PHIA – Personal Health Information Act
Why – Privacy law
- 1980 – OECD Fair Information Practices
- European Union – 1990s – principles enshrined
- Canadian Standards Association – model code for the protection of personal information – 10 principles
- Provincial Government Departments and Government Agencies
- Local Government Bodies
  - Municipalities
  - Northern Affairs Councils
  - Conservation and Planning Districts
- Health Care Bodies
  - Regional Health Authorities
  - Hospitals
- Educational Bodies
  - School Divisions/School Districts
  - Universities
  - Colleges
- Public bodies under FIPPA
- Licensed, registered or designated Health Professionals
- Health care facilities
  - Hospitals, Personal care homes
- Health services agencies
  - VON, We Care, Lab/X-Ray Clinics, Cancer Care, Community clinics
Definitions
- FIPPA
  - Record
    - Electronic, handwritten, photo, fax, e-mail
  - Personal Information
    - Recorded about an identified individual – name, address, belief, numbers assigned
  - Limits
    - Court system, exam question, behalf act
  - Exercising the rights of another person
    - Parents, guardian, child can act under minor requires privacy, based upon their maturity
- PHIA
  - Personal Health Information
    - Records identification number
  - Health Care
    - Provision
  - Exercising the rights of another person
    - Require rights, judgement, be compatible on someone else’s behalf
- Rights under FIPPA
  - Prescribed form, time frame and fees
  - Section 17 and Section 30
  - Correction
- Rights under PHIA
  - Requesting one’s own personal health information
  - Section 11
  - Correction
Privacy
- Provides for privacy and confidentiality by imposing some restrictions on the:
  - Collection
  - Use
  - Disclosure
  - Retention, and
  - Destruction
  of personal/personal health information
Privacy limitations
- Less is Best – Public Bodies/Trustees/Organizations should only collect, use and disclose the minimum amount of information for an identified purpose
- Employee access should be limited to and based on the need to know principle
10 privacy principles
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure, and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
Accountability
- Responsible for the information under the organization’s control
  - FIPPA – Access and Privacy Officer; Access and Privacy Coordinator
  - PHIA – Privacy Officer
  - Responsibility assigned, know legislation, rights responsibility
- Any information in the possession, custody or control of the organization
  - Inside or outside of organization
  - If in custody of a 3rd party, ensure confidentiality by contract
    - Clauses bounded rules
- Policies, procedures to protect, an internal review process, training
Identifying purposes
- Notice – FIPPA/PHIA
  - Orally or in writing
  - Why was the personal information collected?
  - Explanation
- Regarding use or disclosure
  - How will this information be shared?
Consent
- Required for collection, use and disclosure
  - Exceptions – FIPPA/PHIA
- At time of collection
- Informed consent
  - Explicitly specified and legitimate purposes
  - Time limited
  - Ability to withdraw
- Forms of consent
  - Written/oral
  - Check-off box
  - Implicit/Explicit
- Don’t want information
  - Need consent
Limiting collection
- To the necessary information for purpose identified
- By fair and lawful means
- Collection with consent
FIPPA – Section 37
- While determining eligibility
- Time and circumstances
- Harm
- Inaccurate information
- Law enforcement
- HR activities
- Parole/Probation
- Enforcing maintenance orders
- Auditing, evaluating programs
- Informing Public Trustee/Vulnerable Persons Commissioner
- Endanger the mental or physical health or safety of individual or another person
- Time and circumstances
- Inaccurate information
- Court order or another Manitoba or Federal Act
Limiting use, disclosure, and retention
Use
- Sharing within an organization
- For the purpose it was collected
- Other authorized purposes – FIPPA/PHIA
FIPPA – Section 43
- For the purpose identified at collection
- Consistent purpose – Section 45
- For the reason it was disclosed to the program
- For the purpose directly related to what was identified at collection
- To prevent or lessen a serious or immediate threat
- Authorized by a Manitoba or Federal Act
Disclosure
- Sharing outside the organization’s boundaries
- With consent or with authorization
  - FIPPA/PHIA
FIPPA – Section 44
- For the purpose identified at collection
- Complying with acts/treaties/arrangements/agreements
- Authorized/required by federal/provincial Act
- Determining/verifying eligibility
- Protecting mental/physical health or safety
- Law enforcement
- Subpoena/Court order/Warrant
- Determining/collecting fine, debt, tax or payment owing
- Existing or anticipated legal proceedings
- If already public
- To a person who is providing or has provided health care
- To any person if disclosure is necessary to prevent/lessen a serious and immediate threat to
- Contacting a relative/friend of an injured/incapacitated or ill individual
- Authorized/required by federal/provincial act
- Complying with arrangement/agreement under provincial/federal law
Retention
- Archives and Record Keeping Act
- Records Authority Schedules
- Records Management
Destruction
- Do not destroy before retention period
- In a manner that preserves the confidentiality
- PHIA – record of destruction
Accuracy
- Accurate, complete, up-to-date
- Request for correction – FIPPA/PHIA
- Timeframes
- Recourse
Safeguards
- Appropriate to the sensitivity of information
  - Higher the sensitivity – higher the security
- FIPPA – reasonable protection for personal information
- PHIA
  - Physical safeguards
    - E.g. locked filing cabinets/rooms
  - Technical safeguards
    - E.g. passwords, secure networks, encryption
  - Administrative safeguards
    - E.g. policies, orientation/training, pledge
Examples of insufficient security
- Lack of policies outlining appropriate use and access by staff
- Paper records stored in an area accessible by the public
- Improperly stored passwords
- Emailing personal health information over an unprotected network (i.e. Internet) without encryption
- Providing personal health information over the phone without verifying the identity of the individual
Openness
- Name, title, address of Privacy Officer/Access and Privacy Coordinator
- Means of gaining access to personal information
- Description of the personal information held by the organization
- Access and Privacy Directory
- How personal information is shared with other organizations
- How is the information made available
Individual access
Individuals must be informed of the existence, use and disclosure of their personal information
- Access
  - FIPPA application form
  - PHIA orally or in writing
- Timeframe of a request
  - FIPPA/PHIA
    - 30 days
    - Extension – FIPPA
- Fees
  - No cost recovery
- Exceptions to access – reasons for refusal
  - FIPPA
    - Sections 17, 24, and 30
    - Another 3rd party’s privacy
    - Harm to individual or public safety
    - Confidential evaluations
  - PHIA
    - Section 11
    - 3rd party’s personal information
    - Identity of someone who provided information in confidence
    - Harm to individual or to public safety
- FIPPA/PHIA
  - Provincial Ombudsman
  - Court of Queen’s Bench
  - Only access complaints. The Provincial Ombudsman receives complaints and initiates investigations regarding them.
Privacy pyramid
The more sensitive the information, the higher the level of legislative protection
- Adoption Act: sensitivity, Manitoba
- Youth Criminal Justice Act: clear override, sensitive information, conviction principal only
- Child & Family Services Act: absolute protection
- Mental Health Act: Limited, Record created whilst in
- PHIA: January 2004, private sector only
- PIPEDA: Privacy policies
- FIPPA: personal information