eHealth Services Privacy and Security

Privacy is the fundamental right of individuals to control the flow of their personal health information, including collection, use and disclosure. Security provides the tools to protect privacy.

Saskatchewan residents expect their personal health information to be protected. Individuals want the right to control who has access to their medical records and under what circumstances.

eHealth Saskatchewan sets the highest standards in privacy protection and security of personal health information and ensures that privacy and security provisions are integrated into all health initiatives. The provincial Chief Information Officer (CIO) Forum's Security and Privacy Sub-committees collaborate with other stakeholders to establish provincial standards to protect personal privacy and ensure security uniformly across the health system. These privacy protection and security safeguards protect Saskatchewan residents' personal health information and at the same time allow authorized health care service providers to access the information required to provide patient care in a timely and efficient manner.

Privacy Protection

eHealth Saskatchewan incorporates privacy protection into all aspects of its operations. Contracts and agreements with Saskatchewan health care organizations and service providers stipulate privacy protection as a top priority. Project teams utilize the expertise of trained privacy professionals and tools such as privacy impact assessments (PIA). PIAs provide analysis of how personal health information is managed to conform to applicable privacy legislation, regulations, policies, procedures and best practices. The PIA process ensures strict attention is paid in the design of all projects and services to protect the confidentiality and integrity of data from accidental or deliberate threats.
Accountability for privacy is incorporated to ensure every program and project complies with legislation including The Health Information Protection Act (HIPA) and The Freedom of Information and Protection of Privacy Act (FOIP). A PIA identifies risks and vulnerabilities associated with collection, modification, disclosure, storage, retention and disposal of personal health information; evaluates existing privacy protection; and identifies alternative processes to mitigate potential privacy risks.

Authorization and authentication procedures ensure that only health professionals with a "need to know" have access to personal health information. Audit features target, track and report unauthorized access to personal health information, giving an extra measure of privacy protection.

A Privacy Working Group is in place and includes privacy officers in the health regions. This working group has developed a number of policies and training materials, which the health regions use to implement privacy-enhancing practices with health care providers.

Security Safeguards

Protection of personal health information requires the highest level of security, which is maintained in all initiatives through a comprehensive Security Architecture, enhanced with policies, procedures and audit practices.

The development of an internal security assessment process known as an Application Verification Toolkit (AVERT) ensures all new applications have been assessed for risk and security vulnerabilities. The AVERT process verifies that the security controls on personal health information continue to be effective and extensive. The AVERT process will continue to be enhanced to meet security industry demands and an ever-changing environment.

Security policies are currently being reviewed in compliance with the internationally accepted industry standard ISO 17799. Security maturity self-assessments are also being developed to assist the health sector in setting goals and objectives. Self-assessments are used to understand the current state, identify the target end state and then establish measurable steps to guide progress.

Related Links
The Treasury Board Crown Corporation supporting key health information systems for the health sector.
The official FOIP Act.
Government's commitment to protecting the privacy of health information.