Subject/Title: Granting of Remote Access to Health Information
Reference Number: 1472
Effective Date: 2002/07/01
Approving Authority: Executive Management
Date Revised: 2006/11/15
Classification: Information Security and Privacy
Last Review: 2006/11/15
Next Review: 2008/11/15

Note: The Calgary Health Region is committed to ensuring the accuracy and consistency of the policies on its Regional Policy Website. As policies are reviewed and updated periodically, the information contained in this document is accurate only on the date that it is viewed/printed (2010/09/02). Before relying on the information after this date, please check the Regional Policy Website for any changes to the policy.

If you have any questions regarding this notice or the information presented in this policy, please contact Regional Policy Services using the Feedback link below.


Reason For Policy
• To set out the requirements for granting Remote Access to Health Information under the custodianship of the Calgary Health Region (the “Region”) through Alberta Wellnet.
• To establish criteria and safeguards for Remote Access to Health Information for compliance with the Health Information Act (HIA).

Policy Statement
The Region shall establish clear accountability structures, supported by policies and processes, to protect Health Information from any unauthorized use, disclosure or modification. The Region shall only grant Remote Access to Health Information under its custodianship through Alberta Wellnet to Authorized Persons for authorized purposes. Remote Access shall only be granted to provide health care services, support the Region’s business operations, or to support workflow.

Applicability
This policy applies to all staff (including employees, independent contractors, medical, dental, podiatry, and midwifery staff, and other health professionals), students, volunteers, and other persons acting on behalf of the Region.

Process
1.   GRANTING OF ACCESS TO HEALTH INFORMATION
1.1. Remote Access to Health Information shall be granted on a limited basis to Authorized Persons who have a demonstrated need for access. An applicant requesting Remote Access shall seek approval from his or her Manager/Director, who has delegated responsibility to authorize such requests. Approved requests shall be forwarded to the Information Technology (IT) Security Office or a designated access administrator to facilitate Remote Access.

1.2. Prior to facilitating Remote Access, the Information and Privacy (I&P) Office and the IT Security Office shall determine the need for a Privacy Impact Assessment or an IT security assessment. Required assessments shall be carried out under the direction of the applicable security office.

1.3. The IT Security Office shall ensure that the applicant meets the required criteria for Remote Access (see Appendix “A”), and that any required assessments are completed. Authorized requests shall be forwarded to the application owner to grant Remote Access privileges.

2.   RESPONSIBILITIES OF USERS GRANTED REMOTE ACCESS
2.1. Users who have been granted Remote Access to Health Information shall:
• comply with all applicable contracts or agreements;
• protect the confidentiality and privacy of the information;
• use the Health Information responsibly and appropriately; and
• maintain the integrity and accuracy of the Health Information.

2.2. Users shall not use, modify, or disclose Health Information to non-authorized persons unless written consent has been obtained from the individual who is the subject of the information (see the Protection & Privacy of Health and Personal Information policy, #1471).

3.   ACCESS SECURITY
All Remote Access connections shall use two-factor authentication to validate the User’s access privileges.

4.   COSTS
Any costs incurred by the Region in the provision of Remote Access shall be payable by the applicant. Costs, as determined by fee schedules established by the Region, may include expenses for computer hardware, software requirements, or costs of ongoing technical support.

5.   TRAINING
Training shall be provided by the Region. The User is responsible for contacting the appropriate application owner(s) or access administrators, and for attending all required training sessions before accessing the Region’s application remotely.

6.   GRANTING OF REMOTE ACCESS FOR VENDOR SUPPORT
In the event that a vendor requires Remote Access for the purposes of providing system or application support, the Region shall establish a contractual relationship with the vendor prior to Remote Access being granted. The contract shall clearly outline the terms and conditions for granting Remote Access privileges.

7.   SURVEILLANCE AND MONITORING
Remote Access shall be subject to ongoing surveillance and monitoring as directed by the I&P Office and the IT Security Office. Periodic reviews and audits of User activity shall be carried out by the IT Security Office.

8.   WITHDRAWAL OF REMOTE ACCESS PRIVILEGES
Inappropriate access, use, disclosure, or modification of Health Information shall result in the immediate withdrawal of Remote Access privileges. Privileges may also be withdrawn in the event that Remote Access fails to meet the Region’s IT Security Standards, or at the discretion of the IT Security Office.

Definitions
AUTHORIZED PERSONS means Region employees, responsible and consulting physicians, students or volunteers, or contractors involved in the provision of health services or administrative support to the Region’s patients or clients, or who are involved in the Region’s business operations.

HEALTH INFORMATION means information that relates to (a) diagnosis, treatment and care, (b) health services providers or (c) registration (i.e., demographic, residency, health services eligibility or billing).

REMOTE ACCESS means a user’s ability to access Health Information through Alberta Wellnet by connecting to the Region’s network from outside of the network’s firewall.

USER means any individual who uses or discloses information, or an individual who uses any Region owned IT Resource including but not limited to IT equipment, Information Systems, IT infrastructure, networks, shared drives, databases, systems, hardware, software, internet, e-mail, and applications.


Underlying Principles
1.   DUTY TO PROTECT HEALTH INFORMATION
The Region is required under HIA to protect all Health Information within its custody or control. The Region has a duty to collect and use only the Health Information that is essential to carry out the intended purpose, and to disclose the Health Information only to Authorized Persons.

2.   DUTY TO CONTROL AND MONITOR ACCESS TO HEALTH INFORMATION
The Region has a duty to protect the privacy, confidentiality, and integrity of Health Information under its custodianship by establishing and monitoring controls and limitations for Remote Access.

3.   DUTY TO CONDUCT PRIVACY IMPACT ASSESSMENTS
The Region has a duty to conduct a Privacy Impact Assessment of the impact of any proposed change in practice relating to the collection, use and disclosure of Health Information.

Cross References to Calgary Health Region Policies
Information Security


Additional References
Appendix A - Acceptance Criteria for Remote Access Connection
Health Information Act (Alberta)
International Organization for Standardization (ISO) BS 7799-2: 2002