
Information Systems & Data Security in an NHSF: What CPSA Expects

Zosimos Inc. · May 14, 2026

It's easy to think of accreditation as a clinical and infection-control exercise. But CPSA's Information Systems (NHS.5) standard holds the software and data your facility runs on to a real bar — because a lost record, an unauthorized access, or a system down mid-procedure is a patient-safety problem, not just an IT one. Here's what it asks for.

It starts with the law

Your information systems have to meet national and provincial requirements for health data — in Alberta, the Health Information Act (HIA) — and protect data integrity by design. That's the frame everything else sits in.

Access, security & confidentiality

  • Defined access. Policies state who may use the system, who can view, enter, or change patient data, who can release reports, and who can alter programs.
  • Right-sized permissions. Each user gets an access level appropriate to their role, with a defined process to add and remove access as people join, change roles, or leave.
  • Account hygiene. Passwords are managed and changed periodically; users can't install software at will; programs are protected from casual alteration.
  • Confidentiality everywhere — including data sent over the internet or stored in the cloud.

Resilience: backups, downtime & maintenance

  • Backups that are verified, not just scheduled — with an integrity check after backup and restoration, and errors documented and reported.
  • Downtime procedures. Written steps to protect data and equipment in a fire, flood, or hardware/software failure, and to restore service with a data-integrity check — plus a contingency for accessing information when the system is offline.
  • Preventive maintenance for hardware, with records, and an uninterruptible power supply that allows an orderly shutdown without data loss.

Change management & accountability

  • Approved changes. The medical director or designate approves changes to the system that could affect patient care.
  • Trained users. A training program, with evidence staff are trained on new or modified systems.
  • Malfunctions reported promptly to designated personnel, and report content and format reviewed and approved so results communicate clearly.

Where facilities get caught

  • Backups nobody has ever restored — the check that proves they work is the one that's missing.
  • Stale access. Departed staff still have logins; no record of who can do what.
  • No downtime plan — when the system is down, the facility improvises.
  • Cloud and vendor gaps — patient data sits in a third-party tool with no documented safeguards.

How Zosimos helps

This standard is also a bar for the software you choose — so we build to it. Our tools run on the Zosimos Enterprise identity hub: single sign-on with multi-factor authentication and passkeys, role-based access control, and a full audit trail of every change — with encrypted data and verified backups as defaults. The platform (PolicyHUB, the Accreditation Audit Tool, the Compliance Tracker, Assets Management, Inventory & Procurement, and more, all launching soon) is designed so the system itself helps you meet NHS.5 rather than working against it. PolicyHUB also keeps your IS policies and downtime procedures controlled and current, and our consulting team helps you map access, backup, and contingency procedures to the HIA.

See our CPSA NHSF accreditation support, or get in touch to talk through where your data practices stand. Related: the document and records control that governs every record your systems hold.
