Information Security Policy

Transcription

1 Infrmatin Security Plicy Versin: 2.4 Dcument ID: 3541

2 Cpyright Ntice Cpyright 2015, ehealth Ontari All rights reserved N part f this dcument may be reprduced in any frm, including phtcpying r transmissin electrnically t any cmputer, withut prir written cnsent f ehealth Ontari. The infrmatin cntained in this dcument is prprietary t ehealth Ontari and may nt be used r disclsed except as expressly authrized in writing by ehealth Ontari. Trademarks Other prduct names mentined in this dcument may be trademarks r registered trademarks f their respective cmpanies and are hereby acknwledged. ehealth Ontari EHR Plicy Infrmatin Security Plicy i

3 Dcument Cntrl Next Review Date : Annually r therwise established by the Cnnecting Security Cmmittee. Apprval Histry APPROVER(S) APPROVED DATE Cnnecting Security Cmmittee Revisin Histry VERSION NO. DATE SUMMARY OF CHANGE CHANGED BY Nv 2013 versin adpted frm the cgta PSWG and revisin. Mark Carter Updated based n feedback f CSC Members. Added a reference t the Privacy and Assurance Plicy including bullet pints t supprt cntent. Mark Carter Plicy apprved at the CSC meeting September 9 th. Mark Carter Aligned name f access cntrl plicy based n final wave 3 CSC decisin. Mark Carter Updated plicies t nte the change in gvernance. The Steering Cmmittee was replaced by the Applicable Oversight Bdy. The reginal privacy and security cmmittee has been remved frm the exemptin decisin prcess. Gvernance respnsibilities f the Cnnecting Security Cmmittee have been added t the rles and respnsibilities sectin. Mark Carter ehealth Ontari EHR Plicy Infrmatin Security Plicy ii

4 Infrmatin Security Plicy Purpse T prtect the cnfidentiality, integrity, and availability f [the EHR Slutin] and persnal health infrmatin (PHI) stred in r prcessed by [the EHR Slutin]. In ding s, this plicy will utline the framewrk fr [the EHR Slutin] infrmatin security gvernance by: Defining the infrmatin security principles t manage: PHI and [The EHR Slutin] and infrmatin systems r infrmatin technlgies that cnnect t [the EHR Slutin]; and Scpe Establishing the rles and respnsibilities fr ensuring the principles in this plicy are implemented and maintained. This plicy applies t [the EHR Slutin] Prgram, their agents and their Electrnic Service Prviders and t [the EHR Slutin]. Fr health infrmatin custdians (HICs) that use [the EHR Slutin] t view, handle r therwise deal with PHI by prvisining access thrugh: Lcal identity prvider technlgy (lcal IdP), this plicy applies t: The HIC s lcal access cntrl and identity management infrastructure ( identity prvider services ) that manages the authenticatin and authrizatin used t prvisin access t [the EHR Slutin] (e.g., [the EHR Slutin] Security Tken Service Slutin, Micrsft Active Directry Federatin Services 2.0, etc.) Direct netwrk cnnectivity t [the EHR Slutin] Prvider Prtal and administrative functinality, including cmpnents in the cnnectin path (firewalls, prxies, etc.), and The integratin f [the EHR Slutin] Prvider Prtal with the HIC s lcal health infrmatin system (HIS) r electrnic medical recrd (EMR) applicatin(s). ehealth Ontari s ONE ID service, this plicy applies t: Direct netwrk cnnectivity t [the EHR Slutin] administrative functinality, including cmpnents in the cnnectin path (firewalls, prxies, etc.). In additin t the scpe set ut fr viewing sites, fr HICs that create r cntribute PHI t [the EHR Slutin] Clinical Data Repsitry ( cntributing sites ), this plicy als applies t: The data cntributin endpints that prvide PHI t [the EHR Slutin] s Clinical Data Repsitry; and ehealth Ontari EHR Plicy Infrmatin Security Plicy 1

5 The infrmatin technlgy and prcesses that ensure the quality f the data submitted (e.g., terminlgy mapping). This plicy des nt apply t any HIC, their agents r their Electrnic Service Prviders wh d nt view, create r cntribute t [the EHR Slutin]. Definitins [The EHR Slutin]: [The EHR Slutin] and supprting systems designed t stre and make available specified electrnic PHI frm the electrnic health infrmatin systems f HICs that may nt be available in planned prvincial r reginal repsitries s as t act as a single repsitry f such infrmatin t reduce the lad n surce systems. This des nt include any participating HIC s infrmatin systems r infrmatin technlgies. Privacy and Security Operatins Team: The Privacy and Security Operatins Team is made up f [The EHR Slutin] agents wh supprt [the EHR Slutin] privacy and security-related activities, initiatives and prcesses. Privacy and Security Cmmittee (PSC): The Privacy and Security Cmmittee (PSC) is a cmmittee cmprised f agents frm participating HICs t supprt the privacy and infrmatin security gvernance structure. Applicable Oversight Bdy: The Applicable Oversight Bdy is cmprised f senir-level executives wh versee all aspects f [the EHR Slutin]. See Plicy Gvernance Structure sectin belw. Cnnecting Security Cmmittee (CSC): The prvincial security frum cnsisting f senir security representatives frm acrss the regins and ehealth Ontari. This is a decisin making bdy respnsible fr establishing a functinal and usable infrmatin security gvernance framewrk fr participating rganizatins in the EHR. Electrnic Service Prvider: A persn that prvides gds r services fr the purpse f enabling a HIC t use electrnic means t cllect, use, mdify, disclse, retain r dispse f PHI, and includes a health infrmatin netwrk prvider. Infrmatin security: Refers t the prtectin f all types f infrmatin, infrmatin systems and infrmatin technlgies frm unauthrized access, cllectin, use, disclsure, transfer, disruptin, mdificatin, destructin r dispsal. Infrmatin system: A discrete set f infrmatin technlgy rganized fr the cllectin, prcessing, maintenance, use, disclsure, destructin, r dispsal f infrmatin. Data Cntributin End Pint(s): Technlgy and related prcesses that prvide data t the Clinical Data Repsitry r are queried t prvide data t a Clinical Viewer. Typically these systems are the Infrmatin System (e.g. Hspital Infrmatin System, Labratry Infrmatin System, Clinical Infrmatin System, etc.) that directly cnnects t [the EHR Slutin] t prvide clinical data. Identity Prvider Services: Technlgy and related supprting services, plicies, prcesses, and prcedures that are used t create, maintain, secure, validate, assert and manage electrnic identities t [the EHR Slutin]. Infrmatin technlgy: Any asset (physical r lgical) that is used in the autmatic acquisitin, strage, manipulatin, management, mvement, cntrl, display, switching, interchange, transmissin, r receptin f data r infrmatin. It includes, but is nt limited t, hardware, sftware, firmware, ancillary equipment, and related resurces. ehealth Ontari EHR Plicy Infrmatin Security Plicy 2

6 Shall/Must: Used fr abslute requirements, i.e., they are nt ptinal. Shuld: Used when valid reasns exist in certain circumstances nt t implement the requirement; hwever, the implementer must understand the implicatins befre chsing a different curse and must cnsider implementing cmpensating cntrls. May: The requirement is nly a recmmendatin, r prvided as an implementatin example and is nt intended n being exhaustive. ehealth Ontari EHR Plicy Infrmatin Security Plicy 3

7 Plicy 1. Principles Acceptable Use f Infrmatin and Infrmatin Technlgy 1.1. [The EHR Slutin] Prgram and HICs must define behaviural requirements gverning the acceptable use f infrmatin and infrmatin technlgy t which [the EHR Slutin] s agents and Electrnic Service Prviders, and HICs, their agents and Electrnic Services Prviders with access t [the EHR Slutin] must adhere. Infrmatin Security Training Refer t the Acceptable Use f Infrmatin and Infrmatin Technlgy Plicy [The EHR Slutin] Prgram and HICs must fster an infrmatin security-psitive culture. This may be achieved by implementing an infrmatin security awareness and educatin prgram t help all persns with access t [the EHR Slutin] t understand their infrmatin security-related bligatins. Threat Risk Management Cryptgraphy Refer t the Privacy and Security Training Plicy [The EHR Slutin] Prgram must perfrm infrmatin security threat risk assessments (TRAs) n [the EHR Slutin] and must track, and mitigate r frmally accept all f their risks that are identified thrugh a TRA HICs shuld perfrm infrmatin security TRAs n their identity prvider services and data cntributin endpints. Refer t the Threat Risk Management Plicy [The EHR Slutin] Prgram must implement cryptgraphic slutins in [the EHR Slutin] t prtect the cnfidentiality and integrity f PHI where apprpriate, as well as t cnfirm the identity f the riginatr f a cmmunicatin HICs must implement cryptgraphic slutins n their relevant infrmatin systems t prtect the cnfidentiality and integrity f PHI that is accessed thrugh [the EHR Slutin]. Refer t the Cryptgraphy Plicy. Infrmatin and Asset Management 1.7. [The EHR Slutin] Prgram must classify and define prtectin requirements fr PHI in [the EHR Slutin] in a manner that prtects its cnfidentiality, integrity, and availability in any frm (e.g., paper r electrnic) thrughut its infrmatin lifecycle. ehealth Ontari EHR Plicy Infrmatin Security Plicy 4

8 Refer t the Infrmatin and Asset Management Plicy. Access Cntrl and Identity Management 1.8. [The EHR Slutin] Prgram and HICs must establish apprpriate access and identity management cntrls t manage all persns and infrmatin system access t [the EHR Slutin]. These cntrls must: Define the infrmatin security respnsibilities f all persns wh have access t [the EHR Slutin] Ensure that nly authrized persns are granted access t [the EHR Slutin] and that persnal accuntability is assured Ensure that nly authrized infrmatin systems are granted access t [the EHR Slutin], and Prvide authrized persns r infrmatin systems with nly the least amunt f privileges that are sufficient t enable them t perfrm their duties but d nt permit them t exceed their authrity. Lgging and Mnitring Refer t the Access Cntrl and Identity Management Plicy fr System Level Access and the Identity Federatin Standard [The EHR Slutin] Prgram must lg and mnitr all access t [the EHR Slutin], and must lg and mnitr infrmatin system events n [the EHR Slutin] HICs must lg and mnitr all access by the HIC, their agents r Electrnic Service Prviders t [the EHR Slutin] s Prvider Prtal, and must lg and mnitr infrmatin system events n their identity prvider services and data cntributin endpints. Netwrk and Operatins Refer t the Security Lgging and Mnitring Plicy [The EHR Slutin] Prgram must implement cntrls t secure their netwrk infrastructure, and establish prcedures t secure the nging management and peratin f [the EHR Slutin] HICs must implement cntrls t secure their netwrk infrastructure, and establish prcedures t secure the nging management and peratin f their identity prvider services and data cntributin endpints. System Develpment Lifecycle Refer t the Netwrk and Operatins Plicy [The EHR Slutin] Prgram must define infrmatin system develpment and change cntrl requirements, and ensure that all system develpment activities perfrmed n [the EHR Slutin] are carried ut in accrdance with these requirements. ehealth Ontari EHR Plicy Infrmatin Security Plicy 5

9 1.14. HICs shuld define infrmatin system develpment and change cntrl requirements and ensure that identity prvider services and data cntributin endpint develpment activities are carried ut in accrdance with these requirements. Electrnic Service Prviders Refer t the System Develpment Lifecycle Plicy [The EHR Slutin] Prgram must ensure that their Electrnic Service Prviders wh will have access t [the EHR Slutin], r wh manage r prvide supprt t [the EHR Slutin] have adequate infrmatin security cntrls in place t prtect and maintain the level f cnfidentiality, integrity and availability HICs must ensure that their Electrnic Service Prviders wh will have access t their identity prvider services r data cntributin endpints, r wh manage r prvide supprt t these systems have adequate infrmatin security cntrls in place t prtect and maintain the level f cnfidentiality, integrity and availability. Physical Security Refer t the Electrnic Service Prvider Plicy [The EHR Slutin] Prgram must implement cntrls t prtect against the risks f unauthrized physical access and envirnmental damage t [the EHR Slutin] HICs must implement cntrls t prtect against the risks f unauthrized physical access and envirnmental damage t their identity prvider services and data cntributin endpints. Business Cntinuity Refer t the Physical Security Plicy [The EHR Slutin] Prgram must implement prcedures necessary t ensure that [the EHR Slutin]: Remains available, especially in the event f a disaster, r Can be recvered in the event that peratins are disrupted HICs shuld develp business cntinuity plans t ensure that their identity prvider services and data cntributin endpints: Remain available, especially in the event f disaster, r Can be recvered in the event that peratins are disrupted. Refer t the Business Cntinuity Plicy. Infrmatin Security Incident Management ehealth Ontari EHR Plicy Infrmatin Security Plicy 6

10 1.21. [The EHR Slutin] Prgram and HICs must implement an infrmatin security incident management prcess t identify and reslve infrmatin security incidents related t [the EHR Slutin] quickly and effectively, while minimizing their impact and reducing the risk f similar infrmatin security incidents frm ccurring. Refer t the Infrmatin Security Incident Management Plicy. Privacy and Security Assurance HICs must identify and mitigate privacy and security risks and areas f nn-cmpliance in respect f [the EHR Slutin], including thrugh privacy and security readiness self-assessments, privacy and security peratinal self-attestatins, auditing and mnitring activities and assurance f agents and Electrnic Service Prviders [The EHR Slutin] Prgram Office must identify and mitigate privacy and security risks and areas f nn-cmpliance in respect f [the EHR Slutin], including thrugh privacy impact assessments, threat risk assessments, privacy and security readiness self-assessments, privacy and security peratinal self-attestatins, auditing and mnitring activities and assurance f agents, Electrnic Service Prviders and third parties. Refer t the Privacy and Security Harmnized Assurance Plicy. 2. Infrmatin Security Exemptin Requirements 2.1. All shall/must requirements are mandatry. Any deviatin frm a mandatry requirement in a [the EHR Slutin] infrmatin security plicy, standard, r supprting dcument must be apprved by the Applicable Oversight Bdy All infrmatin security exemptin requests must be assessed by the Privacy and Security Operatins Team and then reviewed by the Applicable Oversight Bdy fr apprval [The EHR Slutin] Prgram must lg all infrmatin security exemptin requests Infrmatin security exemptins may be requested and granted fr any length f time. Hwever, all apprved exemptins must be reviewed by the Privacy and Security Operatins Team at a minimum, every tw years, t ensure that the level f risk has nt increased r that new risks have nt appeared. If the Privacy and Security Operatins Team reassesses the risk at a higher level r identifies additinal risks, then the exemptin must be presented t the Applicable Oversight Bdy fr re-apprval The Applicable Oversight Bdy has the right t revke any apprved infrmatin security exemptins. Hwever, HICs must be prvided with at least six mnths t cmply with the plicy if their infrmatin security exemptin is revked. Refer t Appendix A: Infrmatin Security Exemptin Requests ehealth Ontari EHR Plicy Infrmatin Security Plicy 7

11 3. Rles and Respnsibilities Privacy and Security Cmmittee 3.1. The Privacy and Security Cmmittee must: Applicable Oversight Bdy Review, prvide feedback, and ratify all [the EHR Slutin] infrmatin security plicies 3.2. The Applicable Oversight Bdy must: Apprve all infrmatin security plicies Apprve r deny all infrmatin security exemptin requests Where applicable, hld all [the EHR Slutin] agents and Electrnic Service Prviders, and HICs accuntable fr unauthrized r inapprpriate access, cllectin, use, disclsure, dispsal, mdificatin, r interference with [the EHR Slutin], PHI r [the EHR Slutin] infrmatin. Privacy and Security Operatins Team 3.3. Privacy and Security Operatins Team must: Prvide infrmatin security leadership and guidance t HICs Develp, implement and maintain an infrmatin security prgram that will establish an infrmatin security gvernance, strategy and plicy framewrk fr the HICs and external service prviders Develp, implement and maintain supprting plicies, standards and supprting dcuments that uphld and expand upn the principles f this plicy Prvide guidance t the HICs n infrmatin security training and awareness activities Mnitr, reprt, and make recmmendatins fr actin r imprvement t the PSC n infrmatin security psture, infrmatin security incidents, and the status and effectiveness f the infrmatin security prgram Review, and prvide recmmendatins n all infrmatin security plicy exemptins t the Applicable Oversight Bdy. Health Infrmatin Custdians (HICs) 3.4. All HICs must: Develp, implement and maintain an infrmatin security plicy fr their rganizatin that uphlds the principles f this plicy and any ther applicable infrmatin security plicies, standards and supprting dcuments ehealth Ontari EHR Plicy Infrmatin Security Plicy 8

12 Designate an infrmatin security lead t ensure cmpliance with the principles utlined in this plicy. The infrmatin security lead may be the same persn as the appinted cntact persn required by Persnal Health Infrmatin and Prtectin Act, 2004 (PHIPA) sectin15 r the site cntact identified in the participatin agreement Ensure that all agents and Electrnic Service Prviders wh have access t [the EHR Slutin] Services are apprpriately infrmed f their infrmatin security respnsibilities Require all agents and Electrnic Service Prviders wh have access t [the EHR Slutin] t agree t an end user agreement that includes cnfidentiality prvisins befre being prvided with access t [the EHR Slutin] Hld individual agents and Electrnic Service Prviders accuntable fr unauthrized r inapprpriate access, cllectin, use, disclsure, dispsal, destructin, mdificatin, r interference with [the EHR Slutin], r their infrmatin systems. Cnnecting Security Cmmittee Apprve all infrmatin security plicies Review trend reprting f security exemptins Review security incident reprts Exemptins Any exemptins t this Plicy must be apprved by the Applicable Oversight Bdy, wh will authrize exemptins nly where there is clear justificatin t d s and nly t the minimum extent necessary t meet the justified need. See Appendix A: Infrmatin Security Exemptin Requests in the Infrmatin Security Plicy Enfrcement All instances f nn-cmpliance will be reviewed by the Applicable Oversight Bdy. Plicy Gvernance Structure The Applicable Oversight Bdy has the authrity t impse apprpriate penalties, up t and including terminatin f the Agreements with the HIC, Electrnic Service Prviders r terminatin f the access privileges f agents, and t require the implementatin f remedial actins. EHR Slutin Applicable Oversight Bdy Cnnecting Ontari CDR ehealth Ontari Strategy Cmmittee References ehealth Ontari EHR Plicy Dcuments ehealth Ontari EHR Plicy Infrmatin Security Plicy 9

13 Infrmatin Security Plicy Acceptable Use f Infrmatin and Infrmatin Technlgy Access Cntrl and Identity Management Plicy fr System Level Access Lcal Registratin Authrity Prcedures Identity Federatin Standard Business Cntinuity Plicy Cryptgraphy Plicy Electrnic Service Prviders Plicy Infrmatin Security Incident Management Plicy Infrmatin and Asset Management Plicy Netwrk and Operatins Plicy Security Lgging and Mnitring Plicy Systems Develpment Lifecycle Plicy Physical Security Plicy Threat Risk Management Plicy Harmnized Privacy Prtectin Plicies Canada Health Infway Reference Canada Health Infway Electrnic Health Recrd Privacy and Security Requirements (Versin 1.1 Revised February 7, 2005) Other Infrmatin and Privacy Cmmissiner f Ontari s Guidelines n Facsimile Transmissin Security (January 2003) ehealth Ontari EHR Plicy Infrmatin Security Plicy 10

14 Appendix A: Infrmatin Security Exemptin Requests Stage Respnsibility Descriptin 1 [The EHR Slutin] s agent r Electrnic Service Prvider Cmpletes sectin 1 f the Infrmatin Security Exemptin Request Frm and sends the frm t Privacy and Security Operatins Team - OR A HIC, their agent r Electrnic Service Prvider ( Requestr ) 2 Privacy and Security Operatins Team Reviews the Infrmatin Security Exemptin Request Frm and cmpletes sectin tw. 1 3 Applicable Oversight Bdy Reviews the request and either: Apprves the request Apprves the request with cnditins, OR Denys the request 4 Privacy and Security Operatins Team Lgs the Applicable Oversight Bdy s decisin. Infrms the requestr f the Applicable Oversight Bdy s decisin and sends the HIC a cpy f the Infrmatin Security Exemptin Request Frm. Stres the Infrmatin Security Exemptin Request Frm. The fllwing is the prcess fr reviewing, and if necessary, reapprving infrmatin security exemptins that were riginally apprved fr a perid f greater than tw years. Stage Respnsibility Descriptin 1 Privacy and Security Operatins Team Reviews the apprved Infrmatin Security Exemptin Request Frm t assess if there is any change t the levels f risk riginally identified. 1 This sectin is dne in cnsultatin with the requestr, and is usually a cyclical prcess. Fr example, after Privacy and Security Operatins Team cnsults with the requestr, the requestr may agree t implement additinal cmpensating cntrls. The request frm wuld then be updated and the residual risk may be lwered. ehealth Ontari EHR Plicy Infrmatin Security Plicy 11

15 If there are n new risks and the riginal levels f risk have nt increased: The infrmatin security exemptin request lg is updated t indicate that the review was perfrmed but there were n additinal risks r increase t level f riginal risks. Advises the requestr that the exemptin request has been renewed. Lgs renewal. [Prcess ends here] If new risks have been identified r the riginal level f risks have increased: Privacy and Security Operatins Team updates the infrmatin security exemptin request frm and ntifies the requestr f the change in assessed risk. 2 Requestr Reviews the updated infrmatin security exemptin frm and updates the frm with any additinal cmpensating cntrls that have been put in place r that they will be put in place t address the additinal r increased level f risk. 3 Privacy and Security Operatins Team Reviews the updated infrmatin security exemptin frm and revises the residual risk rating if necessary. 4 Applicable Oversight Bdy Reviews the request and either: Sends the infrmatin security exemptin request frm t the Applicable Oversight Bdy. Renews the exemptin Renews the exemptin with cnditins, OR Revkes the exemptin. 5 Privacy and Security Operatins Team Lgs the Applicable Oversight Bdy s decisin. Infrms the requestr f the Applicable Oversight Cmmittee s decisin and sends the HIC a cpy f the Infrmatin Security Exemptin Request Frm. Stres the Infrmatin Security Exemptin Request Frm. ehealth Ontari EHR Plicy Infrmatin Security Plicy 12

16 Infrmatin Security Exemptin Request Frm Use this frm t request an infrmatin security exemptin. Frm Cmpletin Instructins 1. Cmplete all fields as specified. Mandatry fields fr the requestr are marked with an asterisk (*). If the frm is incmplete, it will be returned t yu. Indicate Nt Applicable r N/A if the field is nt applicable. 2. Once cmpleted, please the cmpleted frm t the Privacy and Security Operatins Team. 3. If yu have any questins regarding the cmpletin f this frm, please cntact yur [EHR Slutin] Site Crdinatr r the Privacy and Security Operatins Team. FORM TIPS: The frm will pen with the pinter in the start psitin. Begin typing yur infrmatin. Use the TAB key n yur keybard t mve t the next bx. Yu can use SHIFT + TAB t mve back. Click yur left muse buttn t fill in checkbxes. SECTION 1: Request (T be cmpleted by the requestr ) Requestr infrmatin First Name * Last Name * Title * (e.g., CEO, CIO) Business Telephne * (include ext.) ( ) Organizatin/Site/Hspital Name (e.g., ABC Hspital) Business * Name f plicy/standard/supprting dcument fr which an exemptin is being requested: * Requirement(s) * Reasn(s) fr nn-cmpliance: * Lists the infrmatin systems r specific infrmatin technlgies fr which this exemptin will be applied: * Type and sensitivity f affected data: * Prpsed plan fr managing/mitigating the risks assciated with nn-cmpliance r list f cmpensating cntrls that have been implemented: * Anticipated duratin (length f time) fr exemptin: * Additinal Infrmatin: Internal Endrsement (e.g., endrsement by HIC s CIO): Please list the endrser s full name and jb title (e.g., Jhn Smith, Chief Infrmatin Officer) and an frm the endrser when yu ehealth Ontari EHR Plicy Infrmatin Security Plicy 13

17 yur t exemptin request t the [the EHR Slutin] Prgram. SECTION 2: Assessment (t be cmpleted by Privacy and Security Operatins Team) [The EHR Slutin] Reviewer s Infrmatin First Name * Last Name * Title * (e.g., Security Analyst) Business Telephne * (include ext.) ( ) Business * Descriptin f Risk(s) t [the EHR Slutin] Prgram r the Cnnecting Slutin* Level f Residual Risk * (e.g., high, medium, r lw) Recmmendatin by Privacy and Security Operatins Team* [NOTE: Recmmendatin ptins are either: 1) apprve request as is, 2) apprve request with cnditins (must list cnditins), OR 3) deny request.] SECTION 3: Decisin (t be cmpleted by Privacy and Security Operatins Team) Applicable Oversight Bdy s Decisin* Date f Endrsement* [NOTE: Endrsement ptins are either: 1) recmmend apprving request as is, 2) recmmend apprving request with cnditins (must list cnditins), OR 3) recmmend denying request.] Evidence f decisin* (An frm a Applicable Oversight Bdy chair r a cpy f the meeting minutes is acceptable, please attach t the evidence in the space belw (e.g., by inserting a.msg r PDF file as an bject int this dcument. Nte: Yu must unlck the frm t attach file.) ehealth Ontari EHR Plicy Infrmatin Security Plicy 14