IAR Privacy Self Assessment 2023 |
Organization Identification
As defined in the Data Sharing Agreement, each participant shall conduct a privacy and security self-assessment on an annual basis. The results of the self-assessment must be acknowledged by the participating HSP’s senior management and submitted to the Privacy and Security Committee for review.
For your convenience, we have created an electronic version. Each question should be answered “Yes” or “No”. If the answer is “No” the organization should provide an explanation in the corresponding comment box. A “No” answer to a question indicates a gap or deficiency that the organization should address in order to meet the requirements of the IAR Data Sharing Agreements.
· The “Comment” Field should provide a high level description of the identified deficiency.
· The organization should develop a plan, or work with CCIM to develop a plan, to address the identified deficiency.
Organizations are accountable for resolving (or mitigating) identified deficiencies. As deficiencies are resolved the organizations IAR privacy officer should update the self-assessment form and forward to the HINP Privacy Office.
Note: PHIPA requirements apply to your organization as a HIC, not just to the IAR. If your organization has policies in procedures in place to meet PHIPA, it is expected to be the case that these policies and procedures would apply to IAR information at your organization and therefore you would NOT have to treat IAR data any differently. Please bear this in mind when completing the questionnaire below. (i.e. your organization policies and procedures may well be sufficient to answer “Yes” to many of the questions below if you are in compliance with PHIPA.)
For your convenience, we have created an electronic version. Each question should be answered “Yes” or “No”. If the answer is “No” the organization should provide an explanation in the corresponding comment box. A “No” answer to a question indicates a gap or deficiency that the organization should address in order to meet the requirements of the IAR Data Sharing Agreements.
· The “Comment” Field should provide a high level description of the identified deficiency.
· The organization should develop a plan, or work with CCIM to develop a plan, to address the identified deficiency.
Organizations are accountable for resolving (or mitigating) identified deficiencies. As deficiencies are resolved the organizations IAR privacy officer should update the self-assessment form and forward to the HINP Privacy Office.
Note: PHIPA requirements apply to your organization as a HIC, not just to the IAR. If your organization has policies in procedures in place to meet PHIPA, it is expected to be the case that these policies and procedures would apply to IAR information at your organization and therefore you would NOT have to treat IAR data any differently. Please bear this in mind when completing the questionnaire below. (i.e. your organization policies and procedures may well be sufficient to answer “Yes” to many of the questions below if you are in compliance with PHIPA.)
Please view section 2.1 of the hard copy sent to you by email for examples.