Portable Electronic Device Policy
|Policy:||Portable Electronic Device Policy|
|Policy Nr:||Sec 10 - 07|
|Target Review Date:||2019-12-31|
|Main Stakeholder:||Systems Analyst|
The Department of Internal Medicine takes all measures to comply with the WRHA Confidentiality of Personal Health Information Policy, which is in place to ensure that Trustees protect Personal Health Information, including Demographic Information, so that Individuals are not afraid to seek Health Care or to disclose sensitive information to health professionals.
That policy is also in place to ensure that Personal Health Information is protected during its collection, use, disclosure, storage and destruction in accordance with the provisions of PHIA and other prevailing enactments such as The Mental Health Act.
Laptops - portable personal computers, which may be referred to as “Notebook”, “Netbook” or “Tablet” personal computers. They may be eHealth Managed Laptops.
Portable Electronic Devices (PEDs) - include Laptops, smartphones, pagers, iPods, iPads, cell phones and any type of storage device, such as hard drives and flash drives.
Personal Health Information - Recorded information about an identifiable Individual that relates to:
- the Individual’s health, or health care history, including genetic information about the Individual;
- the provision of health care to the Individual; or payment for health care provided to the Individual;
- the PHIN (personal health identification number) and any other identification number, symbol or particular assigned to an Individual; and
- any identifying information about the Individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care;
and for further clarity includes:
- personal information such as financial position, home conditions, domestic difficulties or any other private matters relating to the Individual which have been disclosed to the Trustee; and
- for the purpose of the WRHA Confidentiality of Personal Health Information Policy, any Personal Health Information exchanged verbally about an identifiable Individual.
It is the practice of the Department of Internal Medicine to purchase desktop computers only. On a case-by-case basis, consideration of portable personal computers (laptops) may be made. Approval is by the Managing Director and the Department Head. This consultation must be made regardless of the source of funding, including privately purchased laptops which may contain FIPPA and/or PHIA information. This will ensure that both the members/employees of the Department and the Department itself are protected.
Protection of Personal Health Information is paramount: any Portable Electronic Device approved for purchase/use must have an operating system and hardware that will support password protection and encryption. "Support encryption" means the hardware must have, for example, a TPM. "Support password protection" means the Operating System software must support encryption "Out of the Box", i.e. it is part of the Operating System and available immediately without any additional software.
Employees with Portable Electronic Devices shall be responsible to:
- secure them from unauthorized use;
- ensure they are not left unattended in an unsecured location;
- take appropriate precautions to prevent loss, theft or unauthorized access to sensitive data or email;
- avoid or completely eliminate any Personal Health Information stored on the laptop or portable device.
Laptop computers will be the responsibility of the employee at all times. They are not to be left in vehicles or left unattended while not at a work location. Appropriate security, including tie-down cables, should be used when working at remote locations. All laptops must be configured by the Department of Internal Medicine and/or Manitoba eHealth and will include security software including encryption. Under no circumstances can the normal functioning of this software be interfered with by the employee.
Loss or theft of Portable Electronic Devices, or any potential security breaches, shall be reported immediately by the employee by contacting the eHealth Service Desk, the Managing Director (Dale Gustafson) and the Systems Analyst (Tom Fraser). In the event of loss or damage through negligence or misuse while in the custody of the employee, the employee may be held responsible for the costs of repair and/or replacement.
The Department will insist on and ensure that all reasonable measures are in place to prevent the loss of sensitive data (e.g. Antivirus; Firewall; physical tracking software if applicable). If the computer is not a WRHA managed eHealth computer, a tracing program for use if the laptop is lost/stolen must be purchased.
The authorization to proceed with the purchase of, or at the request of the Department Head the continued use of, a portable electronic device shall require completion of a brief business case (can simply be an email) that details the following:
- Explain why a desktop is not suitable:
- What patient and/or confidential information could ever be stored on the laptop/PED:
- Submission of any laptop request must include notice that this policy has been read, is understood and is agreed to.
- Proof of PHIA compliance of the equipment and PHIA training will be arranged by the Systems Analyst.
- See Purchasing a WRHA Standard Desktop/Laptop, which describes how the Systems Analyst purchases a WRHA eHealth Standard Desktop or Laptop. The Systems Analyst ensures that all Department and jurisdictional authority policies are complied with when purchasing computer equipment.
Elsewhere there is a link to Purchasing a U of M Standard Desktop/Laptop - does that need to be here as well, and does it need to be built?
- WRHA Use of Portable Electronic Devices and Personal Computer Policy
- WRHA Reporting and Investigating Privacy Breaches and Complaints Policy
- WRHA Confidentiality of Personal Health Information Policy
- WRHA Privacy of Personal Information Under The Freedom of Information and Protection of Privacy Act Policy