TOH Portal Services Expansion. Privacy Impact Assessment Summary


Copyright Notice

Copyright 2011, eHealth Ontario
All rights reserved

No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of eHealth Ontario. The information contained in this document is proprietary to eHealth Ontario and may not be used or disclosed except as expressly authorized in writing by eHealth Ontario.

Trademarks

Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Introduction

eHealth Ontario completed a Privacy Impact Assessment (PIA) on the expansion of portal services at The Ottawa Hospital (TOH) in October 2011, in accordance with Ontario Regulation (O.Reg.) 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA) and eHealth Ontario's Personal Health Information Privacy Policy.

The TOH portal services expansion PIA found that eHealth Ontario has the authority under section 6.2 and 6(3) of O.Reg. 329/04 to operate portal services within the four walls of TOH, as eHealth Ontario is receiving personal health information (PHI) from the Ministry of Health and Long-Term Care (MOHLTC) for the purpose of creating or maintaining one or more EHRs and for providing electronic services to two or more health information custodians (HICs) where the services are provided primarily to HICs to enable the HICs to use electronic means to disclose PHI to one another. The PIA also analyzed, on a conceptual level, the expansion of Portal Services beyond the four walls of TOH to authorized health care practitioners within the Champlain Local Health Integration Network (LHIN).

The following is a summary of the PIA, including a brief background on portal services at TOH, key findings, and eHealth Ontario's progress in implementing the recommendations identified in the PIA.

Background

The primary objectives of the portal services initiative are to develop portlets that provide clinicians with greater access to clinical data such as that stored in the Ontario laboratories information systems (OLIS) and Ontario Drug Benefit (ODB) databases. Portlets are web-based applications that will enable clinicians (e.g., hospitals) to access data within repositories such as OLIS and ODB through a portal (e.g., TOH portal). A portlet must be accessed through a portal, and can be distributed across as many applicable portals as are necessary.

eHealth Ontario has been working with TOH to integrate eHealth Ontario's portal services into the MyTOH Portal. This project is currently in a pilot phase and will begin to roll out more broadly to authorized users. Through this pilot, TOH clinicians have access to PHI in the OLIS and the ODB databases. OLIS contains laboratory results on patients who have had laboratory tests conducted in Ontario. ODB contains drug claims histories of individuals who receive benefits through the ODB Program or the Trillium Drug Program. A clinician at TOH can log into the TOH web portal and have access to the lab results and prescription information for patients who are receiving or have received health care services at TOH.

The MOHLTC is the HIC of the PHI in the ODB and OLIS databases (eHealth Ontario is acting as an agent to the MOHLTC to operate and manage OLIS). The MOHLTC has the authority under PHIPA to disclose PHI in OLIS and ODB for the purpose of assisting in the provision of healthcare. eHealth Ontario, as an agent to the MOHLTC in respect of OLIS, provides OLIS data to itself under section 6.2 of O.Reg. 329/04 for the purposes of making OLIS data available to clinicians at TOH through a portlet. eHealth Ontario makes OLIS data available to clinicians at TOH as part of its role in creating and maintaining EHRs under O.Reg. 329/04. Additionally, eHealth Ontario is acting as a health information network provider under O.Reg. 329/04, for the ODB data, in providing electronic means to two or more HICs to enable them to disclose PHI to one another.

eHealth Ontario's roles under O.Reg. 329/04 and its policies and procedures require that a PIA of the portal services initiative be undertaken.

Summary of Privacy Impact Assessment

The scope of the TOH portal services expansion PIA includes a physical analysis of all components of the initiative up to and including Release 2, scheduled for November 2011, and a conceptual analysis of portal services expansion beyond the four walls of TOH, scheduled for early 2012.

The PIA analyzes the legislative authority under which eHealth Ontario receives PHI from contributing HICs (in this case, the MOHLTC), and flows this information to end-user HICs (clinicians at TOH). The PIA also considers the technical, administrative and physical safeguards which have been put in place to ensure that all flows of PHI occur in a secure and privacy-protective manner, and are in compliance with legislative requirements, relevant agreements, best practices as represented in the Canadian Standards Association Privacy Code and eHealth Ontario's privacy policies, procedures and privacy best practices.

The PIA concludes that eHealth Ontario has the overall PHIPA authorities for providing Portal Services to TOH, for the purpose of creating or maintaining one or more EHRs, under section 6.2 of O.Reg. 329/04 and for providing electronic means to two or more HICs to enable them to disclose PHI to one another, under section 6(3) of O.Reg. 329/04. Additionally, eHealth Ontario has a robust infrastructure for the processing of sensitive PHI, with policies and practices to protect the privacy of Ontarians and the security of the information in the custody of eHealth Ontario.

The PIA recommends several measures to ensure that for the TOH portal services expansion, eHealth Ontario is in compliance with PHIPA and O.Reg. 329/04 as well as eHealth Ontario policies, procedures and privacy best practices.

Summary of Recommendations made in the Privacy Impact Assessment

The PIA provides a number of recommendations associated with portal services at TOH, as summarized below:

1. eHealth Ontario to review, and if required, revise relevant agreements with TOH and MOHLTC to allow Portal Services to expand to all clinicians at TOH who require access to the PHI. eHealth Ontario to include provisions in compliance with section 6(3)7 of PHIPA O.Reg. 329/04, where eHealth Ontario is acting as a health information network provider.

2. eHealth Ontario to develop a formal project charter, governance framework and terms of reference for expansion of portal services beyond the four walls of TOH.

3. In the current release of portal services within the four walls of TOH, all users act under the authority of TOH, such that a temporary reinstatement of consent applies to all clinicians within the four walls of TOH who are authorized to access data through eHealth Ontario's portlets. eHealth Ontario to enhance existing technical capabilities to ensure each individual user must perform an override of consent directives in order to access a patient's record.

4. eHealth Ontario to review, and if required, update privacy and security incident management procedures to specifically address the new requirement in O.Reg. 329/04 to notify contributing HICs (i.e., MOHLTC) of inappropriate access, use, or disclosure of PHI made available through portal services.

5. eHealth Ontario to develop and document a procedure for managing individual access requests for data made available through portal services prior to expansion beyond the four walls of TOH.

6. eHealth Ontario to finalize and implement its privacy health check toolkit prior to expansion of portal services beyond the four walls of TOH.

eHealth Ontario is currently in the process of implementing each of the recommendations identified in the 2011 TOH portal services expansion PIA.

Glossary

HIC: health information custodian
LHIN: Local Health Integration Network
MOHLTC: Ministry of Health and Long-Term Care
ODB: Ontario Drugs Benefits
OLIS: Ontario laboratories information system
O.Reg.: Ontario Regulation
PHIPA: Personal Health Information Protection Act, 2004
PHI: personal health information
PIA: Privacy Impact Assessment
TOH: The Ottawa Hospital

Contact Information

Please contact the eHealth Ontario privacy office should you have any questions about the TOH portal services expansion PIA Summary:

eHealth Ontario Privacy office
777 Bay Street, Suite 701
Toronto Ontario M5B 2E7
Tel: (416) 946-4767
privacy@ehealthontario.on.ca