We are committed to safeguarding the privacy and security of personal health information within the new clinical information system that is being developed as part of the Clinical & Systems Transformation project.
The Privacy Working Group (PWG) is overseeing the completion of a privacy impact assessment that will identify privacy and security risks associated with the CST project and make recommendations to address such risks. The PWG is also responsible for:
- Developing access models that will ensure that only people who need to see a patient’s data to carry out their duties will have access to such personal information;
- Designing and implementing a robust, effective privacy audit solution;
- Establishing appropriate privacy controls, such as enhanced information security flags and clinical relationship attestation;
- Developing and implementing user privacy and security training and confidentiality undertakings;
- Developing a system and data governance framework; and
- Assuring that data sharing is done in accordance with the General Health Information Sharing Agreement (GHISA) and complies with the BC Freedom of Information and Protection of Privacy Act.
“We’re designing the new system with privacy in mind, including the capability to have all the data needed for auditing purposes. Auditing will be a lot better. You can’t audit who’s had access to paper charts.” – Steven Tam, General Counsel and Chief Privacy Officer for VCH, and chair of the Clinical & Systems Transformation project’s Privacy Working Group.
Our software contract is with Cerner Canada and all of our data will be stored in Canada. Because Cerner is a US company, some people have raised concerns that we might be subject to requests for personal information through the Patriot Act that we will not be able to refuse.
It is possible that a US authority might make requests for personal information, but the overall risk is low in this respect. We are working with Cerner on the system development and implementation, but Cerner does not actually have custody or control of the data. Because of this, any attempt by a US authority to obtain BC Health Organization data through Cerner is unlikely to be effective.
At times Cerner staff may have access to Health Organization data, particularly as we get ready to go into production testing, which usually requires live data. It is possible that during these times, US authorities might make a request for data; but we have provisions in our contract with Cerner that prohibit the parties from disclosing personal information in response to a foreign demand and to require them to notify us of any such demands. In such a case, the Health Organization(s) would respond to such a request.
In short, the way in which we have structured our relationship with Cerner minimizes vendor custody and control over the data. Therefore, there is less opportunity for a US authority to obtain data from them. If there is a request and they do have access to our data at the time, our contract requires them to refrain from disclosing any personal information and to notify us, which allows us to respond. We are unlikely to be able to eliminate the risk entirely, but we are meeting our statutory requirements in this regard.