Electronic Child Health Network - Ontario Laboratories Information System Limited Production Release. Delta Privacy Impact Assessment Summary




Copyright Notice

Copyright 2012, eHealth Ontario

All rights reserved

No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of eHealth Ontario. The information contained in this document is proprietary to eHealth Ontario and may not be used or disclosed except as expressly authorized in writing by eHealth Ontario.

Trademarks

Other product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Introduction

As required under Ontario Regulation (O.Reg.) 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA), and by eHealth Ontario's personal health information privacy policy, eHealth Ontario completed a delta privacy impact assessment (PIA) on eHealth Ontario's electronic Child Health Network - Ontario laboratories information system (eCHN-OLIS) limited production release (LPR) initiative in February, 2012. The eCHN-OLIS delta PIA for the LPR addresses only the changes in the OLIS initiative for the eCHN-OLIS LPR, including access by up to 20 users to the OLIS data via eCHN's system. Please see the OLIS physical PIA summary for information on the PIA conducted for the OLIS initiative.

The eCHN-OLIS delta PIA found that eHealth Ontario has the authority as an agent of the Ministry of Health and Long-Term Care (MOHLTC), under PHIPA, and under section 6.2 of O.Reg. 329/04 for the eCHN-OLIS LPR, as eHealth Ontario is receiving personal health information (PHI) from the MOHLTC for the purpose of creating or maintaining one or more electronic health records, and providing health care provider access to the OLIS data via eCHN, acting as a service provider to eHealth Ontario.

The following is a summary of the delta PIA, including a brief background on the eCHN-OLIS LPR, key findings, and eHealth Ontario's progress in implementing the recommendations identified in the delta PIA.

Background

OLIS is a cornerstone information system that connects hospitals, community laboratories, public health laboratories and health care providers (providers) to facilitate the secure electronic exchange of laboratory test orders and results. The ability to electronically share laboratory test information through OLIS supports providers in making decisions on patient care and treatment.

eCHN is a not-for-profit organization operating an electronic health record for Ontario providers serving paediatric patients (18 years of age and younger).

eHealth Ontario is collaborating with eCHN, in 2012, to conduct an LPR (i.e., a pilot project), making lab results in OLIS available to providers participating in the eCHN initiative. Providers participating in the LPR will log into the web-based eCHN system and view the OLIS data for their paediatric patients, in addition to PHI contributed by other providers. eHealth Ontario will make the OLIS data available to the end-user providers via eCHN under its authority established in O.Reg. 329/04, section 6.2. eCHN will be acting as a service provider to eHealth Ontario in maintaining the subset of OLIS data and in providing it to the end-user providers.

OLIS includes the test results of individuals in Ontario who have had a laboratory test processed at one of the laboratories participating in OLIS. Individuals may withdraw consent to the use and disclosure of their PHI within OLIS. Withdrawal of consent may be applied to all of an individual's lab information in OLIS, or only to tests on a specific lab order. If an individual's consent has been withdrawn, providers may only access the individual's lab information within OLIS, via eCHN, with the individual's express consent.

In December 2010, the MOHLTC, a health information custodian (HIC) under PHIPA, assumed custody and control of patients' laboratory test results in OLIS. The MOHLTC published a notice to inform the public that the MOHLTC was assuming custody and control of OLIS. The notice included information on how individuals can withdraw or reinstate their consent for their PHI in OLIS.

A PIA was already completed on the OLIS initiative in the fall of 2011. However, because PHI in OLIS is being shared with end-user providers, through eCHN, eHealth Ontario policies and O.Reg. 329/04 require that a delta PIA of the initiative be undertaken.

Summary of Delta Privacy Impact Assessment

The eCHN-OLIS LPR delta PIA considers the initiative as of February, 2012. Specifically, the scope of the delta PIA includes the delivery of OLIS data, via eCHN, to the 20 providers participating in the LPR; the purposes and processes for sharing the OLIS data with providers; and the legislative authority under which eHealth Ontario may share OLIS data with providers, via eCHN. The PIA also considers the technical, administrative and physical safeguards which have been put in place to ensure that all flows of PHI occur in a secure and privacy-protective manner, and are in compliance with legislative requirements, relevant agreements, best practices as represented in the Canadian Standards Association Privacy Code and eHealth Ontario's privacy policies.

The delta PIA concludes that eHealth Ontario has the overall PHIPA authorities for operating and managing the eCHN-OLIS LPR. Additionally, eHealth Ontario and eCHN, its service provider, each have a robust infrastructure for the processing and sharing of sensitive PHI, with policies and practices to protect the privacy of Ontarians and the security of the information retained by eHealth Ontario and by eCHN. The delta PIA recommends several measures to ensure that, for the eCHN-OLIS LPR, eHealth Ontario is in compliance with policies, procedures and privacy best practices.

Summary of the Implementation Plan for the Delta Privacy Impact Assessment Recommendations

The delta PIA provides a number of recommendations for the eCHN-OLIS LPR, as summarized below:

1. As eCHN is acting as eHealth Ontario's service provider, eHealth Ontario will ensure that the administrative and technical controls that it applies to OLIS data are also applied by eCHN to the OLIS data in the eCHN database. This ensures that patients receive the same level of privacy protection regardless of whether their lab results are in the OLIS database or in eCHN's system. eHealth Ontario will flow privacy and security obligations to eCHN through an agreement between the parties, and ensure it conducts appropriate assurance on eCHN's privacy posture.

2. eHealth Ontario will be making the OLIS data available to end-user providers under O. Reg. 329/04, section 6.2. eHealth Ontario will need to establish administrative controls with the end-user providers to ensure they do not collect the OLIS data for purposes other than that for which it was provided (i.e., to provide or assist in the provision of health care). Training and/or materials for end-user providers will include direction on privacy-related matters.

3. eHealth Ontario will work with eCHN to ensure processes are in place to identify, notify, and investigate potential incidents with respect to the OLIS data.

4. The parties will implement a technical fix to ensure consent directives are transferred to eCHN's system in all instances.

5. eHealth Ontario will establish a retention schedule that applies to OLIS data in eCHN. Should the project not continue after the pilot, eCHN will destroy the OLIS data, and return the audit logs to eHealth Ontario.

6. eHealth Ontario and eCHN will jointly develop processes for ensuring details of access to OLIS data by eCHN users are provided to eHealth Ontario.

7. eHealth Ontario will augment its access request process for the eCHN-OLIS initiative to assist the MOHLTC in responding to access requests by individuals. Additionally, eHealth Ontario will update its communication materials to instruct eCHN and end-users on the individual access request process for OLIS data.

8. eHealth Ontario will obligate eCHN, through an agreement, to report complaints or inquiries in respect of OLIS data, to eHealth Ontario, and work with eHealth Ontario to investigate and respond to any complaints that may arise.

eHealth Ontario is currently in the process of implementing each of the recommendations identified in the 2012 eCHN-OLIS LPR delta PIA.

Glossary

eCHN: electronic Child Health Network
LPR: limited production release
MOHLTC: Ministry of Health and Long-Term Care
OLIS: Ontario laboratories information system
O. Reg.: Ontario Regulation
PHIPA: Personal Health Information Protection Act, 2004
PHI: personal health information
PIA: privacy impact assessment

Contact Information

Please contact the eHealth Ontario Privacy Office should you have any questions about the eCHN-OLIS LPR delta PIA Summary:

eHealth Ontario privacy office
777 Bay Street, Suite 701
Toronto, Ontario M5B 2E7
Tel: (416) 946-4767
privacy@ehealthontario.on.ca