EAPOC (Evidence at the Point-of-Care) leverages patient-entered data to provide healthcare
providers with evidence-based clinical decision support for chronic diseases, instantly and at
the point of care, to help improve patient care. The Electronic Asthma Management System (eAMS)
is a decision support tool offered by EAPOC.
EAPOC’s Platform was built with privacy by design, with data security and privacy engineered
from the ground up to ensure adherence to privacy legislation in Canada, using encryption in
transit and at rest.
The Personal Health Information Protection Act (PHIPA) in Ontario sets out rules for the
collection, use and disclosure of personal health information. The law applies to health
information custodians and to organizations who provide services to them. The legislation works
to balance individuals' right to privacy with the legitimate needs of persons and organizations
providing health care services. As EAPOC will be collecting, processing and disclosing personal
health data between healthcare providers and patients, we adhere to PHIPA.
In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA)
applies except where substantially similar legislation exists at the provincial level. The
purpose of PIPEDA is to “govern the collection, use and disclosure of personal information in a
manner that recognizes the right of privacy of individuals with respect to their personal
information and the need of organizations to collect, use or disclose personal information for
purposes that a reasonable person would consider appropriate in the circumstances”. EAPOC is
defined as an “organization” under PIPEDA, and is subject to all of the obligations that role
carries. EAPOC is committed to protecting and respecting the personal information of its users,
in accordance with PIPEDA. The following demonstrates EAPOC’s compliance with the 10 Fair
Information Principles, which come from the Canadian Standards Association (CSA) Model Code for
the Protection of Personal Information (set out in Schedule 1 of PIPEDA).
An organization is responsible for personal information under its control and shall designate an
individual or individuals who are accountable for the organization's compliance with the
following principles.
EAPOC has appointed a Privacy Officer who is responsible for EAPOC’s compliance with
privacy principles.
EAPOC has completed a Privacy Impact Assessment (PIA) to demonstrate evidence of
existing safeguards and highlight remaining needs.
Privacy training has been provided to all EAPOC staff, to ensure awareness of PHIPA and
PIPEDA.
The purposes for which personal information is collected shall be identified by the
organization at or before the time the information is collected.
EAPOC uses the personal information collected to augment and improve patient health.
All purposes for which personal information is collected, used and/or disclosed are described
in the Privacy Notice, available prior to the collection of information from Patient and
Healthcare Provider Users.
The knowledge and consent of the individual are required for the collection, use, or
disclosure of personal information, except when inappropriate.
All purposes for which personal information is collected, used and/or disclosed are
described in the Privacy Notice, available prior to the collection of information from
Patient and Healthcare Provider Users.
When Users register for the eAMS, they must review and accept EAPOC’s Terms of Use and
End User License Agreement (EULA) before using the eAMS.
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. The information shall be collected by fair and
lawful means.
EAPOC has completed a data inventory, where all opportunities for data minimization have
been considered and implemented.
EAPOC limits collection of data to what is minimally required to operate and understand
usage of the system. PHI is stored only when required. The information will only be used
for the purposes described in the Privacy Notice.
Personal information shall not be used or disclosed for purposes other than those for which
it was collected, except with the consent of the individual or as required by law. Personal
information shall be retained only as long as necessary for the fulfillment of those purposes.
EAPOC collects data only for the purposes outlined in the Privacy Notice.
EAPOC has developed agreements with service providers that limit their use of the data.
EAPOC has developed a Data Retention Policy to establish data retention limits and
describe how data that is no longer required can be safely destroyed/deleted.
Personal information shall be as accurate, complete and up-to-date as is necessary for the
purposes for which it is to be used.
Patients self-enter their information in the eAMS, and accuracy at this stage is presumed.
EAPOC has built in validations in the eAMS to improve the accuracy of submitted information.
Patients can self-correct or change information directly through the Profile page in their
WebApp/Mobile App. Patients can also contact EAPOC to request corrections to their eAMS
Account Profile.
Patients can also directly contact their Healthcare Provider to update or correct any inaccurate
information they entered in the eAMS, so that it can be updated.
Personal information shall be protected by security safeguards appropriate to the sensitivity
of the information.
EAPOC implements a number of administrative, technical and physical safeguards to
protect personal information.
Any content sent to the provider interface uses Basic Authentication (requiring a unique
username and password) and HTTPS secure communication, and is encrypted (decryption requires
a key that is unique and private to each clinical site).
In electronic medical record (EMR)-integrated workflows, the eAMS uses Basic Authentication
(requiring a unique username and password) and HTTPS secure communication when connecting to
the EMR. The embedded URL that the eAMS provides for access to decision support uses HTTPS
secure communication and has a time-limited expiry. Patient identity is validated both by
matching the provider credentials (username and password) against the provider the patient
selected, and by a unique hash.
An organization shall make readily available to individuals specific information about its
policies and practices relating to the management of personal information.
WebApp/Mobile Apps (for Patients) and Decision Support (for Healthcare Providers) are
designed so individuals can read the Privacy Notice and understand practices prior to
submitting personal health information.
EAPOC’s Privacy Impact Assessment (PIA) can be provided to sites upon request.
EAPOC’s Security/Technical Design Information can be provided to sites upon request,
after signing a non-disclosure/confidentiality agreement.
Upon request, an individual shall be informed of the existence, use, and disclosure of his or
her personal information and shall be given access to that information. An individual shall
be able to challenge the accuracy and completeness of the information and have it amended as
appropriate.
Patients have access to their information directly within the WebApp/Mobile Apps.
Patients can also directly contact their Healthcare Provider to request a copy of their
information, or request corrections if necessary.
Patients can self-correct or change information directly through the Profile page in
their WebApp/Mobile App. Patients can also contact EAPOC to request corrections to their
eAMS Account Profile.
Patients can also directly contact their Healthcare Provider to update or correct any
inaccurate information they entered in the eAMS, so that it can be updated.
An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organization's
compliance.
Individuals can contact EAPOC’s Privacy Officer at privacy@easthma.ca for any privacy
questions or to lodge a complaint. Complaints will be documented by EAPOC and addressed
according to internal policies.
EAPOC is committed to providing a timely response to privacy-related inquiries.