GLOSSARY OF PRIVACY TERMS
 

Access

The process of obtaining personal health information from a health organization by a client, his or her legally authorized representative, or a user.

Access control

The management of who can obtain what information, and what they can do with it.

Anonymization

The process of removing identifiers from personal health information so that specific individuals are not known.

Application Service Provider (ASP)

A company that offers health organizations access over the internet to application and related services that would otherwise have to be located in the organization's computers.

Asset

An item or object that has value to a health organization. For example, personal health information is a valuable information asset to health organizations.

Audit

An independent examination of information systems and processes to detect unauthorized activities.

Audit Log

A chronological listing of access to information resources. Items that are typically logged include user ID, time of access, resources that were accessed, device used to access the information and modifications that were made.

Audit mechanisms

The tools used to record in chronological order users who have accessed, modified, distributed, and deleted personal health information.

Authentication

The process for verifying the identity of an individual user.

Authentication devices

The tools used to authenticate an individual user. People can be identified by the use of something they know, such as a password; something they have, such as a photo identification card; or something they are, such as a biometric identifier.

Breach

An action by an authorized or unauthorized user which results in a negative impact or which causes interruption, disclosure, unauthorized access, modification, destruction or denial of service. An information security breach is sometimes referred to as an information security incident.

Change management processes

The processes that ensure the secure control of all changes to equipment and software. These are sometimes referred to as change control processes.

Code of conduct/Code of ethics

A documented set of rules outlining appropriate behaviors for the members of a health organization or professional group. Codes of conduct are often based on a code of ethics - ethical principles outlining rules for appropriate behaviors.

Compliance

Meeting requirements as set out in relevant laws, regulations, standards, ethical principles, codes of conduct, contractual agreements, or policies and procedures.

Confidentiality

Ensures that information is accessible only to those authorized to have access.

Consent

Permission from a client or his or her legally authorized representative to collect, use or disclose his or her own personal health information. Consent can be express, where a client specifically agrees to some action, or implied, where consent is implicit in some action such as the delivery of client care.

Disclosure

The release of personal health information to a third party for specific and defined purposes.

Educational awareness program

A comprehensive corporate program designed to foster a security-conscious organizational culture. Such a culture is important to health organizations because it supports diverse goals in information protection. Goals can be broad - for example, legislative compliance - or more specific, such as increasing the frequency of secure behaviors associated with e-mail.

Encryption

The process of mathematically converting information to render it unintelligible without a key to decode it.

Firewall

A set of related programs, located at a network gateway server, which protects the resources of a private network from users from other networks.

Hacker

An individual characterized as a "computer expert" who has expertise in programming and information systems. In the popular media, a hacker is a person who uses his or her expertise to collect, access, use or disclose information inappropriately.

Information protection

A broad term used to discuss the privacy, confidentiality, and security of personal health information in the Guidelines.

Integrity

Safeguarding the accuracy and completeness of information and processing methods.

Personal health information

Any information in any form - electronic, written, verbal, etc. - about an identifiable person. This includes information that is specifically health related, such as a person's medical condition or prescription medications, as well as information which is not always considered directly related to a person's health, such as his or her name, address, telephone number, or health insurance number. It also includes genetic information and blood tissue samples.

Health Records Professionals

Health Record Professionals are individuals who are qualified in the field of working with data in health records and who manage health information services in health facilities. Health Record Administrators and Health Record Technicians have completed post-secondary studies as per a curriculum certified by the Canadian Health Records Association (CHRA) and have a professional obligation to safeguard patient privacy and confidentiality at all times.

Privacy

The right of an individual to control who has access to his or her personal health information and under what circumstances. This is known as the right of information self-determination.

Privacy Officer

The individual in an organization whose role is to assist management in providing leadership for protecting the privacy, confidentiality, and security of personal health information through specialist skills and advice. The Privacy Officer should report directly to the Chief Executive Officer, President, or the Chief Operating Officer.

Read-only

A level of access to information that only allows the user to review information. The user with read-only access is unable to make modifications to information or to delete or transmit information.

Remote access

The ability to access a computer or a network from a remote location. In health organizations, outsourced service providers, people at branch offices, telecommuters, and people who are traveling may need access to the organization's network.

Retention

The process of holding data or information in a secure or intact manner usually for a defined period of time after which it may be permanently discarded.

Risk Management

The department or individual (e.g. Risk Manager) whose role is to minimize the risks associated with poor information protection. Risks can result in significant damage to an organization's reputation, a loss of client trust in the ability of the organization to protect personal health information, fines, liability, and investigations by the Privacy Commissioner.

Secure behaviors

The behaviors exhibited by users of a health organization to support a security-conscious organizational culture. Examples of secure behaviors include wearing photo identification badges at all times, reporting security breaches or incidents promptly to the Privacy Officer, and participating in regular educational awareness programs.

Security

Information security is characterized as the preservation of the confidentiality, integrity, and availability of personal health information. Information security is achieved by implementing policies and procedures based on relevant legislation, standards and ethical principles, careful planning, design, implementation and maintenance of appropriate technology solutions, and managing ongoing operations related to the collection, classification, access and disclosure of personal health information.

Service level agreement (SLA)

A contract between a service provider and the service recipient that specifies, in measurable terms, what services are provided and at what level.

Third party

Any individual or organization that is not the client, the original collector of information, or the health organization where a client is directly seeking information and/or services.

Threat Risk Assessment (TRA)

A tool used to identify information assets, threats to those assets and possible security safeguards. A TRA has three major components - a Threat Analysis, a Risk Analysis, and an Assessment of Safeguards.

Virtual private network (VPN)

A network having a combination of security layers and security procedures that facilitate the secure transmission of information over public telecommunications systems. Privacy of information transmission is enhanced because a VPN encrypts information before it is sent into the public network and then decrypts it at the receiving end.

© 2008 SALUMATICS, All rights reserved