Various BORN Programs - Privacy Impact Assessment, November 2018

The Children’s Hospital of Eastern Ontario-Ottawa Children’s Treatment Centre (CHEO-OCTC) with respect to the Better Outcomes Registry and Network (BORN) undertook a privacy impact assessment (PIA) on three BORN program initiatives:

  1. Sending completed Healthy Babies Healthy Children (HBHC) screens from hospitals to public health units (PHUs) and sending missed screening alerts to PHUs where a HBHC screen has not been completed in the hospitals;
  2. Sending missed immunization alerts to PHUs where babies and children have not been immunized; and
  3. Collecting additional data about a child’s growth parameters (height and weight) and lifestyle from primary care to facilitate the province’s Healthy Growth Initiative (HGI).

The PIA also supports BORN in identifying the appropriate signing authority when entering into data sharing agreements (DSAs) with primary care to collect data elements from their electronic medical record (EMR) systems.

Based on the information gathered, the privacy consultant identified various strengths of the BORN privacy program, and support for privacy within these specific initiatives such as consulting with the Privacy and Security Review Committee and the Data Dictionary Collection Review Committee, ensuring its Privacy and Security Management Plan has been reviewed and approved by the IPC/Ontario, and assessing the privacy risks of the initiatives in the planning stages. The consultant identified one potential privacy risk associated with having DSAs with primary care and made one recommendation to mitigate that risk, namely:

Recommendation 1: Discuss with primary care how PHIPA relationships in the primary care setting are defined in agreements to support both parties in having confidence that the appropriate person is signing the DSA with BORN and identify technical requirements for the EMR and the BIS to support the authorized disclosure of PHI to BORN.

BIS-to-Cloud Privacy Impact Assessment, August 2018

BORN engaged a privacy consultant to conduct a privacy impact assessment (PIA) on the migration of the BORN Information System (BIS) from the CHEO-OCTC Information Technology Shared Services Department (CHEO IT) hosting infrastructure into the Microsoft Azure Cloud using the services of Dapasoft, a Microsoft partner and the developer of the BORN Information System (BIS).

Based on the information gathered, the consultant identified various strengths of the BORN privacy program, and support for privacy within the BIS-to-Cloud project more specifically. Because the migration to the cloud will not result in any new or modified collections or disclosures of PHI, there are limited privacy impacts for the current phase of the project. Should future phases of the project require the BIS to be re-architected such that it has an impact on the collection, use, and/or disclosure of PHI, or that it meets the requirements of P-25 Privacy Impact Assessments of the BORN Privacy and Security Management Plan, then another PIA should be completed.

Still, the consultant identified six potential privacy risks associated with the BIS-to-Cloud project and made six recommendations to mitigate those risks prior to finalizing decisions in the project and go-live. Below is a summary of these recommendations for BORN:

Recommendation 1: Clarify services, contractual relationships, PHIPA roles, and privacy obligations for the BIS-to-Cloud project. Specifically:

  • Revise the scope of services that Dapasoft will provide for BORN for the BIS-to-Cloud project;
  • Within CHEO, revise the the scope of services that CHEO IT will provide to BORN for the BIS-to-Cloud project;
  • Revise the agreement between Dapasoft and CHEO to be consistent with the requirements of PHIPA and the IPC, as it pertains to both the migration to and ongoing management of the BIS in the cloud; and
  • Require that Dapasoft enter into agreements with subcontractors on terms consistent with its agreement with CHEO such as the PHIPA relationships, scope of services, and appropriate privacy obligations for cloud service providers (e.g., ISO 27018).

Recommendation 2: Identify and conduct any updates to privacy and security policies and procedures that are needed to support privacy in the BIS-to-Cloud project (where required to align with updates to security policies, procedures, and standards, including IPC requirements)

Recommendation 3: Ensure access controls for BORN, Dapasoft (and Dapasoft’s subcontractor, Microsoft), and CHEO IT support limits on staff access to PHI because of the BIS-to-Cloud project, namely through:

  • Access control matrices;
  • Job descriptions;
  • Provisioning and de-provisioning practices; and
  • Lists of staff with access to PHI.

Recommendation 4: Set retention schedules for temporary or duplicate copies of PHI where they are not yet established, or they need to be updated for the migration of the BIS to the cloud and the ongoing management of PHI in the cloud.

Recommendation 5: Set secure storage requirements for temporary, duplicate, or backup copies of PHI where they are not yet established for the migration of the BIS to the cloud and the ongoing management of PHI in the cloud.

Recommendation 6: Set secure disposal requirements for temporary, duplicate, or backup copies of PHI where they are not yet established for the migration of the BIS to the cloud and the ongoing management of PHI in the cloud.

Prenatal Screening Program - Privacy Impact Assessment, April 2018

BORN Ontario supports prenatal screening in the province through quality assurance review and monitoring of epidemiological prenatal screening data; i.e., multiple marker screening (MMS), and more recently, non-invasive prenatal testing (NIPT) data. It also has co-lead the Prenatal Screening Subcommittee (PSSC) in partnership with the Provincial Council for Maternal and Child Health (PCMCH).

As a prescribed person, BORN Ontario will operate the PSP by facilitating prenatal screening health care and supporting key health care providers, i.e., laboratories, providers of test result interpretation, and primary care, to provide care, and to assess how they provide care and services to individuals. It also will monitor and report on quality metrics to the MOHLTC as well as health care providers and professional colleges that assess health care system performance and the performance of the providers themselves respectively. BORN Ontario will leverage its BORN Information System (BIS) to collect, use, and disclose PHI for the PSP as it has for its prenatal screening activities to date. BORN Ontario relies on Dapasoft, the developer of the BIS solution, to provide BIS maintenance and support services and technical changes to the BIS required to enable the collection of cytogenetic and NIPT screening data to further inform prenatal screening.

Based on the information gathered, the consultant retained by BORN identified various strengths of the BORN privacy program, and support for privacy within the PSP more specifically. Evidence includes the recent review of BORN Ontario’s Privacy and Security Management Plan by the Information and Privacy Commissioner of Ontario (October 2017) and that the activities undertaken by the PSP appear to align with the purposes of BORN Ontario as a prescribed person facilitating or improving the provision of health care for mothers, infants, and children. Still, the consultant identified four potential privacy risks associated with the PSP and made four recommendations to mitigate those risks. Below is a summary of these recommendations:

Recommendation 1: Revise the data sharing agreement (DSA) template to forbid third-party service providers from using PHI for their own purposes and identify that any access to PHI in the custody of BORN Ontario is a use of PHI by BORN Ontario and not a disclosure of PHI to the service provider.

Recommendation 2: Revise the Privacy Requirements for BORN Projects and New Collections form with similar considerations for the disclosure of PHI to any person including health care providers.

Recommendation 3: Ensure the PSP website has a plain language description of BORN Ontario’s role in operating the PSP and links to the BORN Ontario plain language notice on its organizational website.