Health Information Network Provider (HINP) for Shared Health Integration Information Portal (SHIIP)
Plain Language Description of Services and Safeguards
This plain language description of services and safeguards is part of the documentation provided as a Health Information Network Provider (HINP). This document outlines the roles of those involved in the HINP Policy, the services being provided and the safeguards in place to protect personal health information.
This document is being provided in accordance with section 6(3)(2) of the Regulations to PHIPA.
KFL&A Public Health shall:
a. not use any PHI to which it has access in the course of providing the services except as necessary for the purpose of providing those services,
b. not disclose any PHI to which it has access in the course of providing the services, and
c. not permit its employees or any person acting on its behalf to access any PHI unless the employee or person agrees to comply with the restrictions that apply to KFL&A Public Health under 1.1 (a) and (b), above.
The Shared Health Integrated Information Portal (SHIIP) is an information tool that connects and summarizes information from multiple clinical and administrative data sources within the South East healthcare system. KFL&A Public Health's role shall be to build, operate, and maintain the SHIIP database.
As a technology enabler, this SHIIP tool will support collaborative, multi-agency care processes such as clinical management and care coordination for patients.
The SHIIP tool will provide clinicians with electronic access to real-time and historic views of patient information at the point of care.
Clinicians will be able to quickly access key information and identify complex and high-needs patients, enabling improved quality of care.
Identified Safeguards
There are numerous controls built into the system to protect personal health information. Participating HICs are obligated under the Ontario health information privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA) to provide the following safeguards:
Physical measures include:
- Restricting access to areas where personal health information is stored (e.g., office areas and network server room) through the use of proximity cards, identification badges, keys, security codes, alarm systems, and an after-business-hours logbook
- Using lockable filing cabinets
- Having procedures in place for secure destruction of records containing personal health information
Administrative measures include:
- A comprehensive set of agency privacy and security policies and procedures
- Annual signing of confidentiality agreements to protect personal health information
- Mandatory and role-based privacy awareness training with periodic refresher training
- Established procedures for breach management
- Access controls and login reports
- Maintaining clean desks, ensuring that paper documents containing personal health information are shredded, deleting personal health information from USB keys when no longer needed, and locking computers when away from the desk area
- Keeping personal health information in the strictest of confidence at all times and not sharing it purposefully or accidentally (e.g., discussing an individual in a public space) with unauthorized persons
Technical measures include:
- Training on the creation of strong passwords for all electronic information systems and for all devices and services requiring passwords
- Having restrictions on storing personal health information on portable or removable media (e.g., USB keys) and mobile computing devices (e.g., laptops and tablets) or smartphones unless the media has been issued by the agency, and the personal health information has been encrypted
- Requiring encryption on any external e-mail messages containing personal health information
- Having a locked server room
- Having network security measures including firewalls and antimalware measures
- Having internal network layers and endpoint security measures
- Conducting privacy impact assessments and threat risk assessments as required