A.: Possessing the Canada Health Infoway Mark of Conformity communicates to the market that your product has been independently assessed for its conformity to privacy and security standards and to other optional certification modules, such as those for interoperability, that have been derived from international and national normative documents. Vendors may also find that buyers will approach the market with a requirement to procure Infoway certified digital health solutions.
A.: Infoway’s certification requirements are available by request. Please contact Certification Services.
A.: The 2017 Edition builds on the original set of criteria and harmonizes privacy and security certification requirements across Canada. Its development was undertaken over the past year with involvement from the vendor community, ITAC Health, jurisdictional Ministries of Health and eHealth agencies. This should help to reduce the cost and effort of testing digital health solutions for all stakeholders.
A.: Products will now be tested against a maximum of 108 requirements. Fifty-two new requirements have been added to 56 of the original criteria. The 2017 Edition has been expanded to reflect current standards for information security management and privacy of personal health information in addition to aligning with jurisdictional requirements. Infoway’s certification requirements are available by request. Please contact Certification Services.
A.: Yes. Infoway’s interoperability certification requirements will continue to be offered to the marketplace enabling vendors to demonstrate their solution’s ability to meet functional specifications. Certifying for interoperability is optional and at an additional cost. Please contact Certification Services for more information.
A.: Beginning February 2017, the new privacy and security certification requirements will be available for use. At this same time, the original criteria will no longer be offered for use by new clients.
A.: Unless you choose to have your product tested for conformity to the 2017 Edition, the certification process will continue to its conclusion using the original criteria set.
A.: Over time, all products will need to conform to the 2017 Edition of privacy and security requirements. However, you can choose to renew your product certification a maximum of two times under the original criteria set. Or, you can choose to test your product for conformity to the 2017 Edition.
We will work with you to discuss your options and plan for the timing of the 2017 Edition certification for your product. Please contact Certification Services for more information.
A.: No. The privacy and security criteria have changed – new requirements have been added. As such, conformity will need to be demonstrated to those new requirements.
However, products that have maintained their original Infoway certification will only be required to perform a gap assessment (i.e., demonstrate conformity to the new requirements that have been added to create the 2017 Edition).
A.: A solution certified under the 2017 Edition criteria will not expire unless 1) Infoway introduces a new version of requirements (e.g. 2020 Edition) or 2) the product’s functionality that is within the scope of the certification requirements has been modified and the product changes require assessment. Certification renewal and recertification processes have been eliminated.
A.: The cost of certification depends on the product type. However, typically costs are in the range of $20,000 to $30,000. If a product has already been certified by Infoway, and it has maintained its certification status, then a reduced fee will be charged for 2017 Edition certification.
A.: All of the requirements against which your product will be assessed are available for review prior to any commitments being required. Infoway will provide guidance to help you understand the requirements and respond to any of your questions.
A.: The standards used in the Certification Service include:
- Privacy: Canada Health Infoway Electronic Health Record Infostructure (EHRi) Privacy & Security Conceptual Architecture; Government of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA); The Canadian Standards Association's Model Code for the Protection of Personal Information (CAN-CSA-Q830-03); ISO 29100:2011 - Information technology — Security techniques — Privacy framework.
- Security: Canada Health Infoway Electronic Health Record Infostructure (EHRi) Privacy & Security Conceptual Architecture; ISO 17799:2005 - Code of Practice for Information Security Management; ISO 27001:2013 - Information Security Management Systems Requirements; ISO 27002:2013 - Code of Practice for Information Security Management; ISO 27005:2011 - Information security risk management; ISO 27018:2014 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors; ISO 27789:2013 - Health Informatics - Audit Trail for EHR; ISO 27799:2008 - Information Security Management In Health.
- Management: The Canadian Standards Association's Risk Management: Guideline for Decision Makers - CAN-CSA-Q850-97; The Information Systems Audit and Control Association's Control Objectives for Information and Related Technology (COBIT); The Information Technology Infrastructure Library (ITIL).
- Interoperability: Health Level Seven International's HL7v3, HL7v2, HL7 Clinical Document Architecture, Release 2, Canada Health Infoway pan-Canadian Standards and Conformance Profile Definitions for laboratory, drug, clinical reports, and demographic information.
A.: The assessment consists of two parts:
- Document Review: an expert review of your self-assessment, attestation and supporting documentation.
- Demonstration: You must use scripted test scenarios (and test data) to demonstrate your product to the assessment team in a non-production environment. This is typically done via a web conference.
A.: Names of products and/or vendors are not published or otherwise made available by Infoway at any time during the process. The Infoway assessment team is bound by strict non-disclosure agreements. In the case of pre-implementation certification for electronic medical records (EMR), vendors whose product is eligible for physician office system funding should anticipate that an application for certification will be shared with necessary jurisdiction representatives. Once a product has been certified, it is listed on Infoway's website.
A.: You may make changes to address the non-conformant areas and re-initiate the process. You are also entitled to challenge the decision, which will initiate a formal review.
A.: All certified products receive a Mark of Conformity which bears the Infoway logo. You can use this mark in your marketing and promotional material as long as certification is maintained.
A.: To maintain your certification, you are required to notify Infoway of adverse events as well as any product changes that may affect compliance to assessment criteria.
A.: Infoway's pre-implementation certification service complements other regulatory and procurement processes such as licensing by Health Canada's Medical Devices Bureau and conformance testing by the provincial and territorial physician office system programs. Infoway coordinates its certification activities with other organizations to provide a seamless process to reduce the number of times a vendor is required to demonstrate its product.
For more information about Certification Services, please contact Infoway Certification Services.