
DATA SHARING AND HEALTH INFORMATION NETWORK PROVIDER AGREEMENT (“DSA”) (AMENDMENT AND RESTATEMENT OF THE ELECTRONIC SERVICE PROVIDER AGREEMENT DATED AS OF MARCH 1, 2014)

Between

THE COMMUNITY HEALTH SERVICES PROVIDERS WHO ENTER INTO A DSA ADHESION AGREEMENT (individually, an “HSP” and collectively, “HSPs” and which includes “New HSPs”)

-and-

CENTRE FOR ADDICTION AND MENTAL HEALTH IN RESPECT OF ITS DRUG AND ALCOHOL TREATMENT INFORMATION SYSTEM PROGRAM (“CAMH”)

-and-

RECONNECT COMMUNITY HEALTH SERVICES IN ITS ROLE AS LEAD AGENCY FOR THE CBI PROJECT (“Lead Agency”)

Dated as of December 1, 2015 (“Effective Date”)

TABLE OF CONTENTS

BACKGROUND
SECTION 1. DEFINITIONS/SCHEDULES
SECTION 2. PURPOSES OF THE CBI PROJECT AND THE DSA
SECTION 3. FLOW OF DATA
SECTION 4. STATUTORY AUTHORITIES AND COMPLIANCE
SECTION 5. ROLES AND RESPONSIBILITIES OF THE PARTIES
SECTION 6. PRIVACY AND SECURITY OBLIGATIONS OF CAMH
SECTION 7. GOVERNANCE OF THE CBI PROJECT
SECTION 8. EXECUTIVE SPONSORS
SECTION 9. REPORTS
SECTION 10. REPRESENTATIONS, WARRANTIES AND COVENANTS
SECTION 11. COMMUNICATIONS/CONFIDENTIAL BUSINESS INFORMATION
SECTION 12. DISPUTE RESOLUTION
SECTION 13. TERM AND TERMINATION
SECTION 14. NOTICES
SECTION 15. INDEMNIFICATION AND INSURANCE
SECTION 16. OWNERSHIP OF INTELLECTUAL PROPERTY
SECTION 17. GENERAL/INTERPRETATION
SECTION 18. CONDITIONS
SECTION 19. CONSEQUENTIAL AMENDMENTS TO THE ADDENDUM 1 AGREEMENT AND ICES DSA
SCHEDULE A – THE ADDENDUM 1 AGREEMENT
SCHEDULE B - TERMS OF REFERENCE FOR THE COMMUNITY BUSINESS INTELLIGENCE WORKING GROUP
SCHEDULE C - INITIAL LIST OF ELEMENTS OF CLIENT INFORMATION TO BE UPLOADED TO REPOSITORY AND FORM PART OF DATA (AS AT EFFECTIVE DATE)
SCHEDULE D - DSA ADHESION AGREEMENT
SCHEDULE E – HINP SERVICES TO BE PROVIDED BY CAMH
SCHEDULE F – SERVICE LEVELS FOR CAMH
SCHEDULE G - MINIMUM TECHNICAL, ADMINISTRATIVE, PHYSICAL AND INFORMATION SECURITY SAFEGUARDS OF CAMH FOR PHI AND CONFIDENTIAL BUSINESS INFORMATION
SCHEDULE H - DATA FLOW (SECTION 3.0)
SCHEDULE I - PLAIN LANGUAGE DESCRIPTION FOR HSPS AND THE PUBLIC (CLAUSES 6.1(D) AND (E))
SCHEDULE J - LIST OF CAMH POLICIES IN ITS ROLE AS HINP (CLAUSE 6.1(B) AND SCHEDULE G)

BACKGROUND

A. The CBI Project (as defined below) was undertaken in early 2012 by the Toronto Central LHIN (“TC LHIN”) and Reconnect as transfer payment organization and lead agency, to work towards a robust level of data quality and reporting by health services providers in the three sub-sectors of the community health services sector, being: 1) community mental health providers; 2) community addiction providers; and 3) community support service providers (collectively, the “Community Sector”).

B. As part of the first stage of the CBI Project, the Lead Agency, CAMH and health service providers in the Community Sector entered into an Electronic Services Provider Agreement dated as of March 1, 2014 (“ESPA”) to appoint CAMH as their electronic services provider and in order to disclose personal health information to CAMH in order to provide reports to TC LHIN and individual HSPs.

C. On March 30, 2015, the parties to the ESPA entered into an addendum to the ESPA (“Addendum 1 Agreement”), in order to authorize and direct CAMH to disclose data to the Institute for Clinical Evaluative Sciences (“ICES”), a prescribed entity under PHIPA (as defined below) for specific purposes including analyzing or compiling statistical information for management of the health system and for research purposes authorized under PHIPA.

D. The Parties wish to further implement the CBI Project by permitting HSPs to access personal health information in the custody of one or more other HSPs, in respect of Shared Clients (as defined in clause 1.1(oo) below), in order to assist in the provision of health care to Shared Clients.

E. In order for HSPs to share personal health information electronically, they must appoint a health information network provider in accordance with the requirements of PHIPA. The Parties wish to appoint CAMH as their health information network provider (“HINP”).

F. PHIPA requires that a HINP enter into a written agreement with each health information custodian concerning the services provided to that health information custodian.

G. The Parties wish to enter into this DSA to comply with the PHIPA requirement for a written agreement and in order to set out the roles and responsibilities of the Parties.

H. It is the intention of the Parties that:

i. for those HSPs that are parties to the ESPA and that sign the DSA Adhesion Agreement, this DSA shall, from and after the date of their execution of the DSA Adhesion Agreement, constitute an amendment and restatement of the ESPA as previously amended by the Addendum 1 Agreement (the ESPA as previously amended by the Addendum 1 Agreement is referred to as the “Original ESPA”), and the terms and conditions in this DSA, shall apply to such HSPs;

ii. for health service providers in the Community Sector that have not signed the DSA Adhesion Agreement, but are parties to the Original ESPA, the Original ESPA shall continue to apply to them; and

iii. for CAMH and the Lead Agency (as defined below), the terms and conditions in the Original ESPA shall continue to apply with respect to those health service providers in the Community Sector that have not signed the DSA Adhesion Agreement, but are parties to the Original ESPA, and otherwise, with respect to the HSPs referred to, above, in sub-paragraph “i.”, the terms and conditions of this DSA shall apply to CAMH and the Lead Agency.

NOW THEREFORE in consideration of the promises and mutual covenants hereinafter contained and other good and valuable consideration, the Parties agree as follows:

SECTION 1. DEFINITIONS/SCHEDULES

1.1 In addition to terms defined in this Agreement, the following capitalized terms shall have the following meanings:

(a) “Addendum 1 Agreement” means the Addendum No. 1 to the ESPA between the Parties and dated as of March 30, 2015, for purposes of data linkage with ICES, as set out in Schedule A.

(b) “Agent” or “PHIPA Agent” means an “agent” as defined in PHIPA.

(c) “Applicable Legislation” means the federal, provincial and municipal legislation and rules, regulations and bylaws thereunder that are applicable to the Parties in respect of their respective obligations under this Agreement, including PHIPA and the Regulation, the Mental Health Act and the Public Hospitals Act.

(d) “Authorized User” means any Personnel of an HSP or CAMH who is authorized to access PHI for the purposes set out in this DSA.

(e) “Business Day” means Monday to Friday from 9:00 am to 4:00 pm exclusive of statutory holidays in Ontario.

(f) “CBI” means Community Business Intelligence.

(g) “CBI Project” means the Community Business Intelligence Project being undertaken by the Community Sector to work towards a robust level of data quality and reporting.

(h) “CBI Website” means the internet address for the CBI Project as amended from time to time, with notice to HSPs.

(i) “Client” is any patient/client of an HSP.

(j) “Client Information” means information about a Client that the HSP collects in its client information management system, in whatever media or format and whether such information is expressed in English or French.

(k) “Community Business Intelligence Working Group” or “CBI Working Group” means the group that is guiding the CBI Project, in accordance with the terms of reference set out in Schedule B to this Agreement, as amended from time to time.

(l) “Community Sector” has the meaning set out in paragraph A of the Background.

(m) “Confidential Business Information” means all information and data, in whatever media or form, that is directly or indirectly disclosed to a Party under this DSA, including but not limited to financial information, trade secrets, intellectual property, provided the information is either not generally known by or available to the public or marked “private”, “proprietary”, “restricted”, “confidential” or otherwise marked so as to indicate confidentiality, but which excludes information that: (i) is documented as already being in its possession without burden of confidentiality; (ii) is or becomes publicly available through no fault of a non-disclosing Party; or (iii) is disclosed pursuant to the lawful requirement of a court or government agency of competent jurisdiction without condition of confidentiality, provided that the disclosing Party is notified in advance and given the opportunity to seek a protective order against such disclosure.

(n) “Data” means the Client Information that is stored in the Repository, and includes Client Information stored in the Repository before the Effective Date. As of the Effective Date, the elements of the Client Information that shall make up the Data are set out in Schedule C. Additional elements of Client Information will be uploaded to the Repository to form part of the Data upon direction from the CBI Working Group, and Schedule C will be deemed to be amended accordingly. The amended Schedule C shall be posted on the CBI Website.

(o) “DATIS” means the Drug and Alcohol Treatment Information System Program of CAMH, which is a provincial information system hosted and maintained by CAMH in respect of all agencies funded by the Ministry of Health and Long-Term Care to provide addiction treatment services.

(p) “De-identify” means, in relation to the PHI of an individual, to remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual, and “De-identified” and “De-identification” have corresponding meanings.

(q) “DSA” or “Agreement” means this Data Sharing and Health Information Network Provider Agreement dated as of December 1, 2015 among the Lead Agency, CAMH and the HSPs, and includes any amendments, supplements, schedules, exhibits or appendices attached, referencing this Agreement, or expressly made a part hereof or attached hereto. For certainty, this DSA amends and restates the ESPA.

(r) “DSA Adhesion Agreement” means the agreement, in the form set out in Schedule D, by which a HSP becomes a Party to this DSA.

(s) “Effective Date” means December 1, 2015.

(t) “EMPI” or “Enterprise Master Person Index” means a database that is used by CAMH across HSPs to maintain consistent, accurate and current demographic and essential medical data on the Clients seen and managed within such organizations. The Client is assigned a unique identifier that is used to refer to this Client across organizations. The objective is to ensure that each Client is represented only once across all the software systems used within such organizations and to identify matching Clients.

(u) “ESPA” has the meaning set out in paragraph B of the Background.

(v) “Funding Agreement” means the Master Funding and Services Agreement between CAMH and Reconnect dated as of March 1, 2013, as amended from time to time.

(w) “Health Information Network Provider” or “HINP” has the meaning set out in PHIPA, being a person who provides services to two or more HICs primarily to enable them to use electronic means to disclose PHI to one another.

(x) “HIC” means health information custodian and has the meaning set out in PHIPA.

(y) “HINP Services” or “Services” means the HINP Services provided by CAMH as specified in Schedule E.

(z) “HSPs” means the health service providers who have signed the DSA Adhesion Agreement and includes New HSPs.

(aa) “ICES DSA” means the Data Sharing Agreement among ICES, CAMH and Reconnect, signed by the Parties in March, 2015.

(bb) “Lead Agency” means the organization that is the transfer payment organization from the LHIN and lead agency for the CBI Project, which as of the Effective Date, is Reconnect Community Health Services.

(cc) “LHIN” means a local health integration network in Ontario and includes more than one LHIN if applicable.

(dd) “New HSP” means a health services provider in the Community Sector and funded by the LHIN that signs the DSA Adhesion Agreement and who has never signed the Original ESPA.

(ee) “Original ESPA” means the ESPA as previously amended by the Addendum 1 Agreement.

(ff) “Party” means each of the Lead Agency, CAMH and the HSPs, and “Parties” means all of the Lead Agency, CAMH and the HSPs.

(gg) “Personal Health Information” or “PHI” has the meaning set out in PHIPA and includes PHI in the Data.

(hh) “Personnel” means any employees, agents, officers, directors, independent contractors, sub-contractors and others for whom a Party is responsible at law.

(ii) “PHIPA” means the Personal Health Information Protection Act, 2004 and regulations thereunder, including the Regulation.

(jj) “Privacy, Security and Data Access Sub-Group” has the meaning set out in sub-section 7.3.

(kk) “Regulation” means Ontario Regulation 329/04 General to PHIPA.

(ll) “Repository” means the database system hosted within CAMH’s Information Technology infrastructure that holds the Data uploaded by HSPs.

(mm) “Schema” means the CBI XML structure that has been developed so that Data may be submitted to CAMH.

(nn) “Service Level Commitment” means a service level commitment of CAMH to the Lead Agency and HSPs as outlined in the Service Level Commitments in Schedule F.

(oo) “Shared Client” means a Client who is receiving services from one HSP in the situation where such Client has received or is receiving services from another HSP.

(pp) “Shared Client Data” means all of the Data from different HSPs about the same Client.

(qq) “Vendors” means the client management system providers for the HSPs.

1.2 Schedules. The Schedules to this DSA form part of this DSA and are as follows:

A. Addendum 1 Agreement

B. Terms of Reference for CBI Working Group

C. List of Data Elements

D. DSA Adhesion Agreement

E. HINP Services

F. Service Levels for CAMH

G. Minimum Technical, Administrative, Physical and Information Security Safeguards of CAMH

H. Data Flow

I. Plain Language Description (HSPs and Public)

J. List of CAMH Policies in its role as HINP

1.3 Any amendments to the Schedules shall be posted by the CBI Working Group on the CBI Website, and, from and after the date of such posting until further amended or replaced, shall be deemed to be incorporated as amendments to this DSA.

SECTION 2. PURPOSES OF THE CBI PROJECT AND THE DSA

2.1 In order to support sector and organizational planning and development for the Community Sector as well as to assist in the provision of health care, the HSPs hereby appoint CAMH as their PHIPA Agent and HINP upon and subject to the terms and provisions of this DSA, including, without limitation, for the following purposes:

(a) to act as the Repository of Data;

(b) to provide reports to HSPs;

(c) to provide reports to LHINs and the Ministry of Health and Long-Term Care;

(d) to provide Data to ICES for data linkage as set out in the Addendum 1 Agreement;

(e) to provide Data for any other linkages agreed to by the Parties as further referenced in Section 2.3;

(f) to provide Shared Client Data to Authorized Users of HSPs in order to provide health care or assist in the provision of health care to shared Clients; and

(g) to develop a robust database of Client Information that may be accessed for research and related purposes, provided that such access is:

(i) approved by the Privacy, Security and Data Access Sub-Group;

(ii) in accordance with all requirements regarding necessary approvals; and

(iii) in accordance with all Applicable Legislation.

2.2 The purpose of this DSA is to outline the roles, responsibilities and rights of each HSP with respect to the Data, including Shared Client Data, the roles and responsibilities of CAMH as PHIPA Agent and HINP, and the roles and responsibilities of the Lead Agency.

2.3 In future phases of the CBI Project, Data may be linked with other prescribed entities, registries and health care organizations. Any further phases of the CBI Project will be developed and agreed to by the Parties through signed addenda to this DSA.

2.4 The Parties acknowledge and agree that the Addendum 1 Agreement, which sets out the terms and conditions of linkage of Data with ICES continues in full force and effect in accordance with its terms, with the consequential changes arising out of this DSA as set out in SECTION 19.

SECTION 3. FLOW OF DATA

3.1 The flow of Data and architecture for the CBI Project is as described in this SECTION 3 and Schedule H to this Agreement.

3.2 Each HSP shall provide its Client Information to CAMH in accordance with the requirements set out in Schedule C or as otherwise required by the CBI Working Group acting reasonably. HSPs who are community addiction providers and already providing Client Information to CAMH will continue to provide such Client Information to CAMH (DATIS) and CAMH will ensure that such Client Information is included as part of the Data for the CBI Project.

3.3 The Data that CAMH receives and holds pursuant to this DSA shall be a copy of the original Client Information which is maintained by the HSP. CAMH shall not retain Data for longer than is necessary to perform the Services. CAMH will retain each record of PHI in the custody of the HSP within DATIS in accordance with the CBI Project’s Data Retention Policy. Subject to PHIPA, De-identified Data may be retained for as long as is required for purposes of planning for health care. It is acknowledged and agreed that each HSP will maintain its own Client Information that forms part of the Data in accordance with the statutory and policy requirements for such retention relevant to each HSP.

3.4 Each HSP shall be able to access their Data and Shared Client Data through a designated portal created by CAMH and will be able to make queries (about only their own Data and Shared Client Data) through the portal.

3.5 An HSP will be able to access Shared Client Data from other HSPs, if the first HSP is currently providing services to the Client, and the other HSP or HSPs are either currently providing services to such Client, or have previously provided services to such Client.

3.6 CAMH shall De-identify Data prior to sending any reports to the LHIN to ensure that any such reports do not contain PHI. CAMH shall provide the De-identified Data to the LHIN through a designated portal created by CAMH. The LHIN will be able to query the De-identified Data, according to parameters developed by the Privacy, Security and Data Access Sub-Group to ensure that no queries result in the LHIN having access to PHI.

3.7 CAMH may provide regular reports to HSPs, as determined by the Privacy, Security and Data Access Sub-Group.

3.8 CAMH shall provide Client Information to ICES in accordance with the provisions of the Addendum 1 Agreement.

SECTION 4. STATUTORY AUTHORITIES AND COMPLIANCE

HSPs

4.1 Each HSP acknowledges and agrees that it is a HIC as defined under PHIPA.

4.2 Under subsection 20 (2) of PHIPA, certain HICs, in the circumstances referred to in that subsection, are permitted to assume implied consent for the sharing of PHI of an individual for the purposes of providing health care or assisting in the provision of health care to the individual.

4.3 Under clause 39 (1) (d) of PHIPA, a HIC may disclose PHI to certain HICs as set out therein, where both HICs are providing health care or assisting in the provision of health care or have previously provided health care or assisted in the provision of health care to a Client and the disclosure is for activities to improve or maintain the quality of care provided by the receiving HIC to the Client or individuals provided with similar health care.

4.4 Under subsection 18 (2) of PHIPA, consent to the collection, use or disclosure of PHI about an individual to another HIC for purposes of providing health care or assisting in providing health care may be express or implied. Implied consent must be knowledgeable in accordance with the requirements of PHIPA.

4.5 Under clauses 37 (1) (c) and (d) of PHIPA, a HIC is authorized to use (among other uses) PHI about an individual for planning or delivering programs or services that the HIC provides or that the HIC funds in whole or in part, allocating resources to any of them, evaluating or monitoring any of them and for the purpose of activities to improve or maintain the quality of care or to improve or maintain the quality of any related programs or services of the HIC. Subsection 37(2) of PHIPA provides the authority for HSPs to provide PHI to CAMH as their Agent to use PHI for these purposes, as part of the CBI Project.

4.6 Each HSP acknowledges and agrees that:

(a) in collecting PHI of a Client through the Repository and using and disclosing such PHI, in accordance with the terms of the DSA, each HSP is relying on one or more of the following statutory authorities:

(i) assumed implied consent as per subsection 20 (2) of PHIPA;

(ii) clause 39 (1) (d) of PHIPA;

(iii) implied consent under subsection 18 (2) of PHIPA; and

(iv) clauses 37 (1) (c) and (d) of PHIPA; and

(b) it will not collect PHI through the Repository, nor use or disclose the PHI so collected, if and to the extent that it is aware that the Client to whom the PHI relates has expressly withheld or withdrawn consent to such collection, use or disclosure (often referred to as “Lockbox”), unless permitted or required by law.

Health Information Network Provider (HINP)

4.7 The Parties acknowledge and agree that:

(a) in providing Services to enable the HSPs to use electronic means to disclose PHI to one another (as part of the CBI Project), CAMH is a HINP and shall comply with the requirements with respect to a HINP in the Regulation and in this DSA; and

(b) under the Regulation, HINPs must enter into a written agreement with each HIC concerning the services to be provided to such HIC and this DSA constitutes compliance with such requirement.

PHIPA Agent Status

4.8 Upon and subject to this DSA, each HSP hereby appoints CAMH as its PHIPA Agent to collect, use and disclose Data on its behalf in order to carry out the Services.

4.9 CAMH acknowledges and agrees that in carrying out the Services, it is a PHIPA Agent of the HSPs, and HINP, and shall comply with Applicable Legislation.

SECTION 5. ROLES AND RESPONSIBILITIES OF THE PARTIES

CAMH

5.1 CAMH shall provide the HINP Services set out in Schedule E.

5.2 CAMH shall comply with the Privacy and Security Obligations of an Agent and HINP under PHIPA as more fully set out in SECTION 6 and Schedule G.

Lead Agency

5.3 The Lead Agency shall:

(a) liaise with the LHIN regarding the CBI Project;

(b) work with and provide funding for Vendors for New HSPs to develop the Schema and do initial testing of credentials for participation by such New HSPs in the DSA;

(c) provide ongoing feedback on implementation of the CBI Project;

(d) track implementation activity in respect of the CBI Project for Vendors/HSPs;

(e) provide HSPs and New HSPs with the DSA for execution;

(f) deal in a reasonable time frame with any complaints by an HSP about CAMH and its provision of Services, or in relation to the CBI Project;

(g) support the DSA through the CBI Project Team at the Lead Agency and implement the governance structure for the CBI Project as further specified in SECTION 7;

(h) provide support for implementation at [email protected] or such other email address provided to HSPs;

(i) update the Schedules to this DSA, as required and post updated Schedules on the CBI Website;

(j) initiate the development of policies and procedures for the CBI Project, in consultation with the CBI Working Group and CBI committees and sub-groups, and shall post the completed policies and procedures on the CBI Website; and

(k) develop and make available support documents for HSPs to implement the CBI Project, including providing HSPs with tools and information to assist them in meeting their obligations as HICs under this DSA.

HSPs

5.4 General. Each HSP agrees to:

(a) record Client Information as specified in the User Implementation Guide accessible at the CBI Website;

(b) in the case of New HSPs, work with their Vendor to complete validation as outlined in the User Implementation Guide;

(c) use reasonable efforts to ensure that their Client Information to be uploaded to the Repository and stored as Data is accurate, complete and as up-to-date as necessary for its own purposes;

(d) adhere to jointly adopted policies and procedures for the CBI Project;

(e) monitor the uploading of its Client Information to the Repository and deal with any errors in the Data resulting from its Client Information uploaded to the Repository;

(f) configure live credentials;

(g) comply with the requirements of PHIPA, and any other applicable legislation for HICs, including having in place information practices that comply with PHIPA, including practices relating to the collection, use, disclosure, retention and disposal of PHI, and monitor and enforce compliance with its own information practices; and

(h) submit Data to the live CBI environment after completion of the necessary validations.

5.5 Access to Repository.

(a) Access to the Repository shall be determined by each HSP in accordance with its own policies and procedures, but, at minimum, the policy shall require that the Authorized User has a need to access Data in the Repository to perform his or her employment responsibilities or assigned duties for that HSP and has undertaken the requisite training to use the Repository in accordance with the requirements of this DSA.

(b) If an HSP revokes or suspends an Authorized User’s right of access to the PHI of its own Clients, such HSP shall immediately advise CAMH of the need to revoke or suspend, as the case may be, such Authorized User’s access to the Repository.

5.6 Privacy and Security Practices. Each HSP shall:

(a) with the support of audit logs provided by CAMH, have logging, auditing and monitoring policies and procedures including communication of these controls to Authorized Users;

(b) have an incident management process to identify, escalate, investigate and report any privacy and/or security incident relating to the Data in the Repository which affects the HSP’s Clients, such process to interface with and support the CBI incident management process;

(c) have a process to handle Client requests to access, or correct their PHI, or challenge the HSP’s privacy practices. Any such requests must be communicated to CAMH at the first reasonable opportunity;

(d) have a process to handle a Client’s request to not share their PHI and to withdraw their consent for sharing PHI (Lockbox), and to the extent that this impacts the Data, communicate this immediately to CAMH;

(e) keep Shared Client Data confidential and secure and use the same degree of care to protect such Data, as the HSP uses to protect its PHI of a like nature, but in any event, in maintaining such Shared Client Data confidential and secure, it shall not use a standard of care that is less than a reasonable standard of care;

(f) access the Data only in compliance with this DSA and Applicable Legislation;

(g) take reasonable steps to ensure the physical, administrative, and technological security of PHI in its custody or control and to prevent theft, loss and unauthorized access, copying, modification, use, disclosure or disposal of PHI;

(h) maintain such policies, procedures and systems as necessary to prevent unauthorized persons from having access to, collecting, using, disclosing, modifying, disposing, copying, stealing or otherwise committing any other act that could breach or compromise the confidentiality, availability, accessibility, integrity, structure, format or content of the PHI of a Client that has been uploaded into the Repository by another HSP, or the privacy of that Client;

(i) ensure that its Agents, including its Authorized Users, are aware of and comply with the requirements of this DSA with respect to the sharing of PHI through the Repository;

(j) be responsible for notifying its Clients of any inappropriate use, access, disclosure, theft or loss of any PHI in its custody; and

(k) provide training to its Agents, including its Authorized Users, with respect to their legal obligations relating to privacy and PHI generally.

5.7 The Privacy, Security and Data Access Sub-Group may recommend to the CBI Working Group that specific privacy reviews and/or assessments be conducted of the HSPs to ensure that HSPs are complying with the requirements under this DSA and may further recommend to the CBI Working Group steps for dealing with non-compliance. Each HSP shall cooperate with any privacy or security review or assessment, which shall be carried out in such a manner as not to interfere unduly with the day-to-day operations of the HSP.

5.8 Consent Management. Each HSP agrees to:

(a) in accordance with its own policies and procedures, take steps in compliance with PHIPA to ensure that Clients are knowledgeable about the purposes of the collection, use and disclosure of their Data and that they may give or withhold their consent to the sharing of their PHI through the Repository; and

(b) have a process to manage Client requests to withhold/withdraw (or reinstate) consent to share Data, and communicate any such requests to CAMH as HINP at the first reasonable opportunity.

SECTION 6. PRIVACY AND SECURITY OBLIGATIONS OF CAMH

Privacy Requirements of CAMH as HINP under the Regulation

6.1 CAMH shall comply with the following privacy and security requirements under the Regulation as a result of its status as a HINP:

(a) notify every applicable HSP at the first reasonable opportunity, if CAMH accessed, used, disclosed or disposed of PHI for purposes other than for providing the Services;

(b) develop and implement privacy and security policies and standard operating procedures appropriate to its role as a HINP, and make available to the HSPs copies of such documents upon request, including the policies set out in Schedule J (as amended from time to time);

(c) provide privacy and security training to CAMH Personnel responsible for delivering the HINP Services which communicates the privacy obligations to which CAMH is subject in this DSA;

(d) provide the HSPs with a plain language description of the HINP Services that CAMH provides to the HSPs through the CBI Project that is appropriate for sharing with their Clients, including a general description of the safeguards implemented by CAMH to protect PHI in the custody of the HSP against unauthorized use and disclosure, and to protect the integrity of the information. This plain language description is set out in Schedule I;

(e) make available to the public the plain language description of the services and safeguards that CAMH has in place for the HSPs, as well as CAMH policies that govern the services that CAMH provides to the HSPs;

(f) maintain and make available to any HSP, on request of the HSP, an electronic record of:

(i) every access to all or a part of the PHI associated with the HSP and the CBI Project that is held in equipment controlled by CAMH, which record identifies the person who accessed the PHI and the date and time of the access, and;

(ii) every transfer of all or a part of PHI associated with the HSP and the CBI Project, which record identifies the person who transferred the information, the person or address to whom it was sent, and the date and time it was sent;

(g) perform, and provide to any HSP that requests a written copy of the results, an assessment of the HINP Services that CAMH provides to the HSPs, and which indicates:

(i) any threats, vulnerabilities and risks to the security and integrity of the PHI (“TRA”); and

(ii) a description of the remediation plan for any such threats, vulnerabilities and risks acceptable to CAMH and the Lead Agency;

(h) perform, and provide to an HSP a written copy (upon request) of the results of an assessment of the HINP Services that CAMH provides to the HSPs, and which indicates:

(i) how the HINP Services may affect the privacy of the individuals who are the subjects of the PHI (“PIA”); and

(ii) a description of the remediation plan for any such privacy risks, acceptable to CAMH and the Lead Agency; and

(i) ensure that any third party it retains to assist in providing HINP Services agrees to comply with the requirements to which CAMH is subject as an Agent and HINP under the DSA.

Access, Use and Disclosure of PHI:

6.2 Restrictions on Use: CAMH may only access and use Data of HSPs provided to CAMH that is necessary to provide the Services as directed by the HSPs.

6.3 Disclosure of Data: CAMH shall not disclose any PHI to which it has access except as directed by the HSPs and in accordance with PHIPA and this DSA.

6.4 Access by CAMH Personnel: CAMH shall give access to Data only to those of its Personnel acting on its behalf who are Authorized Users and who have a legitimate need to access the Data in order to fulfill CAMH’s obligations under this DSA.

6.5 Agreement with Personnel: CAMH shall not permit any of its Personnel, including third parties, to access the Data under this DSA unless such Personnel agree in writing to comply with the restrictions that apply to CAMH under PHIPA and this DSA.

Safeguards:

6.6 CAMH shall comply with the obligations accruing to an Agent under PHIPA. At a minimum, CAMH shall maintain the technical, administrative, physical and information security safeguards specified in Schedule G.

Accountability and Requests for Access/Correction:

6.7 Privacy Officer: CAMH has a designated privacy officer who shall be responsible for compliance by CAMH with the security and privacy obligations flowing from this DSA. The coordinates for the privacy officer are: Information and Privacy Office at 416-535-8501 x 33314 or [email protected]. Any amendments to the coordinates will be set out on the CBI Website.

6.8 Requests for Access: If CAMH receives a request for access or correction to PHI that CAMH has been provided by an HSP in order to provide the Services, it shall direct the request to the privacy officer for the HSP that collected the PHI at the coordinates specified on the CBI Website.

6.9 Privacy Breaches and Complaints:

(a) If CAMH becomes aware that PHI has been stolen or lost, or a person has obtained unauthorized access to PHI, or CAMH has used, disclosed or disposed of the PHI other than as contemplated in this DSA or in accordance with applicable law (collectively referred to in this sub-section as the “Breached PHI”), then CAMH shall at the first reasonable opportunity (not to exceed two Business Days) notify the privacy officer of the HSP that provided the PHI to CAMH as well as the Lead Agency by telephone followed by written notice at the coordinates set out in the CBI Website. The HSP shall contact the Client to whom the Breached PHI relates, in accordance with the HSP’s and CBI Project’s procedures for notification of a privacy breach. The Lead Agency shall advise the CBI Working Group of the breach and CAMH shall cooperate with the HSP, the Lead Agency and the CBI Working Group to deal with such breach.

(b) If an HSP receives a complaint regarding its collection, use, or disclosure of PHI in regard to the CBI Project, it shall deal with such complaint in accordance with the CBI Privacy Incident and Breach Management Policy posted on the CBI Website.

(c) If CAMH receives a complaint about the Services (but which does not involve the PHI of an HSP), it shall deal with such complaint in accordance with its own procedures for dealing with complaints, and shall immediately advise and consult with the Lead Agency about the complaint and about CAMH’s plans to deal with the complaint. The Lead Agency shall advise the CBI Working Group of the complaint and CAMH shall cooperate with the Lead Agency and the CBI Working Group to deal with such complaint.

(d) Without limiting the provisions of this SECTION 6, each Party agrees to cooperate with the other Parties in the event of a privacy breach, complaint or incident, including any complaints to the Information and Privacy Commissioner for Ontario, and take all necessary steps to deal with such breach, complaint or incident.

General

6.10 CAMH shall provide notice to, and obtain consent from, the Lead Agency and the Privacy, Security and Data Access Sub-Group, prior to implementing any substantive change to its technology environment or to the Schema that could impact the privacy or security of the CBI Project. CAMH shall not use any form of cloud computing for the CBI Project.

6.11 The Lead Agency may upon reasonable notice to CAMH and during a Business Day audit the premises of CAMH to determine if CAMH is in compliance with the privacy and security obligations set out in this DSA.

6.12 This SECTION 6 and Schedule G shall survive the termination or expiry of this DSA.


SECTION 7. GOVERNANCE OF THE CBI PROJECT

7.1 CBI Working Group. The CBI Working Group guides and provides advice on the establishment, implementation and operation of the CBI Project, including reports to be provided to the LHIN and HSPs and future linkages of Data with other health care organizations, prescribed entities and a prescribed organization under PHIPA for an electronic health record. The terms of reference for the CBI Working Group are set out in Schedule B. The Parties acknowledge that the terms of reference are a living document and may be amended from time to time by the CBI Working Group, such amended terms of reference to form part of this DSA. Membership in the CBI Working Group shall include representation from the three sub-sectors of the Community Sector, the Lead Agency, CAMH, the LHIN, privacy and security and other subject matter experts, as needed and upon invitation of the CBI Working Group. The CBI Working Group shall report on an annual basis to the HSPs on the progress of the CBI Project, including the activities that have been successful and those that require improvement.

7.2 Accountability to the LHIN. The Parties acknowledge that the CBI Working Group and the Parties are ultimately accountable to the LHIN, through the LHIN Performance Measurement and Information Management Director and Team, and that the CBI Project is subject to funding from the LHIN.

7.3 Privacy, Security and Data Access Sub-Group. A Privacy, Security and Data Access Sub-Group has been established by the CBI Working Group to, among other items:

(a) support and assist with any privacy and security matters arising from the CBI Project and compliance with PHIPA;

(b) consider issues relating to access to Data, including research and other access requests;

(c) develop, review and amend CBI policies and procedures, where required;

(d) consider the criteria for which changes to the privacy and security environment for the CBI Project will require a PIA and/or TRA; and

(e) review this DSA and any addenda thereto.

7.4 Recommendations. The Privacy, Security and Data Access Sub-Group shall develop recommendations for consideration by the CBI Working Group concerning (among other items):

(a) retention of Data (and De-identified PHI) by the CBI;

(b) De-identification of Data;

(c) requests for Data; and

(d) parameters for queries of De-identified Data by the LHIN.

7.5 Membership. Membership for the Privacy, Security and Data Access Sub-Group shall be invited from the three sub-sectors of the Community Sector, the Lead Agency, CAMH, legal counsel with expertise in privacy, subject matter experts and representation from the LHIN.

7.6 Other Committees/Sub-Groups. The CBI Working Group may establish such other standing and ad hoc committees or sub-groups as are required from time to time, to assist in the operation of the CBI Project. Such committees/sub-groups shall be recommendatory bodies and shall present their recommendations to the CBI Working Group for approval. The Parties acknowledge that the roles and responsibilities of the various committees/sub-groups may change over time as more committees/sub-groups are established.

SECTION 8. EXECUTIVE SPONSORS

8.1 Each Party shall appoint a principal person from their respective organization to act as the executive sponsor (the “Executive Sponsor”) for this DSA. The Executive Sponsor for the Lead Agency shall be the Chief Operating Officer and for CAMH shall be the Director, DATIS. The coordinates for the Lead Agency and CAMH Executive Sponsors are specified in sub-section 14.1 and on the CBI Website.

8.2 In addition to the duties enumerated elsewhere in this DSA, the Executive Sponsor of each of the Parties shall be responsible for the overall management of the relationship between the Parties and be the person for notice and approvals required under the DSA. Each Party may change its Executive Sponsor upon notice to the Lead Agency, which shall update the list on the CBI Website accordingly.

SECTION 9. REPORTS

9.1 CAMH shall provide reports to HSPs about their Data.

9.2 CAMH shall report at least yearly to the Lead Agency on any substantive changes to the privacy and security environment for the CBI Project.

9.3 CAMH shall facilitate the LHIN to obtain reports in respect of the De-identified Data, but shall not, under any circumstances, provide PHI to the LHIN.

9.4 CAMH shall ensure that any reports provided to the LHIN are provided in a manner that is non-identifying and the Parties acknowledge that factors such as a small cell size and unique geographical and other Data elements need to be considered to ensure that none of the information provided is identifiable as that term is referred to in PHIPA. Where required, CAMH will suppress Data within an aggregate report when any cell in a table contains too few observations, or the Data may be combined with Data in another cell or cells, to eliminate risks of identification.

SECTION 10. REPRESENTATIONS, WARRANTIES AND COVENANTS

10.1 General Representations, Warranties and Covenants. Each Party warrants, represents and covenants to the other Parties that it:

(a) is duly incorporated and in good standing under the laws of the Province of Ontario and/or the federal laws applicable thereto;

(b) has full power and authority to enter into and comply with this DSA, the representatives signing the DSA are duly authorized signing authorities, and all necessary acts and procedures have been taken in order to authorize the DSA;

(c) has no other agreement that would interfere with its obligations under the DSA;

(d) is not aware of any actual or potential conflict of interest that it has in entering into this DSA;

(e) operates and shall operate in compliance with all Applicable Legislation impacting its obligations under this DSA, including compliance with the provisions of PHIPA; and

(f) holds and shall hold all permits, licenses, consents, and authorities necessary to perform its obligations under the DSA.

10.2 CAMH Performance Warranties and Covenants. CAMH warrants, represents and covenants to the other Parties that, in its capacity as service provider and HINP, it will:

(a) perform the Services diligently and competently by experienced and qualified Personnel, in a thorough manner to a standard of professional competence in accordance with industry practices;

(b) ensure, with respect to any contract between CAMH and a contractor (who is not an employee of CAMH) for the performance of the Services (or a part thereof), that it will enter into a written agreement with such contractor containing terms and conditions that are applicable to the contractor that are no less stringent than those included in this DSA;

(c) provide the Services to respond to the needs of the Parties in a timely fashion in accordance with all agreed upon timelines applicable to the Services;

(d) locate the Services and any Data storage only in Ontario in order to ensure that there is no cross-border transfer of Data;

(e) provide the Services in a manner that will permit interoperability and compatibility with other products and services necessary to implement the CBI Project;

(f) provide the Services in compliance with the policies existing and to be developed for the CBI Project and provided to CAMH (CAMH is involved in development of the policies through its participation on the Privacy, Security and Data Access Sub-Group); and

(g) ensure that CAMH Personnel that are directly funded by the CBI Project or who otherwise work on the CBI Project are trained in CBI Project policies.

10.3 While each HSP shall use reasonable efforts to ensure that PHI of Clients that it uploads to the Repository is accurate, complete and up-to-date as necessary for its own purposes, no HSP warrants or represents to any other Party the accuracy or the completeness of any PHI contained within the said environments. However, each HSP acknowledges the importance of ensuring that Data is accurate and up-to-date in order to maintain the utility of Shared Client Data.

10.4 The Parties acknowledge and agree that each of them is relying upon the representations, warranties and covenants set out herein in executing this DSA and that the representations, warranties and covenants set out in this SECTION 10 survive the execution of this DSA and shall be true throughout the term of this DSA.

SECTION 11. COMMUNICATIONS/CONFIDENTIAL BUSINESS INFORMATION

11.1 Each Party agrees that, except as required to perform the Services or with prior written approval of the affected Party, it will not disclose to any person, firm, corporation or other entity any Confidential Business Information that belongs to or is in respect of another Party or that becomes known to a Party as a result of this DSA.

11.2 The DSA shall be posted on the CBI Website. No Party shall make any statement to the press or public communication about the CBI Project without the prior written approval of The Lead Agency. Notwithstanding the foregoing, the Parties understand that CAMH is bound by the Freedom of Information and Protection of Privacy Act, 1990 (“FIPPA”) and that records supplied by the Parties to CAMH may therefore be subject to access under FIPPA. CAMH cannot guarantee that the confidentiality of this DSA or records created or provided by the Parties will be preserved if a request for access is made under FIPPA. CAMH shall follow all relevant procedures set out in FIPPA for the processing of a request including the provision of notification to the Parties that access has been requested.

11.3 This SECTION 11 shall survive the termination or expiry of this DSA.

SECTION 12. DISPUTE RESOLUTION

12.1 The Parties agree to open, honest and timely communication regarding this DSA and their obligations hereunder.

12.2 Where a dispute arises, the Executive Sponsors for the involved Parties shall try to resolve the dispute.

12.3 For situations where the Executive Sponsors cannot agree upon a solution within one week of the issue being raised, the issue may be referred by any of the Parties to their Executive Directors (or such other of its senior managers designated by a Party), for resolution within a further one week period.

12.4 If the Parties cannot resolve the dispute, the matter shall be considered by the CBI Working Group for resolution within two weeks of the matter being referred to the CBI Working Group.

12.5 If the matter still is not resolved to the satisfaction of the Parties, any Party may withdraw from and terminate its rights and obligations under this DSA in accordance with, as applicable, Sections 13.3 (in the case of The Lead Agency), 13.4 (in the case of an HSP) and 13.5 (in the case of CAMH), provided that all provisions of this DSA which by their nature survive or are specifically set out as surviving the termination or expiry of this DSA shall remain in force.

SECTION 13. TERM AND TERMINATION

13.1 The term of this DSA commences on the Effective Date and will continue unless:

(a) terminated in accordance with this SECTION 13;

(b) the LHIN or other funder ceases to provide or diminishes funding for the CBI Project; or

(c) an order or direction is issued from the Minister of Health and Long-Term Care, applicable to the LHIN or regulatory/funding body that is inconsistent with the ability of the Parties to fulfil this DSA.

13.2 New HSPs may enter into this DSA on a staggered basis through the signing of a DSA Adhesion Agreement and shall only be responsible for the obligations hereunder as of the effective date set out in their DSA Adhesion Agreement (referred to as the Adhesion Date).

13.3 The Lead Agency may terminate this DSA for any reason upon 60 days’ written notice to the other Parties.

13.4 An HSP shall have the right to withdraw from and terminate its rights and obligations under this DSA upon 60 days’ written notice to the other Parties.

13.5 In order to provide time for an appropriate transition of Services, CAMH may terminate this DSA upon six months’ prior written notice to the other Parties.

13.6 If an HSP or CAMH is in default of its obligations under this DSA, the Lead Agency may give notice of default to such HSP or to CAMH as the case may be, specifying the nature of the default, and if the defaulting HSP or CAMH has not within 30 days after receipt of such notice, cured such default to the satisfaction of the Lead Agency, the Lead Agency may terminate CAMH or the HSP as a Party to this DSA, for default.

13.7 If the Lead Agency is in default of its obligations under this DSA, any Party may give notice of default to the Lead Agency (with a copy to the other Parties), specifying the nature of the default, and if the Lead Agency has not within 30 days after receipt of such notice, cured such default to the satisfaction of such Party, the Party shall bring the matter to the CBI Working Group for resolution. If no resolution is achieved by the CBI Working Group within 30 days, the Party may bring the matter to the LHIN for resolution. If the aggrieved Party is CAMH, CAMH shall bring the matter directly to the LHIN for resolution.

13.8 Notwithstanding sub-section 13.6, the Lead Agency shall be able to suspend the access of a Party to the Repository immediately upon written notice, if there is a material breach of the privacy and confidentiality provisions of this DSA by such Party and such access shall not be reinstated until such time as the Lead Agency is satisfied that the material breach has been rectified.

13.9 Upon the termination of this DSA or a Party for any reason:

(a) the Parties shall use reasonable commercial efforts to cooperate to minimize any disruption caused by the termination and to transition any of the Services or obligations if required, including in the case of CAMH to take whatever action is necessary in order to transfer the Repository and related technology and equipment back to the Lead Agency or a third party, all as directed by the Lead Agency;

(b) all of the privacy and security obligations of the Parties will continue after termination;

(c) in addition to the provisions of (a) and (b) above, if an HSP has been terminated or withdraws from its participation in the DSA, then any Data (PHI) held by CAMH that has been uploaded to the Repository in respect of such HSP will, to the extent possible, be securely deleted or dealt with as otherwise instructed by the HSP and in accordance with the Data Retention Policy for the CBI Project; and

(d) in addition to the provisions of (a), (b) and (c) of this sub-section 13.9, if CAMH terminates its participation as a Party or if CAMH is terminated as a Party to this DSA by the Lead Agency, then all Data held by CAMH shall either be securely transferred to a new HINP or securely deleted within six months of notice of termination, as directed by the Lead Agency and the HSPs.

The CBI Working Group shall assist in ensuring an orderly transition in the event of termination of the DSA or the participation of any Party to this DSA.

SECTION 14. NOTICES

14.1 All notices under this DSA shall be in writing and shall be served by personal delivery, mail, email or facsimile transmission at the address of the receiving Party as set forth below or in the CBI Website (or at such different address as may be designated by such Party by written notice to the Lead Agency, provided that the Lead Agency updates the contact information for such Party by updating the CBI Website). All notices by mail shall be by registered mail; return receipt requested and shall be deemed delivered on the fifth Business Day after mailing. All notices by personal delivery shall be deemed delivered on receipt if during a Business Day (if not on a Business Day, then it shall be deemed delivered on the next Business Day). All notices by email or facsimile transmission shall be deemed delivered on the next Business day following the day of sending provided that there is evidence of a successful transmission.

For CAMH:
Centre for Addiction and Mental Health
Drug & Alcohol Treatment Information System Program
33 Russell Street – 3rd Floor
Toronto, ON M5S 2S1
Email: [email protected]
Attention: Claudio Rocca, Director
Fax: (416)593-4694

c.c. Sarah Lowy, Corporate Legal Counsel
Centre for Addiction and Mental Health
Bell Gateway Building, 6th Floor
100 Stokes Street
Toronto, ON M6J 1H4
Fax: 416-583-1236
Email: [email protected]

For the Lead Agency:
Reconnect Community Health Services
56 Aberfoyle Crescent, Ste. 400
Toronto, ON M8X 2W4
Email: [email protected]
Attention: Mohamed Badsha, Chief Operating Officer
Fax: (416) 248-6557

Notices for the HSPs shall be to the Executive Sponsors specified in the CBI Website and their coordinates therein.

SECTION 15. INDEMNIFICATION AND INSURANCE

15.1 Each Party (in this sub-section, the “Indemnifying Party”) shall indemnify and hold harmless the other Parties (in this sub-section, the “Indemnitee”) against any and all third party civil or administrative actions, claims or proceedings (including proceedings or complaints under PHIPA) and reasonable legal fees, incurred by the Indemnitee and result from the negligence of the Indemnifying Party in its performance under this DSA or the breach of its covenants and agreements under this DSA by the Indemnifying Party or its Personnel, on the condition that the Indemnitee shall provide prompt written notice of any claim that might give rise to such liability and co-operate in the defence of such claim, including the provision of material documentation in compliance with Applicable Legislation, and further provided that the Indemnitee may, at its option, assume responsibility for the defence of or response to such third party claim.

15.2 CAMH shall also indemnify and save harmless the other Parties against any and all claims or liabilities of any kind whatsoever arising from any third party suit or proceeding brought against the other Parties for the alleged infringement of any copyright, trademark, trade secret or other intellectual property or proprietary right, where such infringement has arisen out of CAMH's performance of the Services.

15.3 No Party (including their Personnel) shall be liable to the other Party or Parties or their Personnel in any way whatsoever, for any indirect, punitive, incidental, special or consequential damages, including, but not limited to, loss of savings or profit, nor for any lost revenue. This limitation shall apply whether or not such damages are foreseeable and whether or not the non-defaulting Party or Parties have been advised of the possibility of such damages.

15.4 Each Party shall maintain and pay for adequate liability insurance to cover its obligations under this DSA, and at minimum shall maintain: Commercial General Liability Insurance, for third party bodily injury, personal injury and property damage to an inclusive limit of not less than five million dollars ($5,000,000) per occurrence and not less than five million dollars ($5,000,000) in the annual aggregate.

15.5 Upon request by a Party, the other Parties shall provide a valid certificate of insurance and any replacements thereof that reference this DSA, and confirms the above requirements.

15.6 The obligations under this Section survive the termination or expiration of this DSA.

SECTION 16. OWNERSHIP OF INTELLECTUAL PROPERTY

16.1 The ownership of intellectual property (arising from the Services) between CAMH and the Lead Agency shall be as set out in the Funding Agreement and survives the termination or expiry of the DSA.

SECTION 17. GENERAL/INTERPRETATION

17.1 Background. The Parties acknowledge and agree to the accuracy of the statements set out in the Background, which statements form part of this DSA.

17.2 Independent Contractors. Nothing contained in this DSA shall constitute or be deemed to create a partnership, joint venture or principal and agent relationship between the Parties. The Parties shall each act as independent contractors for the purposes of this DSA. Without limiting the foregoing, each Party covenants and agrees with every other Party that:

(a) it shall be solely responsible for obtaining any necessary licences and permits and for complying with any Applicable Legislation pertaining to the employees or agents it engages in carrying out its obligations under this DSA and shall, where applicable, pay, deduct, and remit to the appropriate government authority income tax and employer and employee contributions, premiums and assessments for Canada Pension, Employment Insurance, Employer Health Tax and Workplace Safety and Insurance Board coverage in respect of its employees and agents, and any similar deductions or payments which may from time to time be applicable to such employees and agents; and

(b) its own employees shall remain under the exclusive control and direction of its board of directors and management, including, without limitation, with respect to the performance of its obligations under this DSA.

17.3 Jurisdiction of Laws This DSA shall be governed by the laws of Ontario and Canada applicable therein. The Parties irrevocably submit to the non-exclusive jurisdiction of the courts of Ontario.

17.4 Survival In addition to those provisions of this DSA specified as surviving the termination or expiry of this DSA or which could reasonably be expected to survive the DSA, the obligations set out in clauses 5.4(g) (with respect to an HSP, to the extent the HSP has custody or control of Data of other HSPs that the HSP received pursuant to this DSA) and 10.2(d), sub-sections 3.3, 5.6, 12.5, 13.9, 16.1 and 17.4 shall survive the termination of this DSA for any reason whatsoever.

17.5 Entire Agreement/Amendments This DSA and addenda to this DSA (including the Addendum 1 Agreement as amended by the DSA), together with the Schedules constitute the complete contract between the Parties relating to the subject matter hereof and supersede any prior or contemporaneous agreement or understanding whether written or oral, except that, it is hereby acknowledged and agreed, between CAMH and Lead Agency that the subject matter of this DSA is also the subject matter of the Funding Agreement and any agreements entered into pertaining to the Funding Agreement. Any amendments to this DSA must be in writing and signed by the Parties.

17.6 Waiver Any waiver of, or consent to depart from, the requirements of any provision of this DSA shall be effective only if it is in writing and signed by the Party giving it, and only in the specific instance and for the specific purpose for which it has been given. No failure on the part of any Party to exercise, and no delay in exercising, any right under this DSA shall operate as a waiver of such right.

17.7 Approvals Except where expressly provided as being in the discretion of a Party, if an approval, acceptance, consent, or similar action by a Party is required under the DSA, then such action shall not be unreasonably delayed or withheld.

17.8 Assignment/Transfer No Party may assign, transfer or otherwise dispose of all or any part of its rights or obligations under this DSA without the prior written consent of the other Parties.

17.9 Severability If any provision of this DSA shall be determined to be invalid, illegal or unenforceable, the remaining provisions of this DSA shall not be affected thereby.

17.10 Gender and Number In this DSA, words importing the singular include the plural and vice versa and words importing gender include all genders, including the neutral gender.

17.11 Successors and Assigns This DSA shall enure to the benefit of and be binding upon the Parties and their respective successors and permitted assigns.

17.12 Other Agreements/Further Assurances Each of the Parties shall upon a reasonable request by any of the Parties, execute and deliver such further documents and do such further acts and things as the requesting Party or Parties may request to evidence, carry out and give full effect to the terms, conditions, intent and meaning of this DSA.

17.13 Legislation Any reference to a statute shall mean the statute in force as at the date hereof, together with all regulations promulgated thereunder and rules and bylaws if relevant, as the same may be amended, re-enacted, consolidated or replaced from time to time, and any successor statute or regulation, rule or bylaw.

17.14 Counterparts/Signatures This DSA may be executed in counterparts. Each executed counterpart shall be deemed to be an original. All executed counterparts taken together shall constitute one agreement. Signatures may be original, faxed, in electronic format or scanned.

SECTION 18. CONDITIONS

18.1 The disclosure to HSPs of Shared Client Data contemplated in this DSA is conditional upon:

(a) the PIA being completed and made available to all Parties (upon request);

(b) the TRA being completed and made available to all Parties (upon request);

(c) a risk remediation plan, if required, being agreed to by the Lead Agency and CAMH in respect of risks identified in the PIA and TRA;

(d) a plain language description of the HINP Services being provided to HSPs as contemplated in clause 6.1(d) of the DSA; and

(e) a plain language description being made available by CAMH to the public, as contemplated in clause 6.1(e) of the DSA through posting of the description on the CAMH website as well as on the CBI Website.

SECTION 19. CONSEQUENTIAL AMENDMENTS TO THE ADDENDUM 1 AGREEMENT AND ICES DSA

19.1 The Addendum 1 Agreement is hereby amended as follows, except that the following amendments shall not apply for the provisions of Schedule C of the Addendum 1 Agreement which shall remain the same:

(a) The phrase “Adhesion Agreement” shall be replaced with “DSA Adhesion Agreement”;

(b) In paragraph A of the Background, the phrase “Electronic Service Provider Agreement dated as of March 1, 2014 (“ESPA”)” shall be replaced with the phrase “Data Sharing and Health Information Network Provider Agreement dated as of December 1, 2015 (“DSA”)” and the phrase “an Adhesion Agreement” shall be replaced with the phrase “a DSA Adhesion Agreement”;

(c) The references to “ESPA” shall be replaced with “DSA”;

(d) The reference to “Electronic Services Provider” shall be replaced with “Health Information Network Provider”;

(e) In sub-section 2 (b), the phrase “as referenced in section 5.1 of the ESPA” shall be replaced with the phrase “as referenced in section 7.1 of the DSA”;

(f) In Section 8, the reference to “Clause 9.18 (a) of the ESPA” in the third line shall be replaced with “Clause 6.9(a) of the DSA”;

(g) In Section 13, the references to sub-sections “12.6”, “12.8” and “12.9” shall be replaced with sub-sections “13.6”, “13.8” and “13.9” respectively; and

(h) In the last paragraph of Addendum No. 1, add in the statement: “For New HSPs that have never entered into the Addendum 1 Agreement, the effective date of execution of the Addendum 1 Agreement is the effective date set out in their DSA Adhesion Agreement”.

19.2 The HSPs acknowledge that as a result of this DSA, consequential amendments to the ICES DSA may be required. The HSPs hereby appoint the Lead Agency (and the Lead Agency hereby accepts such appointment) to be their contracting agent (“CBI Agent”) for purposes of entering into a consequential amending agreement to the ICES


SCHEDULE A – THE ADDENDUM 1 AGREEMENT

The Addendum 1 Agreement is posted on the CBI Website and incorporated by reference herein as Schedule A to this DSA.


SCHEDULE B - TERMS OF REFERENCE FOR THE COMMUNITY BUSINESS INTELLIGENCE WORKING GROUP

Overview

In the spring of 2012 the Community Business Intelligence Project Reference Group was formed to develop a set of common data elements to support sector and organizational planning and development for the Community Sector service providers in the Toronto Central LHIN. In June 2012, the reference group in collaboration with the CBI Project Team produced a final report with 10 recommendations.

The Toronto Central LHIN reviewed the recommendations and is in support of moving forward with the implementation for the community sector.

Working Group Objectives

The purpose of the Community Business Intelligence Working Group is to oversee the implementation of the CBI Project. This group will work with the CBI Project Team to advise, offer input and ensure a broad community sector perspective is considered throughout the implementation. As membership continues to be appropriate for subsequent phases of activity, this group may be leveraged.

Responsibilities

Determine scope and criteria for early adopter phase

Review implementation approach for early adopter phase

Identify challenges and success from early adopter phase and make recommendations for implementation approach for full rollout

Oversee full rollout implementation

Identify requirements for data linkages with other appropriate data sources

Identify priorities and criteria for electronic service provider to house the data repository

Recommendations on data access and reporting

Oversee any additional activities to support the implementation of Phase 1

Oversee activity related to the feed of data to ICES and contribute to the development of reports

Oversee any additional tiers of activity as appropriate.

Membership

The CBI Working Group will be comprised (based on number of HSPs in each subsector, and with intent to include HSPs which offer services in more than one subsector) of:

Representatives (up to 3) from CSS HSPs

Representatives (up to 3) from CMH HSPs

Representatives (up to 3) from Addiction HSPs

Subject matter experts as required

Toronto Central LHIN Representation

The working group reserves the right to adjust representation as required.

Sub Group

Sub groups will be assembled as necessary. The requirement for the sub group will be determined by the CBI working group.

Meeting Frequency and Administration

Meetings will be held bi-monthly or at the call of the CBI project team to oversee the implementation of the CBI project. The CBI project team will be responsible for meeting administration.

Decision Making

The CBI working group will adopt a consensus model of decision-making. As such, deliberations of the working group will seek to build consensus based on full consideration of the needs and requirements of HSPs to most effectively serve and support persons in the TC LHIN who require support, service and treatment in the community. Where consensus is not an option the working group will adopt an approach to bring the topic to resolution. As the CBI working group is an advisory body, recommendations regarding the implementation of CBI will be presented to the TC LHIN Performance Measurement and Information Management Director and Team for approval.

Duration

The CBI Working Group will be initiated in February 2013 and will remain until March 2016. A determination for extending the term of the working group will be made at that time.


SCHEDULE C - INITIAL LIST OF ELEMENTS OF CLIENT INFORMATION TO BE UPLOADED TO REPOSITORY AND FORM PART OF DATA (AS AT EFFECTIVE DATE)

| Element | Description |
| --- | --- |
| orgId | The master number issued by the MOHLTC. |
| clientId | The value that uniquely identifies a Client within a software and agency record. |
| healthcardNo | The OHIP health card number. |
| firstname | First name provided by the Client. |
| lastnameAtBirth | Last name on the Client’s birth certificate. |
| lastnameCurrent | Last name provided by the Client. |
| middleNames | Middle name(s) provided by the Client. |
| dateOfBirth | The date of birth that appears on the Client’s birth certificate. |
| Age | The actual or estimated age provided by a Client if their date of birth is not available. Note: If you collect the date of birth, you do not need to collect the age as well. |
| Gender | The gender selected by the Client. |
| address1 | The address provided by the Client. |
| address2 | The address provided by the Client. |
| City | The city provided by the Client. |
| postalCode | The Canadian postal code for the address provided by the Client. |
| lhin_OfResidence | The LHIN in which the Client resides. |
| Phone | The primary phone number provided by the Client. |
| program_enrollmentId | The (primary) key that uniquely identifies a record in the table storing admissions to functional centres (or programs). |
| fc_Id | The functional centre ID. |
| fc_referralDate | The date upon which the HSP becomes aware of a Client’s referral to a functional centre for service. |
| fc_admissionDate | The date on which the HSP registers a Client into a functional centre. |
| fc_serviceInitDate | The date on which service delivery in a functional centre/Client starts or started. |
| fc_dischargeDate | The date on which the HSP deregisters a Client from a functional centre. |


SCHEDULE D - DSA ADHESION AGREEMENT

INSTRUMENT OF ADHESION dated ____________________________________ (“Adhesion Date”) by [insert organization’s name] (the "HSP") to the Data Sharing and Health Information Network Provider Agreement made as of the first day of December, 2015 among Reconnect Community Health Services, Centre for Addiction and Mental Health and the Health Service Providers that enter into the DSA Adhesion Agreement (the "DSA").

NOW THEREFORE in consideration of being accepted as a Party to the DSA, the HSP, intending to be legally bound hereby, covenants and agrees with all present and future parties to the DSA as follows:

1. The HSP represents and warrants that it is a health information custodian for purposes of the Personal Health Information Protection Act, 2004.

2. The HSP hereby covenants to and agrees with each of the other parties to comply with and be bound by all of the terms and conditions of the DSA, as and from the Adhesion Date, as if the HSP were an original Party thereto and to the same extent as the other Parties to the DSA, and, without limiting the foregoing, to observe, fulfill and perform all of the obligations of an HSP under the DSA.

3. All capitalized terms used but not defined herein have the meanings set out in the DSA.

4. For purposes of SECTION 8 of the DSA, the HSP hereby designates its: [title] as the Executive Sponsor, with the following coordinates:

<insert name and title of Executive Sponsor>
<insert HSP’s address>
<insert HSP’s telephone number>
<insert HSP’s fax number>
<insert HSP’s email address>

5. For purposes of Section 6.8 of the DSA, the HSP’s Privacy Officer is as set out below:

<insert name and title of Privacy Officer>
<insert Privacy Officer’s address>
<insert Privacy Officer’s telephone number>
<insert Privacy Officer’s fax number>
<insert Privacy Officer’s email address>

[Insert Full Legal Name of HSP]

By: __________________________________ I have authority to bind the corporation

The foregoing Instrument is hereby accepted by the current Parties to the DSA and the HSP has accordingly become a Party to the DSA as of the Adhesion Date, as evidenced by receipt by the Lead Agency of a completed and executed DSA Adhesion Agreement and posting of the coordinates of the HSP on the CBI Website.


SCHEDULE E – HINP SERVICES TO BE PROVIDED BY CAMH

CAMH, through DATIS and as a PHIPA Agent of the HSPs, shall, upon and subject to the terms and provisions of the DSA of which this Schedule is a part, provide HINP Services, including the following:

a) host the Repository;

b) trouble shoot with HSPs and Vendors having challenges submitting Data into the production environment;

c) provide test and live credentials to HSPs and Vendors;

d) provide reports to HSPs and the LHIN and support queries from the LHIN and from HSPs regarding their Data, all as further specified in SECTION 9 of this Agreement;

e) comply with all requirements under PHIPA for HINPs;

f) have a process in place to handle Client requests to not share their PHI (Lockbox);

g) provide an EMPI solution for matching of Data, through a contracted third-party;

h) host the EMPI hardware and software components and manage the EMPI for purposes of Data linkage and accuracy;

i) provide or contract for any support required for the EMPI solution and establish and manage the EMPI operational processes;

j) manage Data retention in accordance with requirements from the Privacy, Security and Data Access Sub-Group;

k) provide notification to all HSPs of any unplanned outage or downtime, as soon as reasonably possible;

l) participate in the CBI Working Group, and its various committees including the Privacy, Security and Data Access Sub-Group, as required;

m) provide incident and breach management support to HSPs, including advising the Lead Agency and any HSP of any breach or incident with respect to their PHI;

n) delete PHI from the Repository upon request by the HSP that provided the PHI;

o) upload the Data to the Repository for any HSP that is a Party to this DSA, including any HSP that is in the community addictions sub-sector (already submitting Data to CAMH);

p) develop, maintain and make available Shared Client Data for Authorized Users of the HSPs in order to provide or assist in the provision of health care services to Clients;

q) support the HSPs in collaborating with researchers who have entered into research agreements with the particular HSP and to whom the HSP has disclosed PHI for research purposes;

r) De-identify PHI that the HSPs retain in the Repository so that the De-identified Data may be provided (such as for purposes of research or analysis) as approved by the Privacy, Security and Data Access Sub-Group;

s) negotiate data sharing agreements as PHIPA Agent and HINP on behalf of the HSPs to support the disclosure of the HSPs’ PHI within the Repository to third parties such as prescribed entities and health care providers, to assist in the provision of health care and to support the management, evaluation or monitoring of, allocation of resources to, or planning the health system, where the disclosure by the HSPs is authorized under PHIPA; and

t) provide support services to the HSPs and their Authorized Users through a designated support function within CAMH, which includes end user support, including ad hoc training and provision of an online help desk function.


SCHEDULE F – SERVICE LEVELS FOR CAMH

CAMH is committed to providing the following service levels:

A secure technical infrastructure to support the CBI Project and its objectives.

A dedicated Storage Area Network space isolated from other CAMH environments.

A secure web services portal and/or other secure data transmission pointing to url cbiproject.ca

Maintenance of adequate staffing levels during business hours, necessary to support service level expectations for the CBI Project.

Generation of automatic reports from the Helpdesk based on the requested schedule from the CBI Project Team.

Maintenance of 24/7 on call oversight of server, database and web services.

Daily incremental back up of server and database.

Four-hour disaster recovery time frame.

Lockbox capability being in place at the Repository level.


SCHEDULE G - MINIMUM TECHNICAL, ADMINISTRATIVE, PHYSICAL AND INFORMATION SECURITY SAFEGUARDS OF CAMH FOR PHI AND CONFIDENTIAL BUSINESS INFORMATION

Technical/Data Security

authentication measures (such as computer password protection, registration of individuals with access to the Repository, and unique log-on identification) have been implemented to ensure that only Authorized Users can access PHI and Confidential Business Information

regular anti-virus-checking programs and updates have been implemented

an encryption protocol is used if electronic transmission of Data is required and for Data at rest within the repository

testing and production environments are segregated

no PHI to be used for the test phase of the CBI Project

session management - time out after a period of inactivity

no PHI is to be sent by facsimile transmission

safeguards are monitored on an ongoing basis for compliance and effectiveness

CAMH to have a process in place to ensure that access is terminated immediately upon an Authorized User no longer requiring access to the Repository

password policy parameters are required such as minimum password length, special characters, expiry, logging invalid login attempts, resets for forgotten user passwords

ongoing back up of Data

protection against malware is in place

regular vulnerability scanning to be in place and conducted

Administrative

an individual(s) has been designated as being responsible for privacy and security compliance for CAMH in respect of DATIS

an agreement between CAMH and each of the Authorized Users of the Repository – should also include a click through agreement notice dealing with key elements about use of the Repository when Authorized Users sign on

agreements between CAMH and any third party that it engages to assist in the administration/management of the Repository that flows through the privacy and security obligations under this DSA (e.g. software developer, helpdesk and technology troubleshooting) including the safeguards set out in this Schedule

a CAMH organizational governance framework for privacy, confidentiality, and security is in place

CAMH organizational policies for Data storage, management, access and correction, breach management, auditing, privacy, security, risk management, retention and destruction have been developed, implemented and are monitored and enforced

only Authorized Users may have access to and use of Confidential Business Information and PHI related to this DSA on a “need-to-know” basis (i.e., when required to perform Services)

all CAMH Personnel supporting the CBI Project shall sign a confidentiality agreement in which they specifically acknowledge that they will use PHI within DATIS only to carry out their job responsibilities and for no other purpose and the agreement shall contain provisions for appropriate discipline for breach of privacy, confidentiality, or security, up to and including dismissal or termination

mandatory and ongoing privacy, confidentiality, and security training is conducted for all CBI Project funded Personnel providing Services, as well as CAMH Personnel providing Services to the CBI Project

a CAMH “Privacy Breach” protocol has been developed and implemented

a CAMH policy/protocol is in place for dealing with service complaints, including general privacy complaints

backup security and acceptable business recovery plans, (including disaster recovery, Data backup and alternative power) are in place

Physical

computers and files that hold Data are housed in secure settings in rooms protected by such methods as combination lock doors or smart card door entry, with paper files stored in locked storage cabinets

Personnel have been provided with photo identification or coded card swipe, if applicable

visitors are screened and supervised if in an office setting and other appropriate physical access controls are in place such as controlled entry to the hosting environment

pre-booking of visitors if PHI is hosted in a data centre

the number of locations in which Data is stored has been minimized and specified in advance

the architectural space of CAMH in respect of DATIS precludes public access to areas where Data are held

routine surveillance of premises is conducted

physical security measures are in place to protect Confidential Business Information and PHI from hazards such as flood or fire

cameras are prohibited in any areas in which Confidential Business Information and PHI is available

CCTV monitoring of CAMH premises

Storage of PHI is not permitted on mobile or local devices

Network security controls

provision for secure destruction of PHI, including additional persistence (retention) on backup media

Information Security Safeguards

end user access controls for the Repository shall be implemented by CAMH to ensure that access to Data within the Repository is segregated in such a way that no other person can view Data transferred to the Repository by the HSP (with the exception of CAMH Personnel who may require access to PHI in the course of providing Services).

administrative user access controls for the Repository will be implemented by CAMH to ensure that CAMH Personnel working within DATIS have access to only the PHI they require to provide the HINP Services.

CAMH has implemented, and shall maintain, report design procedures that minimize the exposure of CAMH Personnel to PHI.

all reports generated by CAMH on behalf of the HSP that will be provided to third parties (including the Ministry of Health and Long-Term Care, or any LHIN) will contain only De-identified Data.

CAMH shall maintain a list of Personnel with access to PHI in the Repository, which will also indicate the scope, frequency and purpose of access to PHI.

the CAMH internal network on which the CBI Project runs is protected from external threats by a firewall.

PHI transmitted from the HSP to the Repository shall be encrypted and transported securely using an HTTPS transport layer.

CAMH logs access to and activity within the Repository by both end users and CAMH Personnel, and will make the logs relevant to each HSP available to such HSP on request.

CAMH has developed and implemented, and shall maintain, policies and procedures for privacy and security incident management, which shall include procedures for notifying the HSP if any of its PHI is subject to breach, and for supporting the HSP in managing and resolving the breach.

CAMH has developed and implemented privacy and security policies and procedures appropriate to its role as an Agent and HINP to the HSPs, including procedures for privacy and security audits to support CAMH in determining that its Personnel are in compliance with their privacy responsibilities to the HSP. See Schedule J for an inventory/list of applicable policies and procedures.


SCHEDULE H- DATA FLOW (Section 3.0)

The architecture for the submission of Data from HSPs to the CBI Repository is represented above. The diagram illustrates the following data flow:

1. The Data elements as set out in Schedule C are sent from the Client Management System (CMS) Database of the HSPs via encrypted web services to the Web Service compliant web server hosted at DATIS.

2. The Data elements are received by the Web Service Server and must meet the data format and mandatory data element requirements. If they do not, records are rejected and the CMS will receive an error message.

3. Received Data elements are stored in the Landing Database with cell-level encryption applied to demographic and health information data elements.

4. The Data as set out in Schedule C are assessed by the EMPI to identify and match Client records to create a complete and single view of a Client. The EMPI will assign an identifier for each unique Client.

5. Data records are sent from the Landing Database to the Data Warehouse.

6. Reports for HSPs and the LHIN are prepared based on the current data records in the Data Warehouse.

7. HSPs can access their own reports including Shared Client Data about current Clients through an SSL-enabled connection to the CBI reporting portal to review standardized reports and query data.

8. The LHIN is able to review De-identified Data through an SSL-enabled connection to the CBI reporting portal to review standardized reports.
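Step 2 of this flow (format and mandatory-element checks, with rejected records reported back to the CMS) and the split that step 3 relies on can be sketched as below. This is an added illustration, not part of the agreement and not CAMH's implementation; the mandatory-element set, the date, postal-code and health-card formats, the date-order rule and the choice of which Schedule C elements receive cell-level encryption are all assumptions.

```python
import re
from datetime import date

# Element names exactly as listed in Schedule C of the agreement.
SCHEDULE_C = {
    "orgId", "clientId", "healthcardNo", "firstname", "lastnameAtBirth",
    "lastnameCurrent", "middleNames", "dateOfBirth", "Age", "Gender",
    "address1", "address2", "City", "postalCode", "lhin_OfResidence", "Phone",
    "program_enrollmentId", "fc_Id", "fc_referralDate", "fc_admissionDate",
    "fc_serviceInitDate", "fc_dischargeDate",
}
# ASSUMPTION: the agreement does not say which elements are mandatory.
MANDATORY = {"orgId", "clientId", "program_enrollmentId", "fc_Id"}
# ASSUMPTION: everything except these keys and dates is treated as
# "demographic and health information" for cell-level encryption (step 3).
NOT_CELL_ENCRYPTED = {
    "orgId", "clientId", "program_enrollmentId", "fc_Id", "fc_referralDate",
    "fc_admissionDate", "fc_serviceInitDate", "fc_dischargeDate",
}
CELL_ENCRYPTED = SCHEDULE_C - NOT_CELL_ENCRYPTED

DATE_ELEMENTS = ("dateOfBirth", "fc_referralDate", "fc_admissionDate",
                 "fc_serviceInitDate", "fc_dischargeDate")
POSTAL_RE = re.compile(r"[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z] ?\d[ABCEGHJ-NPRSTV-Z]\d")
HEALTHCARD_RE = re.compile(r"\d{10}")  # ASSUMPTION: ten digits, no version code


def is_iso_date(value):
    """True only for a real calendar date written as YYYY-MM-DD (assumed format)."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


FORMAT_CHECKS = {name: is_iso_date for name in DATE_ELEMENTS}
FORMAT_CHECKS["postalCode"] = lambda v: isinstance(v, str) and bool(POSTAL_RE.fullmatch(v.upper()))
FORMAT_CHECKS["healthcardNo"] = lambda v: isinstance(v, str) and bool(HEALTHCARD_RE.fullmatch(v))


def validate_record(record):
    """Return error strings that name the element and rule but never the value,
    so the message sent back to the CMS (and any log of it) carries no PHI."""
    errors = []
    unexpected = set(record) - SCHEDULE_C
    if unexpected:  # accept only Schedule C elements: no over-collection
        errors.append(f"record: {len(unexpected)} element(s) not in Schedule C")
    for name in sorted(MANDATORY):
        value = record.get(name)
        if value is None or not str(value).strip():
            errors.append(f"{name}: mandatory element missing")
    for name, check in FORMAT_CHECKS.items():
        value = record.get(name)
        if value not in (None, "") and not check(value):
            errors.append(f"{name}: invalid format")
    adm, dis = record.get("fc_admissionDate"), record.get("fc_dischargeDate")
    if is_iso_date(adm) and is_iso_date(dis) and dis < adm:
        errors.append("fc_dischargeDate: earlier than fc_admissionDate")
    return errors


def process_batch(records):
    """Reject invalid records; split valid ones into the elements that would be
    cell-encrypted in the Landing Database and those stored in the clear."""
    accepted, rejected = [], []
    for index, record in enumerate(records):
        errors = validate_record(record)
        if errors:
            rejected.append({"record": index, "errors": errors})
            continue
        accepted.append({
            "encrypt": {k: v for k, v in record.items() if k in CELL_ENCRYPTED},
            "clear": {k: v for k, v in record.items() if k not in CELL_ENCRYPTED},
        })
    return accepted, rejected


# Constructed sample submissions (not real Client data).
SAMPLE_BATCH = [
    {"orgId": "1234", "clientId": "C-001", "healthcardNo": "1234567890",
     "firstname": "Test", "dateOfBirth": "1980-02-29", "postalCode": "M5V 2T6",
     "program_enrollmentId": "E-77", "fc_Id": "FC-1", "fc_admissionDate": "2015-12-01"},
    {"orgId": "1234", "clientId": "", "healthcardNo": "12345",
     "dateOfBirth": "1981-02-29", "postalCode": "D5V 2T6", "sin": "000",
     "program_enrollmentId": "E-78", "fc_Id": "FC-1",
     "fc_admissionDate": "2015-12-01", "fc_dischargeDate": "2015-11-01"},
]

if __name__ == "__main__":
    ok, bad = process_batch(SAMPLE_BATCH)
    print(len(ok), "accepted;", bad)
```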

[Diagram: data flow. Labels: HSP; CMS Data; SSL-Enabled Web Service Client; Internet; Transmission; HINP; SSL-Enabled Web Service Server; Landing DB; EMPI; Data Warehouse; Business Intelligence; LHIN; flow steps numbered 1 to 8.]


SCHEDULE I- PLAIN LANGUAGE DESCRIPTION FOR HSPs AND THE PUBLIC (CLAUSES 6.1(D) AND (E))

PLAIN LANGUAGE DESCRIPTION OF THE HEALTH INFORMATION NETWORK PROVIDER SERVICES OF CENTRE FOR ADDICTION AND MENTAL HEALTH FOR THE COMMUNITY BUSINESS INTELLIGENCE PROJECT SOLUTION (CBI Solution) AND SECURITY SAFEGUARDS

The following is a plain language description of the network services and security safeguards of the Centre for Addiction and Mental Health (CAMH) within the CBI Solution. This description provides an explanation to the health services providers who are involved in the CBI Project and to the public of which health information network provider (HINP) services are being provided by CAMH and how the security processes in place will ensure the confidentiality of the personal health information (PHI) involved.

Description of the CBI Solution

The CBI Solution (i.e.: a CBI tool and CBI data repository) was created to enhance Community Sector¹ data quality and reporting capabilities. The CBI Solution facilitates the collection of PHI from health service providers (HSPs) to a central data repository maintained by CAMH for the purposes of providing reports to HSPs and local health integration networks (LHINs). The data is collected in order to gain a better understanding of which services are being used and the capacity within the Community Sector to provide the services that are needed. With the CBI Solution, HSPs and the LHINs will have access to higher quality data, and will be able to query data and run standard reports. In addition, the CBI Solution will allow specific staff (authorized users) at an HSP to access PHI about shared clients from other participating HSPs for the purposes of providing health care or assisting with providing health care to that client. PHI that is shared between HSPs will be referred to as shared client data and only will be done if the HSPs have signed a data sharing agreement which includes protections to maintain the security and confidentiality of the data.

HINP Services

In providing the services as a HINP, CAMH shall provide the following information systems, information management and information technology services to enable the HSPs to disclose PHI to one another:

host the CBI data repository;

upload data to the CBI data repository for HSPs that have signed a data sharing agreement with other HSPs and CAMH (in its role as the HINP);

provide reports to, and support data questions from, HSPs and the LHINs regarding the CBI data;

have a process in place to handle client requests to not share their PHI (Lockbox) and to correct their PHI;

provide a solution for matching of data;

provide incident and breach management support to HSPs;

delete PHI from the repository upon request by the HSP that provided the PHI;

develop, maintain and make available shared client data in order to provide or assist in the provision of health care services to shared clients;

De-identify PHI that is being held in the CBI data repository so that the De-identified Data may be provided for purposes of research or analysis; and

provide support services to the HSPs (and their authorized users) through a designated support function within CAMH, which includes end user support, including ad hoc training and provision of an online help desk function.

1 The phrase “Community Sector” refers to the community health services sector consisting of: 1) community mental health providers; 2) community addiction providers; and 3) community support service providers.

Summary of Privacy and Security Safeguards

There are numerous controls built into the system that protect PHI including:

Secure Hosting

The CBI Solution is hosted in a secure environment with effective administrative, physical, technical and information security safeguards in place that meet industry best practices

Authorization

HSPs access data through a designated portal created by CAMH

Each HSP will determine who, among their staff, will be permitted to access the data in the CBI data repository in accordance with its own policies and procedures

Authentication

All authorized users are authenticated through an enhanced authentication mechanism prior to accessing the CBI Solution

Strict password policy parameters are required and enforced

Data Security

Data is encrypted for electronic transmission of data and for data that stays in the repository

Data retention and disposal policies are in place to ensure data are only kept as long as needed and are disposed of properly to ensure confidentiality

Logging

Access to any activity in the repository is logged and any suspicious activity is investigated

Audit logs are made available to HSPs

Security Assessment

A Threat Risk Assessment (TRA) and Privacy Impact Assessment (PIA) were conducted to identify privacy and security gaps and deficiencies

Privacy

Each HSP and CAMH have implemented and follow privacy practices that comply with the Personal Health Information Privacy Act, 2004 and its regulations regarding the collection, use and disclosure of PHI

A privacy incident and breach management policy is in place to address any privacy events (breach or incidents) collaboratively among the appropriate parties

A CBI Working Group and a Privacy, Security and Data Access Sub-Group have been put in place to review privacy matters and compliance

Conclusion

CAMH, as a HINP, complies with the Personal Health Information Privacy Act, 2004 and regulations thereunder as well as industry best practices, and uses a variety of administrative, physical, technical and information security safeguards to protect PHI. In addition, CAMH has policies and procedures in place to ensure that its employees and authorized users understand their obligations with respect to the CBI Solution and protection of PHI.


SCHEDULE J - LIST OF CAMH POLICIES IN ITS ROLE AS HINP (Clause 6.1(b) and Schedule G) (Subject to final CAMH approval)

Privacy Policies

CAMH Service Provider Privacy Policy

Procedure for Limiting Access to PHI

Policy and Procedure for Executing Agreements with Third Party Service Providers

Service Provider Logging and Auditing Policy

Service Provider Incident Management Procedure

Service Provider Retention and Disposal Policy

Policy and Procedure for Managing Requests for De-Identified Data