One university. Many futures.
The University of Manitoba
FIPPA and PHIA at University of Manitoba
Access & Privacy Coordinator’s Office
Access & Privacy Office
Access & Privacy Coordinator’s Office, 233 Elizabeth Dafoe Library, University of Manitoba, Winnipeg, MB R3T 2N2
E-mail: [email protected] Fax: 474-9308
Objectives
To provide a basic understanding of FIPPA and PHIA
To identify roles and responsibilities under FIPPA and PHIA
To give you information to enable you to sign the PHIA Pledge of Confidentiality.
FIPPA/PHIA Training Program
The FIPPA/PHIA Training Program consists of:
a) reading the UM Policies and Procedures
b) reviewing this training presentation
c) signing the PHIA Pledge of Confidentiality.
Policies and Procedures
The University has Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution.
The Policies and Procedures are available at the University/Access & privacy office website.
Key in “PHIA” for information about PHIA.
Key in “FIPPA” for information about FIPPA.
Overview
• What are FIPPA and PHIA?
• Key Definitions
• Access to Information
• Protection of Privacy and Confidentiality
• Collection, Use, Disclosure, Storage and Disposal
• Breaches of Confidentiality
• Pledge of Confidentiality
The Freedom of Information and Protection of Privacy Act (FIPPA)
FIPPA is a provincial statute that:
• provides an individual with the legal right to access the information of a public body*
• and requires public bodies to protect personal information held in their records.
* Subject to certain exceptions
The Personal Health Information Act (PHIA)
Is a Manitoba law that protects the privacy of all personal health information (“PHI”) that can identify an individual.
A government Act is a law or rule that must be obeyed
The Personal Health Information Act (PHIA)
The purposes of PHIA are:
• to provide the right to examine or receive a copy of PHI
• to provide the right to request corrections to your own PHI
• to establish rules for collection, use and disclosure of PHI
• to control the collection, use and disclosure of PHIN
• to provide for an independent review of the actions of a trustee.
Principles of Privacy Legislation
These principles summarize the requirements of FIPPA and PHIA:
1. Controlled Collection of Personal Information
2. Limited Use of Personal Information
3. Limited Disclosure of Personal Information
4. Information Management - retention, security, disposal
5. Ensured Individual Access to Personal Information
6. Openness
7. Accountability
8. Independent review – Manitoba Ombudsman/Adjudicator
Balancing Access and Privacy
[Figure labels: Access, Privacy]
FIPPA and PHIA at the University of Manitoba
The University of Manitoba is a local public body, which falls under both FIPPA and PHIA.
Under PHIA, the University is considered a Trustee of personal health information.
The University of Manitoba
The University of Manitoba has a duty to:
• help individuals gain access to information, particularly their own personal information; and
• protect the privacy of individuals in the collection, use, disclosure, storage and destruction of Personal Information and Personal Health Information.
Key Definitions
What is Personal Information?
Personal Information is:
Recorded information about an identifiable person including:
• name, home contact information
• age, sex, sexual orientation, marital or family status
• ancestry, race, colour, nationality, national or ethnic origin
• religion, creed, religious belief, association or activity
• blood type, fingerprints, hereditary characteristics
• political belief, association or activity
• education, employment or occupation, history of these three
• source of income, financial circumstances, activities or history
• criminal history, including regulatory offences
• individual’s own personal views, except if about another person
• views or opinions about the individual expressed by another person
• identifying number, symbol or other particular assigned to the individual
• personal health information
Key Definitions
What is Personal Health Information?
Personal Health Information (PHI) is:
Recorded information about an identifiable individual that relates to:
1. the individual’s health, or health care history, including genetic information about the individual;
2. the provision of health care to the individual, including a doctor’s note;
3. payment for health care provided to the individual, and includes bills, receipts, etc.;
4. the PHIN and any identifying number, symbol or particular assigned to an individual; and
5. any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.
Personal Information does NOT include:
Anonymous or statistical information that does not permit individuals to be identified.
However, if two or more seemingly anonymous or statistical data items can be combined to readily identify an individual, the data may be considered personal information.
Access to Personal Information
Individuals have a right to:
• Review their personal information
• Request corrections be made where necessary
• Receive a copy upon request
*Some restrictions apply to these rights
COLLECTION of Personal Information
Collection of PHI
When collecting Personal Information:
• Individuals are to be NOTIFIED about the PURPOSE for which PI is collected.
• PI should be used only for the purpose for which it was originally collected.
• Public Bodies may only collect as much PI as is reasonably necessary to accomplish the purpose for which it is collected.
• Whenever possible, PI is to be collected directly from the individual concerned.
USE and DISCLOSURE of PI
Use and Disclosure of PI
USE means revealing PI to someone within the trustee’s organization.
DISCLOSURE means revealing PI to someone outside the trustee’s organization.
Use and Disclosure of PHI
You may use or disclose personal health information ONLY if:
• you need to know this information to do your job
• you are a person permitted to exercise the rights of another individual (e.g., you are the son or daughter of an elderly person)
• you are entitled by PHIA, ss. 21, 22, or by other legislation
• you have consent from the individual the PHI is about
Use and Disclosure of PI
You cannot use or disclose personal information:
• In the presence of those that are NOT entitled to the information; or
• In public places, such as elevators, lobbies, cafeterias, off premises, etc.
Be aware of surroundings. Personal Information, especially health information, is best discussed in a closed setting.
Quick Review
A person has a right to request a copy of his/her PI from the holding trustee/public body.
Individuals may request that a trustee make corrections to their PI.
Individuals need to be notified about how their PI will be used and disclosed.
Access to PI should be limited to those who need to know to do their jobs.
PROTECTION of Personal Information
SECURITY and STORAGE of PI
• Personal Information is to be properly secured and maintained to protect privacy and confidentiality.
• Personal Information is to be protected from accidental destruction or deterioration or loss by heat, cold, moisture, theft, or vandalism.
Protection of Privacy
General responsibilities of trustees:
o Limit on amount of Personal Information used or disclosed
o Limit access to those who NEED TO KNOW to carry out their responsibilities
• Restrictions on Use of PI
• Restrictions on Disclosure of PI
• Ensure Accuracy of PI
• Security safeguards on PI
Protecting and Safeguarding PI
Four main types of Safeguards:
1. Administrative – procedures, controlled distribution of keys, combinations, codes
2. Technical – locked doors, deadbolts and filing cabinets, limited access to office machines, e.g. fax
3. Physical – office arrangement, segregation of PI, clean desks, positioning of computer so passers-by cannot observe monitor
4. Electronic – passwords, encryption, anti-virus software, firewalls
Privacy and Confidentiality
Privacy and confidentiality must be protected during:
• collection – taking information from a patient, client, research participant or other; having an individual give information on a form
• access – gaining entrance to
• use – transferring the information within the trustee
• disclosure – transferring the information beyond the trustee
• storage – holding the information after its day-to-day use is ended
• destruction – destroying the information after the need for retention is ended
Disposal of PI
A trustee must ensure that Personal Information is destroyed by methods that protect the privacy of the individual the information is about.
Breach of Security
A Breach of Security occurs whenever personal information records (electronic or non-electronic) are improperly collected, used, disclosed, or destroyed, or when the integrity of the information is compromised.
Breach of Security Examples
A Breach of Security occurs when:
• PI is shared (used or disclosed) with those not entitled to that information.
• PI is removed from the custody of the trustee without authorization.
• PI is accessed by someone not entitled to that information.
• The integrity of a record is compromised.
Breach of Security
A breach of security can result in identity theft, financial and other losses, and exposure of an individual or individuals to personal danger.
Breaches at the University
If you know or suspect a Breach of Security has occurred, immediately notify:
• The head of your UM office, UM health unit, or health care agency.
• The head will notify the dean or director, the VP Administration, and the Access & Privacy Coordinator’s Office.
Breaches at the University
The VP Administration, in consultation with others, will decide whether an investigation is necessary;
If the decision is “yes,” the VP Administration will appoint an investigator who will:
- inquire into the allegation
- consult with appropriate persons
- document findings
- determine whether a breach has occurred
- recommend disciplinary action
Policies and Procedures
The University has FIPPA and PHIA Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution.
The University’s FIPPA and PHIA Policies and Procedures are available at:
http://umanitoba.ca/admin/vp_admin/fippa/
PHIA Policies and Procedures
1) All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all personal health information (verbal or recorded in any form) that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University.
PHIA Policies and Procedures
2) Personal health information shall be protected during its collection, access, use, retention, storage and destruction.
3) You may only use or disclose PHI in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) and based on the NEED TO KNOW.
PHIA Policies and Procedures
4) Discussion regarding personal health information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).
PHIA Policies and Procedures
5) Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment/contract/association/appointment.
6) A person convicted of an offence under The Personal Health Information Act may be required to pay a fine of up to $50,000.
PHIA Policies and Procedures
7) A confirmed breach of confidentiality may be reported to the individual’s professional body.
8) All individuals who become aware of a possible breach of the security or confidentiality of personal health information shall follow the procedures outlined under “Breach of Security.”
PHIA PLEDGE of CONFIDENTIALITY
At the University, a Personal Health Information Pledge of Confidentiality (“Confidentiality Pledge”) is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices, and as a condition of research involving humans. The requirement extends to student employees and researchers.
PLEDGE
A solemn promise to do or to refrain from doing something
Thank You!