A feature of the VCUR 2008 electronic medical record (EMR)
solutions is the requirement that they be hosted in and provided
from an approved central data centre. This service is often
referred to as an application service provider (ASP) environment
where data and the EMR application software are hosted offsite and
not within the clinic.
For physicians this means that the EMR solutions are hosted
in the data centre selected by the qualified service providers (EMR
The ASP environment offers several enhanced security features
for patient information over those provided in stand-alone local
- Data security
- Data privacy
- Data encryption
- Access management
- Reliability and availability
- Performance monitoring
- Data centre security
* In cases where a physician resides in an area without
access to high speed Internet service, a local install of the EMR
system may be permitted and supported.
Application Service Provider FAQs
Does my clinic have to use an application service provider model
rather than a local install?
Yes, unless reliable and adequate telecommunications links to
the data centre are not available. Local installations are
exception-based and require evidence of network connectivity
What are some exceptions that would see a local server
If your clinic meets one of the following exceptions, a local
server installation will be allowed:
- Application service provider (ASP) connectivity is not
available at a reasonable cost. Reasonable cost is assessed on an
individual basis. Cost of ASP connectivity must be substantially
higher than the cost to provide a local installation (including
infrastructure costs such as the server room).
- Sufficient or reliable telecommunications are not technically
available for a clinic to support an ASP solution.
What are the implications to my clinic for choosing a local
If you choose to pursue a local install, your clinic will face the
following implications:
- Your clinic's privacy impact assessment (PIA) will still be a
streamlined PIA but it will be more detailed than the PIA that is
used for an application service provider (ASP) hosted
- Day-to-day ongoing security will be the responsibility of your
clinic; however, your electronic medical record (EMR) provider will
be responsible for setup of appropriate security.
- If your clinic will be connecting to provincial assets like
Netcare and PIN, it will require a provincial Organizational
Readiness Assessment (pORA) that will review security steps.
- A disaster recovery plan for the local install would be
required as well as a business continuity plan for when the server
is down. Your EMR provider will be responsible for the portions of
the backups to be done from the local install.
- Many service levels will need to be measured locally.
Availability, response time, scheduled downtimes, and backup and
restore will have to be measured within the local applications.
Service levels related to the help desk will remain the same as
those for ASP.
- A site visit will be required to determine if the server and
other hardware meet the physical, technical and administrative
security requirements and all risks are adequately addressed.