Healthquest Online PIA Amendment - Simply Vital to …€¦ · Web viewThis information is retained...

DATE

Ms. Jill Clayton, CommissionerOffice of the Information and Privacy Commissioner# 410, 9925 - 109 St NWEdmonton, AlbertaT5K 2J8

Re: Amendment to Privacy Impact Assessment (PIA File # _________ – Accepted DATE) – For the implementation of Healthquest Online Services

Dear Ms. Clayton,Please accept this change amendment in order to address a more inclusive description of our Organizational Privacy Management Privacy Impact Assessment (PIA File#__________) in implementing an expansion to our current service offering and use structure of our Electronic Medical Record (EMR), Microquest’s Healthquest; for your review. This additional capability will also alter the way we provide notice, confirm and document consent in our practice. Please find enclosed our practice Policies and Procedures to satisfy the Organizational Privacy Management component of our PIA. This document outlines the privacy structure and controls within our clinic. I am submitting this document in compliance with Section (64) of Alberta’s Health Information Act (HIA).

This change will encompass the following aspects of our PIA:

Section A Project Summary

Section B Organizational Privacy Management

Section C Project Privacy Analysis

Section D Project Privacy Risk Mitigation

Section E Policy & Procedure Attachments

We have reviewed the Monitoring of Privacy and Security Controls section of our PIA (PIA File#__________) and do not anticipate any threat to the security practices in place as described in our PIA. We have determined that the change will not affect how we are operating from the way we have described in our PIA except where included in this document.The expansion of our Electronic Medical Record program is expected to commence upon completion of this amendment.Custodians participating in this mutual change to our privacy solution include:CUSTODIANNAMECUSTODIANNAME

If you require additional information on any aspect identified in this amendment endorsement, please contact me at PH#.

I trust that this will be satisfactory.

Sincerely,

__________________________________PRIMARYCUSTODIAN, Primary Custodian

Enclosures: Privacy Impact Assessment | Healthquest Online Portal AmendmentAmended Information Manager Agreement(s)

Our practice information is as follows:NAMEADDRESSCITYPOSTALCODE

Phone: Fax: E-Mail:

PRACTICE NAME

Healthquest Online PIA Amendment

Clinic AddressP.F.

Version Control

Date Version

Author of changes Description

DATE 1 Authorized by:PRIMARYCUSTODIAN

Healthquest Online Portal Amendment

2020

Table of ContentsHealthquest Online PIA Amendment.......................................................................................3Section A: Project Summary....................................................................................................5Section B: Organizational Privacy Management.....................................................................9Section C: Project Privacy Analysis........................................................................................13

Information Flow Diagram | Healthquest Online.........................................................16Flow Purposes Table..................................................................................................17

Section D: Project Privacy Risk Mitigation.............................................................................23APPENDIX ONE | POLICY & PROCEDURE’s.............................................................................29

Policy & Procedure #1 | Information Handling and Security.......................................30Policy & Procedure #2 | Records Security Classification............................................39Policy & Procedure #3 | Wireless Networking & Remote Access................................43Policy & Procedure #4 | Privacy Breach Management...............................................47Policy & Procedure #5 | Password Management........................................................51Policy & Procedure #6 | Encryption for Electronic Data Transmission & Protection. . .52

APPENDIX TWO | REFERENCES..............................................................................................55APPENDIX THREE | DEFINITIONS............................................................................................57APPENDIX FOUR| ATTACHMENTS...........................................................................................60

Attachment #1 | Privacy Breach Reporting Form | OIPC | Commissioner...................61Attachment #2 | Privacy Breach Reporting Form| Minister........................................64Attachment#3 | Privacy Breach Reporting Form | Individual.....................................65Attachment #4 | Sample Collection Notice Poster.....................................................68Attachment #5 | Consent to the Transmission of Health Information Form...............69

Updated IMA with Microquest’s Healthquest.........................................................................70

HQO PIA Amendment 2020

Section A: Project Summary 1 The HIA requires that a custodian establish or adopt policies and procedures to facilitate implementation of the Act (section 63). It also requires a custodian to submit a privacy impact assessment (PIA) to the Office of the Information and Privacy Commissioner before implementing a new practice or information system – or when making changes to an existing practice or system – that collects, uses or discloses individually identifying health information (section 64). If a custodian is considering electronic communication tools to correspond with patients, they must have appropriate risk mitigation strategies and policies. A PIA helps to manage privacy risks when communicating with patients electronically before such tools are implemented.

Project Background

What does the information system or administrative practice do?

This amendment to the Electronic Medical Record (EMR) System Privacy Impact Assessment (PIA) has been initiated to describe unique nature of an online environment for the creation and communication of Health Information and the challenges it presents to the protection of data during the supplementary use of Healthquest Online for the provisioning of health services. As healthcare Custodians, we are required under the Health Information Act (HIA) to protect Health Information in our custody or control against reasonably anticipated threats or hazards that could result in loss, unauthorized use or disclosure, modification or inaccuracy. This implementation will be a major technological change and we are embarking on this venture by first considering the most reasonable best practices for ensured continuity of the security in our medical clinic. What is the business rationale for the project?

The purpose of this project is to improve upon contribution means to the patient medical record in order to form the most inclusive care plan. Expedition has been exacerbated by and immediate and significant need for virtual care options.Electronic communications with patients can improve efficiency by:

o Sending appointment reminders to limit calls made from the practice;

o Notifying patients about a new service offering;o Following up with patients on a treatment plan;o Limiting the support staff workload; o Reducing loss of information due to access restrictions; o Maximizing resources to improve on income loss.

Who are the key players?

Microquest will utilize Twilio services to support their Healthquest Online structure.

1 OIPC - Advisory for Communicating with Patients Electronically – Published August 2010 / Updated June 2019

DATE CLINICNAME P a g e | 5


Where will health information be stored and accessed?

Health Information that this clinic maintains responsibility and custodianship for will be stored in the clinic Healthquest EMR database and backed up as described in PIA File#_____. Microquest’s privacy policies and procedures describe how information from the clinic EMR will be transmitted and made available to authorized users of Healthquest Online. Why does the project need to collect, use or disclose health information to achieve its objectives?

The purposes for which we collect, use and disclose health information are described in full in PIA File#_____ and will remain unchanged.

Distributed Approach to Threat and Hazard Identification & Management

Clinic

We have reviewed the current policy for a distributed approach to Threat and Hazard Identification and Management. At this time, we do not require any changes to be made, our process will remain unchanged from our formerly submitted PIA File # _____. EMR Vendor

Microquest has developed processes to identify threats and hazards in the use of their online features and they have built security controls into the system based on international best standards and practices. Some of those controls include:

o Encryption of all electronic messageso Use of firewalls and intrusion detection systemso Regular reviews of audit logs o Role based access control

Backup services

Our backup services have not changed from how we have described them in PIA File#___________. Microquest retains standard web log data (e.g. access times, IP addresses, etc.) solely for debugging purposes. This is retained for 6 months maximum.

Network / Hardware Equipment

In addition to our formerly submitted Network and Hardware equipment outline, this integration will require the Healthquest Online service to be installed in order to provide access. This is done on the Custodians existing Healthquest database server. Concurrently, a port needs to be opened in the firewall to allow for external access. Install instructions have been provided to the Custodian during the service request to ensure proper installation techniques on our side.

Wireless & Remote Access



This section will remain similar to what has been previously submitted in our PIA File #_______ for office/home office access and use. Additionally, Policy & Procedure #3 | Wireless Networking & Remote Access has been added to this submission to outline the extra requirements of wireless technology outside of the Custodian’s control.

While it is understood that the majority of internet participation is through wireless connection, in order to reduce the risk of hackers stealing Health Information over Wi-Fi; Microquest recommends a wired data connection method for any interaction that may consider Health Information data. It is also advised that the patient or Custodian accessing Healthquest Online services do so from a private computer/device and use secure accounts with a tested and secure internet connection. Health information should never be stored on individual computers.

Data Migration

Data Migration will NOT be required for this upgrade. Data migration has been planned for in our original Privacy Impact Assessment File#______ and Microquest will adhere to the policies and procedures as previously suggested if required.

Destruction of Outgoing EMR System

This change will NOT necessitate the destruction an outgoing EMR system.

Clinic Profile – UPDATE TO BE REFLECTIVE OF YOUR PRACTICE

OPEN DATE:ADDRESS:

PRIVACY OFFICER:TYPE OF PRACTICESTAFFING HISTORY OF RECORDSBILLING PROCESS Accredited Submitter (Microquest)

Microquest acts as the accredited submitter for claims to Alberta Health’s H-Link system. As such, Microquest maintains an Information Manager Agreement with all clients in order to protect the data that Microquest transmits to Alberta Health on behalf of the health service provider. Alberta Health claims are indicated directly into Healthquest EMR, securely transmitted to Microquest over FTSP (utilizing TLS 1.2), and then transmitted to Alberta Health H-Link using their secure web portal. Once claims have been sent to H-Link and properly analyzed and assessed, Microquest removes any copies of the claims from their servers.



Outsourced Billing Agent ( VENDORNAME ) An Information Manager Agreement is in place with each the billing agent and to ensure security and privacy protection measures in compliance with the HIA.

TYPE OF SOFTWARE Healthquest Online (HQO) – Health Participation Software

Individual Components: Healthquest Online Booking Healthquest Intake Forms Healthquest Self Check-In Healthquest Appointment Reminders Healthquest Patient Portal Healthquest Patient Chart Healthquest Dictation Healthquest Billing Chits



Section B: Organizational Privacy Management Our intention to expand our offering capacity to include Healthquest Online will not alter our organizational privacy management as outlined in Section B of our PIA File# _________. OR

We have reviewed our Privacy Impact Assessment Section B and we have determined that our intent to offer Healthquest Online services to our patients will alter our organizational privacy management. We have considered the following changes to be necessary to ensure that we remain parallel to the expectations of the Health Information Act and other relevant privacy legislation. The processes and safeguards remain unchanged.

Management Structure

Original PIA Organizational Privacy Management Structure: Staff Position Job Responsibility Reports to Number of

IndividualsReceptionist Reception,

Administration Clinic Manager #FT / #PT

MOA / Clinic Manager

Clinic Administration

Lead Physicians #FT / #PT

PCN RN Medical Assistance Lead Physicians and PCN #FT / #PTPhysicians Patient Care Licensing Body #FT / #PTOther Allied Health Professionals

Patient Care Licensing Body & Primary Custodian

#FT / #PT

Amended PIA Organizational Privacy Management Structure: Staff Position Job

ResponsibilityReports to Number of

Individuals

Receptionist Reception, Administration

Clinic Manager #FT / #PT

MOA / Clinic Manager

Clinic Administration

Lead Physicians #FT / #PT

PCN RN Medical Assistance

Lead Physicians and PCN #FT / #PT

Physicians Patient Care Licensing Body #FT / #PTOther Allied Health Patient Care Licensing Body & Primary #FT / #PT



Professionals Custodian

Policy Management

As part of our activities preparing to deploy the fullest capacity of privacy and security for Healthquest Online, a set of specific information privacy and security policies and procedures have been developed to establish responsibilities with respect to protecting the privacy and security of Health Information protected under the HIA. As part of our initiative(s) we have:

o Identified information sensitive systems and data (information flow diagrams);

o Developed privacy and security policies and procedures, computer usage, email usage, and internet usage policies and guidelines;

o Developed an ongoing personal awareness and training program relevant to the protection and confidentiality of Health Information in accordance with the HIA;

o Developed a detailed assessment of the clinical care privacy and confidentiality implications of our daily administrative processes, to ensure the protection of the Health Information of our patients.

Our staff have participated in the development, review, and identification of potential privacy and security issues. Our Privacy Officer, PRIVACYOFFICERNAME authorizes new policies, procedures, and changes to them. There are certain policies and procedures that have been considered in order to address:

o Communicating with patients electronically; o Acceptable use of mobile devices; o Determinations on how to manage records submitted by patients;o Regularly confirming patients’ preferred methods of communication

and contact information.

Vendor – Microquest’s Healthquest EMR

We have reviewed the current policy for the secure use of a vendor to provide an electronic medical record system. At this time, we do not require any changes to be made, our process will remain unchanged, our vendor will still be Microquest. An updated IMA to support the changes in our chosen EMR has been included in this submission. Training and Awareness | Privacy Officer

We have reviewed the current policy for the Training and Awareness of a Clinic Privacy Officer. Our processes will remain unchanged for this amendment.General Privacy Awareness and Training Practices

We have reviewed the current policy for clinic Privacy Awareness and Training Practices. Our processes will remain unchanged for this amendment.



EMR Privacy Training and Awareness

We have reviewed the current policy for EMR Privacy Training and Awareness. At this time, we do not require any changes to be made.

Incident Response

We follow up on breach incidents as outlined in our policies and procedures, to ensure that steps are taken to prevent future occurrence. This includes a communication plan to persons involved, staff, public, etc. and an audit plan to ensure implementation or preventative or correction steps are achieved including revision to policies and procedures.

Privacy Breach Management

Reporting a privacy breach is mandatory under the Health Information Act (HIA) or the Freedom of Information and Protection of Privacy Act (FOIP).

Clinic

This section will remain the same as formerly submitted in our PIA File # _________.EMR Vendor

Microquest has a Chief Privacy Officer who is responsible for information privacy and security, including ensuring that appropriate administrative, technical and physical security features are in place to protect Health Information in the custody and control of the Custodian.

Section 66(2) of the Health Information Act requires Information Managers as described in Section 66(1) to maintain an Information Manager Agreement. Our Information Manager Agreement includes the details of our privacy breach reporting mechanism. Microquest will minimize security / privacy breaches at their facility from occurring by use of an Intrusion Detection System, (IDS) and Intrusion Prevention System (IPS). Each server is monitored by an IDS in real-time. All systems are protected by monitored firewalls and passwords, and all unnecessary ports disabled. The infrastructure offers multiple levels of secured managed firewalls and host-based protection. Microquest will minimize the damage caused by a security / privacy breach at their

facility by:1. Regularly monitoring of firewalls and systems for unauthorized access

attempts. 2. All employees are responsible to report to the Security Administrator

and Chief Privacy Officer any suspected privacy problems or security breaches immediately upon detection.

3. The Security Administrator and Chief Privacy Officer will promptly mitigate and investigate all breaches.

4. All alerts from IPS and IDS are routed to a centralized monitoring system and dispatched to Security Administrators.

5. Security and privacy problems are investigated and escalated, as necessary.



6. The Security Administrator and Chief Privacy Officer will investigate and escalate to the appropriate personnel or as required, to the President, within 24 hours.

7. Security and privacy incident reports will be completed and submitted within 24 hours of an incident.

8. The Security Administrator will initiate and ensure completion of an incident report for each breach of security and all staff and contractors will be required to contribute as requested

9. All breaches reported to the Custodian involved and to the OIPC and will include the following information:

o The nature of the non-permitted or violating use or disclosureo The health information disclosedo Identify, if possible, who made the non-permitting or violating use or

received the non-permitted or violating disclosureo Any corrective action that has been taken or will be taken to prevent

further disclosure o Any actions that have been taken or will be taken to mitigate any

deleterious effect of the non-permitted or violating use or disclosure o Any other information that may be reasonably requested or helpful.

Alberta Netcare Training and Awareness

We have reviewed the current policy for Alberta Netcare Training and Awareness. At this time, we do not require any changes to be made.

Sanctions & Termination for Cause

We have reviewed the current policy for Sanctions and Termination of Cause, and we have determined that this section will additionally outline the following provision:

Upon knowledge of a material breach of this agreement by an agent, Microquest shall provide written notice to the Custodian and the Agent identifying the breach. Microquest shall conduct a formal investigation and take such remedial actions against the Agent including suspensions or termination for cause as deemed appropriate.

Access and Correction Requests

We have reviewed the current policy for Access and Correction and will consider this amendment to additionally include in our privacy practice the following:

The custodian who entered information into the EMR system is identified as the individual that must make the correction or amendment. They are responsible for making the determination in each individual case if the correction is warranted, as per the Health Information Act.

In the event a request for access to or correction of information is made to Microquest, Microquest will do the following:



1. Record the specifics of the request (who, what, when, where, etc.) in written forms and direct to the vendor Chief Privacy Officer.

2. As per the IMA, the Chief Privacy Officer will refer the request to the appropriate Custodian of data.

3. Microquest’s Chief Privacy Officer will inform the applicant in writing of the final decision pertaining to the request for access/ correction

This information is retained within the EMR, of which the physician/custodian has full control in order for the physician/custodian to meet legal requirements in responding to access and correction requests. Other than expressly permitted under the Agreement with the Custodian, Microquest will not disclose, allow access to, or use of, Health Information by a person; unless compelled pursuant to an order of Section (6) (Disclosure Compelled by Law) by a court in Alberta of competent jurisdiction in accordance with.



Section C: Project Privacy Analysis 2Custodians have a duty to protect the privacy of their patients and the confidentiality of Health Information in their custody or control as outlined in section 60 of the Health Information Act (HIA). The risks of communicating with patients electronically must be considered. Responsibility for safeguarding health information cannot be transferred to a patient by having a patient sign a consent form or disclaimer to accept the risks associated with electronic communications.

Health Information Listing

We have reviewed the Health Information Listing section of our PIA File #________ and we have determined that changes will need to be made to support this constructive new approach to our health service offering. By default, the content of the Healthquest Online portal may contain the following as part of an interaction:

HQO Feature

REGISTRATION DIAGNOSTIC, TREATMENT AND CARE INFORMATION

SCHEDULING / BILLING

INFORMATION

PATIENT CHART

Patient Name **AddressPhone Number (Home)Phone number (Work)Additional contact numbers (cell, pager)GenderDate of BirthPersonal Health Number **Contact NameContact relationshipContact AddressContact phone numbers (home, work)AlertsPharmacyChart Number **

Family and social historyPast medical historyImmunization historyMedicationsAllergiesLab orders & resultsProblem list Vital stats Progress notes ConsultsDiagnostic imaging ReportsHealth service providerInformation (PhysicianName, provider ID **; referring physician name, referring Dr. ID**)

Appointment dateAppointment time Reason for visit PayerAmount owing UnitsProvider ID**Referring Dr. ID **Service facility Functional center Date Originating facility Originating location Hospital admit dateCommentsPay-to entity

BILLING CHITS

Patient Name **AddressPhone Number (Home)GenderDate of BirthPersonal Health Number **

Health service providerInformation (PhysicianName, provider ID **; referring physician name, referring Dr. ID**)

Appointment dateAppointment time Reason for visit PayerAmount owing Units

2 OIPC - Advisory for Communicating with Patients Electronically – Published August 2010 / Updated June 2019



AlertsPharmacyChart Number **

Provider ID**Referring Dr. ID **Service facility Date CommentsPay-to entity

DICTATION Patient Name **AddressPhone Number (Home)GenderDate of BirthPersonal Health Number **Chart Number **

Family and social historyPast medical historyImmunization historyMedicationsAllergiesLab orders & resultsVital stats Progress notes ConsultsDiagnostic imaging ReportsHealth service providerInformation (PhysicianName, provider ID **; referring physician name, referring Dr. ID**)

Appointment dateAppointment time Reason for visit Provider ID**Referring Dr. ID **Service facility Date Originating facility Originating location Hospital admit dateComments

ONLINE BOOKING

Patient Name **Phone Number Date of BirthEmail


Appointment dateAppointment time Reason for visit Service facility

INTAKE FORMS


Family and social historyPast medical historyImmunization historyMedicationsAllergiesVital stats Health service providerInformation (PhysicianName, provider ID **; referring physician name, referring Dr. ID**)

Appointment dateAppointment time Reason for visit Date Pay-to entity

APPOINTMENT REMINDERS

Patient Name **AddressPhone Number (Home)Phone number (Work)Additional contact

Health service providerInformation (PhysicianName, provider ID **; referring physician name,

Appointment dateAppointment time



numbers (cell, pager)GenderDate of BirthPersonal Health Number **

referring Dr. ID**)

PATIENT PORTAL


Family and social historyPast medical historyImmunization historyMedicationsAllergiesLab orders & resultsProblem list Vital stats Progress notes ConsultsDiagnostic imaging ReportsHealth service providerInformation (PhysicianName, provider ID **; referring physician name, referring Dr. ID**)

Appointment dateAppointment time Reason for visit PayerAmount owing UnitsProvider ID**Referring Dr. ID **Service facility Functional center Date Hospital admit dateCommentsPay-to entity

SELF CHECK IN

Patient Name **AddressPhone Number (Home)Phone number (Work)Additional contact numbers (cell, pager)GenderDate of BirthPersonal Health Number **Contact NameContact relationshipContact AddressContact phone numbers (home, work)Pharmacy


Appointment dateAppointment time Provider ID**Comments

** Unique Identifier



Information Flow Diagram | Healthquest Online Healthquest Online | Information Flow Diagram

DATA CENTERCUSTODIAN SITE

REMOTE ACCESS

CUSTODIAN USER / PATIENT


Custodian

Healthquest User / Affiliate

Healthquest EMR

HQ Online

Custodian Database

Healthquest

Databas

BILLING

PATIENT

DICTATION

INTAKE FORMS

APPOINTMENT REMINDERS

SELF CHECK-

PATIENT

TERMINAL TERMINALPatient

1

3

4

4

5

4

ONLINE

Twilio

12

7

8

9

10

11

6

3

2

13

14

2


Flow Purposes Table INFO FLOW

DESCRIPTION

1 Microquest user or affiliate at the custodian site interfaces with the Healthquest EMR application on a workstation to maintain up to date information of the Custodian Schedule, current usage forms and consent measures in the EMR.

2 Healthcare providers and Custodians can access the provider portal through the secure HQ website to enter or review charting aspects such as:

BILLING CHITS – Billing requests are sent to the clinic from the remote billing clerk or custodian allowing for the uploading of claim data/photos for a billing clerk at the clinic to process.DICTATION – Notes collected into the Healthquest Online mobile application are sent into the Healthquest database to be populated into the Custodians database.PATIENT CHART – The Custodian accesses the Healthquest Online interface by remote terminal or outside device to view patient chart.

3 The Healthquest application communicates with the local (or hosted in cloud setups) database to backup and secure Health Information records using an ODBC database connection. Information access all ultimately happens through the Custodians secure database.

4 The Healthquest application communicates through the database to Online Services to populate booking updates, intake forms, appointment reminders, billing chits, patient chart, patient portal, self-check-in and dictation.

5 Custodian and affiliate information entered into the Healthquest Online application is sent to the Healthquest database for population at the Custodian site.

6 The patients interact with the Healthquest Online application by outside device through a web portal.

7 INTAKE FORMS — The patient accesses intake forms from their remote terminal by connecting to the Healthquest Online portal to complete and consent to health services.

8 PATIENT PORTAL - Under Development

The patient receives an invite to sign up for the Patient Portal from the clinic. The invite includes a unique, time-sensitive link. Using the link, the patient must create an account with matching demographics to the clinic’s record (e.g. name, date of birth, PHN), and submit an email/password. Upon successful account creation, the patient can login to the portal at their convenience and access any messages and conversations that have been created. The patient can also initiate messages to the clinic and reply to any open conversations. The clinic is notified of new messages within Healthquest itself, whereas the patient will receive an email notifying them of new messages.



9 ONLINE BOOKING – The patient accesses the Healthquest Online webpage from a remote portal to schedule appointments securely as designated by the Custodian to be available for that appointment type.

10 SELF CHECK-IN – Patients access the Healthquest Online Portal to check into appointments when they arrive at the clinic.

11 APPOINTMENT REMINDER’s & CONFIRMATIONS – Are sent directly to the patient’s designated device through the use of encryption and Twilio software.

12 User information entered into the online service application will flow to Healthquest’s database from the web page to be attached to patient profiles/charts.

13 Healthquest EMR communicates with HQ online web services through the Healthquest database to populate information into the Custodian’s EMR.

14 Patient interacts with Healthquest Online Appointment Reminders through third-party Twilio technology for the secure transmission of data.

Information exchange initiatives

We have reviewed the Information Exchange Initiatives section of our PIA File # ______ and we have concluded to add the following information exchange initiative to facilitate this upgrade:

Messaging and Video Conferencing – Twilio – Healthquest Online services include use of third-party software “Twilio” to facilitate specific features for custodian communication with patients.

Notice

We have reviewed Healthquest’s additions to the way we ensure Notice and in order to secure an impactful privacy policy, Healthquest has layered the online application with privacy details and provisioned notice in the following ways:

o Links to their Privacy Policy;o Pop-up disclaimer acceptance for application use;o Consent notices; o Role-Based access.

Data Migration

Data Migration will NOT be required for this upgrade. Data migration has been planned for in our original Privacy Impact Assessment File#______ and Microquest will adhere to the policies and procedures as previously suggested if required.

Encryption



Encryption is an important and effective way to mitigate the risks associated with use, collection, and disclosure of personal Health Information. Encryption scrambles the contents of a record so that only those with access to a secret key or password can unscramble and read it. The encryption system must reliably continue to protect encrypted data without ongoing configuration and testing by users who use the system to view or update the data. Our Privacy Impact Assessment will be amended to include – “Healthquest has mitigated the risks associated with encryption and confirmed that the application does not store any personal Health Information on a device used for accessing the Healthquest Online features; all information is retained in the Custodian’s Healthquest database. All Healthquest Online data is encrypted using industry standard TLS 1.2 for end-to-end encryption.”.

Virus Protection 3Devices need protection against digital attacks such as viruses, spyware, and hackers. Firewalls, anti-virus software and security patches are all important protections against these kinds of malicious threats. Given the dynamic nature of electronic threats, it is critical to keep these products current using regular scheduled updates or real-time update protocols.Microquest will protect the data under their control from unauthorized access using enterprise grade antivirus software in the database and EMR environment. The Clinic will use an antivirus software for their own data backup and storage arrangements and further to ensure absolute protection. It is also recommended that any patients connecting to a Healthquest Online Portal ensure their own security by accessing only from a terminal that has been fully secured with their own personal antivirus protection plan.

Consent and Expressed Wishes 4The OIPC advises that patient consent to use electronic transmission (e.g., email, text messages) does not relieve a Custodian of their legal duty to protect the confidentiality of patient information. The HIA allows individuals to consent to certain disclosures of their health information; however, it does not include a patient’s right to consent to how their health information is collected, managed, stored, or secured. A patient therefore cannot consent or otherwise waive the responsibility of the custodian to adhere to the Act.

The clinic will obtain consent from the patient (electronic or otherwise) prior to them utilizing the patient portal. Upon use of the portal, patients are presented with "Terms and Conditions" and "Privacy Policy" documents outlining the various Health Information collected and retained. These steps have been taken to inform patients about the virtual care solution and any inherent risks that may arise with its use, including what Health Information is being collected/retained and whether it will end up in their health record.

Consent

When utilizing online tools, the patient can record consent in the following ways:a. Directly on the Intake Form (an explicit consent form can be sent to the

patient who can then electronically sign and return back to the clinic);

3 CPSA – Advise to the Profession “Electronic Communication and Security of Mobile Devices” Published October 2007 Revised January 2016. 4 CPSA – Advise to the Profession “COVID-19: Virtual Care” Section “Consent” – Published March 2020



b. By accepting the terms and conditions/privacy policy prior to creating an account on the patient portal. These will outline and apply consent to electronic communication;

c. Prior to any virtual appointment (i.e. video call), patients will be provided a disclaimer/consent that must be accepted before entering the appointment.

Additionally, the Custodian/Physician/Affiliate will utilize the virtual care encounter note template when communicating with patients so that it is pre-generated with the following statement for additional security:

“Informed consent was obtained from this patient to communicate and provide care using virtual care and other communication tools. This patient has been explained the risks related to unauthorized

disclosure or interception of personal health information and steps they can take to help protect their information”

Health Information will only be used and disclosed for the purpose for which it was collected unless alternate use or disclosure is authorized or required by law. To further the consent process, the following information has been added to the CLINICNAME’s service website, posted in our office, or made available to patients as a reference when we obtain verbal consent:Our health service is starting to offer virtual care, this means that we will be using video and audio technologies for some patient visits rather than asking all patients to come into our office. We do our best to make sure that any information you give to us during virtual care visits is private and secure, but no video or audio tools are ever completely secure. There is an increased security risk that your health information may be intercepted or disclosed to third parties when using video or audio communications tools. To help us keep your information safe and secure, you can:

o understand that video, calls, or texts you may receive are not secure in the same way as a private appointment in an exam room; and

o use a private computer/device (i.e., not an employer's or third party's computer/device), secure accounts and a secure internet connection. For example, using a personal and encrypted email account is more secure than an unencrypted email account, and your access to the Internet on your home network will generally be more secure than an open guest Wi-Fi connection.

By providing your information, you agree to let us collect, use, or disclose your personal health information through video or audio communications (while following applicable privacy laws) in order to provide you with care. In particular, the following means of electronic communication may be used: videoconferencing, text messaging, website/portal.”

** Attachment #4 | Sample Collection Notice Poster Expressed Wishes

We have reviewed the current policy for the determining Expressed Wishes. At this time, we do not require any changes to be made, our process will remain unchanged.



Data Matching

Data Matching will NOT be utilized as part of this implementation initiative. Our Privacy Impact Assessment File# _________ has already included our privacy awareness guidelines for future data matching requirements.

Contracts and Agreements

It has been determined that our implementation of Microquest’s Healthquest Online solution will alter the Information Manager Agreement we have in place with them. Updated agreements have been included in this submission.No other changes have been made to the policies of our original PIA File# _________ regarding ‘Contracts and Agreements and Information Manager Agreements’. Microquest is responsible to ensure that third-party vendors are compliant with the HIA in relation to the services they provide on our behalf. All agreements, such as service contracts will include provisions binding providers to a standard of privacy protection equivalent to ours.



Use of Health Information outside Alberta

Custodians are directly responsible for the actions of their service providers, including those located outside of Alberta. Transferring or storing health information outside of Alberta is permitted under the HIA but requires careful consideration to assess and mitigate risk.

This project will NOT involve the use of Health Information outside of Alberta. All data remains in Alberta at all times. Microquest has engaged Twilio for secure messaging and intends to add video conferencing to incorporate plans for an extensive patient health portal feature. While Twilio servers may be outside of Canada, any data sent will be scrubbed after the data is sent. Video conferencing calls are not saved in any format; they are peer-to-peer calls and once the session has been terminated, nothing can be recovered or re-watched/referenced.

Healthquest EMR Authentication

Patients must be pre-existing within our clinic EMR before they can be invited to use the portal. Our clinic will verify the identity of the patient at the clinic during an encounter. To sign up for the portal, the patient must verify their name, date of birth, and PHN, all of which must exactly match their record in the EMR.Microquest’s Healthquest uses a username and password combination for authentication. The password policy is configurable and includes options such as:

o Minimum length;o Required characters;o Prohibiting passwords that contain the user’s username or any part

of the user’s full name;o Password expiration;o Prohibiting the use of the user’s previous 24 passwords;o The option to lock user accounts after a set number of failed login

attempts.

Microquest’s EMR solution Healthquest, has a screen lock feature that automatically applies a requirement to use a password to unlock the screen. Healthquest also has a feature where users can be automatically logged out after a configurable amount of time with no user activity. This will be automatically enabled in our setup.Contact information for Microquest’s privacy team is provided in their "Terms and Conditions" and "Privacy Policy" documents in order to facilitate queries about the Healthquest Online solution.

Accuracy

Microquest’s EMR Solution Healthquest has several checks to ensure data accuracy, including:



o Audit trails; o The new patient feature verifies potential duplicates and a warning

is displayed to the user if a patient already exists with the same name;

o Chart merge and unmerge functions;o Time and date stamps indicate the most recent verification attempt

– this function is displayed in multiple areas of the patient chart; o A warning prompt is engaged if a new patient chart is created with

and existing PHN/ULI number; o The new patient adding function has a feature to copy the address

and phone number details from another patient of the same family; o A data matching algorithm based on multiple individual identifiers

(i.e. name, PHN, DOB) is used for importing results into the EMR to avoid user error.

The Audit Log records user activity on patient charts and can be filtered by patient, user, or activity. The EMR tracks changes to both the application settings and data within. Some examples of what is logged include:

o What user account made the changeo What time the change was madeo What patient the change was made to, if applicableo What computer the change was made from

For changes at the field level, the updated value is captured (stateful logging). The Audit Log output is configurable to show basic information while allowing the log entry to be opened for more detailed information. In most circumstances, deletions of patient data can be identified and reversed through the Audit Log.



Section D: Project Privacy Risk Mitigation Access Controls

In the event an unauthorized person gains physical access to the device, there should be some level of access control enabled on the device. This could include login control and passwords, device controls and access control for files and data. Microquest uses many methods to secure access to the application in order to satisfy the need-to-know principal and protect the important data within, including:

o Role-based access: roles can be assigned to users and define what areas they can access;

o Feature permissions; define what data a user has access to within the areas they have access to;

o Unique identifiers restrict access to each data and application system required for individual administration of duties

o Each user, at login, is informed of the date and time of the last valid logon and any subsequent failed logon attempts;

o Controls are in place to detect any discrepancies in logon attempts; o Clearly stated information access privileges for each defined role;o System administrators must each have an administrator account for

performing system administration and a limited privilege account for performing non-system administration tasks;

o Passwords are to be kept confidential at all times and reset every 90 days. They should not be written down, posted publicly or shared with other staff except for security purposes;

o Unique passwords or other authentication controls are required for each desktop, network server, EMR, etc.

Access to Health Information by Role

We have confirmed/updated our Role Based Access to Health Information table to be reflective of the staff in our clinic. The physician access designation also includes the options for access as allowed by our EMR provider. Permissions are patient and provider based; our Custodian must choose a system administrator(s) to control user access for all roles except patient access in which case the system automatically generates the role.User permissions are assigned by “roles”, which are a group of permissions based around the job of the employee. Healthquest comes with pre-set (default) roles designed to meet practice standards, but if required Microquest provides users the ability to not only create their own roles, but also easily customize permissions for particular users within the roles. These can be controlled on a user-by-user basis. Our current practice is structured as follows:

Position & User Role # of Type of access Description of information



Job Title

Current Users

(Read, Write, Edit)

this user can access

Receptionist Administration

#FT / #PT

Read/View /Create/Write/Edit–All listed data elements

Messaging; Patient Demographics; Scheduling; visits and tasks; Referrals; Private & 3rd Party

Medical Office Assistant (MOA)

Administration

#FT / #PT

Read/view-all data elements and all patient recordsCreate/write/edit-all notesNetcare Access

Documents; Day Sheet; Forms; Medications & Allergies; Messaging; Patient Demographics; Billing; Scheduling; visits and tasks, encounter notes; Immunizations, Referrals or Consults; Private & 3rd Party

Administration (i.e. Clinic Manager)

Office Administration

#FT / #PT

Read/view-all data elements and all patient recordsCreate/write/edit-all notesAccess to billing Netcare Access

Documents; Chronic Conditions; Day Sheet; Forms; Labs; Medical History; Medications & Allergies; Messaging; Patient Demographics; Patient Diagnostics; Billing; Clinical Care; Scheduling; visits and tasks, encounter notes, system access management; Reports; Immunizations, Referrals or Consults; Private & 3rd Party

Other Allied Health CareProfessionals(Nurses)

Health Professional

#FT / #PT

Read/view-all data elements and all patient recordsCreate/write/edit-all notesAccess to billing Netcare Access


Physicians Doctor #FT / #PT

Read/view-all data elements and all patient recordsCreate/write/edit-all notes

Documents; Chronic Conditions; Day Sheet; Forms; Labs; Medical History; Medications & Allergies; Messaging; Patient Demographics; Patient



Access to billing Netcare Access

Diagnostics; Billing; Clinical Care; Scheduling; visits and tasks, encounter notes, system access management; Reports; Immunizations, Referrals or Consults; Private & 3rd Party

LocumTenens

Doctor #FT / #PT

Read/View –all data elements, and all patient recordsCreate/Write/Edit-all including prescriptions


Contractors/Third Party Vendors Vendor Helpdesk/Technical Support

IT Helpdesk Support

#FT / #PT

Read/View-same as user they are assisting (remote control their session)Create/Write/Edit-same as user they are assisting (remote control their session)

(see above user roles)

Patient Patient N/A Read/View/Write specific features and data elements

Information the patient may be able to access during their interaction with the Healthquest Online portal have been outlined in Section C – Health Information Listing.

Privacy Risk Assessment and Mitigation Plans

The risks to privacy associated with making health information available unintentionally available through use of Healthquest Online services have been assessed and mitigated as described in this amendment. The risks associated with operating an electronic medical record were assessed in PIA File #_______.

Project Specific Risks and Mitigation



PRIVACY RISK

RISK DESCRIPTION MITIGATION MEASURES FOR PROJECT

POLICY REFERENCE

INFERENCE / INTERCEPTION

The name and nature of a health service provider on its own may reveal health information of an individual if other individuals, such as friends or family members, have access to or can see notifications on a patient’s device.If accounts or devices are shared or accessible by multiple people, the wrong recipient may read the message.

Limiting amount of health information: When sending or receiving health information that does not include clinical details, Microquest will limit the amount of health information sent electronically; limit the amount of health information collected using web forms or electronic templates; and notify patients exactly what will and what will not be communicated electronically, in addition to how messages containing clinical information will or will not be accepted.

Policy & Procedure #2 | Records Security ClassificationPolicy & Procedure #3 | Wireless Networking & Remote AccessPolicy & Procedure #5 | Password ManagementAttachment #5 | Consent to the Transmission of Health Information Form

MISDIRECTION / IDENTIFICATION

Patients may have similar names or account addresses and a message may be sent to the wrong patient.Electronic communications raise questions about how a patient can verify and trust that the sender is a clinic or custodian.

The patient receives an invite to sign up for the Patient Portal from the clinic prior to use. The invite includes a unique, time-sensitive link. Using the link, the patient must create an account with matching demographics to the clinic’s record (e.g. name, date of birth, PHN), and submit an email/password.

Policy & Procedure #5 | Password ManagementPolicy & Procedure #6 | Encryption for Electronic Data Transmission & ProtectionAttachment #5 | Consent to the Transmission of Health Information Form

ENCRYPTION

Virtual care may be vulnerable to interception and hacking by unauthorized third parties.If mobile devices are used to store health information, those devices must be encrypted.

Microquest has implemented technical and functional requirements; Secure and managed encryption keys; Identified, authorized, and trained users. Encryption by default has been initiated, secure implementation & encryption keys are used and there is a process for

Policy & Procedure #2 | Records Security ClassificationPolicy & Procedure #6 | Encryption for Electronic Data Transmission & ProtectionAttachment #5 | Consent to the Transmission of



the authentication of users.

Health Information Form

DEVICE MANAGEMENT:

Virtual care is often accessed on portable devices, such as smart phones, tablets, and laptops, which are vulnerable to theft and loss. Safeguards around how a device is stored, whether health information is stored in a cloud or on a device itself, and appropriate uses of devices outside of a clinic or office environment must be considered.

Custodians are responsible to develop guidelines for use as most suitable to their office hardware and equipment. Notice and consent disclaimers have been outfitted with details about risk mitigation through the deployment of controls and distributed throughout the Healthquest Online Application.

Policy & Procedure #1 | Information Handling and SecurityPolicy & Procedure #3 | Wireless Networking & Remote AccessPolicy & Procedure #5 | Password ManagementPolicy & Procedure #6 | Encryption for Electronic Data Transmission & ProtectionAttachment #4 | Sample Collection Notice PosterAttachment #5 | Consent to the Transmission of Health Information Form

Monitoring of Privacy & Security Controls

We have reviewed the Monitoring of Privacy and Security Controls section of our PIA and have determined that the expanded use of Healthquest Online will not change how we are operating from the way we have described in our PIA File#______. However, we will amend to include the additional steps Microquest is taking to aid in our Monitoring of Privacy and Security Controls, specifically:

1. To detect unauthorized access and prevent modification or misuse of user data in the EMR application, Microquest will maintain responsibility for the following:

o Use of the Healthquest EMR and internal network;o Auditing of access logs on a quarterly basis or if a complaint is

made or a breach of security is suspected; o Monitoring for security incidents (i.e. user receives an alert that a

user account has been locked due to a user having had a maximum of 5 unsuccessful login attempts);

o Securing other built in parameters such as masking and unmasking of a patient record, password changes, etc.;



o Monitoring firewalls and systems regularly for unauthorized access attempts automated security monitoring solutions are in place with notifications sent to Microquest administrators;

o Auditing of access logs on a quarterly basis or if a complaint is made or a breach of security is suspected;

2. All alerts IPS and IDS are routed to a centralized monitoring system and dispatched to vendor security administrators. Additionally, all Microquest employees are responsible to report to the Security Administrator and Chief Privacy Officer suspected security breaches.

3. All systems are protected by monitored firewalls and passwords and all unnecessary ports disabled, in addition to the other provisions of this policy document. The infrastructure offers multiple levels of secured managed firewalls and host-based protection.

4. The content of a user audit or patient audit includes:o Role (or profession or occupation) of a user who performed and

access;o Date of access;o Time of access;o Action performed by a user during an access (create, view, update

or modify, delete, patient search, copy, print);o Name or facility or organization of access;o Application data accessed;o Patient ID;o Name or the patient whose information is being accessed.



Physical Protection

Regulated members are ultimately responsible for managing the security of electronic messages on their devices and systems. Understanding the planned use of the device is critical. Each participant connecting to a virtual care environment should complete an assessment to answer the following questions:1 Who will have access to the device and how will access be controlled?2 Where and how will the remote device be used, and under what circumstances?3 What information is needed on the remote device for the defined use, and in what

detail?4 Is the storage in the device removable, and how can it be accessed?5 Is storage on the mobile device the appropriate solution, versus a communication

protocol (such as a virtual private network) to a more secure storage location?6 How and when will information loaded or collected on the device be synchronized with

the medical record?7 How will a record be kept of what information is on what device?

PIA Compliance

We have reviewed the PIA Compliance section of our PIA and have determined that the use of Healthquest Online features will not alter how we are operating from as it has been described in our PIA File#_____. This Amendment has been submitted in compliance.



APPENDIX ONE | POLICY & PROCEDURE’s



Policy & Procedure #1 | Information Handling and Security Background

Under section 60 of the HIA, Custodians are required to take reasonable steps to maintain administrative, technical and physical safeguards to protect the confidentiality of health information and patient privacy. This includes protection against unauthorized use, disclosure, access to or modification of the Health Information.In addition, section 8 of the regulations states that Custodians must:

o Identify and maintain a written record of all administrative, technical and physical safeguards you have in place to protect health information.

o Periodically assess these safeguards to ensure their continued effectiveness.

o Designate an individual to be responsible for overall security and protection of health information

o Ensure that staff is aware of and adhere to all administrative, technical and physical safeguards.

o Establish penalties that may be imposed against anyone who breaches or attempts to breach safeguards.

o Before storing information in a jurisdiction outside of Alberta, allowing a person outside of Alberta to use information or disclosing information to such a person, enter into a written agreement that ensures the information is adequately safeguarded. (regulation 8 (4)).

Purpose

The information security provisions of the Health Information Act (HIA) require Custodians to protect individually identifying Health Information in their custody or control by making reasonable security arrangements to protect against unauthorized access, collection, use, disclosure or destruction. The Act also requires Custodians to take appropriate safeguards for the security and confidentiality of records, including addressing the risks associated with electronic health records. This policy outlines administrative, technical and physical safeguards to protect confidential information and electronic health records.

Scope

1. Administrative Safeguardso The Clinic shall ensure that policies and procedures to facilitate the

safeguarding of confidential information in its custody or control are developed updated and maintained, as necessary.

o The clinic shall appoint a Privacy Officer, complete / submit/receive acceptance of clinic PIA and submit PIA updates for



acceptance as required when a physical, technical or administrative change occurs in the clinic that affect the collection, use or disclosure of Health Information.

o The need for confidentiality and security of information shall be addressed as part of the conditions of employment for all Clinic staff, beginning with the recruitment stage, and included as part of job descriptions and contracts.

o The performance of individuals shall be monitored to reduce the risk of error, fraud, or misuse of information. Affiliates must be aware of, and appropriately trained regarding, policies and procedures for safeguarding information. All new staff is required to sign off that they have read, understood and will abide by the privacy and security policies and procedures.

o All staff are required to attend privacy and security training sessions on an annual basis, or as new privacy practices and procedures are implemented. All staff, students, volunteers and contracted personnel are required to sign a Confidentiality Agreement.

o The least amount of information necessary for the intended purpose will be used or disclosed, and only to affiliates or recipients with a need-to-know. If the intended purpose can be accomplished without use or disclosure of identifying information, then the information should be made anonymous.

o Before implementing new administrative practices or information systems related to the collection, use and disclosure of health information, the Clinic shall complete a Privacy Impact Assessment (PIA) for submission to the Office of the Information and Privacy Commissioner. The PIA will describe how the new initiative will affect privacy, and what measures the Clinic will put in place to mitigate risks to privacy.

o Affiliates shall report any violations or breaches of information security as soon as possible to the Clinic Manager and/or Privacy Officer in order that corrective action can be taken to resolve the immediate problem and minimize the risk of future occurrence. The nature of the response will be determined according to the level of gravity of the breach / violation and may include dismissal.

o Health Information is retained in accordance with the records retention provisions as stated in the Physician's’ Office Medical Records Policy of the College of Physicians and Surgeons of Alberta.

o HIA obligations are clearly passed along by contracts with Information Managers, researchers, contractors and recipients outside of Alberta.

o The Clinic is always staffed during hours of operation and nobody is permitted behind the reception area or other restricted locations without meeting the proper security measures.



2. Technical SafeguardsThe Alberta EHR Regulation defines a Custodian’s logging requirements for implementation of a new, or where significant changes are being made to an existing, electronic health record system. Logging requirements include:

o User and application identification associated with an access;o Name of user and application that performs an access;o Date of an access;o Time of an access;o Actions performed by a user during an access, including, without

limitation, creating, viewing, editing and deleting information;o Name of facility or organization at which an access is performed;o Display screen number or reference;o Personal health number of the individual in respect of whom an

access is performed; ando Other information required by the Minister.

Information systems users are assigned a unique identifier (User ID) that restricts access to each data and application systems to that information required for the administration of their duties. Use of user IDs other than that assigned to an individual is strictly prohibited.

o System Administrators must each have an administrator account for performing system administration and a limited privilege account for performing non-system administration tasks.

o Access to electronic health information systems is password protected.

o Passwords are to be kept confidential at all times and should not be written down, posted publicly, or shared with other staff except for security purposes. Unique passwords or other authentication controls are required for each desktop, network, server, EMR, etc. A strong password standard is used.

o Confidential business or identifiable Health Information will not be sent via e-mail over public or external networks without the use of appropriate security measures such as encryption or by the use of a two-factor authentication connection.

o Private use of the Internet is discretionary and downloading of music, photographs, games, and access to social networking sites (i.e. Facebook) is prohibited however professional use is allowed, only by designated personnel that are aware of all clinic privacy and security measures. The use of the internet will be monitored by the Clinic Privacy Officer.

o Each user should have a unique user login and password to access the computer network. User rights and accounts will be assigned



and maintained by Privacy Officer and the Technical Support Company of which the clinic will maintain an IMA with.

o Installation or alteration to system software and hardware will be the responsibility of Privacy Officer or Clinic Manager and the IT Company. The Privacy Officer will ensure that original master copies of software are stored with proper physical controls.

o The Custodian has signed an Information Manager Agreement with Microquest to ensure that management and storage of data falls under a contractual agreement.

o Microquest has technical safeguards in place, including but not limited to creating individual system access ID’s with strong passwords, daily encrypted backups of EMR data and the implementation and maintenance of hardware/ software, firewalls at the facility. These technical safeguards have been discussed with the clinic as part of the Information Manager Agreement.

o Virus scanning software is installed to protect Health Information from unauthorized modification, loss, access or disclosure.

o Remote access method is via SSL-VPN with RSA two –factor authentication then remote desktop connection with Microsoft terminal server via localhost (PC OR MAC) or web-based session via SSL-VPN (PC only)

o The conditions for this service are clearly laid out in our Information Manager Agreement to comply with section 8(4) of the Health Information Regulation and section 66(2) of the Act. We have confirmed that their location has safeguards that comply with our policies and that the backups will be encrypted and can be restored if required. Each computer in the network has antivirus software that is updated automatically;

o Microquest has a consistent patch management processes and patches are applied regularly with critical patches applies as soon as they are released. In the Clinic, the IT vendor will apply patches as soon as they are released.

o Laptops and mobile devices (PDA’s, memory sticks, etc.) require layered security protection. Clinic staff using laptops will be provided specific training on mobile computing to ensure that they understand the physical, administrative, and technical safeguards implemented. These include:

Ensure that the Administrator account has been renamed and given a strong password. Use a locking cable or clamp to secure your laptop to a desk or table’s in place for its network and workstations operating systems.

Never leave your laptop unattended, particularly overnight on desktops. Lock it in a desk drawer or cupboard.



Select laptops that have hard drive (power on) passwords and use these protection measures. Passwords on the hard drive boot sector are more secure than operating system user passwords.

Do not store personal or Health Information on mobile computing devices.

Data on the hard drive is encrypted as is data on all other mobile devices.

Each laptop will be installed with a personal firewall. Firewalls are not to be turned off by the user; the firewall will be password protected so that only the Network Administrator can change it. Users are to request the Network Administrator to change settings on a firewall when required.

Ensure laptop’s network connection defaults are set to disable automatic roaming.

Mobile devices including Smart Phones, Android, blackberry’s, iPhone's, memory devices must each have, at minimum, unique password settings and, where possible, data encryption enable.



3. Remote Access to EMR Or Clinic Computer Network, if Applicableo Remote access to EMR will be granted on a need-to-know basis. o Wherever possible, internet connection will be gained using wired

network connection. o Alternate network connection method used is HSPA (High speed

packet access) modem, commonly known as a ‘Rocket stick’. This technology uses the cellular data network to get internet access. The following additional safeguards will be implemented when this technology is used.

o Uniquely label the Rocket stick (i.e. With return mailing label to prevent loss or swapping);

o Record and securely maintain Rocket stick unique ID and device properties separate from the laptop;

o Physicians and authorized clinic employees and vendors may be granted access to wireless network and / or remote access to the clinic computer network.

o Authorized remote access users acknowledge that the clinics privacy and confidentiality policies and procedures (including wireless networking) and security requirements for the clinic also apply to the remote access sites (i.e. Home offices)

4. Physical Safeguardso Information that is not confidential or sensitive in nature will be

disposed of by placing it in recycling bins. o Prior to disposal of electronic storage devices (e.g. computers, hard

drives, diskettes, tapes, CDs), the media will be destroyed to be unusable.

o The Clinic will maintain documentation for each employee that has received access control items (including identification badges, keys, access cards, fobs, security tokens, perimeter security alarm passwords, computer system passwords, etc.). When an employee is terminated the clinic will ensure that each item is returned, and /or the access control item is cancelled (passwords cancelled, door locks re-keyed, etc.)

5. Employee Use of Computers and Internet5.1 Computer and Office Equipment Use

o The use of Clinic systems, including computers, fax machines, and all forms of Internet/Intranet access, is for Clinic business and for authorized purposes only.

o Brief and occasional personal use of the electronic mail system or the Internet is acceptable as long as it is not excessive or



inappropriate, occurs during personal time and does not result in expense to the Clinic.

o Downloading of music, photography, games, and access to social networking sites (i.e. Facebook) is prohibited.

o The use of the Internet will be monitored by the Clinic’s administration.

o Use is defined as “excessive” if it interferes with normal job functions, responsiveness, or the ability to perform daily job activities.

o Electronic communication should not be used to solicit or sell products or services that are unrelated to the Clinic’s business; distract, intimidate, or harass coworkers or third parties; or disrupt the workplace.

o Passwords are to be kept confidential at all times and should not be written down, posted publicly, or shared with other staff except for security purposes.

o Unique passwords or other authentication controls are required for each desktop, network, server, etc.

o A strong password standard is used. Passwords are changed every 90 days, as prompted by the system.

o Confidential business information will not be sent via e-mail over public or external networks without the use of appropriate security measures such as encryption.

o Emails, documents, or other sources containing Health Information are NOT to be printed at remote locations. There is an increased risk that this information can continue to reside outside of the authorized network.

o Use of Clinic computers, networks, and Internet access is a privilege granted by management and may be revoked at any time for inappropriate conduct carried out on such systems, including, but not limited to:

Sending chain letters, or participating in any way the creation or transmission of unsolicited commercial e-mail (“spam”) that is unrelated to legitimate Clinic purposes;

Engaging in private or personal business activities, including excessive use of instant messaging and chat rooms (see below):

Misrepresenting oneself or the Clinic; Violating the laws and regulations of Canada or any

nation or any state, city, province, or other local jurisdiction in any way;

Engaging in unlawful or malicious activities;



Deliberately propagating any virus, worm, Trojan horse, trap-door program code, or other code or file designed to disrupt, disable, impair or otherwise harm either the Clinic’s networks or systems or those of any other individual or entity;

Using abusive, profane, threatening, racist, sexist, or otherwise objectionable language in either public or private messages;

Sending, receiving, or accessing pornographic materials;

Becoming involved in partisan politics; Causing congestion, disruption, disablement,

alteration, or impairment of Clinic networks or systems;

Maintaining, organizing, or participating in non-work-related Web logs (“blogs”), Web journals, “chat rooms”, or private/personal/instant messaging;

Failing to log off any secure, controlled-access computer or other form of electronic data system to which you are assigned, if you leave such computer or system unattended;

Using recreational games; Defeating or attempting to defeat security restrictions

on Clinic systems and applications;Using Clinic systems to access, create, view, transmit, or receive racist, sexist, threatening, or otherwise objectionable or illegal material is strictly prohibited. “Material” is defined as any visual, textual, or auditory entity. Such material violates the Clinic’s anti-harassment policies and is subject to disciplinary action. Use of Clinic resources for illegal activity can lead to disciplinary action, up to and including dismissal and criminal prosecution. The Clinic will comply with reasonable requests from law enforcement and regulatory agencies for logs, diaries, archives, or files on individual Internet activities, e-mail use, and/or computer use

6. Ownership and Access of Electronic Mail, Internet Access, and Computer Files

o The Clinic owns the rights to all data and files in any computer, network, or other information system used in the Clinic.

o The Clinic also reserves the right to monitor electronic mail messages (including personal/private/instant messaging systems) and their content, as well as any and all use of the Internet and of computer equipment used to create, view, or access e-mail and Internet content.

o Employees must be aware that the electronic mail messages sent and received using Clinic equipment are not private and are subject



to viewing, downloading, inspection, release, and archiving by Clinic officials at all times.

o The Clinic has the right to inspect any and all files stored in private areas of the network or on individual computers or storage media in order to assure compliance with policy and provincial laws.

o No employee may access another employee’s computer, computer files, or electronic mail messages without prior authorization from either the employee or an appropriate Clinic official.

o The Clinic has licensed the use of certain commercial software application programs for business purposes. Third parties retain the ownership and distribution rights to such software. No employee may create, use, or distribute copies of such software that are not in compliance with the license agreements for the software. Violation of this policy can lead to disciplinary action, up to and including dismissal.

7. Confidentiality of Electronic Mailo Electronic mail is subject at all times to monitoring, and the release

of specific information is subject to applicable state and federal laws and Clinic rules, policies, and procedures on confidentiality.

o Since there is the possibility that any message could be shared with or without your permission or knowledge, the best rule to follow in the use of electronic mail for non-work-related information is to decide if you would post the information on the office bulletin board with your signature.

o It is a violation of Clinic policy for any employee, including system administrators and supervisors, to access electronic mail and computer systems files to satisfy curiosity about the affairs of others. Employees found to have engaged in such activities will be subject to disciplinary action.

8. Electronic Mail TamperingElectronic mail messages received should not be altered without the sender’s permission; nor should electronic mail be altered or forwarded to another user and/or unauthorized attachments be placed on another’s electronic mail message.

9. Policy Statement for Internet/Intranet Browser(s)o The Internet is to be used to further the Clinic’s mission, to provide

effective service of the highest quality to the Clinic’s customers and staff, and to support other direct job-related purposes.

o Supervisors should work with employees to determine the appropriateness of using the Internet for professional activities and career development, such as research, professional development and work-related activities.



o Employees are individually liable for any and all damages incurred as a result of violating Clinic security policy, copyright, and licensing agreements.

o All Clinic policies and procedures apply to employees’ conduct on the Internet, especially, but not exclusively, relating to intellectual property, confidentiality, Clinic information dissemination, standards of conduct, misuse of Clinic resources, anti-harassment, and information and data security.

10.Personal Electronic Equipmento The Clinic prohibits the use in the workplace of any type of camera

phone, cell phone camera, digital camera, video camera, or other form of image-recording device without the express permission of the Clinic and of each person whose image is recorded.

o Employees should not bring personal computers to the workplace or connect them to Clinic electronic systems unless expressly permitted to do so by the Clinic.

o Any employee bringing a personal computing device or image recording device onto Clinic premises thereby gives permission to the Clinic to inspect the personal computer or image recording device at any time with personnel of the Clinic’s choosing and to analyze any files, other data, or data storage media that may be within or connectable to the personal computer or image recording device in question.

o Employees who do not wish such inspections to be done on their personal computers or imaging devices should not bring such items to work.

Security Breaches

“Policy & Procedure #4 | Privacy Breach Management “outlines the provisions addressing how our office handles security breaches and other compliance issues.



Policy & Procedure #2 | Records Security Classification Why security classification is important

There are several reasons why we should be concerned about information security classification. Security standards support the effective application of the Act in the conduct of day-to-day business. These include:

Protection of personal information. PIPA governs the collection, use and disclosure of personal information including employee and business contact information. The Health Information Act governs the collection, use and disclosure of personally identifiable Health Information.

Protecting confidential information from unauthorized access. In the normal business of the clinic certain information must remain confidential. Examples may include business plans, accounting, program evaluations, etc.

Protecting intellectual property. Supporting routine disclosure.

Classifying Information Assets

Four levels of security classification have been identified; they are:

CLASSIFICATION

DESCRIPTION EXAMPLES OF INFORMATION ASSETS

EXAMPLES OF RISK IMPACTS

1. UNRESTRICTED

Information that is created in the normal course of business that is unlikely to cause harm (including information deemed public by legislation or through a policy of routine disclosure). Unrestricted information is available to the public, employees and contractors, sub-contractors, and agents.

Program and services listings;Job postings; Ordinary staff meeting agendas and minutes.

Little or no impact Minimal inconvenience if not available; If lost, changed, or denied would not result in injury to an individual, the Custodian or Affiliate (that is, no legal repercussions)

2. PROTECTED

Information that is sensitive outside the organization and could impact service levels or performance or result in low levels of monetary loss.Protected information

Draft request for proposals; Business information; Employment Applications; Planning documents;

Unfair competitive advantage; Disruption to business if not available;Low degree of risk if corrupted or



would include personal information, financial information or details concerning the effective operation of the organization. Protected information is available to employees and authorized non-employees (contractors, sub-contractors, and agents) possessing a need to know for business-related purposes.

Documents containing personal information; Business contact lists;Transitory emails which may contain contact information but little or no information of ongoing value.

modified

3. CONFIDENTIAL

Information that is sensitive within the organization and could cause serious loss of privacy, competitive advantage, damage to partnerships, relationships, and reputation. Confidential information includes extremely sensitive personal information.Confidential information is available only to a specific function, group, or role.

Human resource files such as benefits, program files or personnel files; Third-party business information submitted in confidence;

Health information patient records;

Program evaluation;Billing records;Fee for service contracts.

Loss of reputation or competitive advantage Loss of confidence in the organization;Loss of personal or individual privacy;Loss of opportunity (e.g., insurance, health coverage); Financial loss; High degree of risk if corrupted or modified.

4. RESTRICTED

Information that is extremely sensitive.Extremely sensitive personal information where the individual has expressly directed restricted access. Restricted information is available only to named individuals or specified positions.

Health information – patient records where the individual has expressly directed restricted access

Complaints or investigations of or by health service providers

Significant financial loss; Destruction of partnerships and relationships;Significant damage Extreme risk if corrupted or modified.



Storage Procedures

CLASSIFICATION

PRINT/HARD MEDIA ELECTRONIC FILES

UNRESTRICTED

No special storage requirements

No special storage requirements;Regular back-ups to ensure availability and integrity

PROTECTED Secure location (e.g., locked office; locked file room)

All media under physical and/or logical access control of protected zone (e.g. group authorized access)

CONFIDENTIAL

Secure location with restricted access, Clean desk policy

All media under physical and/or logical access control of confidential zone (e.g., authorized access and authenticated access)

RESTRICTED

Stored in highly secure zone, with access tracking, Clean desk policy Audit trail for all access points (e.g., signatures)

All media under physical and/or logical access control of restricted zone (e.g., single, or double authentication, encrypted data, audit and monitoring)

Transmission Procedures

CLASSIFICATION


UNRESTRICTED

No special procedures No special procedures; Can be sent by email; Can be posted on website.

PROTECTED Sealed envelope,First class mail

If electronic message contains personal information, personal information must be transmitted in such a way to prevent interception, modification, or unauthorized receipt en route or at the destination (e.g., password protected file; encryption; personal information (sent in separate e-mail) in addition to non-editable format (pdf))

CONFIDENTIAL

Sealed envelope stamped confidential, Receipt confirmation required

Message sent in such a way to prevent interception, modification, or unauthorized receipt en-route or at destination; Recipient confirmation required; Audit of access points (suggested)

RESTRICTE Tamper evident packaging Message sent in such a way to prevent



CLASSIFICATION


D (e.g., double-sealed envelope with inside envelope signed to reveal evidence of tampering), Transmitted under a continuous chain of custody with receipts covering each individual who obtains custody

interception, modification, or unauthorized receipt en route or at destination (e.g., encryption used to send/authenticate message); Complete audit trail of each access point.

Allowing Appropriate Access and Disclosure

CLASSIFICATION

ACCESS RESTRICTIONS AUDIT/ACTIVITY FILES

UNRESTRICTED

Open to the public and all employees, contractors, sub-contractors and agents

None

PROTECTED Authorized access (employees, contractors, sub-contractors and agents) on a “need-to-know” basis for business related purposes

Periodic audits to show protection is in fact occurring

CONFIDENTIAL

Limited to individuals in a specific function, group or role

Pre-clearance based on position or contractor, sub-contractor, or agent relationship; Log of access/actions; Periodic audits of adequate protection

RESTRICTED Limited to named individuals (positions)

All access or actions will be logged and subject to non-repudiation processes as appropriate



Policy & Procedure #3 | Wireless Networking & Remote Access Purpose:

To ensure that the risks of transmitting personal and Health Information are mitigated, and that the information is accessible for authorized purposes. The intent of this policy is to include enough technical detail so that the Clinic Manager can discuss the recovery procedure with the IT professional who will implement.Policies regarding wireless networking and information handling and security apply at the clinic and anywhere else the authorized clinic devices are used (i.e. home office, telework). These alternate work locations should be discussed with and approved by the System Administrator before devices are used.

Administrative Safeguards:

o Complete an inventory of all authorized wireless devices and update the documentation when necessary (annually at minimum);

o Disable the access point during off hours (unplug the access point or internet);

o Document the access point settings in case of reset and have that documentation available both on and off site (disaster recovery planning);

o Establish an inventory of wireless devices and other hardware and peripherals connected to the network;

o Routinely check for rogue and unauthorized devices (system management);

o The System Administrator will periodically (at least once monthly) monitor any connectivity issues to ensure the integrity of the wireless network;

o Review and update all security and access policies, including Wireless Policies, quarterly in recognition that this technology and its inherent risks changes quickly. Provide updates and training to wireless users as required;

o Remote access to the EMR and other administrative information sources; including email; outside of the practice will be granted case by case on a need-to-know basis.

o Sensitive information is to be cleared from shared printers, copiers, or faxes immediately.

Physical Safeguards:

o The internet router is securely maintained in a restricted location;



o UPS (uninterrupted power supply) for the router and subsequently business continuity and workflow is not dependent on wireless connectivity, it is dependent on a backup power supply that is properly configured during setup;

o Access Points (AP) are located central to the building to reduce the strength of the signal leaving the building where possible to provide optimal strength to the equipment used in the building. (May need to consider re-organizing desk and equipment orientation in rooms to maximize signal strength.)

o Lock your house, apartment, or dwelling, when vacant.o Access the application only in a private, preferably secure area (e.g.

locked room) and not using public spaces (i.e. coffee shops, library, etc.)

o Be aware of who is in your immediate vicinity. Reduce the likelihood of others listening to your conversations or viewing your screens.

Technical Safeguards:

o Firewall has been installed on the router;o Firewall is active;o Passwords to the router have been changed from default settings; o The administrator password of the router and network should be

synchronized;o Scheduled scanning for rogue devices and updates for wireless

network devices;o Periodically update the drivers on the wireless devices;o Disable SNMP (Simple Network Management Protocol); o Wireless access points are secure, specifically:o Unique SSID (Service Set Identifier) implemented. All computers on

the wireless network must have the same SSID as on the wireless access point (AP).

o WPA or WPA2 implemented on the access point, and wireless devices.

o Set the static IP (Internet Protocol) address on the AP from the usual default of 192.168.0.1 to something else, like 192.168.47.120. Set a static IP address on the wireless clients so that they share the same numbers for the first three octets as the IP address just assigned to the access point, such as 192.168.47.x. Disable the Dynamic Host Configuration Protocol (DHCP) on the AP;

o Turn off administration over wireless (assuming you have at least one computer connected to the wireless access point using a network cable);



o The System Administrator will lock the authorized client device (laptop) to only connect to pre-defined SSID’s and device addresses (and combinations thereof));

o Enable the built-in windows firewall on the laptop. Each computer in the network has antivirus protection that is updated automatically;

o Do not allow any system function to save or remember any of your passwords;

o ‘Lock’ the computer if you plan to leave its vicinity. Do this by pressing the Ctrl, Alt, and Delete keys simultaneously, and then press the Lock Computer button on the Windows Security dialog that pops up;

o Do not store personal or Health Information on mobile computing devices unless you need to. This must be limited to what is necessary, and the data may only be stored for as long as necessary to complete a task. Data must be permanently deleted from laptops once it is no longer required.

o Mobile devices including Smart Phones, Android, Blackberry’s, iPhone's, memory devices must each have, at minimum, unique password settings and, where possible, data encryption enabled;

o Passwords are to be kept confidential at all times and should not be written down, posted publicly, or shared with other staff except for security purposes. Unique passwords or other authentication controls are required for each desktop, network, server, EMR, etc. A strong password standard is used. Passwords for the EMR are changed every (minimum) 90 days as prompted by the system;

o Wherever possible, internet connection will be gained using wired network connection;

o When using wireless connections outside of the ‘trusted zone’ is unavoidable, the user will access the internet tools on the web browser to: a) delete history, b) clear temporary files, c) clear the cache in virtual memory, d) clear cookies, and e) close the internet browser.

Wireless Networking Comparison

Wireless Networking

Degree of Risk Intercepted /

Create Vulnerability

Key Mitigation Strategies

(best) wired network connection

By far this is the most secure method of gaining



internet access

(next best) 802.11 Wireless networks with WPA2

WPA2 AES/CCMP encryption on all modern access points and devices.

Ensure devices (each laptop, printers) also have WPA2 enabled

The pass phrase used to generate the key should be, at minimum, 20 characters long

The network SSID (name) should not reference the location.

Secure the client devices with software firewalls set to restrict traffic to only the necessary protocols and ports.

Ensure the approved network is the only network on the 'preferred network' list (sometimes named other things). Having other network names listed can cause the device to automatically connect to a non-approved network.

MAC address filtering (standard on all devices) should be used as an administrative measure only, to ensure that only authorized user devices are allowed on the network despite users knowing the key.

(good alternative) HSPA (High Speed Packet Access) modem, commonly known as a ‘Rocket stick’

Uniquely label the Rocket stick Record and securely maintain the Rocket stick

unique ID and device properties separate from the laptop

Ensure laptop’s network connection defaults are set to disable automatic roaming

Wi-Fi based internet access

High Risk Do not use for sensitive information. Do not use with a device (laptop) that may also

access EMR (for example, do not use a laptop to connect to Wi-Fi in the coffee shop and later to a wired network connection)



Policy & Procedure #4 | Privacy Breach Management Adapted from the Government of Alberta, Health Information Regulation Amendment: Mandatory Breach Notification | Continuity of Care Leaders Group: June 27th, 2018

Background

A privacy breach can take place when there is unauthorized access to or collection, use, disclosure or disposal of personal or Health Information. The right of an individual to lodge a privacy complaint is at the core of fair information practice and must be taken seriously. Detailed laws and regulations protect many aspects of data security and directing a complainant on the requirements of an organization in specific circumstances can facilitate timely and thorough investigation and resolution.

Practice

All systems are protected by monitored firewalls and passwords, and all unnecessary ports disabled, in addition to the other provisions of this policy document. The infrastructure offers multiple levels of secured managed firewalls and host-based protection.

Reporting privacy breaches

Reporting a privacy breach is mandatory under the Health Information Act (HIA) or the Freedom of Information and Protection of Privacy Act (FOIP).

Healthcare organizations and vendors hosting components of an EMR should be able to respond positively and informatively to complaints and questions with easily accessible and simple-to-use procedures in place. They should be able to receive and respond to inquiries about their policies and practices related to the practice of handling individually identifying Health Information. Section 60(1) of the HIA requires notification to the Commissioner, Minister and affected individual(s) where:

o There has been any loss of, or any unauthorized access to, or disclosure of individually identifying Health Information; and

o There is risk of harm to the individual who is the subject of the information as a result of the loss or unauthorized access or disclosure.

*An access or disclosure is unauthorized if it occurs in contravention of the Health Information Act or its regulations.

Affiliates must notify their custodian if there has been any loss of, unauthorized access to, or disclosure of individually identifying health information. If there is a risk of harm to an individual as a result of the breach, a custodian is required to notify, as soon as practicable:

o The Commissionero The Ministero The Subject of the individually identifying health information



PIPA organizations are required to notify the Commissioner of incidents “involving the loss of, or unauthorized access to, or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual.”Reporting a breach to the OIPC allows the OIPC to support you in responding to the breach and ensures all in the program learn from the breach. (See “Reporting a Privacy Breach to the Office of the Information and Privacy Commissioner of Alberta” and “Key Steps in Responding to Privacy Breaches”).A (suspected) privacy breach should be identified and reported to the Privacy Officer. The Privacy Officer will respond immediately to the breach and take immediate common-sense steps to limit the breach. These steps will include:

o Immediately containing the breach by, for example, stopping the unauthorized practice, recovering the records, shutting down the system that was breached, revoking access or correcting weaknesses in physical security.

o Notify the police if the breach involves theft or criminal activity.o Ensure any breach involving the Netcare EHR is reported to the

Alberta Medical Association immediately at 780.860.9840.

In addition, the Privacy Officer may contact the following organizations for guidance or assistance:

o OIPC –Edmonton (780)422.6860 or Toll Free: 1.888.878.4044 (Calgary office does not have HIA people) (if you intend to seek advice from the OIPC regarding how to respond to the incident and what actions should be taken, you should report the incident as soon as possible)

Validate the risks associated with the breach and will consider:

o Personal or health information involved; o Cause and extent of the breach; o Individuals affected by the breach; o Foreseeable harm from the breach;o Based on the assessment or risk, consider whether the following

authorities or organizations should be informed: Insures or others; Professional or regulatory bodies; Credit card companies and/ or credit reporting agencies;

o Initiate a privacy breach report (template provided in this PIA);o Consider notification of individuals and organizations based on:

Litigation requirements Contractual obligations



After the initial response to suspected or confirmed privacy breach, the Privacy Officer should take the following steps:

o Develop an appropriate mitigation to those involved, staff, public, etc.;

o Investigate the cause of the breach and preventative action taken, this may include:

conducting a security audit doing a Threat Risk Analysis

o Review and update the policies and procedures to reflect the lessons learned;

o Plan for an audit at the end of the process to ensure that the prevention plan has been fully implemented.

Notice Requirements

Adapted from the Government of Alberta, Health Information Regulation Amendment: Mandatory Breach Notification | Continuity of Care Leaders Group: June 27th, 2018

The notification to those involved must include the following:

Notice to the Individual

[Attachment#4 | Privacy Breach Reporting Form | Individual]o Description of the circumstances;o Date or time period of the breach; o Name of the Custodian who had custody or control of the

information; o Description of the risk of harm the individual faces; o Description of the steps the custodian has taken or is intending to

take to reduce the risk of harm to the individual;o The steps the custodian has taken or is intending to take to reduce

the risk of future breach; o Description of the steps the individual can take to reduce risks to

himself/herself;o Statement that the individual may ask the Commissioner to

investigate the breach; o Commissioner’s contact information; o Name and contact information of a person able to answer questions

about the breach on behalf of the Custodian;o Any other relevant information

Notice to the Commissioner | OIPC



[Attachment #2 | Privacy Breach Reporting Form | OIPC | Commissioner] o Description of the circumstances, date/time, etc.; o Name of who had custody or control of the information; o A non-identifying description of the risk of harm to an individual as a

result of the breach;o Including a description of the type of harm and an explanation of

how the risk of harm was assessed;o Description of the steps taken to reduce the risk of a future breach;o A non-identifying copy of the information that has been or will be

provided in the notice of the individual if applicable; o Name and contact information of a person able to answer questions

about the breach on behalf of the Custodian;o Any other relevant information.

Notice to the Minister

[Attachment #3 | Privacy Breach Reporting Form| Minister]o Name of the Custodian who had custody or control of the

information; o Description of the circumstances, date/time, etc.;o A non-identifying description of the risk of harm to an individual as a

result of the breach;o Including a description of the type of harm and an explanation of

how the risk of harm was assessed; o Description of the steps taken to reduce the risk of a future breach;o Name and contact information of a person able to answer questions

about the breach; o Any other information considered relevant.

Other Requirements

The HIA provides for substitutional notification when approved by the Commissioner, where individuals may be difficult to reach via letter or electronic communication (such as homeless individuals).

**Substitutional notification can be through a poster or online.

Offence Penalties Added to the HIA:

o An offence for failure to notify, and



o An offence for failure to take reasonable steps in accordance with the Regulations to maintain administrative, technical and physical safeguards that will protect against any reasonably anticipated threat or hazard to the security or integrity of Health Information or the loss of Health Information.



Policy & Procedure #5 | Password Management Purpose:

To ensure that the privacy and security of data systems are maintained by using a strong password standard, each user will have and use limited privilege accounts for performing job tasks. Each System Administrator must each have an administrator account for performing system administration and a limited privilege account for performing non-system administration tasks.

Procedure

Passwords are to be kept confidential always and should not be written down, posted publicly, or shared with others except for security purposes. Unique passwords or other authentication controls are required for each desktop terminal, network, server, EMR, etc.Each new user will be given clear directions on how to create a new password for access to each application. The following are minimum complexity rules requirements for password development.

o A minimum length of 8 characters;o No embedded part of name;o A combination the following characters: alpha-uppercase, alpha-

lowercase, numeric, special characters;o Maximum validity days of 90;o 24 iterations (12 for Hosted installs) required before reuse,o 5 maximum invalid attempts before account lockout with notice

sent to Microquest administrators

GROUP EXAMPLE

Lowercase letters a, b, c, ...

Uppercase letters A, B, C, ...

Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Non-alphanumeric (symbols)

( ) ` ~ ! @ # $ % ^ & * - + = | \ { } [ ] : ; " ' < > , . ? /



Policy & Procedure #6 | Encryption for Electronic Data Transmission & Protection Background

The CLINICNAME intends to implement Healthquest Online software for protected use of communication with patients. Healthquest Online usage is conducted in accordance with our attached policies and procedures included as part of this PIA and our originally submitted PIA File#______. Microquest has assisted the Clinic in the development of this Policy and Procedure to facilitate the proper management of personal health information in transmitting via encrypted Healthquest Online solutions. Effective and efficient records management practices ensure that evidence of transactions and decisions is created, captured, managed, and made accessible to those who need it, for as long as it is required, regardless of the medium or format of the record. Effective records management practices also:

o Improve transparency and accountabilityo Support business operationso Provide business continuity in the event of a disastero Preserve corporate memoryo Assist in litigationo Safeguard vital informationo Protect the personal/health information privacy of individuals

The Personal Health Information Protection Act establishes rules for protecting the privacy of individuals and the confidentiality of their personal Health Information, while at the same time facilitating effective and timely health care. Custodians have a duty to ensure that health records in their custody or control are retained, transferred and disposed of in a secure manner. They are also required to take reasonable steps to protect personal Health Information against theft, loss and unauthorized use or disclosure.

Purpose

Most forms of communication entail an element of risk. A message can be inadvertently sent to the wrong recipient, for example, by mistyping an email address or using the autocomplete feature. Virtual care is often accessed on portable devices, such as smart phones, tablets, and laptops, which are vulnerable to theft and loss. Communication can also be forwarded or changed without the knowledge or permission of the original sender. Virtual care may be vulnerable to interception and hacking by unauthorized third parties. Personal Health Information is sensitive in nature. Its unauthorized collection, use or disclosure may have far-reaching consequences for individuals, including stigmatization, discrimination, and psychological harm.



Some of the identified issues and risks associated with the mismanagement of communication records include:

o Increased instances of no records existing;o No clear guidance for employees on how to conduct a thorough

search for potentially responsive records to an access to information request;

o Lack of records management training including the identification of transitory and official records and the process for retaining and disposing of records;

o Consent and notices not being captured in the organization’s records management system for official records.

Encryption Expectations

On all Healthquest Online features, the encryption system used is:o Private, using a paid service offering that will not scan or record

records;o Encrypted at transport and while being stored;o Stored in Alberta to avoid the possibility of health information being

used outside of the province from which it originated.

A good encryption algorithm must be used — one that has been subjected to rigorous peer review. Next, the algorithm must be properly implemented, and the security of this system reviewed, and the review documented at a minimum yearly. Once the encryption system is deployed, any passwords, encryption keys, or other sensitive data must be protected and managed effectively. Users who are authorized to decrypt data must be securely authenticated by means of passwords, biometrics, or security tokens.Systems must not leave unencrypted copies of data in web browser caches or on laptop disk drives where they may later be read by an unauthorized third party. In nearly all cases, this means all messages must be stored on a server and not downloaded to a computer.Authorized users should be properly registered, trained and equipped. The encryption system’s protections should be operational by default, without health-care users needing to take special steps to ensure that data remains encrypted. Finally, personal Health Information must remain available throughout its life cycle, regardless of forgotten passwords or misplaced security tokens.

Encryption Standards

Our Information Manager Agreement with Microquest ensures that appropriate agreements are in place to secure compliance with the following encryption standards:

TECHNICAL AND

Encryption systems are designed to meet a minimum standard; Encryption products are independently validated against

standards to ensure that they are designed and implemented



FUNCTIONAL STANDARDS

properly; Devices or software programs that are certified are used with

the standard specifics and acceptable algorithms.

SECURE AND MANAGED ENCRYPTION KEYS

Passwords and Encryption keys are:

Of a sufficient length (256-bit) that they effectively resist attempt to break the encryption; and

Remain protected so that they cannot be stolen or disclosed to unauthorized individuals.

IDENTIFIED, AUTHORIZED AND TRAINED USERS:

Health information custodians are able to determine at any given time which users have access to encrypted information on a given mobile device or on mobile media. This means that users who are authorized to access or update encrypted data are individually identified beforehand and given appropriate authentication tokens (e.g., robust passwords), as well as adequate training.

ENCRYPTION BY DEFAULT

Availability and information life cycle protection:

There must be a reasonable assurance that encrypted data will remain available (e.g., despite forgotten passwords, staff who are unavailable due to illness or death, etc.). Microquest has developed a centralized authentication management system as well as a system for backup of encrypted data. No unintended creation of unencrypted data:

No file containing decrypted data will persist as a consequence of a user having accessed encrypted data and viewed or updated it in decrypted form. A copy of the decrypted data will not persist unless an authorized user has intentionally created one.

SECURE IMPLEMENTATION & ENCRYPTION KEYS

The encryption will be secured with an algorithm that meets or exceeds the expectations and requirements of the standards of the health care industry and regulatory and governing bodies. Microquest’s communication integrations are transferred in 256-bit SSL encryption and has been developed to replace unsecure methods of communication.

SECURE AUTHENTICATION OF USERS

Prior to decrypting, authorized users must be securely authenticated (e.g., by means of robust passwords) to ensure that only authorized users can decrypt and access data.

Notice and Consent

Custodians are responsible to notify their patients about communication policies during the registration process and obtain their consent prior to the use of Healthquest Online services. Please refer to Attachment #6| Consent to the Transmission of Health Information Form.



APPENDIX TWO | REFERENCES https://www.oipc.ab.ca/news-and-events/news-releases/2020/notice-pias-during-a-

public-health-emergency.aspx OIPC - Securing Personal Information: A Self-Assessment Tool for Organizations |

March 2012 OIPC - Advisory for Communicating with Patients Electronically – Published August

2010 / Updated June 2019 OCR Privacy Rule Summary - HIPAA Compliance Assistance – Summary of the HIPAA

Privacy Rule – Revised 05/03 OIPC Fact Sheet| Safeguarding Personal Health Information and Secure Destruction of

Personal Information. | https://www.ipc.on.ca/wp-content/uploads/Resources/fact-01-e.pdf

OIPC Fact Sheet | Personal Health Information on Mobile Devices and Health-Care Requirement for Strong Encryption. | https://www.ipc.on.ca/wp-content/uploads/Resources/fact-16-e.pdf

Freedom of Information and Protection of Privacy Regulation, AR 186/2008. Retrieved from www.qp.alberta.ca/documents/ Regs/2008_186.pdf.

OIPC Canada / Alberta & British Columbia Seizing Opportunity: Good Privacy Practices for Developing Mobile Apps

Canadian Standards Association’s Model Code CPSA – Advise to the Profession “Electronic Communication and Security of Mobile

Devices” Published October 2007 Revised January 2016. http://www.cpsa.ca/wp-content/uploads/2015/08/AP_Electronic-Communications-Mobile-Devices.pdf

CPSA – Advise to the Profession “COVID-19: Virtual Care” Section “Consent” – Published March 2020 http://www.cpsa.ca/wp-content/uploads/2020/03/AP_COVID-19-Virtual-Care.pdf

OIPC Fact Sheet | Communicating Personal Health Information by Email | September 2016 |https://www.ipc.on.ca/wp-content/uploads/2016/09/Health-Fact-Sheet-Communicating-PHI-by-Email-FINAL.pdf

OIPC Fact Sheet| Safeguarding Personal Health Information and Secure Destruction of Personal Information. | https://www.ipc.on.ca/wp-content/uploads/Resources/fact-01-e.pdf

OIPC Fact Sheet | Personal Health Information on Mobile Devices and Health-Care Requirement for Strong Encryption. | https://www.ipc.on.ca/wp-content/uploads/Resources/fact-16-e.pdf

Freedom of Information and Protection of Privacy Regulation, AR 186/2008. Retrieved from www.qp.alberta.ca/documents/ Regs/2008_186.pdf.

AR 224/2001, section 4. Retrieved from www.qp.alberta.ca/documents/Regs/2001_224.pdf.

Ibid, section 6, & 10. In February 2016, the Information Commissioners of Canada issued a joint statement

calling on governments at all levels to create a legislated duty for public bodies to document their deliberations, actions and decisions. The “Statement of the Information and Privacy Commissioners of Canada on the Duty to Document” is available at www.oic-ci.gc.ca/eng/resolution- obligation-de-documenter_resolution-duty-to-document.aspx.

For the Government of Alberta, see Transitory Records Schedule (1995/007-A001) which delegates authority to destroy or delete transitory records to every


http://www.oic-ci.gc.ca/eng/resolution-obligation-de-documenter_resolution-duty-to-document.aspx



http://www.qp.alberta.ca/documents/Regs/2001_224.pdf



https://can01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cpsa.ca%2Fwp-content%2Fuploads%2F2020%2F03%2FAP_COVID-19-Virtual-Care.pdf&data=02%7C01%[email protected]%7Ccf60111188604116f4fb08d7d0264b88%7Cd83bbe94c2c54a5f90fd25320352d05d%7C1%7C1%7C637206735207615791&sdata=hzJrOo7rALv5nFLNGSbwWW7cCUp3YOdcECBISSKa7zo%3D&reserved=0

https://can01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.cpsa.ca%2Fwp-content%2Fuploads%2F2020%2F03%2FAP_COVID-19-Virtual-Care.pdf&data=02%7C01%[email protected]%7Ccf60111188604116f4fb08d7d0264b88%7Cd83bbe94c2c54a5f90fd25320352d05d%7C1%7C1%7C637206735207615791&sdata=hzJrOo7rALv5nFLNGSbwWW7cCUp3YOdcECBISSKa7zo%3D&reserved=0

http://www.cpsa.ca/wp-content/uploads/2015/08/AP_Electronic-Communications-Mobile-Devices.pdf

http://www.cpsa.ca/wp-content/uploads/2015/08/AP_Electronic-Communications-Mobile-Devices.pdf



https://www.oipc.ab.ca/news-and-events/news-releases/2020/notice-pias-during-a-public-health-emergency.aspx

https://www.oipc.ab.ca/news-and-events/news-releases/2020/notice-pias-during-a-public-health-emergency.aspx


Government of Alberta employee. Retrieved from www.alberta.ca/managing-government- information.aspx#toc-10.

National Archives of Australia. Keep the Knowledge - Make a Record. eLearning Module. Retrieved from www.naa.gov.au/ Images/KTK-elearning-text_tcm16-96071.pdf.

State Archives and Records Authority of New South Wales (2017). Managing email: Email messages are State records. Retrieved from www.records.nsw.gov.au/recordkeeping/advice/managing-email.

SA 2003, c. P-6.5. Retrieved from www.qp.alberta.ca/documents/Acts/P06P5.pdf. International Organization for Standardization. (2016). ISO 15489-1: Information and

documentation – Records management (2nd ed.), p. vi. Geneva, Switzerland. Available from www.iso.org/standard/62542.html.

Cloy, David. (2007). Managing Email – Good Practice Guidance (3rd version). Records Management Office. University of Stirling, Scotland. Retrieved from www.rec-man.stir.ac.uk/documents/ManagingEmail-GoodPracticeGuidancev3.pdf.

State Archives and Records Authority of New South Wales (2018). Training Resource Centre: Email Management – Part A. eLearning Module. Available from www.records.nsw.gov.au/recordkeeping/recordkeeping-online-modules.

The Office of the Information and Privacy Commissioner of Alberta’s “Guidelines for Managing emails” Adapted from “State Archives and Records Authority of New South Wales (2018). Training Resource Centre: Email Management – Part A. eLearning Module”. Available from www.records.nsw.gov.au/recordkeeping/recordkeeping-online-modules.


http://www.records.nsw.gov.au/recordkeeping/recordkeeping-online-modules



http://www.rec-man.stir.ac.uk/documents/ManagingEmail-GoodPracticeGuidancev3.pdf

http://www.rec-man.stir.ac.uk/documents/ManagingEmail-GoodPracticeGuidancev3.pdf

http://www.iso.org/standard/62542.html

http://www.qp.alberta.ca/documents/Acts/P06P5.pdf

http://www.records.nsw.gov.au/recordkeeping/advice/managing-email

http://www.naa.gov.au/Images/KTK-elearning-text_tcm16-96071.pdf



http://www.alberta.ca/managing-government-information.aspx#toc-10




APPENDIX THREE | DEFINITIONS This section provides definitions of terms used in applicable privacy legislation, and these policies and procedures.

A“Affiliates”

An individual employed by the custodian A person who performs a service for the custodian as an appointee, volunteer of

student or under a contract or agency relationship with the custodian An information manager as defined in HIA section 66(1) – (i.e. EMR vendor) A person who is designated under the HIA regulations to be an affiliate, i.e. All

employees, volunteers, students and persons contracted to provide services for custodians.

“Agreement" means this agreement including the schedules attached.“Authorized Representative:

Means any person who can exercise the rights or powers conferred on an individual under applicable privacy legislation.

This includes the right of access to an individual’s health information and the power to provide consent for disclosure of such information.

If the individual is under 18 years of age, and does not understand the nature of the right or power or the consequences of exercising the right or power, by the guardian of the individual

If the individual is deceased, by the individual’s personal representative if the exercise of the right or power relates to the administration of the estate

A guardian or trustee appointed under the Dependent Adults Act if the right or power related to the powers or duties of the guardian or trustee

An agent under the Personal Directives Act if the directive so authorizes A person who has power of attorney granted by the individual if the exercise of

the right or power relates to the powers or duties conferred by the power of attorney

The access of health information on Alberta Netcare by authorized custodians is deemed to be use of health information (not collection or disclosure)

If the individual is a formal patient as defined in the Mental Health Act, by the individuals nearest relative as defined in the Act if the exercise of the right or power is necessary to carry out the obligations of the nearest relative under that Act.

Any person with written authorization from the individual to act on the individual’s behalf.

C“Collection” Means to gather, acquire, receive or obtain health information“Consent” Agreement by an individual to the disclosure of their own health information to

a third party. The consent must include:

An authorization for the custodian to disclose the information specified in the consent

The purpose for which the information may be disclosed The identity of the person to whom the information may be disclosed An acknowledgement that the individual providing the consent has been

made aware of the reasons why the information is needed and the risks and benefits to the individual of consenting or refusing to consent

The date the consent is effective and the date, if any, on which the consent expires



A statement that the consent may be revoked at any time by the individual providing it. A consent or revocation of consent can be provided in writing or electronically.

Electronic consent is valid only if the level of authentication is sufficient to identify the individual who is granting the consent or revoking the consent.

Continuing Care Provider – individuals who provide care to the patient. May include other family, parents of young children, group home employee.

“Control” The authority to exercise control over or to manage the record or information including restricting, regulating and administering its use, disclosure and disposition.

“Custodian” A health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations.This includes the following:

Regional Health Authorities (RHAs), Alberta Mental Health Board and Alberta Cancer Board

Operators of nursing homes and hospitals not owned by the above Community Health Councils and subsidiary health corporations of

RHAs, Boards Minister and the Department of Health and Wellness Boards, committees, panels, councils or agencies established by any of

the above and designated in the regulations Regulated health professionals paid through the Alberta Health Care

Insurance Plan, including physicians, chiropractors, dental surgeons, dental mechanics, opticians,

Licensed Pharmacists and Pharmacies Others listed in the HIA and the regulations made under it.

**Note: custodian is not a custodian if acting as an affiliate

“Custody” Physical possession of the health record or information. D

“Data Linking” Refers to the merging of files on an identifiable individual for the purpose of ensuring complete registration, diagnostic treatment and care information. For example, unique identifiers are used to populate the EMR with laboratory test result reporting.

“Data Matching” Means the creation of individually identifying health information by combining individually identifying or non-identifying health information or other information from two (2) or more electronic databases, without the consent of the individuals who are the subjects of the information

“Disclosure” Individually identifying health information shall not be disclosed except in accordance with HIA

Depending on the situation the HIA outlines whether the custodian may, must or must not disclose health information. Most rules in HIA say that a custodian may disclose health information in certain situations. Some disclosure situations require consent, and some do not. A custodian may disclose non-identifying health information for any purpose if that disclosure of non-identifying information is to a person that is not a custodian; the custodian must inform the person that the person must notify the commissioner of an intention to use the information for data matching prior to using the information for data matching.

E



“Expressed wishes” A patient may request a custodian to not disclose some or all of their health information to certain people or organizations. The custodian must consider those wishes, and any other relevant factors, when they decide how much health information to disclose.

H"Health Information Act" or “HIA” means the Alberta Health Information Act, R.S.A. 2000,

H-5, as amended from time to time, and the regulations there under

“Health Information Regulation” means Alberta Regulation 118/2010 as amended from time to time“Health Information” means recorded information about individuals. There are three

types of health information: (1) diagnostic, treatment and care information, and (2) registration information (including billing information), (3) Health Service Provider Information; as that term is defined in section 1(1)(k) of the Health Information Act. The collection, use and disclosure of all three types are regulated by the Health Information Act**Note: Health service provider information is protected differently under the HIA effective September 1st, 2010. Is it not deemed to be individually identifying information of the individual who received the health service?**Note: information collected during provision of employment and insurance medicals for the purpose of determining an individual’s fitness to work are not deemed to be health services, nor is the information collected deemed to be health information under HIA. Information collected for such services is deemed personal employment information and is protected under PIPA.

I“Information Manager” means a person or body that (a) processes, stores, retrieves or

disposes of health information (b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, and (c) provides information management or information technology services. (HIA s 66(1)) Effective Sept 1st, 2010, an information manager is considered an affiliate under HIA.

"Information Manager Agreement" means an agreement made pursuant to section 66 of the HIA and includes this Agreement

"Information Manager Services" means those services described in section 5, “Services to be Provided”

R“Record” Information in any form, including notes, images, audiovisual recordings,

books, documents, maps, drawings, photographs, letters, vouchers and papers and any other information that is written, photographed, recorded or stored in any manner. Does not include software or any mechanism that produces records.

“Research” Means academic, applied or scientific health-related research that necessitates the use of individually identifying diagnostic, treatment and care information or individually identifying registration information, or both.



U“Use” To apply health information for a purpose authorized under HIA (s27), and

includes the reproduction of information, but does not include disclosing information (i.e. Accessing Alberta Netcare for health information within a practice to provide patient care)



APPENDIX FOUR| ATTACHMENTS



Attachment #1 | Privacy Breach Reporting Form | OIPC | CommissionerOffice of the Information and Privacy Commissioner, Alberta. “Reporting a Privacy Breach to the Office of the Information and Privacy Commissioner of Alberta”

Date Phone

Contact Person

Fax

Title Email

Mailing Address

RISK EVALUATION

Incident Description:

(Describe the nature of the breach and its cause)

Date of Incident Date Incident DiscoveredHow was the Incident DiscoveredLocation of Incident Estimated Number of Individuals affectedType of Individuals Affected Client

Customer PatientEmployeeOther: ______________________________

Personal Information Involved:

(Describe the personal or health information involved in the breach (e.g. name, address, health care number, financial, medical information), the form it was in (e.g. paper records, electronic database). Do not send the OIPC

identifiable personal information.

SAFEGUARDS



Describe physical security at the time of the incident (locks, alarm systems, etc.)Describe technical security (encryption, passwords, etc.)Harm from the breach: Identify the type of harm(s) that may result from the

breach. Identify theft (most likely when the breach includes loss

of health insurance number, credit card numbers, debit card numbers with password information and any other information that can be used to commit financial fraud)

Risk of physical harm (when the loss of information places any individual at risk of physical harm, stalking or harassment)

Hurt, humiliation, damage to reputation (associated with the loss of information such as mental health records, medical records, and disciplinary records)

Loss of business or employment opportunities (usually as result of damage to reputation to an individual)

Breach of contractual obligations (contractual provisions may require notification of third parties in the case of a data loss or privacy breach)

Future breaches due to similar technical failures (notification to the manufacturer may be necessary if a recall is warranted and/or to prevent a future breach by other users)

Failure to meet professional standards or certification standards (notification may be required to professional regulatory body or certification authority)

Other (specify):________________________________________________

NOTIFICATION

Has your Privacy Officer / Responsible Affiliate been notified?

YES

Who was notified and when?

NO When to be notified?

Have the police or other authorities been notified (e.g. professional bodies or person required under contract)?

YES


NO When to be notified?

Have affected individuals been notified? YES

Form of notification and when?



NO When to be notified?Describe the notification process (e.g. who was notified/ the form of notification. Please provide a copy of notification to the OIPC).

You may wish to provide the OIPC with any additional information you have collected regarding the breach, including:

o Steps that have been taken to reduce the risk of harm (e.g. recovery of information, locks changed, computer systems shut down),

o Internal investigation reports or findings,o Long term strategies you intend to implement to correct the

situation (e.g. staff training, policy development)However, as noted above, if you intend to seek advice from the OIPC regarding how to respond to the breach and what actions should be taken, you should report the incident as soon as possible even where the above information is not yet available. Once completed, submit the Privacy Breach Report form to the OIPC at the address below. It is preferable to submit the form by fax where timing is an issue.

CONTACT INFORMATION FOR REPORTING:

Office of the Information and Privacy Commissioner

Edmonton (FOIP and HIA): #410, 9925 - 109 Street

Calgary (PIPA): #500, 640 - 5 Avenue SW Toll Free: 1-888-878-4044Calgary, Alberta T2P 3G4 Edmonton, Alberta T5K 2J8Fax: (403) 297-2711 Fax: (780) 422-5682Phone: (403) 297-2728 Phone: (780) 422-6860

[email protected]



Attachment #2 | Privacy Breach Reporting Form| Minister Adapted from the Government of Alberta, Health Information Regulation Amendment: Mandatory Breach Notification | Continuity of Care Leaders Group: June 27th, 2018.

Date Phone

Contact Person

Fax

Title Email

Mailing Address

Name of the custodian who had custody or control of the information

Description of the circumstances, date/time, etc.

A non-identifying description of the risk of harm to an individual as a result of the breach

Including a description of the type of harm and an explanation of how the risk of harm was assessed. Description of the steps the custodian has taken to reduce damage and the risk of future breach:Name and contact information of a person able to answer questions about the breach on behalf of the custodianAny other information the custodian considers relevant

Office of the Information and Privacy Commissioner


Calgary (PIPA): #500, 640 - 5 Avenue SW Toll Free: 1-888-878-4044Calgary, Alberta T2P 3G4 Edmonton, Alberta T5K 2J8



Fax: (403) 297-2711 Fax: (780) 422-5682Phone: (403) 297-2728 Phone: (780) 422-6860

[email protected]



Attachment#3 | Privacy Breach Reporting Form | Individual Adapted from the Government of Alberta, Health Information Regulation Amendment: Mandatory Breach Notification | Continuity of Care Leaders Group: June 27th, 2018.

Date Phone

Contact Person

Fax

Title Email

Mailing Address

RISK EVALUATION

Date of Incident Date Incident DiscoveredHow was the Incident DiscoveredLocation of Incident Estimated Number of Individuals affectedType of Individuals Affected o Client

o Customer o Patiento Employeeo Other: ______________________________

Incident Description:(Describe the nature of the breach and its cause)Name of the Custodian who had custody or control of the information Personal Information Involved:(Describe the personal or health information involved in the breach (e.g. name, address, health care number, financial, medical information), the form it was in (e.g. paper records, electronic database). Do not send the OIPC identifiable personal information.

SAFEGUARDS



Describe physical security at the time of the incident (locks, alarm systems, etc.)Describe technical security (encryption, passwords, etc.)Harm from the breach: Identify the type of harm(s) that may result from

the breach. Identify theft (most likely when the breach

includes loss of health insurance number, credit card numbers, debit card numbers with password information and any other information that can be used to commit financial fraud)

Risk of physical harm (when the loss of information places any individual at risk of physical harm, stalking or harassment)

Hurt, humiliation, damage to reputation (associated with the loss of information such as mental health records, medical records, and disciplinary records)

Loss of business or employment opportunities (usually as result of damage to reputation to an individual)

Breach of contractual obligations (contractual provisions may require notification of third parties in the case of a data loss or privacy breach)

Future breaches due to similar technical failures (notification to the manufacturer may be necessary if a recall is warranted and/or to prevent a future breach by other users)

Failure to meet professional standards or certification standards (notification may be required to professional regulatory body or certification authority)

Other (specify):__________________________________________________

NOTIFICATION

Has your Privacy Officer / Responsible Affiliate been notified?

YES


NO

When to be notified?

Have the police or other authorities been notified (e.g. professional bodies or person required under contract)?

YES


NO


Have affected individuals been notified? YES

Form of notification and when?



NO


Describe the notification process (e.g. who was notified/ the form of notification. Please provide a copy of notification to the OIPC).

You may wish to provide the OIPC with any additional information you have collected regarding the breach, including:

o Steps that have been taken to reduce the risk of harm (e.g. recovery of information, locks changed, computer systems shut down),

o Internal investigation reports or findings,o Long term strategies you intend to implement to correct the

situation (e.g. staff training, policy development)However, as noted above, if you intend to seek advice from the OIPC regarding how to respond to the breach and what actions should be taken, you should report the incident as soon as possible even where the above information is not yet available. Once completed, submit the Privacy Breach Report form to the OIPC at the address below. It is preferable to submit the form by fax where timing is an issue. Office of the Information and Privacy Commissioner


Calgary (PIPA): #500, 640 - 5 Avenue SW Toll Free: 1-888-878-4044Calgary, Alberta T2P 3G4 Edmonton, Alberta T5K 2J8Fax: (403) 297-2711 Fax: (780) 422-5682Phone: (403) 297-2728 Phone: (780) 422-6860

[email protected]



Attachment #4 | Sample Collection Notice Poster Adapted from the CPSA – Advise to the Profession “COVID-19: Virtual Care” Section “Consent” – Published March 2020.

Our health service is starting to offer virtual care, this means that we will be using video and audio technologies for some patient visits rather than asking all patients to come into our office. We do our best to make sure that any information you give to us during virtual care visits is private and secure, but no video or audio tools are ever completely secure. There is an increased security risk that your health information may be intercepted or disclosed to third parties when using video or audio communications tools. To help us keep your information safe and secure, you can:

understand that video, calls, or texts you may receive are not secure in the same way as a private appointment in an exam room; and

use a private computer/device (i.e., not an employer's or third party's computer/device), secure accounts and a secure internet connection. For example, using a personal and encrypted email account is more secure than an unencrypted email account, and your access to the Internet on your home network will generally be more secure than an open guest Wi-Fi connection.

By providing your information, you agree to let us collect, use, or disclose your personal health information through video or audio communications (while following applicable privacy laws) in order to provide you with care. In particular, the following means of electronic communication may be used: videoconferencing, text messaging, website/portal).”



Attachment #5 | Consent to the Transmission of Health Information Form LAST NAME FIRST NAME PHN / ULI DOB (DD/MM/YYYY)PHONE NUMBER EMAIL

For the purposes of communication with InspiroMed

MAILING ADDRESS:

CITY/TOWN PROVINCE POSTAL CODE

Risks: Like most forms of communication, virtual care entails an element of risk. o A notice can be inadvertently sent to the wrong recipient, for

example, by mistyping an email address or using the autocomplete feature.

o Virtual care is often accessed on portable devices, such as smart phones, tablets, and laptops, which are vulnerable to theft and loss.

o Virtual care may also be vulnerable to interception and hacking by unauthorized third parties.

o Personal health information is sensitive in nature. Its unauthorized collection, use or disclosure may have far-reaching consequences for individuals, including stigmatization, discrimination, and psychological harm.

I, ____________________________________, have been provided with and understand the risks associated with using Healthquest Online services to communicate about my personal health, and subsequently agree that only the contact information provided above will be used for communication and only the following information will be considered acceptable communications for sending and receiving:

o Scheduling Appointments o Completing Intake Forms o Appointment Reminders and Confirmationo Checking into appointments o Accessing my health portal o Other: ________________________________________________

____________________________ ______________________________Signature Date



Updated IMA with Microquest’s Healthquest *Attached to this submission


Healthquest Online PIA Amendment - Simply Vital to …€¦ · Web viewThis information is retained...

Documents

Transcript of Healthquest Online PIA Amendment - Simply Vital to …€¦ · Web viewThis information is retained...