Shared EMR Access Administrator (AA) Guide ~ External


Developed and maintained by:
Information Stewardship Office (ISO)
Information Sharing Framework Governance Committee (ISF GC)

TABLE OF CONTENTS

Purpose of Guide
Shared EMR
Information Sharing Framework
EMR Custodian
Appointing the Access Administrator
User Access Management (Access Administrator Responsibilities)
Information Security Awareness
Privacy Awareness
Reporting of Breaches
External Delegation of Access Administration (EDoAA) Form
Staff Access Request Form (SARF)
Shared EMR Security Roles
Shared EMR Access Administrator Guide Version

Appendices
Appendix A - Definitions
Appendix B - SARF Security Roles (eclinician)
Appendix C - Frequently Asked Questions

PURPOSE OF GUIDE

This guide provides shared electronic medical record (sEMR) Access Administrators (AA) with instructions to carry out their user access management duties as per the requirements identified in the EMR Information Exchange Protocol (EMR IEP). The EMR IEP contains the rules that all authorized custodians and their affiliates must follow with respect to access, use, disclosure and retention of prescribed health information via the shared EMR. Custodians will receive a copy of the EMR IEP during the initial engagement and implementation process. Custodians may also request a copy of the EMR IEP at any time.

SHARED EMR

The shared EMR is a medical record system shared by multiple custodians, with each custodian contributing patient information and data to the system. Co-custodians of the shared EMR include participating physicians, Alberta Health Services (AHS), and Covenant Health.

eclinician

eclinician is a shared EMR system, used in the Edmonton area, for ambulatory care physicians to schedule and manage patient appointments, initiate or accept referrals, store patient electronic health records and bill for healthcare services. Currently only ambulatory (outpatient) information is stored in eclinician.

INFORMATION SHARING FRAMEWORK

The Information Sharing Framework (ISF) establishes governance of health information stored in an AHS operated shared EMR system. This legal framework includes information sharing agreements between physicians as co-custodians and AHS, participating physician agreements, and an information exchange protocol. See Appendix A for more information regarding the ISF, participating parties, and legal agreements.

EMR CUSTODIAN

Before any custodian is authorized to access a shared EMR, they must execute an agreement under the ISF and complete an Organizational Readiness Assessment. Custodians must also sign legal agreements prior to becoming authorized to access the shared EMR.

Physician Participation Agreement (PPA): agreement to become part of the shared EMR environment, contributing and using information within. By signing this agreement, a physician agrees to terms in the Information Management Agreement and the Information Sharing Agreement.

Once a custodian has executed the PPA, they may appoint an AA. The AA will act on the custodian's behalf to request shared EMR access for the affiliates.

As per HIA section 62(2), any collection, use or disclosure of health information by an affiliate of a custodian is considered to be a collection, use or disclosure by the custodian. Consequently, the appointed AA must ensure that the affiliate's access to shared EMR information is restricted based on their role in the healthcare system. This means that access permissions and other security credentials are set up so that affiliates have enough information to do their jobs, while ensuring that information is accessible on a need to know basis only.

EMR custodians are:
- Participating physicians
- Alberta Health Services (AHS)
- Covenant Health (COV)

APPOINTING THE ACCESS ADMINISTRATOR

AAs must be approved by the EMR custodians for each clinic where they carry out user access management duties. Designation of the AA will initially be done during the onboarding process for clinics and facilities to the shared EMR and this position role will be identified in their Organizational Readiness Assessment.

The custodian appoints the AA by completing the External Delegation of Access Administration (EDoAA) Form and adding their approval as the Organization Requestor. The appointed AAs are acting on behalf of the custodian to ensure user access to confidential health information is properly administered and given only to those who need this access to perform their jobs.

USER ACCESS MANAGEMENT (ACCESS ADMINISTRATOR RESPONSIBILITIES)

The AA is the primary contact regarding user access to the shared EMR for their clinic or clinics. The main responsibility of the AA is to perform user access management duties that include the following:

Shared EMR Access

The AA is responsible for ensuring that the affiliate's access to the shared EMR is based on the HIA principle of a need to know and the least amount of information to do their job. Specific responsibilities include:

- Approve and submit access requests in a timely manner. Requests are submitted using the Staff Access Request Form (SARF). During this process, the AA is to confirm that the user has completed the organization's privacy and security training and that the confidentiality and user agreement have been signed.
- Restrict user access to shared EMR information in accordance with their duties to the custodian, selecting the appropriate security levels and login department(s) on the SARF form. For example, certain administrative roles are not required to enter or modify encounters or medications and therefore will have their access restricted to what is required to do their job.
- Verify that the user permissions are appropriate for the role or job duties and meet the HIA principle of a need to know and the least amount of information to do their job.
- Terminate user permission when access is no longer required. Process terminations by completing and submitting the SARF form.
- Ensure users have been advised of their HIA obligations and the EMR IEP rules for collection, use, and disclosure of shared EMR information through organizational and application specific training.
- Review user's access information and permissions to ensure that information is complete and accurate.
- Submit changes to user information and permissions to ensure that information is complete and accurate.
- Comply with legislative and custodian policy obligations when collecting user information while performing user access management duties.

Privacy and Security Training

As per HIA section 62(2), custodians are responsible for the actions of their affiliates. If an affiliate does something the HIA forbids them to do, it is as if the custodian did it. Consequently, affiliates must comply with the HIA, as well as with the policies and procedures adopted by the custodian.

As the appointed representative of the custodian, the AA will ensure users have been educated and informed about:

- The information security and privacy issues related to the shared EMR, including potential annual refresher training.
- That information used in the shared EMR is private and confidential and the user must take reasonable steps to maintain the confidentiality of the information.
- Of their compliance obligations under the HIA.
- That a person who knowingly collects, uses or discloses health information in contravention with the HIA, may be found guilty of an offence and liable to a fine defined in the HIA.
- That the Information Manager monitors access to the shared EMR for security purposes and to protect the information. By accessing the shared EMR, users are expressly consenting to these monitoring activities.
- About what is considered a security or privacy breach and how to report a breach.

Auditing User Access to the shared EMR

Custodians are responsible and obligated to protect the privacy and confidentiality of shared EMR information. They must ensure that this information is only used for the purposes and under the terms and conditions stipulated in the EMR IEP and the HIA.

Access logs play an important role in auditing user access, proactive monitoring and responding to breach investigations. The AA can request that the Information Manager provide access logs on their users.

The Information Manager regularly audits for misuse of the shared EMR:
- i.e. users looking at their own health record
- i.e. users accessing a masked (protected) chart inappropriately or outside their job role.

INFORMATION SECURITY AWARENESS

Information security means:
- Preserving the confidentiality and integrity of information and ensuring that systems are available to provide service to patients.
- Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
The EMR IEP outlines the general responsibilities of EMR custodians:

- EMR IEP: Each EMR custodian has a duty pursuant to Section 60 of the Health Information Act to protect the confidentiality of EMR information and to protect against reasonably anticipated threat or hazard to the security of that EMR information, or unauthorized use, disclosure, modification or unauthorized access to EMR information.
- EMR IEP: EMR custodians are responsible for all EMR information accessed and used by the EMR custodian and their EMR affiliates.

AAs assist by safeguarding the confidentiality, integrity and availability of the health information under the control of the custodian.

Protecting the confidentiality of information means only authorized users can access sensitive information. It means taking steps to prevent any unauthorized access, use or disclosure of information. Access is based on user role and profession. This means that access permission and other security credentials are set up so that users have enough information to do their jobs, while ensuring that information is accessed only on a need to know basis.

The integrity of information is about maintaining the reliability and accuracy of information so it can be used to make informed health decisions. An unauthorized change of health information used for decision making or an error in the information is an example of something that causes loss of integrity.

Ensuring the continued availability of information means it is accessible to those who need the information. A system outage is something that causes loss of availability.

When granting access to the shared EMR, the following security principles should be followed:

- Segregation of duties: The separation of duties in order to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual. Example: Users cannot approve their own access to the shared EMR. It must be approved by the AA.
- Authorization to use and disclose: Once you have been given access to the shared EMR information, you are required to use that information only during the course of your work. Using or disclosing that information for personal gain or for purposes outside of the HIA is prohibited and is considered a breach. The HIA sets out fines for custodians and affiliates who knowingly breach the Act.

PRIVACY AWARENESS

The following EMR IEP rules must be adhered to by all users of the shared EMR:

- EMR IEP and 4.1.3: An EMR custodian may access and use EMR information for provision of health services.
- EMR IEP 4.1.2: Use of EMR information shall adhere to the principles of: using the least amount of EMR information necessary for the purpose and using EMR information only on a need to know basis.
- EMR IEP 6.1.1: An EMR custodian may disclose EMR information for any purpose where the individual who is the subject of the information has provided consent for that disclosure.
- EMR IEP 6.2.1: An EMR custodian may disclose specific EMR information where expressly authorized or required by Sections 35 or 37 of the Health Information Act.
- EMR IEP: An affiliate must be authorized by an EMR custodian for access. Affiliates retain full responsibility for all EMR information they access. Any use or disclosure of EMR information by an affiliate is considered use or disclosure by the EMR custodian.

The following HIA privacy provisions must be adhered to when granting access to the shared EMR:

- HIA Section 57: The duty of a custodian to collect, use or disclose individually identifying health information with the highest degree of anonymity possible.
- HIA Section 58: The duty of a custodian to collect, use or disclose the least amount of individually identifying health information.
- HIA Sections 24, 28, 43: The duty of an affiliate to collect, use or disclose health information in a manner that is in accordance with the affiliate's responsibilities as determined by their custodian ("need to know" basis).
- HIA Section 60: The duty of a custodian to protect the confidentiality of health information.
- HIA Section 58(2): The duty of a custodian to consider the expressed wishes of an individual regarding the disclosure of individually identifying health information.

Further information regarding the HIA can be obtained from the following:

- HIA Guidelines and Practices Manual: This manual provides supplementary information regarding the HIA and Regulations. The manual explains the role and responsibilities with respect to the administration of the Act, and is intended to provide guidelines and suggest best practices, not binding rules.
- Manual Appendix 3 and 4: Responsibilities of Custodians in Administering the HIA
- HIA and Regulations

REPORTING OF BREACHES

An information security and privacy breach occurs when there is a violation of the: (1) HIA; (2) EMR IEP rules for accessing shared EMR information; and/or (3) security and privacy policies of the custodian. A breach can also happen if there is a failure or absence of required safeguards to prevent a loss of confidentiality, integrity, or availability of information.

Examples of security incidents include:
- Deliberate misuse of health information in the shared EMR
- A missing laptop, PDA or portable device containing health information
- Virus, spyware, or malware infection impacting health information
- Disclosure of your shared EMR password or other authentication credentials

Security and privacy breaches are to be reported promptly to the Information Manager and the custodian. The Information Manager will report any security or privacy breaches to the Information Stewardship Office (ISO) and a formal investigation will be initiated.

EXTERNAL DELEGATION OF ACCESS ADMINISTRATION (EDoAA) FORM

Purpose

The EDoAA is used by the authorized custodian (or multiple custodians) to add, remove or amend the appointed AA for their facility or multiple facilities.

Completion

The most current version of the EDoAA form is located on the public-facing Alberta Health Services website.

Submission

The completed form is to be submitted to the Information Stewardship Office at:
Fax:

Pre-implementation to shared EMR EDoAA Submission Process (initial request, changes to AA, removal of AA)

- AHS-IT EMR Deployment Team: Notifies ISO of upcoming clinic to the shared EMR environment. Provide clinic with EDoAA form in ERM and ISF package information.
- Clinic/AA and ISO: Clinic and ISO to ensure AA position is outlined in the Privacy Impact Assessment.
- Clinic/AA: Clinic AA to complete EDoAA form and submit to ISO.
- ISO: Review and approve EDoAA form and submit to IM. For initial requests: verify clinic validity and the clinic's privacy and security measures.
- IM: Review and approve. Inform clinic of AA approval.

STAFF ACCESS REQUEST FORM (SARF)

The SARF is used by the appointed AA to manage the user access to the shared EMR for affiliates of the custodian. Only authorized custodians and their affiliates can access the shared EMR.

SHARED EMR SECURITY ROLES

According to the HIA Sections 57 and 58, the sharing of health information must, in all cases, be carried out in the most limited manner and with the highest degree of anonymity that is possible. According to the HIA Section 28 and 43, affiliates must only share or access health information in accordance with their duties to the custodian. This is called a need to know basis. Consequently, the AA must manage user access to the shared EMR based on the need to know and the least amount of information for the user to do their job.

The security role matrix for the shared EMR is located with the SARF form. Access to the shared EMR is based on the security role matrix, which lists roles/duties with corresponding access permissions. The AA will select a role based on the affiliate's duties to the custodian ("need to know"). Security roles will be assigned per system to include:
- Referrals
- Scheduling
- EMR
- Billing

Each role in the security role matrix comes with standard access, which is automatically assigned when the role is selected and departmental access must be selected in order to be assigned.

Certain roles are restricted to specific professions. For example, EMR Roles 1-3 and 21 are allocated to medical professionals; while EMR Roles 14 and 16 are allocated for administrative staff. Role assignment must adhere to the HIA, EMR IEP, and be based on the job the affiliate is doing for the custodian. See Appendix B for more detail.

SHARED EMR ACCESS ADMINISTRATOR GUIDE VERSIONS

VERSION: V01
DATE: YYYY-MM-DD

APPENDICES

Appendix A: Definitions
Appendix B: SARF Security Roles
Appendix C: Frequently Asked Questions

APPENDIX A: DEFINITIONS

Access Administrator (AA)

An individual designated by a participating custodian to complete and submit access requests for custodian affiliates to the shared EMR system.

Affiliate

An affiliate is an employee of an EMR custodian, permitted by the custodian to access, use or disclose shared EMR information on behalf of the custodian. The custodian is responsible for the actions of their affiliates.

HIA 1(1)(a) In relation to the custodian,
i. an individual employed by the custodian,
ii. a person who performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian,
iii. a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act,
iv. an information manager as defined in section 66(1)

Example: Affiliates are hospital staff or physician office staff employed by a custodian.

Custodian

A custodian is permitted to access, use or disclose shared EMR information in accordance with the Information Sharing Agreement, Information Management Agreement, Health Information Act (HIA), and EMR Information Exchange Protocol (EMR IEP).

HIA 1(1)(f)
(i) board of approved hospital as defined in the Hospitals Act
(ii) operator of nursing home as defined in the Nursing Homes Act
(iii) a provincial health board established pursuant to the regulations made under 17(1)(a) of the Regional Health Authorities Act
(ix) a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations
(xiv) other entity designated in the regulations

Co-custodian

A co-custodian is a custodian, as outlined above, that shares custodianship of shared EMR records.

Example: Participating physicians, AHS, and Covenant Health are co-custodians of the shared EMR records (i.e. eclinician). Each co-custodian contributes and shares information within the shared EMR environment.

Information Manager (IM)

The IM is the service provider for the shared EMR system. The IM provides information management and information technology services and audits for misuse of EMR information. AHS is the Information Manager for the shared EMR.

Information Sharing Framework (ISF)

The ISF establishes governance of health information stored in an AHS operated shared EMR system. Within this framework, a governance body that is neutral and represents all participating custodians exists. Legal agreements have also been put into place to ensure that all parties comply with their legislative requirements and roles within the EMR IEP.

ISF Governance Committee (ISF GC)

The ISF GC includes membership from AHS, AMA, Covenant Health, Faculties of Medicine, Alberta Health, CMPA, CPSA and a member of the public.
- Maintain information sharing agreements
- Establish policy and monitor use and disclosure of EMR information
- Oversee privacy and security issues related to the shared EMR
- Resolve disputes between AHS and participating physicians

Information Stewardship Office (ISO)

The ISO is a neutral office reporting to the ISF GC to exercise a number of its operational functions.
- Develop policy and security policies for the shared EMR
- Notify ISF GC of audits and investigations
- Provide recommendations should a breach occur
- Mediate disputes related to access, use and disclosure of the shared EMR
- Coordinate secondary use and research requests
- Monitor the Information Manager's compliance with the Information Management Agreement and Information Exchange Protocol

Legal Agreements

EMR Information Exchange Protocol (EMR IEP)

The EMR IEP outlines rules for access, use and disclosure of EMR information.

Information Sharing Agreement (ISA)

Participating physicians and AHS agree to submit information to and share information within the shared EMR system. This agreement is incorporated into the Information Manager Agreement below.
- Access, use and disclose shared EMR information as per the principles and guidelines of the HIA and EMR IEP.

Information Manager Agreement (IMA)

Participating physicians recognize AHS, as service provider, in the role of Information Manager (IM).
- Information Manager to provide information management and information technology services.
- Provide regular auditing to identify any inappropriate use and disclosure of EMR information.

This permission does NOT grant the Information Manager the right to use data within the shared EMR as they see fit. The ISO will closely monitor the IM to ensure compliance with their role as service provider.

Participating Physician Agreement

Physicians agree to become part of the Information Sharing Framework to become a co-custodian of the shared EMR data and submit their information to the shared EMR system. They grant permission for AHS to act as Information Manager for their shared EMR data. By signing this agreement, they agree to terms outlined in the IMA and ISA above.

APPENDIX B: SARF SECURITY ROLES (eclinician)

APPENDIX C: FREQUENTLY ASKED QUESTIONS

Who are the custodians in eclinician?

The eclinician co-custodians are AHS, Covenant Health and participating physicians.

Who decides if an affiliate should receive access to the shared EMR?

It is the responsibility of the custodian to determine who requires access to the shared EMR system based on their role and responsibility. A custodian may delegate this authority to an Access Administrator to act on their behalf, requesting access for the affiliate(s). The AA must ensure that the affiliate's access to shared EMR information is restricted based on their role in the healthcare system. Access permissions and other security credentials are set up on the principle of a need to know basis.

What training and education is required for users of the shared EMR?

All EMR Custodians are required to take reasonable steps to advise their affiliates of their privacy expectations. As per Health Information Regulation Section 8(6), a custodian must ensure that its affiliates are aware of and adhere to all the custodian's administrative, technical and physical safeguards in respect of health information. This education may take place through the AA.

Users are expected to take any system training specific to their role and responsibilities within the shared EMR system. Users will not be granted access to the EMR system prior to completion of this training. Training requests may be emailed to:

Under what circumstances can a user access and disclose shared EMR information?

A user may access shared EMR information as follows:
- EMR IEP: Using the least amount of EMR information necessary for the purpose and only on a need to know basis.
- EMR IEP: For providing health services to the individual and information is necessary for the provision of health services or for making a determination for a related health service.

- EMR IEP: Subject to the professional standards of practice of the CPSA and other professional bodies, non-identifying EMR information may be used by an EMR custodian for any purpose.
- HIA Section 28 and EMR IEP: An affiliate of a custodian (i.e. physician office staff under physician as custodian) must not use health information in any manner that is not in accordance with the affiliate's duties to the custodian. Any use or disclosure of EMR information by an affiliate is considered use or disclosure by the custodian.

A user may disclose shared EMR information as follows:
- EMR IEP: For any purpose where the individual who is the subject of the EMR information has provided consent for that disclosure.
- HIA Section 35 (1): A custodian may disclose identifying health information, without patient consent, to a person who is responsible for providing continuing treatment and care, for the purpose of a court proceeding, in compliance with a subpoena/warrant, for the purpose of processing payment for health services, etc.

Can a user access their own information or information of a family member?

A user, including custodians and affiliates, does not have the right to access information of a family member or of themselves unless they are directly involved in the provision of a health service. In circumstances where information is required, the user would then become an applicant and be required to follow the process outlined in EMR IEP and Custodians that access this information, without going through the proper release process, would be considered in breach of the EMR IEP and HIA.

Privacy, security and confidentiality of health information are essential. Individuals have the right to access their health information through the appropriate and secure means by following the access and disclosure policies and procedures. EMR custodians and affiliates must follow the same process as those without access to the shared EMR when obtaining their health information.

Shared EMR access is a privilege and assigned based on the role and responsibility of the users in the provision of health services. Misuse of these systems can result in restriction or suspension of your access rights, which may impact your employment or ability to deliver patient care.

What should I do if I encounter a security or privacy breach?

Security and privacy breaches are to be reported promptly to the Information Manager and the custodian. The Information Manager will report any security or privacy breaches to the Information Stewardship Office (ISO) and a formal investigation will be initiated.

What if the breach was performed by the custodian?

All security and privacy breaches, including those by a custodian, must be reported to the Information Manager.

What access levels are included in each of the security roles for eclinician?

Below is a high level summary of what each security role entails. Additional details may be found in the Staff Access Request Form (SARF) instructions.

Referral Security Roles

- Default 0: All other users by default have ability to view referrals and assign referrals to appointments.
- Role 1: Users who require greatest control over scheduling (i.e. primary scheduler).
- Role 2: Users responsible for triage of patients require ability to allow or disallow scheduling of referrals.
- Role 3: Users who only require the ability to view and create new referrals.

Billing Security Roles

- Role 1: Users whose function includes administration of clinic financials and accounting. Have access to all billing functions, including ability to run financial reports for the entire clinic.
- Role 2: Users that require access to billing functionality in order to manage and process clinic billing (i.e. Senior Billing Clerk).
- Role 3: Users that process patient invoicing and are responsible for running end of day billing reports.
- Role 4: Users that process patient invoicing at the point of service. Limited to creating and processing third party claims at the point of service (i.e. Registration Clerk).
- Role 5: Users that require access to clinic statistical and financial reports, but do not do client billing.

Scheduling Security Roles

- Role 1: Users who require greatest control over scheduling (i.e. primary schedulers).
- Role 2: Users who routinely schedule appointments but do not require the ability to modify a provider's schedule (i.e. Senior Scheduler).
- Role 3: Users who require scheduling functionality, but would not overrule a provider's schedule.
- Role 4: Users without the experience to book visits beyond the clinic's normal scheduling rules (i.e. Entry Level Scheduler).

- Role 5: Users who can run department appointment reports and direct patient traffic.
- Role 7: Users who only perform check in and check out of patient appointments.

EMR Security Roles

Medical Professionals

- Role 1: Clinically authorized health care provider (i.e. Nurse Practitioner or fully licensed physician). Users carry the greatest responsibility over a patient's chart and accordingly have the highest level of access.
- Role 21: Clinicians who require charting abilities but are limited in their ability to administrate aspects of a patient's chart. These users are considered to have the appropriate level of expertise to be able to close their own encounters (i.e. Senior Resident).
- Role 2: Clinicians who require charting abilities but are limited in their ability to administrate aspects of a patient's chart without the support of a clinically authorized health care provider (i.e. Senior Resident).
- Role 3: Clinicians requiring charting capabilities whose work must be reviewed and signed off by a clinically authorized health care provider (i.e. Resident).

Licensed/Accredited Professional and Clinical Support Staff

- Role 4: Acting without oversight of a Role 1 provider (above), these fully licensed or accredited professionals need to sign certain orders as the authorizing provider (i.e. referrals as part of mental health intake assessment). (i.e. RN, RPN, RD, PH, PT, OT)
- Role 5: Fully licensed or accredited professional who sign both medication and procedure orders as a delegate of a clinically authorized provider. More commonly used security role than above. (i.e. RN, RPN, RD, PH, PT, OT)
- Role 22: Fully licensed or accredited professionals who sign both medication and procedure orders as a delegate of a clinically authorized provider. Same as role 5 above but also allows user to do problem oriented charting. (i.e. RN, RPN, RD, PH, PT, OT)
- Role 7: Clinical support staff who has been appointed a higher level of responsibility by a clinically authorizing provider, such as writing medication orders. (i.e. LPN, MOA, Technologists).

Administrative Roles

- Role 14: Will be used by the HIM Access and Disclosure group. Users require ability to chart on certain non-scheduled, non-face to face encounters (i.e. release of information), and full access to the current and historical patient chart.

- Role 16: Typically, an abstractor role. Users require the ability to chart on non-scheduled, non-face to face encounters, and the ability to close encounters and modify the problem list.

View Only and Access to Service Roles

- Role 17: View only role with the In Basket Results. Users will use this role as an interim role used by clinicians to familiarize with eclinician.
- Role 18: View only role with non-clinical In Basket. Users will use this role as an interim role used by front office or admin staff to familiarize with eclinician.
- Role 19: View only role with non-clinical In Basket and the ability to chart on letters. Users able to create, edit, print and route both patient and provider letters from within a letter navigator tied to scheduled visits.
- Role 20: View only role with In Basket Results and the ability to chart on letters. Role is combination of Roles 17 and


More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

Exhibit 2. Business Associate Addendum

Exhibit 2. Business Associate Addendum Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing

More information

MONTANA PROFESSIONAL ASSISTANCE PROGRAM, INC. POSITION DESCRIPTION:

MONTANA PROFESSIONAL ASSISTANCE PROGRAM, INC. POSITION DESCRIPTION: MONTANA PROFESSIONAL ASSISTANCE PROGRAM, INC. POSITION DESCRIPTION POSITION DESCRIPTION: REPORTS TO: CLINICAL COORDINATOR CLINICAL DIRECTOR SUPERVISES: SUMMARIES OF DUTIES Reports to the Clinical Director.

More information

HIPAA Business Associate Contract. Definitions

HIPAA Business Associate Contract. Definitions HIPAA Business Associate Contract Definitions Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. Examples of specific definitions:

More information

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Information Security and Electronic Communications Acceptable Use Policy (AUP) Policy No.: AUP v2.0 Effective Date: August 16, 2004 Revision Date: January 17, 2013 Revision No.: 1 Approval jwv / mkb Information Security and Electronic Communications (AUP) 1. INTRODUCTION Southwestern

More information

Strategies for occupational therapists to address elder abuse/mistreatment

Strategies for occupational therapists to address elder abuse/mistreatment Strategies for occupational therapists to address elder abuse/mistreatment Provincial Legal Information: ALBERTA Prepared by the Canadian Association of Occupational Therapists August 2011 This project

More information