The Personal Health Information Protection Act, 2004 (PHIPA) establishes a legal framework for protecting the privacy of patients’ personal health information (PHI). The Act defines health care facilities as “health information custodians” (HICs) and their employees as “agents” who act on their behalf when collecting, using, and disclosing personal health information. The Regulation made under PHIPA also specifies requirements for health information network providers (“HINPs”) who provide electronic services to enable HICs to share PHI with one another.
The South East Local Health Integration Network (SELHIN) has developed an electronic service portal called the Shared Health Integrated Information Portal (SHIIP), through Kingston Health Sciences Centre (KHSC), for HICs in the geographic area managed by the SELHIN to share PHI with one another. SHIIP is a secure web-based portal which enables health care providers to share patient data in real-time, or near real-time, including hospital emergency room and acute care visits, post-acute, and service detail from community services the patient received. The portal incorporates and connects information from existing technology assets, facilitates the identification of complex/high-needs patients, and helps to inform clinical decision and care planning to improve the patients' quality of service and experience in the health care system.
KHSC has entered into a contract with the Kingston, Frontenac, Lennox & Addington Health Unit (KFLA) to provide certain information technology and related services required for the provision of SHIIP. These services include (amongst others) system development, managing the data warehouse and application, and help desk. KHSC provides electronic services to HICs for the purposes of providing information to, or receiving information from, SHIIP.
KHSC functions in different roles (i.e. HINP, electronic service provider (ESP) and agent) as defined in PHIPA and its Regulation when providing services to SHIIP participants. To the extent that SHIIP is used to permit two or more participants to disclose PHI to one another related to a coordinated care plan (CCP), KHSC is a HINP to those participants. To the extent that SHIIP is used to permit a participant to use electronic means to disclose or collect PHI, KHSC is an ESP to those participants. Lastly, to the extent that SHIIP is used to generate patient scores such as HARP, LACE, mHOMR, and complex flags, KHSC is an agent acting on behalf of the participant that contributed the data used to produce the scores.
As a HINP, KHSC is subject to the requirements under subsection 6(3) of the Regulation of PHIPA. Below are policies that describe the standards employed by KHSC to protect the PHI managed in SHIIP. If you have questions about KHSC’s role as a HINP, or if you require further documents regarding our privacy practices, please contact the KHSC Privacy Office using the contact information below.
Plain Language Description: Shared Health Integrated Information Portal (SHIIP)
A. SHIIP Access
Health care providers will be granted access to SHIIP in order to allow them to access and use personal health information for the purpose of providing or assisting in the provision of health care. Personal health information in SHIIP will only be used for research or a secondary purpose as allowed for and in accordance with the conditions specified by the Personal Health Information Protection Act, 2004 (PHIPA) and its regulations. Health care providers will be authorized to access SHIIP through the services or sub-contracted third-party services of Kingston Health Sciences Centre (KHSC).
B. Personal Health Information
Personal Health Information (PHI) is information about the health care provided to an identifiable individual. The PHI available in SHIIP is contributed by health information custodians connected to SHIIP (e.g. hospitals and community health service providers). PHI in SHIIP presents the information as it is received. The contributing health information custodian remains accountable for the completeness and accuracy of any PHI contributed by that health information custodian into SHIIP. Health information custodians may also amend the PHI they contributed from time to time, so when providing care, health care providers should always access the latest information for that particular patient in SHIIP.
C. Security and Privacy Safeguards
SHIIP has implemented, and will maintain, administrative, physical and technical safeguards to protect the PHI being transferred, processed or stored from theft, loss, unauthorized use, modification, disclosure, destruction and/or damage. These safeguards include security software and encryption protocols, firewalls, locks and other access controls, privacy impact assessments, staff training and confidentiality agreements.
To see a list of partner organizations who have signed onto this agreement, click here.
Privacy Breach Management
Content Management / Lock-Box
Auditing of Access to Hospital Electronic Data and Information
Kingston Health Sciences Centre
76 Stuart Street,
Kingston, ON K7L 2V7
Tel: 613-549-6666 Ext. 2567