Security: 2014


Security: 2014. Personal Health Information Protection Act, 2004. This 5 min. course covers: changing landscape of electronic health records; security threats & obligations; protections for personal health information (PHI). Connecting GTA – Coming in 2014. (PowerPoint presentation)

Transcript of Security: 2014

Page 1: Security: 2014

SECURITY: 2014

Page 2: Security: 2014

Personal Health Information Protection Act, 2004

This 5 min. course covers:

• changing landscape of electronic health records

• security threats & obligations

• protections for personal health information (PHI)

Page 3: Security: 2014

Connecting GTA – Coming in 2014

• early adoption of cGTA builds on eCare’s success to further strengthen point of care access to electronic patient information

• security: critical factor in whether patients consent to sharing personal health information (PHI) in cGTA

Page 4: Security: 2014

cGTA changes the security landscape

• health care organizations required to reinforce IT security

• planned link (Cerner to cGTA) requires infrastructure incl.

• active directory accounts for credentialed physicians

• merging Cerner account/active directory account to create “single sign-on” from Cerner to cGTA

• strong passwords, change management

Note: physicians without active directory account will be notified; Information Services will support transition

Page 5: Security: 2014

We are in this together …

• patients & families trust we have strong security policies & consistent practices to protect their personal health information (PHI)

Page 6: Security: 2014

Threats to electronic PHI

• weak passwords

• inappropriate chart access

• using another’s login/password

• theft/loss of laptop, unencrypted USB key/removable storage media

• PHI sent by unencrypted e-mail

• texting personal identifiers

Page 7: Security: 2014

Information security practices

physical, technical & administrative

• work together to protect PHI and information systems

Page 8: Security: 2014

Preventatives work

• strong passwords, access & change controls

• network security, secure remote access

• encrypted e-mail between NYGH sites

• training, personal accountability

• confidentiality agreements

• audit trails of access to technical systems

• photo ID

• serious consequences for inappropriate chart access, use or disclosure up to termination of employment, hospital privileges

Page 9: Security: 2014

Strong login passwords mandatory

• on desktops, laptops, mobile devices & removable storage media – do not share, write down or store on equipment

• STRONG: combination of letters, numbers, symbols, minimum of 8 characters & no dictionary words

Page 10: Security: 2014

Protect yourself – never share login, password

together they serve as your electronic signature

everything done using it will be attributed to you until proven otherwise

always log off PowerChart

Page 11: Security: 2014

Mobile devices, removable storage media

don’t store PHI on laptops/mobile devices unless encrypted (Information & Privacy Commissioner/Ont.)

encryption protects electronic info if lost/stolen

whole disk encryption: on all NYGH laptops

NYGH computers enforce encryption if you download to a mobile device; password you choose will decrypt

Page 12: Security: 2014

Encrypting files

Encrypt a copy, not the original file or else you will have to use a password to open it

WORD Document

Click “File” > “Protect Document” > “Encrypt with Password”

PDF

Click “File” > “Properties” > “Security”. Select “Password Security” from the “Security Methods” drop-down menu. Check off “Require a Password to Open the Document”

Create a strong password and write it down before entering and saving. Send the file and password by separate emails. In the email sending the file, advise that the password will be sent separately.

Page 13: Security: 2014

Secure email

encrypted transmission between NYGH sites: General, Branson, Senior's Health Centre - if intercepted, it cannot be read

without encryption: it's like sending a postcard 

Never send personal health or confidential info from or to a personal email account e.g. hotmail, gmail or yahoo - transmission is not encrypted; can be intercepted & read

Page 14: Security: 2014

Working out of NYGH

don't take PHI or confidential info out of hospital unless absolutely necessary  

instead, use secure remote access where possible

Page 15: Security: 2014

What you can do

minimize storage of PHI/confidential info on mobile devices, laptops, storage media

back up files to network before leaving

ensure encryption enabled on laptop/mobile device

use secure storage for laptops, mobile devices, removable media, paper records or keep with you at all times

Page 16: Security: 2014

If it doesn’t go as planned… just call me

chief privacy officer

416-756-6448

Page 17: Security: 2014

Security Summary

combine physical, administrative & technical protections

avoid “What’s the risk?” thinking

Encryption protects patients and reputations … still a bargain

Never share login & password

Page 18: Security: 2014

Information & Privacy Commissioner/Ontario (IPC)

Provides oversight of compliance with the Personal Health Information Protection Act. In this role the Commissioner:

• adjudicates access appeals, investigates privacy complaints and may issue public reports

• may enter and inspect premises, records, information management practices and require evidence under oath, affirmation

• has Order making power; may levy fines of up to $250,000.00

IPC Contact: 416-326-3333 www.ipc.on.ca

Page 19: Security: 2014

Thank-you

For more information please contact Rita Reynolds, Chief Privacy Officer at ext. 6448.