GRH hosts the Cerner system for this partnership. Under s.10(4) of the Personal Health Information Protection Act (PHIPA) and ss.6(3) of Regulation 329/04 made under PHIPA, a person who provides services to two or more health information custodians to enable them to use electronic means to disclose personal health information to one another is a health information network provider (HINP).
We understand the importance of ensuring the privacy and security of your personal health information and have developed a HINP privacy policy that describes the standards used to protect this information.
Our responsibilities include:
- Managing changes in roles and responsibilities as they pertain to PHIPA and establishing appropriate agreements
- Assessing the privacy and security of the information system to help ensure that it protects personal health information
- Appointing one or more individuals who will be responsible for the privacy and security of the personal health information in the shared system
- Establishing logging, auditing and monitoring policies and procedures, including the communication of these controls to the participants
- Providing incident and breach management support to the participants by informing the parties in the event of a Privacy Breach or unauthorized access
- Making plain language safeguards available to both the public and participating organizations
- Completing a Privacy Impact Assessment (PIA) and Threat/Risk Assessment (TRA)
For more information about our information privacy practices, please contact the Information Privacy & Security Office at 519-749-4300 ext. 4275 or email privacy@grhosp.on.ca.
Plain Language Description of Health Information Network Provider Services
The Personal Health Information Protection Act, 2004 (PHIPA) defines a Health Information Network Provider (HINP) as an organization that hosts the hospital information system of two or more organizations containing patients' personal health information. Grand River Hospital and St. Mary’s General Hospital share a system called Cerner.
Grand River Hospital hosts the Cerner system for this partnership with St. Mary’s General Hospital and is the HINP for the shared system under s.10(4) of PHIPA and ss.6(3) of Regulation 329/04 made under PHIPA. As part of that responsibility, Grand River Hospital assesses the threats, risks and impacts associated with the shared system and works to safeguard the personal health information and meet its obligations related to privacy and security.
Summary of Privacy and Security Safeguards
We understand the importance of ensuring the privacy and security of personal health information and have developed a HINP framework that describes the standards used to protect this information. There are numerous controls built into the system that protect personal health information (PHI) including:
Secure Hosting
The Cerner System is hosted in a secure environment with effective administrative, physical, technical and information security safeguards in compliance with industry best practices.
Access Control
Access controls are used to prevent unauthorized or inappropriate access to PHI, ensure protection of Grand River Hospital systems, prevent unauthorized computer access, detect unauthorized or inappropriate activities and ensure the integrity and reliability of information systems.
GRH only grants PHI access to authorized persons based on the roles and responsibilities of each position within the organization, and only to the extent required to fulfil their job duties. Any HICs that are considered to be subscribers are expected to adhere to similar principles based on their own corporate policies and procedures.
Authentication
All users are authenticated through an enhanced authentication mechanism prior to accessing the Cerner system.
Strict password policy parameters are required and enforced.
Data Security
Data is encrypted during transmission and while stored in Cerner.
Data retention and disposal policies are in place to ensure PHI is kept as long as required and is disposed of properly to ensure confidentiality.
To ensure that appropriate safeguards are in place to protect the privacy and security of all data, GRH will require the PA to complete a privacy compliance survey on an annual basis.
Audits and Monitoring
Audits are performed to ensure the privacy, confidentiality and security of personal health information (PHI) housed within the shared electronic health system. GRH, as a HINP, has the responsibility to ensure that PHI under its custody and control is not inappropriately accessed.
Security Assessment
A Technical Vulnerability Assessment (TVA) and Privacy Impact Assessment (PIA) were conducted to identify privacy and security gaps and deficiencies.
Penetration testing has been performed to help prevent unauthorized access to, or modification of, the Cerner system and its data.
Privacy
Each subscriber and GRH have implemented and follow privacy practices that comply with the Personal Health Information Protection Act, 2004 and its regulations regarding the collection, use, disclosure, retention and disposal of PHI.
A privacy incident and breach management policy is in place to address any privacy events (breach or incidents) collaboratively among the appropriate parties.
A consent management process is in place to manage and enforce clients'/patients' consent among participating organizations.
A client privacy support process is in place to manage clients'/patients' requests to access and/or correct their PHI in the Cerner system, and to challenge the privacy compliance of the participating HIC.
Conclusion
GRH, as a HINP and agent, complies with the Personal Health Information Protection Act, 2004 and the regulations thereunder, as well as industry best practices, and uses a variety of administrative, physical, technical and information security safeguards to protect PHI. In addition, GRH has policies and procedures in place to ensure that its employees and authorized users understand their obligations with respect to the system and the protection of PHI.