E-HIS Privacy and Security Policy
The Electronic Health Information System (“E-HIS“) Privacy and Security Policy was last updated on January 27, 2017.
- Background
Heidi Watson, operating as “Canadian Electronic Health Information System”, (the “Service Provider“) is committed to safeguarding the personal and personal health information entrusted to us by allied health professionals and their clients.
The Service Provider has policies, procedures and guidelines in place designed to protect personal and personal health information, in accordance with applicable Canadian privacy laws including The Health Information Protection Act (Saskatchewan) (“HIPA“) and the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA“).
The privacy law applicable to you is the law of the jurisdiction where you use the E-HIS application. This Policy outlines the principles and practices the Service Provider follows in protecting information stored in E-HIS.
- How is personal and personal health information collected, used and disclosed in connection with E-HIS?
a. Client’s Personal and Personal Health Information
Through E-HIS, the Service Provider is providing a service which enables allied health professionals including, but not limited to, physiotherapists, occupational therapists, massage therapists, respiratory therapists, speech language pathologists, psychiatrists, social workers, and nurses to securely store personal and personal health information, access resources, and collaborate with other allied health professionals for the purpose of running a private healthcare practice and providing health services to clients.
Allied health professionals will collect personal and personal health information directly from the individual clients. Through E-HIS, allied health professionals will then be able to securely store the information collected electronically and to communicate with other allied health professionals to discuss and consult on practice development and related matters, as well as share and collaborate on clients’ treatment and care.
Each allied health professional is responsible for collecting, using and disclosing the personal and personal health information of an individual client in accordance with applicable privacy laws and ethical standards, including any bylaws or other ethical guidelines established by the allied health professional’s regulatory body.
E-HIS is intended to create a single patient record for each client that may be accessed by all allied health professionals who use E-HIS and are treating that client. As noted above, allied health professionals using E-HIS are required by the Service Provider to comply with applicable privacy laws and ethical guidelines in their use of E-HIS, including only accessing client information on a need-to-know basis. E-HIS requires allied health professionals to complete the access description chart (inputting a valid reason for access to and use of the personal and personal health information) prior to accessing any patient record which was generated by another user.
It is important to note that individual clients have the right under applicable health privacy legislation to prevent access by any or all healthcare providers to their single patient record. E-HIS provides an optional lockbox chart setting which prevents access to a client’s patient record by any E-HIS user unless authority has been granted. This lockbox setting can also be selected by allied health professionals at any time to ensure the protection of any particularly sensitive personal or personal health information. Clients should contact their allied health professional(s) to discuss any concerns with the single patient record and to request use of the lockbox chart setting. Clients may also contact the E-HIS Privacy Officer at the address below.
The Service Provider will not use a client’s personal health information or a client’s identifiable personal information for any purpose. The Service Provider will not trade, rent, sell, use or disclose any of a client’s personal and personal health information for any purpose, unless it has the client’s consent or is otherwise authorized by law.
b. Allied Health Professional’s Personal Information
The Service Provider may collect, use and disclose the personal information of allied health professionals, as necessary, for the following purposes:
- confirming an allied health professional’s identity and status as a registered healthcare provider in good standing with the applicable regulatory body in the jurisdiction of his or her practice; and
- providing and supporting E-HIS and each allied health professional’s user account.
Allied health professionals should also be aware that anonymous technical information may be collected by the Service Provider through the use of E-HIS or as a result of a visit to the Service Provider’s website. For example, this information may include the allied health professional’s IP address, browser type, operating system, access times and information about the way they use E-HIS. The Service Provider uses this anonymous technical information to track usage patterns for purposes such as improving the user experience and improving the operation and content of the E-HIS application and the Service Provider’s website, and compiling aggregate and statistical information. The Service Provider reserves the right to disclose such aggregate information to third parties.
The Service Provider will not trade, rent, sell, use or disclose any of the allied health professional’s personal information for any other purpose, unless it has the allied health professional’s consent or is otherwise authorized by law.
- How is consent obtained for E-HIS?
a. Client Consent
The Service Provider does not and does not intend to collect, use or disclose any personal health information, and accordingly the Service Provider is not responsible for obtaining or managing the consent of individual clients.
Before a client’s personal and/or personal health information is stored, used, shared or disclosed in E-HIS, the client’s consent must be obtained in accordance with applicable health privacy laws. Each allied health professional is responsible for obtaining and managing consent from each of his or her individual clients.
b. Allied Health Professional Consent
Allied health professionals who create a user account and use E-HIS to store, use, collaborate on and share client information must consent prior to using the application. Such consent may be express or implied.
It is assumed that by continuing to use E-HIS or deal with the Service Provider after having had this Policy available to him or her that the allied health professional consents to the collection, use and, where applicable, disclosure of his or her personal information for the purposes for which the information was collected and as are set out in this Policy.
c. Withdrawal of Consent
Client
A request to withdraw consent by a client must be made by contacting the applicable allied health professional. The Service Provider cannot respond to client requests to withdraw consent.
Allied Health Professional
An allied health professional may withdraw consent to the Service Provider’s collection, use and disclosure of personal information at any time, with reasonable notice, subject to applicable laws and contracts, and unless the personal information is necessary for the Service Provider to fulfill its legal obligations. However, if consent is withheld or withdrawn, the Service Provider may not be able to fulfill the purpose(s) for which the information was collected, or fulfill any obligations it may owe to the allied health professional in connection with such purposes.
A request to withdraw consent by the allied health professional in relation to the E-HIS application may be made by contacting the Service Provider at the address noted below.
- Who is accountable for the personal and personal health information in E-HIS?
The Service Provider acts as an information management service provider to trustees/custodians/caretakers (as defined under the applicable privacy law) of personal and personal health information, such as a client’s allied health professional. Responsibility for the client’s personal and personal health information transmitted through E-HIS remains at all times with the applicable allied health professional. The Service Provider assumes no ownership in, nor custody or control of, the client’s personal and personal health information transmitted or stored using the E-HIS application.
Each allied health professional is responsible and accountable for the personal and personal health information of his or her individual clients in E-HIS, as well as for compliance with applicable privacy legislation, including HIPA and PIPEDA. The allied health professional will be accountable to address all access/amendment requests and any privacy or security concerns as per this Policy.
The Service Provider is responsible for compliance with applicable privacy legislation and the Service Provider’s privacy policies and procedures.
- Can personal and personal health information be accessed or amended?
a. Client
Clients have a right to access and amend their personal and personal health information pursuant to applicable privacy law. The Service Provider is an information management services provider to the allied health professional and accordingly any questions regarding accessing and/or amending a client’s personal and personal health information must be addressed to the client’s allied health professional.
If any questions or concerns arise regarding the Service Provider’s use of personal and personal health information outside of the arrangement with the allied health professional, please contact the Service Provider at the address noted below.
b. Allied Health Professional
Allied health professionals also have a right to access and amend their personal information pursuant to applicable privacy law. Any requests for access or amendment to a allied health professional’s personal information entered in E-HIS may be made by the allied health professional by contacting the Service Provider at the address noted below.
- What safeguards are in place to protect personal and personal health information?
Privacy safeguards, as outlined in applicable privacy laws including HIPA and PIPEDA, apply to the personal and personal health information in E-HIS. Personal and personal health information in E-HIS is kept in strict confidence and is only used or disclosed in accordance with this Policy or as authorized or required by law.
In addition, the Service Provider has reasonable security safeguards in place, including policies, practices, and security technology that are designed to protect information from theft, unauthorized use, error, or loss. These safeguards include, but are not limited to, the following:
- E-HIS is password protected and encrypted;
- E-HIS may only be accessed by registered users using their individual IDs and passwords;
- Each client chart requires allied health professions to complete the access description chart (inputting a valid reason for access to and use of the personal and personal health information) prior to accessing any patient record which was generated by another user;
- A lockbox chart setting is available for particularly sensitive personal and personal health information of clients stored in E-HIS or where the client has requested that the lockbox chart setting be used with respect to his/her patient record;
- E-HIS and all personal and personal health information stored therein are hosted in Canada;
- All E-HIS data is transferred and stored in a secure and encrypted manner;
- E-HIS has an automatic log out function when a user closes his or her internet browser; and
- The Service Provider requires staff who have access to personal health information to complete privacy training and sign an appropriate oath of confidentiality committing to access client charts only on a need-to-know basis and to maintain the confidentiality of any personal health information accessed.
It is important to note that E-HIS is a web-based application and works by sending data, which may include client’s personal and personal health information, using encryption technology, via the internet. The internet is not a secure method of communication, and the Service Provider cannot guarantee the privacy or security of information sent via the internet. No security or encryption the Service Provider provides can protect against every circumstance. The Service Provider will continue to monitor security issues and will update and improve security when it is reasonable and practical to do so.
Passwords
Allied health professionals will be assigned a user account and password. The allied health professional will be required or permitted to set or change the password to their user account from time to time. Certain password selection rules will be automatically enforced at the time of selection. In addition, any password selected shall:
- Be different from any other personal identification number or other secret code used for any other type of services;
- Not contain any information about the allied health professional that may be easily obtained or guessed by someone else (such as name, birth date, telephone number, address or username);
- Not be changed to any password previously used by the allied health professional; and
- Not be disclosed to any person except on a need-to-know basis.
Allied health professionals are responsible for maintaining the security of their user account and password. In addition, allied health professionals are responsible for every action undertaken on E-HIS using their account and password.
Mobile Device Security
Allied health professionals are also responsible for the general security associated with personal devices that may be used to access E-HIS. The Service Provider suggests that allied health professionals take additional measures to protect the security of such devices, including:
- All devices used to access E-HIS should be protected by mobile encryption. Encryption prevents unauthorized users from being able to access the data on the device.
- Ensure that E-HIS is only accessed from a secure device as the security of the E-HIS application relies on the underlying device’s security. Jailbroken or rooted devices break the underlying security model of the phone and should not be used to access to use E-HIS.
- Protect physical access to a device used to access E-HIS by requiring a long, complex password that must be re-entered frequently or a fingerprint scan. Users should not leave their mobile device unattended while logged into the E-HIS application and should log off immediately at the completion of each access.
- If E-HIS is being accessed through a Wi-Fi hotspot, ensure that only secure Wi-Fi connections are used. Most public Wi-Fi hotspots do not encrypt the information being sent and are not secure.
- Ensure that a device used to access E-HIS has up-to-date virus protection software and update any applications installed on the device and the device’s operating system when new versions are available, as updates may include security patches.
- Ensure you have the ability to remotely locate a lost or stolen device, and, when necessary, the ability to remotely wipe all relevant data from a lost or stolen device.
- How can the Service Provider be contacted if questions or concerns arise about the privacy or security of personal and personal health information in E-HIS?
The Service Provider’s Privacy Officer is responsible to receive and address privacy-related complaints and concerns associated with E-HIS. If you have a privacy-related complaint or concern regarding E-HIS, we encourage you to contact the Service Provider’s Privacy Officer at the following:
Heidi Watson
107 10th Street, Weyburn SK S4H1H1
Phone: 306-891-5316
Email: heidi.j.watson@gmail.com
If the Service Provider’s Privacy Officer is unable to resolve your privacy-related complaint or concern to your satisfaction, you may contact the Saskatchewan Information and Privacy Commissioner for additional assistance and information. This provincial office oversees HIPA in Saskatchewan. The contact information for the Saskatchewan Information and Privacy Commissioner is as follows:
Saskatchewan Information and Privacy Commissioner
503 – 1801 Hamilton Street
Regina, SK
S4P 4B4
Phone: (306) 787-8350
Toll Free Phone (within Saskatchewan): 1-877-748-2298
As an alternative, you can contact the Office of the Privacy Commissioner in your jurisdiction.
© 2017 MLT Aikins LLP Version 1.0