The Health Information Act (HIA)
The Health Information Act is the Northwest Territories’ privacy law relating to health records. The HIA has two purposes:
- To make rules about the collection, use, disclosure, and security of personal health information that protect the privacy of the people the information is about
- To facilitate the provision of health services
An official guide to the HIA can be found here
Owl and HIA
Custodians have a number of responsibilities under the HIA, and here we’ve listed some of the ways Owl helps you meet these expected duties and responsibilities. Under the HIA, safeguards developed and implemented by custodians must specifically include:
- The use of authentication and encryption to protect personal health information stored electronically: At Owl, we use bank-level encryption (SSL) to encrypt all data that moves between our secure and dedicated servers and the device and browser on which a clinician accesses their Owl Practice account. This encryption is done using SHA256 with RSA. We continuously test our systems to ensure all of our encryption layers have the most up-to-date patches for any vulnerabilities that surface over time (example: Heartbleed/CVE-2014-0160).
- Measures to protect hardware and software from unauthorized access and use: All users of Owl are required to have a unique user login and password. Practice owners have the option to receive a notification when failed login attempts are made, so you can follow up with the user if needed or identify unauthorized attempts to access the account.
- A requirement that personal health information be maintained in a designated area subject to appropriate security safeguards: All Owl servers are stored in racks which have lock and key access, and the rooms themselves can only be accessed via a keycard. All data centers have 24/7 video surveillance. Our servers are located in Toronto and Montreal, so you can be assured your client's practice data is securely stored in Canada.
- A requirement that access to personal health information be monitored on an ongoing basis for the purpose of ensuring that only authorized access is occurring: We keep comprehensive internal logs of all of this information, so if a Practice Owner is ever concerned about a user’s activity on their account, they can reach out to us for information on what that user has been doing.
- Procedures that provide for the recording, reporting and investigation of security and privacy breaches: While we take significant and extensive measures to ensure a security breach could never occur, if one were to take place, we would of course notify our customers immediately so that you could fulfill your obligations under the HIA.
Other acts that may be potentially relevant to clinics in the Northwest Territories are:
The Information and Privacy Commissioner of the Northwest Territories can be reached through the contact details on this website