CIHI Portal P r i v a c y I m p a c t A s s e s s m e n t

Transcription

1 CIHI Portal P r i v a c y I m p a c t A s s e s s m e n t

2 The contents of this publication may be reproduced in whole or in part, provided the intended use is for non-commercial purposes and full acknowledgement is given to the Canadian Institute for Health Information. Canadian Institute for Health Information 495 Richmond Road, Suite 600 Ottawa, Ontario K2A 4H6 Phone: Fax: Canadian Institute for Health Information

3 Table of Contents CIHI Portal Privacy Impact Assessment... iii Executive Summary... v 1. Introduction PIA Objectives and Scope CIHI Portal Background and Context Background Description of CIHI Portal Description of Data Accessible Through CIHI Portal Organization and Governance Authorities Governing CIHI Portal CIHI Portal Overview Diagram Privacy Analysis Principle 1: Accountability for Personal Health Information Principle 2: Identifying Purposes for Personal Health Information Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information Principle 4: Limiting Collection of Personal Health Information Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information Principle 6: Accuracy of Personal Health Information Principle 7: Safeguards for Personal Health Information Principle 8: Openness About the Management of Personal Health Information Principle 9: Individual Access to, and Amendment of, Personal Health Information Principle 10: Complaints About CIHI s Handling of Personal Health Information Conclusion Appendix A Summary of Identified Privacy Risks, Mitigation Measures Currently in Place and Recommendations Appendix B Glossary of Terms Appendix C Examples of CIHI Portal Data Appendix D Acknowledgement of the Conditions of Use of CIHI Portal... 26

4

5 CIHI Portal Privacy Impact Assessment Prepared by: Peter Pakeman, Program Consultant, Privacy and Legal Services, CIHI Mary Ledoux, Senior Privacy Consultant, Privacy and Legal Services, CIHI Mimi Lepage, Chief Privacy Officer and General Counsel, Privacy and Legal Services, CIHI Caroline Heick, Director, Acute and Ambulatory Care Information Services, CIHI Sharon Tracy, Manager, Portal Services, CIHI Jean-Marie Berthelot, Vice President, Programs, CIHI David H. Flaherty, PhD, Chief Privacy Advisor, CIHI; David H. Flaherty Inc., Privacy and Information Policy Consultants, Victoria, British Columbia CIHI 2008 iii

6

7 Executive Summary The purpose of this privacy impact assessment (PIA) is to examine the privacy, confidentiality and security risks associated with CIHI Portal. CIHI Portal is an analytical web-based tool for health care data, designed by the Canadian Institute for Health Information (CIHI) to meet the needs of its clients, who are also its data providers. CIHI Portal provides health care service organizations such as hospitals, regional health authorities and ministries of health with online access to pan-canadian health care data in a secure environment that safeguards privacy and confidentiality. In order to be able to use CIHI Portal, CIHI Portal clients must sign a service agreement with CIHI. The service agreement is signed at a senior level in the organization to ensure that clients are aware both of their organizational responsibilities and the responsibilities of their users. The service agreement limits CIHI Portal clients rights to use and disclose confidential information, including personal health information and facility-identifiable information, obtained through CIHI Portal. As well, a mandatory education program (elearning and instructor-led training) exists for users, which reinforces the appropriate uses and disclosures of data from CIHI Portal. CIHI Portal does not contain the names, health card numbers, dates of birth or full postal codes of recipients of health care services. A review of the 10 privacy principles set out in the Canadian Standards Association s Model Code for the Protection of Personal Information as they apply to CIHI Portal was undertaken. While a number of potential privacy risks were identified, this assessment concludes that, except as identified below, the mitigation measures currently in place are such that CIHI and its clients are prepared to accept and manage any remaining risks. The PIA sets out the following four recommendations: Recommendation 1: The threat and risk assessment specific to CIHI Portal scheduled for be completed by the end of that fiscal year. Recommendation 2: A general review of the requirements of the service agreement relating to confidentiality, privacy and security be undertaken by CIHI s Privacy and Legal Services and completed by the end of It is further recommended that a revised agreement be phased in over time. In addition, a specific privacy risk was identified with respect to lack of control of user names and passwords by CIHI Portal clients users, including active passwords that are assigned to users no longer employed by the client and where, after reviewing the mitigation measures currently in place, the PIA has determined that the residual risk was such that additional measures are required. The following two recommendations address this issue: CIHI 2008 v

8 Recommendation 3: As part of the general review of the confidentiality, privacy and security provisions of the service agreement set out in recommendation 2 above, the service agreement should be amended, at minimum, to include a specific requirement for: a. clients to advise CIHI within a set number of working days of any changes in authorized users; b. clients users to exit from their account at the end of each session; and c. clients users to sign an acknowledgement of the conditions of use of CIHI Portal (Appendix D) to reinforce their understanding of their responsibilities and obligations, including control of passwords. Recommendation 4: As part of the education process for users, phase into the training materials a clear and easily understood explanation of the acknowledgement and its implications. vi CIHI 2008

9 1. Introduction The Canadian Institute for Health Information (CIHI) collects and analyses information on health and health care in Canada. Its goal is to provide timely, accurate and comparable information to inform health policies, support the effective delivery of health services and raise awareness among Canadians of the factors that contribute to good health. CIHI obtains data directly from hospitals, regional health authorities and ministries of health, including personal health information about recipients of health services, registration and practice information about health professionals and health facility information. CIHI Portal was developed by CIHI for Canadian health care service organizations specifically those that submit data to CIHI to assist them in monitoring, planning and making decisions on the delivery of health care services. 1.1 PIA Objectives and Scope The purpose of this privacy impact assessment is to examine the privacy, confidentiality and security risks associated with CIHI Portal. It includes a review of the 10 privacy principles set out in the Canadian Standards Association s Model Code for the Protection of Personal Information as they apply to CIHI Portal and a summary of potential privacy risks that have been identified, along with any measures that have been put in place to avoid or mitigate those risks. This privacy impact assessment is specific to CIHI Portal. It builds on a PIA carried out in 2005 that assessed and addressed key data protection issues as CIHI Portal was in a beta test environment. In addition, a formal privacy impact assessment was conducted for the clinical administrative databases; it is available on CIHI s website ( CIHI

10

11 2. CIHI Portal Background and Context 2.1 Background CIHI Portal was developed initially in 2003 as a pilot project involving three data providers. The purpose of the pilot project was to demonstrate the value and evaluate the feasibility of developing and implementing CIHI Portal as an analytical tool that provided access to pan-canadian data to assist health system stakeholders with high-level decision-making and performance management. At the end of the pilot project, the evaluation concluded that there was an external client demand for such a service and that the most significant issue for CIHI Portal was ensuring the protection of individual privacy while allowing appropriate analytical capacity. CIHI Portal moved to a beta test involving approximately 15 data providers in the fall of For the beta test, CIHI addressed potential privacy, confidentiality and security issues that arose from access to CIHI Portal by adopting practices in the area of privacy risk management, including controls on users, service agreements with its clients, data disclosure and disclosure avoidance rules and security practices. 2.2 Description of CIHI Portal CIHI Portal is an analytical web-based tool for health care data, designed by CIHI to meet the needs of its clients, who are also its data providers. CIHI Portal provides health care service organizations such as hospitals, regional health authorities and ministries of health with online access to pan-canadian health care data in a secure environment that safeguards privacy and confidentiality. CIHI Portal also supports communities of practice and includes meta data, a comprehensive education program and a mechanism to provide users with client support. CIHI Portal offers its clients the ability to share and view pre-built reports, to query the data based on their own requirements and to build customized reports for purposes of evaluation to support decision-making and to facilitate knowledge transfer. CIHI Portal supports regular performance measurement and the determination of best practices by allowing clients to compare their organizations with customized peer groups at local, regional, provincial and national levels. Clients can carry out research and planning on clinical administration, resourcing, service provision, cost efficiencies and population demographics. CIHI Portal serves as a focal point for collaboration and the establishment of communities of practice. Through CIHI Portal, clients are able to share reports, methodologies and findings with peers within and across organizations. Together, they can create internal and external networks of collaboration. This unique bundle of features allows users from various levels of health care management across the country to answer the questions that are specific to their needs. CIHI

12 2.3 Description of Data Accessible Through CIHI Portal CIHI Data The Discharge Abstract Database (DAD) is a pan-canadian database for information on all acute care hospital separations (discharges, deaths, sign-outs, transfers) in Canada, except Quebec, and is one of the clinical databases used by CIHI for research and statistical purposes. CIHI Portal contains a selected subset of data from DAD. The DAD data accessible through CIHI Portal are broadly categorized in the following manner: Variables related to recipients of health care services (that is, in-patients, same-day surgery out-patients); Variables related to providers of health care services (that is, physicians); and Variables related to the facilities delivering the health care services (that is, hospitals). For each of the above categories, the data are further categorized in the following manner (see Appendix C for examples of CIHI Portal data): Demographic and geographic information about recipients; Identification and geographic information about facilities; Entry/admission/status information about recipients; Patient service information about recipients; 4 CIHI 2008

13 Provider code and type of service information about providers; Clinical information about recipients; Special care units information about recipients Death/discharge/status information about recipients; Date and time periods information about recipients hospitalizations; Derived values (such as statistical calculations, filtering, methodologies) about recipients hospitalizations; and Value-added data based on CIHI methodology for grouping discharges (that is, Case Mix Group, major clinical category). With respect to information about recipients of health care services, it is important to note that names are not submitted to the Discharge Abstract Database and, therefore, are not found in CIHI Portal. As well, although health card numbers, dates of birth and full postal codes of recipients of health care services are found in the original DAD data submitted to CIHI, they are not included in CIHI Portal Other Data CIHI Portal also contains aggregated, non-confidential population statistics from the Statistics Canada census of population and geographic data. 2.4 Organization and Governance Organization CIHI Portal Services was established as a program area in the Acute and Ambulatory Care Information Services Branch (AACIS) in April Governance The following table identifies key internal positions and groups with responsibilities for CIHI Portal in terms of privacy and security risk management. Position/Group Vice President, Programs Director, Acute and Ambulatory Care Information Services Manager, Portal Services Portal Steering Committee Chief Technology Officer Role/Responsibilities The vice president, programs chairs the Portal Steering Committee and is responsible for the overall operations and strategic direction of CIHI Portal. The director is fully accountable for CIHI Portal. The director is responsible for strategic and operational decisions about CIHI Portal and ensuring its continued successful development. The manager is responsible for ongoing management, development and deployment of CIHI Portal. The manager makes operational decisions about CIHI Portal, supports the Portal Steering Committee and consults internally and with CIHI Portal clients as appropriate. Chaired by CIHI s vice president, programs, this committee s role is to make strategic recommendations and decisions about the direction of CIHI Portal. The chief technology officer is responsible for the strategic direction and overall operations/implementation of CIHI s technological and security solutions. CIHI

14 Position/Group IM Steering Committee Chief Privacy Officer and General Counsel Privacy, Confidentiality and Security Team Role/Responsibilities Chaired by CIHI s chief technology officer, the role of this committee is to make strategic recommendations and decisions related to technology. The chief privacy officer is responsible for the strategic direction and the overall implementation of CIHI s privacy program. Chaired by CIHI s chief privacy officer, this team supports CIHI Portal by reviewing privacy-sensitive issues and the service agreement. Chief Privacy Advisor The chief privacy advisor is an external resource available to CIHI. Individuals who do not believe their challenges about CIHI s handling of personal health information have been satisfactorily resolved may be appeal to the chief privacy advisor, who will report his findings to CIHI s president and chief executive officer. Manager, Analytical Systems Senior Program Consultant, Security The manager is responsible for ensuring that technical requirements for the ongoing development and maintenance of CIHI Portal are met. The Analytical Systems team is responsible for acting as system administrator for CIHI Portal. The senior program consultant is responsible for providing guidance on maintaining and enhancing security for CIHI Portal, and assisting with documentation such as security impact assessments and threat and risk assessments. 2.5 Authorities Governing CIHI Portal General CIHI conducts its business activities in accordance with the following: applicable statutory authorities CIHI is a prescribed entity under the Personal Health Information Protection Act (PHIPA) in Ontario CIHI is an information manager for the department of Health and Wellness and several regional health authorities in Alberta under the Alberta Health Information Act; CIHI s Principles and Policies for the Protection of Personal Health Information (updated November 2007, 3rd Edition), which is based on the 10 privacy principles described in the Canadian Standards Association s Model Code for the Protection of Personal Information; and data-sharing agreements negotiated between data providers and CIHI, which set out the purpose, use, disclosure and retention requirements as well as any subsequent data sharing that may be permitted. 6 CIHI 2008

15 2.5.2 CIHI Portal Service Agreement In order to be able to use CIHI Portal, CIHI Portal clients, which could be a hospital, regional health authority or ministry of health, must sign a service agreement with CIHI. The service agreement is signed at a senior level in the organization to ensure that clients are aware both of their organizational responsibilities and the responsibilities of their users. The service agreement limits CIHI Portal clients rights to use and disclose confidential information, including personal health information and facility-identifiable information, obtained through CIHI Portal. Specifically, clients and their users are permitted to use such data solely for internal, non-commercial, local/regional evidence-based decision-making, planning and analytical purposes. Confidential information cannot be disclosed to any third party, except as expressly permitted in the service agreement or as required by law. Specifically, publication or disclosure outside of the client organization is permitted only where all reasonable attempts to prevent the identification of individuals are employed and there are no cell sizes with fewer than five observations. Organization-identifiable information cannot be released unless the written consent of each organization identified in the information has been obtained prior to release. Clients assume responsibility for ensuring that users of CIHI Portal in their organizations are aware of the terms and conditions of the service agreement. Within each client organization, individual users must be made aware of their strict obligation to: keep their user names and passwords strictly confidential; keep de-identified record-level data obtained through CIHI Portal, including any reports, strictly confidential and not disclose such data to persons or organizations outside the client s organization, except as expressly provided for in the service agreement or as required by law; use de-identified record-level data from CIHI Portal solely for non-commercial, internal purposes related to the client s planning, research/analysis or decision-support activities, unless explicitly permitted by an agreement between CIHI and the client; not attempt to identify individuals when accessing and using de-identified record-level data accessible through CIHI Portal, and/or attempt to link these data with personal health information originating from any other source; and access CIHI Portal from the client s corporate network only. Clients agree to immediately notify CIHI of any unauthorized use of any users means of access or any other breach of confidentiality or security of which they become aware. In addition, the service agreement sets out the following specific requirements and responsibilities with respect to user names and passwords: Each user must create a user profile (name, title and address), user name and password on CIHI s website as instructed by CIHI. Clients and their users are responsible for maintaining the confidentiality of the means of access. Clients are fully responsible for all activities that occur under their means of access. CIHI

16 User names and passwords may not be shared and are non-transferable, nor can they be assigned to an un-named individual or occupational position (such as director of health records). Clients and their users must not permit any third party or unauthorized user to access CIHI Portal. Each user will be issued a user name and password that provides him or her with access to those areas of CIHI Portal that he or she is permitted to access. CIHI has put in place a mandatory training program that addresses each of these items. As a reminder for the users, a link to the conditions of the service agreement is provided on CIHI Portal home page. 8 CIHI 2008

17 3. CIHI Portal Overview Diagram Users access CIHI Portal through a secure web interface. Depending on their role, users are able to create ad hoc custom queries and/or access reports created by CIHI and other CIHI Portal users, both within and outside of their organizations. The outputs from these queries may be shared within CIHI Portal or exported to other file formats (such as MS Excel). The underlying record-level data are not exportable. SECURE CIHI PORTAL ENVIRONMENT De-identified record level subset of DAD Secure web interface Queries Aggregate-level reports CIHI Portal clients/users Hospitals Ministries of health Regional health authorities CIHI

18

19 4. Privacy Analysis 4.1 Principle 1: Accountability for Personal Health Information CIHI s president and chief executive officer is accountable for ensuring compliance with CIHI s Principles and Policies for the Protection of Personal Health Information (updated November 2007, 3rd Edition). CIHI has a chief privacy officer, a corporate Privacy, Confidentiality and Security team to manage privacy matters at CIHI, a privacy sub-committee of its board of directors and an external chief privacy advisor. CIHI Portal clients are accountable for the application of the service agreement within their respective organizations. They are also subject to the requirements of data protection laws in their respective jurisdictions and the independent oversight of privacy commissioners or their equivalents. 4.2 Principle 2: Identifying Purposes for Personal Health Information CIHI Portal is a service provided by CIHI to meet the needs of its clients for online access to pan-canadian health care data. The service agreement limits CIHI Portal clients rights to use and disclose confidential information, including personal health information and facilityidentifiable information, obtained through CIHI Portal. Specifically, clients and their users are permitted to use such data solely for internal, non-commercial, local/regional evidencebased decision-making, planning and analytical purposes. 4.3 Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information The de-identified, record-level data found in CIHI Portal are collected in their original form through the administration of the health care system in the various jurisdictions and provided to CIHI as a secondary user. Data providers are responsible for meeting the statutory consent requirements in their respective jurisdictions at the time the data are collected initially. 4.4 Principle 4: Limiting Collection of Personal Health Information CIHI Portal is not collecting or using any new personal health information for the purposes of CIHI Portal. It is a secure means of access to selected data already held at CIHI in the Discharge Abstract Database. 4.5 Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information Limiting Use CIHI limits the use of CIHI Portal to authorized purposes, and only authorized users have access. The CIHI Portal service agreement allows clients to use de-identified record-level data only for their own non-commercial, internal analysis, planning, research and decisionmaking purposes. CIHI

20 Privacy Risk Inappropriate use and/or disclosure of confidential information by CIHI Portal clients users Mitigation Measures Currently in Place As described in Section 2.5.2, CIHI Portal clients are required to sign a service agreement, which imposes confidentiality and security restrictions and obligations. Failure to respect the terms and conditions of the service agreement would jeopardize their continued access to CIHI Portal. CIHI can, and intends to, audit compliance through technological means (electronic audit trails). CIHI Portal clients are also subject to the requirements of data protection laws in their respective jurisdictions Limiting Disclosure As part of its mandate, CIHI publishes aggregated personal health information only in a manner designed to minimize any risk of residual disclosure. This generally requires a minimum of five observations per cell. CIHI recognizes, however, that internal reports produced for clients through CIHI Portal are not reviewed for confidentiality as are the data CIHI publishes and releases into the public domain. Query results obtained through CIHI Portal, therefore, may contain small cell sizes (defined as five or fewer occurrences) that are not suppressed in the reports produced by users. The reason for this practice is that, in general, information obtained through CIHI Portal will not be published by clients but will be used to inform internal decision-making in a specific health care environment. CIHI Portal includes record-level, potentially identifiable data in order to provide essential functionality for its clients. Privacy Risk Residual disclosure (such as the combination of data on age of patient, plus geographic unit, plus facility in rural areas that could re-identify individuals) Mitigation Measures Currently in Place The disclosure of reports produced by authorized users is limited to CIHI Portal clients who have signed a service agreement (see Section 2.5.2), which imposes a variety of confidentiality and security restrictions and obligations on them. The terms of the service agreement provide for: a prohibition against attempts to identify individuals; a prohibition against data linkage using information gained by way of CIHI Portal; safeguards prohibiting further publication by CIHI Portal clients, including a requirement to suppress cell sizes with fewer than five observations; and consequences for institutions in the case of demonstrated breaches, such as denial of further access to CIHI Portal. 12 CIHI 2008

21 Further, within client organizations, users are broken down into three roles: report reader, information consumer and analyst. Access to specific features and data fields in CIHI Portal is controlled on a user-by-user basis, through security and permissions features based on the principle of need-to-know and determined by the role of the user. For example, report readers are permitted only to view reports they cannot create or manipulate reports. Information consumers can manipulate existing reports. Analysts have maximum access and do hands-on work with the data available through CIHI Portal (for example, creating reports). In addition, specific protective measures implemented in CIHI Portal to control disclosures include: Only a selected subset of variables from the DAD is included in CIHI Portal (approximately 100 data elements). De-identification measures are applied to the data; for example, dates of birth, health card numbers and full postal codes of patients are not included in CIHI Portal. CIHI Portal does not allow direct access to individual records. Analysts who have maximum access to the data available through CIHI Portal may submit queries to create reports but cannot see or request the extraction of individual records. There are special protections to mask sensitive abortion data (any procedure that terminates a pregnancy for any reason, including therapeutic abortions). The organizational contact identified in the service agreement is responsible for naming authorized users in each user role and for communicating changes in user access to CIHI. Mandatory education (elearning and instructor-led training) for users reinforces the appropriate use and disclosure of data from CIHI Portal. Technical safeguards (for example, user/id and password, encryption, auditing, system monitoring) regulate the query environment and limit disclosure by minimizing risks of unauthorized access, including only providing access to named users (for further information, see Principle 7 Safeguards) Limiting Retention Data accessible through CIHI Portal form part of CIHI s information holdings and are retained permanently for long-term analyses and reporting purposes. Currently, data are included back to Principle 6: Accuracy of Personal Health Information CIHI has a comprehensive data quality program. Any known data quality issues are addressed by the data provider or documented in data limitations documentation, which is made available to all users. Analytical Systems and Portal Services verify that the data available within CIHI Portal match the data in the Discharge Abstract Database in terms of accuracy (that is, volumes, completeness). Furthermore, policies 9.5 and 9.6 of CIHI s Principles and Policies for the Protection of Personal Health Information (updated November 2007, 3rd Edition) state that when an individual requests an amendment to or correction of his or her personal health information, CIHI refers the individual to the data provider. When a data provider notifies CIHI that the individual has successfully demonstrated the inaccuracy or incompleteness of personal health information, CIHI amends the information as required. See Section 4.9 (below) for information on an individual s right of access to personal health information. CIHI

22 4.7 Principle 7: Safeguards for Personal Health Information CIHI has established physical, technical and administrative security practices to ensure the confidentiality and security of its data holdings. In addition to the general safeguards already in place, CIHI Portal implemented the following technical and administrative safeguards: CIHI Portal security architectures/security filters include security features such as privileges (used to control what features the user can access) and permissions (used to control the level of access a user has, such as what data and reports the user can see) by role. Security filters manage the different functionality of each user role for example, analysts can create reports, information consumers can view and modify reports and report readers can only view reports. Users cannot change or remove a security filter it is enforced automatically when users execute queries. Users of CIHI Portal cannot turn off security features. Only the internal CIHI Portal administrator has the ability to modify security filters, privileges and permissions. Encryption software incorporated in CIHI Portal uses a networking protocol called Secure Sockets Layer (SSL). SSL is cryptographic protocols that provide secure communications on the internet for such things as web browsing, , internet faxing, instant messaging and other data transfers. User names and passwords permit authentication and ensure that only authorized users can access CIHI Portal. Privacy Risk Unauthorized access to CIHI Portal Mitigation Measures Currently in Place Monitoring and auditing through the use of system audit trails and logs for CIHI Portal, which include: what was queried, when and by whom; all system accesses logged by user ID, time and date; all queries run logged by the nature of the query, user ID, time and date; sessions disconnected after a preset time; and intrusion detection system to proactively block undesirable access. In addition: The system will lock out users after a pre-determined number of failed login attempts (because of the complexity of the passwords). Users may be required to attain re-authorization via mandatory training and evaluation if they have not used CIHI Portal within a 12-month period from the date of last access. Ethical hacks: CIHI conducts an annual vulnerability assessment and penetration testing of select information systems (ethical hack). The intent of the assessment is to gather information on the selected systems and applications and then examine this information for weaknesses that could ultimately be used to compromise the underlying system, and hence personal health information. 14 CIHI 2008

23 The latest ethical hack conducted in 2007 found that, in general, external facing systems (via the internet) were well protected. While the results of the 2007 ethical hack are generally positive, they were not specific to CIHI Portal. Threat and risk assessment: The manager of Portal Services, in consultation with the senior program consultant, security, engages appropriate risk management activities, such as commissioning threat and risk assessments and security impact assessments and escalating any issues of concern to the chief privacy officer, the chief technology officer and/or the appropriate management team(s). A threat and risk assessment specific to CIHI Portal is scheduled for Recommendation 1: The threat and risk assessment specific to CIHI Portal scheduled for be completed by the end of that fiscal year. CIHI Portal service agreement As described in Section 2.5.2, CIHI Portal clients are required to sign a service agreement which imposes confidentiality and security restrictions and obligations. Clients and their users must use at least the same degree of care and oversight to maintain confidentiality as they would use to protect their own information, but in no event less than a reasonable degree of care. Further, the terms of the service agreement set out the consequences for clients in the case of demonstrated breaches, such as denial of further access to CIHI Portal. Recommendation 2: The service agreements for CIHI Portal have evolved in order to take into account the various needs of CIHI clients and, while some versions are more stringent than others, some privacy or security requirements may have been lost over time. A general review of the requirements of the service agreement relating to confidentiality, privacy and security, therefore, is recommended to be undertaken by CIHI s Privacy and Legal Services Secretariat and completed by the end of It is further recommended that a revised agreement be phased in over time. Privacy Risk Lack of control of user names and passwords by CIHI Portal clients users, including active passwords that were assigned to users who are no longer employed by the client Mitigation Measures Currently in Place In order to be able to use CIHI Portal, each CIHI Portal client must sign a service agreement with CIHI that sets out specific requirements and responsibilities with respect to user names and passwords. In addition to the requirement to keep their user names and passwords strictly confidential, clients agree to immediately notify CIHI of any unauthorized use of any users means of access or any other breach of confidentiality or security of which they become aware (see Section CIHI Portal Service Agreement). The service agreement requires that the client designate an organizational contact who is responsible for notifying CIHI of who within the client s organization will be named as users and for providing and maintaining accurate, complete, true information about each user. CIHI

24 The Portal Services team provides organizational contacts with quarterly reports outlining names of users as well as usage, and asks for discrepancies to be reported. Recommendation 3: As part of the general review of the confidentiality, privacy and security provisions of the service agreement set out in recommendation 2 above, the service agreement should be amended to include a specific requirement for: a. clients to advise CIHI within a set number of working days of any changes in authorized users; b. clients users to exit from their accounts at the end of each session; and c. clients users to sign an acknowledgement of the conditions of use of CIHI Portal (Appendix D) to reinforce their understanding of their responsibilities and obligations, including control of passwords. Recommendation 4: As part of the education process for users, phase into the training materials a clear and easily understood explanation of the acknowledgement and its implications. 4.8 Principle 8: Openness About the Management of Personal Health Information CIHI makes information available about its privacy policies, data practices and programs relating to the management of personal health information on its corporate website. As well, this PIA is accessible on CIHI s website ( 4.9 Principle 9: Individual Access to, and Amendment of, Personal Health Information CIHI recognizes that individuals have a right of access to their personal health information. However, because the data in CIHI Portal do not contain any direct identifiers (such as name, address, health card number), CIHI cannot accurately authenticate a requester as the person to whom the personal health information relates. It will continue, therefore, its standard practice of referring the requester to the original data provider Principle 10: Complaints About CIHI s Handling of Personal Health Information As set out in CIHI s Principles and Policies for the Protection of Personal Health Information (updated November 2007, 3rd Edition), complaints about CIHI s handling of personal health information are investigated by the chief privacy officer. If an individual does not believe that his or her challenge has been satisfactorily resolved, he or she may appeal to CIHI s chief privacy advisor, who will report his findings to CIHI s president and chief executive officer. If a complaint is found to be justified, CIHI takes appropriate corrective measures. 16 CIHI 2008

25 5. Conclusion This PIA summarizes CIHI s assessment of the privacy implications of CIHI Portal. While a number of potential privacy risks were identified, this assessment concludes that, except as identified under Principle 7 Safeguards for Personal Health Information (Section 4.7) above, the mitigation measures currently in place are such that CIHI and its clients are prepared to accept and manage any remaining risks. A summary of the privacy risks identified, the mitigation measures currently in place and any related recommendations is found in Appendix A. CIHI undertakes to review this PIA to coincide with major enhancements of CIHI Portal or as deemed necessary by the Portal Steering Committee or by the chief privacy officer. CIHI

26

27 Appendix A Summary of Identified Privacy Risks, Mitigation Measures Currently in Place and Recommendations Privacy Risk Inappropriate use and/or disclosure of confidential information by CIHI Portal clients users Residual disclosure (for example, the combination of data on age of patient, plus geographic unit, plus facility in rural areas that could re-identify individuals) Mitigation Measures Currently in Place and Recommendations As described in Section 2.5.2, CIHI Portal clients are required to sign a service agreement, which imposes confidentiality and security restrictions and obligations. Failure to respect the terms and conditions of the service agreement would jeopardize their continued access to CIHI Portal. CIHI can, and intends to, audit compliance through technological means (electronic audit trails). CIHI Portal clients are also subject to the requirements of data protection laws in their respective jurisdictions. The disclosure of reports produced by authorized users is limited to CIHI Portal clients who have signed a service agreement (see Section 2.5.2), which imposes a variety of confidentiality and security restrictions and obligations on them. The terms of the service agreement provide for: a prohibition against attempts to identify individuals; a prohibition against data linkage using information gained by way of CIHI Portal; safeguards prohibiting further publication by CIHI Portal clients, including a requirement to suppress cell sizes with fewer than five observations; and consequences for institutions in the case of demonstrated breaches, such as denial of further access to CIHI Portal. Further, within client organizations, users are broken down into three roles: report reader, information consumer and analyst. Access to specific features and data fields in CIHI Portal is controlled on a userby-user basis, through security and permissions features based on the principle of need-to-know and determined by the role of the user. For example, report readers are permitted only to view reports they cannot create or manipulate reports. Information consumers can manipulate existing reports. Analysts have maximum access and do hands-on work with the data available through CIHI Portal (for example, creating reports). In addition, specific protective measures implemented in CIHI Portal to control disclosures include: Only a selected subset of variables from the DAD was included in CIHI Portal (approximately 100 data elements). De-identification measures are applied to the data; for example, not including dates of birth, health card numbers and full postal codes of patients in CIHI Portal. CIHI Portal does not allow direct access to individual records. Analysts who have maximum access to the data available through CIHI Portal may submit queries to create reports but cannot see or request the extraction of individual records. CIHI

28 Privacy Risk Unauthorized access to CIHI Portal Mitigation Measures Currently in Place and Recommendations There are special protections to mask sensitive abortion data (any procedure that terminates a pregnancy for any reason, including therapeutic abortions). The organizational contact identified in the service agreement is responsible for naming authorized users in each user role and for communicating changes in user access to CIHI. Mandatory education (elearning and instructor-led training) for users reinforces the appropriate use and disclosure of data from CIHI Portal. Technical safeguards (such as user ID and password, encryption, auditing, system monitoring) regulate the query environment and limit disclosure by minimizing risks of unauthorized access, including only providing access to named users (for further information, see Principle 7 Safeguards). Monitoring and auditing through the use of system audit trails and logs for CIHI Portal, which include: what was queried, when and by whom; all system accesses logged by user ID, time and date; all queries run logged by the nature of the query, user ID, time and date; sessions disconnected after a preset time; intrusion detection system to proactively block undesirable access. In addition: The system will lock out users after a pre-determined number of failed login attempts (because of the complexity of the passwords). Users may be required to attain re-authorization via mandatory training and evaluation if they have not used CIHI Portal within a 12-month period from the date of last access. Ethical hacks: CIHI conducts an annual vulnerability assessment and penetration testing of select information systems (ethical hack). The intent of the assessment is to gather information on the selected systems and applications and then examine this information for weaknesses that could ultimately be used to compromise the underlying system, and hence personal health information. The latest ethical hack conducted in 2007 found that, in general, external facing systems (via the internet) were well protected. While the results of the 2007 ethical hack are generally positive, they were not specific to CIHI Portal. Threat and risk assessment: the manager of Portal Services, in consultation with the senior program consultant, security, engages appropriate risk management activities, such as commissioning threat and risk assessments and security impact assessments and escalating any issues of concern to the chief privacy officer, the chief technology officer and/or the appropriate management team(s). A threat and risk assessment specific to CIHI Portal is scheduled for Recommendation 1: The threat and risk assessment specific to CIHI Portal scheduled for be completed by the end 20 CIHI 2008

29 Privacy Risk Lack of control of user names and passwords by CIHI Portal clients users, including active passwords that were assigned to users who are no longer employed by the client Mitigation Measures Currently in Place and Recommendations of that fiscal year. CIHI Portal Service Agreement As described in Section 2.5.2, CIHI Portal clients are required to sign a service agreement, which imposes confidentiality and security restrictions and obligations. Clients and their users must use at least the same degree of care and oversight to maintain confidentiality as they would use to protect their own information, but in no event less than a reasonable degree of care. Further, the terms of the service agreement set out the consequences for clients in the case of demonstrated breaches, such as denial of further access to CIHI Portal. Recommendation 2: The service agreements for CIHI Portal have evolved in order to take into account the various needs of CIHI clients and, while some versions are more stringent than others, some privacy or security requirements may have been lost over time. A general review of the requirements of the service agreement relating to confidentiality, privacy and security, therefore, is recommended to be undertaken by CIHI s Privacy and Legal Services Secretariat and completed by the end of It is further recommended that a revised agreement be phased in over time. In order to be able to use CIHI Portal, each CIHI Portal client must sign a service agreement with CIHI that sets out specific requirements and responsibilities with respect to user names and passwords. In addition to the requirement to keep their user names and passwords strictly confidential, clients agree to immediately notify CIHI of any unauthorized use of any users means of access or any other breach of confidentiality or security they become aware of (see Section CIHI Portal Service Agreement). The service agreement requires that the client designate an organizational contact who is responsible for notifying CIHI of who within the client s organization will be named as users and for providing and maintaining accurate, complete, true information about each user. The Portal Services team provides organizational contacts with quarterly reports outlining names of users as well as usage, and asks for discrepancies to be reported. Recommendation 3: As part of the general review of the confidentiality, privacy and security provisions of the service agreement set out in recommendation 1 above, the service agreement should be amended to include a specific requirement for: a. clients to advise CIHI within a set number of working days of any changes in authorized users; b. clients users to exit from their accounts at the end of each session; and c. clients users to sign an acknowledgement of the conditions of use of CIHI Portal (Appendix D) to reinforce their understanding of their responsibilities and obligations, including control of passwords. Recommendation 4: As part of the education process for users, phase into the training materials a clear and easily understood CIHI

30 Privacy Risk Mitigation Measures Currently in Place and Recommendations explanation of the acknowledgement and its implications. 22 CIHI 2008

31 Appendix B Glossary of Terms Term Case Mix Group (CMG) CIHI Portal CIHI Portal Clients CIHI Portal Clients Users CIHI Portal Service Agreement Confidential Information Data Provider De-Identified Information Discharge Abstract Database (DAD) Ethical Hack Health Information Major Clinical Category (MCC) Meta Data Mitigation Measures Organization- Identifiable Information Definition CIHI s Case Mix Groups categorize patients into statistically and clinically homogeneous groups based on the collection of clinical and administrative data. An analytical tool for health care data that provides hospitals, regional health authorities and ministries of health with online access to pan-canadian health care data in a secure environment that safeguards privacy and confidentiality. Individual hospitals, regional health authorities and ministries of health which have entered into a CIHI Portal service agreement with CIHI. Those employees and contractors of the CIHI Portal client that have successfully completed the CIHI Portal training curriculum and require access to CIHI Portal. An agreement between the client and CIHI with respect to the client s access to and use of CIHI Portal. For purposes of the CIHI Portal service agreement, confidential information includes personal health information and facility-identifiable information. An organization or individual that discloses health information to CIHI. For purposes of CIHI Portal, record-level data that do not include name, date of birth, health card number or full postal code. A national-level database containing information on all acute care hospital separations (discharges, deaths, sign-outs, transfers) in Canada, except Quebec. An assessment of the vulnerability and penetration testing of information systems. A broad term encompassing information of all types about health and health care, including personal health information, health facility information and health expenditure information. Major clinical category is a high-level grouping of clinically similar cases based on body system or other specific type of clinical problem. Summary information that assists data users in the interpretation and use of data. Means of reducing the possibility of privacy risks. Refers to information which includes the identity (that is, name or number) of any health organization, health facility, local health integration network, government ministry, continuing care facility, acute care hospital, specialty hospital, long-term care home, ambulatory agency such as an outpatient clinic, rehabilitation centre, community health centre, home care agency, mental health facility, regional health authority or local health authority. CIHI