Portable Electronic Device Policy
|Policy:||Portable Electronic Device Policy|
|Policy Nr:||Sec 10 - 07|
|Target Review Date:||2020-07-24|
|Main Stakeholder:||Systems Analyst|
The Department of Internal Medicine takes all measures to comply with the Shared Health Confidentiality of Personal Health Information Policy and the WRHA Confidentiality of Personal Health Information Policy which are in place:
- To ensure that Trustees protect Personal Health Information including Demographic Information so that Individuals are not afraid to seek Health Care or to disclose sensitive information to health professionals.
- To also ensure that Personal Health Information is protected during its collection, use, disclosure, storage and destruction in accordance with the provisions of PHIA and other prevailing enactments such as The Mental Health Act.
Laptops - Are portable personal computers and may be a referred to as a “notebook”, “netbook” or “tablet” personal computers. They may be Digital Health Managed Laptops
Portable Electronic Devices (PEDs) - Include laptops, smartphones, pagers, iPods, iPads, call phones and any type of storage devices such as hard drives and flash drives etc.
Personal Health Information - Recorded information about an identifiable Individual that relates to:
- the Individual’s health, or health care history, including genetic information about the Individual;
- the provision of health care to the Individual; or payment for health care provided to the Individual;
- the PHIN (personal health identification number) and any other identification number, symbol or particular assigned to an Individual; and
- any identifying information about the Individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care;
and for further clarity includes:
- personal information such as financial position, home conditions, domestic difficulties or any other private matters relating to the Individual which have been disclosed to the Trustee;
and for the purpose of the WRHA Confidentiality of Personal Health Information Policy any Personal Health Information exchanged verbally about an identifiable Individual.
It is the practice of the Department of Internal Medicine to purchase desktop computers only. On a case-by-case basis, consideration of portable personal computers (laptops) may be made. Note that only Digital Health-managed laptops may be purchased if using a Shared Health or WRHA account, and only U of M approved laptops may be purchased if using a U of M account. Note that for purchasing additional equipment such as a monitor, keyboard, etc. approval is dependent upon where the equipment is located. Approval is by the Managing Director and the Department Head. This consultation must be made regardless of the source of funding, including privately purchased laptops which may contain FIPPA and/or PHIA information. This will ensure both members/employees of the department and the department is protected.
Protection of Personal Health Information is paramount - any Portable Electronic Device approved for purchase/use must have an operating system and hardware that will support password protection and encryption. "Support encryption" means the hardware must have, for example, a [TPM]. "Support password protection" means the Operating System software must support encryption "Out of the Box" - i.e. it's part of the Operating System and available immediately without any additional software.
Employees with Portable Electronic Devices shall be responsible to:
- secure them from unauthorized use;
- ensure they not be left unattended in an unsecured location;
- take appropriate precautions to prevent loss, theft or unauthorized access to sensitive data or e-mail.
- avoid or completely eliminate any Personal Health Information stored on the laptop or portable device.
Laptop computers will be the responsibility of the employee at all times. They are not to be left in vehicles or left unattended while not on a work location. Appropriate security, including tie-down cables should be used when working at remote locations. All laptops must be configured by the Department of Internal Medicine and/or Digital Health and will include security software including encryption. Under no circumstances can the normal functioning of this software be interfered with by the employee.
Loss or theft of Portable Electronic Devices, or any potential security breaches, shall be reported immediately by the employee by contacting the Shared Health Service Desk, the Managing Director(Vacant) and Systems Analyst(Tom Fraser). In the event of loss or damage through negligence or misuse while in the custody of the employee, the employee may be held responsible for the costs of repair and/or replacement.
The department will insist and ensure all reasonable measures will be in place to prevent the loss of sensitive data (eg. Antivirus; Firewall; physical tracking software if applicable). If the computer is not a WRHA-managed Digital Health computer, a tracing program must be purchased.
The authorization to proceed with the purchase of, or at the request of the Department Head the continued use of, a portable electronic device shall require completion of a brief business case (can simply be an e-mail) that details the following:
- Explain why a desktop is not suitable
- What patient and/or confidential information could ever be stored on the laptop/PED
- Submission of any laptop request must include notice that this policy has been read, is understood and is agreed to
- Proof of PHIA compliance of the equipment and PHIA training will be arranged by the Systems Analyst
- See Purchasing a WRHA Standard Desktop/Laptop which describes how the Systems Analyst purchases a WRHA Digital Health Standard Desktop or Laptop. The Systems Analyst ensures that all department and jurisdictional authority policies are complied with when they purchase computer equipment.
Shared Health Policies:
- Shared Health Confidentiality of Personal Health Information Policy
- Shared Health Use of Portable Electronic Devices and Personal Computer Policy
- Shared Health Reporting and Investigating Privacy Breaches and Complaints Policy
- Shared Health Privacy of Personal Information Under The Freedom of Information and Protection of Privacy Act Policy
- WRHA Use of Portable Electronic Devices and Personal Computer Policy
- WRHA Reporting and Investigating Privacy Breaches and Complaints Policy
- WRHA Confidentiality of Personal Health Information Policy
- WRHA Privacy of Personal Information Under The Freedom of Information and Protection of Privacy Act Policy