The Personal Health Information Act (PHIA) Training · 2020. 2. 18. · PHIA Training This training...

Date post: 03-Feb-2021
The Personal Health Information Act (PHIA) Training
Transcript
  • The Personal Health Information Act (PHIA) Training

  • Access and Privacy Office

    The University of Manitoba is committed to the principles of access to information and the protection of privacy as they are outlined within the Province’s access and privacy legislation: The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA).

    These Acts provide the public with the right of access to records in the custody or under the control of the University of Manitoba, while safeguarding the privacy of individuals.

    Access and Privacy Office

  • Access and Privacy Office

    The Access and Privacy Office is responsible for the implementation and central administration of FIPPA and PHIA at the University of Manitoba.

    The Office responds to all access to information requests for the University, investigates breaches of personal information or personal health information, and provides privacy training to University staff, students, faculty and researchers. The Office also provides advisory and administrative support services for the management of University records.

  • Access and Privacy Office

    The Access and Privacy Office is a part of the Office of Fair Practices and Legal Affairs, and is located on the second floor of the Elizabeth Dafoe Library, Fort Garry Campus:

    Access and Privacy Office
    233 Elizabeth Dafoe Library
    University of Manitoba
    Winnipeg, MB, R3T 2N2
    Fax: (204) 474-9308
    Email: [email protected]

  • PHIA Training

    This training slide show is made available to health care and non-health care employees, associates, appointees, agents (through contract or agreement), students, and researchers of the University of Manitoba.

    This content references PHIA directly, representing the perspectives of a higher education institution.

    This slide show takes about 1 hour to complete. Please give yourself enough time to familiarize yourself with the material.

  • PHIA Training

    This training is intended to provide participants with sufficient knowledge of The Personal Health Information Act to sign the University of Manitoba Personal Health Information Pledge of Confidentiality.

    Researchers, research assistants, lab technicians, and all employees, appointees, associates, and contractors who access or may be exposed to personal health information in connection with research are required to complete an institutional PHIA Training Program.

  • PHIA Training

    The PHIA training program consists of:

    a) Reviewing the Access and Privacy Policy and Procedures. The University has Access and Privacy Policies and Procedures that provide specific rules about access to and protection of Personal Information held by the institution.

    b) Reviewing the PHIA training presentation.

    c) Signing the PHIA Pledge of Confidentiality.

    http://umanitoba.ca/access_and_privacy/governance.html

  • PHIA Training Overview

    • The Personal Health Information Act (PHIA)
    • Key Definitions
    • Protection of Privacy and Confidentiality
    • Access, Collection, Use, Disclosure, Security Safeguards, Storage, and Disposal of Personal Health Information
    • PHIA and Research
    • Breach of Privacy
    • PHIA Quiz
    • PHIA Pledge of Confidentiality

  • Privacy at the University: The Personal Health Information Act (PHIA)

    What is PHIA?

    • PHIA provides the legislative framework for managing the information practices of Personal Health Information in Manitoba.

    • PHIA applies to Manitoba government departments, agencies, local public bodies, educational bodies, and health information trustees.

    • The University of Manitoba is defined as a Trustee under PHIA.

  • Privacy at the University: The Personal Health Information Act (PHIA)

    How does PHIA affect the University of Manitoba?

    • PHIA applies to all Records containing Personal Health Information in the custody or under the control of the University of Manitoba and its Colleges.

    • This includes, but is not limited to, Records held at the: Athletic Therapy Clinic, University Health Services, Dentistry Clinics, Student Counselling Services, Student Accessibility Services, Employee Wellness, Active Living Centre, etc.

  • Privacy at the University: The Personal Health Information Act (PHIA)

    How does PHIA affect the University of Manitoba?

    • PHIA provides individuals with a right to examine and receive a copy of their Personal Health Information maintained by the University (subject to specific exceptions);

    • PHIA provides individuals with a right to request corrections to Personal Health Information maintained by the University;

    • PHIA controls the manner in which the University may collect Personal Health Information;

  • Privacy at the University: The Personal Health Information Act (PHIA)

    How does PHIA affect the University of Manitoba?

    • PHIA protects individuals against the unauthorized use, disclosure or destruction of Personal Health Information by the University;

    • PHIA controls the manner in which the University may collect, use and disclose an individual’s Personal Health Information Number (PHIN); and

    • PHIA provides for an independent review of the decisions made by the University by the Manitoba Ombudsman’s Office.

  • Privacy at the University: The Personal Health Information Act (PHIA)

    How does PHIA affect the University of Manitoba?

    The University of Manitoba has a duty to:

    • Assist individuals with their right to access their own Personal Health Information; and

    • Protect the privacy of individuals in the collection, use, disclosure, storage and destruction of Personal Health Information.

  • Key Definitions

    • What is Personal Information?
    • What is Personal Health Information?
    • What is a Record?
    • What is a Trustee?
    • What is Privacy?
    • What is Confidentiality?

  • Key Definitions: What is Personal Information?


  • Personal Information is…

    Recorded information about an identifiable individual, including:

    • name, home contact information
    • age, sex, sexual orientation, marital or family status
    • ancestry, race, colour, nationality, national or ethnic origin
    • religion, creed, religious belief, association or activity
    • personal health information
    • blood type, fingerprints, hereditary characteristics
    • political belief, association or activity
    • education, employment or occupation, and the history of these three
    • source of income, financial circumstances, activities or history

  • Personal Information is… (continued)

    • own personal views, except if about another person
    • views or opinions about the individual expressed by another person*
    • identifying number, symbol or other particular assigned to the individual (i.e. student number or employee number)
    • criminal history, including regulatory offences

    * It is important to note that the views or opinions that you have regarding another individual belong to that individual. When a view or opinion about an individual is recorded, that information becomes that individual’s Personal Information.

  • Key Definitions: What is Personal Health Information?


  • Personal Health Information is…

    Recorded information about an identifiable individual that relates to:

    • the individual’s health, or health care history, including genetic information about the individual;
    • the provision of health care to the individual, including a doctor’s note;
    • payment for health care provided to the individual, including bills, receipts, etc.;
    • the PHIN and any identifying number, symbol or particular assigned to an individual; and
    • any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

  • Key Definitions: What is a Record?


  • What is a Record?

    A Record or Recorded Information means a record of information…

    In any form: written, photographed, recorded or stored in any manner, on any storage medium; or

    By any means: electronic, graphic, or mechanical means. Examples include X-ray, voicemail, fax or email.

  • What is a Record? Examples of Records

    • Files
    • Emails
    • Databases
    • Documents
    • Photographs
    • Rough notes and drafts
    • Annotations and sticky notes

  • Key Definitions: What is a Trustee?


  • What is a Trustee?

    A Trustee means any of the following:

    • health professional,
    • health care facility,
    • public body, or
    • health services agency

    that collects or maintains Personal Health Information.

  • What is a Trustee?

    Health Professionals:
    • Doctor, Dentist, Pharmacist, Nurse, Chiropractor, Therapist, Social Worker, Midwife

    Health Care Facilities:
    • Hospital, Personal Care Home, Medical Clinic, Laboratory, Psychiatric Facility

  • What is a Trustee?

    Public Bodies:
    • University of Manitoba, School Divisions, City of Winnipeg
    • The University is a Public Body, and is therefore a Trustee. However, it is not a Health Facility.

    Health Services Agencies:
    • Ongomiizwin, Centre for Community Oral Health, V.O.N.

  • What is a Trustee?

    Certain health care units that operate within the University, which hold Personal Health Information, are also Trustees:

    • Dental Clinics – Bannatyne Campus
    • University Health Services
    • University Pharmacy
    • Athletic Therapy Centre

    The University also holds student and employee Personal Health Information, e.g., medical notes.

  • What is a Trustee?

    A Trustee has a duty to:

    • Help individuals gain access to their own PHI; and

    • Protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of PHI.

  • Health Professionals as Trustees

    • A health professional with a private practice conducts the administrative side of their business under the federal act, The Personal Information Protection and Electronic Documents Act (PIPEDA). However, the health care side of the business falls under PHIA, with the health professional as the Trustee.

    • Where a health professional works for the provincial government, a health care facility, a public body, or an agency, that other entity (provincial government, health care facility, public body or agency) is the Trustee. In Manitoba, the Trustee operates under the provincial act, PHIA.

  • Health Professionals as Trustees

    • Some health professionals have dual or multiple roles (e.g., a private practice that operates within a public body).

    • Records created and received in each role should be managed separately. If there is overlap in the records, they need to be coordinated to meet the highest requirements of all the legislation.

  • Key Definitions: What is Privacy?


  • What is Privacy?

    Privacy means an individual’s right to be free from intrusion or interference from others.

    An important aspect of privacy is the individual’s right to control access to their Personal Information and Personal Health Information.

  • Key Definitions: What is Confidentiality?


  • What is Confidentiality?

    The obligation of a Trustee to protect the Personal Information and Personal Health Information entrusted to it, to maintain the secrecy of the information, and not to misuse or wrongfully disclose it.

    All persons associated with the University of Manitoba are responsible for protecting all Personal Information and Personal Health Information.

  • What is Confidentiality?

    Accessing, using and disclosing Personal Information and/or Personal Health Information is acceptable only when required to do your job.

    Discussions about identifiable individuals should not take place in public places or in the presence of people who do not need to know the information.

  • What is Confidentiality?

    Individuals have an expectation that the University of Manitoba will protect the privacy, confidentiality and security of the Personal Information and Personal Health Information in its custody.

    As a person associated with the University of Manitoba, it is your responsibility to hold all Personal Information and Personal Health Information in the highest of confidence.

  • Privacy and Confidentiality

    General responsibilities of Trustees:

    • Limit the amount of PHI used or disclosed
    • Limit access to employees who NEED TO KNOW to carry out their responsibilities
    • Apply restrictions on the use of PHI
    • Apply restrictions on the disclosure of PHI
    • Ensure the accuracy of PHI
    • Implement and adhere to security safeguards on PHI
    • Protect individuals’ privacy

  • Privacy and Confidentiality

    Access only the minimum amount of information that you need to know in order to do your job. This is the “minimum amount, need to know” rule.

    “Snooping” means to look for information about yourself or someone else in an attempt to find out details about them that you do not need in order to do your job.

    If you are found snooping, you may face disciplinary action and a report to your professional regulatory body (if applicable).

  • Privacy and Confidentiality

    Privacy and confidentiality must be protected during:

    • Collection – taking information from a patient, client, research participant or other; having an individual give information on a form
    • Access – retrieving the information
    • Use – sharing the information within the Trustee
    • Disclosure – releasing the information beyond the Trustee
    • Storage – holding the information after its day-to-day use is ended
    • Destruction – destroying the information after the need for retention is ended

  • Privacy and Confidentiality

    Privacy and confidentiality must be protected regardless of how information is accessed, whether it is:

    • heard;
    • viewed;
    • learned;
    • handled; or
    • otherwise obtained.

  • Quick Review

    • Personal Information (PI) is recorded personal information about identifiable individuals.

    • Personal Health Information (PHI) is recorded health information about identifiable individuals.

    • A record may come in many forms (electronic, paper, text, image).

    • Trustees are public bodies entrusted to collect, use, disclose, store and dispose of PI and PHI.

    • Trustees are required to help people gain access to their own PI and PHI, and to protect the information under their control.

  • Quick Review

    • An important aspect of privacy is the individual’s right to control access to their PI and PHI.

    • Trustees are obliged to maintain the confidentiality, or secrecy, of the PI and PHI entrusted to them.

    • Remember the “minimum amount, need to know” rule.

    • The privacy and confidentiality of the information in the custody of a Trustee must be maintained throughout its entire lifespan, from collection to destruction.

    • Privacy and confidentiality must be protected regardless of whether the information is heard, viewed, learned, handled or otherwise obtained.

  • Access to Personal Health Information


  • Access to Personal Health Information

    Individuals have a right to:

    • Review their Personal Health Information
    • Request corrections be made where necessary
    • Receive a copy of their Personal Health Information upon written request

    Requests for access to, and correction of, Personal Health Information should first be made to the UM office where the information is held.

  • Access to Personal Health Information

    A request for access must be responded to as promptly as possible, but no later than:

    • 24 hours – if the individual is a hospital in-patient and the information is about care currently being provided;

    • 72 hours – to a person who is not a hospital in-patient and the information is about care currently being provided;

    • 30 days – in any other case.

  • Access to Personal Information

    In order to maintain the privacy and confidentiality of the Personal Health Information in the custody and under the control of the University of Manitoba, access to Personal Health Information by UM employees must be limited to:

    • those who need to know in order to carry out their responsibilities; and
    • the minimum amount of information necessary to carry out the responsibility.

    These limitations apply to records in any form.

    This follows the “minimum amount, need to know” rule.

  • Collection of Personal Health Information


  • Collection of Personal Health Information

    Individuals are to be notified about the purpose for which their Personal Health Information is being collected.

    Whenever possible, Personal Health Information should be collected directly from the individual the Personal Health Information concerns.

    Personal Health Information should be used only for the purpose for which it was originally collected.

  • Collection of Personal Health Information

    Trustees may only collect as much Personal Health Information as is reasonably necessary to accomplish the purpose for which it is collected.

    This follows the “minimum amount, need to know” rule.

  • Collection of Personal Health Information

    Notice of Collection Practices

    A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual:

    a) of the purpose for which the information is being collected; and

    b) how to contact an employee of the Trustee who can answer the individual’s questions about collection.

  • Collection of Personal Health Information

    Here’s an example of a UM Notification Statement, which is typically placed at the bottom of the form on which the information is being collected.

    Note the sections in blue, which make the form they are placed on compliant with the notice of collection practices outlined in PHIA:

    Notice Regarding Collection, Use, and Disclosure of Personal Health Information by the University

    Your personal health information is being collected under the authority of The University of Manitoba Act. The information you provide will be used by the University to provide health care services at University Health Services. Your personal health information will not be used or disclosed for other purposes, unless permitted by The Personal Health Information Act (PHIA). If you have any questions about the collection of your personal health information, contact the Access & Privacy Office (tel. 204-474-9462), 233 Elizabeth Dafoe Library, University of Manitoba, Winnipeg, MB, R3T 2N2.

  • Use and Disclosure of PHI


  • Use and Disclosure of PHI

    USE means revealing Personal Health Information to someone within the Trustee’s organization (i.e. the University).

    Example: Sending a requisition that contains a patient’s name and PHIN to the X-ray technician within the hospital in order to take X-rays of a patient.

    DISCLOSURE means revealing Personal Health Information to someone outside the Trustee’s organization.

    Example: Disclosing a patient’s name, contact information, and PHIN to outside insurance companies.

  • Use and Disclosure of PHI

    You cannot use or disclose Personal Health Information:

    • In the presence of those that are NOT entitled to the information; or

    • In public places, such as elevators, lobbies, cafeterias, off premises, etc.

  • Use and Disclosure of PHI

    You may use or disclose Personal Health Information ONLY if you:

    • need to know this information to do your job;
    • have consent from the individual the PHI is about;
    • are a person permitted to exercise the rights of another individual (e.g., you are the child of an elderly person); or
    • are authorized by PHIA, ss. 21, 22, or by other legislation.

    Always remember to apply the “minimum amount, need to know” rule.

  • Use and Disclosure of PHI

    When is consent required?

    If the proposed use or disclosure of Personal Health Information is not outlined in Sections 21, 22 and 23 of PHIA, consent is required. When consent is required, it must:

    a) Relate to the purpose for which the information is used or disclosed;

    b) Be knowledgeable;

    c) Be voluntary; and

    d) Not be obtained through misrepresentation.

    http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php#21

  • Use and Disclosure of PHI

    Knowledgeable Consent

    Consent is knowledgeable if the individual who gives it has been provided with the information that a reasonable person in the same circumstances would need in order to make a decision about the use or disclosure of the information.

    Consent With Conditions

    An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies.

  • Use and Disclosure of PHI

    Express or Implied Consent

    Consent can be express or implied. Express Consent is clearly and unmistakably stated. Implied Consent is judged by conduct, rather than stated.

    When Express Consent is Required

    Consent must be express and not implied if:

    • The disclosure is to someone who is not a Trustee; or
    • The consent is to a Trustee, but not for the original purpose of providing health care.

  • Use and Disclosure of PHI

    Consent May Be Withdrawn

    An individual who has given consent, whether express or implied, to the use or disclosure of Personal Health Information may withdraw their consent by notifying the Trustee.

    A withdrawal does not have retroactive effect.

    Verbal Consent

    Express Consent need not be in writing. However, it is good practice to make a record of a consent that has been given verbally.

  • Use and Disclosure of PHI

    Disclosing PHI to Family and Friends

    If an individual is a patient or resident in a health care facility, the Trustee may provide information to family/friends about health care currently being provided:

    • If this is in keeping with good medical and professional practice, and

    • If the Trustee believes the individual would not object.

    Remember, limit the disclosure to the minimum amount about the care currently being provided.

  • Use and Disclosure of PHI

    Disclosing General Information

    Trustees may provide general health information to any person, unless the patient/client specifies otherwise. This information is limited to:

    • The individual’s name
    • General health status
    • Location within the facility, unless this would reveal specific information about the health of that person

  • Quick Review

    • A person has a right to request a copy of his/her PHI from the holding trustee.

    • Individuals need to be notified about how their PHI will be used and disclosed.

    • Access to PHI should be limited to those who need to know to do their jobs.

    • The use or disclosure of PHI is limited to only those who need to know the information to do their job.

  • Quick Review

    • Consent is required to use or disclose PHI unless authorized under Sections 21, 22 and 23 of PHIA.

    • Consent may be express or implied, verbal or written, and may contain conditions.

    • Disclosing PHI to family and friends is permitted. It must be limited to care currently being provided, in keeping with good practice, and only if the individual would not object.

    • General information can be disclosed unless the individual objects.

    http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php#21

  • Security and Storage of PHI


  • Security and Storage of PHI

    Personal Health Information is to be properly secured and maintained to protect privacy and confidentiality.

    Personal Health Information is to be protected from accidental destruction, deterioration or loss by heat, cold, moisture, theft, or vandalism.

    This can be achieved by applying reasonable safeguards throughout the lifetime of a record containing Personal Information.

  • Security and Storage of PHI

    PHIA requires Trustees to:

    • Adopt reasonable safeguards: administrative, technical, physical and electronic;

    • Protect the security, confidentiality, accuracy, and integrity of the Personal Health Information; and

    • Apply reasonable security throughout the lifetime of a record containing Personal Health Information.

  • Security and Storage of PHI

    Protecting the integrity of Personal Information means the preservation of its content. This would provide confidence that the information has not been tampered with or modified other than as authorized.

    Preservation of content is maintained by protecting and securing the Personal Information throughout collection, access/retrieval, use, disclosure/transfer, and storage.

  • Security and Storage of PI

    The University of Manitoba is obligated to protect Personal Health Information by adopting reasonable administrative, technical, physical and electronic safeguards that ensure the confidentiality, security, accuracy and integrity of the information.

    In determining the reasonableness of the safeguards to be adopted, the University should take into account the degree of sensitivity of the Personal Health Information to be protected.

  • Security and Storage of PHI

    Administrative Safeguards:

    • Policies and Procedures; Guidelines and Resources
    • PHIA training and signing of the Pledge of Confidentiality
    • Proper management of swipe cards or key access
    • Secure print codes at printers/fax machines

    http://umanitoba.ca/access_and_privacy/governance.html
    http://umanitoba.ca/access_and_privacy/resources.html

  • Security and Storage of PHI

    Technical Safeguards:

    • Role-based profiles on new or existing information management systems

    • Base profiles on the individual’s role, which determines the level of access required

    • Multiple levels of authentication for high degree of sensitive information

  • Security and Storage of PHI

    Physical Safeguards:

    • Arrange office furniture to limit the ability of others to access your files
    • Locks on doors and filing cabinets
    • Clean off your desk at the end of the day (implement a Clean Desk Policy as an Administrative Safeguard)

  • Security and Storage of PHI

    Electronic Safeguards:

    • Encryption of files for transmission or transport
    • Passwords on all devices
    • Up-to-date anti-virus software
    • Firewalls

  • Security and Storage of PHI

    Additional Safeguards for Electronic Information:

    All Trustees must create and maintain a record of user activity for any electronic information system that is used to maintain PHI.

    This applies to all PHI, including research information, unless:

    • the information is demographic,
    • it is used or disclosed for statistical purposes, or
    • it is disclosed under PHIA 22(2)(h) as part of an approved transfer to a health information network.
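The role-based profiles, the “minimum amount, need to know” check and the record of user activity described in the slides above, as an added Python example; it is not part of the University’s training material or any University system, and the roles, users, record ids and the “care team” relationship used for the need-to-know check are constructed for illustration:

```python
"""Constructed example: a small PHI access gateway that applies role-based
profiles, a need-to-know check, and writes the record of user activity that
PHIA requires for electronic systems holding PHI. Not University code."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role-based profiles: the PHI fields each role may view (constructed roles).
ROLE_PROFILES = {
    "clinician": {"name", "phin", "history", "notes"},
    "billing": {"name", "phin", "invoices"},
    "receptionist": {"name", "appointments"},
}


@dataclass
class ActivityEntry:
    """One line of the user-activity record: who, in what role, touched which
    record and fields, whether access was granted, and the stated purpose."""
    when: datetime
    user: str
    role: str
    record_id: str
    fields: tuple
    outcome: str  # "granted" or "denied"
    purpose: str  # free-text reason supplied by the user

    def to_line(self) -> str:
        return (f"{self.when.isoformat()} user={self.user} role={self.role} "
                f"record={self.record_id} fields={','.join(self.fields)} "
                f"outcome={self.outcome} purpose={self.purpose!r}")


@dataclass
class PhiSystem:
    # record_id -> users with an active care or work relationship (constructed).
    care_team: dict
    log: list = field(default_factory=list)

    def access(self, user, role, record_id, fields, purpose):
        """Return the requested fields only if the role profile allows every one
        of them AND the user has a relationship to the record (need to know).
        Every attempt, granted or denied, is appended to the activity record."""
        requested = tuple(sorted(set(fields)))
        allowed = ROLE_PROFILES.get(role, set())
        on_team = user in self.care_team.get(record_id, set())
        granted = on_team and set(requested) <= allowed
        self.log.append(ActivityEntry(datetime.now(timezone.utc), user, role,
                                      record_id, requested,
                                      "granted" if granted else "denied", purpose))
        return list(requested) if granted else []


def denials_by_user(log):
    """Count denied attempts per user; repeated denials are a snooping signal
    a privacy office would want to review."""
    return Counter(e.user for e in log if e.outcome == "denied")


def records_per_user(log):
    """Distinct records each user actually viewed, for volume-based review."""
    seen = {}
    for e in log:
        if e.outcome == "granted":
            seen.setdefault(e.user, set()).add(e.record_id)
    return {u: len(r) for u, r in seen.items()}


def demo():
    """Constructed scenario: one clinician, one billing clerk, one receptionist."""
    system = PhiSystem(care_team={"R-1001": {"dr.lee"},
                                  "R-1002": {"dr.lee", "acct.kim"}})
    system.access("dr.lee", "clinician", "R-1001", ["name", "notes"], "treatment")
    system.access("acct.kim", "billing", "R-1002", ["name", "invoices"], "invoice")
    # Billing profile does not include clinical notes: denied, but still logged.
    system.access("acct.kim", "billing", "R-1002", ["notes"], "curious")
    # Receptionist has no relationship to either record: denied, logged.
    system.access("front.ray", "receptionist", "R-1001", ["name"], "friend asked")
    system.access("front.ray", "receptionist", "R-1002", ["name"], "friend asked")
    return system


if __name__ == "__main__":
    s = demo()
    for entry in s.log:
        print(entry.to_line())
    print("denials:", dict(denials_by_user(s.log)))
```

The denied attempts are recorded alongside the granted ones, which is what makes the activity record useful for investigating the “snooping” the earlier slide describes.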

  • Security and Storage of PHI

    Laptops and Removable Storage

    Personal Health Information should not be carried on electronic portable devices unless it is for an authorized purpose.

    If the movement of Personal Health Information from the premises of the Trustee is absolutely necessary, and authorized, appropriate safeguards, such as encryption and passwords, must be put in place to ensure that the information is protected.

    Refer to the University’s “Travelling with Records Guidelines”.

    http://umanitoba.ca/admin/vp_admin/ofp/fippa/media/Travelling_With_Records.pdf

  • Security and Storage of PHI

    Confidentiality

    Maintaining the confidentiality of the information in your custody or control is another way to safeguard Personal Health Information.

    In your life you play several roles, such as family member, friend, relative, student, researcher, or employee. As a person associated with the University of Manitoba, you may learn confidential information about people you know.

    You cannot share the information you learn at the UM with people not entitled to know the information in other parts of your life.

  • Disposal of Personal Health Information


  • Disposal of Personal Health Information

    A Trustee must ensure that Personal Health Information is destroyed by methods that protect the privacy of the individual the information is about.

    Records in all University departments should be destroyed according to a destruction schedule using a Requisition to Destroy Records (RDR) form. This form serves as a destruction log for all records that contain Personal Health Information.

    http://umanitoba.ca/access_and_privacy/rm/RDR.html

  • Disposal of Personal Health Information

    Once the RDR has been approved, confidential records may be destroyed using a secure method. The best and most secure way for destroying confidential records is shredding.

    The records can either be shredded using the University’s preferred supplier, or using an in-office shredder. Both of these options comply with the standards for the secure destruction of confidential records.

  • Disposal of Personal Health Information


    The University of Manitoba’s preferred shredding supplier is Shred-It, which provides bulk pick-up service for large quantities of materials, or a secure console that is serviced as required.

    Certificates of Destruction are provided by Shred-It for both services.

    Refer to our Document Disposal website for more information.

    http://umanitoba.ca/admin/vp_admin/ofp/fippa/rm/disposal.html

  • Disposal of Personal Health Information


    Small amounts can be destroyed using an in-office shredder. When the in-office shredder is full, seal the shredded material in a clear plastic bag and deposit the bag in one of the large blue recycling bins placed in or near your department.

    The bins are collected by Physical Plant and the shredding is sent off-site to be recycled.

  • Disposal of Personal Health Information


    Electronically held Personal Health Information should be destroyed by deleting the files from the network drive. Personal Health Information should not be stored on the computer’s hard drive.

    IST will assist any office requiring destruction of electronic records, or with the confidential destruction of hard drives, including the hard drives from multi-purpose printer/fax/scanner units.

  • Quick Review


    • It is everyone’s responsibility to ensure reasonable safeguards are in place to protect Personal Health Information.

    • Laptops are particularly vulnerable to burglary and theft. Personal Health Information contained on a laptop must be encrypted and the laptop must be password protected.

    • Part of protecting Personal Health Information is making sure that records are not accessed, altered or destroyed without authorization.

    • Remember the four main types of safeguards: Administrative, Technical, Physical, and Electronic.

  • Quick Review


    • Records in all University departments should be destroyed according to a destruction schedule.

    • Before destruction occurs, a Requisition to Destroy Records (RDR) should be submitted and approved.

    • Shredding is the best and most secure method of destruction.

    • For help with the destruction of electronic records and hard drives, contact IST.

  • Research at the University


  • Research at the University


    Research involving humans requires Research Ethics Board (REB) approval, including:

    • Research that involves clinical trials and other biomedical interventions; and

    • Research that uses Personal Health Information (PHI).

    If the Personal Health Information is maintained by the government or a government agency, review and approval must come from the Health Information Privacy Committee (HIPC).

  • Research at the University


    If the research is conducted in connection with the University of Manitoba, review and approval must come from one of the five Research Ethics Boards:

    • Psychology/Sociology REB

    • Education/Nursing REB

    • Joint-Faculty REB

    • Biomedical Research Ethics Board (BREB)

    • Health Research Ethics Board (HREB)

  • Research at the University


    At the Bannatyne Campus, most research is reviewed and approved by the BREB or the HREB.

    The BREB reviews all research ethics protocols involving clinical trials and other biomedical research interventions.

    The HREB reviews research involving the behavioral sciences, surveys, examinations of medical records and protocols of generally lesser risk.

  • Research at the University


    At the Fort Garry Campus, three boards review and approve research:

    Education/Nursing REB: Faculties of Education, Kinesiology and Recreation Management, Extended Education, Engineering, and the College of Nursing

    Psychology/Sociology REB: Faculty of Social Work, Departments of Sociology, Psychology, and Counseling Services

    Joint-Faculty REB: Remaining Faculties and Departments

  • Research at the University


    Researchers using information/data held by Manitoba Centre for Health Policy (MCHP) must fulfill several reviews and approvals:

    • Health Information Privacy Committee (HIPC);

    • HREB approval from the UM. An HREB from another institution will be considered if it is accompanied by a letter indicating that the review is accepted by that institution;

    • MCHP internal review.

    Depending on the data source, other approvals may be required. A full explanation is found on the U of M website:

    Manitoba Centre for Health Policy (MCHP) Applying for Access

    http://umanitoba.ca/faculties/medicine/units/community_health_sciences/departmental_units/mchp/resources/access.html

  • Research at the University


    Disclosures of PHI for Health Research

    A Trustee may disclose Personal Health Information to a person conducting health research if the requirements outlined in Section 24 of PHIA are met.

    • Outlines who can approve disclosure of PHI for health research;

    • Establishes conditions for approval;

    • Details required agreements for disclosure of PHI; and

    • Sets limits on disclosure of PHI for health research.

    See The Personal Health Information Act, Section 24 for details.

    http://web2.gov.mb.ca/laws/statutes/ccsm/p033-5e.php

  • Research at the University


    Researchers collect, access, use, and share information about research participants during the course of research.

    The Tri-Council Policy Statement defines five classes of information to be aware of:

    a) Identifying

    b) Identifiable

    c) De-identified/coded

    d) Anonymized

    e) Anonymous

  • Research at the University


    a) Identifying information: The information identifies an individual through direct identifiers (e.g., name, address, social insurance number, or personal health identification number).

    b) Identifiable information: The information could be used to re-identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence, or unique personal characteristic) using reasonably foreseeable means.

  • Research at the University


    c) De-identified/coded information: Identifiers are removed and replaced with a code. Depending on access to the code, it may be possible to re-identify specific individuals (e.g., individuals are assigned a code name and the principal investigator retains a list that links the code name with the individual’s actual name so data can be re-linked if necessary). Researchers who have access to the code and the data have identifiable information.

  • Research at the University


    d) Anonymized information: Information is irrevocably stripped of identifiers, and a code is not kept to allow future re-linkage.

    e) Anonymous information: Information never had identifiers associated with it (e.g., anonymous surveys).
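    The five classes above, worked through on constructed records. This is an added example, not part of the University’s training material or the Tri-Council Policy Statement; the field names, the sample records, the random-code scheme and the rule that coarsens date of birth to year and postal code to forward sortation area are assumptions made for illustration.

```python
"""Added example: the TCPS information classes applied to constructed records.

Nothing here is the University's or the TCPS's code; the field names, the
sample records and the generalisation rules are assumptions for illustration.
"""
import secrets

# Direct identifiers (class a) and indirect identifiers (class b) named on
# the slides, mapped to constructed field names.
DIRECT_IDENTIFIERS = {"name", "address", "sin", "phin"}
INDIRECT_IDENTIFIERS = {"date_of_birth", "postal_code"}

# Constructed sample data: not real people, not a real study.
IDENTIFYING_RECORDS = [
    {"name": "Alice Example", "address": "1 Sample St, Winnipeg",
     "phin": "000000001", "date_of_birth": "1980-03-14",
     "postal_code": "R3T 2N2", "hba1c": 6.1},
    {"name": "Bob Sample", "address": "2 Sample St, Winnipeg",
     "phin": "000000002", "date_of_birth": "1975-11-02",
     "postal_code": "R3T 2N2", "hba1c": 7.4},
]


def pseudonymize(records):
    """Class c: strip direct identifiers and replace them with a random code.

    Returns the coded records and the linkage table (code -> identifiers)
    that the principal investigator would hold separately from the data.
    """
    coded, linkage = [], {}
    for rec in records:
        code = "P" + secrets.token_hex(4)  # unpredictable, unlike a row number
        linkage[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        coded.append({"code": code,
                      **{k: v for k, v in rec.items()
                         if k not in DIRECT_IDENTIFIERS}})
    return coded, linkage


def relink(coded_record, linkage):
    """Re-identification: only possible for whoever holds the linkage table."""
    return {**linkage[coded_record["code"]], **coded_record}


def anonymize(coded_records):
    """Class d: drop the code (no future re-linkage) and coarsen the indirect
    identifiers so a combination of them no longer singles anyone out.
    Year-only and forward-sortation-area generalisation is an assumed rule."""
    out = []
    for rec in coded_records:
        r = {k: v for k, v in rec.items() if k != "code"}
        if "date_of_birth" in r:
            r["birth_year"] = r.pop("date_of_birth")[:4]
        if "postal_code" in r:
            r["fsa"] = r.pop("postal_code")[:3]
        out.append(r)
    return out


def classify(record, holds_linkage_table):
    """Assign one of the TCPS classes a to d to a record.

    Class e (anonymous) cannot be read off the data: it is a property of
    how the data were collected, so a caller must know that from provenance.
    """
    fields = set(record)
    if fields & DIRECT_IDENTIFIERS:
        return "identifying"
    if "code" in fields:
        # Per the slides: researchers holding both the code list and the
        # data have identifiable information; without the key it is coded.
        return "identifiable" if holds_linkage_table else "de-identified/coded"
    if fields & INDIRECT_IDENTIFIERS:
        return "identifiable"  # re-identification by reasonably foreseeable means
    return "anonymized"


if __name__ == "__main__":
    coded, linkage = pseudonymize(IDENTIFYING_RECORDS)
    anon = anonymize(coded)
    print(classify(IDENTIFYING_RECORDS[0], False))  # identifying
    print(classify(coded[0], True))                  # identifiable (holds the key)
    print(classify(coded[0], False))                 # de-identified/coded
    print(classify(anon[0], False))                  # anonymized
    print(relink(coded[0], linkage)["name"])         # Alice Example
```

    The same coded file is classified two ways depending on who is asking, which is why the slides treat the code list itself as something to be kept apart from the data.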

  • Research at the University


    Retention of Research Records

    • Researchers must outline policies and procedures to destroy or remove identifying information as soon as possible.

    • Researchers must identify intended retention periods in the REB submission for all data.

    • Researchers may be asked to justify the rationale for a certain period of retention in the application.

  • Quick Review


    • All research involving humans requires REB or HIPC approval.

    • Disclosure of Personal Health Information for health research is governed by Section 24 of PHIA.

    • Different classes of Personal Health Information (identifiable, de-identified, anonymized, anonymous) require different levels of security protection.

  • Breach of Privacy


  • Breach of Privacy


    A Breach of Privacy occurs when Personal Health Information is collected, accessed, used, disclosed, transported, transmitted, transferred or destroyed other than as authorized, or when the accuracy, confidentiality or integrity of the information is compromised.

    Examples may include, but are not limited to, the viewing of confidential information by unauthorized individuals, the access, theft or loss of University Records and the unauthorized destruction of such information.

  • Breach of Privacy


    Snooping is an example of a breach of privacy.

    Snooping occurs when an individual willfully uses, discloses, gains access to or attempts to gain access to another person’s Personal Information and/or Personal Health Information.

  • Breach of Privacy


    Snooping is an example of a breach of privacy.

    Under The Personal Health Information Act, snooping is a fineable offence. Any individual who willfully uses, discloses, gains access to or attempts to gain access to another person’s Personal Health Information is guilty of an offence, and can be fined.

    Some recent examples of snooping from across Canada…


  • Breach of Privacy


    A Breach of Privacy occurs when:

    • PHI is accessed by someone not entitled to that information, including snooping.

    • PHI is shared (used or disclosed) with those not entitled to that information.

    • PHI is removed from the University without authorization.

    • The integrity of a record is compromised.

    • More PHI is collected than is required to do the job.

    • PHI is not appropriately safeguarded.

  • Breach of Privacy


    A Breach of Privacy can result in the following for the individuals impacted by the breach:

    • Identity theft

    • Financial losses

    • Damage to reputation

    • Exposure to personal danger

    • Personal embarrassment

  • Breach of Privacy


    A Breach of Privacy can result in the following for the Trustee where the breach occurred:

    • Severely challenging institutional resources

    • Notification of individuals affected by the breach

    • Implementation of new systems to mitigate the risk of it happening again

    • Auditing processes

    • Changes in policy and procedures

    • Internal and/or external investigations

  • Breach of Privacy


    What can the University do to lower its risk of a Breach of Privacy?

    • Privacy Training and Awareness
      http://umanitoba.ca/access_and_privacy/privacy_training.html

    • Policies and Procedures
      http://umanitoba.ca/access_and_privacy/governance.html

    • Privacy Impact Assessments
      http://umanitoba.ca/access_and_privacy/impact_assessment.html

    • Records Management Program
      http://umanitoba.ca/access_and_privacy/rm/

    • Service-Oriented Assistance
      http://umanitoba.ca/access_and_privacy/about.html

  • Breach of Privacy


    If you know or suspect a Breach of Privacy has occurred, immediately notify:

    • The head of your UM office or department

    • The dean or director of your unit

    • The Access and Privacy Office

  • Breach of Privacy


    The Access and Privacy Office, in consultation with others, will decide whether an investigation is necessary.

    If the decision is “yes,” the Access and Privacy Office will:

    • inquire into the incident/allegation

    • consult with appropriate persons to determine whether a breach has occurred

    • document findings

    • recommend disciplinary action, if applicable

  • PHIA Quiz


  • PHIA Quiz


    True or False? In order to maintain the privacy and confidentiality of the Personal Health Information held in electronic systems, access to the electronic systems by UM employees must be limited to only those who need access in order to do their jobs. However, once they have access to the electronic system, they are permitted to view all records and information within that system.

    • True

    • False

  • PHIA Quiz


    True or False? In order to maintain the privacy and confidentiality of the Personal Health Information held in electronic systems, access to the electronic systems by UM employees must be limited to only those who need access in order to do their jobs. However, once they have access to the electronic system, they are permitted to view all records and information within that system.

    • True

    • False – You are only permitted to view the records and information within the system that you require for your job. Remember the “minimum amount, need to know” rule.

  • PHIA Quiz


    True or False? A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual of the purpose for which the information is being collected, and how to contact an employee of the Trustee who can answer the individual’s questions about collection.

    • True

    • False

  • PHIA Quiz


    True or False? A Trustee who collects Personal Health Information directly from the individual the information is about must take reasonable steps to inform the individual of the purpose for which the information is being collected, and how to contact an employee of the Trustee who can answer the individual’s questions about collection.

    • True

    • False

  • PHIA Quiz


    Which of the following statements are true about consent?

    • An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies.

    • An individual who has given consent to the use or disclosure of personal health information may withdraw their consent by notifying the trustee.

    • A withdrawal of consent does not have to be retroactive.

    • Express consent does not need to be in writing.

    • All of the above.

  • PHIA Quiz


    Which of the following statements are true about consent?

    • An individual may give consent subject to conditions, such as limiting which information can be used or disclosed, or setting a time frame in which the consent applies.

    • An individual who has given consent to the use or disclosure of personal health information may withdraw their consent by notifying the trustee.

    • A withdrawal of consent does not have to be retroactive.

    • Express consent does not need to be in writing.

    • All of the above.

  • PHIA Quiz


    A co-worker needs some information quickly and tells you they can’t remember their password to get into a clinical database. The co-worker asks if you could do them a favor and just log into the system and they will take over and get the information they need. What should you do?

    • Give the co-worker your password. She is in a hurry and needs the information quickly to do her job. What’s the big deal?!

    • Log into the database and let the co-worker access the information she needs.

    • Don’t share your password

  • PHIA Quiz


    A co-worker needs some information quickly and tells you they can’t remember their password to get into a clinical database. The co-worker asks if you could do them a favor and just log into the system and they will take over and get the information they need. What should you do?

    • Give the co-worker your password. She is in a hurry and needs the information quickly to do her job. What’s the big deal?!

    • Log into the database and let the co-worker access the information she needs.

    • Don’t share your password. Passwords are a safeguard that only work if they are kept confidential.

  • PHIA Quiz


    What type of disciplinary action may be taken if it is confirmed that you used or disclosed Personal Health Information in violation of PHIA?

    • A verbal or written warning

    • Suspension

    • Termination of employment, contract, association or appointment with the University of Manitoba

    • A report to the appropriate professional regulatory body

    • Any of the above

  • PHIA Quiz


    What type of disciplinary action may be taken if it is confirmed that you used or disclosed Personal Health Information in violation of PHIA?

    • A verbal or written warning

    • Suspension

    • Termination of employment, contract, association or appointment with the University of Manitoba

    • A report to the appropriate professional regulatory body

    • Any of the above

  • PHIA Quiz


    You are involved in the care of a high profile person. Your involvement in this person’s care has been documented by media reports, so it has become public knowledge. Your friends and family keep asking questions about the person. Your involvement is already public knowledge, so you tell them what you know so far. Is this a breach of privacy?

    • Yes

    • No

  • PHIA Quiz


    You are involved in the care of a high profile person. Your involvement in this person’s care has been documented by media reports, so it has become public knowledge. Your friends and family keep asking questions about the person. Your involvement is already public knowledge, so you tell them what you know so far. Is this a breach of privacy?

    • Yes – Disclosing information about an individual with those who have no business or health-care related purpose for knowing the information is a breach of privacy.

    • No

  • PHIA Quiz


    You are training a new employee on the electronic health record system your clinic uses and want to show the new employee an example of what a completed record looks like. You are also a patient at the clinic, so you use your record as a training tool. Is this a breach?

    • Yes

    • No

  • PHIA Quiz


    You are training a new employee on the electronic health record system your clinic uses and want to show the new employee an example of what a completed record looks like. You are also a patient at the clinic, so you use your record as a training tool. Is this a breach?

    • Yes – Even though it is your record, your role as a patient is different from your role as an employee. You should only access records you require for your job.

    • No

  • PHIA Quiz


    You are organizing a curling team to compete with other teams in your community. You want a “ringer”. You recall a former student who mentioned she was quite good at the sport but had not played for some time and was eager to start again. You access her student record to get her telephone number. You make sure to ignore all other information. Is this a breach of privacy?

    • No, because telephone numbers are public information. You simply accessed it in a different way.

    • Yes, because the phone number was collected for educational purposes.

  • PHIA Quiz


    You are organizing a curling team to compete with other teams in your community. You want a “ringer”. You recall a former student who mentioned she was quite good at the sport but had not played for some time and was eager to start again. You access her student record to get her telephone number. You make sure to ignore all other information. Is this a breach of privacy?

    • No, because telephone numbers are public information. You simply accessed it in a different way.

    • Yes, because the phone number was collected for educational purposes. Using the information for a use that is not consistent with the original purpose it was collected for is a breach.

  • PHIA Quiz


    You notice student counselling records sticking out of a garbage can, which include the students’ names, student numbers, PHINs and contact information. Is discarding these papers in this manner a violation of PHIA?

    • Yes

    • No

  • PHIA Quiz


    You notice student counselling records sticking out of a garbage can, which include the students’ names, student numbers, PHINs and contact information. Is discarding these papers in this manner a violation of PHIA?

    • Yes. Confidential records must be destroyed appropriately (shredding).

    • No

  • PHIA Quiz


    You are leaving work after a long day. Just as you get to the parking lot you notice a USB drive lying on the ground. What should you do?

    • Do nothing and leave it there.

    • Pick it up and take it home for your own personal use.

    • Take it to the Access and Privacy Office.

    • Take it to the nearest lost and found.

  • PHIA Quiz


    You are leaving work after a long day. Just as you get to the parking lot you notice a USB drive lying on the ground. What should you do?

    • Do nothing and leave it there.

    • Pick it up and take it home for your own personal use.

    • Take it to the Access and Privacy Office.

    • Take it to the nearest lost and found.

  • PHIA Quiz


    You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their email address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual’s privacy?

    • Yes

    • No

  • PHIA Quiz


    You meet an individual through your involvement in a research project. You feel that there is a connection and would like to contact them about meeting up for coffee. You were too shy to ask them in person, so you look up their contact information in the electronic system you are using for research and copy down their email address. When you are at home, you send them an email using your Yahoo account (not your work account) to see if they are interested in meeting. Is this a violation of that individual’s privacy?

    • Yes – You have access to that information only for the purpose for which it was collected, for research, not for any other use.

    • No


  • Pledge of Confidentiality


    At the University, a Personal Health Information Pledge of Confidentiality (“Confidentiality Pledge”) is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices, and as a condition of research involving humans.

    The requirement extends to student employees and researchers.

  • Pledge of Confidentiality


    1. All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all Personal Information and Personal Health Information that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University.

    2. Personal Information and Personal Health Information shall be protected during its collection, access, use, retention, storage and destruction.

  • Pledge of Confidentiality


    3. You may only use or disclose Personal Information and/or Personal Health Information in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) on a need-to-know basis.

    4. Discussion regarding Personal Information and/or Personal Health Information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).

  • Pledge of Confidentiality


    5. Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment, contract, association, or appointment with the University of Manitoba.

    6. A confirmed breach of confidentiality may result in disciplinary action and be reported to the individual’s professional body.

  • Pledge of Confidentiality


    7. All individuals who become aware of a possible breach of the security or confidentiality of Personal Information and/or Personal Health Information shall follow the procedures outlined under “Breach of Privacy.”

  • Pledge of Confidentiality


    To obtain your University of Manitoba Personal Health Information Pledge of Confidentiality declaration form, click here.

    Submit your completed form by saving it to your computer and sending it as an attachment to [email protected].

    http://umanitoba.ca/access_and_privacy/pledge.html

  • Pledge of Confidentiality


    Please note, it is best to view and complete the declaration form using Adobe Acrobat products. Click here to access free downloads of Adobe Reader for a variety of computer systems.

    If you have any questions about the declaration form, please contact our office at [email protected].

    https://get.adobe.com/reader/otherversions/

  • Thank you!


    If you have questions about the training presentation, please contact the Access and Privacy Office at:

    E-mail: [email protected]

    All images are used with permission from Microsoft unless otherwise noted.

