Safeguards for the Protection of Personal Information and Personal Health Information
Ontario Health has physical, administrative and technical safeguards in place to protect personal information (PI) and personal health information (PHI) against loss, theft, unauthorized access, disclosure, copying, use or modification.
Physical Safeguards
- On-premises production servers are in highly secure, managed data centres with strict physical access controls, including but not limited to, mantraps, cameras, and security guards.
- Data centre physical security controls have been validated by an independent third party in accordance with federal government standards, and through internally conducted threat and risk assessments.
- Cloud-based servers are in the Amazon Web Services (AWS) Canadian data centres that have a comprehensive suite of security controls and certifications in place.
- Access to office areas is controlled with access badges, and traffic in the office areas is recorded by security cameras.
Administrative Safeguards
- Individuals have been appointed who are accountable for privacy and security, namely the Chief Privacy Officer and Chief Information Security Officer.
- Formal contracts and service level agreements ensure that any third party retained to assist in providing services to Ontario Health or to health information custodians, will comply with the restrictions and conditions necessary for us to fulfil our legal responsibilities.
- A comprehensive suite of privacy, security and human resources policies and procedures outlines employee responsibilities.
- All staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining or providing services to Ontario Health. We have a security screening policy that requires staff to hold a level of clearance appropriate to the sensitivity of the information they may access.
- We have mandatory privacy and security awareness and training programs for staff, which include testing to confirm that the main concepts and behaviour requirements are understood.
- Ontario Health has an Access Control Standard.
- An enterprise security and privacy incident management program is in place to ensure management of incidents and regular training and awareness for staff members involved in incident management.
- Security threat and risk assessments are conducted as part of both product and service development and client deployments. Security risk mitigation activities are established, assigned to a responsible individual, recorded and tracked as part of each assessment.
- Privacy representatives follow the guidelines outlined in our Privacy Impact Assessment Standard.
Technical Safeguards
- Adoption of industry standards to ensure security of PI and PHI.
- Encryption applied to sensitive data.
- A logging, monitoring and auditing system records when PI and PHI are accessed or transferred.
For additional HINP Safeguards visit OTNhub Services and Safeguards
For additional Electronic Health Record (EHR) Safeguards visit Safeguards | eHealth Ontario
Last Updated: June 18, 2025