Governing Documents: University Community
PROCEDURES:
PHIA
Effective Date:
May 7, 2008
Revised Date:
   
Review Date:
May 7, 2018
Approving Body:
Administration
Authority:
FIPPA and PHIA Policy 
Implementation:
Vice-President (Administration) delegated to FIPPA Review Committee and Access and Privacy Coordinator 
Contact:
Access and Privacy Coordinator
Applies to:
  • Members of the Board of Governors
  • Department Councils
  • Members of the Senate
  • All Employees including all Faculty members
  • President, Vice-Presidents and all Support Staff, all members of Central Administration
  • External Parties - Contractors, Agents
  • Faculties, departments, divisions, programs, units, centres, services
  • Students
  • Student Councils
  • Faculty

**Amendments are being made to this document.  Please contact Karen Meelker in the FIPPA office (474 8339) before proceeding with any FIPPA and/or PHIA matters.**

TABLE OF CONTENTS

EXECUTIVE SUMMARY

1.0 REASON FOR PROCEDURES

2.0 PROCEDURE STATEMENT

2.1. Definitions
2.2. Access to Personal Health Information
2.3. Audit of Personal Health Information
2.4. Collection of Personal Health Information
2.5. Confidentiality of Personal Health Information
2.6. Correction of Personal Health Information
2.7. Disposal of Personal Health Information
2.8. Use of Personal Health Information
2.9. Disclosure of Personal Health Information
2.10. Disclosure to Police
2.11. Consent to Disclosure of Personal Health Information
2.12. Retention and Destruction of Personal Health Information
2.13. Security of Personal Health Information
2.14. Employees and Persons Associated with the University
2.15. Transmission of Personal Health Information via Facsimile
2.16. BREACH OF SECURITY of Personal Health Information

3.0 ACCOUNTABILITY

4.0 REVIEW

5.0 EFFECT ON PREVIOUS STATEMENTS

6.0 CROSS REFERENCES

EXECUTIVE SUMMARY
PROCEDURES
THE PERSONAL HEALTH INFORMATION ACT

Purpose
The purpose of the Executive Summary is to outline the legislative requirements that are addressed by the attached PHIA Procedures.

Background
Under provincial legislation, the University of Manitoba is subject to The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA). The latter relates to personal health information.

The University developed and approved the FIPPA and PHIA Policy in 2001. The new PHIA Procedures flow from the PHIA component of the Policy and they set out special guidelines for the management and protection of personal health records and information.

Personal health information is, in general, more sensitive than other personal information. Health records require a superior level of protection at all stages of their existence, from creation of the records to final disposition. The PHIA Procedures describe practices and precautions that assist individuals and the University as a whole to achieve and maintain protection of personal health records and information in accordance with the Act.

The attached detailed Procedures are meant to achieve the following legislative requirements:

  1. Use and disclosure of personal health information must be limited to the least amount that is necessary to accomplish an authorized purpose.
  2. Use and disclosure of personal health information must be limited to the fewest employees possible, that is, to only those who need it to accomplish an authorized purpose.

    These limitations are critical elements in the use and disclosure of personal health records and information. The two limitations are in effect at the same time and they are applied throughout the life cycle of personal health records. As described in PHIA, Part 3 (Protection of Privacy), the limitations are to be practised during collection, access, use, disclosure, retention, storage and security, final disposition (whether permanent retention or destruction), transportation, and transmission or transfer.

  3. Notification: Individuals must be notified of the reason or purpose for collection of their personal health information.

  4. Use and disclosure: Personal health information can only be used or disclosed for the purpose for which it was collected, or for a closely related purpose, or for certain other purposes set out in the Act, s.22(2).

  5. Consent: Use or disclosure for a different purpose can only be undertaken with consent from the individual that it is about, or from someone who is authorized to act on behalf of the individual.

  6. Security: Security must be maintained throughout the existence of the personal health records and information. The University is required to take reasonable administrative, technical, physical, and electronic measures to protect the privacy of individuals and the confidentiality of health information about them. Electronically-held health records and information require additional security safeguards.

  7. Administrative measures are critical to security, protection of privacy and maintenance of confidentiality. The University provides orientation and ongoing training for its employees and agents about the Policy and the Procedures. The Pledge of Confidentiality must be signed by University employees, agents, and students who work at, or undertake their practica at, any of the regional health authorities or agencies. In addition, the Pledge must be signed by those who work in designated University faculties and programs, and those who work in offices that hold and handle large volumes of personal health records and information. This list will be developed and maintained by the FIPPA Office.

  8. How to handle a breach of security: A breach of security occurs whenever health information records (electronic or non-electronic) are collected, accessed, used, disclosed or destroyed other than as authorized, or when the integrity of the information is compromised. The Procedures specify actions to be taken when there is a suspected or actual breach.

    The Procedures contain a Table of Contents that lists issues regarding personal health records and information. Employees and others can quickly and easily locate the section they need and be informed of steps to follow in any particular circumstance. Every employee and agent is responsible and accountable for carrying out the University PHIA Procedures.

1.0 REASON FOR PROCEDURES

1.1. These procedures (the "PHIA Procedures" or the "Procedures") are to be read in conjunction with The Personal Health Information Act (Manitoba) ("PHIA" or the "Act") and University of Manitoba Board of Governors’ Policy entitled "The FIPPA and PHIA Policy." The Procedures and Policy are intended to give effect to the provisions of the Act, and to provide a means by which the University is enabled to remain in compliance with the Act. The Procedures and Policy are in addition to PHIA and they do not supersede the Act or any parts of the Act. If any part or parts of the Procedures are found to be in conflict with the Act, the Act shall prevail.

1.2. The University of Manitoba is a public body and a Trustee of personal health information as defined in PHIA. As a Trustee, the University maintains personal health information in relation to its authorized programs and activities. Programs and activities include teaching, research, human resource services, financial services, information and technology services, programs and activities that promote the health of students, employees and other users, and health care services.

1.3. Health care services (the "services") are provided through units which, for the purposes of these procedures, will be known as University Health Care Units. The services are provided by health professionals who work in the health care units.


2.0 PROCEDURE STATEMENT

2.1. Definitions

2.1.1. Confidential Information is information that is proprietary to the University and/or to its employees and persons associated with the University, and that has not been authorized for release by the President or the President’s duly designated representatives. It falls into two general categories: corporate information, which may include personal information; and personal information, which includes personal health information.

a) Corporate Information means information in which the University has a proprietary interest and which the University uses to administer its mandate. Corporate information includes administrative, financial, legal, and historical information; and may include information related to employees and persons associated with the University, students, and other individuals or organizations that have a relationship with the University. Examples of corporate information include financial information held and used by Financial Services and other offices, human resources information held and used by Human Resource Services and other offices, legal information held and used by Legal Counsel and other offices, student records held by Registrar’s Office and other offices, and historical information held and used by Archives & Special Collections and other offices.

b) Personal Information has the meaning assigned to it in The Freedom of Information and Protection of Privacy Act (Manitoba) ("FIPPA"). Personal information includes name, home contact information, educational, employment, occupational history and other information, as defined in FIPPA. Personal information includes personal health information.

2.1.2. Personal Health Information or Health Information has the meaning assigned to it in The Personal Health Information Act, Part 1. "Personal health information" means recorded information about an identifiable individual that relates to:

a) the individual’s health, or health care history, including genetic information about the individual,

b) the provision of health care to the individual, or

c) payment for health care provided to the individual, and includes

d) the Personal Health Information Number ("PHIN") and any other identifying number, symbol or particular assigned to an individual, and

e) any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

i) Personal health information is "recorded information about an identifiable individual." Personal health information may be held by any faculty, department, division, program, centre, service, professor or instructor, or by a health care unit, or by a health services agency. Personal health information may be generated on any medium, such as text, graphic including radiological and photographic, audio recording, or moving image. The information may be generated and held digitally or non-digitally. If it is textual, it includes information that occurs in a file, chart, document, report, letter, memorandum, or note.

ii) Any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care is deemed to be personal health information. This may include an individual’s contact information such as home address, home telephone number, home fax or email address, financial history, salary, work history, work performance, medical history, home conditions, domestic difficulties, or other private matters such as an individual’s conduct or behaviour that may be a result of illness or the effect of treatment. "Individuals" may include co-workers and/or families of co-workers when the co-workers are clients or patients at a UM health care unit or a health services agency. Their information must be treated as personal health information in this context.

iii) A medical certificate or note constitutes personal health information, even if it only contains the doctor’s name, individual’s name, and the period of non-attendance at work, classes, tests, or examinations. Reasonable safeguards must be taken to ensure the confidentiality of information in a medical certificate or note. (See 2.12.2.(c))

2.1.3. Access means gaining entrance to, making contact with, being exposed to, or using something such as records that contain personal or personal health information. In the context of an application for access to records, access means the right of an individual, or a person permitted to exercise the rights of that individual, to examine and/or receive a copy of the individual’s personal health information maintained by the trustee.

2.1.4. Access and Privacy Coordinator or Access Coordinator means the University of Manitoba employee who has the responsibility for undertaking the implementation and the day-to-day administration of the Acts, including receiving applications for access to records, for establishing procedures and guidelines for the review of requests for access to records under FIPPA and PHIA, for receiving complaints under FIPPA and PHIA, and for assisting faculties, departments, offices, units, and agencies to comply with the Act. At the University, the head of the FIPPA Office is the Access and Privacy Coordinator.

2.1.5. Access and Privacy Coordinator’s Office or FIPPA Office means the University office that has the responsibility for the implementation and administration of The Freedom of Information and Protection of Privacy Act and The Personal Health Information Act at the University.

2.1.6. Access and Privacy Officer or Access Officer means the University of Manitoba employee delegated by the President to act on behalf of the University as a whole in matters related to FIPPA and PHIA. The Access and Privacy Officer receives all reports of breaches of security of personal information and personal health information. At the University, the Vice-President (Administration) is the Access and Privacy Officer.

2.1.7. A Breach of Security occurs when personal health information is collected, accessed, used, disclosed, or destroyed other than as authorized, or when the integrity of the information is compromised. (See 2.16.)

2.1.8. A Designated Office is a faculty, department, program, office, or unit whose employees, students, or agents, as the case may be, are required to undertake PHIA Training and to sign the Pledge of Confidentiality.

2.1.9. Disclosure of personal health information means making the information known, revealing, exposing, showing, providing, selling, or sharing the information with any person or entity that is not an authorized employee or Person Associated with the University, by any means, for example, by providing copies, verbally, electronically, or other means. Disclosure also means making the information known to any person or entity beyond the University who is not authorized to receive the information.

2.1.10. FIPPA means The Freedom of Information and Protection of Privacy Act (Manitoba), S.M. 1997, c.50, as amended from time to time, or such other substitute legislation as may be passed from time to time.

2.1.11. FIPPA Office (See Access and Privacy Coordinator’s Office.)

2.1.12. FIPPA Review Committee or FRC means the University of Manitoba committee appointed to consider and approve requests for volume uses and disclosures of University-held personal information, to consider and advise regarding applications and complaints referred by the Access and Privacy Coordinator under FIPPA and PHIA, to review and approve retention schedules for University records, and to authorize the destruction of University records.

2.1.13. Health Care has the meaning attributed to it in PHIA, Part I. Health care means any care, service or procedure provided to diagnose, treat or maintain an individual’s physical or mental condition, provided to prevent disease or injury or promote health, or that affects the structure or a function of the body, and includes the sale or dispensing of a drug, device, equipment or other item pursuant to a prescription.

2.1.14. Health Care Facility means a hospital, a personal care home, a psychiatric facility, a medical clinic, a laboratory, the Manitoba Cancer Treatment and Research Foundation, and a community health centre or other facility in which health care is provided and that is designated in the regulation to PHIA. The University of Manitoba is not a health care facility. However, units such as University Pharmacy, and agencies such as Centre for Community Oral Health provide health care.

2.1.15. Health Care Unit (See University Health Care Unit)

2.1.16. Health Professional means a person who is licensed or registered to provide health care under an Act of the Legislature or who is a member of a class of persons designated as health professionals in the Regulations under the Act.

2.1.17. Health Services Agency means an organization that provides health care such as community or home-based health care pursuant to an agreement with another trustee. Examples are the Centre for Community Oral Health and the J.A. Hildes Northern Medical Unit.

2.1.18. Information Manager means an individual, corporate organization, business, or association that processes, stores or destroys personal health information, or provides information management or information technology.

2.1.19. Information Services & Technology or IST is the name of the office which, for the purposes of these procedures, works with the FIPPA Office to develop policies and procedures to safeguard the confidentiality and integrity of personal health information stored, transmitted, or processed electronically.

2.1.20. Integrity of Personal Health Information means the preservation of its content throughout collection, access, use, disclosure, retention and storage, transfer, transportation or transmission, and final disposition, so that there is confidence that the information has not been tampered with or modified other than as authorized, and that the information retains its accuracy.

2.1.21. Persons Associated with the University, for the purposes of these procedures, includes University Staff, members of the Board of Governors and Senate of the University, researchers, independent contractors, volunteers, information managers, or agents of any of the above.

2.1.22. Personal Health Information Confidentiality Pledge means a form of pledge, the signing of which binds the signee to the security and protection of privacy of personal health information in the custody or under the control of the public body. The Confidentiality Pledge form is available from the FIPPA Office. Prescribed PHIA Training is required of every individual who signs the pledge.

2.1.23. Person Permitted to exercise the rights of an individual means:

a) any person with written authorization from the individual to act on that individual’s behalf;

b) a proxy appointed by the individual under The Health Care Directives Act (Manitoba);

c) a committee appointed for the individual under The Mental Health Act (Manitoba), if the committee has the power to make health care decisions on the individual’s behalf;

d) a substitute decision maker for personal care appointed for the individual under The Vulnerable Persons Living with a Mental Disability Act, if the exercise of the right relates to the powers and duties of the substitute decision maker;

e) the parent or guardian of an individual who is a minor, if the minor does not have the capacity to make health care decisions; or

f) if the individual is deceased, his or her personal representative.

2.1.24. In the case of individuals who are deceased or no longer able to act on their own behalf, and for whom an appropriate authority has not been appointed or authorized, access may be granted to a Personal Representative. A Personal Representative includes any of the following:

a) an Executor/Executrix named in a deceased individual’s will;

b) a court appointed Administrator of a person’s estate;

c) the Public Trustee; and/or

d) an individual at the discretion of University Legal Counsel in the following suggested order:

i) the individual’s spouse, including a common law or same sex spouse who was cohabiting in a conjugal relationship with the individual for at least one year prior to death or incompetence of the individual; or
ii) if none or unavailable, a son/daughter of at least 18 years of age; or
iii) if none or unavailable, a parent or legal guardian; or
iv) if none or unavailable, a brother/sister of at least 18 years of age.

2.1.25. PHIA means The Personal Health Information Act S.M. 1997, c. 51, as amended from time to time, or such other substitute legislation as may be passed from time to time.

2.1.26. Record of User Activity means a record about access to personal health information maintained on an electronic information system, which identifies the following:

a) individuals whose personal health information has been accessed,

b) persons who accessed personal health information,

c) when personal health information was accessed,

d) the electronic information system or component of the system in which personal health information was accessed,

e) whether personal health information that has been accessed is subsequently disclosed under section 22 of the Act.
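As an added illustration, not part of the University’s procedures or of any University system, the following Python sketch stores the five items of 2.1.26 in every entry of a record of user activity and chains the entries with SHA-256, so that a later alteration or removal of an entry can be detected. That is the "has not been tampered with or modified other than as authorized" property that 2.1.20 asks for. The record type, field names, user and subject identifiers and the sample entries are assumptions made for this example.

```python
# Added example, not part of the University's PHIA Procedures: a tamper-evident
# "record of user activity" carrying the five fields required by 2.1.26, with a
# SHA-256 hash chain so that later alteration or removal of an entry can be
# detected (the integrity property of 2.1.20). Field names, user and subject
# identifiers and the sample entries are this example's own assumptions.
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# The five things a record of user activity must identify (2.1.26 a-e).
REQUIRED_FIELDS = ("subject_id", "user_id", "accessed_at", "system", "disclosed_under_s22")


@dataclass(frozen=True)
class UserActivityRecord:
    subject_id: str            # a) individual whose personal health information was accessed
    user_id: str               # b) person who accessed it
    accessed_at: str           # c) when (ISO 8601, UTC)
    system: str                # d) electronic information system or component
    disclosed_under_s22: bool  # e) whether the information was then disclosed under s.22
    prev_hash: str = ""        # hash of the preceding entry; "" for the first entry
    entry_hash: str = ""       # SHA-256 over this entry's fields plus prev_hash


def compute_hash(fields: Dict[str, object], prev_hash: str) -> str:
    """Hash the canonical JSON form of the fields together with the previous hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical + prev_hash.encode()).hexdigest()


class ActivityLog:
    """Append-only log: every entry commits to the one before it."""

    def __init__(self) -> None:
        self._entries: List[UserActivityRecord] = []

    def append(self, **fields: object) -> UserActivityRecord:
        # Refuse an entry that lacks any of the five required items or carries unknown ones.
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        unknown = [f for f in fields if f not in REQUIRED_FIELDS]
        if missing or unknown:
            raise ValueError(f"missing={missing} unknown={unknown}")
        prev = self._entries[-1].entry_hash if self._entries else ""
        record = UserActivityRecord(**fields, prev_hash=prev, entry_hash=compute_hash(fields, prev))
        self._entries.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first entry whose chain link is broken, or None if intact."""
        prev = ""
        for i, rec in enumerate(self._entries):
            fields = {k: getattr(rec, k) for k in REQUIRED_FIELDS}
            if rec.prev_hash != prev or rec.entry_hash != compute_hash(fields, prev):
                return i
            prev = rec.entry_hash
        return None

    def head_hash(self) -> str:
        """Latest hash; keep a copy outside the log so truncation of the tail is detectable."""
        return self._entries[-1].entry_hash if self._entries else ""

    def accesses_to(self, subject_id: str) -> List[UserActivityRecord]:
        """Everything recorded about one individual's information."""
        return [r for r in self._entries if r.subject_id == subject_id]

    def entries(self) -> List[UserActivityRecord]:
        return list(self._entries)

    # The two helpers below only simulate what an attacker or a fault would do to the stored log.
    def tamper(self, index: int, **changes: object) -> None:
        self._entries[index] = replace(self._entries[index], **changes)

    def remove_entry(self, index: int) -> None:
        del self._entries[index]


def build_sample_log() -> ActivityLog:
    """Constructed sample entries; every identifier here is invented for this example."""
    log = ActivityLog()
    log.append(subject_id="PT-1001", user_id="nurse.a", accessed_at="2008-05-07T09:15:00Z",
               system="clinic-emr", disclosed_under_s22=False)
    log.append(subject_id="PT-2042", user_id="nurse.a", accessed_at="2008-05-07T09:20:00Z",
               system="clinic-emr", disclosed_under_s22=False)
    log.append(subject_id="PT-1001", user_id="records.b", accessed_at="2008-05-08T14:02:00Z",
               system="clinic-emr/records-module", disclosed_under_s22=True)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify() is None)          # True
    log.tamper(1, user_id="someone.else")
    print("first bad entry:", log.verify())         # 1
```

The chain makes alteration or deletion of an earlier entry visible to anyone who re-runs verify(); it does not by itself detect removal of the newest entries, which is why head_hash() should be copied to a place the log’s own administrators cannot write. It also says nothing about who was allowed to read the information in the first place; access control and the audit required by 2.3 remain separate measures.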

2.1.27. Record or Recorded Information means a record of information in any form, and includes information that is written, photographed, recorded or stored in any manner, on any storage medium or by any means, including by graphic, electronic or mechanical means, but does not include electronic software or any mechanism that produces records.

2.1.28. Records Administrator means a staff member who has the responsibility for maintaining the records of an office, health care unit, or a health services agency.

2.1.29. A Records Authority Schedule or RAS is a document that describes a series or group of records, specifies the period for which they must be retained, and specifies their final disposition. Records Authority Schedules are prepared in consultation between the FIPPA Office and the offices, units, or agencies that hold the records. Records Authority Schedules are submitted to the FIPPA Review Committee for approval. Upon approval, a RAS becomes the official instrument by which records of a series can be destroyed. A RAS is signed by the records administrator, the dean or director, the Access and Privacy Coordinator, and the Chair of the FIPPA Review Committee.

2.1.30. Records Officer means the University employee who ensures that records and information, both electronic and non-electronic, held by the University are managed efficiently, effectively and in accordance with FIPPA and PHIA. The Records Officer is the central administrator of the Records Management Program and maintains a full set of Records Authority Schedules approved by the FIPPA Review Committee. At the University the Assistant to the Access and Privacy Coordinator is the Records Officer.

2.1.31. Secured Place is a physical environment for the temporary or permanent storage of, or for the use, processing, or transmittal of personal health information that has the following characteristics:

a) not readily accessible by unauthorized users;

b) supervised or monitored by authorized users;

c) keyed to allow entrance to authorized users only;

d) locked when authorized users are not in attendance;

e) protected by controls that minimize loss, destruction or deterioration from fire, water or humidity damage; and

f) furnished with proper containers and adequate labelling to reduce accidental loss or destruction.

2.1.32. Security means the consistent application of standards and controls to protect the integrity and privacy of personal health information at all stages and in all aspects of its collection, access, use, processing, disclosure, transmittal, transport, storage and retention, and destruction. Where health records are converted from hard copy to electronic form, or from one medium or form to another, security standards and controls are applied throughout the conversion.

2.1.33. Trustee means a health professional, health care facility, public body including a local public body, or health care unit or health services agency that collects or maintains personal health information. The University is a trustee under the Act.

2.1.34. Unit Liaison means a University staff member who has been appointed to represent their office or unit in matters relating to FIPPA and PHIA. Sub-Unit Liaison means a University staff member of an office or unit that reports to a larger office or unit, who has been appointed to represent their office or unit in matters relating to FIPPA and PHIA.

2.1.35. University Health Care Unit or UM Health Care Unit or Unit means a unit whose main function is the provision of health care, by health professionals, and which function may include the education and training of students in the provision of health care.

2.1.36. University Office or UM Office means a faculty, department, division, centre, program, service or other office of the University, unless otherwise specified. UM office includes some offices that collect significant amounts of health information. Examples are Disability Services and Recreation Services. In addition, offices that conduct health research hold significant amounts of health information.

2.1.37. University Staff means faculty, staff and employees, whether full-time, part-time, reduced appointment, seconded, or any other type of appointment.

2.1.38. Use of personal health information means dealing with or employing personal health information. In the context of PHIA, use generally means dealing with or employing the information within the University. Use must be for an authorized purpose of the University. Use involves access to the information by the officers, employees, or agents of the University. Access means that the person has gained entrance to, made contact with, or been exposed to the information, through viewing, reading, hearing, or otherwise receiving the information. Use includes access, as well as processing, reproduction, transmission and transportation of personal health information.


2.2. Access to Personal Health Information

2.2.1. PHIA, section 5(1) states: Subject to this Act, an individual has a right, on request, to examine and receive a copy of his or her personal health information maintained by a trustee. At the University, all requests for access to personal health information shall be made first to the office where the applicant believes the records containing the health information are held. The office may be a UM office, a UM health care unit, or a health services agency.

2.2.2. Records administrators and all University Staff shall make every reasonable effort to assist an applicant and respond without delay, openly, accurately and completely. Assistance may be given in the form of explanation or in the form of direction to the FIPPA Office. Assistance must not be given by delivering the request for the applicant. The applicant must deliver the request by him or herself, or via a person permitted or a personal representative.

2.2.3. An individual who seeks information about his or her own health shall make the request under PHIA. If the request is made to a UM office, the request shall be made in writing. If the request is made to a UM health care unit or to a health services agency, the unit or agency may require the request to be in writing. No special form is required if the individual is making his or her own request.

2.2.4. The written request shall include a minimum of the following:

a) name
b) address
c) phone number; home and/or work
d) signature
e) date of signing

2.2.5. If an individual is unable to make a written request, a third party can be designated to make it with the permission of the individual; or the written request may be made by, or with the assistance of, a person permitted to exercise the rights of the individual. An individual’s inability to make a request in writing must not limit his or her access to personal health information.

2.2.6. Prior to permitting an individual to examine or receive a copy of his or her personal health information, the UM office, UM health care unit, or health services agency shall confirm the identity of the requester, through photo or other appropriate identification.

2.2.7. UM Office
When a UM office receives a written request, the office shall review the record. If the record is about the requester and if it contains no third party personal or personal health information and no otherwise confidential information, the office may permit the requester to examine it in the office and may provide a copy of the record to the requester. However, if the office is unsure about releasing the requested information, or is unable to release it, they shall contact the Access and Privacy Coordinator, or refer the applicant to the Access and Privacy Coordinator’s Office.

2.2.8. If a UM office anticipates that search and preparation of the requested records will require more than 2 hours, or if the requested records exceed 50 pages, the office shall contact the Access and Privacy Coordinator, or direct the requester to make an application through the Access and Privacy Coordinator’s Office.

2.2.9. If the request is made to a UM office by any third party, including a person permitted or a personal representative, the records administrator shall refer the applicant to the Access and Privacy Coordinator’s Office. The individual seeking the health information must present a written request to the Access and Privacy Coordinator or designate. If a request is made to a UM health care unit, or to a health services agency, the unit or agency may refer the requester to the Access and Privacy Coordinator’s Office.

2.2.10. FIPPA Office
The Access and Privacy Coordinator shall be responsible for acting on behalf of UM offices to respond to requests for access that cannot be served by a records administrator. The Access and Privacy Coordinator’s Office shall respond to a request as promptly as required in the circumstances but no later than 30 days after receiving it, unless the request is transferred to another trustee under PHIA, section 8.

2.2.11. Upon receiving a written request, the Access and Privacy Coordinator shall determine whether the request is being made by the individual that the health information is about, or by a third party. If the application is made by the individual that the health information is about, the Access and Privacy Coordinator shall ensure that the application is in writing and is made under PHIA. The request may be made in letter form or on a FIPPA Application for Access form. The Access and Privacy Coordinator shall refer to PHIA and shall ensure that only the individual that the personal health information is about is given access to the personal health information or receives copies of the requested personal health information.

2.2.12. If the application is made by a third party or a person permitted, the Access and Privacy Coordinator shall ensure that the request is in writing and is made under FIPPA, on a FIPPA Application for Access form available from the Access and Privacy Coordinator’s Office.

2.2.13. When a third party requests personal health information on behalf of an individual, the Access and Privacy Coordinator shall ensure that the third party is authorized to do so. The third party may be a person authorized by the individual that the health information is about, a person permitted to exercise the rights of the individual, or a personal representative of the individual. Such parties must present written authorization. This authorization shall be confirmed prior to the release of any information, including whether the information exists (i.e., whether the individual is or has been a patient/client/student/employee/user of the program in question). The Access and Privacy Coordinator, and if necessary, Legal Counsel, shall verify the identity of the individual through photo or other appropriate identification. The written authorization must include:

a) name of third party, or name of person permitted, or name of personal representative

b) relationship to individual, or legal authority to request on the individual’s behalf

c) address of third party, person permitted, or personal representative

d) phone number of third party, person permitted, or personal representative

2.2.14. If it is estimated that search and preparation time may exceed 2 hours, or that the records requested may exceed 50 pages, the Access and Privacy Coordinator will prepare a written estimate of fees which will be provided to the applicant. Fees will be estimated as per the Regulations under the Act.

2.2.15. In responding to a request, the Access and Privacy Coordinator shall do one of the following:

a) make the personal health information available for examination and/or provide a copy, if requested, to the individual; or

b) inform the individual in writing if the information does not exist or cannot be found; or

c) inform the individual that the request is refused, in whole or in part, for a specified reason under PHIA, section 11, and advise the individual of the right to make a complaint to the Ombudsman about the refusal under PHIA, Part 5. A complaint must be in writing. It should be made on the official Complaint form available from the Access and Privacy Coordinator’s Office. (See also 2.2.25.)

2.2.16. Prior to permitting an individual to examine or receive a copy of his or her personal health information, the Access and Privacy Coordinator shall:

a) confirm the identity of the individual if the information is to be provided to that individual in person;

b) contact the individual who the information is about to verify the request, if there is any doubt about a request for documents to be mailed or delivered;

c) copy the information with some form of identification of the trustee on each page such as a stamp or watermark indicating "Disclosed by University of Manitoba in compliance with The Personal Health Information Act";

d) secure the information in an envelope indicating "To Be Opened by Addressee Only"; document what has been disclosed and to whom in the individual’s record, detailing any parts of the personal health information that were withheld or released with severing.

2.2.17. If the Access and Privacy Coordinator, and where necessary the FIPPA Review Committee, has determined that access should be refused, in whole or in part, the office shall:

a) inform the individual in writing in accordance with PHIA, section 7;

b) in the case of partial refusal, remove the identified portion of the record prior to access or photocopying in accordance with PHIA, section 11;

c) determine if the refusal may place the University in a position of potential litigation and, if so, advise Legal Counsel accordingly. If Legal Counsel agrees, counsel shall coordinate notification of the appropriate individuals and entities such as lawyer, insurance company, etc.;

d) if the individual fails to provide sufficient proof that he or she is the one that the personal health information is about, or is an authorized third party, the individual should be advised that the request will be reconsidered upon provision of the appropriate identification or authorization.

2.2.18. UM Health Care Unit, or a Health Services Agency
A UM health care unit or a health services agency shall, during assessment, consultation, care and treatment, retain the right to show or share copies of personal health information to the client/patient. This is acceptable where access is directly related to the service anticipated or being delivered by that health care unit or health services agency, with the goal of promoting or improving the individual’s understanding of and/or compliance with their diagnosis, care and treatment and where there is no compelling reason to refuse access as set forth in the Act.

2.2.19. If a request is made to a UM health care unit or to a health services agency, the unit or agency may require the request to be in writing.

2.2.20. If the UM health care unit or the health services agency anticipates that search and preparation of the requested records will require more than 2 hours, or if the requested records exceed 50 pages, the unit or agency may contact the Access and Privacy Coordinator, or direct the requester to make application through the Access and Privacy Coordinator’s Office.

2.2.21. Actions taken by a UM health care unit or by a health services agency in response to a request for access (verbal or written) shall be recorded within the individual’s health record. If a written request for access has been provided it shall be included as part of the individual’s health record. When copies of documents/records are provided, the unit or agency shall note this on the health record.

2.2.22. If the request is made by any third party, including a person permitted or a personal representative, the request must be in writing. The UM health care unit or the health services agency shall review the request under PHIA sections 20, 21, 22, and 23 and may make the disclosure if it complies with these sections.

2.2.23. If a UM health care unit or a health services agency is unsure or unable to release the requested information, they may contact the Access and Privacy Coordinator or refer the applicant to the Access and Privacy Coordinator’s Office.

2.2.24. Prior to releasing any health information to a third party, the unit or agency shall:

a) confirm the identity of the requester through photo or other appropriate identification;

b) if there is any doubt about a request that asks for documents to be mailed or delivered, contact the individual that the information is about to verify the request;

c) copy the information with some form of identification of the trustee on each page such as a stamp or watermark indicating "Disclosed by University of Manitoba in compliance with The Personal Health Information Act";

d) secure the information in an envelope indicating "To Be Opened by Addressee Only";

e) document what has been disclosed and to whom in the individual’s record.

2.2.25. The unit or agency may charge a copying fee in accordance with the Regulations under the Act if there are more than 50 pages.

2.2.26. An individual may make a complaint to the Ombudsman alleging that the University

a) has collected, used or disclosed his or her personal health information contrary to the Act; or

b) has failed to protect his or her personal health information in a secure manner as required by the Act.

The complaint must be in writing.


2.3. Audit of Personal Health Information

2.3.1. The University shall conduct an audit of security safeguards at least every two (2) years. This audit shall be an overall audit that encompasses electronic, administrative, technical and physical safeguards employed to protect personal health information held by the University.

2.3.2. The University shall document the findings of the audit along with any recommendations to monitor and ensure compliance with PHIA.

a) The Access and Privacy Coordinator shall ensure the implementation of an overall audit of security safeguards related to personal health information, via the Director of Audit Services, who will compile a summary report for the Vice-President (Administration) at least every two (2) years.

b) The Access and Privacy Coordinator shall ensure the implementation of an audit of electronic security safeguards related to personal health information via the Director of Audit Services and the Director of Information Services and Technology. The Director of Audit Services shall compile a summary report for the Vice-President (Administration) at least every two (2) years.

c) The overall audit of security safeguards shall include:

i) confirmation that the Personal Health Information Confidentiality Pledge has been signed by all applicable employees and persons associated with the University;

ii) review of the restrictions on the collection, access, use, disclosure, and retention of personal health information, whether hard-copy or electronic;

iii) review of the effectiveness of the safeguards in place to protect the confidentiality, integrity and security of personal health information;

iv) confirmation that appropriate policies and procedures are in place to allow only authorized individuals to download or compile personal health information for authorized purposes;

v) compilation of reports of breaches of security, corrective procedures implemented and any disciplinary action taken.


2.4. Collection of Personal Health Information

2.4.1. The University shall collect personal health information about an individual only for a necessary purpose that is connected with an authorized function or activity of the University.

2.4.2. Whenever possible, the University shall collect personal health information directly from the individual that it is about, either verbally or in writing. If the information is collected verbally, it must be recorded by the person who is taking the information.

2.4.3. Personal health information shall be collected in a manner and location that ensures the security and confidentiality of such information, to the extent that it is reasonable to do so.

2.4.4. When the information is collected directly, the University shall notify the individual of the purpose for collection, and with whom the information may be shared.

2.4.5. The University shall collect only as much personal health information as is reasonably necessary to accomplish the purpose for which the information is collected.


2.5. Confidentiality of Personal Health Information

2.5.1. Reasonable administrative, technical and physical safeguards must be taken to ensure the confidentiality, security, accuracy and integrity of personal health information. Where an electronic information system is used to maintain personal health information, additional safeguards must be considered for the protection of the information. (See 2.14.20.) In determining the reasonableness of safeguards, the sensitivity of the health information shall be taken into account. In this regard, information that is closer to the bodily core is more sensitive than that which is superficial. For example, information about DNA or a terminal illness is more sensitive than that about a broken wrist or a case of influenza.

2.5.2. Personal health information shall be protected during its collection, access, use, disclosure, retention and storage, and during its destruction.

2.5.3. All Persons Associated with the University are responsible for protecting personal health information that is obtained, handled, viewed, or processed in the discharge of their duties and responsibilities with the University. The responsibility for protection shall include persons permitted and personal representatives.

2.5.4. Personal health information shall be used and/or disclosed only in the discharge of work responsibilities and duties (including reporting duties imposed by legislation) and based on the need to know. This applies to all Persons Associated with the University.

2.5.5. To protect the privacy of health information, persons should not discuss others’ personal health information (in their absence) in the presence of those who are not entitled to know such information. Health information should not be discussed in public places such as cafeterias, elevators, lobbies, hallways, classrooms, unsecured or open offices where those who are not entitled to the information are likely to be.

2.5.6. All Persons Associated with the University:

a) who work in a University office that collects significant amounts of personal health information as part of the delivery of its program; or

b) who work in an office that conducts or participates in health research and/or holds health information in connection with research; or

c) who work in a University health care unit; or

d) who work in a health services agency; or

e) who are health care professionals and provide health care at the University in their capacity as health care professionals must sign a Personal Health Information Pledge of Confidentiality ("Confidentiality Pledge"). Re-signing of the Pledge of Confidentiality may be required for one or more reasons and at intervals as deemed appropriate by the head of the office, unit, or agency.

2.5.7. The University of Manitoba Personal Health Information Pledge of Confidentiality form is available from the Access and Privacy Coordinator’s Office. Prescribed PHIA Training is required of every individual who signs the pledge.

2.5.8. The University Pledge of Confidentiality shall be administered by the head of a designated UM office that holds significant amounts of health information or conducts health research, a UM health care unit, or a health services agency. The signed pledge is to be retained in the office of the head. A list of signees shall be forwarded to the Access and Privacy Coordinator’s Office annually.

2.5.9. Volunteers and persons associated (that is, contracted individuals including researchers, health professionals, information managers, and agents) who are providing a service for the University, where the service provided would expose them to health information, shall sign either the University Pledge of Confidentiality or a contract that provides, inter alia, for protection of confidential information including personal health information. Signed pledges are to be administered by the head of the office, unit, or agency that engages the individual. They are to be retained by the head. A list of signees shall be forwarded to the Access and Privacy Coordinator’s Office annually.

2.5.10. All University Board of Governors Members and Senate Members must sign the University Pledge of Confidentiality. The administration of this pledge shall be handled by the University Secretary, who shall retain the original signed pledges.

2.5.11. All University faculty, staff, and students who, through employment or training, may be exposed to health information in the custody or under the control of the Winnipeg Regional Health Authority ("WRHA") or other Regional Health Authority ("RHA") must sign a WRHA or other RHA Pledge of Confidentiality in accordance with that organization’s current PHIA policy.


2.6. Correction of Personal Health Information

2.6.1. The University shall ensure the right of individuals to request and make corrections to their own personal health information in accordance with PHIA.

2.6.2. For purposes of accuracy or completeness an individual may request the University to correct any personal health information that the individual may examine or copy under PHIA.

2.6.3. All requests for correction must be in writing. The request must include the following information:

a) name;
b) address;
c) phone numbers, home and/or work;
d) correction requested;
e) signature; and
f) date of signing.

2.6.4. If an individual makes a written request for correction on his or her own behalf and the request is to a UM office, the office shall review the record and, if the correction is appropriate, make the correction. The written request shall be placed in the file and form part of the file. Verbal requests will not be accepted. If the office is unsure or unable to make the correction, they shall direct the requester to the Access and Privacy Coordinator’s Office.

2.6.5. The Access and Privacy Coordinator, and where necessary the FIPPA Review Committee, shall review the request as promptly as required in the circumstances but no later than 30 days after receiving the request, and do one of the following:

a) make the requested correction by adding the correcting information to the record of the personal health information in such a manner that it will be read with and form part of the record; or

b) inform the individual if the personal health information no longer exists or cannot be found; or

c) if the University does not maintain the personal health information, so inform the individual and provide him or her with the name and address, if known, of the trustee who maintains it; or

d) inform the individual of the University’s refusal to correct the record as requested, the reason for the refusal, and the individual’s right to add a statement of disagreement to the record and to make a complaint about the refusal under section 12 of the PHIA.

2.6.6. If the request is submitted to a UM health care unit or to a health services agency, the unit or agency shall consider the request under PHIA, determine whether a correction is appropriate under the Act and make the correction if appropriate. All actions taken to facilitate an individual’s request for correction shall be documented in the individual’s health record. If the unit or agency is unsure about making the correction, they may refer to the Access and Privacy Coordinator.

2.6.7. The UM health care unit or health services agency may consult with any individuals who are currently providing direct care to the patient and/or the individual who documented the personal health information and/or the administrative staff or head in charge of the service/discipline in question to determine the appropriateness of the request for correction.

2.6.8. No fees are chargeable for the correction of health information.


2.7. Disposal of Personal Health Information

2.7.1. Personal health information shall be considered as confidential information.

2.7.2. Control procedures shall be developed and implemented in all offices, health units, and agencies to segregate confidential material from non-confidential material and other waste streams. (See 2.1.1.)

2.7.3. All confidential material shall be stored and transported in a secure manner. University staff shall process confidential material as follows:

a) pre-sort confidential, non-confidential, and other waste streams by placing in designated containers;

b) package confidential material securely for storage and/or pick up for confidential shredding;

c) clearly identify confidential material and label as "Confidential Waste." Containers shall not be loaded to the point where the container will rip or tear, or be unmanageable due to weight.

2.7.4. Confidential material shall be disposed of by shredding or other confidential method of destruction.

2.7.5. The Access and Privacy Coordinator may be consulted for advice on appropriate methods of destroying confidential material. IST may be consulted for advice on appropriate methods of destroying electronically held health information.


2.8. Use of Personal Health Information

2.8.1. Use of personal health information includes accessing and using the information.

a) Use involves records and information that are in the custody or under the control of the University.

b) Access means that the person has gained entrance to, made contact with, or been exposed to the information, through viewing, reading, hearing, or otherwise receiving the information.

c) Use means dealing with, employing, handling, processing, reproducing, transmitting and transporting of personal health information.

d) Health records or information may only be used by authorized persons for authorized purposes of the University.

2.8.2. A person authorized to use the health information is defined as a Person Associated with the University who requires access to the personal health information for the purposes outlined in their position description or under the terms of their contract/agreement. The person’s access to the health information is limited to the amount of information that is necessary to carry out the responsibilities of their position. When a person permitted or a personal representative submits the appropriate documentation, he or she is also a person authorized.

2.8.3. If there is any question as to whether a person is authorized to use the personal information, the question shall be referred to the head. The head may refer to the Access and Privacy Coordinator.

2.8.4. The University shall use health information only for the purpose for which it was collected or received, and shall not use it for any other purpose unless

a) the other purpose is directly related to the purpose for which the personal health information was collected or received; or

b) the individual the personal health information is about has given written consent for the use; or

c) use of the information is necessary to prevent or lessen a serious and immediate threat to the mental or physical health or safety of the individual the information is about or another individual, or to public health or safety; or

d) under certain other strict and limited uses. (See 2.8.8.)

2.8.5. Before using personal health information, the office, unit, or agency shall check to ensure that the information is accurate, up to date, complete, and not misleading.

2.8.6. Use of the personal health information must be limited to the minimum amount necessary to accomplish the purpose for which it is used.

2.8.7. Use of the personal health information must be limited to those Persons Associated with the University who need to know to carry out the purpose for which the personal health information is used.

2.8.8. Under strict and limited conditions described in PHIA, Part III, sections 21(d)(e)(f), health information may be used for certain purposes different from the purposes for which it was collected.

2.8.9. If a request for a different use is made to a UM office, the office shall refer the request to the Access and Privacy Coordinator.

2.8.10. If a request for a different use is made to a UM health care unit or to a health services agency, the unit or agency shall consider the request under sections 20 and 21 and approve the different use if it is appropriate under these sections. If the agency is unsure or unable to approve the different use, they may refer to the Access and Privacy Coordinator.

2.8.11. The use or disclosure of personal health information for administrative research shall only be made in accordance with the procedures outlined in Administrative Bulletin #79 (Vice-President Administration, rev. 2004), available at: http://www.umanitoba.ca/admin/vp_admin/media/bulletin79.pdf. (See the bulletin for the definition of "administrative research.")

2.8.12. All other types of research that require the use or disclosure of personal health information shall be initiated as research proposals made to the appropriate University of Manitoba Research Ethics Board (UMREB). (See 2.9.11.)


2.9. Disclosure of Personal Health Information

2.9.1. Disclosure of personal health information means making the information known, revealing, showing, or providing the information to any person or entity by any means, for example, by providing copies, verbally, electronically, or by other means. Disclosure may occur in an authorized manner or an unauthorized manner. PHIA does not provide for unauthorized disclosure.

2.9.2. Unauthorized disclosure occurs when information is made known to an unauthorized person or entity, within or beyond the University. An unauthorized person or entity is one who is not an employee, person associated, person permitted, personal representative, and/or a person who does not need the information to carry out the responsibilities of his or her position. PHIA does not provide for disclosure to an unauthorized person or entity.

2.9.3. Unauthorized disclosure also occurs through making the information known to any person or entity for an unauthorized purpose, within or beyond the University. PHIA does not provide for disclosure for an unauthorized purpose.

2.9.4. Certain types of disclosure are authorized and provided for by PHIA. Health information may be disclosed if the disclosure is to the individual the personal health information is about. Before making the disclosure the office, unit, or agency shall verify the identity of the individual.

2.9.5. Personal health information may be "disclosed," that is, made accessible to the person that it is about via the Access process, in accordance with PHIA, Part 2, sections 5-12.

2.9.6. Personal health information may be disclosed to another person or entity if the person the information is about has given written consent for the disclosure. Consent should be obtained in writing if practical.

2.9.7. Disclosure of personal health information without consent may be made to other persons or entities under the strict and limited conditions described in PHIA, sections 20, 22, 23, 24 and 25.

2.9.8. Disclosure may be made for the purpose of contacting a relative or friend of an individual who is injured, incapacitated, or ill; for assisting in identifying a deceased individual, or informing the representative or a relative of a deceased individual, or any other person it is reasonable to inform in the circumstances, of the individual’s death; to a relative of a deceased individual if the University reasonably believes that disclosure is not an unreasonable invasion of the deceased’s privacy.

2.9.9. Disclosure of personal health information may be made to the parent or guardian of an individual who is a minor, if the minor does not have the capacity to make health care decisions. The UM office may refer to the Access and Privacy Coordinator or Legal Counsel for advice and shall, before releasing any information, verify the identity of the parent or guardian.

2.9.10. If a request for disclosure to another person or entity (a person other than the person that the health information is about) is made to a UM office, the office shall refer the request to the Access and Privacy Coordinator. The request to the Access and Privacy Coordinator must be in writing.

2.9.11. If a request for disclosure to another person or entity (a person other than the one that the health information is about) is made to a UM health care unit or to a health services agency, the unit or agency shall consider it under sections 20, 21, 22 and 23 and make the disclosure if appropriate under these sections. The request shall be in writing. If the unit or agency is unsure or unable to make the disclosure, they may refer to the Access and Privacy Coordinator.

2.9.12. A record shall be kept of personal health information disclosed. The record may be in the form of a note in the individual’s file or patient health record, a facsimile cover sheet, an entry in a log book, routine routing of documents, or "cc’s" identified on the document, such that the office, unit, or agency is able to identify what personal health information was disclosed, when, and to whom, should the need arise.

2.9.13. If a request for personal health information and/or the disclosure of personal health information is made verbally, a note shall be entered in the individual’s record that contains the following information:

a) the identity and contact information of the person requesting the information;
b) the information disclosed;
c) the mode of transmittal (i.e. verbal, fax, courier, electronic, etc.).

2.9.14. A request for disclosure of personal health information for a health research purpose shall be made to the appropriate University of Manitoba Research Ethics Board (UMREB). In reviewing the request the UMREB shall ensure that security and confidentiality conditions meet or exceed those described in PHIA section 24. The UMREB shall ensure that the requester enters into an agreement with the University as per PHIA 24(4).

2.9.15. Disclosure of personal health information to an information manager shall be made in compliance with PHIA, section 25. Specifically, such disclosure can only be made under written agreement between the University and the information manager.

2.9.16. The disclosure of personal health information concerning an individual who may be subject to the Youth Criminal Justice Act is restricted in accordance with that Act.

2.9.17. Personal health information shall not be sold except under the strict and limited conditions of PHIA, section 27.


2.10. Disclosure to Police

2.10.1. Personal Health Information collected and maintained by the University shall only be disclosed to the police in strict accordance with PHIA.

a) Any request by any police force, unit, or officer to a UM office or unit, or to a health services agency for personal health information, shall be referred to Security Services.

b) Except as required herein, the police are required to obtain consent for disclosure of personal health information from the individual the personal health information is about or from a person permitted to exercise the rights of that individual.

c) During normal business hours requests for disclosure of personal health information with written consent from the individual or the person permitted to exercise the rights of that individual, shall be forwarded to Security Services who may consult with the Access and Privacy Coordinator regarding the response to the request. Requests will be reviewed to determine the urgency of the request and will be processed accordingly.

d) During normal business hours personal health information may be disclosed to the police without consent if it is established by Security Services in consultation with the Access and Privacy Coordinator and/or Legal Counsel that one of the exceptions of PHIA 22(2) applies.

e) After normal business hours requests for disclosure of personal health information must be reviewed to determine the urgency of the request. If the circumstances are urgent, copies of only the portions of the record that are required on an urgent basis may be provided.

i) If there is consent, the information that is provided shall be documented on the consent form and a copy forwarded to the Access and Privacy Coordinator’s Office on the next business day.

ii) If there is no consent and the information is urgently required, the information provided shall be otherwise documented and a copy forwarded to the Access and Privacy Coordinator’s Office on the next business day. This action must only be taken in circumstances of immediate urgency.

iii) If the circumstances are not considered to be urgent, the police are to be advised that Security Services will consult with the Access and Privacy Coordinator on the next business day.

f) The disclosure of personal health information concerning an individual that may be subject to the Youth Criminal Justice Act is restricted in accordance with that Act.

2.11. Consent to Disclosure of Personal Health Information

2.11.1. The University, as a trustee, may disclose personal health information to:

a) the individual the personal health information is about;

b) another person authorized under Part 6, Section 60 of PHIA to exercise the rights of an individual;

c) under the strict and limited conditions described in PHIA sections 20 to 25;

d) if the individual that the information is about has consented to disclosure.

2.11.2. Consent shall be in writing. All of the following elements must be considered for inclusion in the consent for disclosure. (The same elements must also be considered for inclusion in consent for collection or use, where collection or use is not the same or consistent with the original collection or use.)

a) The specific personal information to be collected, used or disclosed;

b) The identity of the person, organization or public body that the personal information may be collected from, used by, or disclosed to;

c) All the anticipated purposes for the use or disclosure;

d) A statement from the trustee/the University:

i) Affirming that a third party recipient will be instructed not to use or disclose the personal information provided by the public body, except for a purpose specified in the consent, and

ii) Specifying the subsequent disclosures, if any, that a third party recipient will be instructed it is permitted to make;

e) An acknowledgement that the consenting individual has been made aware of:

i) Why the personal information is needed, and

ii) The risks and benefits to the individual of consenting or refusing to consent to the collection, use, or disclosure;

f) The date the consent is effective, and the date the consent expires;

g) A statement that the consent may be revoked or amended at any time.

Not all of these elements will be necessary in every circumstance. However, each element must be carefully considered in relation to the circumstance in which the consent is being obtained.

A University of Manitoba Consent for Release of Personal Health Information form is available from the Access and Privacy Coordinator’s Office.

2.11.3. If consent is being given to a UM office, it must be given on the University Consent for Release of Personal Health Information form. If the office is unsure of, or unable to obtain, consent on this form, it shall refer the matter to the Access and Privacy Coordinator.

2.11.4. If consent is being given to a UM health care unit or to a health services agency, the unit or the agency shall consider which elements are necessary in the circumstance and obtain the appropriate consent. They may require the consent to be given on the University Consent for Release of Personal Health Information form. If the unit or agency is unsure or unable to obtain appropriate consent, they may refer to the Access and Privacy Coordinator.

2.11.5. If a research project will require direct contact with individuals, the trustee shall not disclose personal health information about those individuals without first obtaining their consent. However, the trustee need not obtain consent if the information consists only of the individuals’ names and addresses (PHIA 24(5)). The research project must be approved by the appropriate University Research Ethics Board.


2.12. Retention and Destruction of Personal Health Information

2.12.1. Retention of employee health information:

a) Employee personal health information includes documents relating to disability, workers’ compensation, sick leave, return to work, maternity/parental leave, and medical (including psychological) certificates and notes, and may include notes from social and other agencies. It may include other health information as defined at 2.1.2.

b) All employee personal health information shall be maintained in a secure environment and shall be protected by administrative, technical, physical, and electronic safeguards that are appropriate to the sensitivity of the information. (See 2.13.) In this regard, health information that is closer to the individual’s bodily core is generally more sensitive than health information that is farther from the bodily core. For example, information about DNA or blood type is more sensitive than information about a broken wrist or a case of influenza.

2.12.2. Retention of student health information

a) Student personal health information includes documents relating to disability, sick leave, return to class or course, and medical (including psychological) certificates and notes, and may include notes from social and other agencies. It may include other health information as defined at 2.1.2.

b) All student personal health information shall be maintained in a secure environment and shall be protected by administrative, technical, physical, and electronic safeguards that are appropriate to the sensitivity of the information. (See 2.13.) As described above, the closer the health information is to the individual’s bodily core, the more highly sensitive it is.

c) A medical certificate or note submitted by a student may be handled by logging receipt of the certificate or note and returning it to the individual, or by placing the certificate or note in a separate file dedicated to that type of information. The file must be protected at a level that is appropriate to personal health information.

2.12.3. Employee and Student health records and the information in them shall only be destroyed under authority. At the University, this means only on the approval of the FIPPA Review Committee and/or the Access and Privacy Coordinator.

2.12.4. Approval is accomplished via Records Authority Schedules (“RAS”), prepared in consultation between the Access and Privacy Coordinator’s Office and the office, unit, or agency that holds the records. A RAS becomes effective as of the date of signing by the Chair of the FIPPA Review Committee (FRC).

2.12.5. If health records are not yet under the authority of a RAS, the alternative authority for destruction is a Requisition to Destroy Records (RDR). The RDR is prepared in consultation between the Access and Privacy Coordinator and the office, unit, or agency that holds the records. The RDR describes the group of records, the time period to which they relate, and the method of destruction. An RDR is used where there is a need to destroy records and no RAS exists. An RDR is also appropriate to use for any large volume destruction, even if the records are already covered by a RAS.

2.12.6. Prior to destruction a record shall be created or retained of each individual whose personal health information was destroyed and the time period to which the information relates. This may be accomplished via a file list, log, database, or other means such that the individual’s name and the time period are retained permanently.


2.13. Security of Personal Health Information

2.13.1. The University, as a trustee of health information under PHIA, shall ensure that recorded personal health information, regardless of the medium, will be properly secured and maintained in the appropriate manner to protect its confidentiality and integrity.

2.13.2. Any Persons Associated with the University who may be exposed to health information in the custody or under the control of the University shall ensure that such information is properly secured and maintained in the appropriate manner to protect its confidentiality and integrity.

2.13.3. Personal health information is to be collected, accessed, used, or disclosed only by individuals who are authorized to collect, access, use, or disclose the information. Individuals thus authorized must have a clear understanding of their authority, its purposes and parameters, of their responsibilities, and of the consequences of failing to fulfill their responsibilities.

2.13.4. Security safeguards shall include administrative, electronic, technical, and physical safeguards that prevent the unauthorized collection, access, use, or disclosure of personal health information.

2.13.5. Administrative safeguards include training and contracts, security clearances, designated and restricted access to certain offices or areas, and sanctions. Electronic safeguards include firewalls and the use of passwords and encryption. Physical security measures include safeguards such as locked offices, locked filing cabinets, lock-boxes, and other barriers separating the health information from those who do not need and should not have access. Technical safeguards include electronic door access and telephone passwords. (See 2.14 for further electronic safeguards.)


2.14. Employees and Persons Associated with the University

2.14.1. All written personal health information shall be placed in an appropriately secured file. Paper files containing such information shall be kept in a secure place at all times, other than when being updated or used by authorized persons in the discharge of their duties. Personal health information shall not be left unattended or exposed to the view of persons who do not need to view or use the information.

2.14.2. Personal health information stored in electronic form on a fixed computer server or terminal shall be properly secured from unauthorized access. Personal health information stored on electronic media (removable hard drives, DVDs, USB thumb drives, diskettes, magnetic tape, CD ROMs, disk drives, laser disk, etc.) shall be kept in a secured place at all times and shall be used only by authorized personnel having access to a protected system.

2.14.3. Where it is necessary to make electronic copies of PHIA records or information, such copies shall be tracked, and the distribution of those copies shall be tracked.

2.14.4. Individuals who sign on to a computer must not leave the computer logged on and unattended in accessible areas when they leave their workstation. User password protocols must be in place and utilized. Automatic shut-off after a prescribed period of inactivity should be put into effect for all workstations.

2.14.5. Individuals accessing, using, or otherwise working with personal health information contained in electronic format shall follow security measures as set out by IST.

2.14.6. Personal health information should not be transmitted via electronic mail without appropriate safeguards such as encryption or transmittal within a secure firewall. If an office must transmit personal health information using electronic mail it should consult with IST or the FIPPA Office to ensure that the necessary security measures for the transmission are in place.

2.14.7. Personal health information can only be moved from University premises for a purpose authorized by the University. Security precautions must be taken, including the following:

a) All personal health information moved from a secure location shall be recorded in a tracking system.

b) If it is necessary to leave personal health information unattended in a vehicle, it must be stored in a secured place (such as a locked trunk or in an out of sight location in a locked vehicle if there is no trunk, or in a locked briefcase within a home or hotel location).

c) If personal health information is held in electronic format it must be encrypted if possible.

d) The employee or agent shall carry the file/electronic media with them and ensure secure storage at all times. This applies to laptops and all wireless access devices.

e) Removal of personal health information from the University for an unauthorized purpose is not permitted.

2.14.8. Personal health information files/electronic media shall be returned to their designated and secured storage location and not allowed to accumulate or be left unattended on desktops or any other location in a non-secured place.

2.14.9. Where removal of electronic equipment is necessary, Persons Associated with the University shall confirm with IST that health information held in the equipment has been completely erased. Note that printers and fax machines, as well as computers, have hard drives that store the information scanned into them. If these machines are leased they must have personal and personal health information entirely wiped out before they are returned to the leasing company.

2.14.10. Where personal health information is output via printer, the printer shall be located in a secure place where it can be used and monitored only by authorized persons. Printed output should be removed at the time of printing, used for its authorized purpose, and filed securely.

2.14.11. Similarly, where personal health information is sent or received via fax machine, the machine shall be located in a secured place where it can be used and monitored only by authorized persons. A cover sheet, with an approved University logo, should be attached to all documents, stating that the transmittal is confidential and that any unintended receiving party is prohibited from reading the information or disclosing it to anyone else (i.e. a Confidentiality Caution). Users of fax machines shall follow Transmission of Personal Health Information by Facsimile procedures. (See section 2.15.)

2.14.12. Persons leaving voice messages containing personal health information must be discreet. Personal health information should never be left on a patient’s voicemail unless the individual that the information is about has authorized it. Any personal health information relayed by voice message should be kept to the minimum required for the purpose of the communication. Persons receiving voice messages containing personal health information should listen to the message in private, and delete the message as soon as possible. Appropriate passwords and security measures should be in place for access to voice mail.

2.14.13. Radiological and digital images shall be appropriately labeled and kept in a secured place other than when required for work purposes by authorized personnel. If images are shared on a network steps should be taken to ensure that the images can only be viewed through secure access points. User name and password protocols should be used to ensure that only users who need to view personal health information to perform their duties are able to access the images.

2.14.14. All personal health information that is sent by regular postal service, interdepartmental mail, or courier service must be marked confidential and have reasonable safeguards put in place to ensure security and integrity of the information.

2.14.15. All Persons Associated with the University who are dealing with personal health information in any manner shall take reasonable precautions to protect the personal health information from fire, theft, vandalism, deterioration, accidental destruction or loss and any other hazards.

2.14.16. Personal health information shall not be transported, stored or left in a location that could result in the destruction or deterioration of the personal health information. For example, radiological images or computer disks may be destroyed if left in a locked trunk on a hot day; paper records may be destroyed if left by an open window during a rainstorm.

2.14.17. Head of the Office, Unit, or Agency
The head shall ensure that all University Staff are made aware of the procedures respecting security and storage of personal health information.

2.14.18. PHIA Regulations require the public body, that is, the University, to conduct an audit of its security safeguards at least every two years. University Audit Services will carry out the audits. The head of the office, unit, or agency shall review the practices of employees in the alternating years or more frequently as the need arises. The purpose of the review shall be to ensure that these Procedures are being implemented and that due diligence is being exercised to prevent breaches of security or confidentiality.

2.14.19. If procedures are not being implemented or due diligence is not being exercised, the head shall consult the appropriate authorities (internal and external) and take appropriate action. If there is a possible breach of security or confidentiality, the head shall take immediate action as described at 2.16, Breach of Security.

2.14.20. If personal health information is perishable in certain conditions, any agent retained to transport or deliver any personal health information for the University shall be advised in writing of any specific information regarding the perishability of the information and the conditions necessary for the safe transport of the personal health information. For example, any service contract for the transport or delivery of personal health information shall contain:

a) a provision advising the service provider of the requirements for safeguarding the confidentiality of personal health information and for physically protecting it from unintended destruction. The advice should include any appropriate cautions as to the perishability of the particular media used for the personal health information in question;

b) an agreement by the service provider that it and its employees or agents shall protect the confidentiality, security and physical integrity of personal health information.

2.14.21. IST shall ensure that appropriate safeguards are in place to safeguard the confidentiality, security and integrity of personal health information used, processed, stored or transmitted electronically.

2.14.22. IST shall ensure that every electronic system used by a trustee to maintain personal health information creates and maintains a record of user activity (see 2.1.21). The record of activity may be generated manually or electronically.

2.14.23. A record of user activity is not required if:

a) the personal health information is demographic or eligibility information listed in Schedule B of the Act, or is information that qualifies or further describes information listed in Schedule B (demographic information includes name, signature, address, telecommunications information, and other data as described in Schedule B);

b) the personal health information is disclosed under the authority of section 22(2)(h) of the Act in a routine and documented transmission from one electronic information system to another; or

c) the personal health information is accessed or disclosed while a trustee is generating, distributing or receiving a statistical report, as long as the trustee

i) maintains a record of the persons authorized to generate, distribute and receive such reports, and
ii) regularly reviews the authorizations.

2.14.24. IST shall keep a log of electronic breaches of security related to personal health information and, in conjunction with the Access and Privacy Coordinator’s Office, prepare an Annual Summary Report for the President/Vice-President Administration, detailing any breaches of security and any corrective and disciplinary procedures instituted.

2.14.25. Access and Privacy Coordinator
The Access and Privacy Coordinator shall ensure that appropriate procedures and safeguards are in place to safeguard the confidentiality, security and integrity of personal health information used, processed, stored or transmitted in non-digital forms. This shall include periodic surveys of building security with regard to potential for unauthorized access to personal health information.

2.14.26. The Access and Privacy Coordinator shall keep a log of non-digital breaches of security and, in conjunction with IST, prepare an Annual Summary Report for the President/Vice-President Administration, detailing any breaches of security and any corrective and disciplinary measures instituted.

2.14.27. The Access and Privacy Coordinator will advise offices, units, or agencies regarding provisions for confidential materials to be stored in a secured place.

2.14.28. The Access and Privacy Coordinator will provide orientation for employees and persons associated regarding The Procedures and The FIPPA and PHIA Policy, on an as-needed basis. The Access and Privacy Coordinator will also provide orientation for University students who anticipate working or training in WRHA facilities or other RHA facilities.


2.15. Transmission of Personal Health Information via Facsimile

The University shall take appropriate steps to prevent the unauthorized, inappropriate or unnecessary viewing of personal health information transmitted by facsimile. The University shall take appropriate steps to provide information required for urgent, emergent, or critical care in an effective and timely manner as required.

2.15.1. Any facsimile transmittal of personal health information must be in accordance with University policies and procedures on the access, use or disclosure of personal health information.

2.15.2. An individual’s personal health information shall only be disclosed to other trustees or individuals who are entitled to receive and use the personal health information, in accordance with section 22(2) of PHIA. Based on the circumstances of the request, the sender of the information is responsible for:

a) determining whether a fax transmission is a secure and appropriate method to send the information. A factor to consider in determining whether the fax transmission is an appropriate method is whether or not the information is required for urgent, emergent, or critical care;

b) determining the appropriate selection and number of documents based on the circumstances of the request;

c) ensuring security of the personal health information transmitted.

2.15.3. The criteria identified below shall be included in all fax transmissions:

a) UM office, UM health care unit, or health services agency title and address;

b) sender’s full name and telephone number;

c) destination of the information including a contact name and number whenever feasible;

d) name of individual that the health information is about and minimum identifying information;

e) recipient’s fax number;

f) number of pages sent if more than a single page is sent;

g) confidentiality statement;

h) directions to the recipient indicating procedure to follow if the fax is received in error or the number of pages received is incorrect. Any unintended receiving party is prohibited from reading or disclosing the information to anyone else.

2.15.4. Thermal paper fax documents shall not be retained on the health record, as thermal paper deteriorates quickly. The receiver shall prepare photocopies of thermal documents as necessary to meet retention requirements for personal health information. The thermal fax information shall then be destroyed by a procedure that ensures the protection of the confidentiality of the personal health information.

2.15.5. An individual’s personal health information that is received via fax transmission shall be reviewed to ensure all pages are legible and that the correct number of pages is received. Incomplete or illegible transmissions shall not be incorporated into the health record or used by a UM office, UM health care unit, or a health services agency. A complete and legible copy must be requested from the sender of the fax transmission.

2.15.6. Senders must take utmost care to ensure the accuracy of the fax number dialed. Use a visual check of the display to confirm that the correct number was dialed.

2.15.7. Set up speed dial directories and use them to transmit to secure machines where persons are authorized to receive the information. Periodic checks of speed dial directories should be conducted to confirm accuracy and currency of the fax numbers in the directories.

2.15.8. The following steps should be taken when sending health information via fax:

a) Use a cover page for the contact information of the receiving party. Do not place any health information on the cover page.

b) Attempt to determine whether the receiving fax machine is in a secure location. If you are unable to determine whether it is in a secure location, ask the receiving party to stand by to receive the information and ask the receiving party to call and confirm receipt.

c) Verify the number with the requester.

d) Use discretion in the selection and number of documents to be transmitted.

e) Keep a record of what personal health information has been sent.

f) When dealing with a request to fax personal health information to a new fax number, confirm the identity of the requestor and check the accuracy of the fax number.

2.15.9. A person may refuse to send personal health information by fax if he or she has reasonable grounds to be concerned about the security of the transmission. An appropriate alternative mode of transmission should be utilized.


2.16. Breach of Security of Personal Health Information

2.16.1. Reporting and Corrective Procedures
The University shall report, record, and analyze all security breaches and implement corrective procedures as necessary in order to secure the confidentiality and integrity of all personal health information. Any breach of security in which an unauthorized individual has access to personal health information must be reported. Incidents may range from unauthorized individuals being able to view a computer screen or paper file holding health information, to theft or loss of University computer equipment including electronic storage media that holds health information, to unauthorized destruction of health information by deliberate means or by human or natural accident.

2.16.2. Any individual who becomes aware of a possible or actual breach of security or confidentiality of personal health information shall immediately report the possible breach of security or confidentiality. The first report shall be made to the head of the UM office, UM health care unit, or health services agency, who shall take immediate steps to contain the breach if it is still continuing.

2.16.3. The head shall report the possible or actual breach to the dean or director, the Access and Privacy Officer, that is, the Vice-President (Administration), and the Access and Privacy Coordinator.

2.16.4. The Access and Privacy Officer, in consultation with others as necessary, will take the initiative in determining whether an investigation is required. It may be decided that a possible or actual breach does not require investigation if, after consultation, the consultees are of the opinion that:

a) the length of time that has passed since the alleged breach makes an investigation no longer practicable or desirable;

b) the alleged breach is trivial or the complaint about it is not made in good faith or is frivolous; or

c) the circumstances of the alleged breach do not require investigation.

2.16.5. If the decision is made to proceed with an investigation the Access and Privacy Officer will take responsibility for initiating the investigation and for appointing an investigator. Investigation will include obtaining the alleged violator’s version of events, consulting with the appropriate sources, documenting findings, and determining whether there has been a breach of security or confidentiality of personal health information.

a) The investigator will coordinate the investigation and will provide a final report of the findings to the Access and Privacy Officer, the Access and Privacy Coordinator, the dean or director, and, where there is neither dean nor director, the head of the office, unit, or agency. Where appropriate the investigator will provide interim report(s) to the Access and Privacy Officer.

b) Where notice to the insurer is required, the insurer shall be notified via University Legal Counsel or via the University’s liaison to the insurer.

c) Where disciplinary action is contemplated, the Director of Human Resources shall be informed of the findings.

2.16.6. If it is determined that a breach of security or confidentiality of personal health information has occurred, appropriate remedial action shall be taken. Such action may be disciplinary action up to and including termination of association/appointment/employment/contract with the University.

a) The Director of Human Resources, in consultation with the dean and/or the head, shall establish the appropriate level of disciplinary action to be applied.

b) The dean and/or the head may give the employee direction as to further action to be taken.

c) The dean and/or the head should facilitate opportunity to engage staff in a debriefing session and identify corrective procedures.

2.16.7. The Access and Privacy Coordinator will act as a resource for all University employees regarding appropriate action to be taken following a security breach.

a) The Access and Privacy Coordinator shall receive notification of every possible breach of security or confidentiality and review on an incident by incident basis, making recommendations to prevent further breaches.

b) The Access and Privacy Coordinator shall provide further education to the person(s) who breached security or confidentiality if it is appropriate.

c) The Access and Privacy Coordinator shall collect and analyze information on security breaches for the purpose of preparing an Annual Summary Report to the President/Vice-President Administration.

2.16.8. A person convicted of an offence under PHIA may be required to pay a fine up to $50,000. A confirmed breach of confidentiality may be reported to the individual’s professional regulatory body if the violator is a member of a regulated profession.


3.0 ACCOUNTABILITY

3.1. The University Secretary is responsible for advising the President that a formal review of the Procedures is required.

3.2. The Vice-President Administration is responsible for approving the Procedures.

3.3. The FIPPA Office is responsible for implementing the Procedures.

4.0 REVIEW

4.1. Formal Procedure reviews will be conducted every ten (10) years. The next scheduled review date for this/these Procedure(s) is May 7, 2018.

4.2. In the interim, this/these Procedure(s) may be revised or rescinded if:

4.2.1. the Approving Body deems necessary; or

4.2.2. the relevant Bylaw, Regulation(s) or Policy is revised or rescinded.


5.0 EFFECT ON PREVIOUS STATEMENTS

5.1. This/these Procedure(s) supersede(s) the following:

5.1.1. all previous Board/Senate Procedures, and resolutions on the subject matter contained herein, with the exception of FIPPA and PHIA Policy which remains in effect;

5.1.2. all previous Administration Procedures, and resolutions on the subject matter contained herein, with the exception of Administrative Bulletin #76 which remains in effect;

5.1.3. all previous Faculty/School Council Procedures stemming from the Faculty/School Council Bylaw and academic and admission Regulations and any resolutions on the subject matter contained herein.


6.0 CROSS REFERENCES

Cross referenced to:

(1) The FIPPA and PHIA Policy

(2) Administrative Bulletin 76:
The Freedom of Information and Protection of Privacy Act (Manitoba) and The Personal Health Information Act (Manitoba)

(3) Administrative Bulletin 79:
The Ethics of Research Involving Human Subjects
Guidelines: Administrative Research, Interviews and Surveys