The University of Manitoba

One university. Many futures. The University of Manitoba. FIPPA and PHIA at University of Manitoba. Access & Privacy Coordinator’s Office

Upload: wendi

Post on 13-Jan-2016


Page 1: The University of Manitoba

One university. Many futures.

The University of Manitoba

FIPPA and PHIA at University of Manitoba

Access & Privacy Coordinator’s Office

Page 2: The University of Manitoba


Access & Privacy Office

Access & Privacy Coordinator’s Office
233 Elizabeth Dafoe Library
University of Manitoba
Winnipeg, MB. R3T 2N2

E-mail: [email protected] Fax: 474-9308

Page 3: The University of Manitoba

Objectives

• To provide a basic understanding of FIPPA and PHIA

• To identify roles and responsibilities under FIPPA and PHIA

• To give you information to enable you to sign the PHIA Pledge of Confidentiality.

Page 4: The University of Manitoba


FIPPA/PHIA Training Program

The FIPPA/PHIA Training Program consists of:

a) reading the UM Policies and Procedures
b) reviewing this training presentation
c) signing the PHIA Pledge of Confidentiality.

Page 5: The University of Manitoba

Policies and Procedures


The University has Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution.

The Policies and Procedures are available at the University/Access & privacy office website.

Key in “PHIA” for information about PHIA.

Key in “FIPPA” for information about FIPPA.

Page 6: The University of Manitoba


Overview


• What are FIPPA and PHIA?

• Key Definitions

• Access to Information

• Protection of Privacy and Confidentiality

• Collection, Use, Disclosure, Storage and Disposal

• Breaches of Confidentiality

• Pledge of Confidentiality

Page 7: The University of Manitoba


The Freedom of Information and Protection of Privacy Act (FIPPA)

FIPPA is a provincial statute that:

• provides an individual with the legal right to access the information of a public body*

• and requires public bodies to protect personal information held in their records.

* Subject to certain exceptions

Page 8: The University of Manitoba

The Personal Health Information Act (PHIA)

Is a Manitoba law that protects the privacy of all personal health information (“PHI”) that can identify an individual.


A government Act is a law or rule that must be obeyed

Page 9: The University of Manitoba


The Personal Health Information Act (PHIA)

The purposes of PHIA are:

• to provide the right to examine or receive a copy of PHI

• to provide the right to request corrections to your own PHI

• to establish rules for collection, use and disclosure of PHI

• to control the collection, use and disclosure of PHIN

• to provide for an independent review of the actions of a trustee.

Page 10: The University of Manitoba

Principles of Privacy Legislation

These principles summarize the requirements of FIPPA and PHIA:

1. Controlled Collection of Personal Information
2. Limited Use of Personal Information
3. Limited Disclosure of Personal Information
4. Information Management - retention, security, disposal
5. Ensured Individual Access to Personal Information
6. Openness
7. Accountability
8. Independent review – Manitoba Ombudsman/Adjudicator

Page 11: The University of Manitoba

Balancing Access and Privacy


Access Privacy

Page 12: The University of Manitoba


FIPPA and PHIA at the University of Manitoba


The University of Manitoba is a local public body, which falls under both FIPPA and PHIA.

Under PHIA, the University is considered a Trustee of personal health information.

Page 13: The University of Manitoba


The University of Manitoba

The University of Manitoba has a duty to:

• help individuals gain access to information, particularly their own personal information; and

• protect the privacy of individuals in the collection, use, disclosure, storage and destruction of Personal Information and Personal Health Information.

Page 14: The University of Manitoba

Key Definitions

What is Personal Information?

Page 15: The University of Manitoba

Personal Information is:

Recorded information about an identifiable person including:

• name, home contact information
• age, sex, sexual orientation, marital or family status
• ancestry, race, colour, nationality, national or ethnic origin
• religion, creed, religious belief, association or activity
• blood type, fingerprints, hereditary characteristics
• political belief, association or activity
• education, employment or occupation, history of these three
• source of income, financial circumstances, activities or history
• criminal history, including regulatory offences
• individual’s own personal views, except if about another person
• views or opinions about the individual expressed by another person
• identifying number, symbol or other particular assigned to the individual
• personal health information

Page 16: The University of Manitoba

Key Definitions

What is Personal Health Information?

Page 17: The University of Manitoba

Personal Health Information (PHI) is:


Recorded information about an identifiable individual that relates to:

1. the individual’s health, or health care history, including genetic information about the individual;

2. the provision of health care to the individual, including a doctor’s note;

3. payment for health care provided to the individual, and includes bills, receipts, etc.;

4. the PHIN and any identifying number, symbol or particular assigned to an individual; and

5. any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

Page 18: The University of Manitoba


Personal Information does NOT include:

Anonymous or statistical information that does not permit individuals to be identified.

However, if two or more seemingly anonymous or statistical data items can be combined to readily identify an individual, the data may be considered personal information.

Page 19: The University of Manitoba

Access to Personal Information

Individuals have a right to:

• Review their personal information

• Request corrections be made where necessary

• Receive a copy upon request

*Some restrictions apply to these rights

Page 20: The University of Manitoba


COLLECTION of Personal Information

Page 21: The University of Manitoba

Collection of PHI

When collecting Personal Information:

• Individuals are to be NOTIFIED about the PURPOSE for which PI is collected.

• PI should be used only for the purpose for which it was originally collected.

• Public Bodies may only collect as much PI as is reasonably necessary to accomplish the purpose for which it is collected.

• Whenever possible, PI is to be collected directly from the individual concerned.

Page 22: The University of Manitoba

USE and DISCLOSURE of PI

Page 23: The University of Manitoba

Use and Disclosure of PI

USE means revealing PI to someone within the trustee’s organization.

DISCLOSURE means revealing PI to someone outside the trustee’s organization.

Page 24: The University of Manitoba

Use and Disclosure of PHI

You may use or disclose personal health information ONLY if:

• you need to know this information to do your job

• you are a person permitted to exercise the rights of another individual (e.g., you are the son or daughter of an elderly person)

• you are entitled by PHIA, ss. 21, 22, or by other legislation

• you have consent from the individual the PHI is about

Page 25: The University of Manitoba

Use and Disclosure of PI

You cannot use or disclose personal information:

• In the presence of those that are NOT entitled to the information; or

• In public places, such as elevators, lobbies, cafeterias, off premises, etc.

Be aware of surroundings. Personal Information, especially health information, is best discussed in a closed setting.

Page 26: The University of Manitoba

Quick Review


A person has a right to request a copy of his/her PI from the holding trustee/public body.

Individuals may request that a trustee make corrections to their PI.

Individuals need to be notified about how their PI will be used and disclosed.

Access to PI should be limited to those who need to know to do their jobs.

Page 27: The University of Manitoba


PROTECTION of Personal Information

Page 28: The University of Manitoba

SECURITY and STORAGE of PI

• Personal Information is to be properly secured and maintained to protect privacy and confidentiality.

• Personal Information is to be protected from accidental destruction or deterioration or loss by heat, cold, moisture, theft, or vandalism.

Page 29: The University of Manitoba

Protection of Privacy

General responsibilities of trustees:

o Limit on amount of Personal Information used or disclosed

o Limit access to those who NEED TO KNOW to carry out their responsibilities

• Restrictions on Use of PI
• Restrictions on Disclosure of PI
• Ensure Accuracy of PI
• Security safeguards on PI

Page 30: The University of Manitoba

Protecting and Safeguarding PI


Four main types of Safeguards:

1. Administrative – procedures, controlled distribution of keys, combinations, codes

2. Technical – locked doors, deadbolts and filing cabinets, limited access to office machines, e.g. fax

3. Physical – office arrangement, segregation of PI, clean desks, positioning of computer so passers-by cannot observe monitor

4. Electronic – passwords, encryption, anti-virus software, firewalls

Page 31: The University of Manitoba


Privacy and Confidentiality

Privacy and confidentiality must be protected during:

• collection – taking information from a patient, client, research participant or other; having an individual give information on a form
• access – gaining entrance to
• use – transferring the information within the trustee
• disclosure – transferring the information beyond the trustee
• storage – holding the information after its day-to-day use is ended
• destruction – destroying the information after the need for retention is ended

Page 32: The University of Manitoba

Disposal of PI

A trustee must ensure that Personal Information is destroyed by methods that protect the privacy of the individual the information is about.

Page 33: The University of Manitoba

Breach of Security

A Breach of Security occurs whenever personal information records (electronic or non-electronic) are improperly collected, used, disclosed, or destroyed, or when the integrity of the information is compromised.

Page 34: The University of Manitoba

Breach of Security Examples

A Breach of Security occurs when:

• PI is shared (used or disclosed) with those not entitled to that information.

• PI is removed from the custody of the trustee without authorization.

• PI is accessed by someone not entitled to that information.

• The integrity of a record is compromised.

Page 35: The University of Manitoba

Breach of Security


A breach of security can result in identity theft, financial and other losses, and exposure of an individual or individuals to personal danger.

Page 36: The University of Manitoba


Breaches at the University

If you know or suspect a Breach of Security has occurred, immediately notify:

• The head of your UM office, UM health unit, or health care agency.

• The head will notify the dean or director, the VP Administration, and the Access & Privacy Coordinator’s Office.

Page 37: The University of Manitoba

Breaches at the University

The VP Administration, in consultation with others, will decide whether an investigation is necessary. If the decision is “yes,” the VP Administration will appoint an investigator who will:

- inquire into the allegation
- consult with appropriate persons
- document findings
- determine whether a breach has occurred
- recommend disciplinary action

Page 38: The University of Manitoba

Policies and Procedures


The University has FIPPA and PHIA Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution.

The University’s FIPPA and PHIA Policies and Procedures are available at:

http://umanitoba.ca/admin/vp_admin/fippa/

Page 39: The University of Manitoba


PHIA Policies and Procedures

1) All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all personal health information (verbal or recorded in any form) that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University.

Page 40: The University of Manitoba

PHIA Policies and Procedures


2) Personal health information shall be protected during its collection, access, use, retention, storage and destruction.

3) You may only use or disclose PHI in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) and based on the NEED TO KNOW.

Page 41: The University of Manitoba


PHIA Policies and Procedures


4) Discussion regarding personal health information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).

Page 42: The University of Manitoba


PHIA Policies and Procedures

5) Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment/contract/association/appointment.

6) A person convicted of an offence under The Personal Health Information Act may be required to pay a fine of up to $50,000.

Page 43: The University of Manitoba

PHIA Policies and Procedures


7) A confirmed breach of confidentiality may be reported to the individual’s professional body.

8) All individuals who become aware of a possible breach of the security or confidentiality of personal health information shall follow the procedures outlined under “Breach of Security.”

Page 44: The University of Manitoba


PHIA PLEDGE of CONFIDENTIALITY

At the University, a Personal Health Information Pledge of Confidentiality (“Confidentiality Pledge”) is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices, and as a condition of research involving humans. The requirement extends to student employees and researchers.

Page 45: The University of Manitoba

PLEDGE


A solemn promise to do or to refrain from doing something

Page 46: The University of Manitoba


Thank You!