Remote Care Management (TELUS): Description of Services

Ontario Health’s Remote Care Management (RCM) is a model of care enabled by technology to provide high quality evidence-based care and promote patient self-management. Ontario Health has engaged TELUS Health Solutions Inc. (TELUS) to provide the new RCM solution.  The TELUS RCM solution, branded as Home Health Monitoring (HHM), is a Software as a Service (SaaS) solution procured by TELUS.  TELUS hosts the service and supports the software and managed service.  RCM supports chronic disease management and preventive care, palliative care, surgical care and many other clinical pathways.  Up until fiscal year 2021/22, Ontario Health provided a provincial platform that supported RCM programs in Ontario, which had approximately 40 participating Member Organization sites with more than 12,000 unique patients enrolled in one of the 25 different clinical pathways available. It is expected that the new RCM solution will support the similar number of participating Member Organizations and patients with plans to continue to expand and scale significantly over the next several years.  

Ontario Health’s role is to foster and support the development of an effective and sustainable RCM program to support various regions within the province and the health authorities responsible for regional administration of public health care services in the province.  

The HHM solution offers patients:  

• Access to an application on a mobile tablet, over the web or on their own device that can be used from their home.  
• Use of an intuitive, step-by-step application based on pre-scheduled questions that patients can answer.   
• Seamless integration with electronic medical devices (such as blood pressure cuffs) that can capture health data and share with health care providers via the HHM solution.  Ability to communicate with their health care provider using instant chat, secure messaging and video conferencing.  
• Ability to communicate with their health care provider using secure messaging and video conferencing.
• Access to educational material uploaded by health care providers on their specific care needs.

The HHM solution offers health care providers: 

• Access to a centralized view of their patients allowing health care providers to tailor workflows, protocols and interventions, creating customized care plans according to a patient’s condition and status.  
• Easy analysis of results, empowering health care providers to adjust treatment based on best-practice guidelines and protocols.  
• Alerts and reminders to health care providers based on triggers set up for patients such as high blood pressure alert.  
• Sophisticated care coordination through monitoring of patient health data and suitable health coaching strategies.  
• Asset management, making it easy to manage devices including location and to whom they are assigned.

How the Technology Works

In late 2020, Ontario Health began a project (eVisit 4.9.1) to improve the workflow for scheduling Patient Access Network (PAN) sites, which host patients for e Visits. These hosting services are critical for patients who may experience barriers to their participation in Direct to Patient eVisits, including a lack of high-speed internet access or a requirement for nursing support during an eVisit. The eVisit 4.9.1 release is intended to streamline the process for booking events with PAN sites by introducing a new scheduling workflow for consultants and their schedulers on the OTNhub. The new workflow allows consultants and/or schedulers to search for and locate an appropriate PAN site (based on the patient’s location and any supports required), view the site’s availability and schedule a Hosted eVisit all in the same place, without having to navigate to other applications such as the Ncompass scheduling tool (also available on the OTNhub).

SAFEGUARDS

For information about Ontario Health safeguards, visit Safeguards for the Protection of Personal Information and Personal Health Information.

Ontario Health Administrative Safeguards

• Ontario Health has entered into a Master Agreement with TELUS that details privacy and security related requirements, obligations, roles and responsibilities. Ontario Health relies on such an agreement and the accompanying Statement of Work with TELUS to build, operate and define deliverables and accountabilities for the end-to-end privacy and security of the solution.
• A Privacy Impact Assessment (PIA) and Threat and Risk Assessment (TRA) have been conducted on the RCM Program and TELUS HHM Solution concurrently to identify, assess, and mitigate privacy and security risks. The RCM PIA and TRA should be considered companion documents in providing a comprehensive overview of safeguards.
• Ontario Health has a comprehensive set of information security and privacy policies which are regularly reviewed and enhanced. Ontario Health staff and contractors are required to read the relevant policies and sign an attestation that they have read, understood and are committed to comply with them.
• Employees receive mandatory privacy and security training upon hire and annually thereafter.
• All Ontario Health staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining or providing services to Ontario Health. We have a security screening policy that requires staff to have an appropriate level of clearance for the sensitivity of the information they may access.
• There are dedicated full-time Privacy and Security employees to lead the assurance and compliance efforts.
• Ontario Health has established procedures to address policy violations by employees.
• Ontario Health staff and contractors generally have no ability or permission to access PHI. If access to personal health information is required in the course of providing Ontario Health services, individuals are required to adhere to our policies and are prohibited from using or disclosing such information for any other purposes.
• Ontario Health has audit log that log every access, modification, or disclosure of PHI, together with the time and identity of the accessing user.
• Ontario Health routinely monitor audit logs for unauthorized access to PHI by staff.
• Ontario Health staff, consultants, suppliers and clients must promptly report any privacy and security breaches to us for investigation. An enterprise security and privacy incident management program is in place to ensure management of incidents and regular training and awareness for staff members involved in incident management.
• Ontario Health has established a formal risk management program, including an enterprise risk management policy and guidelines. A management forum, the security leadership group, provides strategic direction and governance oversight for the security program, including regular review of risks and the corresponding risk treatment plans.

Ontario Health Technical Safeguards

Ontario Health’s overall quality assurance process includes detailed security testing. This testing not only includes validation that components and services are operational, and that key security safeguards are implemented and operated to the necessary degree to minimize the organization’s exposures.

• Strong passwords, secure tokens, and other authentication solutions are required for access to sensitive information.
• Administrative access to all IT equipment and applications is provided on a need to know basis controlled via proper authorization and strong, multi-factor authentication. All system and application access activities are logged.
• Network traffic is monitored and managed using security mechanisms such as routers, switches, network firewalls, intrusion detection systems, and anti-virus programs.
• All sensitive data is encrypted in traffic between external sources and Ontario Health systems.
• All data stored on staff computers is encrypted. If laptops are lost or stolen, data confidentiality and integrity are not at risk.
• Data integrity controls are implemented as a quality assurance activity on the personal health information provided to us by health information custodians. Data integrity controls are also used to prevent the unauthorized modification and destruction of this data.
• Data and applications are backed up on a regular basis and can be easily restored in case of operational incidents.
• Comprehensive disaster recovery and business continuity plans were developed and are tested and are updated as needed on a regular basis.

Ontario Health Physical Safeguards

• Ontario Health data centres are purpose-built facilities, with appropriate environmental controls and physically secured against unauthorized access. They are staffed and monitored continuously by trained security personnel.
• Specific physical security zones are implemented to separate and control access to public zone, delivery and loading area, office space, and computer rooms, with increasing physical security controls.
• Access to office areas is controlled with access badges, and traffic in the office areas is recorded by security cameras.
• Access to office areas where business processes require access to PI or PHI is physically restricted to only the staff members whose role involves handling of PI or PHI. Other staff members do not have physical or logical access to those areas.
• Visitors and third-party vendors to Ontario Health require visitor badges and are escorted at all times by full time staff members.
• Decommissioned equipment that was used to process or store PI or PHI is securely disposed of, according to approved procedures.
• Procedures and appropriate equipment are in place for secure disposal of paper, CDs, or other media that may have sensitive information.

TELUS Administrative Safeguards

• All TELUS personnel, including contractors, must successfully complete privacy and security training when joining TELUS and on a periodic basis thereafter. Individuals with privileged permissions receive additional role-specific security training.
• TELUS information security controls follow risk-based industry standards to protect against real-world threats targeting PHI.
• Security controls are reviewed on an annual basis and updated as required to reflect the evolving threat climate.
• Change management practices are governed within detailed QMS release controls, including quality assurance practices.
• TELUS Cloud Health Solutions maintains SOC2 certification
• TELUS Health has documented Disaster Recovery Plans that are reviewed and tested annually, for systems that require this as per contractual obligations
• TELUS Health performs risk assessment on vendors integrated into the service delivery process under the Vendor Management Framework provided by the enterprise Procurement function.

TELUS Physical Safeguards

• The TELUS Health Cloud undergoes annual certification for SOC2 compliance to ensure its Data Centers meet specified control objectives or criteria.

TELUS Technical Safeguards

• The security controls reflect the sensitivity of the PHI held within the platform.
• All data is encrypted throughout the lifecycle, including both in transit (TLS) and at rest (AES).
• Back-ups are tested periodically and subject to annual business continuity tests.
• Multi-factor authentication is supported through various technologies.
• Services undergo periodic third-party penetration testing, and identified vulnerabilities are triaged and remediated or mitigated according to risk-based prioritization.
• All software activity is logged, including both front-end usage as well as any changes made to back-end production infrastructure.
• The solution is monitored by hosted application security agents to identify and alert threats in real-time.
• The solution leverages a highly available architecture via the cloud hosting provider and its associated cloud resources to ensure availability SLAs are met.

See our Contact page to find information on how to contact the Ontario Health Privacy Office.