TELUS EMR Mobile PIAPrivacy Impact Assessment

Page 2

Table of ContentsPIAs for Clinics.................................................................................................................3Project Summary..............................................................................................................4Data Elements..................................................................................................................5

Exposed........................................................................................................................5Patient Appointments / Calendar................................................................................5Patient Demographics................................................................................................5Patient Medical Information........................................................................................5Patient Encounters.....................................................................................................5Patient Search............................................................................................................6Address Book.............................................................................................................6

Collected.......................................................................................................................6Patient Photo..............................................................................................................6Other..........................................................................................................................6

Project Information Flow..................................................................................................7KinLogix........................................................................................................................7

Legend.......................................................................................................................7Med Access...................................................................................................................8

Legend.......................................................................................................................8PS Suite........................................................................................................................9

Legend.......................................................................................................................9Wolf.............................................................................................................................10

Legend.....................................................................................................................10Services......................................................................................................................11

Legend.....................................................................................................................11Data Access...................................................................................................................12

Access Patient Information.........................................................................................12Role based Access to Health Information by clinic staff..............................................12Pairing Workflow.........................................................................................................14Device Security Measures and Safeguards................................................................15Audit Log.....................................................................................................................15

Additional information we store in the Mobile Activity Logs......................................15Information not logged.............................................................................................16

Incident and Responses.................................................................................................17Loss of control of the device.......................................................................................17Compromise of Device Credentials.............................................................................17Unauthorized Registration of Device...........................................................................17

Verification and Validation..............................................................................................18Appendix........................................................................................................................19

TELUS EMR Mobile Clinic Terms and Conditions......................................................19TELUS EMR Mobile End User Agreement..................................................................20TELUS EMR Mobile Clinic Terms and Conditions (FR)..............................................22TELUS EMR Mobile End User Agreement (FR).........................................................23

Page 3

PIAs for Clinics

Clinics (depending on the province in which they are situated) are responsible for maintaining an up to date Privacy Impact Assessment (PIA) for the combination of software and processes in place at the clinic.

TELUS cannot make these updates on behalf of a clinic, as each clinic’s processes and software (including 3rd party software) are unique.

Adoption of TELUS EMR Mobile, like any other change to the IT landscape at a clinic, may require an impact to the PIA.  

The TELUS EMR Mobile team cannot provide any specific advice on completing a clinic PIA.

The TELUS EMR Mobile team maintains an internal PIA document for TELUS EMR Mobile that we use to ensure that we are adequately covering security, privacy, and all other software-oriented aspects that could cause a security or privacy breach.  The TELUS EMR Mobile team is happy to share this document to aid in the creation of clinic PIAs, however it must be noted that this document may or may not be good enough from a clinic PIA, and does not substitute for a thorough, clinic-specific PIA performed and documented by the clinic.  

Page 4

Project SummaryThe TELUS Mobile EMR application (“Mobile App”) is a mobile application that allows medical practitioners access to a subset of data in their Electronic Medical Record (“EMR”) system to facilitate activities and care delivery via their smart phone or tablet. This application represents an extension of the EMR system already in production at the clinic and is leveraged only by authorized Medical Practitioner users of the EMR. No sensitive data is ever stored on the device and a secure connection is made with the EMR data.

The following EMR applications are currently supported: KinLogix EMR Med Access EMR PS Suite EMR Wolf EMR

Practitioners frequently need to access information from outside the clinic property. Often the restrictive networks present in hospitals and other medical facilities create barriers to accessing critical patient information required for timely care delivery. By leveraging a cellular or Wi-Fi network securely, authorized TELUS EMR Mobile users (“Users”) can access this critical information when it is required.

Additionally, at the point of care, practitioners might require a photograph of a patient condition to augment the patient’s text-based medical chart. The TELUS EMR Mobile app leverages the native camera capabilities of the device to facilitate capturing a photograph and uploading to the patient chart in the EMR. Photographs captured via the Mobile App are not stored on the device, but are uploaded via 256 bit HTTPS/SSL encrypted connection and deleted from the device after upload.

Practitioners also require Patient contact information to facilitate required communication with patients. TELUS EMR Mobile users can dial directly from their mobile device to phone numbers stored in the EMR, improving convenience and reducing transcribing errors for dialing. Additionally, practitioners can access Patient addressing information to generate a map or directions to addresses (Patient, Pharmacy or Medical Consultant) stored in the EMR.

Custodians are obligated to maintain the privacy and confidentiality of identifying health information to the greatest extent possible, within reason, as part of collecting, using, storing, disclosing, and disposing of said information in the course of providing health services and carrying out duties and responsibilities related to same or as necessitated by obligations under, for example, legislation or professional guidelines.

Page 5

Data Elements

ExposedThe following data elements will be accessible as read-only by the application user.

Patient Appointments / Calendaro Appointments

Appointment Date Appointment Time

o Notes associated with the booking (Reason for Visit)o Schedules within the clinico Provider IDo Service facility / Location

Patient Demographicso Titleo First Nameo Last Nameo “Goes By” Nameo Date of Birth (DOB)o Gendero Languageo Contact information

Phone number(s) Address

o Chart IDo PHNo Patient Notes

Patient Medical Informationo Active Problemso Current Medicationso Allergieso Past Procedureso Riskso Vaccinationso Family Historyo Personal History

Patient Encounterso Patient Visit Noteso Consults

Page 6

o Created by User Created Date and Time

o Edited by User (if applicable) Edited Date and Time

o Visit Encounter Date and Time

Patient Searcho Patient Nameo PHNo Date of Birtho Gender

Address Booko Clinic Address Book

This contains contact information for other physicians of different specialties as well as facility contacts. This includes specialists, pharmacies, nursing homes, etc. This data is maintained by the individual clinic.

CollectedThe following is the data we collect using the Mobile Application.

Patient PhotoWe allow the capture of photographs using the Mobile App that uploads to the patient chart. Photographs captured via the Mobile App are not stored on the device, but are uploaded via 256 bit HTTPS/SSL encrypted connection and deleted from the device after upload.

Othero Device Hardware information

IMEI OS Model Name

o User specific preferences (saved on Device) Tutorial viewed (Yes/No) Connectivity for each paired clinic Clinic ID User ID Clinic security policy (PIN length, inactivity timeout) Cryptographic Identifier (user_token) which, in concert with

credentials enables access

Page 7

Which calendar to display Last scheduled viewed

Page 8

Project Information FlowThe way the Mobile Application connects to the various data sources depends on the EMR the user is paired with.

KinLogix

LegendQIDC = Quebec Data CenterHTTPS = HTTP SecureEMR = Electronic Medical RecordsSQL = Structured Query Language

Page 9

Med Access

LegendCIDC = Calgary Data CenterHTTPS = HTTP SecureEMR = Electronic Medical RecordsSQL = Structured Query Language

Page 10

PS Suite

LegendQIDC = Quebec Data CenterHTTPS = HTTP SecureEMR = Electronic Medical RecordsSQL = Structured Query Language SSH = Secure Shell

Page 11

Wolf

LegendCIDC = Calgary Data CenterHTTPS = HTTP SecureEMR = Electronic Medical RecordsSQL = Structured Query Language

Page 12

Services

LegendHTTPS = HTTP SecureEMR = Electronic Medical RecordsSQL = Structured Query Language

Page 13

Data AccessTo pair to TELUS EMR Mobile, users must already have an account created on one of the EMR platforms that we support. The user will only have access to health information maintained in the EMR system they are paired to. Our application respects any data restrictions imposed on the user by the EMR.

To activate EMR Mobile on a clinic, a clinic administrator must first accept our Terms and Agreements from the EMR administrative settings. Once complete, this will activate the Mobile Dashboard which allows users to pair their devices.

Access Patient Information

This project will:

1) Display information from the clinics EMR, in accordance with EMR security and use 2) this information to make health care decisions3) Leverage the capabilities of the native device to initiate a phone call to a patient or

provider using the native telephony capabilities of the device4) Generate a map to an address of patient or provider maintained in the EMR

leveraging the native capabilities of the device5) Capture a patient photograph and upload it to the EMR to augment text data

captured regarding patient condition

Role based Access to Health Information by clinic staff

Users of TELUS EMR Mobile will only have access to health information maintained in the Clinic’s EMR system as required to perform their assigned duties.

The following table is an example of these positions and their information access needs. Please note that each clinic may set up their access rights differently.

Position & Job Title

User Role Type of access (Read, Write, Edit)

Description of information this user can access

Receptionist Reception Read/View - all data elements, all patient records; prescriptionsCreate/Write/Edit – all notes, immunizations and treatments

Demographics, scheduling, visits, tasks, encounter notes

Medical Administratio Read/View - all data elements, all Demographics,

Page 14

Office Assistant

n / Health Professional

patient records; prescriptionsCreate/Write/Edit – all notes, immunizations and treatments

scheduling, visits, tasks, encounter notes

Clinic Manager

Administration

Read/View - All medical data is hidden; all other data is viewableCreate/Write/Edit - Messages onlyAccess to billing

Demographics, scheduling, visits and tasks, reports, billingSystem access management

Physicians Doctor Read/View - all data elements, and all patient recordsCreate/Write/Edit – all including prescriptions

Clinical care information – notes, labs/ DI, allergies, immunizations, referrals, billingSystem access management

POS Vendor Helpdesk / Technical Support

Help Desk Support

Read/View – same as user they are assisting (remote control their session)Create/Write/Edit – same as user they are assisting (remote control their session)

(see above user roles)

Page 15

Pairing Workflow

Page 16

Device Security Measures and Safeguards

We have implemented several measures to mitigate risk if a user was to have their device misplaced or compromised.

PINs can be set on the administrative dashboard to be either 4 or 6 digit PINs. The Mobile app will lock after 5 unsuccessful login attempts

o One must login to the EMR to reset their PIN if this happens Our App inherently forces users to have 2 factor authentication (must have the

registered device & know the PIN). Our App will timeout if the user is inactive for 2 minutes and return to the login

page. Devices can be deactivated or unpaired from the EMR administrative dashboard. Administrators can review all devices paired from the dashboard and deactivate

them if necessary

Audit Log

TELUS EMR Mobile writes an audit trail using each EMR’s built-in audit log.

We track the following events:

Login Access to Patient Chart Photo Uploads

For each event, we track:

Time User Device Patient (if applicable)

Additional information we store in the Mobile Activity Logs

In addition to the events we store in the EMR audit logs, we also log the following in our Mobile Activity Logs.

Deviceo Carrier

This information is not available to the end user, but can be available upon request.

Page 17

Information not logged

The following is information is accessible through the TELUS EMR Mobile app that we do not log. Please note that the user must be logged in to access these features.

Part of Application Data Accessed

Home Patient Last Name Patient First Initial Patient Appointment Type Patient Appointment Time Patient Arrival Status

Patient Search Patient Name DOB / Age PHN Gender

Calendar Patient Last Name Patient First Initial Patient Gender Patient Appointment Type Patient Appointment Time Clinic Calendars

Address Book This accesses the clinic’s address book which may contain

o Doctors Nameso Doctors Clinic Phoneo Doctors Clinic Addresso Other facilities

Pharmacies Nursing homes Etc.

Page 18

Incident and Responses

Loss of control of the device

As access to EMR Mobile is constrained to registered devices, loss of control of a registered device should create a trigger to investigate further with the following workflow:

If a user loses control of their device, they must immediately:

Log into the EMR and deregister their device Contact the Clinic Administrator to conduct a review of the System Audit Logs to

determine if information has been accessed by the mobile device during the period when the user lost control of the device before it was deregistered

Compromise of Device Credentials

If a user is concerned that their credentials have been compromised, they will need to consider whether their device has been outside of their control for any period. If so, please see ‘Loss of control of the device’ and follow that workflow.

Unauthorized Registration of Device

All devices registered for use with the EMR must be approved in advance by clinic administrators. Clinic administrators will be notified by the system when new devices are registered. If the device was not approved in advance, the clinic administrator may log into the EMR and review that the device is appropriately registered. If the Clinic System Administrator finds a device has been inappropriately registered, they may review the system audit logs to ensure no personal health information has been accessed inappropriately.

Page 19

Verification and ValidationTELUS EMR Mobile has undergone several internal security audits.

In 2014, there was an internal audit held reviewing the authentication and authorization of all web service calls. Prior to that, there have been Fortify code scans done on the services codebase.

Most recently, a security audit was completed in July 2016 by the TELUS Security Solutions team to determine if our Mobile EMR web services had any security weaknesses or misconfigurations which could be used to gain access to any sensitive information.

Their assessment found that the application was well secured with only one low risk issue discovered. This issue has since been fixed.

Page 20

Appendix

TELUS EMR Mobile Clinic Terms and Conditions

TELUS EMR MOBILE CLINIC TERMS AND CONDITIONS

Clinic is to activate the TELUS EMR Mobile functionality (“EMR Mobile”) within a TELUS Electronic Medical Records Solution (the “Solution”). EMR Mobile is governed by the same terms and conditions as the ones contained in the contract applicable to the Solution (the “Contract”), subject to the variations and precisions set out herein. By clicking the “Accept” button below, you represent that you have been authorized by all parties to the Contract (collectively, “you”) to accept on their behalf the following terms and conditions. If you have any questions or comments regarding the following terms and conditions, please contact TELUS EMR Technical Assistance Centre.

EMR Mobile is offered to you without additional charges but is subject to your full compliance with the Contract, including any payment obligations contained therein. TELUS reserves the right to discontinue EMR Mobile at any time by giving you a thirty (30) days prior written notice. EMR Mobile must not be activated for or used by users who are not authorized users of the Solution and must immediately be uninstalled when a user ceases to be an authorized user of the Solution.

EMR Mobile is not designed or intended to be used, directly or indirectly, as a medical device. EMR Mobile is offered for the convenience of its users to access a portion of the information contained in the Solution. Users should use the desktop / laptop portion of the Solution when circumstances require to review information that is not accessible through EMR Mobile, such as when recommending a treatment. Make sure that all users are aware of such limitations and the content of these terms and conditions.

You are responsible for immediately deactivating any lost or stolen device on which EMR Mobile is installed. If you need assistance in deactivating a device, contact TELUS EMR Technical Assistance Centre.

TELUS support obligations set out in the Contract do not extend to the devices (for example, tablets, handsets) used by users to access the EMR Mobile, even if such devices were sold to you by TELUS or one of its affiliates. All service levels and penalties contained in the Contract, if any, do not apply to EMR Mobile.

Page 21

TELUS EMR Mobile End User Agreement

You are about to have access to the TELUS EMR Mobile application (“EMR Mobile”), which connects to your TELUS Electronic Medical Records Solution (the “Solution”), be it: Wolf EMR, PS Suite EMR, Kinlogix EMR, or Med Access EMR. The following describes terms and conditions that are applicable to the use and access of EMR Mobile. By clicking the “Accept” button below, you confirm your acceptance with the following terms and conditions. If you have any questions or comments regarding the following terms and conditions, please contact the TELUS Technical Assistance Centre that supports your Solution at the number below.

Kinlogix EMR: 1-855-880-9589Med Access EMR: 1-888-781-5553 Opt.4PS Suite EMR: 1-800-265-8175 Opt.1Wolf EMR: 1-866-879-9653 Opt. 1

To install and use EMR Mobile, you must be an authorized user of the Solution. If you cease to be an authorized user of the Solution, you must immediately uninstall EMR Mobile. TELUS reserves the right to discontinue EMR Mobile at any time by giving you a thirty (30) days prior written notice.

EMR Mobile is not designed or intended to be used, directly or indirectly, as a medical device. EMR Mobile is offered for your convenience to access a portion of the information contained in the Solution. You should use the desktop/laptop portion of the Solution when circumstances require to review information that is not accessible through EMR Mobile, such as when gathering information to recommend a treatment.

Do not install EMR Mobile on a device that you share with a third party, colleague or family member. EMR Mobile will request you to re-authenticate after a short period of inactivity. You are responsible for maintaining the confidentiality of your authentication credentials at all times. You are responsible for immediately reporting to your EMR administrator any lost or stolen device for immediate deactivation.

You are responsible for complying with all applicable laws, by-laws and regulations that apply to your use of EMR Mobile, including laws related to privacy, health information, and the practice of medicine. EMR Mobile allows you to capture photos and upload them in the Solution. Before photographing patient identifiable images, please ensure you have captured appropriate consent.

If you experience difficulties or require information regarding your use of EMR Mobile or the contract applicable to the Solution, please contact your EMR/Clinic administrator. Your use and access of EMR Mobile are made “as is”, without any additional warranty, support or representations. TELUS shall not be liable for any direct, indirect, consequential, punitive or exemplary damages in connection with EMR Mobile. Notwithstanding the foregoing, TELUS’ entire and cumulative liability in connection with EMR Mobile shall not exceed an amount of $1000 CAD. TELUS support obligations

Page 22

applicable to the rest of the Solution do not extend to the devices (for example, tablets, handsets) used to access EMR Mobile, even if such devices were sold by TELUS or one of its affiliates. All service levels and penalties applicable to the rest of the Solution, if any, do not apply to EMR Mobile.

While you have downloaded EMR Mobile from the Apple App Store, you understand and agree that Apple is not a party to hereto and has no liability hereunder or in connection with EMR Mobile. To the extent applicable, Apple may be a third party beneficiary to the above terms and conditions.

Page 23

TELUS EMR Mobile Clinic Terms and Conditions (FR)

CONDITIONS D’UTILISATION du DME Mobile - CLINIQUES

Vous êtes sur le point d’activer la fonctionnalité TELUS DME Mobile (« DME Mobile») dans votre solution de dossier médical électronique KinLogix (la « Solution »). Le DME Mobile est régi par les mêmes conditions que celles décrites dans le contrat applicable à la Solution (le « Contrat »), mis à part les modifications et précisions énoncées aux présentes. En cliquant sur le bouton d’acceptation ci-dessous, vous déclarez que vous avez été autorisé par toutes les parties au Contrat (collectivement « vous ») à accepter en leur nom les conditions suivantes. Si vous avez des questions ou des commentaires portant sur ces conditions, appelez le centre d’assistance technique du DME KinLogix.

L’utilisation du DME Mobile vous est offerte sans frais supplémentaires, mais est conditionnelle à votre plein respect du Contrat, notamment des obligations de paiement qu’il mentionne. TELUS se réserve le droit d’interrompre le service DME Mobile en tout temps, sur avis écrit de trente (30) jours. L’application DME Mobile ne doit pas être activée pour des personnes autres que des utilisateurs autorisés de la Solution ni utilisée par de telles personnes. Elle doit être immédiatement désactivée dès qu’un utilisateur cesse d’être un utilisateur autorisé de la Solution.

Le DME Mobile n’est pas prévu ni conçu pour être utilisé, directement ni indirectement, comme un instrument médical. Le DME Mobile est offert à ses utilisateurs afin de leur permettre d’accéder à une partie du contenu de la Solution. Les utilisateurs doivent utiliser un ordinateur de bureau ou un ordinateur portable pour accéder à la Solution lorsque les circonstances exigent qu’ils consultent la partie de celle-ci qui n’est pas accessible par l’intermédiaire du DME Mobile, par exemple, lorsqu’ils doivent recommander un traitement. Assurez-vous que tous les utilisateurs sont au fait de telles limitations et du contenu des présentes.

Vous êtes responsable de désactiver immédiatement tout appareil perdu ou volé sur lequel DME Mobile est installé. Si vous avez besoin d’aide pour désactiver un appareil, communiquez avec le centre d’assistance aux utilisateurs de DME de TELUS.

Les obligations de TELUS énoncées dans le Contrat relativement au soutien ne s’étendent pas aux appareils (par exemple, les tablettes ou les téléphones) utilisés pour accéder à DME Mobile, même si de tels appareils vous ont été vendus par TELUS ou une de ses sociétés affiliées. L’ensemble des niveaux de service et des pénalités énoncés dans le Contrat, le cas échéant, ne s’appliquent pas au DME Mobile.

Page 24

TELUS EMR Mobile End User Agreement (FR)

Vous êtes sur le point d’accéder à l’application TELUS DME Mobile (« DME Mobile »), laquelle se connecte à votre solution de dossier médical électronique TELUS (la « Solution »), soit : Wolf DME, Suite SC DME, KinLogix DME ou Med Access DME. Les présentes décrivent les conditions applicables à l’accès au DME Mobile et à son utilisation. En cliquant sur le bouton d’acceptation ci-dessous, vous confirmez que vous acceptez les conditions suivantes. Si vous avez des questions ou des commentaires portant sur ces conditions, appelez le centre d’assistance technique TELUS qui prend en charge votre Solution au numéro suivant :

Kinlogix DME: 1-855-880-9589Med Access DME: 1-888-781-5553, option 4PS Suite DME: 1-800-265-8175, option 1Wolf DME: 1-866-879-9653, option 1

Pour installer et utiliser le DME Mobile, vous devez être un utilisateur autorisé de la Solution. Si vous cessez de l’être, vous devez immédiatement désinstaller le DME Mobile. TELUS se réserve le droit d’interrompre le service DME Mobile en tout temps, sur avis écrit de trente (30) jours.

Le DME Mobile n’est pas prévu ni conçu pour être utilisé, directement ni indirectement, comme un instrument médical. Le DME Mobile vous est offert afin de vous permettre d’accéder à une partie du contenu de la Solution. Vous devez utiliser un ordinateur de bureau ou un ordinateur portable pour accéder à la Solution lorsque les circonstances exigent que vous consultiez la partie de celle-ci qui n’est pas accessible par l’intermédiaire du DME Mobile, par exemple, lorsque vous devez récupérer des renseignements afin de recommander un traitement.

N’installez pas le DME Mobile sur un appareil que vous partagez avec un tiers, un collègue ou un membre de votre famille. Le DME Mobile vous demandera de vous authentifier de nouveau après une courte période d’inactivité. Vous êtes responsable de protéger la confidentialité de vos authentifiants en tout temps. Vous êtes responsable de signaler immédiatement toute perte ou tout vol d’appareil à l’administrateur de votre DME aux fins de désactivation immédiate.

Vous êtes responsable de respecter l’ensemble des lois et des règlements applicables à l’utilisation du DME Mobile, notamment les lois relatives à la confidentialité, aux renseignements médicaux et à la pratique de la médecine. Le DME Mobile vous permet de capturer des photos et de les charger dans la Solution. Avant de prendre des photos sur lesquelles il est possible d’identifier un patient, assurez-vous d’avoir obtenu le consentement de ce dernier.

Si vous éprouvez des difficultés ou avez besoin de renseignements relatifs à l’utilisation du DME Mobile ou au contrat applicable à la Solution, communiquez avec l’administrateur de votre clinique ou de votre DME. L’accès au DME Mobile et son

Page 25

utilisation sont offerts « tels quels », sans garantie, ni soutien, ni déclaration supplémentaires de quelque type que ce soit. TELUS ne pourra en aucun cas être tenue responsable de dommages directs, indirects, consécutifs, punitifs ou exemplaires en relation avec le DME Mobile. Nonobstant ce qui précède, la responsabilité entière et cumulative de TELUS en relation avec le DME Mobile ne peut dépasser un montant de 1000 $ CAN. Les obligations de TELUS relatives au soutien qu’elle apporte pour le reste de la Solution ne s’étendent pas aux appareils (par exemple, les tablettes ou les téléphones) utilisés pour accéder au DME Mobile, même si de tels appareils ont été vendus par TELUS ou une de ses sociétés affiliées. L’ensemble des niveaux de service et des pénalités applicables au reste de la Solution, le cas échéant, ne s’appliquent pas au DME Mobile.

Même si vous avez téléchargé le DME Mobile sur la boutique App Store d’Apple, vous comprenez et acceptez le fait qu’Apple ne constitue pas une partie aux présentes et n’a aucune responsabilité en vertu des présentes ni à l’égard du DME Mobile. Dans la mesure applicable, Apple peut être un tiers bénéficiaire des conditions précitées.