Privacy Impact Assessments
Summary of Fast Healthcare Interoperability Resources (FHIR) Application for BORN Clinical Data Integrations - Privacy Impact Assessment August 2022
The Children’s Hospital of Eastern Ontario-Ottawa Children’s Treatment Centre (CHEO-OCTC) with respect to the Better Outcomes Registry and Network (BORN) engaged an external consultant to conduct a privacy impact assessment (PIA) on the implementation of the Fast Healthcare Interoperability Resources (FHIR) Application (App) that would enable data contributors who are health information custodians (HICs) to review and correct errors in patient information submitted through clinical data integrations established between contributor patient information systems (e.g., hospital information systems or electronic medical records) and the BORN information system (BIS). The FHIR App will allow real time data submission feedback between the BIS and each contributor’s HIS or EMR. The introduction of the FHIR app is intended to enable hospital users to review and correct data errors in data submitted to the BIS in the context of their local system, enabling real time updates to the BIS.
Summary of Recommendations
The consultant identified four (4) potential privacy risks and made recommendations to mitigate those risks. Below is a summary of these recommendations:
Recommendation 1:
A clause should be added in section 8 of the Data Sharing Agreement (DSA) requiring the data provider to ensure that authorized users complete privacy training before access to the BIS is granted.
Recommendation 2:
A clause should be added to section 9 of the DSA that requires the data provider and BORN to coordinate privacy breach notification and investigation obligations if such a scenario arises.
Recommendation 3:
DSA should be amended to describe the expectation that Health Information Custodian (HIC) train end users to use the FHIR App to address data quality issues with data they contributed to the BIS.
Recommendation 4:
The End User Terms can be enhanced by including obligations on the end users to complete the privacy training.
Summary of BORN Ontario Data Warehouse Privacy Impact Assessment, October 2021
The Children’s Hospital of Eastern Ontario (CHEO) with respect to the Better Outcomes Registry and Network (BORN) is a prescribed person under Ontario’s Personal Health Information Protection Act, 2004. BORN is a provincial program with a mandate to facilitate high quality care to pregnant individuals, infants, and children in Ontario. To this end, BORN collects, uses, and discloses PHI related to reproductive, pregnancy, newborn, and child health from care providers and agencies across the province.
Historically, BORN has relied upon the cloud-hosted BORN Information System (BIS) to store, process, manage, analyze, develop, and share data and data products. Recently, BORN invested in a Microsoft Azure-hosted data warehouse (the BDW). As a proof-of-concept of the BDW, BORN has initially included a limited subset of BIS data in the BDW, focusing on a limited set of variables to evaluate the design and concept. In the future, BORN anticipates including a broader dataset in the BDW environment. BORN also anticipates procuring and implementing a business intelligence (BI) solution to further support these objectives in collaboration with CHEO at a later stage.
BORN engaged an external consultant to conduct a Privacy Impact Assessment (PIA) to assess the privacy risks associated with the implementation and use of the BDW, as well as identify privacy-related considerations for the future BI solution.
Summary of Risks and Recommendations
The consultant identified 2 risks associated with BORN’s implementation and use of the BDW and has made 2 recommendations to address these risks and support compliance with privacy legislation, best practice, and the IPC/Ontario’s Manual for the Review and Approval of Prescribed Persons and Prescribed Entities:
Recommendation 1: BORN should update their privacy governance structure and Committee Terms of References to reflect the activities that will be supported by the introduction of the data warehouse and BI application in future, with consideration of the intent to use these systems to better support access to BORN data, and potentially expand access to data products derived from patient data for purposes that align with BORN's mandate. This includes:
- Updating the Terms of Reference for the PHI Disclosure Committee and Reporting Analysts Team to accommodate the BDW and related decision-making.
- Developing decision-making and operational supports for the Committees, Reporting Analysts and Data Analysis and Research Team to clarify the types of decisions made at each group and escalation pathways for decisions.
Recommendation 2: BORN should update the policies and procedures in the privacy manual to reflect the new policies and procedures required for the data warehouse and BI application, in particular revising policies and procedures related to de-identification and aggregation of data to reflect the constraints of de-identification processes associated with the BDW environment.
Various BORN Programs - Privacy Impact Assessment, November 2018
The Children’s Hospital of Eastern Ontario (CHEO) with respect to the Better Outcomes Registry and Network (BORN) undertook a privacy impact assessment (PIA) on three BORN program initiatives:
- Sending completed Healthy Babies Healthy Children (HBHC) screens from hospitals to public health units (PHUs) and sending missed screening alerts to PHUs where a HBHC screen has not been completed in the hospitals; and
- Collecting additional data about a child’s growth parameters (height and weight) and lifestyle from primary care to facilitate the province’s Healthy Growth Initiative (HGI).
The PIA also supports BORN in identifying the appropriate signing authority when entering into data sharing agreements (DSAs) with primary care to collect data elements from their electronic medical record (EMR) systems.
Based on the information gathered, the privacy consultant identified various strengths of the BORN privacy program, and support for privacy within these specific initiatives such as consulting with the Privacy and Security Review Committee and the Data Dictionary Collection Review Committee, ensuring its Privacy and Security Management Plan has been reviewed and approved by the IPC/Ontario, and assessing the privacy risks of the initiatives in the planning stages.
BIS-to-Cloud Privacy Impact Assessment, August 2018
BORN engaged a privacy consultant to conduct a privacy impact assessment (PIA) on the migration of the BORN Information System (BIS) from the CHEO Information Technology Shared Services Department (CHEO IT) hosting infrastructure into the Microsoft Azure Cloud using the services of Dapasoft, a Microsoft partner and the developer of the BORN Information System (BIS).
Based on the information gathered, the consultant identified various strengths of the BORN privacy program, and support for privacy within the BIS-to-Cloud project more specifically. Because the migration to the cloud will not result in any new or modified collections or disclosures of PHI, there are limited privacy impacts for the current phase of the project. Should future phases of the project require the BIS to be re-architected such that it has an impact on the collection, use, and/or disclosure of PHI, or that it meets the requirements of P-25 Privacy Impact Assessments of the BORN Privacy and Security Management Plan, then another PIA should be completed.