
Security and Privacy Policy Statement


bphealth is committed to excellence and focused on improving healthcare and patient/client outcomes. By partnering with our clients, we provide the expertise to implement and support secure, interoperable and sustainable business and technology solutions that realize tangible benefits for the system and its users. We maintain a firm commitment to our clients' security and privacy. In that effort, we implement applicable security safeguards to protect the privacy of those who use our services.

Our Privacy and Security Framework is based on standards that draw on several proven methodologies and provide a comprehensive approach to conducting risk management and meeting compliance objectives for both government and private-sector clients within Canada.

This Security and Privacy Policy, effective Sep 22, 2008, applies to all our service offerings and relates to internal practice and to information we handle or obtain during our business engagement processes. We have a long history of recognizing and protecting the privacy of our customers' information. We strive to protect our clients' privacy and use security technologies that give the safest and most effective customer service experience available.

Privacy Principles

bphealth generally does not collect client information that personally identifies individuals except when individuals provide such specific information on a voluntary basis. If bphealth consultants require access to personal information while conducting client services, our consultants strictly adhere to and comply with the guidelines set out in bphealth's Security and Privacy policies and procedures. It is the policy of bphealth to control the collection, use, and disclosure of personal information. In certain circumstances personal information may be collected, used, or disclosed without the knowledge and consent of the individual. Exemptions include, but are not limited to, personal information gathered for:

  1. Legal, medical, or security reasons
  2. Detection and prevention of fraud or for law enforcement
  3. Journalistic, artistic or literary purposes if its use is confined to those purposes

bphealth shall meet the following requirements unless exempted by the provisions stated above:

I. Accountability
bphealth is responsible for personal information under its control and shall designate a Privacy Officer to be accountable for bphealth's compliance with all relevant Privacy regulations.

II. Identifying Purposes
The purposes for which personal information is accessed or collected shall be identified by bphealth at or before the time the information is accessed or collected.

III. Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information.

IV. Limiting Collection
The access or collection of personal information shall be limited to that which is necessary for the purposes identified by bphealth.

V. Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

VI. Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

VII. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

VIII. Openness
bphealth shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

IX. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

X. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for bphealth's compliance.

Security and Privacy Standards

bphealth Security and Privacy Standards are based on guiding principles set out at the following:

  1. ISO/IEC 27002:2005
    http://www.iso.org/iso/catalogue_detail?csnumber=42103
  2. IPC or Office of the Information and Privacy Commissioner of Ontario
    http://www.ipc.on.ca/index.asp?navid=36
  3. PIPEDA or Personal Information Protection and Electronic Documents Act
    http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp
  4. PHIPA or Personal Health Information Protection Act
    http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm
  5. FIPPA or Freedom of Information and Protection of Privacy Act
    http://www.accessandprivacy.gov.on.ca/english/act/index.html
  6. RCMP/CSE Harmonized TRA Methodology
    http://www.rcmp-grc.gc.ca/ts-st/pubs/tra-emr/tra-emr-1-eng.pdf
  7. SANS - Overview of Threat and Risk Assessment or TRA
    http://www.sans.org/reading_room/whitepapers/auditing/76.php


bphealth's Internal Security and Privacy Policies

All bphealth staff are required to comply with the following internal policies:

  1. Information Security Classification and Labeling Policy
  2. Security and Privacy Incident Management Policy
  3. IT Acceptable Use Policy
  4. Client Communication Policy
  5. Compliance Management Policy
  6. Security and Privacy Management Framework

Security and Privacy Policy Changes

We may change our security and privacy policy at any time. Any changes to the privacy and security policy will be posted on this Web site so that you are aware of the information we collect and how we use it.

Compliance

All bphealth members who collect, maintain and/or use personal information are responsible for ensuring that the collection, use and disclosure of this information is carried out in accordance with this policy and relevant procedures.

The Privacy Officer is accountable for bphealth's policies and practices with respect to the management of personal information, and is the individual to whom complaints and inquiries can be forwarded.

How to Register a Privacy Complaint

You may register a privacy-related complaint by contacting bphealth's Privacy Officer using one of the following methods:

  1. Call: 416.363.3900
  2. Fax: 416.363.2872, Attn: Privacy Officer
  3. E-mail: info@bphealth.ca
  4. Mail:
        84 Gerrard Street West
        Toronto, ON M5G 1J5
        Attention: Privacy Officer