Privacy Roles

Kingston Health Sciences Centre

  • Health Information Network Provider to Contributing and Receiving Participants through the provision of the SHIIP solution that will allow Contributing Participants to disclose, and Receiving Participants to collect, PHI about patients that they share
  • Electronic Service Provider to the participants of the SHIIP solution who use electronic means to disclose or collect PHI
  • Agent of the participant who has contributed the PHI used to produce HARP/LACE scores and on whose behalf KHSC produces those scores
  • KHSC must maintain privacy and security policies and procedures that enable them to comply with their obligations under PHIPA and applicable agreements
  • Training: Provide some assistance and tools to support participants with their training obligations. Inform their agents and Electronic Service Providers on the policies, procedures and practices as required by PHIPA.
  • Access and Correction: KHSC must log access or correction requests, then notify the contributing sites involved of the request.
  • Inquiries and Complaints: Log then respond to the inquiries and complaints that are escalated by participants.
  • Consent Management: Log and review consent directive requests and forward them to KFLA for application. Then confirm the application of the consent directive with the requesting site.
  • Assurance: Ensure that participants are compliant with their SHIIP Privacy obligations on a yearly basis, and provide support to reach compliance if needed.
  • Breach Management: Support participants with their breach management activities when they notify KHSC of a suspected breach. Coordinate efforts when the breach is suspected in more than one organization. In a situation where the breach is caused by the SHIIP system functionality, KHSC would be the breach investigator and must notify involved organizations.
  • Auditing: Provide support to the sites with auditing responsibilities.

Kingston, Frontenac, Lennox & Addington Public Health

  • Third party service provider to enable KHSC to provide SHIIP services
  • KFLA must maintain privacy and security policies and procedures that enable them to comply with their obligations under PHIPA and applicable agreements
  • Training: Inform their agents and Electronic Service Providers on the policies, procedures and practices as required by PHIPA.
  • Consent Management: Log and apply the consent directive requests provided by the KHSC SHIIP Coordinator and confirm when completed.

SHIIP Contributing Participants

  • Health information custodians that use the SHIIP solution to:
    – Disclose PHI in the form of ADT data to SHIIP Receiving Participants
    – Determine complex/high needs patient status, and disclose this status to Receiving Participants
    – Calculate scores for patient risk of readmission to hospital, and disclose these scores to Receiving Participants
  • Contributors must maintain privacy and security policies and procedures that enable them to comply with their obligations under PHIPA and applicable agreements
  • Access and Correction: The participant must log then escalate to the SHIIP Coordinator any access or correction request from a patient if the information in question relates to information contributed to the SHIIP repository.
  • Inquiries and Complaints: The participant must log then escalate any inquiry or complaint that cannot be resolved by the participant to the SHIIP Coordinator.
  • Consent Management: The participant must log then notify the SHIIP Coordinator of any consent directive request that is related to the information in SHIIP.
  • Assurance: The participant must make sure that the organization complies with the SHIIP requirements and policies. A yearly attestation confirming compliance will be required by each participant.
  • Breach Management: If any participant is aware of a breach, they must notify the SHIIP Coordinator and follow their internal breach management policy.
  • Auditing: Participants must complete some auditing of the access of the SHIIP end users in the organization quarterly. Every audit should be logged and if suspicious activity is found, the participant must notify the SHIIP Coordinator.
  • Training: Each participant must ensure that all of its agents who have access to the SHIIP solution have received privacy training in the past year, and the completion of the training must be logged. Inform their agents and Electronic Service Providers on the policies, procedures and practices as required by PHIPA.

SHIIP Receiving Participants

  • Health information custodians that use the SHIIP solution to:
    – Collect PHI in the form of ADT data from SHIIP Contributing Participants
    – Collect complex/high needs patient status information from Contributing Participants
    – Collect scores for patient risk of readmission to hospital from Contributing Participants
    – Populate a patient’s Coordinated Care Plan
  • Receiving participants must maintain privacy and security policies and procedures that enable them to comply with their obligations under PHIPA and applicable agreements
  • Access and Correction: The participant must log then escalate to the SHIIP Coordinator any access or correction request from a patient if the information in question relates to information contributed to the SHIIP repository.
  • Inquiries and Complaints: The participant must log then escalate any inquiry or complaint that cannot be resolved by the participant to the SHIIP Coordinator.
  • Consent Management: The participant must log then notify the SHIIP Coordinator of any consent directive request that is related to the information in SHIIP.
  • Assurance: The participant must make sure that the organization complies with the SHIIP requirements and policies. A yearly attestation confirming compliance will be required by each participant.
  • Breach Management: If any participant is aware of a breach, they must notify the SHIIP Coordinator and follow their internal breach management policy.
  • Auditing: Participants must complete some auditing of the access of the SHIIP end users in the organization quarterly. Every audit should be logged and if suspicious activity is found, the participant must notify the SHIIP Coordinator.
  • Training: Each participant must ensure that all of its agents who have access to the SHIIP solution have received privacy training in the past year, and the completion of the training must be logged. Inform their agents and Electronic Service Providers on the policies, procedures and practices as required by PHIPA.
  • Sites must ensure that the SHIIP user list for the organization is accurate and reflects the current status and permissions of the employees with access to the SHIIP viewer. If any change is needed, the site LRA must contact the SHIIP coordinator and complete the appropriate form.
  • The LRAs for each participant site must have received privacy training in the past year. The participant site must also ensure that the LRAs have the appropriate permissions to enroll users in the SHIIP system. If any change is needed, the site LRP must contact the SHIIP coordinator and complete the appropriate form in order to designate a new LRA.