Post on 26-Oct-2020


April 19, 2017

Jill Clayton

Information & Privacy Commissioner of Alberta

Office of the Information and Privacy Commissioner of Alberta

410, 9925 - 109 Street Edmonton, Alberta, T5K 2J8

Dear Commissioner Clayton,

Re: Health Analytics Portal (HAP) Privacy Impact Assessment (AHS PIA File #2135)

Enclosed is the Privacy Impact Assessment (PIA) for the above information repository or administrative practice pursuant to Section 64 of the Health Information Act.

Alberta Health Services (AHS) is preparing to implement the Health Analytics Portal (HAP), a sub-project of the Provincial Health Analytics Network (PHAN) Program within AHS and Alberta Health (AH). HAP will be released in stages over the coming year and is expected to be fully operational by March 31, 2018. Please refer to the release schedule below for more details.

Release schedule

Release 1 (August 2, 2017):
• Will allow individuals and organizations to register to be part of the HAP environment
• Will provide registered, authorized users with access to aggregated Tableau dashboards that are not considered public (therefore classified as confidential)
• Will allow HAP Administrators to manage users and audit user activity

Release 2 (November 16, 2017):
• Will allow authorized users to:
  - access services such as education, discussion boards, metadata, consulting and advisory
  - access personally identifying health information
  - upload patient panel data for matching with AHS data

Release 3 (February 19, 2018):
• Will allow authorized users to:
  - access services such as education, discussion boards, metadata, consulting and advisory
  - access personally identifying health information
  - upload patient panel data for matching with AHS data

The Health Analytics Portal (HAP) will provide a ‘single window’ entry point to a trusted, online source of healthcare data and information products for use by researchers and data analysts and those dedicated to improving healthcare in Alberta. HAP is aligned with the Alberta Government’s commitment to enable a strong health research and innovation system for the province.

Should you have any questions in this regard, please contact Sharon Exham at 780-918-4979 or via e-mail [email protected]

Very truly yours,

Alberta Health Services

Linda C. French

Chief Privacy Officer and Legal Counsel

cc: Sharon Exham, Information & Privacy Coordinator


Page 1 of 25

Health Analytics Portal (HAP)

AHS File Reference #: 2135
Target Date of Submission: April 17, 2017
Information & Privacy Coordinator: Sharon Exham
AHS Responsible Affiliate: Linda French, Chief Privacy Officer, 403 943-0423
Expected Date of Implementation: throughout 2017-2018 fiscal year


Page 2 of 25

Source / Destination Repositories and Their Associated PIA’s

NOTE: If this project sends information to or receives information from another repository or system please list the systems and PIAs in the table below, otherwise leave the table empty.

Source / Destination Repository | OIPC File Reference #
AHSDRR | H5277, 003070
Tableau | H6370
Data De-identification | AHS File 2203


Page 3 of 25

Privacy Impact Assessment Summary

Alberta Health Services (AHS) is preparing to implement the Health Analytics Portal (HAP), a sub-project of the Provincial Health Analytics Network (PHAN) Program [1] within AHS and Alberta Health (AH). HAP will be released in stages over the coming year and is expected to be fully operational by March 31, 2018. Please refer to the release schedule below for more details.

Release schedule

Release 1 (August 2, 2017):
• Will allow individuals and organizations to register to be part of the HAP environment
• Will provide registered, authorized users with access to aggregated Tableau dashboards that are not considered public (therefore classified as confidential)
• Will allow HAP Administrators to manage users and audit user activity

Release 2 (November 16, 2017):
• Will allow authorized users to:
  - access services such as education, discussion boards, metadata, consulting and advisory
  - access personally identifying health information
  - upload patient panel data for matching with AHS data

Release 3 (February 19, 2018):
• Will allow authorized users to:
  - access services such as education, discussion boards, metadata, consulting and advisory
  - access personally identifying health information
  - upload patient panel data for matching with AHS data

The Health Analytics Portal (HAP) will provide a ‘single window’ entry point to a trusted, online source of healthcare data and information products for use by researchers and data analysts and those dedicated to improving healthcare in Alberta. HAP is aligned with the Alberta Government’s commitment to enable a strong health research and innovation system for the province [2].

[1] PHAN Background

The Provincial Health Analytics Network (PHAN) vision is to leverage data that is created from administering and delivering health services. Data is stored, documented, and made accessible so that it can be used and re-used to streamline access to information and analytical resources. The success of the PHAN is enabling access to this data to the stakeholders that require it. Currently this data is not available from one central source and thus access of the data that stakeholders want is limited. The business need is to enable analysis of clinical and administration data in support of Alberta’s integrated health system, provide timely access to data from a central source and incorporate consistent application of analytical best practices to improve the creation of health system information and enhance evidence-based decision making.

[2] Alberta's Health Research and Innovation Strategy, 2010: http://economic.alberta.ca/documents/ahris_report_aug2010.pdf?0.3942046595522639


Page 4 of 25

Section A - Project Summary

This section provides an overview of the repository.

1. What does the information system or administrative practice do?

By the time it is fully operational (March 2018), the HAP will provide (see Appendix 1 for more information about the project):

1. Interactive access to Tableau reports for stakeholders
   a. The first priority is to allow stakeholders (Alberta Health, Alberta Bone and Joint, Health Quality Council of Alberta, Primary Care Networks, Alberta Health Services, Researchers, and the public) the ability to interact with selected published Tableau reports.

2. The ability for authorized data users to access AHS data assets, starting with the Discharge Abstract Database (DAD) and the National Ambulatory Care Reporting System (NACRS).
   a. Users will be able to download aggregated non-identifying and transactional identifiable data sets in a format consumable by analytical software.
   b. Users will be able to upload client selection data (e.g. patient panel lists) to the HAP and have the appropriate resultant data made available for download. This function may require human intervention.

3. Enable simplified, on-line approval for access to data managed by AHS.
   a. Creation of registration and access was determined by previous work performed by the Privacy and Access working group (as part of the Secondary Use Data Project).

4. Online access to services such as data education services, metadata and data consulting and advisory services.

5. The integration of additional information products, data assets and services as prioritized by the HAP Steering Committee.

2. What is the business rationale for the project?

Creating one health system in Alberta provides a unique and unprecedented opportunity to connect information across multiple areas. Albertans expect that policy makers, service providers, researchers, and other groups have access to relevant and timely information. Instead of developing their own data assets, these stakeholders should have timely access to information to use for policy creation, decision-making, research, and providing healthcare services to Albertans. The Provincial Health Analytics Network (PHAN) leverages data that is created from administering and delivering health services. Data is stored, documented, and made accessible so that it can be used and re-used to streamline access to information and analytical resources. The success of the PHAN has been enabling access to this data to the stakeholders that require it. Currently this data is not available from one central source, and thus the exposure of the data that end users want is limited. The business need is to enable robust analysis of clinical and administrative data in support of Alberta’s integrated health system and to provide timely access to data from a central source, incorporating consistent application of analytical best practices to improve the creation of health system information and enhance evidence-based decision making.


Page 5 of 25

3. Who are the key players?

a. Alberta Health Services
• Information Technology (IT)
• Analytics (DIMR)
• AHS Analytic Community [3]

b. Non-Alberta Health Services
• Alberta Health (AH)
• Health Quality Council of Alberta (HQCA)
• Alberta Innovates
• PCNs and PCN physicians
• University of Alberta and University of Calgary
• Researchers
• Albertans

4. Where will health information be stored and accessed?

All data available to HAP users is stored within the secure AHS network environment. Some data and information products will be available to the general public on the public-facing HAP webpage. However, in order to gain access to more identifiable data on HAP, a user will need authorization and authentication by registering for a user ID/password or user ID/password/PIN + fob token. HAP will also include role-based security to ensure users only access areas of the portal that they are authorized to access. HAP role-based security will:

1. Restrict access to either the entire site or portions of the site, depending on the user's access level
2. Lock user accounts after 5 failed login attempts
3. Ensure that all transactions, error messages and security breach attempts are displayed
4. Write to audit log files
5. Terminate a session after 20 minutes of inactivity
6. Restrict multiple simultaneous sessions

See the concept diagram (Image 1) below to illustrate the HAP environment.
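The lockout, idle-timeout, single-session and audit-logging controls listed in item 4 are easy to state and easy to get subtly wrong (for example, accepting a correct password on a locked account, or resetting the idle timer without checking it first). The following is an added illustration, not AHS or HAP code: the thresholds (5 failed attempts, 20 minutes idle, one session per user) are the PIA's; the password hashing, the in-memory account and session stores, the audit tuple format and the injectable clock are this example's own assumptions.

```python
"""Account lockout, idle timeout, single-session and audit-log enforcement for a
portal login flow. Added illustration, not AHS or HAP code: thresholds follow the
PIA; hashing, stores and the injectable clock are this example's assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # lock user accounts after 5 failed login attempts
IDLE_TIMEOUT_SECONDS = 20 * 60   # terminate a session after 20 minutes of inactivity
PBKDF2_ROUNDS = 100_000          # assumption; tune to the hardware


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    token: str
    user_id: str
    last_activity: float


class Portal:
    def __init__(self, now):
        self.now = now        # callable returning seconds; injected so tests can move time
        self.accounts = {}    # user_id -> Account
        self.sessions = {}    # token -> Session
        self.audit = []       # (time, event, user_id, detail): append-only trail

    def _log(self, event, user_id, detail=""):
        self.audit.append((self.now(), event, user_id, detail))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, self._hash(password, salt))
        self._log("register", user_id)

    def login(self, user_id, password):
        """Session token on success, None otherwise; the reason goes only to the audit log."""
        acct = self.accounts.get(user_id)
        if acct is None:
            self._log("login_failed", user_id, "unknown user")
            return None
        if acct.locked:
            self._log("login_rejected", user_id, "account locked")   # even with the right password
            return None
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log("account_locked", user_id, f"{acct.failed_attempts} failed attempts")
            else:
                self._log("login_failed", user_id, f"attempt {acct.failed_attempts}")
            return None
        acct.failed_attempts = 0
        for token, sess in list(self.sessions.items()):   # one session per user: new login wins
            if sess.user_id == user_id:
                del self.sessions[token]
                self._log("session_superseded", user_id)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, self.now())
        self._log("login_ok", user_id)
        return token

    def touch(self, token):
        """Call on every request: user_id for a live session, None once idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.now() - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._log("session_expired", sess.user_id)
            return None
        sess.last_activity = self.now()
        return sess.user_id

    def unlock(self, admin_id, user_id):
        """HAP Administrator action after a reported lockout or suspected compromise."""
        acct = self.accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0
        self._log("account_unlocked", user_id, f"by {admin_id}")


if __name__ == "__main__":
    clock = [0.0]
    portal = Portal(lambda: clock[0])
    portal.register("analyst1", "correct horse battery staple")   # constructed account
    for _ in range(MAX_FAILED_ATTEMPTS):
        portal.login("analyst1", "wrong password")
    print("locked:", portal.accounts["analyst1"].locked)
```

Two caveats a reviewer would raise against the PIA's wording: a permanent lockout keyed on a known user ID is a denial-of-service lever for anyone who can guess analyst user names, so a time-limited lockout or per-source throttling is usually paired with it; and the audit trail only satisfies the "write to audit log files" control if it is shipped somewhere the portal's own administrators cannot edit.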

[3] Includes CancerControl Alberta, Primary Health Care, Corporate Services


Page 6 of 25

Image 1

5. Why does the project need to collect, use or disclose health information to achieve its objectives?

Aggregate, de-identified and identifiable information may be collected, used or disclosed within the HAP environment. Users will only be provided with access to identifiable health information according to their approved access level, which will be managed based on the requirements of the Health Information Act (e.g. disclosure authorized by s. 35(1), a data matching PIA, or a s. 54 Research Agreement).


Page 7 of 25

Section B – Organizational Privacy Management

Alberta Health Services’ Organizational Privacy Management Privacy Impact Assessment was accepted by the Office of the Information & Privacy Commissioner in March 2012 (OIPC File # H4631).

Section C - Project Privacy Analysis

1. Information available to HAP users will be dependent on the users’ access privileges. The data elements listed below would be available to those with Level 3 or 4 access (See Section D.1). Levels 1 and 2 would provide access to aggregated and/or de-identified data.

Type of Information: Demographics
Data Elements: Unique Lifetime Identifier (ULI); Personal Healthcare Number (PHN); Medical Record Number (MRN); Municipality; Province; Postal Code; Date of Birth; Date of Death; Gender (sex)
Purpose for the collection, use or disclosure: • Data matching • Internal management purposes • Planning and resource allocation • Health system management • Provider education • Research
Source of Information: System extracts from AHSDRR (or other AHS data repositories)

Type of Information: Clinical (diagnostic, treatment & care)
Data Elements: Health Service Provider Identifier; Health Service Provider Name; Health Service Provider Practice Municipality; Health Service Type; Health Service Facility
Purpose for the collection, use or disclosure: • Data matching • Internal management purposes • Planning and resource allocation • Health system management • Public health surveillance • Health policy development • Research
Source of Information: System extracts from AHSDRR (or other AHS data repositories)

Type of Information: User information
Data Elements: HAP will collect business information from registered users during the registration process. HAP will also collect information to track user activity (i.e. IP address, pages accessed, files downloaded, dates and times).
Purpose for the collection, use or disclosure: To manage and improve the site.
Source of Information: Directly from individuals and from activity logs


Page 8 of 25

2. Information Flow Analysis

a. Information Flow Diagram [4]

[Image: Health Analytics Portal (HAP) information flow diagram. Nodes: HAP (AHS SharePoint site containing various data sets and information products); AHSDRR; Tableau; Tableau (Public); Registered HAP Users; Unregistered (Public) Users. Labelled flows: 1 AHSDRR data into HAP; 2 aggregate, de-identified or identifiable Tableau dashboards linked from HAP; 3 aggregate Tableau Public dashboards linked from HAP; 4 identifiable patient panel data uploaded by registered users; 5 non-identifiable, aggregate or identifiable data and/or information products downloaded by registered users; 6 non-identifiable, aggregate or identifiable Tableau dashboards to registered users; 7 aggregate data and/or information products to unregistered (public) users; 8 aggregate Tableau dashboards to unregistered (public) users.]

[4] Flows 2, 3, 6 and 8 represent flows involving dashboards created using the Tableau reporting tool. Links to dashboards will be available through HAP, but the dashboards will not be stored in the HAP environment; they will remain on the Tableau server.


Page 9 of 25

b. Legal Authority and Purpose Table

LEGAL AUTHORITY AND PURPOSES TABLE
Columns: Flow # | Flow Description | Type of Information | Purpose | Legal Authority

1 | Data in the AHSDRR is used to create various datasets and information products and loaded to HAP | Patient registration and treatment information in 4 levels: 1. aggregate, 2. de-identified, 3. partially identified, 4. fully identifiable | To support provincial health analytics and other secondary uses | HIA Use: 26, 27(1)(d)(g)(2)

2 | Tableau dashboards generated on the Tableau server are available through links on the HAP. Dashboards are not stored on HAP; they remain on the Tableau server (may include underlying data) | As above | As above | HIA Use: 26, 27(1)(d)(g)(2)

3 | Aggregated Tableau dashboards generated on Tableau Public are available through links on HAP. Dashboards are not stored in HAP; they will remain on the Tableau Public server (may include de-identified or aggregate underlying data) | Aggregate health statistics | To support provincial health analytics and other secondary uses | HIA Use: 26

4 | Registered users upload patient panel data to enable data matching with AHS data | PHN, DOB, gender | To match with other identifiable health information in HAP that is related to the patient panel | HIA Use: 27(1)(d)(g); Data matching: 70

5 | Registered HAP users download data and/or information products | Patient registration and treatment information in 4 levels (as in flow 1) | To support provincial health analytics and other secondary uses | HIA Use: 26, 27(1)(d)(g)(2)

6 | Registered HAP users download aggregated, de-identified or identifiable Tableau dashboards generated on the Tableau server and available through links on the HAP | Patient registration and treatment information in 4 levels (as in flow 1) | To support provincial health analytics and other secondary uses | HIA Use: 26; Disclosure: 32

7 | Aggregate data and/or information products are downloaded by un-registered (public) users | Aggregate health statistics | To support provincial health analytics and other secondary uses | HIA Use: 26; Disclosure: 32

8 | Aggregate Tableau dashboards are downloaded by un-registered (public) users | Aggregate health statistics | To support provincial health analytics and other secondary uses | HIA Use: 26; Disclosure: 32

NOTE: The HAP site will also collect IP addresses from all users, as well as which pages they access, which files they download, and the date and time of this activity. In addition, the HAP site will collect business information of registered users. Collection and use of this information is authorized by the Freedom of Information & Protection of Privacy Act (s. 33(c) and 39(4)).


Page 11 of 25

3. Notice

Organizational notices exist in AHS facilities wherever information is collected and may be considered appropriate in some situations. However, forms (electronic or paper) used for collecting health or personal information may need to contain appropriate notices.

The following image illustrates the AHS Privacy Notice which must be posted in areas where health information is collected.

Health Analytics Portal will not be used for AHS to collect health information from patients. However, HAP will have the ability to collect identifiable data sets from other custodians or health partners to enable data matching. In addition the HAP site will collect certain information regarding the use of the site (e.g. IP addresses) to monitor use and measure utilization statistics. The HAP site will include a Privacy Policy as well as Terms of Use provisions to advise users of the information collected and the appropriate uses of the data and information products available on the HAP.

4. Consent and Expressed Wishes

a. Consent

Generally, the HAP Admin will confirm that the uses and disclosures of identifiable health information are authorized under section 35 of the HIA. There are no disclosures from the HAP that require consent under the HIA. If a circumstance occurred where consent was required, the HAP Administrator would follow AHS policies related to consent (refer to AHS Corporate Policy 1112, Collection, Access, Use and Disclosure of Information).


Page 12 of 25

b. Expressed Wishes

If data is acquired from a source system that has the ability to filter based on expressed wishes, this information is filtered out at the source before it is published to HAP.

5. Data Matching

Many of the dashboards, data and information products made available to users of HAP will have been created by AHS matching various data sources within AHS. This is authorized by HIA s. 69.

In addition, some registered HAP users will have the authority to upload identifiable information to HAP for data matching purposes authorized by s 70 of the HIA.

6. Contracts and Agreements and Information Management Agreements

a. Contractors: n/a. HAP is managed within the AHS environment by AHS employees. No contractor is involved.

b. Contractors who are Information Managers: n/a

c. Research Agreements Research involving information held by AHS shall be done in compliance with Alberta’s privacy legislation. The Health Information Act and the Freedom of Information and Protection of Privacy Act require a research agreement to be in place before disclosing identifying information for research.

Prior to receipt of research ethics approval, the Repository Owner or Repository Owner’s delegate may be contacted by researchers to identify whether health information required for their research project are available. Should the requested health information be available in the repository, the researchers shall be redirected to the AHS Provincial Research Administration team for coordination of a formal request and completion of a research agreement.

Before disclosing information to a Researcher the HAP Admin will work with the AHS Provincial Research Administration team to ensure that all operational and legal requirements are met, including a fully executed research agreement.

7. Use of Health Information Outside of Alberta

HAP will provide access to aggregate information products to the general public, which includes individuals outside of Alberta.


Page 13 of 25

Section D – Project Privacy and Security Risk Mitigation

1. Access Controls

a. Access Registration (See HAP Registration Management Diagram below)

Individuals can access limited data and information products that can be accessed by the general public. In addition, a formal registration process has been created for all individuals requesting a greater level of access to the HAP environment. The registration process includes the following activities before access is granted:

• First and foremost, any user requesting access to the HAP must belong to an organization that holds a valid HAP Participation Agreement. This agreement sets out the level of access any employees will require as well as which datasets they can access.

• The individual requesting access completes an access request form and passes it to their supervisor.

• The supervisor reviews the access request and confirms access is required for the individual to perform their role. The supervisor passes the request to the organization’s Authorized Approver (HAP AA).

• The HAP AA reviews the request and determines whether access will be granted. If access is denied, then the Authorized Approver shall inform the requestor. If access is permitted, then the HAP AA will define the account permissions associated with the request and forward to the HAP Administrator for processing.

• The HAP AA is responsible for ensuring all users from his/her organization complete HAP Orientation as well as Security & Privacy Awareness Training.

• All user access rights for his or her organization will be reviewed annually by the HAP AA to ensure that each user has the access privileges required to perform job tasks.

• The HAP AA shall review user status regularly to ensure that dormant accounts are disabled.

• The HAP AA, upon being informed that a password is suspected of having been compromised or has been compromised shall immediately report the incident to HAP Administrator.

Users will be required to refresh their HAP user registration and training annually.


Page 14 of 25

Image 2 – Health Analytics Portal (HAP) User Registration Management

[Diagram: Steering Committee; HAP Administrator (User Management, Access Management, HAP Security). Each HAP Participating Organization (Org A, Org B) holds a HAP Participation Agreement and has a HAP Authorized Approver who signs off all User Agreements for the organization and is responsible for the HAP User Agreement, HAP AA Orientation and Training. Example users per organization: User 1, Level 3 access to ED; User 2, Level 2 access to ED; User 3, Level 3 access to DAD/NACRS and Lab; User 4, Level 2 access to Lab. User access must align with the HAP Participation Agreement.]

b. Vendor Access n/a – no vendor involved in HAP.

c. Access Authentication HAP access identification and authentication methodology will meet AHS’s requirements.

d. Access to Health Information by Role

User security levels in the Health Analytics Portal are cumulative. For example, Security Level 4 provides access to Levels 1-3, as well as the additional security privileges of Level 4.

Users must also be authorized to access different data and information products that are determined by the HAP AA based on the analyst’s intended purpose(s). For example, a user with Security Level 2 access may have authorization to access multiple data assets such as Lab, DI, ED visits, but can only access aggregated and/or non-identifiable information products created from those data assets.


Page 15 of 25

Table 1 - Security levels are as follows:

Level 1 (no authentication) – Aggregate
This is the default access level and is available to the public. Registration is not required for Level 1 – Aggregate.
HIA definition: aggregate health information means non-identifying health information about groups of individuals, that is, non-identifying health information about groups of individuals with common characteristics. This is often referred to as statistical information and is often the kind of information from which it is virtually impossible to identify a single individual unless the cell or sample size is very small (less than 10).

Level 2 (2-factor authentication) – De-identified
e.g. patient scrambled PHN, age in years or age groups, geo code rather than postal code, date shifting where date of service and date of supply are randomly perturbed to ±14 days of the true date.
Means that the identity of the individual who is the subject of the information cannot be readily ascertained from the information. The Health Information Act regulates information that identifies individuals; it contains a few basic provisions restricting the use of non-identifiable information.

Level 3 (2-factor authentication) – Partially identifiable
e.g. patient PHN, DOB, gender, postal code
Means that the identity of the individual who is the subject of the information can be ascertained from the information with minimal effort.

Level 4 (2-factor authentication) – Fully identifiable
e.g. patient names, address, contact information
Means that the identity of the individual who is the subject of the information can be readily ascertained from the information. (Source: HIA)
This may require additional security requirements and possibly a second authentication.
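The Level 2 definition in Table 1 names four concrete transforms (scrambled PHN, age in years or bands, geo code in place of the postal code, service dates perturbed within ±14 days). The following is an added example, not AHS code: the records are constructed, and the specific mechanisms (a keyed HMAC pseudonym rather than a plain hash, a per-patient fixed date shift derived from the same key, and the forward sortation area as the geo code) are this example's own choices, not the PIA's.

```python
"""De-identification transforms of the kind the PIA lists for Level 2 data.
Added example, not AHS code: records are constructed; mechanism choices are ours."""
import hashlib
import hmac
import random
from datetime import date, timedelta

# Assumption: in production this key lives in a KMS/HSM, not beside the data.
PSEUDONYM_KEY = b"example-key-rotate-me"
MAX_SHIFT_DAYS = 14


def scramble_phn(phn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for one PHN under one key, not invertible without it.
    An unkeyed hash would not do: a 9-digit PHN space is trivially brute-forced."""
    return hmac.new(key, phn.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, as_of: date, width: int = 5) -> str:
    """Age in completed years at `as_of`, bucketed (e.g. 35-39)."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def geo_code(postal_code: str) -> str:
    """Forward sortation area (first three characters) in place of the full postal code."""
    return postal_code.replace(" ", "").upper()[:3]


def shift_days(phn: str, key: bytes = PSEUDONYM_KEY) -> int:
    """Pseudo-random shift in [-14, 14], derived from the PHN under the key so that all of
    one patient's dates move by the same amount and intervals between visits survive."""
    digest = hmac.new(key, b"date-shift:" + phn.encode(), hashlib.sha256).digest()
    return random.Random(digest).randint(-MAX_SHIFT_DAYS, MAX_SHIFT_DAYS)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Level 2 view of an identifiable record; direct identifiers are dropped."""
    shift = timedelta(days=shift_days(record["phn"]))
    return {
        "pseudo_id": scramble_phn(record["phn"]),
        "age_band": age_band(record["dob"], as_of),   # from the true DOB, not a shifted one
        "sex": record["sex"],
        "geo": geo_code(record["postal_code"]),
        "service_date": record["service_date"] + shift,
        "service_type": record["service_type"],
    }


# Constructed sample: two visits by one patient, one visit by another. Not real data.
SAMPLE = [
    {"phn": "123456789", "dob": date(1980, 6, 15), "sex": "F", "postal_code": "T5K 2J8",
     "service_date": date(2017, 3, 1), "service_type": "ED visit"},
    {"phn": "123456789", "dob": date(1980, 6, 15), "sex": "F", "postal_code": "T5K 2J8",
     "service_date": date(2017, 3, 11), "service_type": "Lab"},
    {"phn": "987654321", "dob": date(1951, 12, 2), "sex": "M", "postal_code": "T2P 1J4",
     "service_date": date(2017, 4, 5), "service_type": "DI"},
]


def deidentify_all(records, as_of=date(2017, 4, 19)):
    return [deidentify(r, as_of) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE):
        print(row)
```

Worth noting against the definition above: a consistent pseudonym is what makes the output analytically useful (one patient's visits still link), and it is also why Level 2 output is not anonymous; age band, sex, forward sortation area and a run of shifted dates are quasi-identifiers, which is exactly why the PIA keeps two-factor authentication and the Participation Agreement in front of this level rather than treating it as public.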


Page 16 of 25

Based on the user’s security level, different data and information products are available to them based on the intended purpose(s). For example, a user with Security Level 2 access may have authorization to access multiple data products such as Lab, DI, or ED visits, but can only access aggregated and/or non-identifiable information products created from those data products.

The table (Table 2) below provides an illustration of possible options as an example:

Table 2
User | Security Level | Information Products
User A | 2 | Lab and DI
User B | 2 | ED
User C | 3 | Lab and ED
User D | 3 | DI
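Section D.1.d describes a two-dimensional decision: a cumulative security level (1 to 4) and, separately, the data assets the HAP AA has authorized, with Level 1 public and Levels 2 to 4 behind two-factor authentication. The following is an added example, not AHS code, showing one way to encode that decision so that each dimension is checked explicitly and the denial reason can go to the audit log. The users mirror Table 2; the product names, the MFA flag and the decision function itself are this example's constructions.

```python
"""Access decision combining cumulative security levels (1-4) with per-dataset
authorization, as described for HAP. Added example, not AHS code."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional, Tuple


class Level(IntEnum):
    AGGREGATE = 1               # public, no authentication
    DEIDENTIFIED = 2            # two-factor authentication
    PARTIALLY_IDENTIFIABLE = 3  # two-factor authentication
    FULLY_IDENTIFIABLE = 4      # two-factor authentication (+ possible second step)


@dataclass(frozen=True)
class HapUser:
    user_id: str
    security_level: Level
    datasets: FrozenSet[str]    # assets the HAP AA authorized, e.g. {"Lab", "DI"}
    mfa_verified: bool = False  # set by the login flow after the second factor


@dataclass(frozen=True)
class InformationProduct:
    name: str
    dataset: str                # source data asset
    level: Level                # sensitivity of the product's content


def decide(user: Optional[HapUser], product: InformationProduct) -> Tuple[bool, str]:
    """Allow only when every dimension passes; the reason string is for the audit log.
    Levels are cumulative: a Level 3 user may read Level 1-3 products, never Level 4."""
    if product.level == Level.AGGREGATE:
        return True, "Level 1 aggregate product: public access"
    if user is None:
        return False, "registration and authentication required above Level 1"
    if not user.mfa_verified:
        return False, "second factor not verified"
    if product.level > user.security_level:
        return False, (f"product is Level {int(product.level)}, "
                       f"user holds Level {int(user.security_level)}")
    if product.dataset not in user.datasets:
        return False, f"no HAP AA authorization for dataset {product.dataset}"
    return True, "allowed"


# Constructed to mirror Table 2 (User A-D) plus one user who skipped the second factor.
USERS = {
    "User A": HapUser("User A", Level.DEIDENTIFIED, frozenset({"Lab", "DI"}), True),
    "User B": HapUser("User B", Level.DEIDENTIFIED, frozenset({"ED"}), True),
    "User C": HapUser("User C", Level.PARTIALLY_IDENTIFIABLE, frozenset({"Lab", "ED"}), True),
    "User D": HapUser("User D", Level.PARTIALLY_IDENTIFIABLE, frozenset({"DI"}), True),
    "User E": HapUser("User E", Level.FULLY_IDENTIFIABLE, frozenset({"Lab"}), False),
}

# Constructed products; the names are illustrative only.
PRODUCTS = [
    InformationProduct("ED visits per quarter (counts)", "ED", Level.AGGREGATE),
    InformationProduct("Lab turnaround by age band (de-identified)", "Lab", Level.DEIDENTIFIED),
    InformationProduct("Lab results with PHN and postal code", "Lab", Level.PARTIALLY_IDENTIFIABLE),
    InformationProduct("DI exams with patient names", "DI", Level.FULLY_IDENTIFIABLE),
]


def access_matrix():
    """user_id -> {product name: allowed} for every user/product pair."""
    return {uid: {p.name: decide(u, p)[0] for p in PRODUCTS} for uid, u in USERS.items()}


if __name__ == "__main__":
    for uid, row in access_matrix().items():
        print(uid, {name: ("allow" if ok else "deny") for name, ok in row.items()})
    print("public, aggregate:", decide(None, PRODUCTS[0]))
    print("public, de-identified:", decide(None, PRODUCTS[1]))
```

The point of keeping the level on the product rather than inferring it from the dataset is that the same data asset (Lab, say) yields products at several levels; the level has to be assigned by whoever publishes the product, and the decision function should never compute it from the content.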

Some registered users with additional privileges will have the ability to upload identifiable data that represents their patient panel and may download information products resulting from the matching of AHS data with the registered user’s data and based on selected criteria. This level of privilege will not be provided until there is a data matching Privacy Impact Assessment in place.

Other registered users include the Designated Access Approver (HAP AA) for each organization participating in the Health Analytics Portal. This level of user will be responsible for reviewing and approving access requests from individuals from their organization.

Access to Health Information by Role

User Role | # of users in role | Position/Job Title | Type of Access (e.g. create, read, update, delete) | Description of information this user can access (include examples)

Security Level 1 | <1000 in first 5 years | Non registered users (public) | Download aggregated information products and other support material and services | Data and Information Products based on groups of individuals with common characteristics

Security Level 2 | <1000 Level 2-4 within first 5 years | Authorized Analyst | Download aggregated or non-identifiable information products and other support material and services | Data and Information Products based on groups of individuals with common characteristics and/or de-identified data products and information products

Security Level 3 | (see Level 2) | Authorized Analyst | Download aggregated and/or non-identifiable and/or partially identifiable information products and other support material and services | Data and Information Products based on groups of individuals with common characteristics and/or de-identified data products and information products and/or partially

Security Level 4 | (see Level 2) | Authorized Analyst | Download aggregated and/or non-identifiable and/or partially identifiable and/or fully identifiable information products, datasets and other support material and services | Data and Information Products based on groups of individuals with common characteristics, and/or de-identified data product sets as well as fully identifiable health data and information products

Health Analytics Portal Authorized Approver (HAP AA) | 200 | Designated Authorized Approver for each participating organization | Authorize Security Levels and Data Assets for HAP Participating Organization | User(s) from specified organization and security levels. Aggregated reports and other support material and services.

Health Analytics Portal Administrator (HAP Admin)

2 AHS Analytics (DIMR)

Reviews and approves organizations, Reviews HAP AAs. Reviews all HAP users and HAP content. Manages HAP Team.

Data Management Analyst (Data Quality, metadata, education, consulting and advisory)

4 AHS Analytics (DIMR)

Data Governance Team

Health Analytics Portal Security (HAP) Security

2 AHS IT Access team/Analytics (DIMR)

Set up user accounts, security groups, manages network access points.

Health Analytics Portal Data Sharing, Access and Auditing Analyst

2 AHS Analytics (DIMR)

Monitor user activity proactively and reactively. Addresses privacy and security breaches. Prepares Participation Agreements and maintains Privacy Impact Assessment. Archiving and disposal of data.

User activity logs and confidential information

2. Education and Training

Training is provided based on the users’ role within HAP (Registered user, HAP Admin, HAP AA).

The HAP Admin shall ensure that all HAP AAs have received required training to ensure they understand their roles and responsibilities.

The HAP AAs shall ensure that all those granted access (Registered Users) comply with all related pre-access training and compulsory refresher courses necessary for access to the repository. Repository access will be granted upon confirmation of the repository training as well as the mandatory AHS Privacy and Security Awareness training.


3. Privacy and Security Risk Assessment and Mitigation Plans

a. Assessment of Project related Privacy and Security Risks

Risk: Unauthorized access to information in the application from within the internal network.
Description: Because of weak or inadequate access controls, information in the application could be accessed by other network-authenticated users without a need to know.
Mitigation Measures:
• The HAP complies with AHS password standards.
• HAP users must belong to an organization with a valid Participation Agreement in place.
• All registered users must complete the access request process detailed above (D.1.d).
• Activities of all authorized users are governed by the HAP Participation Agreement.
• In the event that unauthorized access to information in the application is reported or detected, there exist AHS Privacy Breach Investigation and IT Security Incident Response Processes for privacy breach and security incident investigations, respectively.
• Regular audits will be conducted to validate compliance with HAP Participation Agreements.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1112 Collection, Access, Use, and Disclosure of Information; 1105 Access to Information (Physical, Electronic, Remote); 1109 Information Technology Acceptable Use

Risk: Lack of program-specific training on business practices, privacy and security.
Description: Privacy and security of information may be compromised in the course of performing business functions if employees are not trained to incorporate security and privacy practices in business processes.
Mitigation Measures:
• All registered users will be required to complete a HAP User Agreement (under development) and receive training and orientation relevant to their approved level of access.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1112 Collection, Access, Use, and Disclosure of Information; 1108 Delegation of Authority and Responsibilities for compliance with FOIPP and HIA

Risk: Loss of integrity of information due to data entry errors or unauthorized changes to information.
Description: Information could be incorrectly entered in the application. Authorized users may inadvertently or deliberately make changes to information in the application. Unauthorized modification could also be performed by unauthorized users who already have access to the AHS network. These actions may cause information to be incomplete, incorrect or unreliable.
Mitigation Measures:
• The HAP complies with AHS password standards.
• All registered users will be required to complete a HAP User Agreement and receive HAP training and orientation relevant to their approved level of access. (See D.2)
• All users requiring access to potentially identifying or identifying data will require 2 factor authentication.
• All authorized users are governed by the HAP User Agreement.
• In the event that data integrity issues are detected or reported, there exist AHS Privacy Breach Investigation and IT Security Incident Response Processes for privacy breach and security incident investigations, respectively.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1140 Business Continuity Planning for IT Resources; 1109 Information Technology Acceptable Use

Risk: More information is collected than is required to achieve the specific business purpose.
Description: The application may be configured to accept more data elements than required for the specific business purpose. Also, forms (paper or electronic) used for collecting identifying information may capture more information than required.
Mitigation Measures:
• The HAP site will allow some users to upload data (e.g. patient panels) for data matching purposes. These users will receive a warning prior to uploading and will confirm that they are uploading the least amount of information required to meet the intended purpose.
• The HAP site will collect identifying information (user IP address) related to users’ activity. This information will provide metrics to manage and improve the HAP site.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1112 Collection, Access, Use, and Disclosure of Information; 1108 Delegation of Authority and Responsibilities for compliance with FOIPP and HIA

Risk: Unauthorized access to audit logs
Description: Audit logs are altered.
Mitigation Measures:
• Audit logs are accessible to a limited number of users based on their role within the governance team.
• Audit data will be stored in a secured location. Backups will be stored in an alternate location.
• Audit logs stored in the alternate location (the vault) will not be accessible and are considered the “source of truth”. (An audit framework is under development.)
Policy Reference: 1143 Information Security and Privacy Safeguards; 1144 Monitoring and Auditing of IT Resources

Risk: Lack of appropriate and adequate logging and auditing capabilities
Description: Lack of appropriate and adequate logging and auditing capabilities means inappropriate or unauthorized access to identifiable information cannot be captured. This prevents privacy breaches from being detected and investigated, as appropriate logs and log reports may not be available for review.
Mitigation Measures:
• An auditing framework based on the AHSDRR Audit Framework is under development.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1144 Monitoring and Auditing of IT Resources

Risk: Lack of proactive auditing of users’ activities
Description: Lack of regular proactive auditing could allow unauthorized or inappropriate access to identifiable information to go undetected.
Mitigation Measures:
• Audit logs are accessible to a limited number of users based on their role within the governance team.
• Audit data will be stored in a secured location. Backups will be stored in an alternate location.
• Audit logs stored in the alternate location (the vault) will not be accessible and are considered the “source of truth”. (An audit framework based on the AHSDRR Auditing Framework is under development.)
• User activity will be logged and audited for appropriate use.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1144 Monitoring and Auditing of IT Resources; 1109 Information Technology Acceptable Use

Risk: Lack of monitoring of privileged user activities.
Description: Privileged users generally have the ability to change system configurations. Unauthorized activities of this category of users could cause system malfunction, loss of information or data corruption.
Mitigation Measures:
• Audit logs are accessible to a limited number of users based on their role within the governance team.
• Audit data will be stored in a secured location. Backups will be stored in an alternate location.
• Audit logs stored in the alternate location (the vault) will not be accessible and are considered the “source of truth”. (An audit framework based on the AHSDRR Auditing Framework is under development.)
• User activity will be logged and audited for appropriate use.
Policy Reference: 1143 Information Security and Privacy Safeguards; 1144 Monitoring and Auditing of IT Resources; 1108 Delegation of Authority and Responsibilities for compliance with FOIPP and HIA; 1109 Information Technology Acceptable Use

Risk: Information unavailability
Description: Information becomes unavailable due to unforeseen circumstances.
Mitigation Measures:
• The HAP site may become unavailable to undergo planned maintenance. All users will receive proactive notice of planned outages.
• In the event that the site is unavailable due to unforeseen circumstances, users will be informed of the estimated outage.
Policy Reference: Business Continuity Planning for IT Resources (AHS IT Policy # 1140) section 2.5; Section E – Business Continuity; Change Control for IT Resources (AHS IT Policy # 1141) section 1.2

Risk: Improper or lack of information classification
Description: Information is misclassified, resulting in too little or too much information. Information is retained longer than necessary.
Mitigation Measures:
• Data and information products available to HAP users will be classified by content developers and managed in accordance with the AHS Information Classification policy. A Content Management process is under development.
Policy Reference: 1142 Information Classification

Risk: Loss or theft of mobile devices or portable storage medium
Description: Information may become exposed to unauthorized individuals through the loss or theft of a mobile device or portable storage medium.
Mitigation Measures:
• All AHS devices are encrypted.
• The HAP Participation Agreement will address requirements for the protection of identifying health information downloaded from the HAP.
• Participating organizations will be required to complete an Organization Self-Assessment to confirm appropriate safeguards are in place.
• User Agreements will address requirements for the protection of identifying health information downloaded from the HAP.
• All HAP users must complete Education & Training that includes the responsibility for protecting identifying health information downloaded from the HAP.
Policy Reference: 1160 Cell Phones and Other Mobile Devices; 1143 Information Security and Privacy Safeguards

Risk: Hacking
Description: Unauthorized access to HAP.
Mitigation Measures:
• Regular (annual) vulnerability testing will be completed.
Policy Reference: 1143 Information Security and Privacy Safeguards


4. Monitoring of Privacy & Security Controls

A Health Analytics Portal Auditing Framework will be developed to support the auditing and monitoring requirements for HAP.

a. Repository Logging Capability

The HAP will meet AHS requirements to log and monitor users. A Health Analytics Portal Auditing Framework will be developed to support the auditing and monitoring requirements for HAP.

b. Audit and Monitoring Process

The HAP Administrator shall ensure random proactive audits are performed monthly. Audit and monitoring triggers will be identified in the HAP Auditing Framework (under development).

c. AHS Internal and External Audits

The HAP Administrator shall ensure that all staff cooperate with all internal or external audits of the repository and comply with all requests for information regarding the repository. Audit requests that require the disclosure of personally identifiable information will be reviewed with the Information and Privacy Office prior to disclosure.

5. Privacy Breaches

A privacy breach occurs when there is an unauthorized collection, use, disclosure, access to, or disposal of personally identifiable information. It includes failure to comply with AHS policies, or HIA or FOIP, concerning our duty to protect the information in AHS’s care and custody. Information may be in various formats (e.g. paper, audio recordings, microfiche, verbal disclosures/conversations, electronic and photographic) and types of information may include that of AHS:

• patients (e.g. name, date of birth, health care number, diagnosis, treatment)

• employees (e.g. employee number, home address, personnel file)

• administrative documents which may be confidential (e.g. draft business proposals, system security diagrams) or may contain personally identifiable information (e.g. reports of employee sick time or patient self-pay invoicing).

a. Inappropriate Access to Records

Any suspected inappropriate access to personally identifiable information, whether identified through audits or reported verbally, shall be forwarded to Information & Privacy for investigation by the HAP Administrator. All entries in repository logs that are suspect are to be provided to the Information & Privacy Office for investigation. The logs will be a complete copy from the beginning of the inappropriate access through to the time the access was removed.


b. Breach Discovery

The Repository Owner or the Repository Owner’s delegate, upon notification or discovery of a privacy breach involving their repository, will:

• take immediate steps to prevent any further privacy breaches

• contact the Information and Privacy Office to report the privacy breach, including a complete list of:

  o the names of individuals whose information was breached and the type of personal information that was breached

  o a list of all AHS affiliates who were involved in the breach or were involved in containing the breach

  o where or to whom the personal/health information was disclosed

• attempt to recover the disclosed information by arranging to have it returned to the Repository Owner or the Repository Owner’s delegate. If the information cannot be returned, then the Repository Owner or the Repository Owner’s delegate will ensure the information has been destroyed and that no copies of the information were made.

• If the incident involves laptops, memory sticks, phones or other electronic devices, the Repository Owner or the Repository Owner’s delegate shall contact AHS Information Technology to report the security incident.

c. Breach Investigation

The Repository Owner or the Repository Owner’s delegate and all those involved in the investigation shall cooperate fully with the Information and Privacy Office and provide any information requested by the investigator.

d. Post Breach Recommendations

The Repository Owner or the Repository Owner’s delegate shall, as soon as practical, implement all of the recommendations documented in a privacy breach report issued by the Information & Privacy Office investigator upon completion of the investigation.

6. PIA Compliance

a. Regular Maintenance

The PIA and all Amendments associated with the PIA shall be reviewed on a regular basis not exceeding twelve months. Minimal differences between the PIA and the repository will be documented and forwarded to the AHS Information & Privacy Office for feedback and direction. Should significant differences exist between the repository and what is described in the PIA, a new PIA will need to be prepared for submission to the OIPC. Significant differences consist of one or more of the following:

• the PIA was submitted on a format no longer accepted by OIPC,

• the PIA is over five years old since its submission,

• multiple (greater than three) Amendments to the PIA exist,

• changes to the collection, use or disclosure of health information,

• changes to user access to the health information,

• changes to the flow of health information.


The internal web-based Information & Privacy tool, PIA Compliance Questionnaire, shall be used to report the compliance results and document any changes that affect the existing PIA.

b. Amendments

Amendments are required whenever changes are made to the repository that are not described in the PIA. The AHS Information & Privacy Office may be contacted for feedback and direction regarding the changes. Changes to a repository that may require an Amendment consist of one or more of the following:

• changes to the collection, use or disclosure of health information,

• changes to user access to the health information,

• changes to the flow of health information.

The internal web-based Information & Privacy tool, PIA Amendment Questionnaire, may be used to automatically initiate the Amendment process for any changes that may require changes to the PIA.

Section E – Corporate Policies & Departmental Procedures

1. General Privacy Technology Management Policy Table

The organization’s privacy and security policies are described and documented in the Alberta Health Services’ Organizational Privacy Management Privacy Impact Assessment that was accepted by the Office of the Information & Privacy Commissioner in March 2012 (OIPC ref. # H4631).

2. Project Specific Policy Table

a. Delegation

The Information Repository Owner is accountable for all of the procedures and practices described in this PIA and may delegate the management of portions of the PIA to individuals in their management structure. The Information Repository Owner shall maintain a record of the names and titles of those individuals who have been delegated to manage portions of the PIA.

b. Requests Regarding Health Information

The staff involved do not have the training to deal with health information requests. All requests for health information other than requests by care providers shall be forwarded to AHS Health Information Management for processing and escalation.

c. Collection, Use and Disclosure of Health Information

The Information Repository Owner is responsible for ensuring that the collection, use and disclosure of health information meet the requirements set forth in the Alberta Health Information Act and all applicable AHS Policies and Procedures.

PIA Appendix Listing

Document Name                      Appendix #
Health Analytics Portal Handout    1