Health Privacy Orientation for Researchers - Module 2

Module 2 discusses the security requirements of the Privacy Policy that apply to research involving PHI.

Overview of Safeguards

The Privacy Policy requires that University employees take measures to ensure the confidentiality, security, accuracy, and integrity of the PHI under their control.

Safeguarding PHI is a crucial element of maintaining privacy. Security safeguards must be appropriate to the nature of the information. In other words, the more sensitive the PHI, the more robust the security safeguards need to be. Always consider the sensitivity of the information in your custody.

The goal of these safeguards is to protect PHI from such risks as unauthorized access, use, disclosure, and destruction.

Security safeguards are classified into three categories:

  1. Administrative safeguards
  2. Technical safeguards
  3. Physical/personal safeguards

The safeguards described in this module represent the minimum standard that must be followed.

Administrative Safeguards

Administrative safeguards focus on policies, procedures, and similar directives for the handling of PHI.

The Privacy Policy, supported by this orientation and the PHIA Pledge of Confidentiality, is the University's primary administrative safeguard. Additional requirements enforced at the level of specific office units are also considered administrative safeguards. For example, any collection, use, or disclosure of PHI for a research purpose must be authorized under a Protocol approved by the University Human Research Ethics Board (UHREB) pursuant to the UHREB's policies and procedures.

Technical Safeguards

Technical safeguards focus on protecting PHI stored on electronic devices and media. These include everything from desktop and laptop computers to smartphones, tablets, scanners, all manner of storage media (including thumb or jump drives), and all other movable or removable devices.

Most privacy breaches at the University involve electronic information, with computers, laptops, and flash drives most commonly associated with a breach.

Minimum technical safeguards include:

  • Limiting access to electronic PHI to only those who need to know the information,
  • Using software, hardware, or operating system access controls such as strong passwords to help protect against unauthorized access,
  • Clearing display screens without delay,
  • Logging off or shutting down computers when not in use,
  • Using password protection/encryption* if transporting PHI on electronic devices and media, and
  • When electronic devices and media are disposed of or used for another purpose, completely and effectively removing or destroying all PHI by overwriting deleted information, reformatting the electronic storage medium, or physically destroying the electronic storage medium.

*Excluding BitLocker deployments managed by TSC, be aware that the University cannot assist you in decrypting your files should you lose or forget your password. Back up your files and secure your password to prevent data loss.
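The last item in the list above names overwriting as one acceptable way to remove PHI from media before disposal or reuse. The following is an added example, not code from the orientation module or from the University, showing the overwrite step for a single file. It assumes the file sits on a conventional magnetic disk where writes land in place; on SSDs, USB flash drives, and copy-on-write or journaling filesystems the controller or filesystem may keep the old blocks, so for those the module's other two options (reformatting the medium or physically destroying it) are the reliable choice.

```python
"""Overwrite-then-delete for a file containing PHI.

Added example (not from the orientation module). Assumes in-place writes,
i.e. a conventional magnetic disk; see the caveat above for flash media.
"""
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # write 1 MiB at a time so large files need not fit in memory


def write_sample_file(path, content: bytes) -> int:
    """Create a file with constructed sample content (used by the demo and tests)."""
    Path(path).write_bytes(content)
    return len(content)


def overwrite_file(path, passes: int = 2) -> int:
    """Overwrite the file's current contents in place.

    Every pass but the last writes random bytes; the last writes zeros so the
    result is deterministic. Returns the number of bytes overwritten per pass.
    """
    p = Path(path)
    size = p.stat().st_size
    # O_WRONLY without O_TRUNC: truncating first would release the blocks
    # untouched and the new data could land elsewhere on the disk.
    fd = os.open(p, os.O_WRONLY)
    try:
        for i in range(passes):
            last = i == passes - 1
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                written = os.write(fd, b"\x00" * n if last else secrets.token_bytes(n))
                remaining -= written
            os.fsync(fd)  # push each pass to the device, not just the page cache
    finally:
        os.close(fd)
    return size


def secure_delete(path, passes: int = 2) -> bool:
    """Overwrite, truncate, rename to a meaningless name, then unlink.

    The rename is so the original file name (which may itself reveal who the
    record is about) does not survive in a freed directory entry.
    Returns True when neither the original nor the renamed file remains.
    """
    p = Path(path)
    overwrite_file(p, passes)
    os.truncate(p, 0)
    anonymous = p.with_name(secrets.token_hex(8))
    p.rename(anonymous)
    anonymous.unlink()
    return not p.exists() and not anonymous.exists()


if __name__ == "__main__":
    # Demo on a constructed file in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "participant_P001_notes.txt"
        write_sample_file(sample, b"constructed sample, not real PHI\n")
        print("overwritten bytes:", overwrite_file(sample))
        print("deleted:", secure_delete(sample))
```

The function refuses nothing and checks nothing about the medium, because it cannot: whether a write actually replaces the old data is a property of the disk and filesystem, which is why the module leaves physical destruction as an option.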

Encryption

Encryption is a vital tool for protecting privacy. It is a process by which information is scrambled so that it is unreadable without a password. Encryption is useful for all electronic PHI but it is especially helpful for information stored on laptops, tablets, phones, USB flash drives, and similar small devices that are easily lost or stolen. Encryption can be done at the file level (Word, Excel, PDF, etc.) or at the disk level, known as full-disk encryption.

Encryption tools are often bundled with operating systems, such as BitLocker for newer versions of Windows and FileVault for Apple macOS. Third-party tools are also available, such as the popular (and free) VeraCrypt software for Windows, Apple, and Linux. Even 7-Zip, a commonly used file archiver and compressor, can encrypt multiple files at once.

If you use USB flash devices, consider purchasing models with built-in encryption technology. These flash drives, such as the Kingston DataTraveler Locker or the Verbatim Store 'n' Go Secure Pro, are very affordable and can simplify the process of protecting PHI on the go. Certain encryption tools, such as 7-Zip and VeraCrypt, can also be installed on regular USB drives for added security.

Remember that encryption is only as good as the password that protects it! Be sure to use a strong password at all times.
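To make the two points above concrete (file-level encryption with a password, and the password being the weakest link), here is an added example that is not code from the module and is not how BitLocker, VeraCrypt or 7-Zip are implemented. It assumes the third-party `cryptography` package is installed (`pip install cryptography`). The file format it writes (the `PHIENC1` marker, salt, nonce, ciphertext) is constructed for this example. The two ingredients are the ones any password-based scheme needs: a deliberately slow key derivation so each password guess is expensive, and an authenticated cipher so a wrong password or a modified file is detected rather than silently decrypting to garbage.

```python
"""Password-based file encryption (added example, not from the module).

Assumes the third-party `cryptography` package. The on-disk layout
MAGIC | salt | nonce | ciphertext+tag is constructed for this example.
"""
import secrets
from pathlib import Path

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

MAGIC = b"PHIENC1\x00"   # format marker, constructed for this example
SALT_LEN = 16
NONCE_LEN = 12            # the GCM nonce size
TAG_LEN = 16              # GCM authentication tag appended to the ciphertext
KEY_LEN = 32              # AES-256
ITERATIONS = 600_000      # OWASP's current minimum for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LEN = 14     # the encryption is only as strong as this password


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a key; the iteration count is what makes guessing slow."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=KEY_LEN, salt=salt, iterations=ITERATIONS)
    return kdf.derive(password.encode("utf-8"))


def encrypt_bytes(plaintext: bytes, password: str) -> bytes:
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
    salt = secrets.token_bytes(SALT_LEN)     # fresh per file: same password, different key
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per encryption: never reused with a key
    key = derive_key(password, salt)
    # MAGIC is passed as associated data: authenticated, so it cannot be swapped, but not encrypted.
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + ciphertext


def decrypt_bytes(blob: bytes, password: str) -> bytes:
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < header_len + TAG_LEN:
        raise ValueError("not a file produced by encrypt_bytes")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:header_len]
    ciphertext = blob[header_len:]
    key = derive_key(password, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        # One error for both cases on purpose: GCM cannot distinguish a wrong
        # password from a file that was modified in transit.
        raise ValueError("wrong password or file has been modified") from None


def encrypt_file(src, dst, password: str) -> int:
    """Encrypt src into dst; returns the size of the encrypted file."""
    data = encrypt_bytes(Path(src).read_bytes(), password)
    Path(dst).write_bytes(data)
    return len(data)


def decrypt_file(src, dst, password: str) -> int:
    """Decrypt src into dst; returns the size of the recovered plaintext."""
    data = decrypt_bytes(Path(src).read_bytes(), password)
    Path(dst).write_bytes(data)
    return len(data)


if __name__ == "__main__":
    # Round trip on constructed data; the password here is a sample, not advice.
    blob = encrypt_bytes(b"constructed sample, not real PHI", "correct horse battery staple")
    print(len(blob), "bytes encrypted")
    print(decrypt_bytes(blob, "correct horse battery staple"))
```

Note what the module's footnote means in these terms: the salt and nonce are stored in the file, but the key exists only while the password is known. Nothing in the file lets anyone, including the University, recover the data if the password is lost.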

Physical/Personal Safeguards

These safeguards focus on protecting PHI from physical threats and harms, such as theft, tampering, and unauthorized access. They involve both physical barriers to access and personal behaviours.

Physical/personal safeguards include:

  • Limiting physical access to PHI to only those who need to know the information,
  • Not discussing PHI in the presence of those who are not authorized to know the information,
  • Storing paper files and electronic devices and media containing PHI in a secured place at all times other than when being used as a necessary function of research,
  • Not transporting or otherwise removing PHI from a secured place unless necessary,
  • If transporting or otherwise removing PHI from a secured place, taking only the minimum amount of information necessary and securing it in a briefcase or similar closed, opaque container and under the care and control of an authorized person,
  • Whenever practicable, de-identifying PHI before removing it from a secured place,
  • Not leaving PHI unattended or stored in a vehicle, and
  • Where file folders, records storage boxes, electronic devices and media, and other storage containers contain PHI, using labeling or other means of identification that reveal only the minimum amount of information that is necessary for identification and use.

Secure Records Destruction

Records containing PHI need to be destroyed in a manner that takes into account the sensitivity of the information and protects its security, accuracy, integrity, and confidentiality.

At a minimum, this involves:

  • Shredding of all paper records, and
  • Effective and complete deletion of the information on all electronic devices and media.

Electronic Health Information Systems

Special technical safeguards are required for electronic health information systems (EHIS).

An EHIS is defined in the Privacy Policy as "a computer system or systems delegated to hosting PHI for access by Authorized Persons." In essence, an EHIS is a system or database that permits multiple persons to create, view, and share PHI as required. The eChart system, used by all healthcare regions in Manitoba, is an example of an EHIS.

Some researchers may use an EHIS in the course of their research. Where this is the case, a record of user activity is required. PHIA requires that this record be created and maintained for at least three years. Additionally, at least one audit of the record of user activity must be performed to detect privacy breaches before the record is destroyed.

A record of user activity is defined in the Privacy Policy as "a record about access to PHI maintained on an electronic health information system, which identifies the following:

  • Individuals whose PHI has been accessed,
  • Persons who accessed PHI,
  • When PHI was accessed,
  • The EHIS or component of the system in which PHI was accessed, and
  • Whether PHI that has been accessed is subsequently disclosed under s.22 of PHIA."

A record of user activity may be generated manually or electronically.

However, a record of user activity is not required:

  • If the PHI is limited to, or qualifies or further describes, demographic or eligibility information, or
  • If PHI is accessed or disclosed while an authorized person is generating, distributing, or receiving a statistical report, as long as the responsible administrator for the EHIS:
    • maintains a record of the persons authorized to generate, distribute, and receive such reports, and
    • regularly reviews the authorizations.
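
The requirements above (a record with five specific fields, a retention period of at least three years, and at least one audit to detect breaches before destruction) map naturally onto a small data structure and two checks. The following is an added example, not code from the module and not the University's eChart system. Its assumptions are labelled: a research project keeps its own record of user activity as a list of entries with the five required fields, and its approved Protocol lists which persons may use the EHIS and which individuals (the study participants) they may access. The audit flags accesses by persons not on that list, accesses to individuals outside the cohort (the "employee snooping" pattern from the breach examples later in this module), and lists every access followed by an s.22 disclosure so a reviewer can confirm each was authorized. All entries are constructed sample data.

```python
"""Record of user activity for an EHIS, with the audit and retention checks.

Added example (not from the module). The EHIS component names, persons and
participant identifiers are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple, Union

RETENTION_YEARS = 3  # the record must be kept for at least three years


@dataclass(frozen=True)
class UserActivityEntry:
    individual_id: str     # individual whose PHI was accessed
    person: str            # person who accessed the PHI
    accessed_at: datetime  # when the PHI was accessed
    system: str            # EHIS, or component of it, in which the PHI was accessed
    disclosed_s22: bool    # whether the PHI was subsequently disclosed under s.22 of PHIA


# Constructed sample data for one project using a hypothetical EHIS ("ehis-demo").
AUTHORIZED_PERSONS = {"dr_lee", "ra_smith"}
STUDY_PARTICIPANTS = {"P001", "P002", "P003"}
SAMPLE_RECORD: List[UserActivityEntry] = [
    UserActivityEntry("P001", "dr_lee",    datetime(2024, 3, 1, 9, 15),   "ehis-demo:lab-results", False),
    UserActivityEntry("P002", "ra_smith",  datetime(2024, 3, 2, 14, 0),   "ehis-demo:lab-results", True),
    UserActivityEntry("P999", "ra_smith",  datetime(2024, 4, 9, 23, 40),  "ehis-demo:chart-view",  False),
    UserActivityEntry("P001", "x_unknown", datetime(2024, 5, 10, 8, 5),   "ehis-demo:chart-view",  False),
]


def audit_record(entries: Iterable[UserActivityEntry], authorized_persons, study_participants
                 ) -> List[Tuple[str, UserActivityEntry]]:
    """Return (finding_type, entry) pairs for a reviewer; one entry can yield more than one."""
    findings = []
    for e in entries:
        if e.person not in authorized_persons:
            findings.append(("unauthorized_person", e))
        elif e.individual_id not in study_participants:
            findings.append(("outside_cohort", e))      # authorized user, but not this study's participant
        if e.disclosed_s22:
            findings.append(("s22_disclosure_review", e))  # not a breach by itself; needs confirmation
    return findings


def accesses_per_person(entries: Iterable[UserActivityEntry]) -> Dict[str, int]:
    """Distinct individuals each person accessed: a second view that makes snooping stand out."""
    seen: Dict[str, set] = {}
    for e in entries:
        seen.setdefault(e.person, set()).add(e.individual_id)
    return {person: len(ids) for person, ids in seen.items()}


def may_destroy(entries: List[UserActivityEntry], audited: bool, now: Union[datetime, str]) -> bool:
    """The record may be destroyed only after at least one audit, and only once its newest
    entry is at least RETENTION_YEARS old. `now` may be a datetime or an ISO date string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not audited:
        return False
    if not entries:
        return True
    newest = max(e.accessed_at for e in entries)
    # Feb 29 entries would need special handling; the sample data avoids that date.
    return now >= newest.replace(year=newest.year + RETENTION_YEARS)


if __name__ == "__main__":
    for kind, e in audit_record(SAMPLE_RECORD, AUTHORIZED_PERSONS, STUDY_PARTICIPANTS):
        print(f"{kind:22} {e.accessed_at:%Y-%m-%d %H:%M} {e.person:10} {e.individual_id} {e.system}")
    print(accesses_per_person(SAMPLE_RECORD))
    print("may destroy in 2027-06:", may_destroy(SAMPLE_RECORD, audited=True, now="2027-06-01"))
```

Whether the record is kept by hand or generated by the system, the audit is the same comparison: each access against the list of persons the Protocol authorizes and the participants it covers.
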

Privacy Breach Reporting

A privacy breach can be any collection, use, disclosure, or destruction of PHI in contravention of applicable privacy legislation. In most instances, a privacy breach is caused when PHI is stolen, lost, or accessed inappropriately.

Examples of privacy breaches include:

  • Theft of electronic or paper records from vehicles and homes,
  • Losing laptops, USB sticks, and similar electronic devices and media,
  • Sending emails and email attachments to the wrong recipient,
  • Employee snooping,
  • Paper records being recycled or thrown out instead of shredded,
  • Hacking, phishing, and similar cyber attacks, and
  • Disposal of computer hard drives, cellphones, fax machines, and copiers without deletion of data.

If you receive a complaint about a privacy breach, have any knowledge of a privacy breach, or have a reasonable suspicion that a privacy breach has occurred, you must immediately report the breach to the University's Information and Privacy Officer and the Research Office or UHREB (as the case may be).

Quick reporting is crucial to enable the University to take appropriate measures to contain and investigate the breach.

Module 2: Recap

Key Points

  • Safeguards must be appropriate to the sensitivity of the information.
  • Administrative safeguards focus on policies and procedures for handling PHI.
  • Technical safeguards include:
    • Access controls such as strong passwords,
    • Clearing display screens and logging off computers,
    • Using password protection/encryption if transporting electronic PHI,
    • Removing or destroying PHI when electronic devices and media are disposed of or used for another purpose, and
    • If using an EHIS, ensuring a record of user activity is created and maintained.
  • Physical safeguards include:
    • Not discussing PHI in the presence of those who are not authorized to know the information,
    • Storing records containing PHI in a secured place,
    • Limiting the transportation of PHI and not taking more than the minimum amount necessary,
    • Not leaving PHI unattended or stored in a vehicle, and
    • Discreet labeling of file folders, records storage boxes, etc.