A unique and innovative model
Health Information Network
The Aline-Chrétien Health Hub (ACHH) is a partnership between Hôpital Montfort (HM), Bruyère, CHEO, Eastern Ottawa Resource Centre, Geriatric Psychiatry Community Services of Ottawa, Home and Community Care Support Services Champlain, Ottawa Public Health, ParaMed and Youth Services Bureau of Ottawa that will enable easier access to coordinated health care services.
The first step in this partnership is to create a collaborative electronic platform using Microsoft Teams in which providers of specialized and community care can offer both physical and virtual services.
Clients will be greeted with a friendly check in service that they ca access using their own mobile device’s browser or a kiosk at the ACHH. This kiosk can scan a QR code from Blueink’s eId-Me app or a provincial health card to bring up a client’s appointments for that day. The check-in services will help guide clients with wayfinding instructions for the clinic that their appointment is created for. The ACHH solution equips providers with the tools they need to have virtual, phone, or in-person appointments with their clients. An automated notifications system keeps clients updated on their upcoming appointments by sending confirmation and reminder notifications. Clients will save time by completing intake forms ahead of their appointment as needed through the ACHH generated notifications. Providers will be informed and expecting you, so you won’t have to repeatedly answer the same questions.
Health Information Network Provider Statement of Practices
HM hosts the ACHH solution for this partnership. Under s.10(4) of the Personal Health Information Protection Act (PHIPA) and ss.6(3) of Regulation 329/04 made under PHIPA, a person who provides services to two or more health information custodians to use electronic means to disclose personal health information to one another is a health information network provider (HINP).
Our responsibilities include:
- Managing changes in roles and responsibilities as they pertain to PHIPA and establishing appropriate agreements
- Assessing the privacy and security of the information system to help ensure that it protects personal health information
- Appointing one or more individuals who will be responsible for the privacy and security of the personal health information in the shared system
- Establishing logging, auditing and monitoring policies and procedures, including the communication of these controls to the participants
- Providing incident and breach management support to the participants by informing the parties in the event of a Privacy Breach or unauthorized access
- Making plain language safeguards available to both the public and participating organizations
- Completing a Privacy Impact Assessment (PIA) and Threat/Risk Assessment (TRA)
For more information about our information privacy practices, please contact the Access to Information and Privacy Protection Office at 613-748-4903, or firstname.lastname@example.org
Plain Language Description of Health Information Network Provider Services
The Personal Health Information and Protection Act (PHIPA, 2004) defines a Health Information Network Provider (HINP) as an organization that hosts two or more organizations information system for patient’s personal health information. The partners at ACHH share an integrated solution called the “ACHH Collaborative Platform” based on Microsoft Teams.
HM hosts the Microsoft Teams ACHH solution for this partnership with Bruyère2, CHEO, Eastern Ottawa Resource Centre, Geriatric Psychiatry Community Services of Ottawa, Home and Community Care Support Services Champlain, Ottawa Public Health, ParaMed and Youth Services Bureau of Ottawa under s.10(4) and ss.6(3) of Regulation 329/04 made under PHIPA. As part of that responsibility, Montfort assesses the threats, risks and impacts associated with the shared system and works to safeguard the Personal Health Information and meet its obligations related to privacy and security.
Summary of Privacy and Security Safeguards
We understand the importance of ensuring the privacy and security of personal health information and have developed a HINP framework that describes the standards used to protect this information. There are numerous controls built into the system that protect personal health information (PHI) including:
The ACHH collaborative platform is hosted in a secure environment with effective administrative, physical, technical and information security safeguards in compliance with industry best practices.
Access controls are used to prevent unauthorized or inappropriate access to PHI, ensure protection of HM systems, prevent unauthorized computer access, detect unauthorized or inappropriate activities, and ensure the integrity and reliability of information systems.
HM and its ACHH partners only grant PHI access to authorized persons based on roles and responsibilities for each position within the organization and only to the extent they require to fulfill the requirements of their job. Any HIC’s that are considered to be a subscriber are expected to adhere to similar principles based on their corporate policies and procedures.
All users are authenticated through an enhanced authentication mechanism prior to accessing the ACHH collaborative system.
Strict password policy parameters are required and enforced
Data is encrypted during transmission and while stored in ACHH system.
Data retention and disposal policies are in place to ensure PHI is kept as long as required and is disposed of properly to ensure confidentiality.
To ensure that appropriate safeguards are in place to protect the privacy and security of all data, HM will require the Platform Administrator to complete a privacy compliance survey on an annual basis.
Audits and Monitoring
Audits are performed to ensure the privacy, confidentiality and security of personal health information (PHI) housed within the shared solution. HM as a HINP has the responsibility to ensure that PHI it has under custody and control is not inappropriately accessed.
A Technical Risk Assessment (TRA) and Privacy Impact Assessment (PIA) were conducted to identify privacy and security gaps and deficiencies.
Penetration testing has been performed to prevent any unauthorized access and modification to the ACHH collaborative solution and its data.
Each ACHH partner and HM have implemented and follow privacy practices that comply with the Personal Health Information Protection Act, 2004 and its regulations regarding the collection, use, disclosure, retention and disposal of PHI.
A privacy incident and breach management policy is in place to address any privacy events (breach or incidents) collaboratively among the appropriate parties.
A consent management process is in place to manage and enforce Client/Patient’s consent among participating organizations.
A client privacy support process is in place to manage Clients/Patients’ requests to access and/or correct their PHI in the ACHH System, and to challenge the privacy compliance of the participating HIC.
HM, as a HINP and agent complies with the Personal Health Information Protection Act, 2004 and regulations thereunder as well as industry best practices, and uses a variety of administrative, physical, technical and information security safeguards to protect PHI. In addition, HM has policies and procedures in place to ensure that its employees and authorized users understand their obligations with respect to the system and protection of PHI.
Adapted from Grand River Hospital website.