Privacy and Security Training Policy (PS.Pol.051)

Transcription

1 Privacy and Security Training Plicy (PS.Pl.051) Purpse T define the plicies and prcedures fr prviding privacy and security training in respect f the CnnectingGTA Slutin. Definitins Electrnic Service Prvider A persn wh prvides gds r services fr the purpse f enabling a HIC t use electrnic means t cllect, use, mdify, disclse, retain r dispse f persnal health infrmatin (PHI), and includes a health infrmatin netwrk prvider. Privacy Breach Privacy breach has the same meaning as in the Privacy Breach Management Plicy and its assciated prcedures, as amended frm time t time. Scpe This plicy and its assciated prcedures apply t the prvisin f privacy and security training t health infrmatin custdians (HICs), CnnectingGTA and agents and Electrnic Service Prviders f HICs and CnnectingGTA in respect f the CnnectingGTA Slutin. This plicy and its assciated prcedures d nt apply t privacy and security training: In respect f any ther system ther than the CnnectingGTA Slutin; In respect f any ther infrmatin ther than PHI in the CnnectingGTA Slutin; T any agents f HICs wh d nt cllect, use r disclse PHI in the CnnectingGTA Slutin; T any Electrnic Service Prviders f HICs wh d nt view, handle r therwise deal with PHI in the CnnectingGTA Slutin; r T any agents r Electrnic Service Prviders f CnnectingGTA wh d nt view, handle r therwise deal with PHI in the CnnectingGTA Slutin. This plicy and its assciated prcedures als d nt apply t basic privacy and security training, als knwn as privacy and security awareness training. CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 1

2 Plicies and Prcedures 1. Guiding Plicies 1.1. PHIPA requires a HIC that is nt a natural persn t designate a cntact persn t facilitate the HIC s cmpliance with the Persnal Health Infrmatin Prtectin Act, 2004 (PHIPA) and t ensure that all agents f the HIC are apprpriately infrmed f their duties under PHIPA PHIPA permits a HIC that is a natural persn t designate a cntact persn t facilitate the HIC s cmpliance with PHIPA and t ensure that all agents f the HIC are apprpriately infrmed f their duties under PHIPA. Where a HIC that is a natural persn des nt designate a cntact persn t perfrm these functins, the HIC is required t perfrm these functins n his r her wn PHIPA requires CnnectingGTA t ensure that thse acting n its behalf agree t cmply with cnditins and restrictins necessary t enable CnnectingGTA t cmply with PHIPA HICs and CnnectingGTA shall have in place and maintain plicies, prcedures and practices in respect f privacy and security that cmply with PHIPA and prvide training t their agents and electrnic service prviders n the plicies, prcedures and practices as required by PHIPA HICs and CnnectingGTA shall take steps that are reasnable in the circumstances t ensure their agents and Electrnic Service Prviders cmply with PHIPA and this plicy and its assciated prcedures. 2. Prcedures Related t Creating Privacy and Security Training Materials 2.1. CnnectingGTA shall develp and distribute privacy and security training materials t enable HICs and CnnectingGTA t train their agents and Electrnic Service Prviders wh cllect, use and disclse PHI in the CnnectingGTA Slutin r wh view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be, n their privacy and security duties and bligatins CnnectingGTA shall ensure that the privacy and security training materials are rle-based t enable HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA t understand hw t meet their duties and bligatins in respect f the CnnectingGTA Slutin in their day-t-day peratins At a minimum, the privacy and security training materials shall address the requirements described in paragraph 5.1.CnnectingGTA will review and refresh the privacy and security training materials every tw years r earlier in circumstances where amendments t the privacy and security plicies, prcedures and practices will impact the duties and bligatins f HICs, CnnectingGTA and/r their agents and Electrnic Service Prviders in respect f the CnnectingGTA Slutin. 3. Prcedures Related t Delivering Privacy and Security Training 3.1. HICs shall ensure that all their agents and Electrnic Service Prviders, ther than CnnectingGTA and agents r Electrnic Service Prviders t CnnectingGTA, are apprpriately infrmed f their relevant duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures and practices, prir t permitting the agents and Electrnic Service Prviders t cllect, use r disclse PHI in the CnnectingGTA Slutin r t view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be CnnectingGTA shall ensure that all its agents and Electrnic Service Prviders are apprpriately infrmed f their relevant duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures and practices, prir t permitting its agents and Electrnic Service Prviders CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 2

3 t view, handle r therwise deal with PHI in the CnnectingGTA Slutin HICs and CnnectingGTA shall nt permit their agents and Electrnic Service Prviders t cntinue t cllect, use r disclse PHI in the CnnectingGTA Slutin r t cntinue t view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be, unless the agent r Electrnic Service Prvider has been apprpriately infrmed f its relevant duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures and practices When infrming their agents and Electrnic Service Prviders f their duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures, and practices, HICs and CnnectingGTA shall ensure that the agent r Electrnic Service Prvider is infrmed, if relevant t their day-t-day duties, f the infrmatin described in paragraph HICs and CnnectingGTA shall impse cnsequences n agents and Electrnic Service Prviders wh d nt understand their relevant duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures, and practices HICs and CnnectingGTA shall be able t demnstrate with evidence that their agents and Electrnic Service Prviders understand their relevant duties under PHIPA and the CnnectingGTA privacy and security plicies, prcedures, and practices. 4. Prcedures Related t End User Agreements 4.1. CnnectingGTA shall ensure that the CnnectingGTA Slutin requires HICs as well as agents and Electrnic Service Prviders f HICs and CnnectingGTA t acknwledge and agree t cmply with the duties and bligatins in the end user agreement prir t cllecting, using r disclsing PHI in the CnnectingGTA Slutin r prir t viewing, handling r therwise dealing with PHI in the CnnectingGTA Slutin, as the case may be, and at a minimum, every tw years thereafter CnnectingGTA shall ensure that the CnnectingGTA Slutin des nt permit agents and Electrnic Service Prviders f HICs and CnnectingGTA t cllect, use r disclse PHI in the CnnectingGTA Slutin r t view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be, unless the agent r Electrnic Service Prvider has acknwledged and agreed t cmply with the duties and bligatins in the annual end user agreement CnnectingGTA shall develp and implement an end user agreement that, at a minimum: Sets ut the purpses fr which HICs and agents and Electrnic Service Prviders f HICs are permitted t cllect, use r disclse PHI in the CnnectingGTA Slutin r t view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be; Sets ut the purpses fr which agents and Electrnic Service Prviders f CnnectingGTA are permitted t view, handle r therwise deal with PHI in the CnnectingGTA Slutin; Requires HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA t acknwledge that they have read, understd and agreed t cmply with the privacy and security plicies, prcedures and practices in respect f the CnnectingGTA Slutin; Requires HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA t agree t cmply with PHIPA; Requires HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA t implement the administrative, technical and physical safeguards set ut in the end user agreement t prtect PHI in the CnnectingGTA Slutin; Requires HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA t prvide ntificatin in accrdance with the Privacy Breach Management Plicy and its assciated prcedures, as amended frm time t time, if they believe that an actual r CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 3

4 suspected Privacy Breach has ccurred r is abut t ccur in respect f the CnnectingGTA Slutin; and Sets ut the cnsequences f breach f the end user agreement. 5. Training Cntent 5.1. The cntent fr training shall include the fllwing infrmatin if the rle f the agent r Electrnic Service Prvider requires it: The nature f PHI that is retained in the CnnectingGTA Slutin; The status under PHIPA f CnnectingGTA and ther rganizatins participating in the CnnectingGTA Slutin and the duties and bligatins arising frm this status; All f the permitted and knwn purpses fr which HICs and their agents and Electrnic Service Prviders are permitted t cllect, use and disclse PHI in the CnnectingGTA Slutin r t view, handle r therwise deal with PHI in the CnnectingGTA Slutin, as the case may be, and the limitatins placed theren; The authrity fr the cllectin, use and disclsure f PHI in the CnnectingGTA Slutin r the viewing, handling r dealing with PHI in the CnnectingGTA Slutin, as the case may be, by HICs and their agents and Electrnic Service Prviders; The purpses fr which PHI in the CnnectingGTA Slutin is permitted t be viewed, handled r therwise dealt with by CnnectingGTA and its agents and Electrnic Service Prviders and the limitatins placed theren; The authrity fr viewing, handling r dealing with PHI in the CnnectingGTA Slutin by CnnectingGTA and its agents and Electrnic Service Prviders; The prcesses r materials available t HICs and their agents t ensure that cnsent is knwledgeable; An verview f the privacy and security plicies, prcedures and practices that have been implemented in respect f the CnnectingGTA Slutin and the duties and bligatins f HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA arising frm these plicies, prcedures and practices; The cnsequences f breach f the privacy and security plicies, prcedures and practices implemented in respect f the CnnectingGTA Slutin; The administrative, technical and physical safeguards put in place t prtect PHI in the CnnectingGTA Slutin against theft, lss and unauthrized use r disclsure and t prtect recrds f PHI in the CnnectingGTA Slutin frm unauthrized cpying, mdificatin r dispsal; The duties and bligatins f HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA in implementing the administrative, technical and physical safeguards; The end-user agreement that HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA must acknwledge and agree t cmply with; and The duties and bligatins f HICs and agents and Electrnic Service Prviders f HICs and CnnectingGTA with respect t identifying, reprting, cntaining and participating in the investigatin and remediatin f Privacy Breaches and Security Breaches. CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 4

5 Enfrcement All instances f nn-cmpliance will be reviewed by the Privacy and Security Cmmittee wh will recmmend apprpriate actin t the CnnectingGTA Steering Cmmittee. The CnnectingGTA Steering Cmmittee has the authrity t impse apprpriate penalties, up t and including terminatin f the Participatin Agreement with the HIC r terminatin f the access privileges f agents, and t require the implementatin f remedial actins. References 1. Legislative PHIPA, ss. 10, 15 and 17 and Part V.1 PHIPA, Reg. 329/04, s. 6 Dcument Management Plicy Number PS.Pl.051 Versin 11 Versin Histry V11 Plicy structure refreshed and increased level f prcedural detail added V10 Initial release Effective Date LPR G-live Last Review Date Nvember 22, 2013 Next Review Date Annually r therwise established by PSC CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 5

6 CnnectingGTA Privacy and Security Training Plicy (PS.Pl.051), v11 Nvember 22, 2013 Page 6