
									Privacy Impact Assessment
<<Project Name>>
<<Client Name>>
Prepared by MD+A Health Solutions




Version:        ##
Last Revised:   ##




Executive Summary
Instructions

        The executive summary should give a brief introduction to the initiative and summarize the key,
         high-level recommendations.




27181bb5-5e3c-4df2-900d-8698568eb916.doc                                         <Organization Logo Here>


Page ii
Privacy Impact Assessment




Table of Contents
1     Introduction                                            1
    1.1    Project Overview                                   1
    1.2    Key Stakeholders                                   1
    1.3    PIA Scope                                          1
    1.4    Out-of-Scope                                       2
2     System Overview                                         3
    2.1    Diagram                                            3
    2.2    Information Repositories                           3
    2.3    Key Applications                                   4
    2.4    System Roles                                       4
3     Business Process Overview                               6
    3.1    Business Processes Associated with PHI             6
      3.1.1    Title of Business Process #1                   6
    3.2    Supporting Business Processes                      7
      3.2.1    Title of Supporting Business Process #1        7
    3.3    Privacy Issues Associated with Business Processes  7
4     Privacy Analysis                                        8
    4.1    Authority for Collection, Use, and Disclosure      8
    4.2    Governance and Accountability                      8
      4.2.1    Governance Structure                           9
      4.2.2    Agreements                                    10
      4.2.3    Policies                                      12
      4.2.4    Training                                      14
    4.3    Consent                                           15
      4.3.1    Consent Model                                 15
      4.3.2    Consent Directives Model                      17
    4.4    Privacy Operations                                19
      4.4.1    Access and Correction                         19
      4.4.2    Complaints Management                         21
      4.4.3    Incident Handling                             22
      4.4.4    Auditing and Reporting                        23
      4.4.5    Collection, Use, and Disclosure               25
      4.4.6    Retention and Destruction                     26
5     Technical Safeguards                                   27
    5.1    User Registration and Account Provisioning        28
    5.2    Authentication                                    29
    5.3    Access Control                                    31
    5.4    Encryption                                        32
    5.5    Session Management                                33
    5.6    Auditing and Reporting                            34
    5.7    Testing and Use of Test Data                      35
    5.8    General Security Safeguards                       36
6     Risk Management Plan                                   38
Appendix: Glossary                                           39
Appendix: References                                         39








1 Introduction
1.1 Project Overview

Instructions

        Provide an overview of the initiative being assessed. The overview should give a reader who is
         not familiar with the initiative a basic understanding of it.

1.2 Key Stakeholders

Instructions

        Describe the stakeholders involved in the project.

        This is important because it helps to identify which roles they serve under PHIPA and defines
         their relationship with one another.

Stakeholder                                        Role

<<Stakeholder>>                                    <<Role under PHIPA>>
                                                   <<Roles and Responsibilities related to the
                                                   initiative>>


1.3 PIA Scope

Instructions

        The scope of the PIA should be defined before beginning the information gathering and analysis.
         This will help establish boundaries around the information gathering and analysis.

        Key factors influencing scope:
             o   Perspective
                 - From whose perspective is the PIA being written? HIC, HINP, or other? For
                   example, is the PIA concerned only with the accountabilities associated with the
                   HICs or will it also examine the accountabilities of HINP or Service Providers?
             o   Business processes
                 - What is the breadth of process analysis? Is it just clinical processes or also
                   supporting processes (e.g., backup, help desk)?
                 - Will the PIA look only at the processes associated with the initiative or does it
                   need to consider how they interface with the organizational processes?
             o   Conceptual versus design level versus operational
                 - How far along is the program? What type of PIA is being written?
             o   Technology
                 - What is the breadth of technology to be analyzed? How does it integrate with
                   other systems? Will these be in-scope?

1.4 Out-of-Scope

Instructions

        Processes and technology that are related to the in-scope items but that are considered
         out-of-scope for the analysis.








2 System Overview
Instructions

          The purpose of the System Overview section is to give the reader an understanding of the shared information service that supports the
           initiative.

          This section should be quite high-level because it is not intended to be an exhaustive technical architecture. Non-technical readers should
           be able to understand it and be provided an adequate basis with which to understand the concepts and issues discussed in the remainder
           of the PIA.

2.1       Diagram

Instructions

          Develop a diagram of the information repository (i.e., key applications, databases, and users). The purpose of this diagram is to
           educate a reader who is unfamiliar with the initiative about how the initiative works. The diagram should therefore be at a high-level
           and not be too technically focused.

2.2       Information Repositories

Instructions

          Description of the information repositories involved, both electronic and paper-based. The information repositories should focus on
           those which contain PHI as well as any logs generated by the application.

          In many instances there will only be one information repository (i.e., one database). If so, it may be more worthwhile to structure this
           section as conceptual entities within the information repository (e.g., patient demographics, lab results, clinical notes, and so forth).

          If it will help the reader understand the system, include repositories that do not include PHI.







Repository                Description                 Custody & Control                         PHI?       Elements

<<Information             <<Brief description of      <<HIC with the legal custody & control;   <<Yes or   <<Conceptual description of
repository>>              the purpose of the          for example, a company may host a         No>>       information contained in the
                          repository>>                database for a HIC, but the HIC has                  repository>>
                                                      legal custody and control of that
                                                      database>>


2.3       Key Applications

Instructions

          Provide a description of the key applications associated with the initiative if it helps the reader understand how the system works.
          Pay particular attention to any applications that change PHI (e.g., an EMPI that merges duplicate patient records into one).

Application                     Purpose

<<Application >>                <<Purpose of application >>




2.4       System Roles

Instructions

          Identify the roles of all end-users and system administrators that have access to the information repository. Indicate why they have
           access to the application, what they have access to, and whether that includes access to PHI.






Role                              Function                                                       Access to PHI?

<<User role>>                     <<Basic description of what they do in the system>>            <<Yes or No>>

e.g., Nurse Practitioners         Nurse Practitioners have direct access to the application,     Yes
                                  and use it to create, modify, and view patient records.

e.g., Registration Agents         Registration agents are responsible for registering users as   No
                                  well as provisioning new accounts on the system.








3 Business Process Overview
Instructions

        The business process overview is a key section in describing the initiative for the reader. The
         business processes describe how PHI moves through the initiative from the time it is collected to
         the time it is destroyed.

        The business processes form the heart of the information handling analysis.

3.1 Business Processes Associated with PHI

Instructions

        The business processes detailed here should include any that involve PHI (or PI). If
         possible, support the processes with diagrams to make it easier for the reader to understand how
         PHI moves through the system.
        Business processes of particular interest are:
             o Those involving collection, access, and disclosure of PHI
             o Establishing or managing consent directives
             o Privacy auditing and reporting mechanisms
        The detail of the processes will vary depending on the initiative, but it is important to ensure that
         you clearly identify any new collections, uses, and disclosures of the information.


3.1.1 Title of Business Process #1
Instructions

        Include a diagram if possible.
        Provide a brief, one-sentence description of the business process being described prior to
         completing the table below.

Step                                   Actor                 PHI Involved                  Comments

<<Title of step>>                      <<Person or           <<Conceptual list of the      <<Comments on the
                                       application           PHI involved in the step.     step if required>>
                                       conducting the        Indicate how the PHI is
                                       action>>              being used>>

Example:                               Radiologist           Searches with:                Application will only
Radiologist searches for the                                 - Last Name                   return a patient if it
patient                                                      - OHIP Number                 matches on both Last
                                                                                           Name and OHIP #

Application displays list of           Application           Displays:                     The application
patients                                                     - First Name                  displays details about
                                                             - Last Name                   the patient so that the
                                                             - Date of Birth               Radiologist can confirm
                                                             - Major Diagnoses             the identity of the
                                                             - OHIP Number                 patient prior to viewing
                                                                                           the patient's images.




3.2 Supporting Business Processes

3.2.1 Title of Supporting Business Process #1
Instructions

        Supporting business processes are those which do not involve PHI but that do affect the
         confidentiality of the information or that help the reader to understand the full picture of the
         system.
        Business processes of particular interest are:
             o Creation of accounts
             o Process for resetting passwords
             o System support

3.3 Privacy Issues Associated with Business Processes

Instructions

        Review the business processes that you have just detailed above to identify whether there are
         any privacy issues associated with them. Some of the questions that you should ask are:
            o Is more PHI being collected, accessed, or disclosed than necessary?
            o Are there users who do not appear to require access to the PHI?
            o Is PHI being used for the purpose for which consent was provided?
            o How are consent and consent directives being handled? Is it appropriate?
            o Are the business processes clearly defined and documented?
            o Is collection, use, and disclosure limited to that which is necessary and appropriate?
        Use the table below to detail all of the issues that you identify with the initiative and the
         recommendations you make.

Issue                                                   Recommendation

<<Issue in 6 words or less>>                            1. <<Recommendation to respond to issue>>
<<Description of issue>>

Example:                                                2. The application should limit the PHI that is
Search displays more PHI than required                     displayed to confirm patient identity. The
After the radiologist searches for a patient, the          information should be limited to:
application displays detailed information about the        - Patient First Name
patient to help the radiologist confirm the identity       - Patient Last Name
of the patient. This information includes previous         - OHIP or MRN Number
Major Diagnoses for the patient. It is unclear that        - Date of Birth
Major Diagnoses assists in verifying the patient
identity.




4 Privacy Analysis
4.1 Authority for Collection, Use, and Disclosure

Instructions

        Discuss the authority for collection, use, and disclosure of PHI at a high level.
        In most instances, but not all, the authority for collection and use of PHI will be implied or
         express consent. The patient will have provided consent for the HIC to collect and use PHI for
         the purpose of providing treatment and care. You will, however, need to pay particular attention
         to use for secondary purposes. Using the information for other purposes generally requires the
         consent of the patient (there are some exceptions outlined in PHIPA).

        With shared information repositories, the authority for disclosure will be of key interest in this
         discussion. You need to ensure that the initiative has established its authority under PHIPA for
         disclosing the information to other HICs.

4.2 Governance and Accountability

Instructions






        The governance and accountability section examines the governance model for the initiative
         and how accountability is distributed among the HICs and vendors. The key issue within the
         governance and accountability section is ensuring that


4.2.1 Governance Structure
Instructions

        Discuss the governance structure of your initiative and support it with a diagram if useful.

        Use the checklist in each of the following sections to help you understand what the key issues for
         analysis are.

Question                                              Status                                           Documented?
                                                      (Operational / Developed / Planned / No Plans)   (Y/N)


1. Has a Privacy Sub-Committee been
   established?

2. Does the Sub-Committee report directly to the
   decision-making authority for the initiative?

3. Has a Terms of Reference been adopted for
   the Privacy Sub-Committee?

4. Do the Terms of Reference provide authority
   to the Privacy Sub-Committee to establish
   privacy policy for the initiative?

5. Do the Terms of Reference provide authority
   to the Privacy Sub-Committee to compel
   participating organizations to follow the
   policies and procedures of the initiative?

6. Is the Sub-Committee comprised of privacy,
   business, and technical expertise?

7. Has the initiative identified Privacy Leads at
   each of the participating organizations?




8. Do the Privacy Leads report to the Privacy
   Sub-Committee?

9. Are the Privacy Leads knowledgeable about
   privacy?

10. Is contact information for the Privacy Leads
    publicly available?




4.2.2 Agreements
Instructions

         Analyse the agreements that are in place for the initiative. The key agreements for a
          PHI-sharing initiative will be:
                o   Data Sharing Agreement – Agreement among HICs who are disclosing PHI to one
                    another
                o   Service Level Agreement – An agreement between the HICs and the HINP which
                    outlines the HINP's responsibilities for PHI protection as well as limits on its use and
                    disclosure of PHI
                o   Confidentiality Agreements – Agreements signed by end-users and system
                    administrators with access to PHI which outline their responsibilities with respect to
                    PHI confidentiality and, more generally, acceptable uses of the system

         The agreements should provide a comprehensive framework for protecting PHI and patient
          privacy. They should outline the roles and responsibilities of all the parties with respect to
          protecting PHI and patient privacy.

         The toolkit has some template agreements that may help you in identifying the key contents that
          should be found in these.








Question                                             Status                                           Documented?
                                                     (Operational / Developed / Planned / No Plans)   (Y/N)


11. Have Data Sharing Agreements (DSAs) been
    signed among the HICs?

12. Do the DSAs indicate the purpose of
    collection, use, and disclosure?

13. Do the DSAs outline the roles and
    responsibilities of each HIC with respect to
    privacy and PHI protection?

14. Do the DSAs compel the HICs to meet a
    minimum benchmark with respect to privacy
    and PHI protection?

15. Do the DSAs establish common policies and
    procedures with respect to privacy operations
    (e.g., consent management, incident
    handling)?

16. Do the DSAs establish common policies and
    procedures with respect to PHI handling (e.g.,
    acceptable use and disclosure, safeguards)?

17. Have SLAs been signed with vendors?

18. Do the SLAs compel the vendors to follow
    PHIPA?

19. Do the SLAs contain a description of the
    services that the vendor will provide?

20. Do the SLAs contain a description of how the
    vendor will protect PHI?

21. Do the SLAs compel the vendor to notify the
    HIC in the event of an incident or breach?





22. Are the vendor requirements aligned with O.
    Reg 329/04 if the vendor is considered a
    HINP?

23. Have all staff and contractors with access to
    PHI signed Confidentiality Agreements?

24. Do the Confidentiality Agreements sanction
    staff and contractors for disclosing PHI?

25. Have all end-users and system administrators
    signed Acceptable Use Agreements (click-
    through agreements are adequate)?

26. Do the Agreements outline the purpose for
    collection, use, and disclosure?

27. Do the Agreements compel end-users and
    system administrators to follow the policies
    and procedures of the initiative with respect to
    PHI?

28. Do the Agreements sanction end-users and
    system administrators for collection, use, and
    disclosure of PHI for anything but those
    reasons outlined by the initiative?

29. Do the Agreements define the end-users and
    system administrators’ responsibility to
    protect the PHI?




4.2.3 Policies
Instructions







         Each organization will have its own privacy and information handling policies which serve as
          organizational controls to protect PHI and privacy. However, the initiative should also
          establish privacy and information handling policies to guide how the organizations will work
          together in protecting PHI and patient privacy. These policies will establish the minimum
          requirements for each organization participating in the initiative.

         The toolkit includes some privacy-related policies that can be adopted by your initiative to help
          ensure all organizations have a consistent privacy approach with respect to the initiative.

Question                                               Status                                           Documented?
                                                       (Operational / Developed / Planned / No Plans)   (Y/N)


30. Have common policies and procedures been
    defined for the initiative?

31. Does the initiative have a Consent policy?

32. Does the initiative have an Individual Access
    and Correction policy and procedure?

33. Does the initiative have an Auditing policy and
    procedure?

34. Does the initiative have an Incident
    Management policy and procedure?

35. Does the initiative have a Complaints and
    Inquiries policy and procedure?

36. Does the initiative have a Security policy and
    procedure?

37. Does the initiative have a Training policy and
    procedure?

38. Do the policies and procedures guide how
    organizations work together to protect privacy
    and PHI when sharing PHI within the
    initiative?





39. Have all the organizations agreed to follow the
    same policies and procedures?

40. Are the policies and procedures (or
    summaries) publicly available?




4.2.4 Training
Instructions

•   Training is an important part of ensuring that end-users and system administrators are aware
    of their privacy obligations as well as how to use the privacy-related functionality of the system
    (e.g., how to establish a consent directive). Training should also be provided to the local
    registration agents (LRAs) who are responsible for verifying the identity of users as well as
    creating user accounts for them. The LRA training should generally cover the process for
    verifying identity, establishing appropriate user roles, and the process for decommissioning
    users (i.e., disabling their access rights) when they no longer require system access.

•   Discuss the privacy training that end-users, system administrators, and LRAs receive prior to
    being provided access to PHI on the system.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)

41. Are all end-users and system administrators
    trained on privacy awareness prior to being
    given access?

42. Does the training include privacy functionality
    (e.g., how to set a consent directive) and
    privacy awareness (e.g., what is a breach)?




43. Does the training cover privacy operations
    (e.g., what to do in the event of a breach)?

44. Is training provided to Local
    Registration Agents (i.e., those
    responsible for verifying user identities
    and establishing their access rights)?

45. Is the training refreshed from time to time?

46. Is training customized according to the user's
    general role (e.g., end-user versus system
    administrator)?




4.3 Consent

4.3.1 Consent Model
Instructions

•   Describe the consent model for the initiative. With shared information services, the key issue
    will be ensuring that patients are knowledgeable about any disclosures associated with their
    PHI. Your organization will already have public notices related to how PHI is collected and
    used within your organization, but this would need to be augmented so that patients are fully
    informed about how their information is disclosed to other HICs or non-HICs.
•   Discussion of the consent model should include:
        o   Whether implied or express consent will be sought
        o   The communications strategy used to inform patients of the purpose of collection and
            their privacy rights, including the right to withdraw or withhold consent and make a
            complaint
        o   Critical analysis of the process used to obtain consent
        o   Whether and how consent will be documented




Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)

47. Is a consent model in place?

48. Does the consent model establish the type of
    consent required for the initiative?

49. Will consent be obtained prior to collection of
    information?

50. Does the consent model establish what
    documentation will be collected on consent?

51. Does the consent model establish what
    documentation would be required from an
    SDM?

52. Have procedures been defined for collection of
    consent?

53. Have the roles and responsibilities of the
    various parties been defined with respect to
    consent management (e.g., who will physically
    record consent)?

54. Does the consent process include verification
    of the individual’s identity?

55. Does the information repository support
    documenting consent?

56. Has a public notice been created?

57. Have communications materials been
    established to support the consent process?





58. Will the communication materials be
    presented to the client prior to collection of his
    or her PHI?

59. Do the communications materials discuss the
    purpose for collection, use, and disclosure?

60. Do the communications materials discuss the
    scope of information being collected?

61. Do the communications materials include
    contact information for the Privacy Lead and
    the IPC/Ontario?

62. Do the communications materials indicate the
    patient’s right to make a complaint and
    provide a telephone number for enquiries?




4.3.2 Consent Directives Model
Instructions

•   Also describe the consent directives model that your initiative supports. Again, this is
    particularly important in a shared information repository where the PHI may be available to a
    number of providers.

•   Discussion of the consent directives should include:
        o   The types of consent directives that the system will support
        o   The process for establishing a consent directive
        o   Whether and how end-users will be able to override consent directives





Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


63. Has the initiative defined what consent
    directives the patient can establish (e.g.,
    record level, domain level, client level, etc.)?

64. Will the consent directives be technically
    enabled (e.g., masking)?

65. Are the processes for establishing consent
    directives defined?

66. Are changes to consent directives logged?

67. Is there documentation to support
    establishing a consent directive?

68. Is the person required to verify his or her
    identity when creating a consent directive?

69. Does the consent policy include discussion of
    consent directives overrides?

70. Does the policy include guidance on what
    information is required to be documented
    when a consent directive is overridden?

71. Does the system indicate when a
    consent directive is in place (i.e., that
    PHI has been masked)?

72. Does the system support documenting the
    reason for a consent directive override?

73. Does the system challenge the user to provide
    a reason for the consent directives override?





74. Are the length and scope of a consent
    directive override defined (e.g., how long it is
    overridden and whether it applies to all of the
    patient's information)?

75. Are consent directives overrides limited to
    particular roles (e.g., emergency room
    providers)?

76. Are consent directives overrides logged?

77. Do consent directives overrides generate alerts
    or reports?
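As an added illustration (not part of the template or the toolkit it refers to) of the controls that questions 63 to 77 ask about, the following Python sketch models directives at client, domain and record level, masking on view, role-restricted and time-boxed overrides that require a recorded reason, an audit log of directive changes and overrides, and an alert on each override. The permitted roles, the override window and the sample patient data are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions, not from the template): which roles
# may override a directive (Q75) and how long an override stays in force (Q74).
OVERRIDE_ROLES = {"emergency_physician"}
OVERRIDE_WINDOW = timedelta(hours=24)

# A stored record and a granted override, both constructed for this example.
Record = namedtuple("Record", "record_id patient_id domain content")
Override = namedtuple("Override", "user patient_id reason granted_at expires_at")


@dataclass(frozen=True)
class Directive:
    """A patient's consent directive at client, domain or record level (Q63)."""
    patient_id: str
    scope: str        # "client", "domain" or "record"
    target: str = ""  # domain name or record id; empty for client level

    def masks(self, patient_id: str, domain: str, record_id: str) -> bool:
        if patient_id != self.patient_id:
            return False
        if self.scope == "client":
            return True
        if self.scope == "domain":
            return self.target == domain
        return self.target == record_id


@dataclass
class ConsentService:
    directives: list = field(default_factory=list)
    overrides: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # Q66, Q76
    alerts: list = field(default_factory=list)     # Q77

    def set_directive(self, d: Directive, actor: str, identity_verified: bool,
                      now: datetime) -> None:
        if not identity_verified:  # Q68
            raise PermissionError("identity must be verified before a directive is set")
        self.directives.append(d)
        self.audit_log.append({"event": "directive_set", "actor": actor,
                               "patient": d.patient_id, "scope": d.scope, "at": now})

    def request_override(self, user: str, role: str, patient_id: str,
                         reason: str, now: datetime) -> Override:
        if role not in OVERRIDE_ROLES:  # Q75
            raise PermissionError(f"role {role!r} may not override consent directives")
        if not reason.strip():  # Q72, Q73: the user is challenged for a reason
            raise ValueError("an override reason is required")
        ov = Override(user, patient_id, reason, now, now + OVERRIDE_WINDOW)
        self.overrides.append(ov)
        self.audit_log.append({"event": "override", "actor": user, "role": role,
                               "patient": patient_id, "reason": reason,
                               "at": now, "expires": ov.expires_at})
        self.alerts.append(f"consent override by {user} on patient {patient_id}: {reason}")
        return ov

    def _override_active(self, user: str, patient_id: str, now: datetime) -> bool:
        return any(o.user == user and o.patient_id == patient_id
                   and o.granted_at <= now < o.expires_at for o in self.overrides)

    def view(self, user: str, rec: Record, now: datetime) -> dict:
        masked = any(d.masks(rec.patient_id, rec.domain, rec.record_id)
                     for d in self.directives)
        if masked and not self._override_active(user, rec.patient_id, now):
            # Q71: the viewer is told a directive applies but sees no PHI.
            self.audit_log.append({"event": "view_masked", "actor": user,
                                   "record": rec.record_id, "at": now})
            return {"record_id": rec.record_id, "masked": True, "content": None}
        self.audit_log.append({"event": "view", "actor": user, "record": rec.record_id,
                               "overridden": masked, "at": now})
        return {"record_id": rec.record_id, "masked": False, "content": rec.content}


def demo() -> dict:
    """Walk one constructed scenario and return the outcomes a reviewer would check."""
    svc = ConsentService()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    svc.set_directive(Directive("p1", "domain", "mental_health"), "clerk_b", True, t0)
    note = Record("r1", "p1", "mental_health", "constructed clinical note")
    out = {"note_before": svc.view("dr_a", note, t0)}  # masked: no override yet
    try:
        svc.request_override("clerk_b", "clerk", "p1", "curious", t0)  # wrong role
    except PermissionError:
        out["clerk_blocked"] = True
    svc.request_override("dr_a", "emergency_physician", "p1", "unconscious in ER", t0)
    out["note_during"] = svc.view("dr_a", note, t0 + timedelta(hours=1))
    out["note_after"] = svc.view("dr_a", note, t0 + OVERRIDE_WINDOW)  # override expired
    out["override_events"] = [e for e in svc.audit_log if e["event"] == "override"]
    out["alerts"] = svc.alerts
    return out
```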




4.4 Privacy Operations

4.4.1 Access and Correction
Instructions

•   The Access and Correction section examines how the HICs are working together to ensure that
    an individual's right of access to their PHI, and to have their PHI corrected if it is inaccurate,
    is respected. The initiative will need to have policies and procedures to guide who responds to
    an access and correction request if it relates to PHI collected by multiple HICs.

•   The section should also address how the shared information service supports providing an
    individual with access to their own record (i.e., collating all of the PHI held on them), as well
    as how amendments to the PHI are supported if it is inaccurate.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)





78. Has an individual access and correction policy
    been established?

79. Is information about how clients can access
    and correct their PHI public?

80. Have the organizations determined how they
    will work together to provide individual access
    to shared repositories?

81. Do the processes ensure that the HIC
    originally collecting the PHI determines
    whether access is appropriate?

82. Do the access processes also enable an
    individual to view his or her record?

83. Have the organizations determined how they
    would work together to correct PHI in shared
    repositories?

84. Do the processes ensure that the HIC
    originally collecting the PHI determines
    whether correction is appropriate?

85. Does the system support appending the
    correction to the original record (not
    overwriting it)?

86. Does the system support appending a letter of
    disagreement if the client feels information is
    incorrect that the HIC does not feel is
    appropriate to change?

87. Has documentation for the client to complete
    been established to make an access request?




88. Has documentation for the client to complete
    been established to make a change request?




4.4.2 Complaints Management
Instructions

•   The Complaints section examines how the HICs are working together to respond to a complaint
    if that complaint impacts multiple HICs. Discuss in this section whether there is an established
    policy and procedure in place and whether it will be effective in addressing clients' complaints.



Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


89. Have Privacy Leads been identified at each of
    the participating organizations?

90. Has a complaints and inquiries policy been
    established?

91. Is there public information about how an
    individual can complain?

92. Have the organizations determined how they
    will work together to address complaints that
    will affect multiple HICs?

93. Do the processes establish criteria to define a
    lead organization to respond to the complaint?




94. Has documentation related to making a
    complaint been developed and made available
    to the public?




4.4.3 Incident Handling
Instructions

•   Incident handling should discuss the controls in place to help avoid a privacy incident or breach
    as well as how the HICs will collaborate on addressing any incidents that occur. This section
    will need to be considered closely with auditing and reporting, which provide mechanisms to
    help identify incidents and breaches.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


95. Has an incident handling policy and
    procedure been developed?

96. Have the organizations defined a process by
    which they will work together should an
    incident arise that affects multiple
    organizations?

97. Does standard documentation exist for
    incident reports?

98. Have staff and contractors been trained on
    what to do in the event of an incident?





99. Are privacy operations reviewed regularly to
    identify issues that may lead to a breach (e.g.,
    reviewing to ensure that consent and consent
    directives are being managed appropriately)?

100. Is PHI-handling reviewed regularly to
   identify issues that may lead to a breach (e.g.,
   reviewing how end-users are using the system
   to identify areas in which they are not
   compliant with the policies)?




4.4.4 Auditing and Reporting
Instructions

•   Due diligence is an important aspect of shared information services because the HICs must trust
    that the other HICs meet the minimum privacy benchmarks that the initiative establishes. This is
    established through both organizational audits and technical audit logging. Organizational
    audits involve reviewing whether organizations are compliant with the policies and procedures.
    Technical audit logging supports producing reports on user behavior (e.g., access to PHI,
    consent overrides) to ensure that users are compliant with policies and procedures.



Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


101. Is there a policy guiding auditing?





102. Does the auditing policy establish
   mechanisms by which the initiative is
   regularly reviewed from a privacy perspective?

103. Are all organizations required to review
   their privacy operations and PHI handling on
   a regular basis?

104. Are all organizations required to report
   back to the Privacy Sub-Committee on the
   results of the audit?

105. Are regular audits of any sub-vendors
   conducted (e.g., yearly)?

106. Do all organizations have to perform a
   readiness assessment before participating in
   the initiative?

107. Does the audit policy establish processes
    for monitoring end-user and system
    administrator compliance?

108. Does the system log all information
   required to generate an audit report?

109. Are audit reports easily available to the
   Privacy Leads?

110. Have the Privacy Leads been trained in
    how to understand the audit reports?

111. Does the audit policy require Privacy Leads to
    regularly review technical audit reports to
    identify user behavior that is inconsistent with
    the initiative's policies and procedures?




4.4.5 Collection, Use, and Disclosure
Instructions

•   This section provides an area for you to discuss the policies and procedures related to how PHI
    is handled in the initiative. For a shared information service, a key point of discussion will be
    how organizations and end-users are restricted from using and disclosing the PHI for any
    purposes other than those for which the initiative has been developed. The discussion will also
    address who has been provided access to the system and whether that access is appropriate.



Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


112. Has a policy addressing collection, use,
    and disclosure been developed?

113. Does the policy provide guidance about
    appropriate protocols when collecting PHI?

114. Has the scope of PHI to be collected been
    defined?

115. Have communications materials been
    developed to be provided to clients when
    collecting information?

116. Does the policy outline how PHI is to be
    used within the initiative?

117. Does the policy restrict secondary uses of
    PHI?

118. Have end-users and organizations been
    informed about acceptable uses of the PHI?





119. Does the policy outline who should have
    access to the system?

120. Are organizations trained on the
    importance of limiting access?

121. Are the participating organizations
    required to submit a list of end-users and their
    access rights?

122. Does the policy outline appropriate
    disclosures of the PHI?

123. Does the system limit the amount of
    information that is disclosed?




4.4.6 Retention and Destruction
Instructions

•   A key privacy principle is that information should not be retained any longer than is necessary
    to fulfill the purposes for which it was collected. When it is no longer required, it should be
    destroyed or anonymized so that it can no longer be associated with an identifiable individual.
    This section provides you with an opportunity to discuss what happens to the PHI when it
    reaches the end of its usefulness. It is important to note that there is legislation that regulates
    healthcare professionals in maintaining health records. This legislation should be considered
    when developing the appropriate retention cycle.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)





124. Has a policy for retention and destruction
    been developed?

125. Has a retention schedule been developed for
    PHI in the system? This should include both
    long-term repositories (e.g., a database) as
    well as temporary repositories (e.g., queues
    and caches, temporary files, paper copies of
    data).

126. Is the PHI securely retained and destroyed
    in the system?




5 Technical Safeguards
Instructions

•   Technical safeguards contribute to an organization's privacy program by preventing or
    reducing the risk of both intentional and unintentional disclosure, destruction or alteration of
    personal health information. This section provides checklists to help organizations review their
    technical solution, so that the PHI contained within it is protected to the fullest extent possible.
•   The checklist items in this section do not constitute a comprehensive listing of technical
    safeguards and controls, but rather key items for consideration. Organizations are advised to
    review the ISO/IEC 27002 information security standard and the various Canada Health
    Infoway (CHI) privacy and security standards and guidelines for discussions of detailed
    technical safeguards.
•   Organizations are additionally advised to conduct threat and risk assessments and physical
    vulnerability assessments (or penetration tests) as part of the standard due diligence conducted
    on the system being assessed.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


    1. Have the controls and safeguards
       protecting PHI been thoroughly
       documented in the solution
       architecture or in a privacy and
       security architecture document?

    2. Has the organization conducted
       threat and risk assessments and
       physical vulnerability assessments
       as part of its readiness activities for
       system go-live?




5.1 User Registration and Account Provisioning

Instructions

•   The organization should create business rules and processes for the creation of new user
    accounts for both end-users and system administrators. Rules should define the characteristics
    and attributes of any authorized system user (e.g., organizational affiliation, professional
    qualifications, etc.) and appropriate access roles. Processes should include identity verification
    processes for new users; rules for assigning usernames and passwords and providing them to
    new users, etc.
•   Ensure that, as far as possible, administrative users, whether staff or vendors, have unique user
    accounts, i.e., that administrators do not share accounts, which dilutes the usefulness of audit
    logs in tracking administrative access to the system.

•   Create business rules and associated technical supports for maintenance of user accounts: users
    who leave an organization should have their accounts promptly deactivated; user accounts
    should never be deleted, only deactivated; activity on all user accounts should be auditable; and
    audit logs should be available for any user who has ever had an account on the system,
    including users whose accounts have been deactivated.

Question                                    Status (Operational / Developed / Planned / No Plans)    Documented? (Y/N)


1. Has the organization defined user roles within
   the system, and documented the access to PHI
   that each role has?

2. Does the initiative have processes in place for
   verifying the stated identity of users
   requesting access to the system?

3. Is the new user’s contact information collected
   as part of the registration process?

4. Are unique, randomized temporary passwords
   issued to new users?

5. Are account credentials (user ID, password,
   tokens) for new users sent through some
   secure means?

6. Are user accounts reviewed periodically to
   verify that the accounts are being used, and
   that the user still requires access to the
   system?

7. Can system administrators temporarily
   disable/suspend user accounts?

8. Do all users, including vendors and service
   providers, have unique accounts, i.e., one
   account per administrative user?




5.2 Authentication

Instructions


         • Ensure that, if users access systems containing PHI via the Internet, there is an additional
           factor for authenticating these users beyond a simple username/password combination, such as
           hardware tokens or risk-based enhanced authentication.
         • Users with administrative privileges should also require some form of enhanced authentication
           beyond a simple username/password combination.
         • Establish password management policies for users and administrators to follow; policies should
           address such issues as password strength and password expiry rules.
         • Ensure that, where there are system-to-system communications involving PHI (e.g. two systems
           exchanging HL7 data), the systems authenticate to each other (e.g. via mutual SSL
           authentication).

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)


1. Does the system uniquely authenticate all
   users, including administrative users?

2. Are new users forced to change their
   temporary passwords on their first login?

3. Is there some additional factor beyond the
   username/password combination for
   authenticating a user, e.g. a token, enhanced
   authentication, biometrics, etc.?

4. Are passwords stored in the system in a way
   that they cannot be seen by others, e.g.,
   encrypted/hashed?

5. Has the business process for resetting a user’s
   forgotten password been established?

6. Do help desk personnel have a process for
   confirming the identity of a user who requests
   a reset of his or her forgotten password?

7. Do administrators reset a user’s password to a
   temporary value that must be changed upon
   login?


5.3 Access Control

Instructions

    • Organizations should employ a role-based model for access control: that is, a model where each
      user of the system is assigned one or more of just a few roles within the system, to which are
      attached unique sets of permissions – in particular, permissions to access PHI.
    • Role-based access models can be extended by employing relationship-based access; in this model, a
      user only receives permissions within a system if he or she has a legitimate relationship with the
      system users (or individuals whose PHI is stored within the system) with whom he or she could
      potentially interact within the system; among such relationships, organizations should ensure
      that the system supports access based on circle-of-care relationships.
    • Access control for all users should be guided by the principle of least privilege, which states that
      any user of a system should be given access to only those resources required for his or her work;
      implementing this principle within an organization requires careful planning, and should be based
      on a clear definition of roles and associated privileges.
    • The access model for the system should include a clear process for converting access policies and
      business decisions into automated access control rules within the system. The system may also
      provide a means for one user to delegate system access to another. If this is the case, appropriate
      safeguards should be put in place to ensure that the ability to delegate is not misused.
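The access model described above, as an added example that is not part of the PIA template: roles carry only the permissions their work needs, PHI permissions additionally require a circle-of-care relationship with the patient, and delegation is time-limited and written to the audit log. Role names, permission strings, user ids and the sample clock are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Each role holds only the permissions its work requires (least privilege).
# Role and permission names are constructed for this example.
ROLE_PERMISSIONS = {
    "clinician": {"phi:view", "phi:update"},
    "clerk": {"demographics:view"},
    "sysadmin": {"system:configure"},   # administrative role with no PHI permission
}

# Constructed sample clock so the expiry behaviour is deterministic.
SAMPLE_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=3)


@dataclass
class Delegation:
    grantor: str
    grantee: str
    permission: str
    expires_at: datetime


@dataclass
class AccessPolicy:
    user_roles: dict[str, set[str]]
    # relationship-based extension: patient id -> users in that patient's circle of care
    circle_of_care: dict[str, set[str]]
    delegations: list[Delegation] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def _role_permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def _delegated_permissions(self, user: str, now: datetime) -> set[str]:
        # an expired delegation grants nothing (delegations are time-limited)
        return {d.permission for d in self.delegations
                if d.grantee == user and d.expires_at > now}

    def delegate(self, grantor: str, grantee: str, permission: str,
                 hours: float, now: datetime) -> bool:
        """A user may delegate only a permission their own role holds;
        every attempt, allowed or not, is captured in the audit log."""
        allowed = permission in self._role_permissions(grantor)
        self.audit_log.append({"event": "delegate", "grantor": grantor, "grantee": grantee,
                               "permission": permission, "allowed": allowed,
                               "at": now.isoformat()})
        if allowed:
            self.delegations.append(
                Delegation(grantor, grantee, permission, now + timedelta(hours=hours)))
        return allowed

    def can_access(self, user: str, permission: str, patient_id: str, now: datetime) -> bool:
        """RBAC decides what a role may do; the relationship check decides whose
        PHI: any phi:* permission also needs a circle-of-care relationship,
        whether the permission came from a role or from a delegation."""
        effective = self._role_permissions(user) | self._delegated_permissions(user, now)
        decision = permission in effective
        if decision and permission.startswith("phi:"):
            decision = user in self.circle_of_care.get(patient_id, set())
        self.audit_log.append({"event": "access", "user": user, "permission": permission,
                               "patient": patient_id, "allowed": decision,
                               "at": now.isoformat()})
        return decision
```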

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)


1. Has the initiative defined user roles within the
   system, and documented the type of access to
   PHI that each role has (including
   administrative roles)?

2. Is access to system resources for users and
   administrators based on the principle of least
   privilege?

3. Is access to the system implemented through
   an access model, preferably role-based access
   control (RBAC)?


4. Is there a clear understanding of the types of
   administrative roles with access to PHI (e.g.
   system-level administrators)?

5. Is there a clear understanding of all the means
   through which a user (including
   administrative users) could access the system
   (including remote access), and are appropriate
   security measures in place for each one of
   these means?

6. All delegations in the system should be
   captured in audit logging.

7. If feasible, delegations should be time-limited.




5.4 Encryption

Instructions

    • Personal health information should be encrypted when it is being sent over an untrusted network
      such as the Internet; while in transit over wireless networks; and while it is being stored on any
      portable/removable media (such as smart phones, CD/DVD, USB drives, laptops, etc.).
    • User credential data, and any other data used for sign-on and authentication purposes (e.g.
      responses to secret questions), should be encrypted wherever it is stored and wherever it is being
      transmitted. Where the data is stored, this is typically accomplished via use of a one-way hashing
      algorithm, so that the original value cannot be recovered from what is kept in the system.
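A minimal credential store, added here as an example and not part of the PIA template, covering the controls asked about in sections 5.1, 5.2 and 5.4 together: random temporary passwords, one-way salted hashing of stored credentials, a forced change on first login, help-desk resets and deactivation without deletion. The class and function names, the iteration count and the minimum password length are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Iteration count for PBKDF2-HMAC-SHA256; an assumed policy value, kept modest
# so the demonstration runs quickly.
PBKDF2_ITERATIONS = 200_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = True   # set whenever a temporary password is issued
    active: bool = True                 # accounts are deactivated, never deleted (5.1)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash: the password cannot be recovered from the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def new_temporary_password() -> str:
    """Unique, randomized temporary password (5.1 Q4); 16 bytes of entropy."""
    return secrets.token_urlsafe(16)


class CredentialStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def _set_password(self, acct: Account, password: str, temporary: bool) -> None:
        acct.salt = secrets.token_bytes(16)          # fresh salt on every change
        acct.pw_hash = hash_password(password, acct.salt)
        acct.must_change_password = temporary

    def provision(self, user_id: str) -> str:
        """Create an account and return its temporary password exactly once, for
        delivery over a secure channel (5.1 Q5); only the hash is retained."""
        if user_id in self._accounts:
            raise ValueError("account already exists")
        acct = Account(user_id, b"", b"")
        self._accounts[user_id] = acct
        temp = new_temporary_password()
        self._set_password(acct, temp, temporary=True)
        return temp

    def verify(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None or not acct.active:
            return False
        # constant-time comparison so timing does not reveal how much of the digest matched
        return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, user_id: str, password: str) -> str:
        """'denied', 'change_required' (temporary password still in use, 5.2 Q2) or 'ok'."""
        if not self.verify(user_id, password):
            return "denied"
        return "change_required" if self._accounts[user_id].must_change_password else "ok"

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        # a minimum length stands in for the organization's password-strength policy (assumed: 12)
        if len(new) < 12 or not self.verify(user_id, old):
            return False
        self._set_password(self._accounts[user_id], new, temporary=False)
        return True

    def admin_reset(self, user_id: str) -> str:
        """Help-desk reset (5.2 Q7): a random temporary value that must be changed at login."""
        temp = new_temporary_password()
        self._set_password(self._accounts[user_id], temp, temporary=True)
        return temp

    def deactivate(self, user_id: str) -> None:
        self._accounts[user_id].active = False

    def stored_record(self, user_id: str) -> Account:
        return self._accounts[user_id]
```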

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)

1. Is PHI encrypted when sent over untrusted
   networks such as the Internet?

2. Is PHI encrypted when it is sent over wireless
   networks?

3. Is PHI encrypted whenever it is stored on
   portable/removable media?

4. Are user credentials, and any other data
   required for sign-on and authentication,
   encrypted at all times (i.e., while stored and
   while being sent over any network)?




5.5 Session Management

Instructions

    • Whatever client a user employs to access the system will need to “remember” the user’s credentials
      as it interacts with the system – that is, as data is sent back and forth between the user’s client and
      the system – by caching user credentials and other information. However, the client should also be
      configured to purge any of this cached information once the user logs out, or if the user’s session
      times out after a predetermined period of inactivity.
    • User sessions should expire after a certain period of user inactivity to ensure that logged-in clients
      are not inadvertently left open and exposed to the view of others.
    • Clients should not cache any PHI or user credentials for longer than the session is active; at the end
      of a session, all cached PHI should be purged from the client.
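The session rules above as a small server-side session table, added as an example that is not part of the PIA template: expiry after a configurable idle period, one active session per set of credentials, and purging of any PHI cached for the session on logout or timeout. Names are hypothetical, and the clock is passed in as plain seconds so the behaviour is deterministic.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user_id: str
    last_activity: float                 # seconds, from the caller's clock
    phi_cache: dict = field(default_factory=dict)   # PHI held only while the session lives


class SessionManager:
    def __init__(self, idle_timeout_seconds: float) -> None:
        self.idle_timeout = idle_timeout_seconds
        self._sessions: dict[str, Session] = {}     # session token -> session

    def login(self, user_id: str, now: float) -> str:
        """Start a session; any existing session for the same credentials is
        purged first, so there is at most one active session per user."""
        for token, s in list(self._sessions.items()):
            if s.user_id == user_id:
                self._purge(token)
        token = secrets.token_urlsafe(32)           # unguessable session identifier
        self._sessions[token] = Session(user_id, now)
        return token

    def touch(self, token: str, now: float) -> Optional[Session]:
        """Return the live session for `token`, or None if it is unknown or has
        been idle longer than the timeout. A timed-out session is purged as
        soon as it is noticed."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > self.idle_timeout:
            self._purge(token)
            return None
        s.last_activity = now
        return s

    def logout(self, token: str) -> None:
        self._purge(token)

    def sweep(self, now: float) -> int:
        """Purge every idle session (for a background task); returns the count removed."""
        stale = [t for t, s in self._sessions.items() if now - s.last_activity > self.idle_timeout]
        for t in stale:
            self._purge(t)
        return len(stale)

    def _purge(self, token: str) -> None:
        s = self._sessions.pop(token, None)
        if s is not None:
            s.phi_cache.clear()                     # cached PHI does not outlive the session

    def active_sessions(self, user_id: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user_id == user_id)
```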

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)

1. Do client sessions time out after a configurable
   period of user inactivity?

2. Is all PHI deleted from the client cache on
   user logout or session timeout?

3. Does the system allow only one active session
   per user (i.e. per set of user credentials)?




5.6 Auditing and Reporting

Instructions

   • Audit logs of system activity and reports based on these logs are critical tools for reducing the risks
     of the unauthorized disclosure or alteration of PHI. System logs record activity within the system
     and should include, when the system is storing PHI, a record of any access, including views,
     transfers, changes, deletions and additions of any personal health information in the system.
     Organizations may wish to create alerts for certain types of events, such as access to the PHI of a
     patient with a VIP/confidential flag.
   • Audit logging should also record relevant security-related events, such as user login attempts (both
     successful and unsuccessful).
   • There must be a mechanism for communicating this audit log information, through clearly
     understandable reporting, to any individual who can legitimately request it.
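An append-only, hash-chained audit log for the events listed above, added as an example that is not part of the PIA template: it records PHI views/changes and login attempts, raises an alert on access to a VIP-flagged patient, produces a readable per-user report, and detects deletion or alteration of earlier entries (the tamper protection asked about in item 3 of the checklist). Event names, the VIP flag set and the sample events are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

PHI_EVENTS = {"view", "transfer", "change", "add", "delete"}   # the activity types the PIA lists
VIP_PATIENTS = {"P900"}       # patients carrying a VIP/confidential flag (constructed)


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    event: str
    user: str
    patient: Optional[str]
    outcome: str
    prev_hash: str        # hash of the preceding entry; chains the log together
    entry_hash: str


def _digest(seq, event, user, patient, outcome, prev_hash) -> str:
    payload = json.dumps([seq, event, user, patient, outcome, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []
        self.alerts: list[str] = []

    def record(self, event: str, user: str, patient: Optional[str] = None,
               outcome: str = "success") -> AuditEntry:
        if event not in PHI_EVENTS and event != "login":
            raise ValueError(f"unknown event type {event!r}")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, event, user, patient, outcome, prev,
                           _digest(seq, event, user, patient, outcome, prev))
        self.entries.append(entry)
        if event in PHI_EVENTS and patient in VIP_PATIENTS:
            self.alerts.append(f"VIP access: {user} {event} {patient}")
        return entry

    def verify_chain(self) -> bool:
        """Each entry commits to the previous one's hash, so deleting, altering or
        reordering any entry breaks every later link and is detected here."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(e.seq, e.event, e.user, e.patient, e.outcome, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True

    def user_report(self, user: str) -> list[str]:
        """Plain-language lines for an authorized requester (checklist item 5)."""
        return [f"#{e.seq} {e.event} {e.patient or '-'} {e.outcome}"
                for e in self.entries if e.user == user]

    def failed_logins(self, user: str) -> int:
        return sum(1 for e in self.entries
                   if e.event == "login" and e.user == user and e.outcome != "success")
```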

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)


1. Does audit logging record all activity involving
   PHI (views, transfers, changes, additions,
   deletions)?

2. Does audit logging record security-related
   events, including all authentication attempts
   (both successful and unsuccessful)?

3. Are audit logs protected from tampering (e.g.
   deletion, alteration, overwriting etc.)?

4. Does the audit system have the ability to
   report and alert on suspicious activities
   involving access to patient data?

5. Are reports on audit logging available to
   authorized requesters of this information in a
   user-friendly format?




5.7 Testing and Use of Test Data

Instructions

     • Testing of the system should include testing of all mechanisms for ensuring the integrity and
       security of PHI, and should encompass the application features and business processes discussed in
       this section of the PIA checklist.
     • Although in many cases initial testing of a system can be conducted without the use of PHI,
       ongoing troubleshooting or system upgrades often require the use of ‘real’ production data
       containing PHI. Before this occurs, however, an application should be tested with the following
       types of test data:
           o Anonymized or de-identified data: real patient data (PHI) that has had all
             information regarding the identity of individuals (e.g. demographics) completely
             removed or otherwise deleted; it is most useful for basic system performance testing,
             testing for scalability, etc.;
           o “Dummy” or false data: data that has been entirely fabricated by the testing
             team. It is difficult to generate large volumes of fabricated data that is usable for testing
             purposes;
           o Pseudonymized data: real patient data that has been altered in some way so
             that the individuals associated with the data are not identifiable. It is therefore possible
             to associate data elements with a unique individual but not possible to ascertain their
             identity.
     • If actual patient data must be used for testing purposes, organizations must ensure that
       appropriate safeguards are in place to protect this data, including protection of the testing
       environment (e.g., complete segregation of the test environment from the production environment at
       the functionality and database level), restricted access, and complete purging of PHI from test
       environments when testing is completed.
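Producing the de-identified and pseudonymized test data described above from a production-like record, as an added example that is not part of the PIA template. Pseudonymization here uses a keyed one-way token (HMAC-SHA256) in place of the health number, so records for one person still link together while the person cannot be named without the key; that is one way of "altering the data", not a method the template prescribes. Field names, the sample key and the sample records are constructed.

```python
import hashlib
import hmac
from datetime import date

# Direct identifiers (demographics) and quasi-identifiers; a constructed field list.
DIRECT_IDENTIFIERS = ("health_number", "first_name", "last_name", "phone")
QUASI_IDENTIFIERS = ("date_of_birth", "postal_code")

# Constructed key for the demonstration. In practice the key is held by the
# privacy office, never by the test environment, so tokens cannot be reversed there.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"

# Constructed production-like records: two visits for one person, one for another.
SAMPLE_RECORDS = [
    {"health_number": "1234567890", "first_name": "Ana", "last_name": "Ruiz",
     "phone": "555-0100", "date_of_birth": date(1980, 5, 17), "postal_code": "M5V 2T6",
     "diagnosis": "J45", "visit": "2024-01-09"},
    {"health_number": "1234567890", "first_name": "Ana", "last_name": "Ruiz",
     "phone": "555-0100", "date_of_birth": date(1980, 5, 17), "postal_code": "M5V 2T6",
     "diagnosis": "J45", "visit": "2024-03-02"},
    {"health_number": "9876543210", "first_name": "Ben", "last_name": "Okafor",
     "phone": "555-0199", "date_of_birth": date(1975, 11, 3), "postal_code": "K1A 0B1",
     "diagnosis": "E11", "visit": "2024-02-20"},
]


def de_identify(record: dict) -> dict:
    """Anonymized data: every identity-related field is removed outright. Records
    can no longer be linked per person; what remains suits performance testing."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS + QUASI_IDENTIFIERS}


def pseudonym(health_number: str, key: bytes) -> str:
    """Keyed one-way token: the same person always yields the same token under
    the same key, and the token cannot be reversed or recomputed without the key."""
    return hmac.new(key, health_number.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Pseudonymized data: direct identifiers are replaced by a token and the
    quasi-identifiers are coarsened (year of birth, postal prefix) so that data
    elements stay linkable to one individual without revealing who it is."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS + QUASI_IDENTIFIERS}
    out["pseudo_id"] = pseudonym(record["health_number"], key)
    out["birth_year"] = record["date_of_birth"].year
    out["postal_prefix"] = record["postal_code"][:3]
    return out
```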

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)


1. Have de-identification algorithms been
   reviewed by an expert with appropriate
   training and credentials to ensure that
   individuals cannot be re-identified?

2. Do test environments have the safeguards and
   controls required to protect personal health
   information during testing and
   troubleshooting processes?

3. Are there processes in place for completely
   and irretrievably removing personal health
   information from test environments?

4. Is access to any test environments hosting PHI
   restricted appropriately? For example, time-
   limited access, no access from untrusted
   networks, etc.?

5. Have all individuals involved in testing with
   actual patient data been given privacy
   training, and signed appropriate
   confidentiality agreements?




5.8 General Security Safeguards

Instructions


   • All IT systems should have a set of security safeguards, in the form of technical controls and
     operational processes, that address the following domains:
   • Availability: Business owners for the application should define achievable application availability
     targets based on input from the technical team; these targets should be documented as part of all
     incident management, business continuity management and disaster recovery management
     planning.
   • Backup, Archiving and Data Retention: The organization should establish a policy governing
     all data backup activity. Documented and properly implemented backup and recovery processes
     support the integrity and availability of an application. The hosting organization should ensure
     that back-up copies of both the application software and the system data are taken on a regularly
     scheduled basis.
     Backups should be stored in a separate, secure location from the application hosting site where
     possible.
     The organization should establish a policy for archiving and retention of system data. All backups
     and archives should be physically protected or encrypted to ensure that the data within them cannot
     be extracted except by authorized individuals through authorized processes.
   • Network Security: Applications should be implemented using a zoned or tiered network topology.
     For example, Internet-facing applications should implement a ‘DMZ’ that separates the application
     data from the Internet-facing zone via use of network firewalls.
     All networks that the application uses to transfer data from one point to another must be protected,
     both physically (see below) and through network security controls. All PHI should travel on secure
     networks where possible, and should be encrypted where it cannot travel on secure networks.
   • Physical Security: The facilities in which the application’s software and data are hosted must be
     physically protected from intrusion, vandalism, theft, etc. Physical assets connected to the
     application should be protected behind secure walls, with locked access card-controlled entrances or
     reception desks with an actual person at the desk. Appropriate measures to protect systems from
     fire and flooding should be in place for hosting facilities.

Question                                           Status                                          Documented?
                                                   Operational   Developed   Planned   No Plans    (Y/N)


1. Are there physical safeguards in place in areas
   where PHI is stored, such as locked doors,
   security guards, and access card readers?

2. Are the areas where PHI is stored protected
   against natural hazards such as fire and
   flooding?

3. Are printouts containing PHI labeled
   appropriately with the information sensitivity
   and handling requirements?

4. Are visitors to hosting facilities required to
   sign in and be escorted?

5. Has a disaster recovery plan been developed
   and tested?




6 Risk Management Plan
Instructions

         • The risk management plan should be a collation of the issues and recommendations identified
           throughout the PIA. It will also include the priority of each recommendation as well as the
           person responsible for addressing it.

         • The priority of the recommendation should be rated as low, medium, or high. There are
           several ways to categorize the priorities, but a commonly used methodology is:
               o   High – Failure to address would almost definitely result in a privacy breach (e.g.,
                   failure to obtain express consent for disclosure to a non-HIC)
               o   Medium – Failure to address may lead to a breach (e.g., failure to put appropriate
                   access controls on the system)
               o   Low – Enhances privacy, but failure to address will not result in a breach (e.g., having
                   the client sign a form indicating consent)

         • Please note that the organization or initiative conducting the PIA should record the issues and
           recommendations in the Risk Response Template as well. This allows the initiative or
           organization to provide a response to each (including accepting the issue and recommendation
           but not doing anything to address it) depending on priority, business value, cost, and so forth.

Issue                               Recommendation(s)                   Priority            Responsible

<<Issue in 6 words or less>>        <<Recommendation to                 <<High,             <<Person responsible
<<Description of issue>>            respond to issue>>                  Medium, Low>>       for addressing
                                                                                            recommendation>>

Example:

Issue:              Search displays more PHI than required
                    After the radiologist searches for a patient, the application displays
                    detailed information about the patient to help the radiologist confirm the
                    identity of the patient. This information includes previous Major Diagnoses
                    for the patient. It is unclear that Major Diagnoses assists in verifying the
                    patient identity.
Recommendation(s):  The application should limit the PHI that is displayed to confirm patient
                    identity. The information should be limited to:
                    • Patient First Name
                    • Patient Last Name
                    • OHIP or MRN Number
                    • Date of Birth
Priority:           Medium
Responsible:        J. Smith



Appendix: Glossary

Appendix: References
