Health Care Provider Guide
Diagnostic Imaging Common Service Project, Release 1
Version: 1.4
Copyright Notice

Copyright 2014, eHealth Ontario

All rights reserved

No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of eHealth Ontario. The information contained in this document is proprietary to eHealth Ontario and may not be used or disclosed except as expressly authorized in writing by eHealth Ontario.

Trademarks

Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Document Control

The electronic version of this document is recognized as the only valid version.

Document ID: 3598
Document Sensitivity Level: Low
Contents

General Information
  Purpose and Scope
  Audience
  Related Documents
  Glossary
Service Description
  Overview
  Benefits
  Benefits to You
  Benefits to Your Patients
  eHealth Ontario Responsibilities
  Diagnostic Imaging Information Publisher Responsibilities
  Diagnostic Imaging Information Consumer Responsibilities
Privacy and Security Considerations
  Patient Consent
  Background
  Overriding a consent directive
  Applying consent directives to Diagnostic Imaging data
  Access Requests
  Access requests made by patients for Diagnostic Imaging data
  Requests for audit logs
  Correction Requests
  Privacy Complaints and Inquiries
  Privacy Breach Management
  Security Incident and Breach Management
  Instructions for Health Care Providers
  Instructions for Privacy Officers
  Privacy-related questions from Health Care Provider sites
Summary of Security Safeguards in Place at eHealth Ontario
  Administrative Safeguards
  Technical Safeguards
  Physical Safeguards
Glossary

Term: Definition

CPS: Certification Practices Statement
DI: Diagnostic Imaging
DI CS: eHealth Ontario Diagnostic Imaging Common Service
DI-r: Regional diagnostic imaging repository
ENITS: Emergency Neuro Image Transfer System
HN: Health (Card) Number
IHF: Independent Health Facility
LRA: Local Registration Authority
MRN: Medical Record Number. Patient identifier unique within an issuer site.
ONE ID: Set of systems and processes for the assignment and management of electronic identities to allow secure access to eHealth services.
ONE Portal: eHealth Ontario Portal provides secure access to collaboration tools, content management and health care applications such as Diagnostic Imaging Common Service.
PACS: Picture Archiving and Communications Systems
RA: Registration Authority
SDM: Substitute Decision Maker
Service Description

Overview

Diagnostic Imaging (DI) Common Service is an initiative that supports the sharing and viewing of DI results across Ontario to all hospital and community-based health care providers anytime, anywhere. DI Common Service gives health care providers important information to make better decisions about a patient's treatment.

Prior to DI Common Service, authorized health care providers could share images and reports securely with other providers only within their respective Diagnostic Imaging Repositories (DI-rs). Now, with the first installment of DI Common Service, diagnostic reports can be shared across the entire province, and future releases will enable sharing of diagnostic images and other types of DI information across Ontario. The diagnostic images and corresponding reports are stored in repositories from which they can be retrieved in digital format. This capability is providing physicians with faster access to information, resulting in faster diagnosis.

eHealth Ontario DI Program is committed to delivering health care providers in Ontario with secure electronic access to their patients' comprehensive diagnostic images and reports from anywhere at any time, resulting in improved patient care. The program is achieving this through a number of initiatives in addition to the DI Common Service, which include hospital Diagnostic Imaging Repositories (DI-rs), integration of Independent Health Facilities (IHFs) and the Emergency Neuro Image Transfer System (ENITS).

eHealth Ontario DI program is part of the agency's overall strategy to improve access to safe patient care. By putting in place a stable technical infrastructure, it guarantees that health care providers have access to vital clinical activity information when they need it.
Benefits

Benefits to You

- Access to diagnostic reports across Ontario
- Faster and easier access to images [1] and reports 24/7
- Remote access to diagnostic imaging reports for off-hours coverage
- Real-time clinical collaboration, increasing access to a broader range of specialists

[1] The initial release of Diagnostic Imaging Common Service will enable provincial sharing of diagnostic reports, while future releases will enable provincial sharing of diagnostic images and other types of DI information.

Benefits to Your Patients

- Eliminates unnecessary patient travel
- Reduces wait times and lengths of stay thanks to faster exam reports and clinical decisions by physicians and specialists
- Reduces duplicate and unnecessary exams
- Eliminates the need to physically transfer images or CDs to the specialist

eHealth Ontario Responsibilities

eHealth Ontario shall comply with the following obligations:

- Provide Diagnostic Imaging Common Service application functionalities as described below, for registered health care providers 24/7.
- Provide alternative ways to search for a patient of interest within the Diagnostic Imaging Community of the Electronic Health Record.
- Enable access to the patient's diagnostic imaging reports [2] that have been submitted by health care providers to the regional Diagnostic Imaging Repositories.
- Do not provide access to diagnostic imaging information that has been restricted by one or more consent directives issued by the patient.
- Temporarily reinstate access to diagnostic imaging information restricted by consent directives when the health care provider indicates that the patient's or his/her substitute decision maker's approval has been obtained.
- Provide general support for the application during standard business hours as described in the Support section of this guide.
- Update the application to expand and enhance the functionalities provided.
- Create and maintain a certification practices statement (CPS) that describes the practices followed by eHealth Ontario certification authority when issuing public key infrastructure certificates and keys.
- Conduct privacy and security assessments to ensure that the collection, storage, use and disclosure of personal identity information related to registration comply with legislative and privacy protection requirements.
- Assist providers in meeting their legislative obligation on responding to individuals' access and correction requests.

[2] The initial release of Diagnostic Imaging Common Service will enable provincial sharing of diagnostic reports, while future releases will enable provincial sharing of diagnostic images and other types of DI information.

Diagnostic Imaging Information Publisher Responsibilities

Health care providers that publish diagnostic imaging information shall comply with the following obligations:
- Provide timely, complete and accurate diagnostic imaging order information to the regional Diagnostic Imaging Repository.
- Provide all diagnostic imaging reports, complete and accurate information associated with each report, all report addendums and all report replacements to the regional Diagnostic Imaging Repository on a timely basis.

Diagnostic Imaging Information Consumer Responsibilities

Health care providers that use diagnostic imaging information shall comply with the following obligations:

- Register as a user of a portal hosting the Electronic Health Record Diagnostic Imaging application.
- Enrol in the Electronic Health Record Diagnostic Imaging application to access diagnostic imaging information submitted to the Diagnostic Imaging Repositories across Ontario.
- Follow the requirements of the eHealth Ontario Identity Provider Standard.
- Agree to follow eHealth Ontario acceptable use policy available at
- Review the reference information listed above and learn how to protect privacy and security when using eHealth Ontario products.
- Use Diagnostic Imaging Common Service application's functionalities only for approved clinical purposes.
- Always indicate the person or the organization that the user represents when accessing diagnostic imaging information.
- Use Diagnostic Imaging Common Service application to locate the electronic health record for the patient under your care.
- Obtain the patient's or the substitute decision maker's consent prior to requesting temporary reinstatement of consent to access diagnostic imaging information restricted by consent directives.
- Use Diagnostic Imaging Common Service application to display, print or save diagnostic imaging reports.
- When support is required, follow the troubleshooting process as described in the Support section below.
- Implement and assist users to follow privacy and security policies, where applicable.
Privacy and Security Considerations

Patient Consent

Background

As custodians of patient personal health information (PHI), health care providers working at sites have obligations under PHIPA and Ontario Regulation 329/04 (the regulation) for protection of PHI.

Patient Consent Model

DI Common Service data has a consent directive capability, which gives patients or their substitute decision maker (SDM) the option to restrict access to patient data in DI Common Service. A patient may restrict access to either:

- All of his/her diagnostic imaging results in DI Common Service (Domain consent directive); or
- A particular diagnostic imaging result (HIC Record consent directive). Not in place in the first release.

In other words, if a patient restricts access to his/her results in DI Common Service, health care providers querying DI Common Service data will not be able to access any patient information that has been, or will be, submitted into DI Common Service.

Overriding a consent directive

In special cases (with consent from the patient or the patient's SDM) the patient directive restricting access to the test may temporarily be overridden by a provider. Health care providers may request to temporarily override a consent directive applied to data when access has been granted directly by a patient or the patient's SDM (express consent). No health care provider using DI Common Service should override a consent directive applied to DI Common Service data without the patient's or SDM's express consent. Therefore, health care providers using DI Common Service are permitted to override consent directives applied to DI Common Service data only where permission to do so has been expressly authorized by the patient or the patient's SDM prior to performing the consent directive override.
Overriding a patient's consent directive for DI Common Service data without express consent from the patient or the patient's SDM will constitute a breach of the EHR Access Services Schedule, and will be subject to the remedies available under the agreement. Temporary override will be logged in DI Common Service application interface, along with the identity of the overriding health care provider.
Applying consent directives to Diagnostic Imaging data

If a patient contacts a health care provider and wishes to place a restriction on access to his/her information in DI Common Service, or wishes to reinstate access (remove the restriction), the HIC should capture the patient and consent directive information on the DI CS Consent Form, and submit the patient and consent directive information to eHealth Ontario by faxing it to (416) or ,

In instances where a patient wants to issue consent directives on records contributed by more than one HIC, the provider can direct the individual to contact eHealth Ontario at to apply consent directives as per the consent management policy.

Access Requests

Access requests made by patients for Diagnostic Imaging data

Under PHIPA, patients or their SDMs have a right to access the patient's data held by a HIC about the patient. Where a provider receives a request for records collected, created and contributed by the provider to DI CS, the provider shall follow Part V of PHIPA and its internal policies, procedures and practices to respond directly to the individual in respect of the Request for Access.

In instances where a request for access involves information contributed by another HIC or by multiple HICs, the provider shall:

- Notify the individual that the Request for Access involves PHI not within the custody or control of the HIC that received the Request for Access; and
- Direct the individual to contact eHealth Ontario at to make the Request for Access.

As per the DI CS Access and Correction policy, eHealth Ontario may seek assistance from you when responding to access requests received directly by eHealth Ontario.
Requests for audit logs

Where a provider receives a Request for Access directly from an individual related to the audit logs for records stored in DI CS, the HIC shall:

- Notify the individual that the HIC is unable to process the Request for Access; and
- Direct the individual to contact eHealth Ontario at to make the Request for Access to logs.
As per the DI CS Access and Correction policy, eHealth Ontario may seek assistance from you when responding to access requests received directly by eHealth Ontario.

Correction Requests

Where a HIC receives a Request for Correction directly from an individual related to records of PHI that were created and contributed to the DI CS solely by that HIC, the HIC shall follow Part V of PHIPA and its internal policies, procedures and practices to respond directly to the individual in respect of the Request for Correction.

Where a HIC receives a Request for Correction directly from an individual related to records of PHI that were created and contributed to the DI CS solely by another HIC or by more than one HIC, the HIC that received the Request for Correction shall as soon as possible, but in any event no later than 2 days after receiving the Request for Correction:

- Notify the individual that the Request for Correction involves PHI not within the custody or control of the HIC that received the Request for Correction; and
- Direct the individual to contact eHealth Ontario at to make the correction request.

As per the DI CS Access and Correction policy, eHealth Ontario may seek assistance from you when responding to access requests received directly by eHealth Ontario.

Privacy Complaints and Inquiries

Where a HIC directly receives an Inquiry/complaint related to DI CS and solely to the HIC and its agents and service providers, the HIC shall follow its own internal policies, procedures, and practices to address the Inquiry as per the DI CS Inquiries and Complaints policy.
Where a HIC directly receives an Inquiry that it is unable to address and respond to related solely to DI CS or to the agents or Electronic Service Providers of eHealth Ontario, the HIC receiving the Inquiry as per the DI CS Inquiries and Complaints policy shall as soon as possible:

- Notify the person that the HIC is unable to respond to the Inquiry because DI CS is the subject of the Inquiry; and
- Direct the individual to contact eHealth Ontario Privacy Office at (416) for complaints and inquiries.

Privacy Breach Management

The DI CS Privacy Breach Management policy describes detailed steps to be taken in the event of a privacy breach/incident.
A HIC shall report an actual or suspected Privacy Breach to eHealth Ontario by calling the 24/7 available Service Desk/ONE Support at as soon as possible, but in any event no later than the end of the next business day after the person at the HIC responsible for reporting actual or suspected Privacy Breaches to eHealth Ontario has become aware of an actual or suspected Privacy Breach caused or contributed to by:

- Another HIC or the agents or Electronic Service Providers of another HIC;
- More than one HIC or the agents or Electronic Service Providers of more than one HIC;
- eHealth Ontario or the agents or Electronic Service Providers of eHealth Ontario; or
- Any other unauthorized persons who are not agents or Electronic Service Providers of eHealth Ontario or any other HIC.

In instances where the breach is caused by the HIC that solely created and contributed the data to DI CS, the HIC shall follow its internal policies, procedures, and practices to notify the individual(s) to whom the PHI relates at the first reasonable opportunity in accordance with PHIPA and to contain, investigate and remediate the Privacy Breach.

In instances where the Privacy Breach was solely caused by a HIC that did not solely create and contribute the PHI to the DI CS, the HIC, in consultation with the other HICs (who contributed data) and eHealth Ontario, identifies the individual to investigate the breach. The specific roles for each party involved in the privacy breach are noted in the DI CS Privacy Breach Management policy.

Security Incident and Breach Management

This section includes instructions for providers at clinics and privacy officers at organizations to report to eHealth Ontario any security incidents or breaches (defined below) by you or your organization, including health care providers, agents, employees or service providers.
A security incident is an unwanted or unexpected situation that results in:

- Failure to comply with the organization's security policies, procedures, practices or requirements.
- Unauthorized access, use or probing of information resources.
- Unauthorized disclosure, destruction, modification or withholding of information.
- A contravention of agreements with eHealth Ontario by your organization, users at your organization, or employees, agents or service providers of your organization.
- An attempted, suspected or actual security compromise.
- Waste, fraud, abuse, theft, loss of or damage to resources.
Instructions for Health Care Providers

If you become aware of, or suspect, a security incident or breach of the Diagnostic Imaging Common Service system or data by you or any of your employees, agents, or service providers, you must immediately report the incident or breach to your privacy office. If you do not have a privacy office, or you are unable to reach your privacy office or support team to report a breach, please contact the eHealth Ontario service desk at and advise the eHealth Ontario agent that you would like to open a security incident ticket.

You are expected to cooperate in any incident or breach containment activities or with any investigation undertaken by eHealth Ontario. During the investigation by eHealth Ontario, you may be required to provide additional information which may include personal health information or personal information, in order to contain or resolve the incident or breach.

Note: It is extremely important that you do not disclose any patient personal health information and/or personal information to the eHealth Ontario agent when initially reporting a security incident or breach.

Instructions for Privacy Officers

If you become aware of, or suspect, an incident or breach related to Diagnostic Imaging Common Service system or data by any of your organization's staff members, including employees, agents or service providers, you must immediately report the incident or breach to the eHealth Ontario service desk at and advise the eHealth Ontario agent that you would like to open a security incident ticket.

Note: It is extremely important that you do not disclose any patient personal health information and/or personal information to the eHealth Ontario agent when initially reporting a privacy or security incident or breach. Further, you may not contact any patient or SDM directly, unless expressly instructed to do so in writing by eHealth Ontario.
It is expected that you and the organization's staff members will cooperate with any investigations conducted by eHealth Ontario in respect of any privacy or security incidents or breaches related to Diagnostic Imaging Common Service data.

When reporting a confirmed or suspected privacy or security incident, please have the following information ready:

1) If possible, a description of the situation and condition that led to the incident.
2) Who was involved (name and role)?
3) Where did the incident happen?
4) When and at what time was the incident noticed?
5) If possible, describe how the incident was detected.
6) If possible, provide information on the most likely cause, for example:
   a) Human error
   b) Negligence
   c) Technical failure, caused by failure of an application or system to maintain privacy
   d) Process failure, caused by not following a process
   e) Wilful wrongdoing
   f) Act of nature
7) Describe the type of PI/PHI involved in the incident.
8) If possible, list measures taken to contain the incident or breach or any risks that could eventually result in an incident or breach.
9) If possible, list any corrective measures taken or additional controls applied.
10) What services, if any, are impacted?
11) Are eHealth Ontario's services impacted or involved?

Once a call has been logged with the eHealth Ontario service desk, the eHealth Ontario privacy and security teams will be engaged to deal with the situation.

Privacy-related questions from Health Care Provider sites

If a health care provider has any questions regarding the privacy-related processes described above, including how to respond to individual access requests, consent obligations or incident/breach management processes, please contact the eHealth Ontario privacy operations department, at or (416)

Please ensure that you do not include any personal information or personal health information in any e-mails to eHealth Ontario.
Summary of Security Safeguards in Place at eHealth Ontario

Administrative Safeguards

- eHealth Ontario has a Chief Privacy Officer and Chief Security Officer; these individuals are accountable for health information privacy and security.
- All providers who use DI Common Services must sign a data access agreement with eHealth Ontario, which, among other things, spells out their responsibilities regarding privacy and security.
- eHealth Ontario requires its representatives to implement privacy and security safeguards, as appropriate to the service being provided.
- eHealth Ontario regularly reviews and enhances its privacy and security policies. Staff and contractors are required to read the relevant policies and acknowledge in writing that they have read and understood them.
- All staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining or providing services to eHealth Ontario.
- eHealth Ontario has a security screening policy that requires staff to have an appropriate level of clearance for the sensitivity of the information they may access.
- eHealth Ontario staff and contractors generally have no ability or permission to access personal health information. If access to personal health information is required in the course of providing eHealth Ontario services, individuals are required to follow the access request process and are prohibited from using or disclosing such information for other purposes.
- eHealth Ontario ensures, through contracts, that any third party it retains to assist in providing services to health information custodians will comply with the restrictions and conditions necessary for eHealth Ontario to fulfill its legal responsibilities.
- eHealth Ontario has developed a full privacy and security incident management system.
- eHealth Ontario has mandatory privacy and security awareness and training programs for all staff and contractors.
- eHealth Ontario staff, contractors, suppliers and clients must promptly report any privacy and/or security breaches to eHealth Ontario for investigation.
- eHealth Ontario conducts privacy and security risk assessments for both product/service development and client deployments. Mitigation activities are well established and tracked as part of each assessment.
- eHealth Ontario provides a summary of the results of privacy and security risk assessments to the affected health information custodians.
- eHealth Ontario ensures all operational and systems changes follow the agency's change management procedures.

Technical Safeguards

- Authorization and authentication (i.e. confirming who each user is, and what he/she is permitted to do) controls limit access to DI Common Services to only those individuals who require it to perform their job function.
- DI Common Services users are authenticated each time they access the system.
- Information about each data request is recorded in an audit trail maintained by DI Common Services, in compliance with PHIPA.
- Patients can expressly withhold or withdraw their consent to use or disclose information related to their diagnostic imaging information.
- The DI Common Services verifies all inbound messages to ensure that they are well formed.
- Personal health information is transmitted to and from DI Common Services securely using a mutually authenticated tunnel.
- Networks are protected by devices (firewalls and routers) which limit access to and from systems.
- The systems are kept up-to-date by installing software updates on a regular basis.
- Security agents are installed on each system to protect DI Common Services from malware and detect intrusions.
- eHealth Ontario's hosting environment provides continuous secure data backup and immediate failover capabilities for all system components.

Physical Safeguards

- DI Common Services resides in a specially-built facility that is physically secured against unauthorized access.
- Biometrics, secure cabinets and access cards control physical access to facilities and equipment.
- The facilities are staffed and monitored continuously by security staff/employees.
- The facility is protected against environmental issues such as power outages and extreme weather.
ehealth Ontario Ontario Lab Data and Your EMR 2012 ehealth Ontario NOTICE AND DISCLAIMER All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted, in
Policy Reference Guide Electronic Health Record (EHR) - connectinggta Version: 1.0 ehealth Ontario EHR Access and Correction Request for Service Form - cgta 1 Trademarks Other product names mentioned in
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific
Ontario Laboratories Information System Electronic Medical Records Initiative Privacy Impact Assessment Summary Copyright Notice Copyright 2011, ehealth Ontario All rights reserved Trademarks No part of
ehealth Ontario Site Support Guide Version 5.2 Reference Guide This guide will assist sites accessing OLIS with information around processes and contacting ehealth Ontario for support. www.ehealthontario.on.ca
SUBJECT: VOYAGEUR PAGE 1 1.0 PURPOSE: 1.1 To establish and document a policy which defines Voyageur s commitment to the protection of an individual s personal health information in the course of providing
Access to Electronic Health Records Policy Franciscan Health System PURPOSE: The purpose of the Access to Electronic Health Records Policy ( EHR Policy ) is to establish processes and procedures for permitting
Ontario Laboratories Information System ConnectingGTA Integration Delta Privacy Impact Assessment Summary Copyright Notice Copyright 2012, ehealth Ontario All rights reserved Trademarks No part of this
OPA Communications and Member Services Committee February 2015 Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines...
Quality Assurance Committee Approved by Council: February 11, 2014 Amended: September 20, 2014 *(formerly Guideline G-017) Note to readers: In the event of any inconsistency between this document and the
ehealth Ontario Site Support Guide Version 8.0 Reference Guide This guide will assist the electronic Child Health Network with information around processes and contacting ehealth Ontario for support. www.ehealthontario.on.ca
Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the
Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) This document provides answers to some frequently asked questions about the The Personal Health
What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates Guidelines on Requirements and Good Practices For Protecting Personal Health Information Disclaimer
Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
Standard: Information Security Incident Management Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance Information Privacy and IT Security & Compliance The information in this module in addition to the
Common Privacy Framework CCIM Assessment Projects Acknowledgements This material, information and the idea contained herein are proprietary to Community Care Information Management (CCIM) and may not be
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
PURPOSE The Privacy Standard sets the foundation for all guidelines, policies and procedure within the toolkit. It is expected that this Privacy Standard will be used in its entirety and will not be rewritten
DATA SECURITY AGREEMENT Addendum # to Contract # This Data Security Agreement (Agreement) is incorporated in and attached to that certain Agreement titled/numbered and dated (Contract) by and between the
ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT THIS AGREEMENT ("Agreement") is made and entered into this day of, 20, by and between Franciscan Health System ("Hospital"), and ("Community Partner"). RECITALS
Welcome to ChiroCare's Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ("Agreement") is made and entered into to be effective as of, 20 (the "Effective Date"), by and between ("Covered Entity") and
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
Information and Privacy Commissioner / Ontario How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Ann Cavoukian, Ph.D. Commissioner
& Privacy Breach Protocol Guidelines for Government Organizations www.ipc.on.ca Table of Contents What is a privacy breach? 1 Guidelines on what government organizations should do 2 What happens when the
Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION
The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL (AHS AND
Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:
Version 3.0 This policy may be updated at any time (without notice) to ensure changes to the HSE's organisation structure and/or business practices are properly reflected in the policy. Please ensure you
SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING AMONG ALBERTA HEALTH SERVICES, PARTICIPATING OTHER CUSTODIAN(S) AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle's Cloud Services
TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2 1.0 Purpose/Background The purpose of this policy is to establish the protocol to
Approved by: Information Technology Acceptable Use and Safeguards President and Chief Executive Officer Corporate Policy & Procedures Manual Number: X-50 Date Approved May 12, 2014 Next Review (3 years
Patient Email Consent Form Email is a widely accepted form of communication. While it cannot replace personal encounters between you and your health care provider, email can be a convenient way to exchange
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ("District") is committed to compliance with the health information
INFORMATION AND PRIVACY COMMISSIONER OF ALBERTA Report of an investigation of a malicious software outbreak affecting health information August 19, 2011 Dr. Cathy MacLean Investigation Report H2011-IR-003
Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable
PACS JOINT SERVICES/ACCESS POLICY 1. High Level Policy The identifiable Diagnostic Imaging Data stored in PACS constitutes personal health information and is subject to the provisions of The Health Information
Access Control and Identity Management Policy for System Level Access Version: 1.5 Document ID: 3535 Copyright Notice Copyright 2016, ehealth Ontario All rights reserved No part of this document may be
1.2: DATA SHARING POLICY PART OF THE OBI GOVERNANCE POLICY Available at: http://www.braininstitute.ca/brain-code-governance 1.2.1 Introduction Consistent with its international counterparts, OBI recognizes
Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement ANNEX 1 DATA PROCESSING AGREEMENT RELATING TO THE AGREEMENT DIGITAL TESTING SYSTEM BETWEEN
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
EXECUTION DRAFT HIPAA Business Associate Agreement For Collaborative Services This Business Associate Agreement ("Agreement") is by and between the Camden Coalition of Healthcare Providers, Inc. (the Business
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("Agreement") is by and between ("Covered Entity") and Xelex Digital, LLC ("Business Associate"), and is effective as of. WHEREAS,
List of Professional Practice Briefs Checklist for HIM Readiness This PPB identifies 28 components to be considered in the transition of the paper based to EHR HIM Department from getting started to forms,
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
Online Banking Agreement and Disclosures This agreement states the terms and conditions that apply to your use of Online Banking services offered by Eastman Credit Union. Please read this agreement carefully.
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
HIPAA COMPLIANCE PLAN For CHARLES RETINA INSTITUTE (Practice Name) Date of Adoption 1/02/2003 Review/Update 10/25/2012 Review/Update 4/01/2014 I. COMPLIANCE PLAN A. Introduction This HIPAA Compliance Plan
BETWEEN: HER MAJESTY THE QUEEN IN RIGHT OF THE PROVINCE OF BRITISH COLUMBIA, represented by the Minister of Health ( the Ministry as the Province as applicable) at the following address: Assistant Deputy
Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use
Provider secure web portal & Member Care Information portal Registration Form Thank you for your interest in registering for the Aetna Better Health Provider Secure Web Portal and the Aetna Better Health
AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ("PHI") ("Agreement") is entered
HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
I. PURPOSE: The purpose of this standard is to provide direction for Tenet regarding auditing and monitoring requirements. Logging and auditing of actions within networks, systems, and
FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients' healthcare information. This protects all forms of patients