Electronic information systems play an important role in health care. Securely sharing data between health care providers helps us give the best possible care. As we do so, we are committed to protecting your Personal Health Information (PHI).
Ontario's Personal Health Information Protection Act (PHIPA) defines how health care providers, organizations and electronic hosting systems may collect, use and share PHI. Among the parties it regulates are Health Information Network Providers (HINPs) and Electronic Service Providers (ESPs).
In partnership with third parties, we host several electronic information systems. These allow authorized health care providers to contribute to, store, access and share their patients' PHI. As a result, we are classified as a HINP and/or an ESP. As PHIPA's regulations require, our practices for securing and protecting patient information are outlined below.
At Osler, we co-host the following systems:
Integrated Assessment Record (IAR)
The IAR is a clinical viewer hosted on behalf of Community Care Information Management (CCIM).
Through this tool:
- authorized users can view a consenting patient's assessment information to effectively plan and deliver services to that patient
- assessment information can move with a patient from one Health Service Provider (HSP) to another
- HSPs can collaborate with other care providers and view assessment information electronically, securely and accurately
Rapid Electronic Access to Clinical Health Information (REACH)
REACH is a portal that allows health care providers from participating partner organizations to view patient data for the purpose of providing care to those patients.
We co-host REACH with Trillium Health Partners, Headwaters Healthcare Centre, Halton Healthcare Hospitals, and Home and Community Care Support Services Central West and Mississauga Halton, as part of Ontario Health (central region).
Organizational safeguards
We have many technical, physical and administrative safeguards to help protect the security, confidentiality and integrity of the above systems and the information within them. These include:
- a documented Disaster Recovery/Business Continuity Plan, with periodic drills;
- anti-virus solutions to help protect our infrastructure from infection;
- audits, Privacy Impact Assessments and Threat and Risk Assessments;
- automated logging and monitoring of all access to patient information;
- complex passwords (enforced on all systems);
- data backed up on a regular basis and stored off-site;
- data-sharing agreements with all participants;
- employee training on privacy awareness and security best practices;
- firewall systems to guard our network perimeter;
- formal agreements with related maintenance and service providers;
- continuous monitoring of network traffic to help identify threats;
- policies, procedures and standards to govern related operations (see below);
- servers housed in a secure space, with redundant and backup power supplies;
- patching of servers on an ongoing basis; and
- registration/control processes for third-party participants and their authorized staff.
Policies, practices and standards:
For the above systems, and except as permitted or required by law, we do not:
- use any PHI accessed while providing services for a health information custodian, except as necessary while providing the services;
- disclose any PHI to which we have access while providing services for the health information custodian; or
- allow our employees, or anyone acting on our behalf, to access the information unless they agree to abide by our policies and procedures.
We are accountable to partners with access to the above systems. We:
- notify participating Health Information Custodians (HICs) of any privacy breaches detected;
- provide each participating HIC with a copy of this statement and, on request, a copy of the data-sharing agreement including its statement of network services;
- make a copy of this statement publicly available on our website;
- maintain appropriate logging and monitoring of access to PHI, and make those records available to participating HICs on request;
- perform regular privacy and security assessments of the operation of in-scope systems and provide summary copies of assessment results to participating HICs; and
- bind third parties providing services to these programs to these requirements.
Beyond the commitments above, these internal policies, procedures and standards are also relevant to our stewardship of in-scope systems:
- Acceptable Use Policy;
- Business Continuity Framework;
- Code Grey Information Services Internal Response Policy;
- Data Encryption Policy;
- Data Governance Policy;
- Identity and Access Management Standard;
- Information Classification Standard;
- Information Security Policy;
- Privacy and Information Security Assessments Standard;
- Privacy Breach Policy;
- Master Privacy Policy;
- Server Security Standard;
- Use and Protection of Personal Information Policy; and
- Monitoring of Access to Information System Policy.
Questions?
For more information, or to ask questions about our privacy and security practices, contact us at 905-494-2120 ext. 29466 or by email at PrivacyOffice@williamoslerhs.ca.