Key Administrative Activities - EBUS.01
All points of service (POS) must have someone specifically designated to manage the following activities. These activities may be assigned to a single person or allocated to several individuals.
Initially and on an ongoing basis, the designate must coordinate and conduct privacy and security activities including but not limited to:
- training staff on privacy and security policies/procedures;
- reviewing business processes for compliance with rules as specified by the ministry;
- receiving and responding to privacy and security related notifications;
- answering privacy and security questions (e.g., from patients);
- responding to complaints, incidents, breaches, audits;
- updating office policies/procedures; and
- performing user access audits.
The designate must establish and redesign business processes as required for new functionality or when changes to the ministry interface are introduced.
Initially and on an ongoing basis, the designate must manage staff account access including:
- user enrolment and access management (e.g., new user set up).
A formal application is to be submitted for all users (practitioners and support staff) prior to them requiring access or requiring changes to privileges; and
- deactivation of inactive user accounts.
A request is to be submitted to the Ministry of Health (the ‘ministry’) when a user no longer requires access to ministry health information exchange (HIE) services (e.g., extended leave, termination, change of job function).
Every user who accesses a ministry system must first sign a legal agreement acknowledging their obligations. Contact the ministry at HLTH.HnetConnection@gov.bc.ca to assist with user enrolment and account changes.
The designate must ensure all POS staff receives the required training on ministry system interfaces, and read and sign the Acceptable Use Policy for Non-Production Environments.
The designate must provide technical support for their POS application, which includes:
- receiving and reviewing release notes from their software provider;
- receiving and communicating system messages from the software provider (e.g., outages); and
- working with the software provider to ensure the Business Continuity Plan is in place for the point of service.