Lesa Semmler on Question 1285-20(1): Electronic Health Records System

Thank you, Mr. Speaker. Mr. Speaker, privacy risks were identified during the early planning and requirements gathering before the RFP was issued. These risks include unauthorized access to personal health information, privacy breaches, weak access controls, and securing sharing of information across systems and jurisdictions. To reduce these risks, strong privacy and security requirements are built directly into the RFP, including encryption, access controls, audit logging, and compliance with territorial privacy laws. Privacy impact assessments and threat risk assessments will be completed and updated throughout procurement and implementation, and the selected vendor will be required to meet these requirements and address any additional risks identified before and during system rollout. Thank you, Mr. Speaker.