FNHSO Privacy and Security Framework Forum June 16, 2015 BC First Nations Panorama Support

Agenda  Roll-call  Panorama Inactive User Report Support Process  Checkpoint on state of Health Centre P&S Policy and Procedures  Roundtable discussion on support models for FNHSO P&S requirements  FNHSO Clinical and Business Oversight Forum FNSHO P&S Framework Forum

Roll Call  Kwakiutl District Council Health Services  Seabird Island Band's Health Services Department  Three Corners Health Services Society  Tla’amin Community Health Services  Westbank First Nation Health and Wellness  Saulteau First Nation Health Services  Nuu-chah-nulth Tribal Council – Community and Human Services  Okanagan Indian Band Health Services  Cowichan Tribes - Ts’ewulhtun Health Services  Scw’exmx Community Health Service Society FNSHO P&S Framework Forum

New FNHSO support function: Monitoring inactive users Context The British Columbia eHealth Professional and Software Conformance Standards - Volume 7: Information Privacy states that any user account that has not initiated activity in Panorama within the preceding five (5) months must be inactivated. A user account is considered active if it has generated one or more records in the Panorama Access Audit log. The AA004-User Activity Report has been provided to support Solution Partners in identifying their organization’s user accounts that are not being actively used. This report looks at activity in the audit log for all of the organizations assigned to the user account and considers the user account active if an audit record was created that is associated with any of the organizations. The user does not have to generate an audit record in each of the organizations assigned to their user account. Some staff may have a user account but have legitimate reasons for not using Panorama on a regular basis. For example, a nurse educator does not have to use Panorama under their own user account to provide support to staff. In this situation it is not appropriate to inactivate their user account but they should be advised to generate an audit record. FNSHO P&S Framework Forum

New FNHSO support function: Monitoring inactive users Generating an Audit Log Record To generate an audit log record, the user must actively touch a client record or generate a report. To avoid potential privacy issues by accessing a client with no clinical reason to do so, the user must, at a minimum, complete the steps identified below. It is not sufficient to just log on and then log off as these actions are not currently captured in the audit log (Note: In Release 3.0 a change will be made so that the audit log will capture the log on and log off. This bulletin will be retired when that change has migrated to production).  Log on;  Select an aggregate report (e.g. Imm008-Immunization Count by Provider);  Enter the mandatory report filters;  Select the “Generate Report” button;  Terminate the report. An audit log entry will be made whether or not the report completes execution; and  Log off. FNSHO P&S Framework Forum

New FNHSO support function: Monitoring inactive users Identifying Inactive User Accounts To identify user accounts that are candidates for making inactive, execute AA004-User Activity Report. Because it is a mandatory requirement to inactivate the user account, the inactivation does not require approval from the user’s manager. Should the user return to work (from a short leave, maternity leave, job exchange, etc.), she/he would not be able to login. The normal process is for that user to contact their manager who would request user account reactivation. If the user has not been on a leave and has simply not been using their account, the manager would become aware of the situation and could take any necessary corrective steps. Tip: To provide a warning to users who are candidates for inactivation, execute the User Activity Report and notify all users who have not been active in the preceding four months (120 days) that their user account will be inactivated in 30 days. Distribute the same report to all managers so that managers have the opportunity to address access issues with any of their staff identified on the report. Tip: Managers should be reminded when reviewing AA004-User Activity Report to consider system proficiency and data quality for their staff that are maintaining an active user account. A user who has not accessed the system for a period of time may require additional training or support. FNSHO P&S Framework Forum

Checkpoint on Health Centre P&S Policies and Procedures  Group discussion… FNSHO P&S Framework Forum

Support models for FNHSO P&S requirements  Options discussion FNSHO P&S Framework Forum

Roundtable Review  Any changes to Panorama users (add/remove) ?  Questions or concerns?  Agenda items for next meeting? FNSHO P&S Framework Forum