EO 001.03 - CFHIS

Question 1

Describe CFHS compliance with federal privacy legislation and policies

Question 2

Describe CFHS confidentiality rules

Question 3

Describe compliance with federal and DND physical and electronic security policies

Question 4

Describe rules for CFHIS access

Question 5

What is the purpose of audit logs

Answer 5

The purpose of audit logs is for system administration, maintenance, security, and to ensure compliance with Treasury Board Secretariat, DND/CAF orders, policies, instructions, directives and standards

Question 6

Describe investigation processes and infraction penalties

Answer 6

Infraction penalties can include temporary suspension, revocation, or permanent termination

Question 7

Define Security techniques

Answer 7

Security techniques refers to the procedures and tools we use to protect information entrusted to us

Question 8

What are the three types of security levels?

Answer 8

1. Public (Unclassified)
2. Classified (Confidential, Secret, or Top Secret)
3. Designated (PROTECTED A, B, C)

Question 9

Define the Need-To-Know principle

Answer 9

Only persons who have a requirement to perform their official duties shall access PHI

Question 10

Define Disclosure

Answer 10

The release or transfer of personal information by any to any body or person

Question 11

What are three rules that must comply with “PROTECTED B” information?

Answer 11

1. Clearly label (on every header, footer, and envelope side)
2. Destroy in approved shredders/burn bags
3. Encrypt when electronically stored or sent

Question 12

Define Personal Information

Answer 12

Information about an identifiable individual

(i.e. race, national/ethnic origin, religion, educational/medical history, identifying numbers/symbols)

Question 13

Define Personal Health Information (PHI)

Answer 13

Personal information that relates to an individual’s diagnostic, treatment, or care information

(i.e. medical/dental/psychosocial information collected during care

Question 14

What type of information is NOT applicable to PHI?

Answer 14

• A CAF member’s medical employment limitations
• Anticipated absences from the workplace
• Prognosis
• General severity of an acute health condition

Question 15

True or false, all CAF health records are property of the crown

Answer 15

True

Question 16

List acceptable reasons to disclose PHI

Answer 16

• Patient authorized disclosure
• Printing/copying a CAF health record where required in the performance of official duties
• Release outlined on a court order, warrant, writ, summons, or other process issued by a court
• MELs, anticipated absences, prognosis/severity of a health condition to the CoC of the member

Question 17

CAF members are;

a) Have the right to access of their own information

b) Are only entitled to request access to their information

Answer 17

Correct answer: B

Members are only entitled to request access to their own information

Question 18

Access to CFHIS will require what?

Answer 18

• DWAN account
• CFHIS account
• Public key infrastructure card
• CFHIS equipped treatment bay (computer)

Question 19

All suspected breaches MUST be reported to:

Answer 19

• Your manager/supervisor
• CH H Svcs Gp Privacy Office
• Local ISSO
• CFHIS Local and/or National ISSO

Question 20

What are the nine responsibilities of the CFHIS user?

Answer 20

1. Only use PHI to perform official duties
2. Use and disclose PHI if needed by adhering to the Privacy Act
3. Disclose the nature of any conflict of duties to CO, immediate supervisor
4. Only request access to your own PHI as per DAOSs 1002-1 & 1002-2
5. Only use your own CFHIS user account and PKI card when electronically accessing PHI
6. Ensure terminals or workstations in use are logged off or unlocked when unattended or not in use
7. Inform the helpdesk and CFHIS local ISSO if your CFHIS user account is no longer required
8. Promptly report all known or suspected losses or compromises of PHI to your CO, immediate supervisor or ISSO
9. Read, understand and observe the directives, orders, instructions and policies in the CFHIS e-learning modules

Question 21

Audit logs record every transaction users make in CFHIS, true or false?

Answer 21

True, every transaction is recorded including the following information:

• User name
• Folder opened
• Document/record which was viewed/modified/printed
• Patient name or record assessed
• Date and time of access

Question 22

What does CFHIS stand for?

Answer 22

Canadian Forces Health Information System

Question 23

What does DAIP stand for?

Answer 23

Directorate of Access to Information and Privacy

Question 24

What does DAOD stand for?

Answer 24

Defense Administrative Orders and Directives

Question 25

What does DHSD stand for?

Answer 25

Director Health Services Delivery

Question 26

What does EHR stand for?

Answer 26

Electronic Health Record

Question 27

What does ISSO stand for?

Answer 27

Information System Security Officer

Question 28

What does PHI stand for?

Answer 28

Personal Health Information

Question 29

What does PKI stand for?

Answer 29

Public Key Infrastructure

Question 30

True or false, patients may request to see who has accessed their CFHIS records?

Answer 30

True.

The Audit log will be supplied to the Local ISSO and the patient will be provided with verbal guidance from the CFHIS Local ISSO or the CFHIS National ISSO on how to read the log.

Question 31

What is CFHIS used for?

Answer 31

• Booking and management of patient appointments
• Recording and reviewing patient history (i.e. attached documents, imaging reports, lab results, etc)
• Management of the recall list and waiting list