PIPEDA and HIPAA Information
One of the most important aspects of an EMR is its secure handling of private information. Thousands of private medical charts are being stored on our servers on a daily basis, and we believe it is important for you to know just what measures we have taken and what guidelines we are following to ensure the privacy and security of your data.
PIPEDA (The Personal Information Protection and Electronic Documents Act) is a set of rules and guidelines developed in Canada that govern the collection, use or disclosure of personal information about an identifiable individual; in our case, medical records. The Office of the Privacy Commissioner of Canada has prepared a guide to help organizations like SmartND fulfill their responsibilities under PIPEDA. The following is a summary of the guidelines and steps that SmartND has taken to comply with PIPEDA.
Keep in mind that although there may be some ambiguity in the wording used in this article, we only store medical information – we do not collect it. As such, it is assumed that the practitioner who is collecting the information from their patients has obtained the proper consent to do so. Although SmartND provides methods for practitioners to record that they have obtained consent from their patients, we do not monitor nor do we verify or audit this consent.
The accountability guideline requires that one individual be held accountable for adherence to the principles of PIPEDA. SmartND has appointed a Privacy Officer to take on this accountability and ensure that SmartND complies with all aspects of PIPEDA. The Privacy Officer for SmartND is Mr. Venk Prabhu. One of the roles of the Privacy Officer is to answer the following questions:
What personal information do we collect and is it sensitive?
We collect personal contact information and store medical information entered by healthcare practitioners and their patients. Some of this information can be considered sensitive.
Why do we collect it?
We collect and store this information as a service to health care providers so that they can more effectively fulfill their responsibilities to their patients. A health care provider’s role is to collect information from their patients in order to assess their condition and provide a treatment plan. We provide a service to help store this information, and allow health care providers as well as patients the ability to retrieve this information as necessary.
How do we collect it?
We collect this information through a cloud-based service called SmartND.
What do we use it for?
Personally identifiable information is never used for any purpose other than to display this information to specific healthcare providers. Non-identifiable information is used to generate statistical reports on the usage of the SmartND service. These statistical reports do not contain any personally identifiable information, and are only used to improve the service and/or provide valuable statistical insights into the industry.
Where do we keep it?
This data is stored in the country of origin, on physical computer servers, under 24/7 security.
How is it secured?
The information is secured in many ways. The physical databases are secured by 24/7 security by reputable third-party hosting providers. The service itself uses SSL-based security to protect data entered into our service via the web-based application.
Who has access to or uses it?
Healthcare practitioners have access to all the data they have entered, and any data that has been shared with them by other practitioners. Patients have access to their treatment plans and any other data that has been shared with them by the practitioners. Select senior SmartND staff have access to the databases but adhere to a strict access procedure where medical information is concerned. Every database access to private information is based on a client request, and we get your written permission before accessing your data. Your data is stored in such a way that our staff cannot easily determine who is the subject of the data being accessed. In most cases, troubleshooting on your account can be done without any access to private medical data at all, but in those few instances where we need to access your medical charts directly in order to help you troubleshoot a problem, this access is very targeted to the specific area we are helping you with.
To whom is it disclosed?
Personally identifiable information is never disclosed to any third party by SmartND, unless required by law. In the case of a legal requirement, SmartND will first communicate this to the practitioner involved, and give them enough time to oppose the request.
When is it disposed of?
Data on SmartND servers will not be disposed of. If ever SmartND is required to dispose of data, all data will be returned to the author of the data prior to disposal.
This guideline requires us to identify the reasons for collecting personal information at the time of collection: Personal contact information which is collected through the process of creating an account on SmartND is required in order for us to identify the individual creating the account. This identification is used to secure the account against unauthorized access, and to establish customer eligibility for special offers or discounts. We do not collect medical information and only serve as a storage service for this data.
This guideline requires us not to collect information indiscriminately. All the information that we collect (we do not collect medical information) is used as described above, and no irrelevant information is collected.
Limiting use, disclosure, and retention
This guideline requires us to use collected information only for the reasons specified above, and to disclose this information only if necessary and if authorized by the PIPEDA guidelines. SmartND uses the information collected only for the purposes identified above.
This guideline requires us to be accurate about the use of the information collected. Our information collection methods are tested and do accurately store the right information in association with the right individual. If ever an error does occur, we are available to discuss the error and remedy it upon request.
This guideline requires us to use appropriate safeguards to protect personal information against loss or theft, unauthorized access, disclosure, copying, use or modification. Our safety protocols are identified above, and we are using industry standard SSL connections during data collection to prevent theft of sensitive information.
This guideline requires us to be open about the method we have used to safeguard personal information. This document serves that purpose.
This guideline requires us to allow individuals to have access to any personal information we store about them. Any medical information stored on our servers is always accessible to the practitioner who collected and authored the information. Should a patient request information from us regarding personal data that has been entered into our system by a practitioner, the practitioner will be contacted immediately and informed of this request. The practitioner will then be given an appropriate amount of time to respond to the patient’s request. Patients must make their request for personal information through a practitioner.
This guideline requires us to provide a simple means for our users to submit complaints. Complaints may be sent via the contact form below. We will investigate all complaints received.