Privacy & Security
eCHN aims to build trust and ensure transparency with its clients, patients, and the public. eCHN’s Privacy and Security Program meets this commitment by ensuring privacy best practices are considered when undertaking new initiatives. The following documents outline eCHN’s commitment to Privacy and Security:
- HealthCare Provider User Guide
- Managing Consent on the eCHN Portal
- Audit Reporter User Guide
eCHN conducts risk assessments on its operations, information systems and programs to ensure statutory and contractual compliance, as well as ensure that privacy best practices are built into eCHN’s day to day operations. A Privacy Impact Assessment (PIA) is completed to identify privacy-related risks and make recommendations on how to address those risks while ensuring personal health information (PHI) is appropriately managed.
eCHN has conducted PIAs on the projects listed below.
Audit Reporter Tool
This tool enables appointed users from a site’s Privacy Office or Health Records department to retrieve audit logs to monitor who has viewed patient data.
eCHN systems are all developed with significant attention to security architecture for the safeguarding of PHI throughout its lifecycle. Receipt and methods for data exchange between eCHN and members have been specified within agreements and eCHN is compliant with all stipulated requirements.
eCHN’s system is administered centrally in eCHN’s secure data centre. eCHN’s data repositories are populated through secure data feeds from contributing clients.
Access to the eCHN Portal is administered through a user authentication database centrally maintained by eCHN. eCHN Clients must authorize and validate those users who access the eCHN Portal under their authority. eCHN also reviews all applications for eCHN portal access and validates applicants’ professional college and/or license numbers where applicable.
eCHN applies the following technical safeguards to data in its care:
- Strong multifactor authentication mechanisms are enforced for accessing sensitive systems.
- Administrative access to information-processing infrastructure is granted on a need to know basis. All system and application access activities are logged.
- Network traffic is monitored and managed using security devices such as routers, switches, network firewalls, intrusion-detection systems, anti-virus programs and Security Incident and Event Management tools.
- Encrypted channels are used for all data communication between eCHN and its members or its eCHN Portal users.
- eCHN’s security policy prohibits removal of any media containing Personal Health Information from eCHN’s premises. Also, eCHN’s policy limits the storage of PHI to specified/secure servers.
- eCHN Personnel laptops and desktops are fully encrypted. If laptops are lost or stolen, data confidentiality and integrity is not compromised.
- Vulnerability assessments of technical configurations and operational security practices are carried out periodically and when new projects are undertaken, or significant changes are introduced.
- A patch management process ensures that the information-processing infrastructure is updated with critical security patches and functional updates in a timely manner.
- All accounts of former staff or consultants are revoked upon termination of employment or contracts.
- Critical information is backed-up on a regular basis and is recoverable in the event of operational incidents.
- Infrastructure availability is monitored and managed 24/7.
eCHN applies the following physical safeguards to data in its care:
- eCHN infrastructure is hosted in a secure data centre facility that is well equipped with applicable environmental controls.
- Physical access to the data centre is restricted to authorized users; the facility is manned and supervised 24/7.
- Access to the eCHN facility is restricted to eCHN personnel and contractors. Guests to the eCHN facility must be escorted by an eCHN team member.
- Equipment and materials used to store or process PHI and other sensitive information is securely disposed of in accordance with the eCHN Destruction of PHI Policy.
eCHN applies the following administrative safeguards to data in its care:
- eCHN has appointed accountable individuals for privacy and security.
- eCHN has a comprehensive set of information security policies which are regularly revised and updated.
- All staff and contractors must sign confidentiality agreements and undergo background checks prior to joining or providing services to eCHN.
- eCHN conducts mandatory privacy and security awareness training programs for its staff and contractors
- All privacy and security incidents are managed in accordance with eCHN Privacy and/or Security Incident Management procedures.
- Threat and risk assessments are conducted whenever new projects are undertaken or changes in security architecture are introduced.
- eCHN has established a formal threat and risk management program. A specialized management forum, the Privacy and Security Leadership Committee, provides strategic direction and governance oversight for the risk-management program, including regular review of risks and the corresponding risk treatment plans.
- Audit logs recording user activity, system administrator activity, exceptions, and information security events are kept and archived.
Privacy and Security FAQs
eCHN cannot disclose any PHI directly to a patient or parent. However, upon successful validation of the identity of a requestor and their relationship to the patient, eCHN may a) confirm that the patient’s health information exists in the eCHN data repository, and b) identify which health information custodian(s) contributed the patient information to eCHN. If you would like to find out if eCHN holds information about your child and which health information custodian(s) contributed this information to eCHN, please complete the eCHN PHI Inquiry Form.
Personal health information (PHI) is contributed to eCHN by Ontario hospitals which are data-contributing eCHN clients. eCHN also receives PHI from eHealth Ontario for the Ontario Laboratories Information System (OLIS). For additional information about the OLIS program, please visit the eHealth Ontario website.
The term Agent is defined in section 2 of the Personal Health Information Protection Act (PHIPA), 2004 and is reflective of the role undertaken by eCHN for clients who contribute data to or through our system. In its role as a PHIPA agent, eCHN acts on behalf of health information custodian clients in relation to the PHI contributed. eCHN also operates as a Health Information Network Provider, as it provides an electronic solution to enable authorized healthcare providers to disclose data to one another. A Health Information Network Provider is defined in section 6(2) of Regulation to the Personal Health Information Protection Act, 2004.
The eCHN security program balances the need to protect the sensitive data eCHN maintains, while providing a high level of service to health care practitioners in Ontario. The eCHN Security Policy defines baseline control measures which are required to safeguard personal health information. For additional information on the eCHN security safeguards, see “eCHN Architecture and Safeguards”.
You may withdraw consent (or reinstate a previously withdrawn consent) by contacting the Health Records department for the hospital(s) that contributed data to eCHN for your child and submitting a request to withdraw consent for your child’s record. The contributing hospital will explain the options available to you and arrange to process the consent request.
If you would like to discuss any concerns about how eCHN safeguards PHI, please complete the eCHN Privacy Complaint Form.
eCHN operates under contract with each data-contributing hospital and in compliance with the provisions of the Personal Health Information Protection Act (PHIPA), 2004. As an agent of the contributing hospitals, eCHN gathers PHI which is only to be used in the eCHN Portal. The purpose of the data exchange between eCHN users is the provision of health care to pediatric patients.
To contact the eCHN Privacy & Security Office:
eCHN Privacy Office
electronic Child Health Network
180 Dundas Street West, Suite 2405
If you would like to find out what information eCHN holds about your child please complete the eCHN PHI Inquiry Form.
Please note that eCHN cannot disclose any PHI directly to a patient or a patient’s guardian. However, upon successful validation of the identity of a requestor and their relationship to the patient, eCHN may:
- Confirm that the patient’s health information is in our database and
- Confirm which Health Information Custodian(s) contributed the patient information to eCHN
If you would like to discuss any concerns about how eCHN ensures the safeguarding of your personal health information, please complete the eCHN Privacy Complaint Form.