Health Privacy at UWinnipeg - Module 2

Module 2 presents the five key health privacy requirements that every UWinnipeg employee with access to PHI should understand and follow.

Requirement #1 - Limited and Informed Collection

UWinnipeg may only collect PHI where the information is necessary for an approved University function or activity. PHI cannot be collected "just in case" - there needs to be a valid, necessary purpose to collect the information.

Collection includes all of the ways that the University gathers, compiles, receives, or otherwise brings in PHI, such as through:

  • Verbal requests,
  • Forms, sign-up sheets, notes, reports, surveys, etc.,
  • Receiving PHI from third parties,
  • Taking photos / creating audio-visual recordings,
  • Specialized equipment and software (e.g., x-ray, MRI).

When collection is approved, we may only collect the least amount of PHI necessary to carry out the task at hand. And whenever possible, PI / PHI must be collected directly from the individual to whom it relates and with their written consent.

Privacy Notices

When collecting PHI directly from an individual, they must be provided with a privacy notice.

A privacy notice sets out key information regarding the University's collection of PHI and is typically included on documents such as forms, surveys, and online submission pages. Other forms of notice are possible and notice may also be given verbally (if necessary).

A privacy notice must provide the:

  • Purpose for the collection, including information regarding intended use and sharing, and
  • Contact information of a UWinnipeg employee who can answer questions about the collection.

An example notice for a therapy intake form might be:

Personal health information on this form is collected to process your request for therapy and to assist your therapist's work with you. It will be used by your therapist to provide you with therapy and may also be used for administrative functions related to the provision of therapy. Questions can be directed to your therapist or the Information and Privacy Officer, 515 Portage Avenue, Winnipeg, MB R3B 2E9, phone 204-988-7538.

Requirement #2 - Limited Use and Disclosure

UWinnipeg's use and disclosure of PHI is also strictly regulated by PHIA.

Restrictions on the use and disclosure of PHI help to avoid "creep", where information collected for one purpose is used for another purpose without the knowledge and consent of the affected individual. They also protect against other inappropriate uses and disclosures of PHI, such as employee snooping.

The term "use" covers all of the ways that employees use and share PHI within UWinnipeg. Examples include viewing documents containing PHI, sharing them with other employees, and all other handling of PHI at work.

The term "disclosure" covers all of the ways that employees share, or provide access to, PHI outside of UWinnipeg. Examples include sharing PHI with:

  • parents,
  • other health trustees,
  • students (who are not also employees),
  • product vendors,
  • other universities,
  • anyone else outside of UWinnipeg.

Purpose Limitation

PHI may only be used to carry out the purpose for which it was collected or received. Otherwise, the affected individual must consent to the new use. There are some exceptions to this rule, but these are rarely relied on by universities. So, for the most part, we only use PHI for the purpose(s) set out in the privacy notice provided at the time of collection.

In the case of disclosure of PHI, the rule is similar - UWinnipeg may only disclose PHI to carry out the purpose for which the PHI was collected or received. Otherwise, the individual's consent is required. As with use, there are exceptions to this rule. One worth noting is the exception that permits disclosure without consent if we believe that disclosure is necessary to prevent or lessen:

  • a risk of harm to the health or safety of a minor, or
  • a risk of serious harm to the health or safety of the individual the information is about or another individual, or to public health or public safety.

In the case of emergencies as described above, it is important to take whatever action is reasonably necessary to prevent or lessen the harm. This is an occasion where safety concerns may override privacy rights. Do whatever is reasonable to protect the individual.

In non-emergencies, speak with your supervisor or the Information and Privacy Officer to ensure that a disclosure without consent is permitted. In emergencies, do not hesitate to take action.

Least Amount Necessary

Finally, all use and disclosure of PHI must be limited to the least amount of information necessary to accomplish the task at hand.

This applies to use within an office, sharing with other offices, and sharing with third parties. In all cases, no more information than is necessary should be accessed or shared.

This rule of minimum use also prohibits employee snooping. This involves viewing information without a valid purpose. Even if a University employee has legitimate access to a large database of PHI, for example, that information must only be viewed as required for necessary work purposes.

Use and disclosure should also be limited to the fewest persons reasonably necessary to carry out the purpose for which the information is used or disclosed. As always, the more sensitive the information, the more important this rule becomes.

Requirement #3 - Need to Know

All use and disclosure of PHI must be on a strict need-to-know basis. This rule applies for the entire life cycle of a record, from the first point of collection until final destruction.

As before, access to PHI should be limited to the fewest number of individuals reasonably necessary to carry out a given task. This is particularly important with especially sensitive PHI.

Implementing the need-to-know principle also relates to how you organize your records. Access to records should be segregated along a need-to-know basis. Separating records so that only certain categories of employees have ready access is an important privacy protection.

Requirement #4 - Accuracy and Integrity

Because PHI is often used to make decisions that affect individuals, it is important to collect and maintain accurate information. As always, the more sensitive the information, the more crucial this rule becomes.

Before using or disclosing PHI, take reasonable steps to ensure that the information is accurate, up-to-date, complete, and not misleading. This is of particular importance if information in your custody is dated, incomplete, or was collected from a third party source (i.e., not from the individual to whom the information relates).

It's also important to ensure, when dealing with requests for disclosure of PHI, that the request contains sufficient detail to uniquely identify the individual the PHI is about.

Ensuring the integrity of PHI is also an issue. Integrity is defined in the Privacy Policy as “the preservation of the content of PI or PHI throughout its storage, use, transfer, and retrieval so that there is confidence that the information has not been tampered with or modified other than as authorized.” You may wish to create logs and similar records of access and changes to information to ensure sensitive PHI is updated only when appropriate.

Requirement #5 - Consent Standards

As before, it is good practice to obtain consent before collecting, using, or disclosing PHI. This is of particular importance for especially sensitive information. And in some instances, express consent is required under PHIA.

If consent is obtained for the collection, use, or disclosure of PHI, that consent must:

  • Be in writing or otherwise electronically or manually recorded,
  • Relate to the purpose for which the PHI is being collected,
  • Be knowledgeable, so that it is reasonable to expect that an individual to whom the University’s activities are directed would understand the nature, purpose, and consequences of the collection to which they are consenting, including the implications of withdrawal of consent where applicable,
  • Be voluntary, and
  • Not be obtained through misrepresentation.

Additionally, consent must be express, and not implied, when consent is the basis for:

  • A disclosure to a person that is not a health trustee under PHIA, or
  • A disclosure to another health trustee under PHIA, but the disclosure is not for the purpose of providing health care or assisting in providing health care.

Module 2: Recap

Key Points

  • Ensure that all collection of PHI is necessary, limited to the minimum amount of information, and accompanied by a privacy notice.
  • Ensure that all use and disclosure of PHI is necessary to carry out the purpose of collection and limited to the minimum amount of information required.
  • Use and disclose PHI on a need-to-know basis.
  • Don't snoop.
  • Maintain accuracy and integrity.
  • Obtain valid consent whenever possible and when necessary.