What are xwave's privacy and security practices? What are the physician's privacy and security responsibilities with respect to personal health information?
While xwave does not have any personal health information in its custody or control, it is responsible for the maintenance of the CMS ASP services, which include privacy and security measures, on behalf of the primary care physicians and their patients. As such, xwave has designed the functionality of the CMS ASP services with the objective of ensuring that both xwave, as the service provider, and your physician, as the health information custodian, are able to meet the requirements of PHIPA to protect the privacy and confidentiality of personal health information stored and processed through the CMS ASP services.
xwave has developed the following policies that provide employees and subcontractors with rules for protecting the privacy of personal health information according to the requirements of PHIPA. They are based on the ten fair information principles described in the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, which forms the basis of the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The following also describes the privacy and security responsibilities of the physician and other users of the CMS ASP service.
Principle 1: Accountability
xwave has designated an individual, the CMS Privacy Officer, who is responsible within xwave for the compliance of the CMS ASP services with xwave's privacy policies. This person oversees CMS ASP services privacy requirements, employee and subcontractor compliance with xwave's CMS-related privacy policies, and the development and maintenance of CMS-related privacy procedures.
Principle 2: Identifying Purposes
xwave provides reasonable functionality within the CMS ASP services intended to enable physicians and their support staff to identify and document the purpose of the collection of an individual's personal health information prior to or at the time the information is collected. It is the physician's responsibility to ensure that the purposes of collecting personal health information are identified to his or her patients as required by PHIPA or other applicable privacy laws.
Principle 3: Consent
xwave provides reasonable functionality in the CMS ASP services for the physician and their support staff to obtain and document an individual's consent (or withdrawal) for the collection, use or disclosure of their personal health information. It is the physician's responsibility to ensure that appropriate consent is obtained for the collection, use and disclosure of personal health information as required by PHIPA or other applicable privacy laws.
Principle 4: Limiting Collection
xwave endeavours to provide CMS ASP system functionality intended to assist health information custodians with the ability to limit the collection of personal health information to what is required by them to provide health care services to the patient. It is the physician's responsibility to ensure that the collection of personal health information is limited to that which is reasonably necessary to meet the purpose for which it is collected as required by PHIPA or other applicable privacy laws.
Principle 5: Limiting Use, Disclosure and Retention
xwave provides CMS ASP system functionality intended to assist physicians and their support staff in preventing unauthorized use and disclosure of personal health information. xwave uses reasonable measures to prevent unauthorized access to personal health information by xwave employees and subcontractors, and has established policies and procedures relating to breaches of privacy, security and confidentiality of an individual's personal health information in connection with the CMS ASP services. It is the responsibility of the physician using the CMS ASP services to ensure that the use and disclosure of personal health information stored through the physician's account or the accounts of his/her support staff is limited to what is reasonably necessary to meet the purposes for which it is collected and is otherwise in compliance with PHIPA and other applicable laws. Where reasonably possible, xwave will ensure that CMS ASP service functionality includes authorization procedures for accessing personal health information that include a protocol for tracking who accessed the information and for what purpose.
The CMS ASP system includes functionality intended to support the physician's observance of retention and destruction periods with respect to personal health information. It is the physician's responsibility to ensure that legal and regulatory requirements and professional obligations regarding personal health information and medical record retention are adhered to.
Principle 6: Accuracy
Health information custodians who collect, use and disclose personal health information retained within the CMS ASP system will be responsible for ensuring and maintaining its accuracy.
Principle 7: Safeguards
The CMS ASP service incorporates reasonable safeguards, including technological measures (e.g., the use of passwords and access controls), to protect personal health information stored and processed using the CMS ASP system against loss or theft, as well as unauthorized access, use, disclosure, modification or destruction. See the section entitled "Security Safeguards to Protect Personal Health Information" for more information about xwave's security practices. Security responsibilities of physicians and other users of the CMS ASP system include:
• protecting usernames and passwords assigned to or selected by the physician and his/her support staff, and ensuring usernames and passwords are not disclosed or shared by or between users within or outside of the physician's office
• immediately notifying xwave in the event of password theft, leak or other compromise
• using secure tokens or other security safeguards as directed by xwave from time to time
• ensuring that PCs used to access the CMS service are located in a secure area within the physician's office
• not storing personal health information or other sensitive data on removable media, such as CDs, USB drives or diskettes
• ensuring that operating system patches and anti-virus software are installed and up-to-date on all PCs used to access the CMS service
• complying with other reasonable security policies established and communicated to the physician and other users from time to time.
Principle 8: Openness about Policies and Practices
xwave provides this Privacy Policy document regarding the CMS ASP services in order to make information about the service and xwave's privacy policies and practices readily and easily available to individual physicians and others. For further information about xwave's privacy policies and practices relating to the CMS ASP services, physicians and other users of the service can contact the CMS Privacy Officer as follows:
Privacy Officer
Clinical Management Systems
xwave, a Division of Bell Aliant
1550 Enterprise Road, Suite 100
Mississauga, Ontario L4W 4P4
Principle 9: Individual Access
The health information custodian has responsibility for providing individuals with information about the existence, use and disclosure of their personal health information and providing access to that information as required in accordance with PHIPA and other relevant privacy laws. xwave will not provide individuals with access to or copies of their personal health information, and will refer all such inquiries to the responsible subscribing health information custodian. The CMS ASP service functionality is designed to support means to enable the subscribing health information custodian to provide individuals with appropriate access to their personal health information stored on the CMS ASP system.
Principle 10: Challenging Compliance
xwave does not have custody or control of personal health information and can only respond to inquiries regarding its privacy policies and obligations under applicable legislation. It is the responsibility of health information custodians who have custody and control of personal health information to respond to challenges concerning compliance with the above principle, as it relates to their respective services. xwave will develop procedures to receive and respond to complaints or inquiries from subscribing physicians about its privacy policies and practices with respect to the CMS ASP services.





