HINP Statement of Information Practices

The Personal Health Information Protection Act, 2004 (PHIPA) establishes a legal framework for protecting the privacy of patients’ personal health information (PHI). The Act defines health care facilities as “health information custodians” (HICs) and their employees as “agents” who act on their behalf when collecting, using, and disclosing personal health information. The Regulation made under PHIPA also specifies requirements for health information network providers (“HINPs”) who provide electronic services to enable HICs to share PHI with one another.

PHIPA describes a Health Information Network Provider (HINP) as someone that provides services to two or more Health Information Custodians where the services are provided primarily to enable the Custodians to use electronic means to disclose Personal Health Information (PHI) to one another.
See below for information on QCH’s role as a Health Information Network Provider in each of the following systems:


Plain Language Description - MEDITECH

The Champlain Association of Meditech Partners (“CHAMP”) is the group of hospitals in the Champlain Local Health Integration Network that utilize the Meditech healthcare computer information system (the “Meditech System”). The CHAMP Members utilize a single instance of the Meditech system hosted by Queensway Carleton Hospital (QCH).

CHAMP partners include: Arnprior Regional Health, Bruyère Continuing Care, Carleton Place & District Memorial Hospital, Hôpital Glengarry Memorial Hospital, Hôpital Montfort, and Queensway Carleton Hospital. Additional affiliate partners include the Eastern Ontario Regional Laboratory Association.

MEDITECH is an electronic health record for authorized Participants who are involved in a Patient’s care, to access Patient’s information such as demographics, physician orders, treatment, recovery plans, assessment tools, inter-professional progress notes, etc. MEDITECH offers a secure and accurate method of collecting, using, viewing, and sharing of Patient’s personal health information (PHI) as part of the Patient assessment process. Participants have the ability to contribute, store, access and share their patients’ PHI.

The services provided by the MEDITECH system are set out in a Hosting Agreement that has been entered into by all Hospitals (Participants). The agreement sets out a model where the support and accountability for the system core applications, core functions and data centre infrastructure are centralized with QCH while localized components are maintained by the Member with the assistance of QCH.

Organizational Safeguards:

As HINP, QCH employs a combination of technical, physical, and administrative safeguards to help protect the security, confidentiality and integrity of systems and the information on them:

    • A documented Disaster Recovery/Business Continuity Plan;
    • Anti-virus solutions;
    • Regular audits, Privacy Impact Assessments (PIA) and Threat Risk Assessments (TRA);
    • Automated systems logging and monitoring of patient information;
    • Use of complex passwords are enforced on all systems;
    • Regular backup of data and a robust off-site storage system;
    • Data Sharing Agreements with all participants;
    • Employees receive regular education and training on privacy, confidentiality, and security;
    • Firewall systems guard our network perimeter;
    • Formal agreements in place with maintenance and service providers;
    • Network traffic is monitored continually, helping identify threats;
    • Policies, procedures and standards govern related operations;
    • Servers are housed in a secure space, with redundant and backup power supplies;
    • Servers are patched on an ongoing basis; and
    • Third parties and their authorized staff are subject to control processes such as data sharing agreements, privacy agreements and contracts.
Policies, Practices and Standards: 

In general, with regards to the system it maintains as HINP, other than as may be permitted or required by law, QCH does not:

    • Use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services;
    • Disclose any personal health information to which it has access in the course of providing the services for the health information custodian; or
    • Permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply.
Accountability to Partner Organizations:

As HINP, QCH is accountable to its partner organization and takes the following steps:

    • Notifies participating health information custodians (HICs) of any privacy breaches detected;
    • Provides each participating HIC with a copy of the HINP statement of information;
    • Completes a Privacy Impact Assessment (PIA) and, where requested, provides a copy;
    • Makes this statement available to the public on our website;
    • Maintains appropriate logging and monitoring of PHI;
    • Performs regular privacy and security assessments of the operation of in-scope systems; and
    • Binds third parties providing services to these programs to these requirements. 

For more information about QCH’s privacy and security practices, please contact the QCH Privacy Office by calling 613-721-2000 ext. 2915 or by sending an email to privacy@qch.on.ca.



Plain Language Description - SHIIP

The Shared Health Integrated Information Portal (SHIIP) is a secure web-based portal which enables health care providers to share patient data in real-time, or near real-time, including hospital emergency room and acute care visits, post-acute, and service detail from community services the patient received. The portal incorporates and connects information from existing technology assets, facilitates the identification of complex/high-needs patients, and helps to inform clinical decision and care planning to improve the patients' quality of service and experience in the health care system.

Queensway Carleton Hospital provides certain information technology and related services required for the provision of SHIIP. These services include (amongst others) system development, managing the data warehouse and application, and help desk. QCH provides electronic services to HICs for the purposes of providing information to, or receiving information from SHIIP.

QCH functions in different roles (i.e. HINP, electronic service provider (ESP) and agent) as defined in PHIPA and its Regulation when providing services to SHIIP participants. To the extent that SHIIP is used to permit two or more participants to disclose PHI to one another related to a coordinated care plan (CCP), QCH is a HINP to those participants. To the extent that SHIIP is used to permit a participant to use electronic means to disclose or collect PHI, QCH is an ESP to those participants. Lastly, to the extent that SHIIP is used to generate patient scores such as HARP, LACE, mHOMR, and complex flags, QCH is an agent acting on behalf of the participant that contributed the data used to produce the scores.

As a HINP, QCH is subject to the requirements under subsection 6(3) of the Regulation of PHIPA. Below are policies that describe the standards employed by QCH to protect the PHI managed in SHIIP. If you have questions about QCH’s role as a HINP, or if you require further documents regarding our privacy practices, please contact the QCH Privacy Office using the contact information identified above.

A. SHIIP Access

Health care providers will be granted access to SHIIP in order to allow them to access and use personal health information for the purpose of providing or assisting in the provision of health care. Personal health information in SHIIP will only be used for research or a secondary purpose as allowed for and in accordance with the conditions specified by the Personal Health Information Protection Act, 2004 (PHIPA) and its regulations. Health care providers will be authorized to access SHIIP through the services or sub-contracted third-party services of Queensway Carleton Hospital.

B. Personal Health Information

Personal Health Information (PHI) is information about the health care provided to an identifiable individual. The PHI available in SHIIP is contributed by health information custodians connected to SHIIP (e.g., hospitals and community health service providers). PHI in SHIIP presents the information as it is received. The contributing health information custodian remains accountable for the completeness and accuracy of any PHI contributed by that health information custodian into SHIIP. Health information custodians may also amend the PHI they contributed from time to time, so when providing care, health care providers should always access the latest information for that particular patient in SHIIP.

C. Security and Privacy Safeguards

SHIIP has implemented, and will maintain administrative, physical, and technical safeguards to protect the PHI being transferred, processed, or stored from theft, loss, unauthorized use, modification, disclosure, destruction and/or damage. These safeguards include security software and encryption protocols, firewalls, locks and other access controls, privacy impact assessments, staff training and confidentiality agreements.

For more information about SHIIP, please visit Shared Health Integrated Information Portal (shiip.ca)