Regional HIS Privacy Declaration

TransForm Shared Service Organization (TransForm) currently provides Information Technology (IT) and Hosting services to Health Service Providers (HSP) in South West Ontario. Our customers continue to enhance their electronic information systems, particularly when it comes to providing prompt access to a patient’s Personal Health Information (PHI). TransForm’s role in securing and delivering these electronic services is critical to safeguarding our customers’ and their patients’ data.

In protecting patients’ PHI, Ontario’s Personal Health Information Protection Act (PHIPA) identifies various types of healthcare roles and prescribes requirements for each of them in terms of how they may collect, use and disclose PHI. Under s.10(4) of PHIPA and ss.6(3) of Regulation 329/04 made under PHIPA, a person who provides services to two or more health information custodians that enable them to use electronic means to disclose personal health information to one another is a health information network provider (HINP).

In its capacity as the HSP IT services delivery partner, TransForm is classified as the HINP in the context of providing the regional Hospital Information Systems (HIS) and administering access to them. As part of TransForm’s obligations under the Regulation, this page represents our statement of Information Practices in relation to these offerings.

TransForm as HINP

TransForm is a HINP under the regulation, in relation to its hosting of the following systems:

  • Cerner Millennium (e-VOLVE) is a solution that brings together four hospitals in the Erie St. Clair (ESC) region to transform the way clinical services are delivered by equipping the region with an integrated, modern hospital information system (HIS).
  • Infor Hospital Revenue Cycle Management (Patient Accounting) is a regional shared system for integrating accounts receiving and billing into a financial systems management solution. The solution allows for customized patient statements and invoices, split billing to multiple payers, and automated collection processes.

The following technical, physical and administrative safeguards are in place at TransForm, to help protect the security, confidentiality and integrity of the in-scope systems and the information on them:

  • Anti-virus solutions help to protect our infrastructure from infection;
  • Audits, Privacy Impact Assessments and Threat and Risk Assessments are conducted;
  • Automated systems log and monitor all access to patient information;
  • Complex passwords are enforced on all systems;
  • Data is backed up on a regular basis and stored off-site;
  • Data-sharing agreements are in place with all participants;
  • Employees receive training on privacy awareness and security best practices;
  • Firewall systems guard our network perimeter;
  • Formal agreements are in place with related maintenance and service providers;
  • Network traffic is monitored continually, to help identify threats;
  • Policies, procedures and standards govern related operations (see below);
  • Servers are housed in a secure space, with redundant and backup power supplies;
  • Servers are patched on an ongoing basis; and
  • Third party participants and their authorized staff are subject to registration/control processes.

In general, with regard to the systems it maintains as HINP, and other than as may be permitted or required by law, TransForm does not:

  • Use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services;
  • Disclose any personal health information to which it has access in the course of providing the services for the health information custodian; or
  • Permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person.

In terms of accountability to the clients with access to the systems above, TransForm:

  • Notifies participating Health Information Custodians (HICs) of any privacy breaches detected;
  • Provides each participating HIC with a copy of this statement and, where requested, a copy of the DSA including its statement of network services;
  • Makes a copy of this statement available to the public on our website;
  • Maintains appropriate logging and monitoring of PHI that will be made available to participating HICs on request;
  • Performs regular privacy and security assessments of the operation of in-scope systems and provides summary copies of the results of those assessments to participating HICs; and
  • Binds third parties providing services to these programs to these requirements.

For more information about our information privacy practices, please contact the Information Privacy & Security Office via email at privacy@transformsso.ca. You can also contact our Chief Information Technology & Security Officer:

Mazen Joukhadar
mazen.joukhadar@transformsso.ca
(519) 437-6289

 

Contact Us

Contact Information

750 Richmond St Chatham, ON N7M 5J5