Health Information Network Provider (HINP) Privacy Policy

Document Control: Owned by:

Legal & Privacy Office

Implemented by:

Legal & Privacy Office

Last Revised:

December 18, 2014

Next Review Date:

January 1, 2016

Approved by:

Chief Privacy Officer

Effective Date:

January 1, 2015

HINP Privacy Policy

December 2014

For questions concerning this Policy please contact: CCO Legal & Privacy Office Cancer Care Ontario 620 University Avenue Toronto, ON M5G 2L7 Tel: (416) 217 - 1816 E-mail: [email protected]

©2014 Cancer Care Ontario

2

HINP Privacy Policy

December 2014

INTRODUCTION Background and Overview Cancer Care Ontario (CCO) is the provincial agency responsible for continually improving cancer services. Formally launched and funded by the Ontario government in 1997, CCO is governed by the Cancer Act (Ontario). Further, as an Operational Service Agency of the Ontario government, CCO’s mandate is determined pursuant to a Memorandum of Understanding (MOU) between CCO and the Ministry of Health Long-Term Care (MOHLTC) dated December 2, 2009. As the provincial agency responsible for continually improving cancer services, and the Ontario Government’s cancer advisor, CCO: 

Directs and oversees close to $950 million public health care dollars to hospitals and other cancer care providers to deliver high quality, timely cancer services;



Implements provincial cancer prevention and screening programs designed to reduce cancer risks and raise screening participation rates;



Works with cancer care professionals and organizations to develop and implement quality improvements and standards;



Uses electronic information and technology to support health professionals and patient self-care and to continually improve the safety, quality, efficiency, accessibility and accountability of cancer services;



Plans cancer services to meet current and future patient needs, and works with health care providers in every Local Health Integration Network (LHIN) to continually improve cancer care for the people they serve; and



Rapidly transfers new research into improvements and innovations in clinical practice and cancer service delivery.

In addition to cancer, CCO has other core lines of business including supporting and hosting the provincial Access to Care (ATC) program, which is a part of the Government of Ontario’s Wait Times Information Strategy (WTIS). CCO has also worked with renal leadership in Ontario to operate the Ontario Renal Network (ORN). In 2010, the MOHTLC formally transferred the provincial oversight and co-ordination of the Chronic Kidney Disease (CKD) Management Program to the ORN under the auspices of CCO. CCO also administers the Provincial Drug Reimbursement Program (PDRP), which includes the New Drug Funding Program (NDFP), the Evidence Building Program (EBP), and the Case-by-Case-Review Program (CBCRP) for cancer drugs, on behalf of the MOHLTC. Beyond CBCRP, CCO offers ad-hoc support (e.g., reviewer identification) to

HINP Privacy Policy

December 2014

out-of- country (OOC) requests when required for non-drug funding requests, such as cancer-related tests, radiation, and surgery. Each of these programs is governed by separate accountability agreements between CCO and the MOHLTC. In order to fulfill its mandate, CCO requires access to personal health information (PHI) from across Ontario. CCO derives its authority to collect, use, and disclose this information from its designations under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA). CCO uses the information it collects to:       

Plan and manage the cancer system in Ontario; Operate Ontario’s cancer screening program, which offers certain groups in Ontario the opportunity to get regularly tested, or screened, for breast cancer, colorectal cancer and cervical cancer; Develop and test information technology (IT) solutions (e.g., computer applications, web portals) in respect of health system projects and programs managed by CCO; Support health research; Manage ATC initiatives; Manage the Ontario Renal Network Program; and Operate CCO’s New Drug Funding Program (NDFP).

PHI is disclosed by CCO, as authorized by law, to organizations such as the Institute for Clinical and Evaluative Sciences, the Canadian Institute for Health Information and Statistics Canada, as well as researchers who comply with the research requirements set out the PHIPA. Finally, CCO provides information technology (IT) solutions, such as applications or network services, to health information custodians (HICs) involved in a number of health system programs and projects managed by CCO.

Cancer Care Ontario’s Privacy Program CCO is committed to respecting personal privacy, safeguarding confidential information and ensuring the security of PHI within its custody or control. CCO meets this commitment through its Privacy Program. This Program is overseen by the Chief Privacy Officer (CPO), who reports directly to CCO’s President & CEO. The CPO is supported in carrying out her responsibilities by a network of individuals and committees with specific privacy and security-related responsibilities, including: 

A Director, Legal & Privacy, who is responsible for the day-to-day operation of privacy processes within CCO and compliance with CCO privacy policies. 4

HINP Privacy Policy

December 2014



Privacy Managers, Specialists and Analysts who report to the Director, Legal & Privacy, and support CCO’s Privacy Program.



Data Stewards, each associated with a specific data-holding, who are responsible for authorizing both internal and external requests for access to CCO data.



A Facilities Manager who is responsible for ensuring the physical integrity of CCO premises.



Systems Security Specialists who report to the Chief Technology Officer (CTO), and oversee IT security safeguards for CCO data.



A Core Privacy and Security Committee composed of the CPO, Legal & Privacy Office staff, Enterprise Information Security Office staff, and key members of CCO’s information management team - which provides advice and consultation to the CPO on specific privacy topics.



A Data Access Committee, supported by a Working Groups and an Information Management Coordinator, which is responsible for reviewing and approving requests for access to CCO data by researchers.

Key components of CCO’s Privacy Program include:  CCO’s privacy policies and procedures;  a privacy network comprised of individuals and committees, as described above;  an employee privacy training and awareness program;  a privacy audit and compliance program which generates and monitors system audit logs; and  privacy impact assessments on existing and proposed CCO data-holdings and/or programs.

LEGISLATIVE AUTHORITIES The PHIPA establishes a statutory privacy framework for protecting PHI. The Regulation1 made under PHIPA also specifies requirements for “providers to custodians” (referred to herein as “Service Providers”)2 that enable HICs to use electronic means to collect, use, modify, disclose, retain or dispose of PHI. The Regulation further specifies requirements for “Health Information Network Providers” (also referred to as “HINPs”) that enable two or more HICs to use electronic means to share PHI.3

1

Ontario Regulation 329/04. See section 10(4) of PHIPA and Section 6 of the Regulation to PHIPA. 3 See section 6(2) of the Regulation to PHIPA. 2

5

HINP Privacy Policy

December 2014

CCO provides IT services, such as the CCO data centre and servers, to HICs to enable them to collect, use, disclose, retain or dispose of PHI. Service Providers are subject to the three privacy requirements found in section 6(1) of the Regulation, which include: i. ii. iii.

limiting a Service Provider’s use of PHI to that required to provide IT services; prohibiting a Service Provider’s disclosure of any PHI to which it has access in the course of providing the IT services; and limiting access by a Service Provider’s employees or contracted third parties to only that PHI required to provide the IT services.

CCO also provides information systems (listed in Appendix A) to HICs to enable them to exchange PHI with each other. In providing such services, CCO is subject to additional privacy requirements under the Regulation, as specified below.

SCOPE OF CCO’S HEALTH INFORMATION NETWORK PROVIDER PRIVACY POLICY CCO’s Health Information Network Provider Privacy Policy (the “Policy”) applies to the provision of IT services by CCO to two or more HICs, where the services are provided primarily to enable the latter to use electronic means to disclose PHI to one another. In addition to the service provision requirements outlined above, Health Information Network Providers are subject to the requirements under section 6(3) of the Regulation to PHIPA. This Policy describes the standards employed by CCO to protect PHI managed in this capacity and describes how CCO meets the seven privacy requirements detailed in the Regulation. This Policy is intended to supplement CCO’s Principles and Policies for the Protection of Personal Health Information at CCO (“CCO’s Privacy Policy”), which is the framework document of CCO’s Privacy Program and describes the privacy practices CCO employs to protect PHI collected, used, and disclosed for the purposes of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for the Ontario cancer system,4 and for purposes of facilitating or improving the provision of health care5. This Policy and any amendments to the Policy are approved by the CPO. Amendments are communicated to CCO staff, contracted third parties and participating HICs. Where appropriate, the Policy identifies supporting documents and relevant authorities for each of the fair information practices. Where there is a discrepancy between this Policy and PHIPA, PHIPA takes precedence.

4 5

See section 45 of PHIPA. See section 39(1)(c) of PHIPA. 6

HINP Privacy Policy

December 2014

HEALTH INFORMATION NETWORK PROVIDER (HINP) REQUIREMENT HINP Requirement Notification.

RELATED PROCEDURES

1:

Breach CCO requires all employees and relevant third-party providers to advise the CCO Legal & Privacy Office at the first reasonable CCO will notify every applicable HIC, at opportunity of any privacy breach, suspected the first reasonable opportunity, of any privacy breach or privacy risk relating to the privacy breach, suspected privacy unauthorized access, use, disclosure, or breach or privacy risk related to the disposal of PHI retained by CCO or managed unauthorized access, use, disclosure, via its IT services. The terms “privacy or disposal of PHI managed by CCO via breach”, “suspected privacy breach” and its IT services.6 “privacy risk” are defined and explained in CCO’s Privacy Breach Management Procedure. The Legal & Privacy Office will work with the Program Area in which the incident occurred to contain, investigate, and resolve the incident. The Legal & Privacy Office will notify the applicable HIC(s)’ Privacy Officer in writing at the following three points in the breach management process: 1) Breach identification: once the privacy breach, suspected privacy breach or privacy risk is identified and contained; 2) Breach investigation: once the investigation is complete and actions to resolve the incident and ensure it does not recur are identified; and 3) Breach resolution: upon conclusion of the breach management process. See CCO’s Privacy Breach Management Procedure.

6

See section 6(3)(1) of the Regulation to PHIPA. 7

HINP Privacy Policy

December 2014

HINP Requirement 2: Providing HICs CCO’s Legal & Privacy Office will ensure that with a Plain Language Description of the following are provided to each applicable Services and Safeguards. HIC: CCO will supply each applicable HIC  general information on CCO’s Privacy with a plain language description of the Policy and practices; CCO IT services provided and  general information on CCO’s Health safeguards that have been Information Network Provider Privacy implemented to protect PHI against Policy and related procedures; unauthorized use or disclosure, and to  a description of the IT services provided as protect the integrity of the information.7 a Health Information Network Provider;  a description of the administrative, technical and physical safeguards in place to protect PHI in the information system(s);  contact information for CCO’s Legal & Privacy Office. Where HICs make a request for information regarding CCO’s Privacy Program or practices, the CCO employee receiving the request will refer the inquiry to the CCO Legal & Privacy Office for response. See CCO’s Privacy Inquiries and Complaints Procedure.

7

See section 6(3)(2) of the Regulation to PHIPA. 8

HINP Privacy Policy

December 2014

HINP Requirement 3: Public CCO’s Legal & Privacy Office, in conjunction Description of Services, Safeguards, with CCO Communications, will ensure that Directives, Guidelines and Policies. the following are available to the public and key stakeholders. CCO will make available to the public a plain language description of the CCO  general information on CCO’s Privacy IT services provided and the safeguards Policy and practices; employed to keep PHI secure and  general information on CCO’s Health confidential. This public description will Information Network Provider Privacy include any directives, guidelines, and Policy and related procedures; polices that apply to these services.8  a description of the IT services provided as a Health Information Network Provider;  a description of the administrative, technical and physical safeguards in place to protect PHI in the information system(s);  the contact information for CCO’s Legal & Privacy Office. Where a member of the public requests information on CCO’s Privacy Program or practices, the CCO employee receiving the request will refer the inquiry to CCO’s Legal & Privacy Office for response. See CCO’s Privacy Inquiries and Complaints Procedure.

8

See section 6(3)(3) of the Regulation to PHIPA. 9

HINP Privacy Policy

December 2014

HINP Requirement 4: Provision of CCO will make available to HICs upon Audit Logs. request a list of applicable audit logs the latter may request. HICs may request audit CCO will make available to the applicable HIC upon request, and to the logs by contacting the CCO Legal & Privacy via email extent reasonably practical, an Office electronic record of all accesses and ([email protected]) transfers of PHI associated with the or telephone (416-217-1816). Audit logs for HIC.9 named patients (that is, which contain PHI) may only be requested by telephone. The Legal & Privacy Office will only accept requests made by the HIC’s Local Registration Authority or Privacy Officer (or authorized delegate(s)). Requests for audit logs must include:  facility, site, and, as appropriate, name or unique application-based identifier of the end-user or patient whose record is in question;  range of dates (and times, if required) for the audit log; and  requestor’s contact information and role. Once the request has been completed, CCO’s Legal & Privacy Office will send the audit log to the requestor using a secure delivery method. When it is not reasonably practical for CCO to fulfill the request, CCO will inform the requestor in writing of such limitations. See CCO’s Logging, Monitoring and Auditing Standard. See CCO’s Health Information Network Provider Audit Log Request Procedure.

9

See section 6(3)(4) of the Regulation to PHIPA. 10

HINP Privacy Policy

HINP Requirement 5: Providing HICs with a Privacy Impact Assessment and Threat Risk Assessment of Services Provided. CCO will perform and provide to each applicable HIC a written copy of the results of a privacy impact assessment and threat risk assessment on the IT services provided.10

December 2014

CCO will conduct privacy impact assessments (PIAs) and threat risk assessments (TRAs) on all new or significantly amended CCO IT services provided by CCO in its role as a HINP. The CPO and the CTO, respectively, will authorize or reject new IT services based on these analyses, and implement any recommendations contained therein. CCO will share its PIAs with the Office of the Information and Privacy Commissioner / Ontario upon request. Due to their sensitive nature, TRAs will be provided to the HIC’s Privacy or Security Officer subject to the signing of a nondisclosure agreement. See CCO’s Privacy Impact Assessment Standard.

10

See section 6(3)(5) of the Regulation to PHIPA. 11

HINP Privacy Policy

December 2014

HINP Requirement 6: Restrictions on The use of PHI contained in the Health Employees and Third Parties. Information Network Provider information systems is restricted to CCO staff and CCO will ensure that all employees or contracted third-parties who require access contracted third parties retained comply in order to support IT service provision. To with CCO’s privacy and security obtain access, staff are required to: restrictions and conditions.11  sign a CCO confidentiality agreement;  successfully complete privacy/security training, which describes the contents of this Policy and associated procedures; and  sign a privacy acknowledgement, which attests to their understanding of the training. In addition, third-party service providers are required to sign a contract which assures the protection of PHI commensurate with that provided by CCO. The CPO and CTO are responsible for ensuring that data access by staff and relevant third parties is in compliance with the above and audited on a regular basis. See CCO’s Privacy Training and Awareness Procedure. See CCO’s Internal Data Access Procedure.

11

See section 6(3)(6) of the Regulation to PHIPA. 12

HINP Privacy Policy

December 2014

HINP Requirement 7: Written The CPO will ensure that the Health Agreement with Respect to Services Information Network Provider services and Safeguards. agreement includes the following restrictions: CCO will enter into a into a written  CCO will not use PHI to which it has agreement with each HIC describing the access in the course of providing IT services provided, the administrative, services except as necessary in the technical and physical safeguards in course of providing the services; place to protect the confidentiality and  CCO will not disclose PHI to which it has security of the information, and that access in the course of providing IT requires CCO to comply with PHIPA services; and its Regulations.12  All CCO employees and contracted third parties agree to comply with CCO’s privacy and security requirements; and  CCO will notify the applicable HIC(s) at the first reasonable opportunity of any privacy breach, suspected privacy breach or privacy risk relating to the unauthorized access, use, disclosure or disposal of PHI. See CCO’s Privacy Breach Management Procedure.

12

See section 6(3)(7) of the Regulation to PHIPA. 13

HINP Privacy Policy

December 2014

REFERENCES The following documents inform this Policy:

Privacy: 

Ontario Personal Health Information Protection Act, 2004 (PHIPA)



Canadian Standards Association’s Model Code for the Protection of Personal Information



Principles and Policies for the Protection of Personal Health Information at Cancer Care Ontario (“CCO Privacy Policy”)



CCO Confidentiality Agreement



CCO Privacy and Security Acknowledgement



CCO Privacy Governance Chart



CCO Data Steward – Terms of Reference

Security: 

CCO’s Information Security Policy (ISP-01)



CCO’s Information Security Code of Conduct (ISP-02)



CCO’s Information Classification and Handling Standard (ISS-01)



CCO’s Logical Access Control Standard (ISS-03)



CCO’s Operational Security Standard (ISS-04)



CCO’s Logging, Monitoring and Auditing Standard (ISS-06)

Interactive Symptom Assessment and Collection (ISAAC) tool: 

PPCIP Privacy Impact Assessment



PPCIP Threat Risk Assessment



PPCIP Health Information Network Provider Gap Assessment



Interactive Symptom Assessment and Collection (ISAAC) Software License Agreement (partial application)



Interactive Symptom Assessment and Collection (ISAAC) Software License Agreement (full application)



Interactive Symptom Assessment and Collection (ISAAC) Terms of Use (Organizational) 14

HINP Privacy Policy 

December 2014

Interactive Symptom Assessment and Collection (ISAAC) Terms of Use (Patient)

Ontario Positron Emission Tomography (PET) Scan Evidence-Based (EB-PET) Program: 

EB-PET Privacy Impact Assessment



EB-PET Threat Risk Assessment



PET Scans Ontario License Agreement (PET Centres)



PET Scans Ontario Terms of Service (Referring Physician)



PET Scans Ontario Terms and Conditions

Diagnostic Assessment Program – Electronic Pathway Solution (DAP-EPS): 

DAP-EPS Privacy Impact Assessment; Addendum #1; Addendum #2



DAP-EPS Threat and Risk Assessments (January 2013 and February 2014)



DAP-EPS License Agreement



DAP-EPS Caregivers Terms of Use Agreement



DAP-EPS User Terms of Use Agreement

eClaims Solution: 

Privacy Impact Assessment (PIA) - New Drug Funding Program (NDFP) eclaims Solution Project



CCO New Drug Funding Program eClaims Threat and Risk Assessment



CCO eClaims Software and License Agreement



eClaims Privacy FAQs for Patients



eClaims Privacy FAQs for Health Care Providers

Ontario Renal Reporting System (ORRS): 

Privacy Impact Assessment (PIA) Addendum – Ontario Renal Network Ontario Renal Reporting System Release 3.0 (ORRS R. 3.0)



ORRS R.3.0 Threat Risk Assessment



ORRS R.3.0 Technical Vulnerability Assessment and Penetration Testing 15

HINP Privacy Policy 

December 2014

ORRS License and Health Information Network Provider Agreement, including, as Schedules: the End User License Agreement, the Website Terms and Conditions of Use and the Registration Authority (RA)/Local Registration Authority (LRA) Agreement – ORRS (Chronic Kidney Disease Sites)

16

HINP Privacy Policy

December 2014

APPENDIX A: INFORMATION TECHNOLOGY SERVICES This Appendix describes the information system(s) that Cancer Care Ontario (CCO) provides participating health information custodians in its capacity as a Health Information Network Provider.

Interactive Symptom Assessment and Collection (ISAAC) Web Application CCO provides the Interactive Symptom Assessment and Collection (ISAAC) web application to cancer centres, community care access centres, hospitals or other health care providers for the primary purpose of capturing and tracking information on patient symptom intensity using the Edmonton Symptom Assessment System (ESAS). The tool also allows providers to record a patient's functional status. Health information custodians (HICs) are required to sign a software license agreement prior to being authorized to use the software.

PET Scans Ontario Web Application CCO provides the PET Scans Ontario web application to physicians and PET Centres for the purposes of supporting the activities of the uninsured program domains (PET Registry, PET Clinical Trials and the PET Access Program) and insured PET scan services under the EB-PET Program. The PET Scans Ontario web application provides the ability for physicians, through the use of web-based forms, to request PET scans for their patients and the ability for PET centres, through the use of web-based forms, to submit results from PET scans performed at their institutions. Health Information Custodians, authorized users, are required to accept a Terms of Use prior to being authorized to use the web application.

Diagnostic Assessment Program – Electronic Pathway Solution (DAP-EPS) CCO provides the Diagnostic Assessment Program – Electronic Pathway Solution (DAPEPS), a navigational web-based tool, for the purposes of connecting Referring Physicians, primary care providers, patients, staff at DAP Facilities and specialists that are part of the patient’s DAP Team, in order to facilitate the communication of information to patients and their designated caregivers, and providing patients and HICs with a centralized view of the information relating to the patients’ cancer diagnosis. The PHI collected, used and disclosed through the DAP-EPS is solely for the purposes noted above, and pursuant to the PHIPA and its Regulation. Reports including aggregate level data only are provided to the funders of the DAP-EPS, namely Canada Health Infoway and the Canadian Cancer Society.

17

HINP Privacy Policy

December 2014

eClaims Solution CCO provides the eClaims solution for the purposes of operating CCO’s Provincial Drug Reimbursement Programs (PDRP). The PDRP is the provinces operational unit responsible for administering cancer drug funding to hospitals. The solution offers a webbased portal or interfaces with existing hospital systems, enabling clinicians (pharmacists and physicians) to access and track patient’s historical treatment records, including ones submitted by other treatment facilities, and submit treatment orders. Additionally, it is used by CCO adjudicators and hospital users for drug claims reimbursement and the adjudication of drug eligibility.

Ontario Renal Reporting System (ORRS) CCO provides the ORRS web application to Ontario healthcare facilities that treat patients with Chronic Kidney Disease (the Sites) for the purposes of connecting these facilities when a patient transfers from one Site to another. ORRS allows the new or TransferringIn Site to determine if a patient has previously been treated at a different Site (the Transferring-Out Site) and, if so, access certain PHI related to the treatment that the patient received in the past. This facilitates the care and treatment by the TransferringIn Site by, for example, avoiding duplicate testing and the requirement for the patient to repeat their health history to their new healthcare providers. Limited patient information is also communicated between Sites in order for them to improve treatment based on more timely and accurate information related to the funding that will be available to them to provide services based on the patient-centred Chronic Kidney Disease patient-centred funding model.

18