The University of Manitoba

1. The University of Manitoba Access & Privacy Coordinator’s Office FIPPA and PHIA at University of Manitoba

2. Access & Privacy Coordinator’s Office Access & Privacy Office Access & Privacy Coordinator’s Office 233 Elizabeth Dafoe Library University of Manitoba Winnipeg, MB. R3T 2N2 E-mail: fippa@umanitoba.ca Fax: 474-9308

3. Access & Privacy Coordinator’s Office Objectives To provide a basic understanding of FIPPA and PHIA To identify roles and responsibilities under FIPPA and PHIA To give you information to enable you to sign the PHIA Pledge of Confidentiality.

4. Access & Privacy Coordinator’s Office FIPPA/PHIA Training Program The FIPPA/PHIA Training Program consists of: a) reading the UM Policies and Procedures b) reviewing this training presentation c) signing the PHIA Pledge of Confidentiality.

5. Access & Privacy Coordinator’s Office Policies and Procedures The University has Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution. The Policies and Procedures are available at the University/Access & privacy office website. website. Key in “PHIA” for information about PHIA. Key in “FIPPA” for information about FIPPA.

6. Access & Privacy Coordinator’s Office Overview What are FIPPA and PHIA? Key Definitions Access to Information Protection of Privacy and Confidentiality Collection, Use, Disclosure, Storage and Disposal Breaches of Confidentiality Pledge of Confidentiality

7. Access & Privacy Coordinator’s Office The Freedom of Information and Protection of Privacy Act (FIPPA) FIPPA is a provincial statute that: provides an individual with the legal right to access the information of a public body* and requires public bodies to protect personal information held in their records. * Subject to certain exceptions

8. Access & Privacy Coordinator’s Office The Personal Health Information Act (PHIA) Is a Manitoba law that protects the privacy of all personal health information (“PHI”) that can identify an individual. A government Act is a law or rule that must be obeyed

9. Access & Privacy Coordinator’s Office The Personal Health Information Act (PHIA) The purposes of PHIA are: to provide the right to examine or receive a copy of PHI to provide the right to request corrections to your own PHI to establish rules for collection, use and disclosure of PHI to control the collection, use and disclosure of PHIN to provide for an independent reviewof the actions of a trustee.

10. Access & Privacy Coordinator’s Office Principles of Privacy Legislation These principles summarize the requirements of FIPPA and PHIA: Controlled Collection of Personal Information Limited Use of Personal Information Limited Disclosure of Personal Information Information Management - retention, security, disposal Ensured Individual Access to Personal Information Openness Accountability Independent review – Manitoba Ombudsman/Adjuticator

11. Access & Privacy Coordinator’s Office Balancing Access and Privacy Access Privacy

12. Access & Privacy Coordinator’s Office The University of Manitoba is a local public body, which falls under both FIPPA and PHIA. Under PHIA, the University is considered a Trustee of personal health information. FIPPA and PHIA at the University of Manitoba

13. Access & Privacy Coordinator’s Office The University of Manitoba The University of Manitoba has a duty to: help individuals gain access to information, particularly their own personal information; and protect the privacy of individuals in the collection, use, disclosure, storage and destruction of Personal Information and Personal Health Information.

14. Access & Privacy Coordinator’s Office Key Definitions What is Personal Information?

15. Access & Privacy Coordinator’s Office Personal Information is: Recorded information about an identifiable person including: name, home contact information age, sex, sexual orientation, marital or family status ancestry, race, colour, nationality, national or ethnic origin religion, creed religious belief, association or activity blood type, fingerprints, hereditary characteristics political belief, association or activity education, employment or occupation, history of these three source of income, financial circumstances, activities or history criminal history, including regulatory offences individual’s own personal views, except if about another person views or opinions about the individual expressed by another person identifying number, symbol or other particular assigned to the individual personal health information

16. Access & Privacy Coordinator’s Office Key Definitions What is Personal Health Information?

17. Access & Privacy Coordinator’s Office Personal Health Information (PHI) is: Recorded information about an identifiable individual that relates to: the individual’s health, or health care history, including genetic information about the individual; the provision of health care to the individual, including a doctor’s note; payment for health care provided to the individual, and includes bills, receipts, etc.; the PHIN and any identifying number, symbol or particular assigned to an individual; and any identifying information about an individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

18. Access & Privacy Coordinator’s Office Personal Information does NOT include: Anonymous or statistical information that does not permit individuals to be identified However, if two or more seemingly anonymous or statistical data items can be combined to readily identify an individual, the data may be considered personal information

19. Access & Privacy Coordinator’s Office Access to Personal Information Individuals have a right to: Review their personal information Request corrections be made where necessary Receive a copy upon request *Some restrictions apply to these rights

20. Access & Privacy Coordinator’s Office COLLECTION of Personal Information

21. Access & Privacy Coordinator’s Office Collection of PHI When collecting Personal Information: Individuals are to be NOTIFIED about the PURPOSE for which PI is collected. PI should be used only for the purpose for which it was originally collected. Public Bodies may only collect as much PI as is reasonably necessary to accomplish the purpose for which it is collected. Whenever possible, PI is to be collected directly from the individual concerned.

22. Access & Privacy Coordinator’s Office USE and DISCLOSURE of PI

23. Access & Privacy Coordinator’s Office Use and Disclosure of PI USE means revealing PI to someone within the trustee’s organization. DISCLOSURE means revealing PI to someone outside the trustee’s organization.

24. Access & Privacy Coordinator’s Office Use and Disclosure of PHI You may use or disclose personal health information ONLY if: you need to know this information to do your job you are a person permitted to exercise the rights of another individual (e.g., you are the son or daughter of an elderly person) you are entitled by PHIA, ss. 21, 22, or by other legislation you have consentfrom the individual the PHI is about

25. Access & Privacy Coordinator’s Office Use and Disclosure of PI You cannot use or disclose personal information: In the presence of those that are NOT entitled to the information; or In public places, such as elevators, lobbies, cafeterias, off premises, etc. Be aware of surroundings. Personal Information, especially health information, is best discussed in a closed setting.

26. Access & Privacy Coordinator’s Office • A person has a right to request a copy of his/her PI from the holding trustee/public body. • Individuals may request that a trustee make corrections to their PI. • Individuals need to be notified about how their • PI will be used and disclosed. • Access to PI should be limited to those • who need to know to do their jobs. Quick Review

27. Access & Privacy Coordinator’s Office PROTECTION of Personal Information

28. Access & Privacy Coordinator’s Office SECURITY and STORAGE of PI Personal Information is to be properly secured and maintained to protect privacy and confidentiality. Personal Information is to be protected from accidental destruction or deterioration or loss by heat, cold, moisture, theft, or vandalism.

29. Access & Privacy Coordinator’s Office Protection of Privacy General responsibilities of trustees: Limit on amount of Personal Information used or disclosed Limit access to those who NEED TO KNOW to carry out their responsibilities Restrictions on Use of PI Restrictions on Disclosure of PI Ensure Accuracy of PI Security safeguards on PI

30. Access & Privacy Coordinator’s Office • Four main types of Safeguards: • Administrative – procedures, controlled distribution of keys, combinations, codes • Technical – locked doors, deadbolts and filing cabinets, limited access to office machines, e.g. fax • Physical – office arrangement, segregation of PI, clean desks, positioning of computer so passers-by cannot observe monitor • Electronic – passwords, encryption, anti-virus software, firewalls Protecting and Safeguarding PI

31. Access & Privacy Coordinator’s Office Privacy and Confidentiality Privacy and confidentiality must be protected during: collection – taking information from a patient, client, research participant or other; having an individual give information on a form access – gaining entrance to use – transferring the information within the trustee disclosure – transferring the information beyond the trustee storage – holding the information after its day-to-day use is ended destruction – destroying the information after the need for retention is ended

32. Access & Privacy Coordinator’s Office Disposal of PI A trustee must ensure that Personal Information is destroyed by methods that protect the privacy of the individual the information is about.

33. Access & Privacy Coordinator’s Office Breach of Security A Breach of Security occurs whenever personal information records (electronic or non-electronic) are improperly collected, used, disclosed, or destroyed, or when the integrity of the information is compromised.

34. Access & Privacy Coordinator’s Office Breach of Security Examples A Breach of Security occurs when: PI is shared (used or disclosed) with those not entitled to that information. PI is removed from the custody of the trustee without authorization. PI is accessed by someone not entitled to that information. The integrity of a record is compromised.

35. Access & Privacy Coordinator’s Office Breach of Security A breach of security can result in identity theft, financial and other losses, and exposure of an individual or individuals to personal danger.

36. Access & Privacy Coordinator’s Office Breaches at the University If you know or suspect a Breach of Security has occurred, immediately notify: The head of your UM office, UM health unit, or health care agency. The head will notify the dean or director, the VP Administration, and the Access & Privacy Coordinator’s Office.

37. Access & Privacy Coordinator’s Office Breaches at the University The VP Administration, in consultation with others, will decide whether an investigation is necessary; If the decision is “yes,” the VP Administration will appoint an investigator who will: - inquire into the allegation - consult with appropriate persons - document findings - determine whether a breach has occurred - recommend disciplinary action

38. Access & Privacy Coordinator’s Office Policies and Procedures The University has FIPPA and PHIA Policies and Procedures that provide specific rules about access to and protection of personal information held by the institution. The University’s FIPPA and PHIA Policies and Procedures are available at: http://umanitoba.ca/admin/vp_admin/fippa/

39. Access & Privacy Coordinator’s Office PHIA Policies and Procedures 1) All University employees and persons associated with the University are responsible for protecting the security and confidentiality of all personal health information (verbal or recorded in any form) that is obtained, handled, viewed, heard, or learned, in the course of their work or association with the University.

40. Access & Privacy Coordinator’s Office 2) Personal health information shall be protected during its collection, access, use, retention, storage and destruction. 3) You may only use or disclose PHI in the discharge of your responsibilities and duties (including reporting duties imposed by legislation) and based on the NEED To KNOW. PHIA Policies and Procedures

41. Access & Privacy Coordinator’s Office PHIA Policies and Procedures 4) Discussion regarding personal health information shall not take place in the presence of persons not entitled to such information, or in public places (elevators, lobbies, cafeterias, off premises, etc.).

42. Access & Privacy Coordinator’s Office PHIA Policies and Procedures 5) Unauthorized use or disclosure of confidential information shall result in a disciplinary response up to and including termination of employment/contract/association/appointment. 6) A person convicted of an offence under The Personal Health Information Act may be required to pay a fine of up to $50,000.

43. Access & Privacy Coordinator’s Office PHIA Policies and Procedures 7) A confirmed breach of confidentiality may be reported to the individual’s professional body. 8) All individuals who become aware of a possible breach of the security or confidentiality of personal health information shall follow the procedures outlined under “Breach of Security.”

44. Access & Privacy Coordinator’s Office PHIA PLEDGE of CONFIDENTIALITY At the University, a Personal Health Information Pledge of Confidentiality (“Confidentiality Pledge”) is required of individuals as a condition of their employment, appointment, contract, or association with designated faculties, programs and offices,and as a condition of research involving humans. The requirement extends to student employees and researchers.

45. Access & Privacy Coordinator’s Office PLEDGE A solemn promise to do or to refrain from doing something

46. Access & Privacy Coordinator’s Office Thank You!