Read Read Read Read Read Read Read Read Only for patient under their area / facility.

Override allowed if there is no matron in the area.

• Patient Care 44. Read Read Read Read Read Read No Access

No Access

1) Only for patient under their area / department / facility.

2) Only during emergencies.

3) Only can write on nursing notes

Override allowed during on-call.

• Audit, Research & Education

45. Read Read Read Read Read Read Read Read 1) Only for patient under their area.

2) Only on nursing care.

No exceptions


b. Staff Nurse

• Patient Care 46. Read Read Read Read & Write

Read & Write

Read & Write

No Access

No Access

Only for patient under their area / facility.

Only can write on nursing notes

No exceptions

• Audit, Research & Education

47. Read Read Read Read Read Read Read Read 1) Only for patient under their area.

2) Only on nursing care.

No exceptions

• Registration 48. Read & Write Read & Write

Not applicable

Not applicable

Not applicable

Not applicable

Read & Write

No Access

Register role Only in the absence of the registration clerk.

No exceptions

c. Community Nurse

• Education 49. Read No Access Read Read Read Read No Access No Access Only for patient under their area / department / facility

No exceptions

• Registration 50. Read & Write Read & Write

Not applicable

Not applicable

Not applicable

Not applicable

Read & Write

No Access

Role as Only in the absence of the registration clerks.

No exceptions

• Patient Care 51. Read Read Read & Write

Read & Write

Read Read & Write

No Access

No Access

Only in the absence of the staff nurses

Only can write on nursing notes

No exceptions

d. Dental Nurse

• Patient Care 52. Read Read Read & Write

Read & Write

Read Read & Write

No Access

No Access

Only can write on dental notes

No exceptions

• Registration 53. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

No Access

Only in the absence of the registration clerk

No exceptions

• Audit, Research & Education

54. Read Read Read Read Read Read Read Read Only for patient under their area.

No exceptions

e. Dental Surgery Assistant

• Patient Care 55. Read Read Read Not Applicable

Not Applicable

Not Applicable

No Access

No Access

No exception

• Registration 56. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write*

*

Only in the absence of the registration clerks. ** In the absence of billing Unit.

iii) Health Care Facilities

a. Matron

• Admin 57. Read Read Read Read Read Read Read Read Only for patient under their area / facility.

Override allowed if there is no matron in the area.

• Audit 58. Read Read Read Read Read Read Read Read 1) Only for patient under their area.

2) Only on nursing care.

No exceptions

b. Sister


• Admin 59. Read Read Read Read Read Read Read Read Only for patient under their area / facility.

Override allowed if there is no sister in the facility.

• Audit 60. Read Read Read Read Read Read No Access

No Access

Only for patient under their area / facility.

No exceptions

c. Staff Nurse

• Patient Care 61. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only for patient under their area / facility.

Only can write on nursing notes

No exceptions


• Registration 62. Read & Write Read & Write

Not applicable

Not applicable

Not applicable

Not applicable

Read & Write

No Access

Only in the absence of the registration clerk.

No exceptions

d. Community Nurse

• Patient Care 63. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on nursing notes

No exceptions

• Registration 64. Read & Write Read & Write

Not applicable

Not applicable

Not applicable

Not applicable

Read & Write

No Access

Only in the absence of the registration clerks.

No exceptions

e. Asst. Nurse

• Patient Care 65. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on nursing notes

No exceptions

• Registration 66. Read & Write Read & Write

Not applicable

Not applicable

Not applicable

Not applicable

Read & Write

No Access

Only in the absence of the registration clerks.

No exceptions

f. Midwives

• Patient Care 67. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on nursing notes

No exceptions

• Registration 68. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

No Access

Only in the absence of the registration clerks.

No exceptions

g. Dental Nurse

• Patient Care 69. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on nursing notes

No exceptions


• Registration 70. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write

Only in the absence of the registration clerks.

h. Dental Surgery Assistant

• Patient Care 71. Read Read Read & Write

Not Applicable

Not Applicable

Not Applicable

No Access

No Access

No exceptions

• Registration 72. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write*

*

Only in the absence of the registration clerks. **In the absence of billing Unit

C. Medical Assistant


i) Hospital Setting

• Patient Care 73. Read & Write Read & Write*

Read & Write

Read & Write

Read & Write*

Read & Write

No Access

No Access

Read & Write in:

1) A & E

2) Designated specialist clinic

No exceptions

• Registration 74. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write

Only in the absence of the registration clerks.

Only can write on nursing notes

No exceptions

ii) Health Care Facilities

• Patient Care 75. Read Read Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

No exceptions

• Registration 76. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Read & Write

Read & Write

Only in the absence of the registration clerks.

No exceptions

D. Healthcare Assistants

• Patient Care 77. No Access No Access

No Access No Access No Access Not Applicable

No Access

No Access

Not Applicable

No exceptions

• Registration 78. Read & Write Read & Write

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Only in the absence of the registration clerks.

No exceptions

E. Pharmacists

• Admin 79. Read No Access

No Access No Access Read Read (med. only)/ TDM

No Access

No Access

No exceptions

• Audit 80. Read No Access

Read No Access Read Read No Access

No Access

No exceptions

• Dispensing 81. Read Read Read Read Read Read & Write *

No Access

Read Write* dispensing notes

No exceptions

• Patient Care 82. Read Read Read Read Read Read & Write

No Access

Read Write* Pharmacist Notes

No exceptions

F. Assistant Pharmacists


• Dispensing 83. Read No Access

No Access No Access Read Read * & Write *

No Access

No Access

Read* prescription pharmacist notes

Write* dispensing notes

No exceptions

G. Medical Lab Technicians

• Perform Lab Orders

84. Read & write No Access

No Access No Access Read Read & Write*

(results of Ix.)

No Access

No Access

Amendment & addendums*

No exceptions


H. Dental Lab Technologist / Prosthetic & Orthotics Technician

• Fabrication of Prosthetics / Orthotics

85. Read No Access

No Access No Access Read Read No Access

No Access

I. Optometrists

• Patient Care 86. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on optometrist notes

No exceptions

J. Audiometrists

• Patient Care 87. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on audiometrist notes

No exceptions

K. Therapists

a. Occupational

• Patient Care 88. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on therapist notes

No exceptions

b. Speech

• Patient Care 89. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on therapist notes

No exceptions

c. Physio

• Patient Care 90. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on therapist notes

No exceptions


d. Clinical Psychologist

• Patient Care 91. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on therapist notes

No exceptions

e. Prosthetist & Orthotists

• Patient Care 92. Read No Access

Read & Write

Read & Write

Read & Write

Read & Write

No Access

No Access

Only can write on therapist notes

No exceptions

L. Dietician / Nutritionists

• Patient Care 93. Read No Access

Read Read Read Read & Write

No Access

No Access

Only can write on dietician notes

No exceptions

M. Radiographer 94. Read No Access

No Access No Access Read Read#, No Access

No Access

#Only Radiology Ix

No exceptions

N. Health Education Officer

• Health Promotions

95. Read

No Access

Read

No Access Read

No Access No Access

No Access

No exceptions

O. Assistant Environmental Health Officer

• Control of notifiable disease

96. Read No Access

Read Read Read Read & Print

No Access

No Access

No exceptions


P. Medical Record Officer

• Admin 97. Read Read Read

Read

Read & Write (ICD

coding)

Read

Read Read

No exceptions

• Audit & Research

98. Read Read Read Read Read Read No access

Read Only can print statistical report

Q. Medical / Dental / Undergraduate

• Patient Care 99. No Access

No Access

No Access

No Access

No Access

No Access

No Access

No Access

Accessibility should be through HOD with restricted period/ only

• Education Training

100. Read No Access Read Read Read Read No Access No Access Accessibility should be through HOD with restricted period/ only

Patient that refused need to be blocked

R. Lecturers / Tutors / Preceptors

• Education 101. Read No Access

Read

Read

Read Read No Access

No Access

During the contract period only

No exceptions

S. Researcher

• Research & Planning

102. Read Read Read Read Read Read No Access

No Access

No exceptions

• Epidemiology 103. Read No Access Read Read Read Read No Access No Access No exceptions

• Clinical Research

104. Read No Access

Read Read Read Read No Access

No Access

Modifiable for particular protocol study & during study period only

T. Non-Clinical Administrator

• Admin 105. Read No Access

No Access No Access No Access No Access Read Read No exceptions

• Audit 106. Read No Access

No Access No Access No Access No Access Read Read No exceptions

U. Medical Social Worker

• Evaluate financial status and provide assistance for the needy.

107. Read Read Read No Access Read Read Read Read No exceptions

V. System Administrator

108. Read No Access

No Access No Access Read No Access No Access

No Access

No exceptions

• System Administrator (Operational)

109. Read Read Read Read Read Read Read Read Addendum when requested with documentation

For trouble shooting & must be documented

W. Patient 110. No Access No Access

No Access No Access No Access No Access No Access

No Access

No exceptions

Print report through Medical Records


X. Appointed rep. / legal guardian (upon consent)

111. No Access No Access

No Access No Access No Access No Access No Access

No Access

No exceptions

Y. Courts

• Negligence / Suits

112. No Access No Access

No Access No Access No Access No Access No Access

No Access

No exceptions

Print of medical record on court request

Z. Insurance Companies (upon consent)

113. No Access No Access

No Access No Access No Access No Access No Access

No Access

No exceptions

Print of medical record on patient request

AA. Employers 114. No Access No Access

No Access No Access No Access No Access No Access

No Access

No exceptions


BB. Allied Health Profession Students

115. No Access No Access

No Access No Access No Access No Access No Access

No Access

Under the direct supervision of their tutor or trainer.

Only for particular discipline

No exceptions

CC. Counseling Officers

• Patient Care 116. Read Read

Read & write

Read Read & write

Read & Write*

No Access

No Access

Only can write on counselor notes

No exceptions


C. TECHNICAL REQUIREMENTS FOR USER ACCESS CONTROL AT HOSPITAL / CLINIC INFORMATION SYSTEM (HIS/CIS)

1 INTRODUCTION

In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects.

2 ACCESS CONTROL SYSTEM

2.1 Identification and authentication (I&A)1

2.1.1 Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing.

2.1.2 Authenticators are commonly based on at least one of the following four factors:

• Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account.

• Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account.

• Something you are, such as fingerprint, voice, retina, or iris characteristics.

• Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.

2.2 Authorization

2.2.1 Authorization applies to subjects. Authorization determines what a subject can do in the system.

2.3 Accountability

2.3.1 Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for:

• Detecting security violations

• Re-creating security incidents

• Deterring future security violations.

3 ACCESS CONTROL MODELS

Access control models are categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary. The MOH requirement is based on the RBAC model.

4 Role Based Access Control (RBAC) 2,3,

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff (or other system users) are assigned particular roles, and through those role assignments acquire the permission to perform particular system functions.

4.1 Three primary rules are defined for RBAC:

4.1.1 Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role.

4.1.2 Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.

4.1.3 Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized.

4.1.4 Constraints are restrictions that are enforced upon access permissions. They can include contextual properties such as separation of duties, time-dependency, mutual exclusivity, cardinality, or location, etc. Constraints may be enterprise specific. Examples of permission constraints could include:

i. Head Nurse permission functions can be accessed only by one Registered Nurse per 12-hour shift on a hospital floor at any given time (cardinality of 1, time-dependency),

ii. Only one Physician may have access to the Chief of Staff permission (cardinality of 1),

iii. A laboratory user can co-sign another Lab Technician’s results, but cannot co-sign their own even if logged on as the Lab Technician Supervisor (separation of duties),

iv. Provider’s access to a remote hospital that is not his/her primary workplace (location), and

v. A physician working scheduled clinic hours (time-dependency) vs. physician working in a 24 hour Emergency Room (no time-dependency).
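The three RBAC rules in 4.1.1 to 4.1.3 and three of the constraint examples in 4.1.4 (cardinality, time-dependency, separation of duties) can be expressed as one decision routine. The sketch below is an added example, not part of the MOH guideline or of any HIS product; the role names, transaction names, clinic hours and user IDs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed policy data; role and transaction names are illustrative only.
ROLE_TRANSACTIONS = {
    "lab_technician": {"enter_result"},
    "lab_supervisor": {"enter_result", "cosign_result"},
    "head_nurse": {"approve_ward_roster"},
    "clinic_physician": {"write_clinical_note"},
    "er_physician": {"write_clinical_note"},
}
ROLE_HOURS = {"clinic_physician": (time(8, 0), time(17, 0))}  # time-dependency
ROLE_CARDINALITY = {"head_nurse": 1}                           # holders per location


class AccessDenied(Exception):
    """Carries the name of the rule or constraint that refused the request."""


@dataclass
class Subject:
    user_id: str
    authorized_roles: frozenset
    active_role: Optional[str] = None


class RbacEngine:
    def __init__(self):
        self._holders = {}  # (role, location) -> user_ids with that role active

    def activate_role(self, subject, role, location):
        # Rule 2 (role authorization): only roles authorized for the subject.
        if role not in subject.authorized_roles:
            raise AccessDenied("role authorization")
        holders = self._holders.setdefault((role, location), set())
        limit = ROLE_CARDINALITY.get(role)
        if limit is not None and subject.user_id not in holders and len(holders) >= limit:
            raise AccessDenied("cardinality")
        holders.add(subject.user_id)
        subject.active_role = role

    def deactivate_role(self, subject, location):
        # End of shift: free the slot so the next holder can activate the role.
        self._holders.get((subject.active_role, location), set()).discard(subject.user_id)
        subject.active_role = None

    def execute(self, subject, transaction, when, record_author=None):
        # Rule 1 (role assignment): no active role, no transaction.
        if subject.active_role is None:
            raise AccessDenied("role assignment")
        # Rule 2 again at use time, in case the authorization was withdrawn.
        if subject.active_role not in subject.authorized_roles:
            raise AccessDenied("role authorization")
        # Rule 3 (transaction authorization).
        if transaction not in ROLE_TRANSACTIONS.get(subject.active_role, set()):
            raise AccessDenied("transaction authorization")
        hours = ROLE_HOURS.get(subject.active_role)
        if hours and not (hours[0] <= when.time() < hours[1]):
            raise AccessDenied("time-dependency")
        # Separation of duties: nobody co-signs a result they entered themselves.
        if transaction == "cosign_result" and record_author == subject.user_id:
            raise AccessDenied("separation of duties")
        return True

    def decide(self, subject, transaction, when, record_author=None):
        """Return 'permit' or the name of the rule/constraint that denied."""
        try:
            self.execute(subject, transaction, when, record_author)
            return "permit"
        except AccessDenied as denied:
            return str(denied)


if __name__ == "__main__":
    engine = RbacEngine()
    supervisor = Subject("u-lab-07", frozenset({"lab_technician", "lab_supervisor"}))
    engine.activate_role(supervisor, "lab_supervisor", "lab-1")
    noon = datetime(2014, 4, 1, 12, 0)
    print(engine.decide(supervisor, "cosign_result", noon, record_author="u-lab-07"))
    print(engine.decide(supervisor, "cosign_result", noon, record_author="u-lab-02"))
```

Returning the name of the refusing rule, rather than a bare yes/no, lets the denial be written to the audit trail with a reason.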

5 FUNCTIONAL REQUIREMENT STATEMENT OF USER ACCESS CONTROL

5.1 Pre-access

5.1.1 Right Person

i. Right User

a. Every user must key-in his/her User ID, Password

b. Biometrics can be used to recognize a valid user

c. Key-in category and discipline/department (to construct Job Matrix/Security matrix that blocks by discipline)

d. Declaration of relationship (Patient-care provider)

e. Health care provider must be on duty (To develop Electronic Rostering module / function)

ii. Right Patient

a. Patient needs to register at facility

b. Biometrics can be used to recognize a valid patient

c. Assigned or classified to specific discipline/department/team or specific health

care provider

5.1.2 Right time

i. Active Record and In-Active Record

a. Active Record – Once the patient registers at the facility

b. In-Active record (closed record) – After the patient is discharged from the facility there must be a time period before the patient’s record is closed. (e.g. Inpatient: After 3 months from date of discharge, Outpatient: After 1 month from date of discharge per encounter)

c. To access the encounter record after 3 months:

• Patient must register again at healthcare facility

• On request (must follow procedure to trace patient record)

ii. User must be on duty to have access.

a. To develop electronic rostering function/module

5.1.3 Right Location

i. Patient records can only be accessed within the MOH network or facility network.

ii. Users can only have access at their dedicated place of work or location.

iii. The table below shows how access is given according to location.

| NO | ACCESS TYPE | ACCESS | USER |
|---|---|---|---|
| 1. | LOCATION | • Only at that location • Inpatient / Outpatient • Clinic / Ward • Discipline: e.g. O&G, A&E etc. | HO, SN, AN, MS, JM, SISTER, Allied Services |
| 2. | ROLE DEFINED | 1 Referral; 2 Audit; 3 Education; 4 Administration. Access can be made from location within the healthcare facility | Consultant / Specialist / HOD, Matron, MO |

5.1.4 Right Function and Activity

i. To develop Menu or Sub Menu Matrix

ii. For each data segment and the corresponding applications software functionality, the users/user groups will be allowed to perform any one or all of the following data management functions (refer to Appendix B):

a. Generate, and record the data (write) as part of their work

b. Retrieve, View and use the data (Read) as part of their work

c. Manipulate (Modify, correct, delete) the data

5.1.5 Right Info

i. Different User Interface for Different User (segmentation of data)

ii. For each user, the data segments and the corresponding applications software functionality that he/she will be allowed to use while performing his/her work is identified. (refer to Appendix C; Figure 2 & 3)

iii. To develop a notes/reports assignment matrix

5.1.6 Security for Highly Confidential Data (HCD)

i. Remove: All existing access by applying ‘block’

ii. Assign: Specific Authorized Care Providers or group of care providers


5.2 During access

5.2.1 Warning Statement

i. Basic warning (Layer 1): General Alert

ii. Second warning (Layer 2): Category/Job Matrix/Location

iii. Third warning (Layer 3): Access Denied/Lock (Enter Special Code). *For highly confidential data (red flag by Director or committee)

5.2.2 Break Glass/Code Blue

i. Break glass code

ii. Alert to facility director or responsible person depending on the facility’s Information Security Policy

iii. Logged

5.3 Post-access

5.3.1 Audit Trail

i. Audit Trail Capture:

a. Time/ Date/Location Access

b. User_Id

c. Create, View, Update, End of Module and Functions Used

d. Hit Counter/Statistic

ii. Dedicated module for audit trail

iii. Schedule and Ad-hoc

iv. Monitoring Person (Director/Head of IT)
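The pre-access, during-access and post-access requirements in 5.1 to 5.3 chain into a single gate: roster, location, discipline, record status and HCD block are checked first, a break-glass override raises an alert, and every request is written to the audit trail. The sketch below is an added example, not code from the guideline or from any MOH system. It assumes that "3 months" and "1 month" mean 90 and 30 days, that break glass overrides Layer 2 refusals but not the HCD block, and that record closure is reported as a Layer 2 refusal; all identifiers and sample values are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Closure periods from the guideline's example, approximated in days (assumption).
CLOSE_AFTER = {"inpatient": timedelta(days=90), "outpatient": timedelta(days=30)}


@dataclass
class User:
    user_id: str
    discipline: str
    work_location: str
    on_duty: bool               # would come from the electronic rostering module
    role_defined: bool = False  # e.g. Consultant/HOD/Matron/MO: any location in facility


@dataclass
class Encounter:
    patient_id: str
    kind: str                                    # "inpatient" or "outpatient"
    discipline: str
    location: str
    discharged_at: Optional[datetime] = None     # None while the record is active
    hcd_authorized: Optional[frozenset] = None   # None = not HCD, else allowed user_ids


class AccessGate:
    def __init__(self):
        self.audit_trail = []   # 5.3.1: every request, permitted or refused
        self.alerts = []        # 5.2.2: break-glass notifications

    def _pre_access(self, user, enc, now, terminal):
        """Return (reason, warning_layer); reason is None when all checks pass."""
        if enc.hcd_authorized is not None and user.user_id not in enc.hcd_authorized:
            return "hcd_block", 3                # 5.1.6: blocked unless assigned
        if not user.on_duty:
            return "not_on_duty", 2              # 5.1.1 and 5.1.2: must be on duty
        if not user.role_defined and (terminal != user.work_location
                                      or terminal != enc.location):
            return "wrong_location", 2           # 5.1.3: dedicated place of work
        if user.discipline != enc.discipline:
            return "wrong_discipline", 2         # 5.1.1: job matrix by discipline
        if enc.discharged_at and now > enc.discharged_at + CLOSE_AFTER[enc.kind]:
            return "record_closed", 2            # 5.1.2: in-active (closed) record
        return None, 1                           # only the general alert is shown

    def request(self, user, enc, now, terminal, action="view", break_glass=None):
        reason, layer = self._pre_access(user, enc, now, terminal)
        allowed, overridden = reason is None, False
        # Assumption: break glass overrides layer-2 refusals but never the HCD block.
        if not allowed and break_glass and layer != 3:
            allowed = overridden = True
            self.alerts.append({"to": "facility director", "time": now,
                                "user_id": user.user_id, "patient_id": enc.patient_id,
                                "overrode": reason, "justification": break_glass})
        self.audit_trail.append({"time": now, "location": terminal,
                                 "user_id": user.user_id, "patient_id": enc.patient_id,
                                 "action": action, "allowed": allowed,
                                 "reason": reason, "break_glass": overridden})
        return {"allowed": allowed, "reason": reason,
                "warning_layer": layer, "break_glass": overridden}

    def hit_counter(self):
        """Requests per user, the 'hit counter/statistic' of the audit trail."""
        return Counter(entry["user_id"] for entry in self.audit_trail)


if __name__ == "__main__":
    gate = AccessGate()
    now = datetime(2014, 4, 1, 10, 0)            # constructed sample data
    nurse = User("sn-01", "O&G", "ward-5", on_duty=True)
    stay = Encounter("p-100", "inpatient", "O&G", "ward-5")
    print(gate.request(nurse, stay, now, "ward-5"))
    print(gate.request(nurse, stay, now, "ward-9"))
    print(gate.hit_counter())
```

Refused requests are logged as well as permitted ones, so repeated attempts against a blocked record show up in the hit counter.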


Appendix

Ministry of Health, Malaysia

DECEMBER 2011


APPENDIX A - GENERIC OF USER ACCESS CONTROL

1.1 Hospital Putrajaya

NO ACCESS TYPE ACCESS USER

1. LOCATION • Only at that location

• Inpatient / Outpatient

• Clinic / Ward

HO, SN, AN, MS, JM, SISTER, Allied Services

2. ROLE DEFINED 1. Referral

2. Audit

3. Education

4. Administration

Access can be made from anywhere within the healthcare facility

Consultant Specialist / HOD, Matron, MO

3. HIGHLY CONFIDENTIAL

• Data Blocked

• Allowance of access by referring Doctors

• This must be role defined

Access can be made from anywhere within the healthcare facility

• Consultant Specialist

• Inpatient: as long as in ward

• Outpatient: once sent home

• Idle for 1 hour or 5 pm

4. SPECIALITY Upon discharge:

Only allow user to read according to their speciality. If they want to access other than their speciality they have to be role defined. This applies only to Medical Officer and Specialist. Nursing Staff, Allied Health Staff, Houseman and students will have no exception; however, if they need to, they can go to the Medical Records Office. If they want to access other than their speciality they have to be role defined.

• For inpatient, if the patient is referred to allied services, allied services personnel will use the referral document to give appropriate care.

• Authorization to desensitize the highly sensitive data is only made by Hospital Director

• For Medical Lab Technicians (MLT) and Radiographers, access to clinical notes is not necessary; they just need to look at the order request note

1.2 HOSPITAL SELAYANG – DYNAMIC USER

GLOSSARY OF TERMS

HO - House Officer

PPP - Assistant Medical Officer (Penolong Pegawai Perubatan)

PPK - Healthcare Assistant (Pembantu Perawatan Kesihatan)

SN - Staff Nurse

JM - Community Nurse (Jururawat Masyarakat)

OSCC - One Stop Crisis Centre

SCAN - Suspected Child Abuse & Neglect

1.2.1 OUTPATIENT – WORKFLOW IN OUTPATIENT DEPARTMENT

Columns: No.; Encounter / Task; Patient Provider Relationship; Mechanism; Assign to (Named Care Provider, Provider group)

1. Scheduling & registration

Primary provider

New case:

Referral to specific Doctor

Assign privileges to referred Doctor


Referral to discipline (Specialist in charge/Doctor in charge)

Assign to Doctor on duty at appointment date and place.

May be based on expertise of care providers

Follow up case

Assign privilege to the care provider according to follow up plan

General purpose care provider (HO, nurses, PPP, JM, PPK)

Care providers where the patient will be registered are automatically given access.

Pre consultation / triage – SN / optometrist / audiologist

Given access as general purpose provider.

2. Carry out procedures

Care provider providing treatment

Based on orders

Persons assigned to perform the task are given access

To use work list for this purpose.

3. Treatment

Care provider providing treatment i.e. pharmacist

Drug treatment- if prescription made, the pharmacist shall get access

Access can be narrowed down to pharmacist of that particular dispensary or open to all pharmacists.

4. Follow up

Relationship terminated

All access closed upon discharge BUT exception to certain discipline where task not completed yet for example Pathologist, Radiologist.

Appointment must be given to appropriate clinic.

Patient should be assigned to the same Primary provider (depending on type of cases) who is looking after the patient.

- -

1.2.2 EMERGENCY DEPARTMENT – WORKFLOW IN EMERGENCY DEPARTMENT

Columns: No.; Encounter / Task; Patient Provider Relationship; Mechanism; Assign to (Named Care Provider, Provider group)

1. Pre-hospital care

Care provider providing treatment i.e. PPP

Person sent out with ambulance according to roster (transcribe later)

2. Triage Care provider providing treatment i.e. PPP

Performing assessment according to roster (transcribe later)

3. Registration Doctor providing care

Access open to all Doctors on duty

General purpose staff

(i.e. SN/PPP/PPK)

according to zone based on triage category (red/yellow/green/white staff)

4. Assessment and treatment

Doctor providing care

Access open to all Doctors on duty

General purpose staff

(i.e. SN/PPP/PPK)

according to zone based on triage category (red/yellow/green/white staff)

Locum Doctor providing care

Included as Doctors on duty

Must be given privilege as ED Doctor if they are coming from other departments

5. Patient with sensitive data

Appointed Team member

OSCC – SCAN team

Team members on duty √

6. Referral to other specialities

Referred Doctor and team

Doctor / Team members on duty

1.2.3 IN PATIENT – WORKFLOW IN WARD

Columns: No.; Encounter / Task; Patient Provider Relationship; Mechanism; Assign to (Named Care Provider, Provider group)

1. Admission:

Admitting Doctor Shall be identified through admission form.

Primary provider can be identified through admission form based on the Doctor who looks after the patient at the clinic or ED or previous admission

General purpose care provider (HO, nurses, PPP, JM, PPK)

Where the patient will be admitted is automatically given access.

Care provider who performs clerking /assessment:

Automatic privileges shall be given to care provider according to duty roster

2. Diagnosis made:

Care team

Care plan can be triggered where the care providers performing the required tasks are identified and automatic privileges shall be given (e.g. inclusion in their work list)

3. Procedures/Investigations/monitoring:

Care provider performing test, examinations etc.

Accesses are given through orders.

Automatically closed access once task completed.

4. Referral

Co-opted care provider

Access given to the care provider to whom the case is referred.

5. Treatment:

Assigned or Co-opted care provider

Access will be given through orders.

6. Transfer

Location;

Additional or changed care provider (Doctor)

Current care providers retain access

General purpose care provider E.g. nurses / HO / PPK

Access of General purpose care provider of previous location is taken away and access will be given to care providers at new location.

7. Transfer Specialty / department;

changed care provider (Doctor)

Provide access to specialty taking over the case

Access for referring specialty can be retained or taken away depending on whether care by them needs to continue.

8. Follow-up plan

All access shall be closed upon discharge

Primary care provider (depending on type of cases) who looks after the patient on follow-up must be identified.

The location/clinic must be identified before discharge

- -


APPENDIX B – HIS FUNCTION

HOSPITAL INFORMATION SYSTEM (HIS)

Management System Patient Care System (PCS)

Patient Management System (PMS)

Clinical Information System (CIS)

Clinical Support Services Systems (CSS)

Health-Information Management System (HIMS)

Patient Registration Application

Client- Resource Management Application

Appointment Application

Tele Referral Application

Charging-Billing Application

- Order Entry

- Result Reporting

Patient Clinical Notes

• Clerking Notes

• Diagnosis

• Procedure records

• Event reports

• Monitoring

• Outcome assessment

• Follow up plan

• Clinical summary

• Discharge

Standard Reports for MOH Health Management Agencies (HMIS)

Quality Management System

Facility Management System

Hospitality Management System

Human Resource Management System

Financial Management System

Electronic Medical Record (EMR)

CCIS

Pharmacy Information System

Laboratory Information System

Radiology Information System

Operation Theatre Information System

Dietary Management System

Forensic Management ( )

Ad Hoc Data Extraction for External Agencies, Audit, Research etc

Executive Information System (EIS)


APPENDIX C - Privilege Matrix for Users of Clinical Administration Application

This matrix looks at the needs from a user’s point of view.

FIGURE 1: PRIVILEGE MATRIX FOR USERS OF CLINICAL ADMINISTRATION APPLICATION (EXAMPLE)

| User Category | Application | Read / View | Order | Perform Task & Enter data |
|---|---|---|---|---|
| Main Registration & Billing Clerk | Client Registration (PMI) | Yes | No | Yes |
| | Visit registration | Yes | Yes | Yes |
| | Billing | Yes | Print-Reprint | Yes |
| | Outpatient scheduling | Yes | Yes | Yes |
| | Inpatient ADT | Yes | No | No |
| Clinic Receptionist | Client Registration | Yes | No | No |
| | Visit registration | Yes | Yes | Yes |
| | Billing | Yes | No | No |
| | Outpatient scheduling | Yes | No | Yes |
| | Inpatient ADT | Yes | Yes | No |
| Clinic Manager / Clinic Nurse | Client Registration | Yes | No | No |
| | Visit registration | Yes | Yes | Yes |
| | Billing | Yes | No | No |
| | Outpatient scheduling | Yes | No | No |
| | Inpatient ADT | Yes | Yes | No |
| Admission clerk | Client Registration | Yes | Yes | Yes |
| | Visit registration | Yes | Yes | Yes |
| | Billing | Yes | Print-Reprint | Yes |
| | Outpatient scheduling | Yes | No | No |
| | Inpatient ADT | Yes | No | Yes |
| Ward clerk | Clinic Registration | Yes | No | No |
| | Billing | Yes | No | No |
| | Outpatient scheduling | Yes | Yes | Yes |
| | Inpatient ADT | Yes | Yes | Acknowledge |

APPENDIX D – PRIVILEGE MATRIX FOR DIFFERENT USER GROUP FOR DIFFERENT APPLICATION SOFTWARE

Figure 2: Privilege Matrix matching Privileges to Perform Clinical Documentation in CIS-EMR for Nurse and Laboratory Technologist

System 01: Clinical Information System-EMR

Application: Clinical documentation

User groups: DIRECT CARE PROVIDER (CLINICIAN): NURSE; CLINICAL SUPPORT PROVIDER: LABORATORY TECHNOLOGIST

Data group A (Symptoms, Signs, Diagnosis, Lab orders): Privilege for Data Management Functions

| Nurse: Read | Nurse: Write | Nurse: Manipulate | Laboratory Technologist: Read | Laboratory Technologist: Write | Laboratory Technologist: Manipulate |
|---|---|---|---|---|---|
| View √ | Insert √ | Validate √ | View √ | Insert X | Validate X |
| Retrieve √ | Submit √ | Modify √ | Retrieve √ | Submit X | Modify X |
| Copy √ | Record √ | Add √ | Copy X | Transfer X | Add X |
| Duplicate √ | | Delete √ | Duplicate X | Record X | Delete X |
| Print √ | | | Print X | | |

Data group B (Status, Result): Privilege for Data Management Functions

| Nurse: Read | Nurse: Write | Nurse: Manipulate | Laboratory Technologist: Read | Laboratory Technologist: Write | Laboratory Technologist: Manipulate |
|---|---|---|---|---|---|
| View √ | Insert X | Validate X | View √ | Insert √ | Validate √ |
| Retrieve √ | Submit X | Modify X | Retrieve √ | Submit √ | Modify √ |
| Copy | Record X | Add X | Copy √ | Transfer √ | Add √ |
| Duplicate | | Delete X | Duplicate √ | Record √ | Delete X |
| Print | | | Print √ | | |

Figure 3: Privilege Matrix matching Privileges to Perform Laboratory Information System Tasks for Laboratory Receptionist and Laboratory Technologist

System 02: Laboratory Information System

Application: Test performance and resulting

User groups: CLINICAL ADMINISTRATION STAFF: LABORATORY RECEPTIONIST; CLINICAL SUPPORT PROVIDER: LABORATORY TECHNOLOGIST

Data group C (Log in specimen, Reject specimen, Review worklist): Privilege for Data Management Functions

| Laboratory Receptionist: Read | Laboratory Receptionist: Write | Laboratory Receptionist: Manipulate | Laboratory Technologist: Read | Laboratory Technologist: Write | Laboratory Technologist: Manipulate |
|---|---|---|---|---|---|
| View √ | Insert √ | Modify √ | View √ | Insert √ | Modify √ |
| Retrieve √ | Submit √ | Add √ | Retrieve √ | Submit √ | Add √ |
| Copy X | Record √ | Delete X | Copy √ | Transfer √ | Delete X |
| Duplicate X | | | Duplicate √ | Record √ | |
| Print X | | | Print √ | | |

Data group D (Start test, End test, Task status, Result): Privilege for Data Management Functions

| Laboratory Receptionist: Read | Laboratory Receptionist: Write | Laboratory Receptionist: Manipulate | Laboratory Technologist: Read | Laboratory Technologist: Write | Laboratory Technologist: Manipulate |
|---|---|---|---|---|---|
| View X | Insert X | Validate X | View √ | Insert √ | Validate √ |
| Retrieve X | Submit X | Modify X | Retrieve √ | Submit √ | Modify √ |
| Copy X | Record X | Add X | Copy √ | Transfer √ | Add √ |
| Duplicate X | | Delete X | Duplicate √ | Record √ | Delete X |
| Print X | | | Print √ | | |


APPENDIX E - User Description Definition

No. DESIGNATION DEFINITION AND ROLES

1. Nursing Director/ Matron

A nurse who has been designated the responsibility and authority to manage the nursing activities of a hospital or a health district.

2. Assistant Medical Officer

Healthcare professional who has undergone training and obtained qualification recognized by MOH and registered by the Medical Assistant Board under Medical Assistants (Registration) Act 1977.

3. Medical Laboratory Technologist

An individual who is trained and registered as a Medical Laboratory Technologist to perform routine and complex laboratory investigations in various disciplines of pathology.

4. Medical Officer Privileges of Fully registered person (Medical Act 1971 No.26)

Every person whose name is for the time being borne on the Register as fully registered under this Act shall be entitled, according to his qualifications, to practice medicine, surgery and midwifery in accordance with the provision of this Act and to recover in due course of law reasonable charges for professional aid, advice and visits and the value of any medicine or any medical or surgical appliances rendered, made or supplied by him to his patients, provided that at the time of performing any such act he had an annual practicing certificate in force.

Any contract Medical Professional who has been issued a temporary practicing certificate (TPC) to practice medicine for a specified period.

Exemption of certain medical officers in ships (Medical Act 1971, No15)

All ship’s surgeons while in the discharge of their duties shall be exempted from registration under this Act and shall be entitled to all the privileges of fully registered medical practitioners under this Act.

5. Medical Record Officer

A person who has undergone training in management of medical records and works in a medical record office of a health facility.

6. Assistant Medical Record Officer

A person who has undergone training in management of medical records and works in a medical record office of a health facility.

7. Assistant Medical Record

A person who has undergone training in management of medical records and works in a medical record office of a health facility to assist the Assistant Medical Record Officer.

8. Medical Student (undergraduate)

A person who is undergoing training in medicine and pursuing degree qualification from a recognized institution.

9. Medical Social Officer

An individual who is trained and registered as a Medical Social Officer to conduct assessment and intervention; manage biopsychosocial problems and provide consultation to individuals, their family members or caregivers.

10. Non-clinical Administrator

A non-health care professional that is tasked with administrative and financial duties at a health facility.

11. Staff Nurse Main functions of the nurse are to give a holistic treatment to the patients in the health facilities such as general wards, operation theatres, outpatient departments and specialist clinics.

12. Nutritionist An individual who is trained and registered as a Nutritionist to promote nutritional well being, prevent nutrition-related diseases, conduct nutrition interventions, carry out nutrition or nutrition-related research and development, provide nutritional consultancy and advice, assess and monitor the nutritional status of individuals and communities.

13. Dietitian An individual who is trained and registered as a Dietitian to perform nutrition assessment and diagnosis; prescribe medical nutrition therapy; monitor, evaluate and document the nutrition care of individuals and groups requiring diet intervention and rehabilitation; provide diet counseling to individuals and caregivers; manage foodservices including therapeutic diets; and promote wellness in the community and provide consultation to related industries.

14. Pharmacist A person, who has undergone training, received a degree qualification in pharmaceutical science and registered under Registration of Pharmacy Act 1951.

15. Pharmacy Assistant

A person who has undergone training in pharmacy, obtained diploma qualification recognized by MOH and registered by the Pharmacy Board.

A person who practices under the supervision of a pharmacist.

16. Diagnostic Radiographer

An individual who is trained and registered as a Diagnostic Radiographer to acquire and interpret medical images using ionizing radiation and other imaging modalities for medical diagnostic and interventional purposes.

17. Researcher (Clinical, Public Health, Health Economics)

A professional in a field related to health who is undertaking an authorized study / research project in a health & pharmaceutical sector.

18. Scientific Officer A person who has undergone training, received a degree qualification in a scientific field and is working in a health facility. They include Biochemist, Microbiologist, Physicist, Genetics, Entomologist, Embryologist, Forensic, Food Nutrition & Biomedical.

Principal role: Conducts medical laboratory tests as well as processing samples and interpreting medical results to assist in the diagnosis, treatment and prevention of disease.

19. Clinical Scientist (Biochemist)

An individual who is trained and registered as Clinical Scientist (Biochemist) to conduct analysis and technical interpretation of data in the area of clinical biochemistry and its related fields, setting standard and monitoring of performance of diagnostic investigations, evaluation and selection of methods, instruments and technologies.

20. Clinical Scientist (Biomedical Science)

An individual who is trained and registered as a Clinical Scientist (Biomedical Science) to conduct diagnostic investigation in areas of clinical pathology including hematology, histopathology, cytopathology, microbiology, chemical pathology and transfusion services, selection and develop advanced technologies and methodologies and monitoring of laboratory setting for quality control.

21. Clinical Scientist (Embryologist)

An individual who is trained and registered as a Clinical Scientist (Embryologist) to perform all laboratory aspects of assisted human reproductive technologies.

22. Clinical Scientist (Medical Geneticist)

An individual who is trained and registered as a Clinical Scientist (Medical Geneticist) to perform cytogenetic, molecular genetics and biochemical genetics applications for diagnosing diseases, to provide advice in the related application protocol, to use his scientific skills in experimental designs and problem solving and in service development through research and investigations.

23. Clinical Scientist (Microbiologist)

An individual who is trained and registered as Clinical Scientist (Microbiologist) to detect and identify bacteria, virus, fungi and parasites, develop and implement methodologies, maintain quality performance, provide analytical result of microbiological and immunological investigations for the purpose of disease diagnosis, treatment and surveillance.


24. Entomologist An individual who is trained and registered as an Entomologist to conduct technical field inspections and laboratory studies directed at the identification, classification and control of insects that may have an adverse effect on the environment and health.

25. Forensic Science Officer

An individual who is trained and registered as a Forensic Science Officer to conduct medico legal forensic investigations in laboratories and crime scene.

26. Healthcare Foodservice Officer

An individual who is trained and registered as a Healthcare Foodservice Officer to manage foodservice operation in healthcare facilities, management of food production for normal and therapeutic diets, procurement of food and catering facilities, menu planning, budgeting, formulate policies and procedures for safety of food.

27. Medical Physicist An individual who is registered and trained as a Medical Physicist to conduct quality control of imaging and / or therapeutic radiation facilities and perform duties in nuclear medicine, radiotherapy, radiology and cyclotron facilities.

28. Nurse Unit Manager/Sister

A nurse who has been designated to be in-charge in a specified area of nursing in a health facility or district.

29. Specialist A registered medical / dental practitioner who has undergone the required training and acquired the necessary qualification to practice in a specialized area of medicine/ dentistry.

Any foreign specialist who has been issued a temporary practicing certificate (TPC) to practice medicine for a specified period.

30. Physiotherapist An individual who is trained and registered as a Physiotherapist to promote, prevent, analyze, make physiotherapy diagnosis, carry out physiotherapy treatment, intervene, habilitate and rehabilitate of any form of physical conditions and disabilities to restore optimum movement and functional abilities.

31. Occupational Therapist

An individual who is trained and registered as an Occupational Therapist to prevent, promote, make occupational therapy diagnosis and provide occupational therapeutic interventions for individuals who are physically and / or psychosocially impaired to enhance performance through engagement and participation in activities of daily living, work and leisure.


32. Radiation Therapist

An individual who is trained and registered as a Radiation Therapist to perform radiotherapy imaging, develop, evaluate and verify treatment plans; to deliver the planned and prescribed treatment using accurate and safe radiation therapy; and to monitor and assess radiation side effects, with the aim of cure and palliation of diseases treated with radiotherapy.

33. Speech-Language Therapist (speech pathologist)

An individual who is trained and registered as a Speech-Language Therapist managing individuals with speech, language, voice, communication, feeding and swallowing disorders through appropriate speech-language pathology modalities of screening, assessment, diagnosis, intervention, therapy, counseling, consultation, prevention and education.

34. Dental Officer A registered dental practitioner who is licensed to practice dentistry under the provision of the Dental Act 1971.

35. Dental student (undergraduate)

A person who is undergoing training in dentistry and pursuing a degree qualification from a recognized institution.

36. Dental Surgery Assistant

Healthcare personnel who has undergone training and obtained qualification recognized by MOH.

Role: Helps the dental officer or dental nurse in the management of patients, is responsible for infection control in the dental surgery, registers patients, collects payment from patients and issues receipts, and manages patient records.

37. Dental Nurse Healthcare professional who has undergone training and obtained qualification recognized by MOH.

Role: A dental nurse practises dentistry under the supervision of a registered dental surgeon in any hospital, clinic, or dental school approved for the purpose by the Minister.

38. Dental Therapist Means an individual who is trained and registered as a Dental Therapist, who works under the direct supervision of a Dental Surgeon in the private sector or under direct/indirect supervision of a Dental Surgeon in the public sector to provide promotive, preventive and basic clinical dental care.


39. Dental Technologists

An individual who is trained and registered in the Register of Dental Technologists, who works under the prescription of a Dental Practitioner, to fabricate dental appliances, dental restorative devices and maxillofacial prostheses for the rehabilitation of oral function.

Healthcare personnel who has undergone training in dental technology and obtained qualification recognized by MOH. Role: Manufactures dental prosthetics including orthodontic appliances, crowns and bridges, complete/partial dentures and maxillofacial prostheses according to specifications by dental surgeons/specialists. Also responsible for the repair and maintenance of dental equipment.

40. Healthcare Assistant

Healthcare personnel who has undergone specific in-house training and fit for purpose.

41. Environmental Health Officer

An individual who is trained and registered as an Environmental Health Officer to prevent environmental health hazards and to promote and protect public health and the environment in the following areas: disease control; food hygiene and safety; housing; institutional environmental health; vector control; drinking water quality; water sanitation; emergency preparedness; and enforcing public health legislation, in tandem with the roles and functions as stipulated by the Expert Committee to the World Health Organization Report No. 79, or amendments made thereto.

42. Counseling Officer

Healthcare personnel who has undergone diploma or degree qualification and obtained qualification recognized by MOH/JPA.

43. Clinical Psychologist

Means an individual who is trained and registered as a Clinical Psychologist to deal with research and clinical application of psychological principles for the recognition, assessment, diagnosis, treatment, rehabilitation and prevention of cognitive, emotional, behavioral and learning disorders to enhance subjective well-being, mental health and life functioning.

44. Hospital Director Healthcare personnel who is in charge of a hospital, organization or activity and gives instruction and direction.

45. Head of Department

Healthcare personnel who is head of a Department/Unit and has administrative responsibility for unclassified faculty/staff members.

46. Family Medicine Specialist

A Registered Family Physician who has undergone the required training, with special emphasis placed on the primary care of families.


47. Houseman Officer

Means a medical practitioner undergoing internship training under the Malaysia Act 1971.

‘Internship’ is the period of resident medical practice before full registration as stipulated under the Medical Act 1971.

48. Community Nurse

The main task of a community nurse is concentrated in the area of obstetrics and family health, which includes aspects of nursing care in nursing practice, nursing management, nursing training, documentation and other tasks.

49. Optometrist Healthcare professional who has undergone training and obtained qualification recognized by MOH and registered by the Majlis Optik Malaysia (MOM).

50. Audiologist

An individual who is trained and registered as an Audiologist to provide a comprehensive array of professional services related to the prevention of hearing loss, audiologic identification, assessment, diagnosis and intervention of persons with impairment of auditory and vestibular functions.

51. Health Education Officer

An individual who is trained and registered as a Health Education Officer to conduct individual and community needs assessment and behavioral diagnosis for health education / health promotion, plan and implement appropriate health education / health promotion intervention strategies in healthcare facilities and the community, and conduct appropriate evaluations and research with the aim of empowering people by developing individual skills and creating a supportive environment.

52. Lecturers/Tutors/Preceptors

Someone who teaches at a college or university.

53. System Administrator

A person employed to maintain and operate a computer system and/or network. System administrators may be members of an information technology (IT) or Electronics and Communication Engineering department.

* Sources: Final draft Allied Health Act, Legal advisor, MOH; Medical Development Division, MOH; Dental Health Division, MOH; Pharmacist Division, MOH; Medical Assistants (Registration) Act 1977. Medical Act 1971. Training Management Division, MOH.


APPENDIX F – GLOSSARY OF TERMS I

No. DESIGNATION DEFINITION

1. Allied Health Profession Students

A person who has undergone training in allied health and is pursuing a degree qualification from a recognized institution.

2. Courts 1. "Court" means any court in Malaysia of competent jurisdiction, and includes any Judge thereof whether sitting in Court or in chambers; CIVIL LAW ACT 1956 (REVISED 1972) [ACT 67]

2. "Court" means a court of competent jurisdiction

INTERPRETATION ACTS 1948 AND 1967 (CONSOLIDATED AND REVISED 1989) [ACT 388]

3. Court

A governmental body consisting of one or more judges who sit to adjudicate disputes and administer justice.

Black's Law Dictionary, 8th Edition

3. Custodian of information

A person who has responsibility for taking care of or protecting the information

4. Employer 1. "Employer" means any person who engages a worker and includes the agent, manager or factor of such employer; [ACT 246] PRIVATE EMPLOYMENT AGENCIES ACT 1981

2. "Employer" means the person with whom an employee has entered into a contract of service or apprenticeship and includes- (a) a manager, agent or person responsible for the payment of salary or wages to an "employee"; (b) anybody of persons whether or not statutory or incorporated; and (c) any Government, department of Government, statutory bodies, local authorities or other bodies specified in the Second Schedule and, where an employee is employed with any such Government, department, authority or body or with any officer on behalf of any such Government, department, authority or body, the officer under whom such employee is working shall be deemed to be an employer: Provided that no such officer shall be personally liable


under this Act for anything done or omitted to be done in good faith by him as an officer of such employer; [ACT 452] EMPLOYEES PROVIDENT FUND ACT 1991

3. "Employer" means any person or body of persons, whether corporate or unincorporate, who employs a workman under a contract of employment, and includes the Government and any statutory authority, unless otherwise expressly stated in this Act; [ACT 177] INDUSTRIAL RELATIONS ACT 1967

4. "Employer" means any person who engages a worker and includes the agent, manager or factor of such employer; [ACT 246 ] PRIVATE EMPLOYMENT AGENCIES ACT 1981

5. "Employer" includes the Government of Malaysia and the Governments of each of the States; in respect of civilian employees engaged in Malaysia or in Singapore of any visiting force lawfully present in Malaysia or of any person in the civil employment of the Government of any Commonwealth country, whose contract of service was made in Malaysia or in Singapore, the Government of that Commonwealth country; any local authority; any person or body of persons whether statutory or incorporated or not; the legal personal representative of a deceased employer; and in relation to a person employed for the purpose of any game or recreation and engaged or paid through a club, the manager or members of the managing committee of the said club: Provided that where the services of a workman are temporarily lent or let on hire to another person by the person with whom the workman has entered into a contract of service or apprenticeship, the latter shall, for the purposes of this Act, be deemed to continue to be the employer of the workman whilst he is working for that other person; [ACT 273] WORKMENS COMPENSATION ACT 1952 (REVISED 1982)

6. "Employer" means any person who has entered into a contract of service to employ any other person as an employee and includes the agent, manager or factor of such first mentioned person, and the word "employ", with its grammatical variations and cognate expressions,


shall be construed accordingly;

[ACT 265] EMPLOYMENT ACT 1955 (REVISED 1981)

5. Health Care Providers (HCP)

Generic term to reflect all medical practitioners, nurses, medical assistants and allied health professionals.

6. Insurance Companies

A corporation or association that issues insurance policies.

Black's Law Dictionary, 8th Edition

7. Legal Guardian A person who is legally empowered to act on behalf of an individual patient:

• A parent whose child is below the age of 18 years

• A parent whose child is mentally incapacitated

• A legally appointed person (by court of law).

1. "Guardian"

in relation to a child, includes any person who, in the opinion of the Court For Children having cognizance of any case in relation to the child or in which the child is concerned, has for the time being the charge of or control over the child.

CHILD ACT 200 [Act 611]

2. “Guardian”

A person having the right and duty of protecting the person, property or rights of one who is without full legal capacity or otherwise incapable of managing his own affairs. (1) Guardianship in chivalry was the right of the lord to hold the land, of an infant tenant until majority. (2) Guardianship in socage was the right of the next of blood to whom the inheritance could not descend, to the wardship of the land while the heir was under the age of 14. (3) Guardianship by nature was that exercised by a father over the person of his son and heir apparent. (4) A guardian by election is one chosen by a minor himself. (5) A guardian by statute is one appointed by will pursuant to the statute. (6) A guardian ad litem is a person appointed to defend an action or other proceeding on behalf of a minor or person under a disability.

CLJ LAW DICTIONARY


8. Patient 1. "Patient" means a person registered as an outpatient or admitted as inpatient or admitted under the order of the Medical Director, medical officer, registered medical practitioner or upon the order of the Court under the Act.

MENTAL HEALTH REGULATIONS 2010

2. "Patient" means a person accepted on either an inpatient or outpatient basis.

PRIVATE HEALTHCARE FACILITIES AND SERVICES (PRIVATE HOSPITALS AND OTHER PRIVATE HEALTHCARE FACILITIES) REGULATIONS 2006

"Patient" means an individual in the terminal stage of illness who has an anticipated life expectancy of days, weeks or less than six months and who, alone or in conjunction with a family member or members, has voluntarily requested admission and has been accepted into a hospice or palliative care services programme; PRIVATE HEALTHCARE FACILITIES AND SERVICES (PRIVATE HOSPITALS AND OTHER PRIVATE HEALTHCARE FACILITIES) REGULATIONS 2006


APPENDIX G - GLOSSARY OF TERMS II

Term / Definition / Source

Separation of duties

Definition: By virtue of a user being authorized as a member of one role, the user is not authorized as a member of a second role.

Source: David F. Ferraiolo, Janet A. Cugini, D. Richard Kuhn, Role-Based Access Control (RBAC): Features and Motivations, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg MD 20899

Mutual exclusivity

Definition: The same user can be assigned to at most one role in a mutually exclusive set. This supports separation of duties.

Source: Ravi S. Sandhu, et al., Role-Based Access Control Models, IEEE Computer, Volume 29, Number 2, February 1996, pages 38-47.

Cardinality

Definition: Some roles can only be occupied by a certain number of employees at any given period of time.

Source: David F. Ferraiolo, Janet A. Cugini, D. Richard Kuhn, Role-Based Access Control (RBAC): Features and Motivations, National Institute of Standards and Technology, U.S. Department of Commerce, Gaithersburg MD 20899
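The three constraints defined in this glossary can be enforced when a role is granted and audited against an existing user-role table. The following is an added example, not part of the toolkit: the role names come from Appendix E, but the choice of which roles are mutually exclusive, the limit of one Hospital Director, and the user IDs are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class ConstraintViolation(Exception):
    """Raised when an assignment would break separation of duties or cardinality."""


@dataclass
class RoleRegistry:
    # Each set lists roles of which one user may hold at most one (mutual exclusivity).
    exclusive_sets: list[frozenset[str]]
    # Maximum simultaneous holders per role (cardinality); unlisted roles are unlimited.
    max_holders: dict[str, int]
    holders: dict[str, set[str]] = field(default_factory=dict)  # role -> users

    def roles_of(self, user: str) -> set[str]:
        return {role for role, users in self.holders.items() if user in users}

    def check(self, user: str, role: str) -> list[str]:
        """Return the reasons an assignment must be refused (empty list = allowed)."""
        held = self.roles_of(user)
        if role in held:  # re-granting a role already held changes nothing
            return []
        reasons = []
        for group in self.exclusive_sets:
            clash = held & group
            if role in group and clash:
                reasons.append(f"mutual exclusivity: {user} already holds {sorted(clash)}")
        limit = self.max_holders.get(role)
        if limit is not None and len(self.holders.get(role, set())) >= limit:
            reasons.append(f"cardinality: {role} is limited to {limit} holder(s)")
        return reasons

    def assign(self, user: str, role: str) -> None:
        reasons = self.check(user, role)
        if reasons:
            raise ConstraintViolation("; ".join(reasons))
        self.holders.setdefault(role, set()).add(user)

    def revoke(self, user: str, role: str) -> None:
        self.holders.get(role, set()).discard(user)


def audit(assignments, exclusive_sets, max_holders) -> list[str]:
    """Scan an existing (user, role) table for constraint violations already present."""
    by_user: dict[str, set[str]] = {}
    by_role: dict[str, set[str]] = {}
    for user, role in assignments:
        by_user.setdefault(user, set()).add(role)
        by_role.setdefault(role, set()).add(user)
    findings = []
    for user in sorted(by_user):
        for group in exclusive_sets:
            overlap = by_user[user] & group
            if len(overlap) > 1:
                findings.append(f"{user}: holds mutually exclusive roles {sorted(overlap)}")
    for role in sorted(by_role):
        limit = max_holders.get(role)
        if limit is not None and len(by_role[role]) > limit:
            findings.append(f"{role}: {len(by_role[role])} holders, limit {limit}")
    return findings


# Constructed policy (assumption): an administrator of the system may not also
# hold a clinical role, and only one person may be Hospital Director at a time.
EXCLUSIVE_SETS = [frozenset({"System Administrator", "Dental Officer", "Houseman Officer"})]
MAX_HOLDERS = {"Hospital Director": 1}

# Constructed user-role export containing one violation of each kind.
SAMPLE_ASSIGNMENTS = [
    ("u1001", "Hospital Director"),
    ("u1002", "Hospital Director"),
    ("u1003", "System Administrator"),
    ("u1003", "Dental Officer"),
    ("u1004", "Houseman Officer"),
]


def demo():
    registry = RoleRegistry(EXCLUSIVE_SETS, MAX_HOLDERS)
    registry.assign("u1001", "Hospital Director")
    registry.assign("u1003", "System Administrator")
    rejected = []
    for user, role in [("u1002", "Hospital Director"), ("u1003", "Dental Officer")]:
        try:
            registry.assign(user, role)
        except ConstraintViolation as exc:
            rejected.append((user, role, str(exc)))
    # Cardinality applies "at any given period of time": revoking frees the slot.
    registry.revoke("u1001", "Hospital Director")
    registry.assign("u1002", "Hospital Director")
    return registry, rejected, audit(SAMPLE_ASSIGNMENTS, EXCLUSIVE_SETS, MAX_HOLDERS)


if __name__ == "__main__":
    _, rejected, findings = demo()
    for row in rejected:
        print("refused:", row)
    for finding in findings:
        print("audit:", finding)
```

Checking at grant time prevents new violations, while the audit pass finds ones that predate the policy or were introduced by direct database changes.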


APPENDIX H: TASK FORCE AND LIST OF CONTRIBUTORS FOR THE DEVELOPMENT OF THE USER ACCESS CONTROL POLICY (UACP) FOR HOSPITAL/CLINICAL INFORMATION SYSTEMS (HIS/CIS)

ADVISOR: Y. Bhg. Dato' Dr. Hassan Bin Abdul Rahman

CHAIRMAN OF TASK FORCE: Dr. Amiruddin Bin Hisan

FACILITATORS: En. Chan Peng Wah

Dr. Leela V Sabapathy

Mr. Abdollah Bin Salleh

Dr. Ahmad Fairuz Bin Mohamed

En. Samsuil Fuad Bin Munap

Dr. Dang Siew Bing

Pn. Wan Roshidah bt Wan Ismail

SECRETARIAT: En. Asraful Kamal Bin Ariffin

Matron Khalijah Binti Dalip

Matron Rozah Binti Ahmad

En. Hussin b Ahmad

En. Zamri b Ahmad

En. Jazmi b Md Sani

En. Kamaruzaman b Che Lah

Tn. Hj. Mohd Zaki Bin Sulaiman

En. Mohd Said Bin Morad

Sister Jamilah bt Abdollah


En. Mohd Norhisham Ismail

En. Mohd Khairuddin Bin Mokhtar

En. Mohd Rizuwan Bin Abdullah

STAGE 1 : PREPARATION OF THE DRAFT ON USER ACCESS CONTROL POLICY FOR HIS/CIS

USER ACCESS CONTROL POLICY WORKSHOP WITH SELECTED REPRESENTATIVES OF CLINICIANS FROM HIS/CIS FACILITIES & RELATED DIVISIONS OF MOH

Participants :

No. Name; Job Title; Name of Organisation

1. Mr. Abdollah Bin Salleh; General Surgeon & Clinical IT Coordinator; Hospital Selayang
2. Dr. Fekriah Binti Mohd Yatim; Deputy Director; Bahagian Kesihatan Pergigian KKM
3. Dr. Norizah Binti Haji AB Ghani; Deputy Director (Clinical); Hospital Tuanku Jaafar Seremban
4. Dr. Wan Ahmad Hazim Wan Ahmad; Senior Consultant, O&G; Hospital Putrajaya
5. Dr. Baizurah Binti Mohd Hussain; Consultant, Pathology; Hospital Ampang
6. Dr. Malek Faris Riza Feisal Bin Jeffrizal; Medical Specialist; Hospital Putrajaya
7. Dr. Yusniza Binti Mohd Yusof; Rehabilitation Medicine Specialist; Hospital Tuanku Jaafar Seremban
8. Dr. Ahmad Taufik Bin Mohd Jamil; Head, Information Technology Centre; Pusat Perubatan UKM
9. Dr. Mazni Bin Mat Junus; Psychiatry Specialist; Hospital Serdang
10. Dr. Razak Othman; Psychiatry Specialist; Hospital Sungai Buloh
11. Dr. Azlina Bin A.Rahman; Trauma & Emergency Specialist; Hospital Ampang
12. Dr. Zainal Fitri Bin Zakaria; Family Health Specialist; Klinik Kesihatan Putrajaya
13. Dr. Mohd Fauzi bin Abu Bakar; Medical Officer; Klinik Kesihatan Putrajaya
14. Puan. Sharifah Salwa Syed Abu Bakar; General Manager, IT Management Department; Institut Jantung Negara
15. Dr. Shahabudin Bin Ibrahim; Senior Principal Assistant Director; Bahagian Amalan Perubatan
16. Cik Kogilavani a/p Munusamy; Information Technology Officer; Klinik Kesihatan Putrajaya
17. Tn. Hj. Sarudin Bin Zainul; Assistant Medical Officer; Hospital Selayang
18. Puan Zarina Ripin; Assistant Information Technology Officer; Hospital Selayang
19. Pn. Umi Kalsom Binti Adam; Senior Principal Assistant Secretary; Bahagian Pengurusan Maklumat
20. Matron Sin Lian Thye; Nursing Supervisor; Bahagian Perkembangan Perubatan
21. Matron Khuzaifah Bin Mohd Noh; Nursing Supervisor; Bahagian Perkembangan Perubatan
22. Syahir Bin Shaffie; Patient Registration Counter Clerk; Hospital Tuanku Jaafar Seremban


STAGE 2 : TO OBTAIN A WIDER CONSENSUS ON THE DRAFT POLICY

USER ACCESS CONTROL POLICY FORUM

Participants :

No. Name; Job Title; Name of Organisation

1. Mr. Abdollah Bin Salleh; General Surgeon & Clinical IT Coordinator; Hospital Selayang
2. Dr. Heselynn Binti Hussein; Head of Department of Medicine & Consultant Physician; Hospital Putrajaya
3. Dr. Wan Ahmad Hazim Wan Ahmad; Senior Consultant, O&G; Hospital Putrajaya
4. Pn. Kamarunnesa Binti Mokhtar Ahmad; Head of Pharmacy Department & Pharmacist; Hospital Putrajaya
5. Cik Rubaizah Binti Yatim; Head of Information Technology Department; Hospital Putrajaya
6. Dr. Baizurah Binti Mohd Hussain; Consultant, Pathology; Hospital Ampang
7. Dr. Faizatuddarain Binti Mahmood; Radiology Specialist; Hospital Ampang
8. Dr. Nurmaimun Musni; Medical Officer; Hospital Ampang
9. Dr. Hajah Zainab Binti Ramli; Deputy Director (Surgical); Hospital Tengku Ampuan Rahimah Klang
10. Dr. Ahmad Tajuddin Bin Mohamad Nor; Consultant, Emergency Department; Hospital Tengku Ampuan Rahimah Klang
11. Dr. Hisham Kunhimon; Orthopaedic Surgeon; Hospital Selayang
12. En. Sarudin Bin Zainul; Assistant Medical Officer; Hospital Selayang
13. Mr. Muralee Madhavan; Orthopaedic Specialist; Hospital Serdang
14. En. Nizalene Deliza bin Husaini; Information Technology Officer; Hospital Serdang
15. Dr. Husni Binti Husain; Family Medicine Specialist; Klinik Kesihatan Putrajaya
16. Cik Nazhiyah Binti Haron; Information Technology Officer; Pejabat Kesihatan Daerah Putrajaya
17. Dr. Ahmad Taufik Bin Mohd Jamil; Head, Information Technology Centre; Pusat Perubatan UKM
18. En. Mohamad Bin Zainudin; Information Technology Officer; Pusat Perubatan UKM
19. Pn. Kamariah Binti Md Nasir; Information Technology Officer; Pusat Perubatan UKM
20. En. Saravanan a/l Rajagopal; Information Technology Officer; Hospital Sultan Haji Ahmad Shah, Kuantan
21. Pn. Hamidah Binti Karim; Assistant Medical Records Officer; Hospital Sungai Buloh
22. Pn. Siti Zamnah Binti Mohammed Zaki; Assistant Administrative Officer; Hospital Sungai Buloh
23. En. Rajali Halidi; Assistant Records Administrative Officer; Hospital Port Dickson
24. En. Jaafar Jamaan; Deputy Undersecretary; Bahagian Pengurusan Maklumat, KKM
25. Datin Jawahiril Kamariah Binti Mohamad; Deputy Undersecretary; Bahagian Pengurusan Maklumat, KKM
26. En. Jaafar Bin Ahmad; Senior Principal Assistant Secretary; Bahagian Pengurusan Maklumat, KKM
27. Pn. Wan Mahani binti Wan Ismail; Senior Principal Assistant Secretary; Bahagian Pengurusan Maklumat, KKM
28. Dr. Azizah Binti Arshad; Senior Principal Assistant Director; Bahagian Perkembangan Perubatan, KKM
29. Matron Khuzaifah Bin Mohd Noh; Nursing Supervisor; Bahagian Perkembangan Perubatan, KKM
30. Matron Sin Lian Tyhe; Nursing Supervisor; Bahagian Perkembangan Perubatan, KKM
31. Dr. Fekriah Binti Mohd Yatim; Deputy Director; Bahagian Kesihatan Pergigian KKM
32. Sister Cheng Chue Chu; Head Dental Nurse; Bahagian Kesihatan Pergigian KKM
33. Dr. Shahabudin Bin Ibrahim; Senior Principal Assistant Director; Bahagian Amalan Perubatan, KKM
34. Dr. Sharfudin Bin Noordin; Deputy Director; Bahagian Amalan Perubatan, KKM
35. Cik Nasitah Binti Sani; Assistant Information Technology Officer; Bahagian Amalan Perubatan, KKM
36. En. Jamalul Rijal Bin Abd. Aziz; Information Technology Officer; Pusat Informatik Kesihatan, KKM
37. Dr. Ilias Bin Adam Yee; Senior Assistant Director; Pusat Informatik Kesihatan, KKM
38. Dr. Azrulreezal Azannee Bin Abdul Wahab; Assistant Director; Pusat Informatik Kesihatan, KKM
39. Dr. Fathullah Iqbal Bin Ab. Rahim; Assistant Director; Pusat Informatik Kesihatan, KKM
40. Puan Noorsiah Binti Hassan Basri; Medical Records Administrative Officer; Bahagian Perancangan Dan Pembangunan
41. Cik Lidyawati Binti Abdul Hamid; Information Technology Officer; Bahagian Perancangan Dan Pembangunan
42. Puan Narimah Binti Moris; Senior Federal Counsel; Penasihat Undang-Undang
43. Dr. Sarie Idhadhyu Yac’cob; Assistant Secretary; Majlis Perubatan Malaysia


STAGE 3: TO REVIEW & OBTAIN THE APPROVAL FROM THE NATIONAL HEAD OF SERVICES, MOH

USER ACCESS CONTROL POLICY MEETING WITH HEAD OF NATIONAL SERVICES, MINISTRY OF HEALTH

Members at the meeting :

No. Name; Job Title; Name of Organisation

1. Mr. Abdollah Bin Salleh; General Surgeon & Clinical IT Coordinator; Hospital Selayang
2. Dato' Dr. Omar Ismail; Consultant, Cardiology; Hospital Pulau Pinang
3. Dato' Dr. Jeyaindran Tan Sri Sinnadurai; Senior Consultant, Medicine; Hospital Kuala Lumpur
4. Dato' Dr. N. Premchandran a/l P.S. Menon; Senior Consultant, Orthopaedics; Hospital Tuanku Ampuan Afzan
5. Dr. Hussin Imam Hj. Muhammad Ismail; Senior Consultant, Paediatrics; Hospital Kuala Lumpur
6. Mr. Johari Siregar Adenan; Consultant, Neurosurgery; Hospital Sultanah Aminah Johor
7. Datin Dr. Zaharah Musa; Consultant, Radiology; Hospital Selayang
8. Dr. Basir Towel; Senior Consultant, Orthopaedics; Hospital Serdang
9. Pn. Narimah Moris; Senior Legal Advisor; Penasihat Undang-undang KKM
10. Dr. Heselynn Binti Hussein; Head of Department of Medicine & Consultant Physician; Hospital Putrajaya
11. Dr. Wan Ahmad Hazim Wan Ahmad; Senior Consultant, O&G; Hospital Putrajaya
12. Dr. Zainal Fitri Bin Zakaria; Family Health Specialist; Klinik Kesihatan Putrajaya
13. Dr. Baizurah Binti Mohd Hussain; Consultant, Pathology; Hospital Ampang
14. Cik Rubaizah Binti Yatim; Head of Information Technology Department; Hospital Putrajaya
15. Cik Nazhiyah Binti Haron; Information Technology Officer; Pejabat Kesihatan Daerah Putrajaya
16. Dr Leela a/p Sabapathy; Deputy Director; Bahagian Telekesihatan
17. En. Samsuil Fuad Bin Munap; Deputy Director; Bahagian Telekesihatan

ACKNOWLEDGEMENT

Dr Ong Chee Leng, Deputy Director Telehealth Division has been instrumental in the initial work for the formulation of this User Access Control policy.


iii. FREQUENTLY ASKED QUESTIONS FOR MOH STAFF (BM & BI)


MyHIX FREQUENTLY ASKED QUESTIONS FOR MOH STAFF

About MyHIX

1. What is MyHIX?

A system that enables an individual's health care information to be shared between government hospitals/clinics over a virtual private network/1GovNet.

2. Why is MyHIX implemented?

MyHIX is implemented to enable doctors or care providers to access an individual's complete health information and to provide better quality and continuous health care. MyHIX is the foundation for establishing a Lifetime Health Record for individuals who seek treatment and health care at government hospitals/clinics.

3. What is the Lifetime Health Record?

It is the government's plan to create a health record for every individual in the future. It will be used when seeking treatment at any government hospital/clinic in Malaysia.

4. What are the benefits?

• Makes it easier for patients to obtain follow-up treatment at any government hospital/clinic.
• Reduces repeated examinations and investigations.
• Enables continuity of health care and more specific treatment for patients.

5. Where is it implemented?

MyHIX has been implemented as a pilot project at Hospital Putrajaya, Hospital Tuanku Ja’afar, Seremban, Hospital Port Dickson and Klinik Kesihatan Putrajaya, Presint 9.

6. When was it implemented?

It has been implemented since September 2011.

7. What information is shared?

i. Demographic information: the patient's personal information such as name, gender, MyKad number and address.
ii. Patient treatment information / discharge summary: the patient's discharge summary contains the patient's medical history, diagnosis and treatment. In the future, additional information such as patient referral letters, laboratory results and imaging reports (X-ray) will also be shared.


8. How is MyHIX implemented?

Patient health information is stored in the MyHIX database automatically (default: opt-in) so that the information can be shared by all participating government hospitals/clinics.

Patient Rights

1. Does the patient have the right not to agree to share information?

Yes, the patient may request exemption (opt-out) from MyHIX during the treatment session.

2. How is the MyHIX exemption (opt-out) process carried out?

The patient needs to complete the form for exemption (opt-out) of data entry into MyHIX. This form can be obtained from the health staff on duty at the registration counter, treatment room, ward or a location determined by the hospital/clinic.

3. Where is the MyHIX exemption (opt-out) process done?

The MyHIX exemption (opt-out) process can be done at the registration counter, in the treatment room or in the ward. However, it depends on the procedures at each government hospital/clinic.

4. When is the MyHIX exemption (opt-out) process done?

The MyHIX exemption (opt-out) process can be done at any time before the discharge summary is sent to MyHIX.

5. Where is the completed "Exemption of Data Entry into MyHIX" form kept?

It is kept in the patient's file and sent to the records office. For government hospitals/clinics that use a Hospital Information System (HIS) / Clinical Information System (CIS), the form will be scanned and stored in the database (server) of the hospital/clinic concerned.

6. Can patients change their MyHIX exemption (opt-out) decision while receiving treatment?

Yes. MyHIX exemption (opt-out) can be done throughout the treatment session as long as the discharge summary has not yet been issued.


7. Can patients change their MyHIX exemption (opt-out) decision after treatment has ended?

Patients cannot change their MyHIX exemption (opt-out) decision after treatment has ended because the information has already been sent to and stored in the MyHIX database.

8. Who can make the MyHIX exemption (opt-out) decision for patients who are unable to decide for themselves (aged 18 years and below, of unsound mind, or unconscious)?

The patient's official guardian or next of kin.

9. Can care providers access patient information from MyHIX after the patient has chosen MyHIX exemption (opt-out)?

Yes. Care providers can still access patient information even though the patient has chosen MyHIX exemption (opt-out) in the current treatment session.

Discharge Summary

1. How was the MyHIX Discharge Summary format created?

The MyHIX discharge summary was created based on the Discharge Summary Form PD302.

Information Sharing

1. Can patient information be shared between government hospitals/clinics (Ministry of Health Malaysia)?

Yes, patient information can be shared between government hospitals/clinics that use the MyHIX service.

2. Can patient information be shared with private hospitals/clinics or statutory bodies (not under the Ministry of Health Malaysia)?

For now, based on the Private Healthcare Facilities and Services Regulations 2005 (Regulation 44(2)), patient information cannot yet be shared.

Patient Confidentiality

1. Is the confidentiality of patient information in MyHIX assured?

Yes, because every government hospital/clinic that uses an information technology system is subject to the MOH ICT Security Policy (Dasar Keselamatan ICT KKM) and the User Access Control Policy.


Use of MyHIX Information

1. Can MyHIX information be used for disease analysis?

For now, disease analysis cannot yet be done.

2. Can information that has been sent to MyHIX be modified?

Information cannot be modified once it has entered the MyHIX database.

3. Can doctors or care providers add to the Discharge Summary information to be shared through MyHIX?

No. A discharge summary stored in MyHIX cannot be changed or added to. If there is additional information, an addendum can be made according to the standard operating procedure (SOP) of the respective hospital/clinic. The addendum can be sent to MyHIX and will be identified as a new discharge summary.

4. How long is information stored in MyHIX?

For the lifetime of the patient. The record retention period is based on the National Archives Act (Akta Arkib Negara).

5. Are patients allowed to use the health information in MyHIX for personal monitoring?

For now, this is not allowed. It is planned for the future.

Impact of MyHIX Implementation

1. Will MyHIX disrupt daily tasks?

MyHIX does not disrupt daily tasks.

2. Are all staff given training and exposure on MyHIX?

Yes, all staff are given training and exposure on MyHIX.


MyHIX FREQUENTLY ASKED QUESTIONS (FAQ) FOR MOH STAFF

About MyHIX

1. What is MyHIX?

A system that enables an individual's health care information to be shared between government hospitals/clinics through a virtual private network/1GovNet.

2. Why is MyHIX implemented?

MyHIX is implemented to enable the doctor or health care provider to access the individual's health information and provide continuous and better quality care. MyHIX is fundamental to the establishment of a Lifetime Health Record for every individual who seeks health/medical care at hospitals/clinics.

3. What is the Lifetime Health Record?

It is the government's plan to create a health record for each individual in the future. It will be used when seeking treatment at any government hospital/clinic in Malaysia.

4. What are the benefits?

• Facilitates follow-up treatment for patients at any government hospital/clinic.
• Reduces repeated check-ups and investigations.
• Enables continuity of health care and more specific treatment for patients.

5. Where is MyHIX implemented?

MyHIX has been implemented as a pilot project in Hospital Putrajaya, Hospital Tuanku Ja'afar Seremban, Hospital Port Dickson and Health Clinic Putrajaya, Precinct 9.

6. When was MyHIX implemented?

MyHIX has been implemented since September 2011.

7. What information is shared?

i. Patient demography: personal information such as name, gender, MyKad number and address.
ii. Patient health care information: the discharge summary, which is a summary of health care information such as medical history, diagnosis and treatment. In the future, additional information such as referral letters, laboratory results and imaging reports (X-ray) will be shared.


8. How is MyHIX implemented?

All patient health information shall be kept in MyHIX automatically (default opt-in) to enable the sharing of health care information between the hospitals/clinics involved.

Patient Rights

1. Is the patient entitled to refuse the sharing of their information?

Yes. The patient can request exemption (opt-out) from MyHIX during the treatment session.

2. How does the exemption (opt-out) process work?

The patient is required to complete the MyHIX exemption (opt-out) form. The form can be obtained from the health staff at the registration counter, treatment room, ward or a specified location determined by the hospital/clinic.

3. Where is the exemption (opt-out) process done?

The exemption (opt-out) process can be done at the registration counter, in the treatment room or in the ward. However, it depends on the standard operating procedures (SOP) of each hospital/clinic.

4. When should a patient be exempted (opt-out)?

At any time before the discharge summary is sent to MyHIX.

5. Where is the completed exemption (opt-out) form stored?

The MyHIX exemption (opt-out) form is stored in the patient file and will be kept in the record office. For hospitals/clinics which are using a Hospital Information System (HIS) / Clinical Information System (CIS), the form will be scanned and stored on the facility's server.

6. Can a patient change his/her exemption (opt-out) decision during treatment?

Yes, as long as the patient is still in the treatment process (not yet discharged).

7. Can a patient change his/her exemption (opt-out) decision after discharge?

No, a patient cannot change his/her exemption (opt-out) decision after discharge.

8. Who makes the decision on exemption (opt-out) for patients who are unable to make their own decisions (aged 18 years and under, mentally disabled or unconscious)?

The decision for exemption (opt-out) can be made by the legal guardian or next of kin of the patient.


9. Are doctors or health care providers able to access patient information from MyHIX after a patient chooses to be exempted (opt-out)?

Yes. Doctors or health care providers can still access previous patient information (opt-in by default) even if the patient chooses to be exempted (opt-out) for the current treatment.

Discharge Summary

1. How is the format of the MyHIX discharge summary created?

The format of the MyHIX discharge summary is based on the Discharge Summary Form PD302.

Information Sharing

1. Can patient information be shared among government hospitals/clinics (Ministry of Health)?

Yes, patient information can be shared between MOH health facilities using the MyHIX service.

2. Can patient information be shared with private hospitals/clinics or hospitals/clinics belonging to statutory bodies (not under the Ministry of Health Malaysia)?

So far, under the Private Acts Healthcare Facilities and Services Regulations 2005 (Regulation 44 (2)), patient information cannot be shared.

Patient Confidentiality

1. Is the confidentiality of patient information secured in the MyHIX system?

Yes, because every health care facility using IT systems is subject to the government's privacy and security policy.

Use of MyHIX Information

1. Can the MyHIX information be used to analyze disease?

Currently it cannot be used.

2. Can the information sent to MyHIX be modified?

It cannot be modified.


3. Can the doctor or caregiver make additions to the Discharge Summary?

It cannot be done. A discharge summary that has been stored in MyHIX cannot be changed or added to. If there is any additional information, an addendum can be made according to the standard operating procedures (SOP) of the hospital/clinic. The addendum is then sent to the MyHIX system and will be identified as a new discharge summary.

4. How long can information be kept in the MyHIX system?

The information can be kept for a lifetime. The period for storing the record is based on the National Archives Act.

5. Are patients allowed to use their health information stored in the MyHIX system for personal monitoring purposes?

Currently this is not allowed. However, it is already included in future planning.

Impact of MyHIX Implementation

1. Will MyHIX interfere with daily tasks?

MyHIX will not interfere with daily tasks.

2. Will training and exposure on MyHIX be given to all health staff?

Yes, all health staff will receive training and exposure on MyHIX.


iv. FREQUENTLY ASKED QUESTIONS FOR THE PUBLIC (BM & BI)


MyHIX FREQUENTLY ASKED QUESTIONS FOR THE PUBLIC

About MyHIX

1. What is MyHIX?

A system that enables an individual's health care information to be shared between government hospitals/clinics over a virtual private network/1GovNet line.

2. Why is MyHIX implemented?

MyHIX is implemented to enable doctors or care providers to access complete individual health information and to provide better-quality, continuous health care. MyHIX is the foundation for establishing a Lifetime Health Record for individuals who seek treatment and health care at government hospitals/clinics.

3. What is the Lifetime Health Record?

It is the government's plan to create a health record for every individual in the future. It will be used when seeking treatment at any government hospital/clinic in Malaysia.

4. What are the benefits?
• Makes it easier for patients to obtain follow-up treatment at any government hospital/clinic.
• Reduces repeated examinations and investigations.
• Enables continuity of health care and more specific treatment for the patient.

5. Where is it implemented?

MyHIX has been implemented as a pilot project at Hospital Putrajaya, Hospital Tuanku Ja’afar, Seremban, Hospital Port Dickson and Klinik Kesihatan Putrajaya, Presint 9.

6. When was it implemented?

It has been implemented since September 2011.

7. What information is shared?
i. Patient personal information
Patient personal information such as name, gender, MyKad number and address.
ii. Patient treatment information / discharge summary


The patient treatment information / discharge summary contains medical history, diagnosis and treatment. In the future, additional information such as patient referral letters, laboratory results and imaging reports (X-ray) will also be shared.

8. How is MyHIX implemented?

Patient health information is stored in the MyHIX database automatically (default: opt-in) so that the information can be shared by all participating government hospitals/clinics.

Patient Rights

10. Does the patient have the right to refuse to share information?

Yes, the patient can request MyHIX exemption (opt-out) during the treatment session.

11. How is the MyHIX exemption (opt-out) process carried out?

The patient must complete the form for exemption from data entry into MyHIX. The form can be obtained from the health staff on duty at the registration counter, treatment room, ward or a location determined by the hospital/clinic.

12. Where is the MyHIX exemption (opt-out) process done?

The MyHIX exemption (opt-out) process can be done at the registration counter, in the treatment room or in the ward. However, it depends on the procedures of each government hospital/clinic.

13. When is the MyHIX exemption (opt-out) process done?

The MyHIX exemption (opt-out) process can be done at any time before the discharge summary is sent to MyHIX.

14. Can patients change their MyHIX exemption (opt-out) decision while receiving treatment?

Yes. MyHIX exemption (opt-out) can be done throughout the treatment session as long as the discharge summary has not been issued.

15. Can patients change their MyHIX exemption (opt-out) decision after treatment ends?

Patients cannot change their MyHIX exemption (opt-out) decision after treatment ends because the information has already been sent to and stored in the MyHIX database.


16. Who can make the MyHIX exemption (opt-out) decision for patients who are unable to make their own decisions (aged 18 years and under, of unsound mind or unconscious)?

The patient's legal guardian or next of kin.

17. Can care providers access patient information from MyHIX after the patient chooses MyHIX exemption (opt-out)?

Yes. Care providers can still access patient information even if the patient chooses MyHIX exemption (opt-out) for the current treatment session.

Information Sharing

1. Can patient information be shared between government hospitals/clinics (Ministry of Health Malaysia)?

Yes, patient information can be shared between government hospitals/clinics under the Ministry of Health Malaysia that use the MyHIX service.

2. Can patient information be shared with private hospitals/clinics or statutory bodies (not under the Ministry of Health Malaysia)?

So far, based on the Private Healthcare Facilities and Services Regulations 2005 (Regulation 44(2)), patient information cannot yet be shared.

Patient Confidentiality

2. Is the confidentiality of patient information in MyHIX assured?

Yes, because every government hospital/clinic that uses information technology systems is subject to the Government's confidentiality and security policies.


MyHIX FREQUENTLY ASKED QUESTIONS (FAQ) FOR THE PUBLIC

About MyHIX

9. What is MyHIX?

A system that enables an individual's health care information to be shared between government hospitals/clinics through an online virtual private network/1GovNet.

10. Why is MyHIX implemented?

MyHIX is implemented to enable the doctor or health care provider to access the individual's health information and provide continuous and better quality of care. MyHIX is fundamental to the establishment of a Lifetime Health Record for every individual who seeks health/medical care at government hospitals/clinics.

11. What is the Lifetime Health Record?

It is the government's plan to create a health record for each individual in the future. It will be used when seeking treatment at any government hospital/clinic in Malaysia.

12. What are the benefits?
• Makes it easier for patients to get follow-up treatment at any government hospital/clinic.
• Reduces repeated check-ups and investigations.
• Enables continuity of health care and more specific treatment for the patient.

13. Where is MyHIX implemented?

MyHIX has been implemented as a pilot project in Hospital Putrajaya, Hospital Tuanku Ja'afar, Seremban, Hospital Port Dickson and Health Clinic Putrajaya, Precinct 9.

14. When was MyHIX implemented?

MyHIX has been implemented since September 2011.

15. What information is shared?
i. Patient demography: personal information such as name, gender, MyKad number and address.
ii. Patient health care information: the discharge summary, which is a summary of health care information such as medical history, diagnosis and treatment.
In the future, additional information such as referral letters, laboratory results and imaging reports will be shared.


16. How is MyHIX implemented?

All patient health information shall be kept in MyHIX automatically (default opt-in) to enable the sharing of health care information between the hospitals/clinics involved.

Patient Rights

10. Is the patient entitled to refuse the sharing of their information?

Yes. The patient can request exemption (opt-out) from MyHIX during the treatment session.

11. How does the exemption (opt-out) process work?

The patient is required to complete the MyHIX exemption (opt-out) form. The form can be obtained from the health staff at the registration counter, treatment room, ward or a specified location.

12. Where is the exemption (opt-out) process done?

The exemption (opt-out) process can be done at the registration counter, in the treatment room or in the ward. However, it depends on the standard operating procedures (SOP) of each hospital/clinic.

13. When should a patient be exempted (opt-out)?

At any time before the discharge summary is sent to MyHIX.

14. Can a patient change his/her exemption (opt-out) decision during treatment?

Yes, as long as the patient is still in the treatment process (not yet discharged).

15. Can a patient change his/her exemption (opt-out) decision after discharge?

No, a patient cannot change his/her exemption (opt-out) decision after discharge.

16. Who makes the decision on exemption (opt-out) for patients who are unable to make their own decisions (aged 18 years and under, mentally disabled or unconscious)?

The decision for exemption (opt-out) can be made by the legal guardian or next of kin of the patient.

17. Are doctors or health care providers able to access patient information from MyHIX after a patient chooses to be exempted (opt-out)?

Yes. Doctors or health care providers can still access previous patient information (opt-in by default) even if the patient chooses to be exempted (opt-out) for the current treatment.


Information Sharing

1. Can patient information be shared among government hospitals/clinics (Ministry of Health Malaysia)?

Yes, patient information can be shared between government hospitals/clinics using the MyHIX service.

2. Can patient information be shared with private hospitals/clinics or hospitals/clinics belonging to statutory bodies (not under the Ministry of Health Malaysia)?

So far, under the Private Acts Healthcare Facilities and Services Regulations 2005 (Regulation 44 (2)), patient information cannot be shared.

Patient Confidentiality

2. Is the confidentiality of patient information secured in the MyHIX system?

Yes, because every health care facility using IT systems is subject to the government's privacy and security policy.
