Care Provider Access Privacy Policy

Last Updated: April, 2013

Excelleris is committed to maintaining the confidentiality of the personal health information it is entrusted with and recognizes information privacy as a priority accountability.

This policy applies to access by health care providers and their delegated staff to the health care information in Excelleris’ custody, regardless of how the access is performed (i.e. Launchpad™ portal or physician office EMR). This policy is an extension of the Excelleris corporate Privacy Statement, which can be found at http://www.excelleris.com/corporate/privacy/.

Accountability

Excelleris is responsible for ensuring the health care information received from its customers is distributed only to the customer’s designated health care providers, accessible only by authorized health care providers and consumers, and securely stored while in its custody.

A Privacy Officer is accountable for ensuring Excelleris complies with privacy legislation and these policies. Excelleris also ensures all employees understand their responsibilities for confidentiality.

A health care provider with access to personal health information hosted by Excelleris is responsible for ensuring the confidentiality of the health care information. An authorized user is responsible for protecting their user-ID and password.

Where an authorized and regulated health care provider delegates access privileges under his or her name, that health care provider is accountable for all access by the delegate.

Collection and Use of User Personal Information

When registering for access to health care information, the following personal information about the health care provider or delegate is collected:

  • Name, address and phone number;
  • Where the applicant is a private practice physician or a college-regulated health care provider, the applicant’s Medical Service Plan (MSP) number; and
  • Where global access or PharmaNet access is requested, the applicant’s College of Physicians and Surgeons ID (CPSID).

A user’s personal information is necessary for ensuring accurate delivery of health care and to confirm an individual’s identity for user support functions such as password reset.

Access to Health Care Information

All access to health care information complies with applicable privacy legislation and PharmaNet regulations. Access will be granted only if necessary for the user to perform their duties – approved by physician or director – and the access will be restricted to the minimum personal information necessary to perform those duties. All users acknowledge Excelleris’ terms and conditions for access to health care information in its custody prior to access privilege approval.

Excelleris maintains a current record of all users and their permitted access privileges and a log of all access by users to health care information.

Health care providers, under legislated whistle-blower protection, report all suspected inappropriate access to their health authority’s Privacy Office, if applicable, or the Excelleris Privacy Officer.

Health Authority Global Access

A health authority location with global access to health care information does so under a Data Access Agreement, such agreement subject to approval by Excelleris’ Privacy Officer and Medical Officer.

A health authority routinely reviews all global access made by its employees to health care information in Excelleris’ custody. Suspected inappropriate access will be investigated and managed according to the health authority’s policies.

Global access users obtain an individual’s consent as set out by the Data Access Agreement. An electronic record is maintained by Excelleris of the consent entries for all access, including global access users. Health Authority locations should maintain a file of consent forms.

Each health authority location with global access privileges will appoint and make known to Excelleris a Site Administrator with responsibilities stated in the Data Access Agreement. A change in the Site Administrator will be made known to Excelleris.

Fax requests by global access users for support services are not permitted as a privacy precaution. Excelleris will not disclose patient results to global users if requested.

Use of Personal Information

A health care provider or delegate’s access to health care information hosted by Excelleris must be for the sole purpose of providing health care services.

Agreements & Responsibilities

All access to personal health information is subject to the terms and conditions of the following agreements, as applicable:

  • Physician/Director Confidentiality and Acceptable Use Agreement
  • Data Access Agreement for Health Authority Global Access
  • Health Care Provider Confidentiality and Acceptable Use Acknowledgement for Global Access
  • PharmaNet Agreement

Excelleris has the right to monitor compliance with agreements and terminate access at its discretion.

Security & Safeguards

Excelleris protects the personal information in its custody using current industry standard security practices to prevent loss, theft, unauthorized access, copying, or misuse. Each authorized user will be provided with and be responsible for a unique user-ID.

Excelleris accepts phone requests only for personal health information to ordering and copied physicians, as a measure to protect confidentiality.

We regularly review our privacy policies and practices and, from time to time, will update our Care Provider Access Privacy Policy. If we make changes, we will post the new version on this website.

For questions about this Privacy Policy, please contact the Excelleris Privacy Officer at privacyofficer@excelleris.com.