Health Privacy at UWinnipeg - Module 3
Module 3 explains how to safeguard PHI in accordance with the Privacy Policy.
Employees must protect the confidentiality, security, accuracy, and integrity of the PHI under their control. Protective measures should be applied throughout the lifecycle of a record: from collection to use, disclosure, storage, and destruction.
Security safeguards must be appropriate to the nature of the PHI. The more sensitive the information, the more robust the security safeguards need to be.
Security safeguards are classified into three categories:
- Administrative safeguards
- Technological safeguards
- Physical / personal safeguards
The safeguards that follow represent the minimum standard that must be followed. Additional measures should be taken where appropriate. University administrators have an obligation to ensure that the information in the custody or under the control of their office(s) is adequately protected. Assistance is available from the Information and Privacy Officer, as well as the University's Senior Information Security Administrator.
Administrative safeguards focus on policies and procedures for the protection of PHI.
The Privacy Policy is the University’s primary administrative safeguard, but office-level policies and procedures may be created to:
- Designate access to PHI based on particular office role,
- Undertake a privacy impact assessment (PIA) before commencing new projects,
- Implement specific training requirements for employees who handle PHI.
If office-level privacy policies and procedures are created, please provide a copy to the Information and Privacy Officer.
Technological safeguards are focused on protecting PHI stored on electronic devices and media. These include everything from desktop and laptop computers to smart phones, tablets, all manner of storage media, flash drives, and all other movable or removable devices.
Most privacy breaches at the University involve electronic information, with computers, laptops, and flash drives most commonly associated with a breach. Technological safeguards are one of the most challenging and important considerations in protecting PHI.
Technological safeguards include:
- Limiting access to electronic PHI (such as PHI stored on shared drives) to only those who need to know,
- Using available access controls, such as strong passwords, to help protect against unauthorized access to accounts and devices,
- Clearing display screens and logging off / shutting down computers,
- Using password protection/encryption* if transporting PI / PHI on laptops, smart phones, or similar electronic devices and media,
- Consulting the Guidelines for the Communication of Personal and Personal Health Information,
- Transferring emails containing PHI from inboxes to secure network drives,
- When electronic devices and media are disposed of or used for another purpose, removing or destroying all PHI.
*Excluding BitLocker deployments managed by TSC, be aware that the University cannot assist you in decrypting your files should you lose or forget your password. Back up your files and secure your password to prevent data loss.*
All UWinnipeg employees should be familiar with encryption, which scrambles electronic information so that it is unreadable without a special key. It is a vital aid for protecting privacy and is especially helpful for laptops, tablets, USB flash drives, and similar devices that are easily lost or stolen. PI / PHI stored on these devices must be encrypted during transport.
Encryption can be done at the file level (Word, Excel, PDF, etc.) or at the disk level, known as disk encryption. This latter form of encryption protects an entire disk drive (or a specified part thereof) and is a powerful tool to lessen the likelihood and impact of privacy breaches.
Encryption tools are often bundled with operating systems, such as BitLocker for newer versions of Windows and FileVault for Apple iOS. Third-party tools are also available, such as the popular (and free) VeraCrypt software available for Windows, Apple, and Linux. Even 7-Zip, a commonly used, free file archiver / compressor, can be used to encrypt multiple files at once.
It is also a good plan to purchase at least one USB flash drive with built-in encryption technology. These are more affordable than ever and simplify the process of protecting PI / PHI on the go. Certain encryption tools, such as 7-Zip and VeraCrypt, can also be used on regular USB drives for added security.
Remember that encryption is only as good as the password that protects it. Be sure to use a strong password at all times. Avoid reusing passwords across multiple accounts.
Where an office utilizes a shared network drive to maintain PHI, the responsible administrator needs to ensure the following is done:
- Ensure that access to PHI is restricted to only those who need to know,
- Maintain a record of the persons authorized to access PHI, and
- Regularly review the authorizations and update as required.
Special safeguards are required for electronic health information systems (EHIS).
An EHIS is defined in the Privacy Policy as "a computer system or systems delegated to hosting PHI for access by Authorized Persons." In essence, an EHIS is a specialized system that permits multiple persons to create, view, and share PHI as required to provide service. The eChart system, used by all healthcare regions in Manitoba, is an example of an EHIS.
Some UWinnipeg departments may use an EHIS to provide health care or other services at the University that involve PHI. As required by PHIA, where an office utilizes an EHIS, the responsible administrator of the department must:
- Create and maintain, or have created and maintained, a record of user activity for at least three years,
- Ensure that at least one audit of the record of user activity is performed to detect privacy breaches before the record is destroyed, and
- Provide a copy of the completed audit to the University's Information and Privacy Officer.
A record of user activity is defined in the Privacy Policy as "a record about access to PHI maintained on an electronic health information system, which identifies the following:
- Individuals whose PHI has been accessed,
- Persons who accessed PHI,
- When PHI was accessed,
- The EHIS or component of the system in which PHI was accessed, and
- Whether PHI that has been accessed is subsequently disclosed under s.22 of PHIA."
A record of user activity may be generated manually or electronically.
However, a record of user activity is not required:
- If the PHI is limited to, or qualifies or further describes, demographic or eligibility information (as defined in PHIA), or
- If PHI is accessed or disclosed while an authorized person is generating, distributing, or receiving a statistical report, as long as the responsible administrator for the office:
  - maintains a record of the persons authorized to generate, distribute, and receive such reports, and
  - regularly reviews the authorizations.
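As an added example that is not part of the module or of any UWinnipeg system, the following Python sketch models the five elements a record of user activity must identify and runs the kinds of checks an audit before destruction would include: completeness of each row, users who opened an unusual number of distinct individuals' PHI, and whether the three-year retention and the audit precondition are both satisfied. Field names, the sample rows, the one-hour window and the ten-individual threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AccessRecord:
    """One row of a record of user activity: the five elements the Privacy Policy names."""
    individual_id: str      # individual whose PHI was accessed
    user_id: str            # person who accessed the PHI
    accessed_at: datetime   # when the PHI was accessed
    component: str          # EHIS, or component of it, in which PHI was accessed
    disclosed_s22: bool     # whether the PHI was subsequently disclosed under s.22 of PHIA

RETENTION = timedelta(days=3 * 365)   # "at least three years"

# Constructed sample log (assumption): u_lee views two charts; u_smith opens 12 charts in 12 minutes.
SAMPLE_LOG = [
    AccessRecord("pt-101", "u_lee", datetime(2023, 1, 9, 9, 0), "eChart/demographics", False),
    AccessRecord("pt-102", "u_lee", datetime(2023, 1, 9, 9, 30), "eChart/clinical", True),
] + [
    AccessRecord(f"pt-{200 + n}", "u_smith", datetime(2023, 1, 9, 14, n), "eChart/clinical", False)
    for n in range(12)
]

def incomplete_records(records):
    """Indexes of rows missing a required element; such rows cannot support an audit."""
    return [i for i, r in enumerate(records)
            if not (r.individual_id and r.user_id and r.component) or r.accessed_at is None]

def flag_unusual_access(records, window=timedelta(hours=1), max_individuals=10):
    """Users who accessed more than max_individuals distinct people inside any one window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r.user_id].append(r)
    flagged = set()
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r.accessed_at)
        for i, start in enumerate(rows):
            seen = {r.individual_id for r in rows[i:] if r.accessed_at - start.accessed_at <= window}
            if len(seen) > max_individuals:
                flagged.add(user)
                break
    return sorted(flagged)

def may_destroy(record, now, audited):
    """Destruction is allowed only after retention has elapsed AND at least one audit was performed."""
    return audited and (now - record.accessed_at) >= RETENTION
```

A real audit would also reconcile the rows flagged as s.22 disclosures against the office's disclosure log; that step is omitted here.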
Physical / personal safeguards are focused on protecting PI / PHI from physical threats and harms, such as theft, tampering, and unauthorized access. They involve both physical barriers to access as well as personal behaviours.
Physical / personal safeguards include:
- Limiting physical access to PHI to only those who need to know,
- Not discussing PHI in the presence of those who are not authorized to know the information,
- Storing paper files and electronic devices and media containing PHI in a secured place except when they are in use as a necessary function of work,
- If communicating PHI through the mail or by telephone, consulting the Guidelines for the Communication of Personal and Personal Health Information,
- Not transporting or otherwise removing PHI from a secured place unless necessary,
- If transporting or otherwise removing PHI from a secured place, taking only the minimum amount of information necessary and securing it in a briefcase or similar closed, opaque container and under the care and control of an authorized person,
- Whenever practicable, de-identifying PHI before removing it from a secured place,
- Not leaving PHI unattended or stored in a vehicle,
- Labeling file containers with the minimum amount of PI / PHI necessary for identification and use, and
- Secure destruction (i.e. shredding).
- Safeguards must be appropriate to the sensitivity of the information.
- Administrative safeguards focus on policies and procedures for handling PHI.
- Technological safeguards include:
  - Access controls such as strong passwords,
  - Using password protection/encryption if transporting electronic PHI,
  - Removing or destroying PHI when electronic devices and media are disposed of or used for another purpose.
- Physical / personal safeguards include:
  - Not discussing PHI in the presence of those who are not authorized to know the information,
  - Storing records containing PHI in a secured place,
  - Limiting the transportation of PHI and not taking more than the minimum amount necessary,
  - Not leaving PHI unattended or stored in a vehicle.