The Personal Health Information Act (PHIA) Access and Privacy Office

1 The Personal Health Information Act (PHIA) Updated: November 2017

2 The University of Manitoba is committed to the principles of access to information and the protection of privacy as they are outlined within the Province's access and privacy legislation: The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA). These Acts provide the public with the right of access to records in the custody or under the control of the University of Manitoba, while safeguarding the privacy of individuals.

3 The is a part of the Office of Fair Practices and Legal Affairs, and is located on the second floor of the Elizabeth Dafoe Library, Fort Garry Campus: 233 Elizabeth Dafoe Library University of Manitoba Winnipeg, MB, R3T 2N2 Fax: (204) fippa@umanitoba.ca

4 The Office consists of the following staff members: Karen Meelker, r Rachelle Ross, Records Manager/Archivist Robyn Wellman, Access and Privacy Coordinator Mary Grace Golfo-Barcelona, Office Assistant Jeanette Mockford, NCTR Access and Privacy Coordinator

5 PHIA Training This training slide show is made available to health care and non-health care employees, associates, appointees, agents (through contract or agreement), students, and researchers of the University of Manitoba. This content references PHIA directly, representing the perspectives of a higher education institution. This slide show takes about 1 hour to complete. Please give yourself enough time to familiarize yourself with the material.

6 PHIA Training This training is intended to provide participants with sufficient knowledge of The Personal Health Information Act in order to sign the University of Manitoba Personal Health Information Pledge of Confidentiality. Researchers, research assistants, lab technicians, and all employees, appointees, associates, and contractors who access or may be exposed to personal health information in connection with research are required to complete an institutional PHIA Training Program.

7 PHIA Training The PHIA Training Program consists of: a) Reviewing the Access and Privacy Policy and Procedures: the University has Access and Privacy Policies and Procedures that provide specific rules about access to and protection of Personal Health Information held by the institution. b) Reviewing this PHIA training presentation: refer to the overview on the next slide. c) Signing the Pledge of Confidentiality.

8 PHIA Training Overview: The Personal Health Information Act (PHIA); Key Definitions; Protection of Privacy and Confidentiality; Access, Collection, Use, Disclosure, Security Safeguards, Storage and Disposal of Personal Health Information; PHIA and Research; Breaches of Confidentiality; PHIA Quiz; UM's PHIA Pledge of Confidentiality.

9 Personal Health Information Act The Personal Health Information Act (PHIA) provides the legislative framework for managing the information practices of Personal Health Information (PHI) in Manitoba. PHIA applies to Manitoba government departments, agencies and public bodies, including educational bodies, and health information Trustees (health care professionals, facilities, and agencies).

10 Personal Health Information Act The purposes of PHIA are: to provide the right to examine or receive a copy of PHI; to provide the right to request corrections to your own PHI; to establish rules for collection, use and disclosure of PHI; to control the collection, use and disclosure of the Personal Health Identification Number (PHIN); to provide for an independent review of the actions of a trustee under the Act.

11 Key Definitions What is Personal Information? What is Personal Health Information? What is a Record? What is a Trustee? What is Privacy? What is Confidentiality?

12 Key Definitions What is Personal Information?

13 Personal Information is Recorded information about an identifiable individual including: name, home contact information; age, sex, sexual orientation, marital or family status; ancestry, race, colour, nationality, national or ethnic origin; religion, creed, religious belief, association or activity; personal health information; blood type, fingerprints, hereditary characteristics; political belief, association or activity; education, employment or occupation, history of these three; source of income, financial circumstances, activities or history; criminal history including regulatory offences.

14 Personal Information is (Continued): own personal views, except if about another person; views or opinions about the individual expressed by another person; identifying number, symbol or other particular assigned to the individual (i.e. student number or employee number). It is important to note that the views or opinions that you have regarding another individual belong to that individual. When a view or opinion about an individual is recorded, that information becomes that individual's Personal Information.

15 Key Definitions What is Personal Health Information?

16 Personal Health Information is Recorded information about an identifiable individual that relates to: the individual's health, or health care history, including genetic information about the individual; the provision of health care to the individual, including a doctor's note; payment for health care provided to the individual, and includes bills, receipts, etc.;

17 Personal Health Information is Recorded information about an identifiable individual that relates to: the PHIN and any identifying number, symbol or particular assigned to an individual; and any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

18 Personal Health Information is Personal Health Information may also include: behaviour resulting from illness or treatment; financial position; home conditions; domestic difficulties; other private matters.

19 Personal Health Information is Personal Health Information does not include: Anonymous or statistical information that does not permit individuals to be identified. However, if two or more seemingly anonymous or statistical data items can be combined to readily identify an individual, the data may be considered Personal Health Information.

20 Key Definitions What is a Record?

21 What is a Record? A Record or Recorded Information means a record of information in any form: written, photographed, recorded or stored in any manner, on any storage medium; or by any means: electronic, graphic, or mechanical means. Examples include X-ray, voicemail, fax or email.

22 What is a Record? Examples of Records: Files; Emails; Databases; Documents; Photographs; Rough notes and drafts; Annotations and sticky notes.

23 Key Definitions What is a Trustee?

24 What is a Trustee? A Trustee means any of the following: health professional, health care facility, public body, health services agency that collects or maintains Personal Health Information.

25 What is a Trustee? Health Professionals: Doctor, Dentist, Pharmacist, Nurse, Chiropractor, Therapist, Social Worker, Midwife Health Care Facilities: Hospital, Personal Care Home, Medical Clinic, Laboratory, Psychiatric Facility

26 What is a Trustee? Public Bodies: University of Manitoba, School Divisions, City of Winnipeg. The University is a Public Body, and is therefore a Trustee. However, it is not a Health Facility. Health Services Agencies: J.A. Hildes Northern Medical Unit, Centre for Community Oral Health, V.O.N.

27 What is a Trustee? Certain health care units that operate within the University, which hold Personal Health Information, are also Trustees: Dental Clinics Bannatyne Campus University Health Services University Pharmacy Athletic Therapy Centre The University also holds student and employee Personal Health Information, e.g., medical notes.

28 What is a Trustee? A Trustee has a duty to: Help individuals gain access to their own PHI; and Protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of PHI.

29 Health Professionals as Trustees A health professional with a private practice conducts the administrative side of their business under the federal act, The Personal Information and Protection of Electronic Documents Act, PIPEDA. However, the health care side of the business falls under PHIA, with the health professional as the Trustee. Where a health professional works for the provincial government, a health care facility, a public body, or an agency, that other entity (provincial government, health care facility, public board or agency) is the Trustee. In Manitoba, the Trustee operates under the provincial act, PHIA.

30 Health Professionals as Trustees Some health professionals have dual or multiple roles (i.e. a private practice that operates within a public body). Records created and received in each role should be managed separately. If there is overlap in the records, they need to be coordinated to meet the highest requirements of all the legislation.

31 Key Definitions What is Privacy?

32 What is Privacy? Privacy means an individual's right to be free from intrusion or interference from others. An important aspect of privacy is the individual's right to control access to their Personal Information and Personal Health Information.

33 Key Definitions What is Confidentiality?

34 What is Confidentiality? The obligation of a Trustee to protect the Personal Information and Personal Health Information entrusted to it, to maintain the secrecy of the information and not misuse or wrongfully disclose it.

35 What is Confidentiality? All persons associated with the University of Manitoba are responsible to protect all Personal Information and Personal Health Information. Accessing, using and disclosing information is acceptable only when required to do your job. Discussions about identifiable individuals should not take place in public places or in the presence of people who do not need to know the information.

36 What is Confidentiality? Individuals have an expectation that the University of Manitoba will protect the privacy, confidentiality and security of the Personal Information and Personal Health Information in its custody. As a person associated with the University of Manitoba, it is your responsibility to hold all Personal Information and Personal Health Information in the highest of confidence.

37 Privacy and Confidentiality General responsibilities of Trustees: Limit on amount of PHI used or disclosed; Limit access to employees who NEED TO KNOW to carry out their responsibilities; Apply restrictions on the use of PHI; Apply restrictions on the disclosure of PHI; Ensure the accuracy of PHI; Implement and adhere to security safeguards on PHI; Protect individuals' privacy.

38 Privacy and Confidentiality Access only the minimum amount of information that you need to know in order to do your job. This is the minimum amount, need to know rule. Snooping means to look for information about yourself or someone else in an attempt to find out details about them you do not need in order to do your job. If you are found snooping, you may face disciplinary action and a report to your professional regulatory body (if applicable).

39 Privacy and Confidentiality Privacy and confidentiality must be protected during: Collection: taking information from a patient, client, research participant or other; having an individual give information on a form. Access: retrieving the information. Use: sharing the information within the Trustee. Disclosure: releasing the information beyond the Trustee. Storage: holding the information after its day-to-day use is ended. Destruction: destroying the information after the need for retention is ended.

40 Privacy and Confidentiality Privacy and confidentiality must be protected regardless of how information is accessed, whether it is: heard; viewed; learned; handled; or otherwise, obtained.

41 Quick Review Personal Information (PI) is recorded personal information about identifiable individuals. Personal Health Information (PHI) is recorded health information about identifiable individuals. A record may come in many forms (electronic, paper, text, image). Trustees are public bodies entrusted to collect, use, disclose, store and dispose of PI and PHI. Trustees are required to help people gain access to their own PI and PHI, and to protect the information under their control.

42 Quick Review An important aspect of privacy is the individual's right to control access to their PI and PHI. Trustees are obliged to maintain the confidentiality, or secrecy, of the PI and PHI entrusted to them. The minimum amount, need to know rule. The privacy and confidentiality of the information in the custody of a Trustee must be maintained throughout its entire lifespan, from collection to destruction. Privacy and confidentiality must be protected regardless of whether the information is heard, viewed, learned, handled or otherwise obtained.

43 Access to PHI

44 Access to PHI - Individuals Individuals have a right to: review their Personal Health Information; request corrections be made where necessary; receive a copy of their Personal Health Information upon written request. Requests for access to, and correction of, PHI should first be made to the UM office where the information is held.

45 Access to PHI - Individuals A request for access must be responded to as promptly as possible, but no later than: 24 hours if the individual is a hospital in-patient and the information is about care currently being provided; 72 hours to a person who is not a hospital in-patient and the information is about care currently being provided; 30 days in any other case.

46 Access to PHI - Trustees In order to maintain the privacy and confidentiality of the PHI in the custody and under the control of the University of Manitoba, access to PHI by UM employees must be limited to: those who need to know in order to carry out their responsibilities; and the least amount of information necessary to carry out the responsibility. These limitations apply to records in any form. This follows the minimum amount, need to know rule.

47 Collection of PHI

48 Collection of PHI Individuals are to be notified about the purpose for which their Personal Health Information is being collected. Whenever possible, Personal Health Information should be collected directly from the individual the Personal Health Information is concerning. Personal Health Information should be used only for the purpose for which it was originally collected.

49 Collection of PHI Trustees may only collect as much Personal Health Information as is reasonably necessary to accomplish the purpose for which it is collected. This follows the minimum amount, need to know rule.

50 Collection of PHI Notice of Collection Practices: A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual: a) Of the purpose for which the information is being collected; and b) How to contact an employee of the Trustee who can answer the individual's questions about collection.

51 Collection of PHI Here's an example of a UM Notification Statement, which is typically placed at the bottom of the form in which the information is being collected. Note the sections in blue, which make the form it is placed on compliant with the notice of collection practices outlined in PHIA: Notice Regarding Collection, Use, and Disclosure of Personal Health Information by the University. Your personal health information is being collected under the authority of The University of Manitoba Act. The information you provide will be used by the University to provide health care services at University Health Services. Your personal health information will not be used or disclosed for other purposes, unless permitted by The Personal Health Information Act (PHIA). If you have any questions about the collection of your personal health information, contact the Access & Privacy Office (tel ), 233 Elizabeth Dafoe Library, University of Manitoba, Winnipeg, MB, R3T 2N2.

52 Use and Disclosure of PHI

53 Use and Disclosure of PHI USE means revealing PHI to someone within the Trustee's organization. Example: Sending a requisition that contains a patient's name and PHIN to the X-ray technician within the hospital in order to take X-rays of a patient. DISCLOSURE means revealing PHI to someone outside the Trustee's organization. Example: Disclosing a patient's name, contact information and PHIN to a specialist outside of the hospital in which you work.

54 Use and Disclosure of PHI You cannot use or disclose Personal Health Information: In the presence of those that are NOT entitled to the information; or In public places, such as elevators, lobbies, cafeterias, off premises, etc. Be aware of surroundings. Personal Health Information is best discussed in a closed setting.

55 Use and Disclosure of PHI You may use or disclose Personal Health Information ONLY if you: need to know this information to do your job; have consent from the individual the PHI is about; are a person permitted to exercise the rights of another individual (e.g., you are the child of an elderly person); or are authorized by PHIA, ss. 21, 22, or by other legislation. Always remember to apply the minimum amount, need to know rule.

56 Use and Disclosure of PHI When is consent required? If the proposed use or disclosure of Personal Health Information is not outlined in Sections 21, 22 and 23 of PHIA, consent is required. When consent is required, it must: a) Relate to the purpose for which the information is used or disclosed; b) Be knowledgeable; c) Be voluntary; and d) Not be obtained through misrepresentation.

57 Use and Disclosure of PHI Knowledgeable Consent: Consent is knowledgeable if the individual who gives it has been provided with the information that a reasonable person in the same circumstances would need in order to make a decision about the use or disclosure of the information. Consent With Conditions: An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies.

58 Use and Disclosure of PHI Express or Implied Consent: Consent can be express or implied. Express Consent is clearly and unmistakably stated. Implied Consent is judged by conduct, rather than stated. When Express Consent is Required: Consent must be express and not implied if: the disclosure is to someone who is not a Trustee; or the consent is to a Trustee, but not for the original purpose of providing health care.

59 Use and Disclosure of PHI Consent May Be Withdrawn: An individual who has given consent, whether express or implied, to the use or disclosure of Personal Health Information may withdraw their consent by notifying the Trustee. A withdrawal does not have retroactive effect. Verbal Consent: Express Consent need not be in writing. However, it is good practice to make a record of a consent that has been given verbally.

60 Use and Disclosure of PHI Disclosing PHI with Family and Friends: If an individual is a patient or resident in a health care facility, the Trustee may provide information to family/friends about health care currently being provided: if this is in keeping with good medical and professional practice, and if the Trustee believes the individual would not object. Remember, limit the disclosure to the minimum amount about the care currently being provided.

61 Use and Disclosure of PHI Disclosing General Information: Trustees may provide general health information to any person, unless the patient/client specifies otherwise. This information is limited to: the individual's name; general health status; location within the facility, unless this would reveal specific information about the health of that person.

62 Quick Review A person has a right to request a copy of his/her PHI from the holding trustee. Individuals need to be notified about how their PHI will be used and disclosed. Access to PHI should be limited to those who need to know to do their jobs. The use or disclosure of PHI is limited to only those who need to know the information to do their job.

63 Quick Review Consent is required to use or disclose PHI unless authorized under Sections 21, 22 and 23 of PHIA. Consent may be express or implicit, verbal or written, and may contain conditions. Disclosing PHI to family and friends is permitted. It must be limited to care currently being provided, in keeping with good practice, and if the individual would not object. General information can be disclosed unless the individual objects.

64 Security and Storage of PHI

65 Security and Storage of PHI Personal Health Information is to be properly secured and maintained to protect privacy and confidentiality. Personal Health Information is to be protected from accidental destruction or deterioration or loss by heat, cold, moisture, theft, or vandalism.

66 Security and Storage of PHI PHIA Requires Trustees to: Adopt reasonable safeguards: administrative, technical, physical and electronic; Protect the security, confidentiality, accuracy, and integrity of the Personal Health Information; and Apply reasonable security throughout the lifetime of a record containing Personal Health Information.

67 Security and Storage of PHI Protecting the integrity of PHI means the preservation of its content. This would provide confidence that the information has not been tampered with or modified other than as authorized. Preservation of content is maintained by protecting and securing the PHI throughout collection, access/retrieval, use, disclosure/transfer, and storage.

68 Security and Storage of PHI A Trustee is obligated to protect Personal Health Information by adopting reasonable administrative, technical, physical and electronic safeguards, that ensure the confidentiality, security, accuracy and integrity of the information. In determining the reasonableness of the safeguards to be adopted, a Trustee should take into account the degree of sensitivity of the Personal Health Information to be protected.

69 Security and Storage of PHI Administrative Safeguards: Policies and Procedures; Guidelines and Resources; PHIA training and signing of the Pledge of Confidentiality; Proper management of swipe cards or key access; Secure print codes at printers/fax machines.

70 Security and Storage of PHI Technical Safeguards: Role-based profiles on new or existing information management systems; Base profiles on the individual's role, which determines the level of access required; Multiple levels of authentication for information with a high degree of sensitivity.

71 Security and Storage of PHI Physical Safeguards: Arrange office furniture to limit the ability of others to access your files; Locks on doors and filing cabinets; Clean off your desk at the end of the day (implement a Clean Desk Policy as an Administrative Safeguard).

72 Security and Storage of PHI Electronic Safeguards: Encryption of files for transmission or transport; Passwords on all devices; Up-to-date anti-virus software; Firewalls.

73 Security and Storage of PHI Additional Safeguards for Electronic Information: All Trustees must create and maintain a record of user activity for any electronic information system that is used to maintain PHI. This applies to all PHI, including research information, unless: the information is demographic, it is used or disclosed for statistical purposes, or it is disclosed under PHIA 22(2)(h) as part of an approved transfer to a health information network.

74 Security and Storage of PHI Laptops and Removable Storage: Personal Health Information should not be carried on electronic portable devices unless it is for an authorized purpose. If the movement of Personal Health Information from the premises of the Trustee is absolutely necessary, and authorized, appropriate safeguards, such as encryption and passwords, must be put in place to ensure that the information is protected. Refer to the University's Travelling with Records Guidelines.

75 Security and Storage of PHI Confidentiality Maintaining the confidentiality of the information in your custody or control is another way to safeguard Personal Health Information. In your life you play several roles, such as family member, friend, relative, student, researcher, or employee. As a person associated with the University of Manitoba, you may learn confidential information about people you know. You cannot share the information you learn at the UM with people not entitled to know the information in other parts of your life.

76 Disposal of PHI

77 Disposal of PHI A Trustee must ensure that Personal Health Information is destroyed by methods that protect the privacy of the individual the information is about. Records in all University departments should be destroyed according to a destruction schedule using a Requisition to Destroy Records (RDR) form. This form serves as a destruction log for all records that contain Personal Health Information.

78 Disposal of PHI Once the RDR has been approved, confidential records may be destroyed using a secure method. The best and most secure way for destroying confidential records is shredding. The records can either be shredded using the University's preferred supplier, or using an in-office shredder. Both of these options comply with the standards for the secure destruction of confidential records.

79 Disposal of PHI The University of Manitoba's preferred shredding supplier is Shred-It, which provides bulk pick-up service for large quantities of materials, or a secure console that is serviced as required. Certificates of Destruction are provided by Shred-It for both services. Refer to our Document Disposal website for more information.

80 Disposal of PHI Small amounts can be destroyed using an in-office shredder. When the in-office shredder is full, seal the shredded material in a clear plastic bag and deposit the bag in one of the large blue recycling bins placed in or near your department. The bins are collected by Physical Plant and the shredding is sent off-site to be recycled.

81 Disposal of PHI Electronically held personal health information should be destroyed by deleting the files off the network drive. Personal Health Information should not be stored on the computer's hard drive. IST will assist any office requiring destruction of electronic records, or with the confidential destruction of hard drives, including the hard drives from multi-purpose printer/fax/scanner units.

82 Quick Review It is everyone's responsibility to ensure reasonable safeguards are in place to protect PHI. Laptops are particularly vulnerable to burglary and theft. Personal Health Information contained on a laptop must be encrypted and the laptop must be password protected. Part of protecting PHI is making sure that records are not accessed, altered or destroyed without authorization. Remember the four main types of safeguards: Administrative, Technical, Physical, and Electronic.

83 Quick Review Records in all University departments should be destroyed according to a destruction schedule. Before destruction occurs, a Requisition to Destroy Records (RDR) should be submitted and approved. Shredding is the best and most secure method of destruction. For help with the destruction of electronic records and hard drives, contact IST.

84 Research at the University

85 Research at the University Research involving humans requires Research Ethics Board (REB) approval, including: Research that involves clinical trials and other biomedical interventions; and Research that uses Personal Health Information (PHI). If the Personal Health Information is maintained by the government or a government agency, review and approval must come from the Health Information Privacy Committee (HIPC).

86 Research at the University If the research is conducted in connection with the University of Manitoba, review and approval must come from one of the five Research Ethics Boards: Psychology/Sociology REB; Education/Nursing REB; Joint-Faculty REB; Biomedical Research Ethics Board (BREB); Health Research Ethics Board (HREB).

87 Research at the University At the Bannatyne Campus, most research is reviewed and approved by the BREB or the HREB. The BREB reviews all research ethics protocols involving clinical trials and other biomedical research interventions. The HREB reviews research involving the behavioral sciences, surveys, examinations of medical records and protocols of generally lesser risk.

88 Research at the University At the Fort Garry Campus, three boards review and approve research: Education/Nursing REB: Faculties of Education, Kinesiology and Recreation Management, Extended Education, Engineering, and the College of Nursing; Psychology/Sociology REB: Faculty of Social Work, Departments of Sociology, Psychology, and Counseling Services; Joint-Faculty REB: Remaining Faculties and Departments.

89 Research at the University Researchers using information/data held by Manitoba Centre for Health Policy (MCHP) must fulfill several reviews and approvals: HIPC Health Information Privacy Committee; HREB approval from the UM. An HREB from another institution will be considered if it is accompanied by a letter indicating that the review is accepted by that institution; MCHP internal review. Depending on the data source other approvals may be required. A full explanation is found at U of M website: Manitoba Centre for Health Policy (MCHP) Applying for Access

90 Research at the University Disclosures of PHI for Health Research: A Trustee may disclose Personal Health Information to a person conducting health research if the requirements outlined in Section 24 of PHIA are met. Section 24: outlines who can approve disclosure of PHI for health research; establishes conditions for approval; details required agreements for disclosure of PHI; and sets limits on disclosure of PHI for health research. See The Personal Health Information Act, Section 24 for details.

91 Research at the University Researchers collect, access, use, and share information about research participants during the course of research. Tri-Council Policy Statement defines five classes of information to be aware of: a) Identifying b) Identifiable c) De-identified/coded d) Anonymized e) Anonymous

92 Research at the University a) Identifying information: The information identifies an individual through direct identifiers (e.g., name, address, social insurance number, or personal health identification number). b) Identifiable information: The information could be used to re-identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence, or unique personal characteristic) using reasonably foreseeable means.

93 Research at the University c) De-identified/coded information: Identifiers are removed and replaced with a code. Depending on access to the code, it may be possible to re-identify specific individuals (e.g., individuals are assigned a code name and the principal investigator retains a list that links the code name with the individual's actual name so data can be re-linked if necessary). Researchers who have access to the code and the data have identifiable information.

94 Research at the University d) Anonymized information: Information is irrevocably stripped of identifiers, and a code is not kept to allow future re-linkage. e) Anonymous information: Information never had identifiers associated with it (e.g., anonymous surveys).

95 Research at the University Retention of Research Records: Researchers must outline policies and procedures to destroy or remove identifying information as soon as possible. Researchers must identify intended retention periods in the REB submission for all data. Researchers may be asked to justify the rationale for a certain period of retention in the application.

96 Quick Review All research involving humans requires REB or HIPC approval. Disclosure of Personal Health Information for health research is governed by Section 24 of PHIA. Different classes of Personal Health Information (identifiable, de-identified, anonymized, anonymous) require different levels of security protection.

97 Breach of Privacy istock.com/xixinxing

98 Breach of Privacy A Breach of Privacy occurs when Personal Information, including Personal Health Information, is collected, accessed, used, disclosed, transported, transmitted, transferred or destroyed other than as authorized, or when the accuracy, confidentiality or integrity of the information is compromised. Examples may include, but are not limited to, the viewing of confidential information by unauthorized individuals, the access, theft or loss of University Records and the unauthorized destruction of such information.

99 Breach of Privacy Snooping is an example of a breach of privacy. Under The Personal Health Information Act, snooping is a fineable offence. Any individual who willfully uses, discloses, gains access to or attempts to gain access to another person's Personal Health Information is guilty of an offence, and can be fined. Some recent examples of snooping into Personal Health Information

100 Breach of Privacy

101 Breach of Privacy A Breach of Privacy occurs when: PHI is accessed by someone not entitled to that information, including snooping. PHI is shared (used or disclosed) with those not entitled to that information. PHI is removed from the custody of the trustee without authorization. The integrity of a record is compromised. More PHI is collected than is required to do the job. PHI is not appropriately safeguarded.

102 Breach of Privacy If you know or suspect a Breach of Privacy has occurred, immediately notify: The head of your UM office, UM health unit, or health care agency. The head will notify the dean or director, the Vice-President (Administration), and the.

103 Breach of Privacy The, in consultation with others, will decide whether an investigation is necessary; If the decision is yes, the will: inquire into the incident/allegation consult with appropriate persons to determine whether a breach has occurred document findings recommend disciplinary action, if applicable

104 PHIA Quiz istock.com/cacaroot

105 PHIA Quiz True or False? In order to maintain the privacy and confidentiality of the Personal Health Information held in electronic systems, access to the electronic systems by UM employees must be limited to only those who need access in order to do their jobs. However, once they have access to the electronic system, they are permitted to view all records and information within that system. True False

106 PHIA Quiz True or False? In order to maintain the privacy and confidentiality of the Personal Health Information held in electronic systems, access to the electronic systems by UM employees must be limited to only those who need access in order to do their jobs. However, once they have access to the electronic system, they are permitted to view all records and information within that system. True False You are only permitted to view the records and information within the system that you require for your job. Remember the minimum amount, need to know rule.

107 PHIA Quiz True or False? A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual of the purpose for which the information is being collected, and how to contact an employee of the Trustee who can answer the individual's questions about collection. True False

108 PHIA Quiz True or False? A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual of the purpose for which the information is being collected, and how to contact an employee of the Trustee who can answer the individual's questions about collection. True False

109 PHIA Quiz Which of the following statements are true about consent? An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies. An individual who has given consent to the use or disclosure of personal health information may withdraw their consent by notifying the trustee. A withdrawal of consent does not have to be retroactive. Express consent does not need to be in writing. All of the above.

110 PHIA Quiz Which of the following statements are true about consent? An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies. An individual who has given consent to the use or disclosure of personal health information may withdraw their consent by notifying the trustee. A withdrawal of consent does not have to be retroactive. Express consent does not need to be in writing. All of the above.

111 PHIA Quiz A co-worker needs some information quickly and tells you they can't remember their password to get into a clinical database. The co-worker asks if you could do them a favor and just log into the system and they will take over and get the information they need. What should you do? Give the co-worker your password. She is in a hurry and needs the information quickly to do her job. What's the big deal?! Log into the database and let the co-worker access the information she needs. Don't share your password

112 PHIA Quiz A co-worker needs some information quickly and tells you they can't remember their password to get into a clinical database. The co-worker asks if you could do them a favor and just log into the system and they will take over and get the information they need. What should you do? Give the co-worker your password. She is in a hurry and needs the information quickly to do her job. What's the big deal?! Log into the database and let the co-worker access the information she needs. Don't share your password. Passwords are a safeguard that only work if they are kept confidential.

113 PHIA Quiz What type of disciplinary action may be taken if it is confirmed that you used or disclosed Personal Health Information in violation of PHIA? A verbal or written warning Suspension Termination of employment, contract, association or appointment with the University of Manitoba A report to the appropriate professional regulatory body Any of the above

114 PHIA Quiz What type of disciplinary action may be taken if it is confirmed that you used or disclosed Personal Health Information in violation of PHIA? A verbal or written warning Suspension Termination of employment, contract, association or appointment with the University of Manitoba A report to the appropriate professional regulatory body Any of the above

115 PHIA Quiz You are involved in the care of a high profile person. Your involvement in this person's care has been documented by media reports, so it has become public knowledge. Your friends and family keep asking questions about the person. Your involvement is already public knowledge, so you tell them what you know so far. Is this a breach of privacy? Yes No

116 PHIA Quiz You are involved in the care of a high profile person. Your involvement in this person's care has been documented by media reports, so it has become public knowledge. Your friends and family keep asking questions about the person. Your involvement is already public knowledge, so you tell them what you know so far. Is this a breach of privacy? Yes Disclosing information about an individual to those who have no business or health-care related purpose for knowing the information is a breach of privacy. No

117 PHIA Quiz You are training a new employee on the electronic health record system your clinic uses and want to show the new employee an example of what a completed record looks like. You are also a patient at the clinic, so you use your record as a training tool. Is this a breach? Yes No

118 PHIA Quiz You are training a new employee on the electronic health record system your clinic uses and want to show the new employee an example of what a completed record looks like. You are also a patient at the clinic, so you use your record as a training tool. Is this a breach? Yes Even though it is your record, your role as a patient is different from your role as an employee. You should only access records you require for your job. No

119 PHIA Quiz You are organizing a curling team to compete with other teams in your community. You want a ringer. You recall a former student who mentioned she was quite good at the sport but had not played for some time and was eager to start again. You access her student record to get her telephone number. You make sure to ignore all other information. Is this a breach of privacy? No, because telephone numbers are public information. You simply accessed it in a different way. Yes, because the phone number was collected for educational purposes.

120 PHIA Quiz You are organizing a curling team to compete with other teams in your community. You want a ringer. You recall a former student who mentioned she was quite good at the sport but had not played for some time and was eager to start again. You access her student record to get her telephone number. You make sure to ignore all other information. Is this a breach of privacy? No, because telephone numbers are public information. You simply accessed it in a different way. Yes, because the phone number was collected for educational purposes. Using the information for a use that is not consistent with the original purpose it was collected for is a breach.

121 PHIA Quiz You notice student counselling records sticking out of a garbage can, which include the students' names, student numbers, PHINs and contact information. Is discarding these papers in this manner a violation of PHIA? Yes No

122 PHIA Quiz You notice student counselling records sticking out of a garbage can, which include the students' names, student numbers, PHINs and contact information. Is discarding these papers in this manner a violation of PHIA? Yes. Confidential records must be destroyed appropriately (shredding). No

123 PHIA Quiz You are leaving work after a long day. Just as you get to the parking lot you notice a USB drive lying on the ground. What should you do? Do nothing and leave it there. Pick it up and take it home for your own personal use. Take it to the. Take it to the nearest lost and found.

124 PHIA Quiz You are leaving work after a long day. Just as you get to the parking lot you notice a USB drive lying on the ground. What should you do? Do nothing and leave it there. Pick it up and take it home for your own personal use. Take it to the. Take it to the nearest lost and found.

125 PHIA Quiz You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual's privacy? Yes No

126 PHIA Quiz You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual's privacy? Yes You have access to that information only for the purpose for which it was collected, for research, not for any other use. No

127 PHIA Pledge of Confidentiality

128 PHIA Pledge of Confidentiality At the University, a Personal Health Information Pledge of Confidentiality ("Confidentiality Pledge") is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices, and as a condition of research involving humans. The requirement extends to student employees and researchers.

129 PHIA Pledge of Confidentiality 1. All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all Personal Health Information (verbal or recorded in any form) that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University. 2. Personal Health Information shall be protected during its collection, access, use, retention, storage and destruction.

130 PHIA Pledge of Confidentiality 3. You may only use or disclose Personal Health Information in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) on a need to know basis. 4. Discussion regarding Personal Health Information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).

131 PHIA Pledge of Confidentiality 5. Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment, contract, association, or appointment with the University of Manitoba. 6. A confirmed breach of confidentiality may result in disciplinary action and be reported to the individual's professional body. 7. All individuals who become aware of a possible breach of the security or confidentiality of Personal Health Information shall follow the procedures outlined under Breach of Privacy.

132 PHIA Pledge of Confidentiality To obtain your University of Manitoba Personal Health Information Pledge of Confidentiality declaration form, click here. Submit your completed form by saving your completed form to your computer and send it as an attachment to

133 PHIA Pledge of Confidentiality Please note, it is best to view and complete the declaration form using Adobe Acrobat products. Click here to access free downloads of Adobe Reader for a variety of computer systems. If you have any questions about the declaration form, please contact our office at fippa@umanitoba.ca or

134 Thank you! If you have questions about the training presentation, please contact the at: Phone: All images are used with permission from Microsoft unless otherwise noted.


More information

FACULTY OF DENTISTRY, THE UNIVERSITY OF HONG KONG THE PRINCE PHILIP DENTAL HOSPITAL

FACULTY OF DENTISTRY, THE UNIVERSITY OF HONG KONG THE PRINCE PHILIP DENTAL HOSPITAL FACULTY OF DENTISTRY, THE UNIVERSITY OF HONG KONG THE PRINCE PHILIP DENTAL HOSPITAL Rules Governing Treatment of Patients and Handling of Patient Information (Applicable to Staff and Students of both the

More information

HIPAA PRIVACY TRAINING

HIPAA PRIVACY TRAINING HIPAA PRIVACY TRAINING HIPAA Privacy Training Objective Present a general overview of HIPAA and define important terms Understand the purpose of HIPAA and the Privacy Rule Understand the term Protected

More information

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS

PRIVACY POLICY USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS PRIVACY POLICY As of April 14, 2003, the Federal regulation on patient information privacy, known as the Health Insurance Portability and Accountability Act (HIPAA), requires that we provide (in writing)

More information

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector. ANN CAVOUKIAN, Ph.D. COMMISSIONER

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector. ANN CAVOUKIAN, Ph.D. COMMISSIONER What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, Ph.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER OF ONTARIO Table of Contents What is a privacy breach?...1

More information

Emergency Medical Services Division Policies Procedures Protocols

Emergency Medical Services Division Policies Procedures Protocols Emergency Medical Services Division Policies Procedures Protocols Patient Medical Record Security and Privacy Policies and Procedures (1003.00) I. GENERAL PROVISIONS: A. The intent of these policies and

More information

INVESTIGATION REPORT

INVESTIGATION REPORT Prince Albert Co-operative Health Centre Community Clinic March 27, 2018 Summary: A patient and her spouse attended the Prince Albert Co-operative Health Centre Community Clinic (the Clinic) for lab services

More information

A PHIPA Update from the IPC

A PHIPA Update from the IPC A PHIPA Update from the IPC April 10, 2017 Brian Beamish Commissioner Information and Privacy Commissioner of Ontario PHIPA Processes Internal review of PHIPA processes led to some changes o Most significant:

More information

FCSRMC 2017 HIPAA PRESENTATION

FCSRMC 2017 HIPAA PRESENTATION FCSRMC 2017 HIPAA PRESENTATION BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international

More information

POLICY STATEMENT PRIVACY POLICY

POLICY STATEMENT PRIVACY POLICY POLICY STATEMENT PRIVACY POLICY Version: 3.0 Issue Date: 01/07/2009 Last Review: 10/02/2016 Issued By: General Manager APPROVAL This policy has been approved by the Boards of METRO Church Australia and

More information

DATA PROTECTION POLICY (in force since 21 May 2018)

DATA PROTECTION POLICY (in force since 21 May 2018) DATA PROTECTION POLICY (in force since 21 May 2018) This Data Protection Policy is issued by IDM Südtirol - Alto Adige, with registered office in Piazza della Parrocchia n. 11 39100, Bolzano (hereinafter

More information

I. PURPOSE DEFINITIONS. Page 1 of 5

I. PURPOSE DEFINITIONS. Page 1 of 5 Policy Title: Computer, E-mail and Mobile Computing Device Use Accreditation Reference: Effective Date: October 15, 2014 Review Date: Supercedes: Policy Number: 4.31 Pages: 1.5.9 Attachments: October 15,

More information

Protecting PHI for Clinical Staff and Students

Protecting PHI for Clinical Staff and Students Office of Compliance Programs Protecting PHI for Clinical Staff and Students Revised: July 24, 2017 Introduction HIPAA requires that LSUHSC-NO "have in place appropriate administrative, technical, and

More information

PRIVACY AND ANTI-SPAM CODE FOR OUR DENTAL OFFICE Please refer to Appendix A for a glossary of defined terms.

PRIVACY AND ANTI-SPAM CODE FOR OUR DENTAL OFFICE Please refer to Appendix A for a glossary of defined terms. PRIVACY AND ANTI-SPAM CODE FOR OUR DENTAL OFFICE Please refer to Appendix A for a glossary of defined terms. INTRODUCTION The Personal Health Information Protection Act, 2004 (PHIPA) came into effect on

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Cardiac Care Network of Ontario (CCN):

Report of the Information & Privacy Commissioner/Ontario. Review of the Cardiac Care Network of Ontario (CCN): Information and Privacy Commissioner / Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Cardiac Care Network of Ontario (CCN): A Prescribed Person under the Personal Health

More information

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) HIPPA Review Health Insurance Portability and Accountability Act (HIPAA) What is HIPAA: Stands for Health Insurance Portability and Accountability Act Addresses three areas: 1. Insurance portability 2.

More information

UCLA HEALTH SYSTEM CODE OF CONDUCT

UCLA HEALTH SYSTEM CODE OF CONDUCT UCLA HEALTH SYSTEM CODE OF CONDUCT STANDARD 1 - QUALITY OF CARE The University s health centers and health systems will provide quality health care that is appropriate, medically necessary, and efficient.

More information

Piedmont Healthcare, Inc. Code of Conduct

Piedmont Healthcare, Inc. Code of Conduct Piedmont Healthcare, Inc. Code of Conduct You are part of the Piedmont Healthcare family, a group of talented and dedicated people who take pride in what you do and are committed to our patients and our

More information

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow.

It defines basic terms and lists basic principles that all LSUHSC-NO faculty, staff, residents and students must understand and follow. Office of Compliance Programs Revised: July 18, 2017 HIPAA Privacy HIPAA Privacy Workforce Training The Health Insurance Portability & Accountability Act (HIPAA) requires that the University train all

More information

Health Insurance Portability and Accountability Act. Awareness Training for Volunteers

Health Insurance Portability and Accountability Act. Awareness Training for Volunteers Health Insurance Portability and Accountability Act Awareness Training for Volunteers Southeastern Health Southeastern Health has a strong tradition of protecting the privacy of patient information. Confidentiality

More information

Security Risk Analysis

Security Risk Analysis Security Risk Analysis Risk analysis and risk management may be performed by reviewing and answering the following questions and keeping this review (with date and signature) for evidence of this analysis.

More information

What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996

What is HIPAA? Purpose. Health Insurance Portability and Accountability Act of 1996 Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,

More information

Overview. COTBC Practice Standards for Managing Client Information, Tel: (250) Toll-Free BC: 1 (866) Fax: (250)

Overview. COTBC Practice Standards for Managing Client Information, Tel: (250) Toll-Free BC: 1 (866) Fax: (250) College of Occupational Therapists of British Columbia COTBC Practice Standards for Managing Client Information, 2014 Overview #402-3795 Carey Road Victoria, BC V8Z 6T8 Tel: (250) 386-6822 Toll-Free BC:

More information

PRIVACY IMPACT ASSESSMENT (PIA) For the

PRIVACY IMPACT ASSESSMENT (PIA) For the PRIVACY IMPACT ASSESSMENT (PIA) For the Enlisted Assignment Information System (EAIS) Department of the Navy - SPAWAR - PEO EIS SECTION 1: IS A PIA REQUIRED? a. Will this Department of Defense (DoD) information

More information

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES

PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES Helping People Perform Their Best PRIVACY, RIGHTS AND RESPONSIBILITIES NOTICE PATIENT BILL OF RIGHTS & NOTICE OF PRIVACY PRACTICES Request Additional Information or to Report a Problem If you have questions

More information

Record Keeping - Legal and Ethical Core CPD

Record Keeping - Legal and Ethical Core CPD Record Keeping - Legal and Ethical Core CPD Aims: This article provides information about record keeping and the legal aspects relating to record keeping; details about CQC requirements for record keeping;

More information

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS

INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS INFORMATION ABOUT CHILDREN S MERCY HOSPITALS AND CLINICS The purpose of this brochure is to provide you with a brief orientation to Children s Mercy Hospitals and Clinics. It provides important information

More information

Understanding the Privacy and Security Regulations

Understanding the Privacy and Security Regulations Omnibus Rule Update HIPAA Handbook for Long-Term Care Staff Understanding the Privacy and Security Regulations Kate Borten, CISSP, CISM Handbook for Long-Term Care Staff Understanding the Privacy and Security

More information

Notice of HIPAA Privacy Practices Updates

Notice of HIPAA Privacy Practices Updates Notice of HIPAA Privacy Practices Updates The following is a summary of the updates to the privacy notice for Meridian Hospitals Corporation, Meridian Home Care Services, Inc., Meridian Nursing & Rehabilitation,

More information

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020.

HIPAA for CNAs. This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020. HIPAA for CNAs This course has been awarded one (1.0) contact hour. This course expires on May 31, 2020. Copyright 2015 by RN.com. All Rights Reserved. Reproduction and distribution of these materials

More information

The University of Toledo. Corporate Compliance and HIPAA Training. Presented by: The Compliance and Privacy Office

The University of Toledo. Corporate Compliance and HIPAA Training. Presented by: The Compliance and Privacy Office The University of Toledo Corporate Compliance and HIPAA Training Presented by: The Compliance and Privacy Office Topics Compliance HIPAA (Health Insurance Portability and Accountability Act) FERPA( Family

More information

Resident/Fellow Training Orientation Policies

Resident/Fellow Training Orientation Policies Resident/Fellow Training Orientation Policies Restraint or Seclusion: Violent Behavior Prevention and Reporting of Patient Abuse Blood Component Indications & Critical Tests HIPAA Privacy and Security

More information

INFORMATION TECHNOLOGY, MOBILES DIGITAL MEDIA POLICY AND PROCEDURES

INFORMATION TECHNOLOGY, MOBILES DIGITAL MEDIA POLICY AND PROCEDURES INFORMATION TECHNOLOGY, MOBILES AND DIGITAL MEDIA POLICY AND PROCEDURES Updates Who Updated Comments Aug annually Lewis External version TABLE OF CONTENTS AIMS AND LEGISLATION... 3 MOBILE PHONES PARENTS/CARERS

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES VII-07B Notice of Privacy Practices (p) The MetroHealth System 2500 MetroHealth Drive Cleveland, OH 44109-1998 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW WE MAY USE AND DISCLOSE YOUR PROTECTED

More information

Compliance Program And Code of Conduct. United Regional Health Care System

Compliance Program And Code of Conduct. United Regional Health Care System Compliance Program And Code of Conduct United Regional Health Care System TABLE OF CONTENTS Page MESSAGE FROM OUR PRESIDENT... 1 COMPLIANCE PROGRAM... 2 Program Structure...2 Management s Responsibilities

More information

Code of Ethical Conduct The Right Thing to Do and How to Do it Right!

Code of Ethical Conduct The Right Thing to Do and How to Do it Right! Code of Ethical Conduct The Right Thing to Do and How to Do it Right! Princeton HealthCare System consists of the following units and programs: University Medical Center of Princeton at Plainsboro Princeton

More information

PATIENT RIGHTS TO ACCESS PERSONAL MEDICAL RECORDS California Health & Safety Code Section

PATIENT RIGHTS TO ACCESS PERSONAL MEDICAL RECORDS California Health & Safety Code Section PATIENT RIGHTS TO ACCESS PERSONAL MEDICAL RECORDS California Health & Safety Code Section 123100-123149. 123100. The Legislature finds and declares that every person having ultimate responsibility for

More information

STANDARDS OF CONDUCT SCH

STANDARDS OF CONDUCT SCH STANDARDS OF CONDUCT SCH01242018 2018 LETTER FROM THE CEO Welcome, Thank you for choosing St. Croix Hospice. The care you provide impacts our patients, families, caregivers, and countless others every

More information

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders

Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Williamson County EMS (WCEMS) HIPAA Training for Third Out Riders Training Statement: This training program is designed to educate you on WCEMS legal requirements to protect our patients rights and confidentiality,

More information

The Queen s Medical Center HIPAA Training Packet for Researchers

The Queen s Medical Center HIPAA Training Packet for Researchers The Queen s Medical Center HIPAA Training Packet for Researchers 1 The Queen s Medical Center HIPAA Training Packet for Researchers Table of Contents Overview of HIPAA and Research 3 Penalties for violations

More information

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand.

This notice describes Florida Hospital DeLand s practices and that of: All departments and units of Florida Hospital DeLand. MRN: FIN: FLORIDA HOSPITAL DELAND HIPAA NOTICE OF PRIVACY PRACTICES Effective Date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN

More information

North Hawaii Community Hospital Volunteer Services Application

North Hawaii Community Hospital Volunteer Services Application North Hawaii Community Hospital Volunteer Services Application Today s Date: Name: Address: City/State/Zip: Home Phone: Business Phone: Social Security #: Birth Date: Are you 18 years of age or older?

More information

HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices

HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices HH Health System-Shoals, LLC dba Helen Keller Hospital Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Contribute to society, and. Act as stewards of their professions. As a pharmacist or as a pharmacy technician, I must:

Contribute to society, and. Act as stewards of their professions. As a pharmacist or as a pharmacy technician, I must: Code of Ethics Preamble Pharmacists and pharmacy technicians play pivotal roles in the continuum of health care provided to patients. The responsibility that comes with being an essential health resource

More information

The Family Crisis Center of East Texas, Inc. (Women s Shelter of East Texas)

The Family Crisis Center of East Texas, Inc. (Women s Shelter of East Texas) The Family Crisis Center of East Texas, Inc. (Women s Shelter of East Texas) Volunteer/ Advocate Application (Including Interns and Work Study) Please check one: (See Volunteer Categories for details)

More information

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research

LifeBridge Health HIPAA Policy 4. Uses of Protected Health Information for Research LifeBridge Health HIPAA Policy 4 Uses of Protected Health Information for Research This Policy contains the following Sections: I. Policy II. III. IV. Definitions Applicability Procedures A. Individual

More information

HIPAA Privacy Rule. Best PHI Privacy Practices

HIPAA Privacy Rule. Best PHI Privacy Practices HIPAA Privacy Rule Best PHI Privacy Practices Learning Objectives Define the acronym HIPAA. Understand your role and responsibilities under the privacy regulations. Know what patient s rights are in terms

More information

ENTERPRISE INCOME VERIFICATION (EIV) SECURITY POLICY

ENTERPRISE INCOME VERIFICATION (EIV) SECURITY POLICY ENTERPRISE INCOME VERIFICATION (EIV) SECURITY POLICY Rev. October 2011 EIV Security Policy Acknowledgment Form By signing this form I acknowledge my receipt of the EIV System Security Policy approved by

More information