Security and Privacy
Ontario has strict laws protecting the privacy of patient data of all types. At HSG we are committed to meeting and exceeding current best practices and the specific standards set by the Ontario government. To accomplish this we have implemented a security and privacy strategy focused on protecting patient information through every aspect of care.
The Personal Health Information Protection Act, 2004 (PHIPA) sets out specific steps that healthcare providers (health information custodians) must take to protect their patients' personal health information. The law defines what information healthcare providers may collect in the course of care and how that information must be handled. To keep our patients as informed as possible, below are some of the steps we take to protect your privacy. Our goal throughout is to keep your information private: we collect only information directly related to your care and share it only with those directly involved in your treatment.
What information is collected and why?
Personal health information (PHI) includes everything from a patient's name, birth date, and medical history through to clinical photographs, notes, and x-rays. We collect this information as part of regular treatment to help us diagnose, plan, prepare, and ultimately treat you. In some cases this information is shared with other providers directly involved in your ongoing treatment, such as lab technicians, referring providers, or other medical providers. In all cases your consent will be sought before any PHI is shared.
What steps are being taken to protect my information?
All employees, contractors, and businesses who may come into contact with PHI within our practice have been trained on the importance of protecting patient information and on the techniques used to protect it. All digital records are stored locally on a secure server located in a secure area of the building under 24/7 security and video monitoring. Physical access to the server is limited to directors and our IT staff. Data stored on the server is encrypted at the disk, operating system, and application levels.
Computer terminals are locked with secure, time-limited passwords. In addition, login requires a physical security key (a USB dongle), adding a second factor of authentication: something you have, alongside something you know. Applications used on the terminals are locked with secure, employee-specific passwords, so that access to patient information can be tracked to an individual user.
How do you communicate with other dental providers?
In complex treatments it is common for us to communicate with outside dental labs and dental providers. The majority of this communication takes place by phone, email, or physical courier. This area is not well defined by PHIPA. For email we use a US-based provider that requires a secure password as well as a physical login key (dongle) to access the accounts. Emails containing PHI are further encrypted, and authorized recipients must log into a secure server to access the information. Because we control that secure server, we can control and limit access to the private data, including limiting access by time, geographic location, and duration. This further reduces the risk of unauthorized access, and it goes beyond the recommendations of the Information and Privacy Commissioner of Ontario (IPCO) for communicating health information by email. The IPCO published a fact sheet on the subject in 2016 (found here).
Physical login key/dongle?
To access many of our digital systems we require staff to use physical keys, in the form of USB dongles, in addition to a secure password. This adds a physical layer of security not often found in consumer services. In practice, the key must be inserted into the device before a login is authorized; without it, a user cannot access their account even with the correct username and password. On top of this, we restrict logins to our office's geographic location. Physical security keys are stored in a lockbox in a secure location to prevent unauthorized access. Equally, the keys are useless without the matching username and password, which is precisely how combining the two factors improves security.
What about network security?
Network security concerns protecting the computers in our office from the outside world. We use modern networking equipment to continuously monitor traffic into and out of our office and to maintain a secure connection. We routinely perform security reviews and internal audits to confirm that our systems are up to date and operating as intended.
How is my data handled?
Personal health information is held on-site on a server in a secure location. It is encrypted at the disk level as well as the application level. External backups are made to a secure location in Ottawa and are fully encrypted. The only time your information leaves our practice is by way of an encrypted referral. To accomplish this, a secure email is sent with a link through which the recipient verifies their identity. Only after that verification can the recipient download and decrypt the protected information on their end.
Where is my data stored during transmission?
Before emails containing sensitive data are transmitted from our computer system they are encrypted using encryption keys held locally; because the keys never leave our practice, the transmission provider only ever holds ciphertext. Data is never transmitted in an unencrypted state. Like 34% of all web services, our secure transmission provider uses AWS to temporarily hold your encrypted data, which means the encrypted data passes through servers located in the United States.
The only exception to the above protocol is the secure transmission of information to our lab providers. In most cases this is an end-to-end encrypted pathway that meets our standards of protection. For Invisalign cases we use their encrypted submission portal; as they are a US-based provider, data is stored on a secure US-based server during this process.
Where can I get more information about PHIPA?
The best resource is the Information and Privacy Commissioner of Ontario's website. There you will find A Guide to the Personal Health Information Protection Act (Dec 2004), which is available for download (click here). Alternatively, a copy of the Personal Health Information Protection Act (2004) can be found here.
What happens if there is a breach?
Data breaches are extremely uncommon, but examples of possible breaches include an email containing PHI being sent to the wrong email address or a document containing PHI being faxed to the wrong fax number. With proper safeguards in place, such events should be extremely rare. We have policies and added protections to prevent them, including retaining control over encrypted email content even after the message has been sent, so that a misdirected message can have its access revoked. In the unlikely event of a data breach we are required by PHIPA to inform all those directly affected. Our Privacy Officer, Sam Hickman, would then lock down our system and perform a thorough investigation to understand the breakdown in security protocol and help prevent it from happening again.
Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A
Overview of Security Keys/Dongles and 2-Factor Authentication
This page is not meant to be exhaustive. Its intention is to demonstrate some of the steps we take to protect your information using current best practices. Should you have any questions or concerns relating to the information above, please feel free to contact our privacy officer at firstname.lastname@example.org. Additionally, if you feel your privacy is at risk or has been violated, we ask that you immediately contact our practice or Privacy Officer so we can resolve the situation.