Privacy and Security
The Health Information Act (HIA) establishes rules to protect the privacy of an individual's health information, as well as regulate how health information can be collected, used and disclosed. The legislation requires custodians (typically health service providers in the publicly funded health system) and affiliates (employees, volunteers, contractors, etc. who work for a custodian) to only collect, use and disclose health information in the most limited manner, with the highest degree of anonymity possible and on a need-to-know basis.
The Office of the Information and Privacy Commissioner has oversight responsibilities over the HIA and monitors how the legislation is administered in the health system.
Who Can Access Alberta Netcare?
Only authorized custodians and their affiliates may access health information through Alberta Netcare. Before any individual is authorized to access Alberta Netcare, a series of privacy and security assessments must be completed. Authorized users must also sign an information manager agreement with Alberta Health and Wellness that limits how health information in Alberta Netcare may be collected, used and disclosed. Only then are these health service providers registered as authorized users and given a login ID.
Users are restricted in terms of the information they can access based on their role in the health care system. This means that access permissions and other security credentials are set up so that users have enough information to do their jobs, while ensuring that information is accessible only on a "need-to-know" basis.
For example: A medical office clerk may only have access to certain information in an electronic health record, such as a person's first and last name, date of birth, gender and personal health number, while a physician may have access to additional information including drug intolerances, lab results and diagnostic images.
Various security safeguards are in place to ensure that only authorized users can access Alberta Netcare. These include the use of SecurID® remote access fobs for users who access Alberta Netcare from outside a government or Alberta Health Services network.
Encryption and Controls
The security controls used to protect information viewable through Alberta Netcare are based on international standards and best practices. Any access to Alberta Netcare is logged.
Encryption
All electronic messages that are shared are encrypted, which means that the information is encoded to provide a high level of security.
Controls
High-quality network security controls include the use of firewalls and an intrusion detection system to alert the appropriate personnel of any unusual activity.
Penalties
The HIA has established fines for anyone who knowingly collects, uses, or discloses health information or who gains or attempts to gain access to health information in contravention of the HIA. Individuals who breach privacy and access rules could be subject to criminal charges, fines of up to $100,000, and disciplinary measures within their licensing or professional organizations.
In 2007, a medical office clerk appeared in court and pleaded guilty to charges of improperly accessing another person's medical information through the Alberta Netcare Portal in contravention of the HIA. The medical office clerk was fined $10,000 for the offence.
The Office of the Information and Privacy Commissioner (OIPC) is charged with protecting the health information of Alberta and has said they will not hesitate to recommend charges again in the future. More information can be found on the OIPC website:
http://www.oipc.ab.ca/ims/client/upload/NR_HIAchargeCourt_Apr_16_07.pdf
Global Person-Level Masking
Albertans have the option of requesting that their health information in Alberta Netcare be "masked." This means that information about an individual will not be automatically visible when a record is accessed, except for first and last name, date of birth, gender and personal health number. This is called Global Person-Level Masking (GPLM). GPLM enables participating custodians and affiliates to actively consider an individual's expressed wish to 'mask' their information through Alberta Netcare.
Requesting a Mask
An individual wishing to request a mask must contact a participating custodian, ideally one with whom they already have a current care relationship. The custodian can assist them in completing the request and will submit the application on behalf of the individual. Before submitting the application, the custodian must discuss the consequences of applying and rescinding a mask with the individual. There may be circumstances where a custodian is unable to authorize that an individual's information be masked, for example, if masking that information could pose a threat to public health and safety.
How Does Masking Work?
When a mask has been applied, the health information contained in the patient's electronic health record will not automatically be displayed. However, authorized health service providers may unmask a record in limited circumstances, such as with the patient's consent or if clinically necessary. All unmasking activity is flagged, electronically logged and may be audited.
Rescinding a Mask
An individual may request that a mask be rescinded by contacting a participating custodian. A request to rescind a mask may also be initiated by a health service provider if he or she becomes aware of changing circumstances that affect the individual's eligibility for masking. In this case, custodians or delegates will make every attempt to inform the individual of their decision prior to removal of the mask.
Individuals who would like additional information about Global Person-Level Masking should contact a participating custodian such as a pharmacist or physician, or contact the Alberta Health and Wellness Health Information Act Help Desk:
Phone: 780-427-8089 (toll free 310-0000)
Email: hiahelpdesk@gov.ab.ca
Health service providers can also download a fact sheet titled Protecting Patient Privacy through Masking Information in Alberta Netcare. This resource provides custodians with a summary of GPLM and the application process.
Privacy and Security Agreements and Assessments
Gaining access to Alberta Netcare is a formal, staged process for health service providers who may be eligible within their role as custodian under the HIA. Before health service providers become authorized users of Alberta Netcare, they must complete and comply with four requirements that confirm their privacy and security commitment and readiness.
- Privacy Impact Assessment (PIA) is a "due diligence" requirement where the custodian identifies and addresses potential privacy risks that may occur in a project. A PIA describes how information will be transferred between authorized custodians in a project, identifies the legal authorities that allow for the flow of information, assesses potential impacts on and risks to privacy and identifies strategies to minimize the risks.
In accordance with Section 64 of the HIA, a custodian is required to prepare and submit a PIA to the Office of the Information and Privacy Commissioner (OIPC) for review and comment before implementing or amending any proposed new practice or system or any proposed change to existing practices or systems relating to the collection, use and disclosure of individually identifying health information.
A completed PIA is one of the conditions that need to be met before a custodian or their affiliates are granted user access to Alberta Netcare.
For additional information about PIAs, please contact the OIPC:
Phone: 780-422-6860
Website: http://www.oipc.ab.ca/pia/
- Provincial Organizational Readiness Assessment (pORA) is an assessment of the ability of an office or business to protect the security of provincial health information databases for which health service providers are seeking access. A pORA is required when a health service provider is seeking approval to connect to a provincial health information database such as Alberta Netcare. It is an assurance that the office or business is able to provide security sufficient to meet the requirements of the HIA.
The pORA process is managed by the AHW Information Compliance and Access Unit (ICA).
For additional information about pORAs, please contact the Alberta Netcare Deployment team:
Toll free: 1-866-756-2647
Phone: 780-642-4082 (in Edmonton)
Email: health.ehrdeployment@gov.ab.ca
- Information Manager Agreement (IMA) is the legal agreement between AHW and a participating custodian. The agreement governs a custodian's access to Alberta Netcare and establishes the terms, conditions and restrictions under which such access is granted.
For more information on the Alberta Netcare IMA, please contact the Information Compliance and Access Unit (ICA) of AHW:
Phone: 780-427-8089
Email: hiahelpdesk@gov.ab.ca
- Information Exchange Protocol (IEP) establishes the specific rules for the collection, use and disclosure of information through Alberta Netcare. These rules bind all HIA custodians who are signatories to the Alberta Netcare Information Manager Agreement (IMA) and any other legal agreements for participating in Alberta Netcare that may be prescribed.
For more information on the Alberta Netcare IMA, please contact the Information Compliance and Access Unit (ICA) of AHW:
Phone: 780-427-8089
Email: hiahelpdesk@gov.ab.ca
Stakeholders and Authorities
The Alberta Netcare teams work closely with the responsible authorities and stakeholders to ensure Alberta Netcare and its users are compliant with legislated and regulated privacy and security practices. These authorities and stakeholders include:
- Alberta's Office of the Information and Privacy Commissioner (OIPC)
Phone: 780-422-6860
Website: http://www.oipc.ab.ca/
- Alberta Health and Wellness, Information Compliance and Access Unit (ICA)
Phone: HIA Help Desk 780-427-8089
- College of Physicians and Surgeons of Alberta (CPSA)
Toll free: 1-800-561-3899
Phone: 780-423-4764 (in Edmonton)
Website: http://www.cpsa.ab.ca/home/home.asp
- Alberta Medical Association (AMA)
Toll free: 1-800-272-9680
Phone: 780-482-2626 (in Edmonton)
Website: http://www.albertadoctors.org/
- Alberta College of Pharmacists (ACP)
Toll free: 1-877-227-3838
Phone: 780-990-0321 (in Edmonton)
Website: http://pharmacists.ab.ca/
- Alberta Pharmacists Association (RxA)
Phone: 780-990-0326
Website: http://www.albertapharmacy.ca/