Health Privacy at UWinnipeg - Module 4
Module 4 explains certain additional requirements of the Privacy Policy.
A privacy breach can be any collection, use, disclosure, or destruction of PHI in contravention of applicable privacy legislation. In most instances, however, a privacy breach occurs when PHI is stolen, lost, or accessed inappropriately. Snooping is also an issue, and electronic information is particularly susceptible to breaches.
Examples of privacy breaches include:
- Theft of electronic or paper records from vehicles and homes,
- Losing laptops, USB sticks, and similar electronic devices and media,
- Sending emails and email attachments to the wrong recipient,
- Employee snooping,
- Paper records being recycled or thrown out instead of shredded,
- Disposal of computer hard drives, cellphones, fax machines, and copiers without adequate data deletion.
If you receive a complaint about a privacy breach, have any knowledge of a privacy breach, or have a reasonable suspicion that a privacy breach has occurred, immediately report the breach to your supervisor and the University's Information and Privacy Officer.
Quick reporting is crucial to enable the University to take appropriate measures to contain and investigate the breach.
The Privacy Policy does not set out specific retention periods for records containing PHI. However, any information that is used to make a decision that directly affects an individual must be kept long enough to permit the individual to request access to the information.
One year is generally a suitable minimum retention period but the total time that a record must be retained will vary based on legislation, regulation, and University policy. It is important to not retain records containing PHI longer than is necessary.
Records that are awaiting destruction can be moved, if reasonable, to more secure forms of storage. An example would be saving emails containing PHI to a secure network drive and then deleting the email from Outlook.
Any record containing PHI that is scheduled for destruction needs to be securely destroyed in the manner set out in the previous module, such as:
- Shredding of all paper records, and
- Deletion of the information on all electronic devices and media.
The Information and Privacy Officer is able to assist University departments in the creation of records schedules that set out the retention period for various University records.
The ability to request access to PHI is important for individuals to make informed decisions about their health care.
Individuals who wish to examine or receive a copy of their PHI must submit a request to the department that retains the information or to the Information and Privacy Officer. Upon receipt of a request, a department typically has 30 days to respond.
Should you receive a request, review the Privacy Policy for the steps required to respond to an access request or consult the Information and Privacy Officer for more information.
Offices that retain PHI must use a sign, poster, brochure, or other similar type of notice to inform individuals of their rights to examine and receive a copy of their PHI and to authorize another person to examine and receive a copy of the PHI. This access is subject to the right of the University to refuse as set out under .
The sign, poster, brochure, or similar type of notice must be prominently displayed in as many locations and in such numbers as the head of the office reasonably considers adequate to ensure that the information is likely to come to the individuals' attention.
Key Points
- Immediately report all privacy breaches, even if you only have a reasonable suspicion that a privacy breach has occurred, to enable the University to take immediate action.
- Retain records containing PHI that have been used to make a decision that affected an individual for at least one year but not longer than necessary.
- Adhere to the procedures for providing access to PHI.
- Display a sign, poster, or brochure giving notice of the right to access PHI, as required.