Health Privacy at UWinnipeg - Module 1
Module 1 introduces important concepts and definitions related to health privacy.
Privacy is a common term. But what does privacy really mean?
Privacy is an individual's right to understand and control how their information is collected, used, and shared by others.
At UWinnipeg, privacy includes all of the ways that we collect, use, store, share, and protect the information of our students, fellow employees, and others with whom we engage.
This type of privacy is often referred to as "informational privacy".
In a basic sense, respecting privacy demonstrates care - for students, for fellow employees, and for anyone with whom we have a relationship. UWinnipeg strives to provide a community which appreciates, fosters, and promotes values of human dignity, equality, nondiscrimination, and appreciation of diversity. Showing care for people's sensitive, private information helps to achieve this goal.
Privacy is of particular importance in the context of personal health. Almost no information is more sensitive than health information. Not only does health information relate directly to an individual's physical and mental health and well-being, the consequences of a breach of privacy can be highly detrimental to the individual when sensitive health information is lost, stolen, or used inappropriately. For example, the individual may no longer feel comfortable sharing their information with health care providers, which may lead to negative impacts on their health and well-being.
Other benefits of respecting privacy include:
- Contributing to a safe and welcoming work and learning environment,
- Lessening the likelihood and potential impact of privacy breaches,
- Developing and preserving a positive reputation,
- Adhering to law.
Manitoba has two main laws that protect personal privacy: The Freedom of Information and Protection of Privacy Act (FIPPA) and The Personal Health Information Act (PHIA).
FIPPA and PHIA apply to various public bodies in Manitoba, including all colleges and universities. They require that we handle information about students, employees, and other individuals with respect and safeguard it against misuse. Violating FIPPA and PHIA can lead to serious consequences.
UWinnipeg's Privacy Policy was created, among other reasons, to enhance compliance with FIPPA and PHIA.
This course will briefly discuss FIPPA before turning to PHIA's requirements regarding health information privacy, as set out in the Privacy Policy.
Privacy is focused on the respectful handling and protection of personal information (PI).
PI is defined in the Privacy Policy as "recorded information about an identifiable individual." Basically, any information contained in a record (paper or electronic) that can be linked to an identifiable individual is considered that individual's PI.
PI includes but is not limited to an individual’s:
- Name, home address, and personal contact information,
- Age, sex, sexual orientation, marital or family status,
- Ancestry, race, colour, nationality, or national or ethnic origin,
- Personal health information,
- Education, employment or occupation, or educational, employment, or occupational history,
- Source of income or financial circumstances, activities, or history.
With a few exceptions, all PI is protected under the Privacy Policy. One such exception is business contact information (i.e., information found in the University's employee directory), which may be shared freely without consent.
In the case of students, examples of PI include:
- Name and student number,
- Contact information (including WebMail address),
- Student card photo,
- Grades, assignments, and assessments,
- Financial standing.
You may have noticed that personal health information (PHI) is included within the definition of PI.
PHI is one of the most sensitive types of PI and is defined in the Privacy Policy as "recorded information about an identifiable individual that relates to:
- The individual's health, or health care history, including genetic information about the individual,
- The provision of health care to the individual, or
- Payment for health care provided to the individual,"
And includes but is not limited to:
- "The personal health identification number (PHIN) and any other identifying number, symbol, or particular assigned to an individual, and
- Any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care."
PHI can relate to any care, service, or procedure provided:
- To diagnose, treat, or maintain an individual’s physical or mental condition,
- To prevent disease or injury or promote health, or
- That affects the structure or function of the body,
including the sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription.
However, PHI does not include:
- Statistical health information, or
- Health information that does not, either by itself or when combined with other information, allow an individual to be readily identified.
Be careful before deciding that information that does not readily identify an individual is anonymous. Is there no reasonable way that the individual could be identified?
PHI is commonly found in records such as:
- Medical notes, information, and records,
- Counselling / therapy notes, information, and records,
- Prescriptions,
- Accessibility and accommodation records,
- Health evaluations, incidents, and reports,
- Any other record created or received in the course of providing health care services or accepting payment for health care services.
Because PHI is so sensitive, it is vital to treat it with the highest level of care and protection. All types of PI / PHI should be protected accordingly to their sensitivity. The more sensitive the information, the more care and protection required. A breach of privacy involving PHI can have particularly severe consequences for the affected individuals, as well as for the organization and individuals responsible for the breach.
Under PHIA, UWinnipeg is considered a "trustee" of PHI. Trustees and employees of trustees are responsible for handling, protecting, and providing access to PHI in accordance with PHIA's requirements.
A trustee can be a:
- health professional (doctors, dentists, nurses, pharmacists, social workers, etc.),
- health care facility (hospital, personal care home, clinic, laboratory, etc.),
- public body (university, college, municipality, etc.), or
- health services agency (e.g. community- or home-based health care service providers).
Key Points
- Privacy is an individual's right to control how their information is collected, used, and shared by others.
- Personal information (PI) is recorded information about an identifiable individual and when this information relates to health, it becomes personal health information (PHI).
- PHI is especially sensitive and must be handled and protected with great care.
- Manitoba has two laws – FIPPA and PHIA – that regulate UWinnipeg's handling of PI and PHI, respectively.
- All information must be handled and protected according to its sensitivity.
- UWinnipeg is a trustee of PHI under PHIA.