Privacy Statement
At Medgate Inc. (“Medgate”), your privacy is important to us. We comply with Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA), the new privacy law, which applies to us beginning January 1, 2004, as well as applicable provincial privacy laws and the United States' Health Insurance Portability and Accountability Act (HIPAA), as promulgated by the US Department of Health and Human Services (HHS).

Medgate is committed to providing ongoing regulatory compliance that meets federal, provincial and US law. To that end, Medgate provides robust security, audit trail capabilities, and record storage features that will meet the requirements set forth by PIPEDA and HIPAA. At Medgate, we will continue to monitor HHS actions relating to current and proposed HIPAA standards and changes made to federal and provincial laws to ensure that Medgate remains fully compliant with US and Canadian legislation.

HIPAA does not apply to employment-related medical records or to occupational health medical providers who do not conduct standard HIPAA transactions as promulgated in the December 28, 2000 and August 15, 2002 Federal Register. Under OSHA standard 29 CFR 1910.1020, employees have the right of access to their employment-related medical record, and this may be accomplished by providing a printed (hard) copy to the employee upon their request (in Medgate, a copy can be printed of any component or the entire medical record).

Medgate also complies with the European Commission’s Directive on Data Protection. Under the Directive, the personal data of European Union citizens cannot be transferred to non-EU nations unless such recipient nations are deemed to meet the European “adequacy” standards for privacy protection. Canada has been prescribed as a country meeting the EU “adequacy” standards. As a Canadian company, Medgate is able to receive EU personal data under the provisions of the Directive.

Medgate’s hosted software solution runs at SunGard Data Center, a highly secure Tier 3, SAS 70 facility serving 25,000 customers in 50 countries, including the world’s 50 largest financial services companies. SunGard is certified under the Safe Harbor framework established by the U.S. Department of Commerce in consultation with the European Commission. As such, SunGard self-certifies annually its adherence to Safe Harbor principles, including notice, choice, access, data integrity, and enforcement, and is a qualified recipient of EU personal data.
How our software protects your information
Medgate's software controls security through a database userid/password that controls access to individual modules and/or tables. Security is administered by assigning users to groups, and then granting privileges to those groups. The privileges that may be granted are the standard database rights of Read, Insert, Update and Delete. Although security is effectively handled by the back-end database, the software provides an administration tool for this purpose as part of the front-end application.

Medgate's product has an additional (row-level) site security layer, where users can be restricted to reading and/or updating records for their own location. This feature is configurable through an administrator function built into the front-end. It uses the 5 demographic fields (geographic location, department, division, location and organization) to restrict access to particular locations.

Every record in the application includes audit fields that record the user ID of the individual who created the record and of the individual who last updated it, each with a date/time stamp. Since each user is given their own unique userid/password combination, this becomes the electronic signature for each record.

Medical notes have a lockout feature that preserves the integrity of this information while still allowing corrections to be made. Notes can be edited for a set period of time (such as 24 hours), after which they are locked down and cannot be modified. The lockout period is also configurable through an administration feature.
Personal Information
Medgate will not use or disclose any information it may come into contact with during its business dealings with clients. Personal information that is collected, such as e-mail or telephone numbers, is used solely for the purposes of providing Medgate services and products to you, such as the purchase or upgrade of our software. This also applies to data on our clients' servers or Medgate's servers (under Application Service Provider contracts) that is accessed by Medgate technical staff either onsite or online for the purposes of support, data conversion, testing and training. We may also retain information related specifically to the provision of technical support.