These questions and answers have been put together to help stakeholders understand the agreement.
Understanding the Agreement | |
Question | Answer |
---|---|
What is DATIS’ relationship with CAMH? | DATIS is a program within CAMH, fully funded by the Ministry of Health, to provide and host a comprehensive health information management system for the community-based treatment sector and to deliver aggregate reporting to the MOHLTC and LHINs. Because DATIS is a program and not a legal entity, the Agreement is with CAMH (the entity with the authority to enter into an agreement); therefore, all references to CAMH in the contract refer back to DATIS. |
What is the Participation Agreement and why are we being asked to sign it? | The Participation Agreement is the legal document that sets out the rights and responsibilities of each of the parties. Essentially, it puts in writing the relationship that already exists between your organization and CAMH and describes the services that CAMH has already been providing to you. The services that CAMH is providing to the participating agencies through DATIS involve the use of personal health information (PHI). It is a legal requirement under PHIPA for an agreement to be in place between any organizations (custodians of PHI) that use a service provider (CAMH) to handle their PHI. |
Why is there a need to sign a formal agreement now? Has something changed? | The legislative landscape has changed since DATIS’ services were established; this agreement therefore ensures that both parties (CAMH and your organization) are fulfilling their obligations as required under PHIPA and mitigating any risk. As a health information custodian (HIC), your organization has certain obligations as to how you ensure that you are protecting the PHI of your clients. This Agreement gives you assurance that any PHI submitted to DATIS is submitted securely and in accordance with PHIPA. |
Are there any past agreements that have been signed with CAMH-DATIS? | Yes, many of you signed the participation agreement 1.0 version. For those of you who had not yet signed 1.0, this would be the first signed agreement. |
Do I need this reviewed by our company lawyer/privacy department? | This is the decision of each individual organization. |
Why do I need to have liability insurance? | Insurance provides financial protection in the event of a claim for damages or loss that is determined to be caused by your organization or someone for whom your organization is responsible. Your organization is responsible for maintaining the privacy and confidentiality of your clients’ PHI (as set out in PHIPA). If PHI of one or more clients is accessed or disclosed in breach of PHIPA, the individual(s) may have a claim against your organization. If that breach is caused by something CAMH did (negligence or failure to secure the information properly), then this would be CAMH’s responsibility. Often if people sue, they sue all the potential parties – so if there were to be an unauthorized disclosure of PHI that is stored in DATIS that results in a claim, it may be that both CAMH and your organization would be sued. If the cause of the breach was on CAMH’s end, then your organization would want to be indemnified by CAMH. Likewise, if the cause of the breach was on your organization’s end, CAMH would want to be indemnified. Insurance provides the assurance that there are adequate finances to cover off such a situation. Most organizations have general liability insurance to cover off any claims by third parties that the organization should be responsible for (i.e., their own actions or negligence). |
Has my LHIN been made aware of this Agreement? | Yes, a briefing note has been sent to all MH&A Leads and an update with the changes to 2.0 has been sent. |
Does a staff member who uses a third party electronic medical record with an Interface to DATIS qualify as a DATIS user? | For agencies that use a third party vendor, if your staff has any access to the DATIS system (Catalyst) such as read only or accessing the GAIN Q3, then those individuals must sign the Authorized User Terms of Use Agreement (Schedule D). |
What are the financial costs of signing the DATIS Participating Agreement? | The Participating Agreement does not place any additional requirements on participants other than what they are already required to do to comply with PHIPA as HICs. Therefore, there should be no new financial costs resulting from signing the DATIS Participation Agreement. |
DATIS and User Impact | |
What are the changes to services being provided by DATIS? | There are no changes to the services being provided. The Agreement simply puts into writing all the uses and disclosures of the data submitted to DATIS and ensures that both parties understand their obligations with respect to maintaining the privacy and security of the data, and clearly sets out the way your organization authorizes CAMH to use the data. |
Does this change the way we do business with DATIS? | No, this formalizes the business relationship already in place. |
Are users affected in any way? | It does not impact your day-to-day work. However, as set out in Section 4.5 of the Agreement, to ensure that all your users understand their obligations, all users of the DATIS system will have to sign a user agreement (form attached as Schedule D of the Agreement). You do not need to return this form to CAMH, but you do need to ensure that it is signed by all users at your organization and you must keep a copy of all signed user agreements. |
What happens when staff leave and new staff are hired? | Each organization has a Catalyst System Administrator (CSA) and the CSA is responsible for monitoring all active staff accounts. If a person leaves, the CSA should inactivate that individual’s account. For each new user, the CSA should create an account and then have them sign the Authorized User Agreement (Schedule D). |
Attestation Letter | |
What is the attestation document that is referenced in the Agreement? | The attestation will be a short document that each organization will be asked to submit to CAMH on an annual basis stating that the organization is in compliance with its obligations under PHIPA or, where it is not, that there are steps in place with a goal of working toward compliance. This type of document is common in shared systems, and gives all participating organizations comfort that proper privacy protections are in place. |
Will I lose access to the DATIS system if we are not compliant? | No, you will not lose access to the DATIS system for noncompliance. The obligations under PHIPA apply to all organizations as HICs, but CAMH is not ‘policing’ this. It is acknowledged that organizations may be at different stages with respect to privacy and that there are some areas where you may need to continue working towards compliance. |
Who has access to the completed attestations? | DATIS Management will confirm that attestations are submitted. Results will not be shared with other agencies, the LHIN, the MoHLTC or made public. |
When do I sign the attestation letter? | DATIS will send the attestation letter out annually, at the beginning of the calendar year. |
Agreement Documents | |
What information do I need to read that is relevant to my agency? | It is the organization’s responsibility to read the full Agreement and all attached schedules. We have also provided briefing notes (the original one and the one describing the changes in version 2.0) and these FAQs to help address any questions. |
Does the signed Agreement last forever or do I have to renew yearly? | The Agreement does not have a set term and will continue until terminated by the parties (or if your organization ceases to operate). If there is a change to the services or to the obligations set out in the Agreement, an amending agreement or a new agreement will need to be signed. |
What if I want to amend/change/take out a few clauses in the Agreement? | Given that CAMH provides the DATIS services to over 200 organizations, we are asking all organizations to sign the same form of agreement, as it is not feasible to negotiate on a case-by-case basis. Any amendments to the Agreement will be applicable to all organizations. |
What information do I need to fill in before returning? | On page 1, add the legal name under the word “AND” to indicate who the Agreement is with. On page 11, fill in 14.1 b) and c). On page 12, complete the contact information. |
Where do I sign the documents? | On page 14, insert your corporate name on the line above the signatures, beside CAMH, and sign the document (the signatory being the person outlined in FAQ 22). |
Who signs the Agreement? | The person in your organization that has authority to bind your organization to a contract. |
What if my organization has more than one database under our legal entity (i.e., 12345 and 12345A), do I need to sign more than one agreement? | There is only one Participating Agreement (PA) per legal entity. Therefore, if all the databases are under the same legal entity, just sign and return one PA. |
Is Schedule D – Authorized User Terms of Use Agreement available in French? | Yes, Schedule D has been translated and can be sent to you, via a request made to privacy@datis.ca. |
What does Section 14 of the agreement refer to? | Section 14 refers to dispute resolution. If, for some reason, there was a dispute under this agreement, Section 14 outlines how the dispute would be addressed. |
The Data | |
Who owns and controls the data? | Your clients own their information (PHI). Your organization is the custodian of the PHI. De-identified information derived from any PHI is governed by FIPPA. CAMH is the organization that has custody and/or control of this de-identified information. |
What does CAMH do with the data submitted to DATIS? | DATIS facilitates the submission of PHI from your organization to a central data repository maintained by CAMH for use by your organization for your own purposes and to facilitate referral services between participating organizations, as well as for certain other purposes, including, among other things, providing reports to the MOHLTC and/or LHIN and other health system stakeholders to be used for system and resource planning within the community addictions treatment sector. A full description of the various purposes for which CAMH uses the data is set out in Schedule B of the Agreement and also described in the Plain Language Description (included in the package of documents you received). |
What is the CAMH policy on deleting/destroying data? | It is each organization’s responsibility to delete the PHI, via the DATIS system, as per their retention schedules. |
What type of audits will DATIS perform on our data? | Every activity done by CAMH staff and any external user of the DATIS system is logged in detail, so we can identify every action done by whom, when and with what data. |
What happens if there is a breach of security or unauthorized use of the data? | There is a set procedure that governs the process to be followed when a breach occurs (the Service Provider Incident Management Procedure). This procedure and all relevant privacy policies are available upon request. |
I understand that aggregate data is/has been submitted to LHINs and MOHLTC - has there been any challenge to the de-identification policy/standard? | No, there has not been a challenge to the aggregate data that is submitted to the LHINs and MOHLTC. |
Next Steps | |
Who do we contact to submit questions? | Submit a question to the original email you received from privacy@datis.ca and your question will be directed to the appropriate person at CAMH to answer it. |
When do I need to have the Agreement signed and returned by? | Add the date, the legal name, and the required signature(s) by Friday, November 30th, 2018 at 5pm. Scan the document and return to privacy@datis.ca. Upon completion of our project, we will open a Helpdesk issue ticket to record that your organization has returned the Participating Agreement. |
Where will a copy of the Agreement be kept? | CAMH will store the Agreement in a secure electronic location, but your organization should keep a copy of the signed Agreement for your own records. |
Participating Agreement 2.0 Version | |
We already signed the Agreement, why are we being asked to sign another one? | CAMH has made some changes to the agreement based on feedback received from some of the Participating Agencies. These changes are beneficial to the Participating Agencies and are being extended to all parties, whether they have signed or not. In addition, given that there are over 200 agencies who will be signing, it is appropriate that all participating agencies sign the same version of the agreement. |
What has changed in this new version of the Agreement? | The briefing note circulated with the agreement set out all of the changes. |