Blog

How We Do It: Data Privacy and Security

August 14, 2019

agewell3

When we talk to leaders in the fields of home care, residential care and long-term care, a common concern is that of data privacy and security. Not only do they want to offer reassurance that their clients’ health and personal information will be kept safe, but they are also legally bound to do so.

Healthcare providers are bound by the regulations of the Personal Health Information Protection Act (PHIPA in Canada) and the Health Insurance Portability and Accountability Act (HIPAA in the United States). As a “data processor” MemorySparx Connect enables our customers to meet these obligations with policies, processes, and systems that are built right into the product.

"My company’s mission is to pave the way on this.  Open, secure and easy-to-use communication and information access tools that can be used by everyone who cares for and about people is the only way forward." - CEO Mary Pat Hinton

To that end, Dr. Tricia Barfoot is our full-time Privacy Officer and Data Scientist. In collaboration with our product development team, Dr. Barfoot works diligently with regulatory bodies and legal counsel to validate our practices and ensure they are kept up to date. Encryption, consent, permissions and privacy are all intrinsic parts of our product, by design. We facilitate organizations to maintain the privacy and security of the individual wherever we can, sometimes even beyond regulations/obligations.

Here are some ways in which we ensure a secure implementation of MemorySparx Connect:

  • We satisfy the requirements to act as a Health Information Network Provider (HINP) in Ontario so that more than one Health Information Custodian can collaborate and share data on a person.
  • We always encrypt data, when it is transmitted over a public or private network and when it is stored. We use professionally-managed services to store data, located in multiple secure storage facilities for redundancy. We have well-tested backup and restoration procedures to enable recovery from a major disaster.
  • As part of our Data Retention Policy, when an organization is no longer using MemorySparx Connect, we will delete all of their data from our storage and backup systems.  
  • Our Internal Data Access Procedure and Acceptable Use and Conduct Policy ensure that Emmetros employees have restricted access to data based on their respective roles, and that no one in the company accesses the health content put into MemorySparx Connect.
  • Our Privacy Breach Management Procedure outlines our own internal process for responding to and minimizing the impact of a security vulnerability or breach. Should an unforeseen problem arise, we will notify affected customers and work to fix the root cause of the problem.

Our policies and practices are modeled after those such as Health Shared Services, which follows HINP for their Client Health and Related Information System (CHRIS). We invite you to contact privacy@emmetros.com if you have additional questions regarding information security or service availability.