HINP Statement of Information Practices
The Personal Health Information Protection Act, 2004 (PHIPA) establishes a legal framework for protecting the privacy of patients’ personal health information (PHI). The Act defines health care facilities as “health information custodians” (HICs) and their employees as “agents” who act on their behalf when collecting, using, and disclosing personal health information. The Regulation made under PHIPA also specifies requirements for health information network providers (“HINPs”) who provide electronic services to enable HICs to share PHI with one another.
PHIPA describes a Health Information Network Provider (HINP) as someone that provides services to two or more Health Information Custodians where the services are provided primarily to enable the Custodians to use electronic means to disclose Personal Health Information (PHI) to one another.
See below for information on QCH’s role as a Health Information Network Provider in each of the following systems:
- Hosting of the Meditech Electronic Health Records System for CHAMP
Plain Language Description - MEDITECH
The Champlain Association of Meditech Partners (“CHAMP”) is the group of hospitals in the Champlain Local Health Integration Network that utilize the Meditech healthcare computer information system (the “Meditech System”). The CHAMP Members utilize a single instance of the Meditech System hosted by Queensway Carleton Hospital (QCH).
CHAMP partners include: Arnprior Regional Health, Bruyère Continuing Care, Carleton Place & District Memorial Hospital, Hôpital Glengarry Memorial Hospital, Hôpital Montfort, and Queensway Carleton Hospital. Additional affiliate partners include the Eastern Ontario Regional Laboratory Association.
MEDITECH is an electronic health record that authorized Participants involved in a Patient’s care use to access the Patient’s information, such as demographics, physician orders, treatment, recovery plans, assessment tools, inter-professional progress notes, etc. MEDITECH offers a secure and accurate method of collecting, using, viewing, and sharing a Patient’s personal health information (PHI) as part of the Patient assessment process. Participants have the ability to contribute, store, access and share their patients’ PHI.
The services provided by the MEDITECH system are set out in a Hosting Agreement that has been entered into by all Hospitals (Participants). The agreement sets out a model where the support and accountability for the system core applications, core functions and data centre infrastructure are centralized with QCH while localized components are maintained by the Member with the assistance of QCH.
As HINP, QCH employs a combination of technical, physical, and administrative safeguards to help protect the security, confidentiality and integrity of systems and the information on them:
- A documented Disaster Recovery/Business Continuity Plan;
- Regular audits, Privacy Impact Assessments (PIA) and Threat Risk Assessments (TRA);
- Automated systems logging and monitoring of patient information;
- Use of complex passwords is enforced on all systems;
- Regular backup of data and a robust off-site storage system;
- Data Sharing Agreements with all participants;
- Employees receive regular education and training on privacy, confidentiality, and security;
- Firewall systems guard our network perimeter;
- Formal agreements in place with maintenance and service providers;
- Network traffic is monitored continually, helping identify threats;
- Policies, procedures and standards govern related operations;
- Servers are housed in a secure space, with redundant and backup power supplies;
- Servers are patched on an ongoing basis; and
- Third parties and their authorized staff are subject to control processes such as data sharing agreements, privacy agreements and contracts.
Policies, Practices and Standards:
In general, with regard to the system it maintains as HINP, other than as may be permitted or required by law, QCH does not:
- Use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services;
- Disclose any personal health information to which it has access in the course of providing the services for the health information custodian; or
- Permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply.
Accountability to Partner Organizations:
As HINP, QCH is accountable to its partner organizations and takes the following steps:
- Notifies participating health information custodians (HICs) of any privacy breaches detected;
- Provides each participating HIC with a copy of the HINP statement of information;
- Completes a Privacy Impact Assessment (PIA) and, where requested, provides a copy;
- Makes this statement available to the public on our website;
- Maintains appropriate logging and monitoring of PHI;
- Performs regular privacy and security assessments of the operation of in-scope systems; and
- Binds third parties providing services to these programs to these requirements.
For more information about QCH’s privacy and security practices, please contact the QCH Privacy Office by calling 613-721-2000 ext. 2915 or by sending an email to firstname.lastname@example.org.