What is Infoway doing to ensure the privacy and security of digital health information systems?
The privacy and security architecture is a key component of the Electronic Health Record Solution (EHRS) Blueprint. The framework and vision for electronic health records are intended to accommodate and respect privacy requirements across the country. Privacy rules may vary by jurisdiction, but the architecture has been designed to accommodate these differences.
Privacy and security components are also included in Infoway's Certification Services reviews to ensure that digital health solutions conform to assessment criteria.
In addition, one of the ways in which Infoway achieves its privacy mandate is to require funded projects that involve personal health information to conduct Privacy Impact Assessments, where applicable.
Infoway also recognizes that privacy has non-technical as well as technical aspects that need to be considered in interoperable digital health information systems in Canada. Infoway supports work on non-technical issues through mechanisms such as the Privacy Forum and the Health Information Privacy Group as well as other projects.
In addition, to promote consistency in legislative approaches and solutions, Infoway offers input on legislative activities and has contributed to consultation processes in: New Brunswick, Nova Scotia, Newfoundland and Labrador, Yukon, Northwest Territories, Ontario and Prince Edward Island.
Finally, Infoway's Emerging Technology Group provides thought leadership nationally and internationally by setting out privacy considerations related to topics such as cloud computing, big data analytics and mobile computing in clinical settings.
What is Infoway’s privacy mandate and role in respect to the implementation of digital health information systems in Canada?
Infoway acts as a strategic investor to foster and accelerate the development and adoption of digital health information systems in Canada. Provinces and territories are responsible for health care delivery, privacy legislation and digital health solutions within their own jurisdictions. Infoway's role is to support the privacy and security activities through:
- requiring that funded projects involving personal health information conduct Privacy Impact Assessments, where applicable
- working to identify practices that can be leveraged for re-use across the country
- working to ensure that projects adopt an interoperable approach
- raising awareness of the issues through white papers and webinars
- facilitating jurisdictional collaboration by sponsoring the Privacy Forum and the Health Information Privacy Group
- providing guidance on architectural developments related to the development and implementation of secure and privacy enhancing interoperable EHRs.
Does Infoway create or manage digital health information systems?
No, Infoway does not create or manage any personal health information systems. That is done by the jurisdictions.
Does Infoway hold or manage repositories of personal health data?
No, Infoway does not hold or manage any repositories of personal health data.
Does Infoway conduct Privacy Impact Assessments (PIAs)?
No. These PIAs are completed and submitted to Infoway by the applicable jurisdictional projects.
Have Canadians been consulted regarding EHRs and privacy? What views or concerns do they have?
In addition to public opinion polling or consultations conducted by the provinces and territories, Canada Health Infoway has conducted public opinion surveys on the subject of "Electronic Health Information and Privacy," in 2012 and 2007.
The findings indicate that Canadians support the use of electronic health records and expect their privacy to be protected in the collection, storage and use of their personal information.
The table below shows the measures Canadians would like to see in place to protect the privacy and security of their personal health information, and what privacy and security protections exist in jurisdictions.
|Measures that increase Canadians’ comfort with electronic health records (EHRs)||What is in place in jurisdictional laws and EHRs|
|Being able to find out when and who accessed their health record||
Laws: all jurisdictions have access provisions
EHRs: EHRs enable this through:
|Knowing they would be informed of any privacy breach that occurred||
Laws: breach notification obligations are increasingly being required
EHRs: EHRs enable this through:
|Being able to access and correct their records||
Laws: all jurisdictions have access and correction clauses
EHRs: EHRs have processes in place to document changes to records
|Legislation that would make unauthorized access of health records a criminal/serious offence||Laws: all newer laws have penalty provisions, and some include criminal prosecution|
Who do I contact if I need more information on privacy as it relates to digital health initiatives?
For specific privacy queries related to your jurisdiction, please contact your ministry or department of health.
For Infoway-related initiatives, please contact us.
Key privacy resources
- Privacy and EHR Information Flows in Canada, Version 2.0: 53 "common understandings" to support appropriate and privacy protective disclosures of EHR information
- Business and Architecture Considerations for Interoperable Consent Solutions: A Discussion Document
- Consent Management Solution Considerations: a companion piece to Business and Architecture Considerations for Interoperable Consent Solutions
- Ipsos Survey: Canadian attitudes toward electronic health information and their privacy
- Embedding Privacy into the Design of EHRs to Enable Multiple Functionalities – Win/Win
- White paper: Exploring the value, benefits and common concerns of e-booking
- EHRS Blueprint: Technology framework for securely sharing health information
- EHRi Privacy and Security Conceptual Architecture: Privacy and security requirements and standards for an interoperable EHR
- A Conceptual Privacy Impact Assessment of the EHRS Blueprint: Ensuring privacy is considered in the development of the EHRS blueprint
- White paper: Information Governance of the Interoperable Electronic Health Record
- EKOS Survey: Canadian attitudes towards electronic health information and their privacy
- Privacy and EHR Information Flows: 33 "common understandings" for the disclosure of EHR information