Pledge of Confidentiality

The Interlake-Eastern Regional Health Authority, as a Trustee, is bound by The Personal Health Information Act (hereinafter called PHIA). Pursuant to PHIA, the Interlake-Eastern RHA is required to protect the confidentiality and privacy of its patients’ and clients’ personal health information. As a result, the Interlake-Eastern RHA will not disclose personal health information except as may be allowed and required by PHIA. The Interlakeu0002Eastern RHA requires that its employees, volunteers, students, and others associated with the Interlake-Eastern RHA act in this manner. All employees and those associated with the Interlake-Eastern RHA must be provided with PHIA education and understand their obligation to comply with PHIA and the Interlakeu0002Eastern RHA’s policies regarding the confidentiality of personal and personal health information. WHAT IS THE PERSONAL HEALTH INFORMATION ACT (PHIA)? PHIA is provincial legislation that incorporates the common law right of an individual to examine and receive a copy of his or her personal health information. It also limits and controls the manner in which personal health information is collected, used, disclosed, stored and destroyed. We are required to protect the privacy and confidentiality of all personal health information obtained, handled, learned, heard or viewed in the course of our work or association with the Interlake-Eastern RHA. The purpose of PHIA is to protect the confidentiality of information provided by individuals to health care professionals so as to ensure that personal health information is protected and individuals are not afraid to seek health care or to disclose sensitive information to health care professionals. PHIA policies are found in the Interlake-Eastern RHA’s General Administration Manual, under section 7, Health Information. WHAT IS PERSONAL HEALTH INFORMATION? All information, whether recorded or exchanged verbally about an identifiable individual that relates to:  The individual’s name, health or health care history, including genetic information, about the individual or the individual’s family;  What is learned or observed, including conduct or behaviour, which may be a result of illness or the effect of treatment;  The provision of health care to the individual. Individuals include co-workers or families of co-workers when they are patients/clients of the Interlake-Eastern RHA;  Payment for health care provided to the individual and includes:  the personal health identification number (“PHIN”) and any other identifying number, symbol or particular assigned to an individual, and  any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.  The individual’s personal information, including financial position, home conditions, domestic difficulties or any other private matters relating to the patient/client which have been disclosed to staff or persons associated with the Interlake-Eastern RHA. GA-7-F-6131 PHIA Education Document Pledge of Confidentiality Revised: May 26, 2023 Page 2 of 7 DEMOGRAPHIC INFORMATION  Means an individual’s name, address, telephone number and e-mail address. If information is demographic or his or her PHIN, it can be used to confirm eligibility for health care or payment for health care, verify the accuracy of the demographic information or PHIN, used to collect a debt the individual owes to the trustee, to verify the individual’s eligibility for a program services or benefit, and to assist police in locating an individual reported as being missing. While you are performing your duties with the Interlake-Eastern RHA, you are responsible to:  Keep all patient and client personal health information confidential and private. Do not discuss any patient or client information with anyone who does not need to know this information to do his or her Interlake-Eastern RHA job.  Do not share any patient or client personal health information or any other information provided to you:  In the presence of someone who does not need to know this information  In public places, (i.e., cafeteria, elevators, off premises)  You are required to ensure that all personal health information is properly secured and maintained to protect its confidentiality and to ensure that it is safe from accidental loss or destruction.  Authorized personnel who need to transport personal health information outside the Interlakeu0002Eastern RHA’s premises are required to store laptops, charts, or files in the trunk of their vehicle during transportation and must never leave this information in the trunk of a vehicle in an area of high risk of theft.  All confidential material must be disposed of by an approved method (i.e. shredding).  Anyone faxing personal health information needs to take precautions by using an approved fax cover sheet which clearly indicates that the fax contains privileged or confidential information, that unauthorized disclosure is prohibited, and that the sender should be notified immediately and the original destroyed in the event that it is received by someone other than the intended recipient.  If you are not sure what is the appropriate thing to do in a specific situation, discuss it with your supervisor, manager, site Privacy Officer, or the Interlake-Eastern RHA Regional Privacy Advisor at 785-7240.  Report all suspected breaches of confidentiality immediately to your supervisor/manager. The supervisor/manager must report the suspected breach to the Regional Privacy Advisor in a timely manner and complete an occurrence report. A Breach of Confidentiality Occurs When:  Information is accessed when you don’t need it to do your job.  Personal health information is shared with another employee who does not need it to do their job.  Personal health information is shared with someone outside of the Interlake-Eastern RHA who is not authorized to know the information.  Where consent is required and there is a lack of consent from the patient or authorized representative to share the information.  Patients or clients are identifiable when information is disclosed and patient identification is not authorized. IF a breach of confidentiality is confirmed, discipline may include:  Verbal warning  Written warning  Suspension  Termination of employment GA-7-F-6131 PHIA Education Document Pledge of Confidentiality Revised: May 26, 2023 Page 3 of 7 If convicted of an offence under PHIA, the courts may fine you up to $50,000. A confirmed breach of confidentiality may be reported to the individual’s professional regulatory body. PHIA Policies You are required to have read and understand the following Interlake-Eastern RHA PHIA policies. These policies are summarized below. The complete policies are found in the Interlake-Eastern RHA General Administration Manual, Section 7. Confidentiality of Personal Health Information GA-7-P-50  To ensure that personal health information is protected so that individuals are not afraid to seek health care or to disclose sensitive information to health professionals.  To ensure that personal health information is protected during its collection, use, disclosure, storage, and destruction within the Interlake-Eastern RHA.  All employees and persons associated with the Interlake-Eastern RHA are required to sign a Personal Health Information Pledge of Confidentiality (Appendix A) after having read the PHIA Education Document provided to them.  All employees are required to attend a supplemental PHIA education session provided at regional orientation.  All employees are responsible for protecting the security of all personal health information (oral or recorded in any form) that is obtained, handled, learned, heard or viewed in the course of his/her work or association with the Interlake-Eastern RHA.  Use or disclosure of personal health information is acceptable only in the discharge of one’s responsibilities and duties (including reporting duties imposed by legislation) and based on the need to know. Discussion regarding personal health information shall not take place in the presence of persons not entitled to such information or in public places (elevators, lobbies, cafeterias, off premises, etc.).  Unauthorized use or disclosure of confidential information may result in disciplinary action up to and including termination of employment/contract/association/appointment. Access to Personal Health Information GA-7-P-52  The provisions of The Mental Health Act (Manitoba) take precedence over any conflicting provisions in The Personal Health Information Act.  Individuals have the right to examine and receive copies of their personal health information.  Requests for access to information should be in writing. A Request to Access Personal Health Information form is available for completion (attached to Policy GA 7-52).  Responding to requests for personal health information regarding care currently being provided:  Where a request to examine Personal Health Information is about a hospital in-patient, a member of the Health Care Team or designate shall be present and make the Personal Health Information available for examination only within 24 hrs. after receiving the request. Copies requested must be provided as soon as reasonably possible.  Where a request is from an individual who is not a hospital in-patient, a member of the Health Care team or designate shall make the Personal Health Information available for examination and if requested, a copy of the information must be provided to the requestor within 72 hrs. after receiving the request.  All other requests for information must be provided within 30 days.  Privacy Officers or designates coordinate requests for access to information.  Health care providers may show or share copies of personal health information to clients during assessment, consultation, care and treatment. Access must be documented on the health record.  The request and response for personal health information shall be included in the client’s health record. GA-7-F-6131 PHIA Education Document Pledge of Confidentiality Revised: May 26, 2023 Page 4 of 7  Requests for personal health information may be refused for reasons specified in The Personal Health Information Act. Collection of Personal Health Information GA-7-P-54  Collect only as much personal health information as needed to do your job.  Inform the individual why you are collecting the information and with whom the information may be shared.  Collect information directly from the individual. The exceptions are listed within the policy.  Collect information in a manner and location that protects the confidentiality, security and integrity of that information.  A trustee shall inform the individual of the purpose for collecting information. This may be done by posting notices within the health care facility and/or providing individuals with a brochure. Correction of Personal Health Information GA-7-P-55  Requests for correction of personal health information must be made in writing to the Privacy Officer or designate using the standard correction form or in a covering letter which includes the same information. Disposal of Confidential Material, Including Personal Health Information GA-7-P-56  Confidential material must be disposed of by supervised incineration, shredding or otherapproved methods. Use and Disclosure of Personal Health Information GA-7-P-57  Use is revealing personal health information to someone within the Interlake-Eastern RHA.  Disclosure is revealing personal health information to someone outside of the Interlakeu0002Eastern RHA.  Before using or disclosing health information, reasonable steps must be taken to ensure the information is accurate, up to date, complete and not misleading.  Use of personal health information is limited to “the need to know” for your job.  Requests for disclosure of personal health information are coordinated with the Privacy Officer or designate.  A record of all personal health information disclosed shall be kept on the health record. A Record of Disclosure of Personal Health Information must be completed for every disclosure (see Policy GA 7-57).  The individual’s consent is required to disclose personal health information except under circumstances listed in this policy.  Personal health information may be disclosed without consent if authorized or required to do so by an enactment of Manitoba or Canada, for example, The Child and Family Services Act, The Fatality Inquiries Act, The Missing Persons Act and The Gunshot and Stab Wounds Mandatory Reporting Act.  PHIA allows disclosure to any person requesting information such as the client’s name, condition and location (as long as the location does not reveal specific information about the individual) and provided that such disclosure is not contrary to the express request of the individual or his or her representative.  PHIA allows for demographic information or PHIN to be used to confirm eligibility for health care or payment for health care or verifying the accuracy of the demographic information or PHIN. Security and Storage of Personal Health Information GA-7-P-60  Security safeguards shall be in place to protect personal health information, i.e., locked cabinets, restricted access, security clearances, and passwords.  Users must log off their computers when they leave the workstation.  Computer users must not share their user IDs and passwords.  Personal health information shall not be transmitted via e-mail outside the Interlake-Eastern RHA network. GA-7-F-6131 PHIA Education Document Pledge of Confidentiality Revised: May 26, 2023 Page 5 of 7  Files containing personal health information will be kept in a designated secure storage area and not left unattended on desktops.  Health care providers removing personal health information from the premises on authorized business shall ensure the secure storage of the information at all times. Transmission of Personal Health Information Via Facsimile GA-7-P-61  Use the Record of Disclosure of Personal Health Information and a fax cover sheet whenever faxing personal health information.  The sender is responsible for the security of all personal health information being sent by fax.  Ensure the fax number is correct and the fax machine is located in a secure place. A confirmation sheet must be kept for all personal health information sent via fax.  A guideline is available for use and is attached to this policy. Retention and Destruction of Personal Health Information GA-7-P-65  Personal health information will be retained as per retention periods outlined in the policy. Disclosure of Personal Health Information to Police GA-7-P-66  The Interlake-Eastern RHA will only disclose personal health information to the police which is maintained and collected by the Interlake-Eastern RHA in accordance with PHIA and the regional policies related to PHIA.  Police are required to obtain consent for disclosure of personal health information from the individual the personal health information is about or from a person permitted to exercise the rights of that individual. If the police do not have such consent, a subpoena, warrant, or court order is required.  During normal business hours requests for disclosure of personal health information shall be forwarded to the site Health Information Services Department for processing. Requests will be reviewed to determine the urgency of the request and will be processed accordingly.  After normal business hours, requests for disclosure of personal health information must be discussed with the Clinical Team Manager or management designate who is on call. If the circumstances are not considered to be urgent, the police should be advised to contact the site Health Information Services Department on the next business working day. The only urgent request from Police will be regarding the Missing Persons Act.  Under The Missing Persons Act Police may request access and/or copies of information via a Record Access Order or Emergency Demand when they have a reported missing person. They may also request access to information on a person who may be accompanying the missing person. A guideline is available for reference. Personal Health Information Disclosure Due to Risk of Serious Harm GA-10-P-300  In compliance with provincial legislation and MHSAL policy, all trustees/health professionals are to follow the processes outlined in the policy for the determination, disclosure, and documentation of an individual’s personal health information related to the risk for serious harm to an individual and/or public health or public safety.  Individuals seeking health related services are encouraged and supported to provide consent to disclose PHI when there is an assessed risk of serious harm to the individual and/or public health or public safety.  An individual’s consent to disclose PHI remains best practice. PHI belongs to the individual and trustees are entrusted to use it appropriately. Where a risk of serious harm has been identified through assessment and the individual does not consent to the disclosure of relevant PHI to mitigate this risk disclosure may occur to an identified family member or natural support individual.  Determination of risk must not remove an individual’s basic rights and dignity to determine their own lifestyle choices and acceptable personal risks. Self-determination and personal autonomy are integral principles of personal recovery.  Discussions to build natural supports and preferred contacts into the individual’s profile should be asked for and be part of every episode of care. GA-7-F-6131 PHIA Education Document Pledge of Confidentiality Revised: May 26, 2023 Page 6 of 7  Collaborative decision: When risk is not immediate, the determination to disclose PHI without consent in order to lessen risk of serious harm is reviewed by at least two trustees/health professionals within the interdisciplinary care team.  The decision to disclose PHI is clearly determined based on the individual’s needs and best interests. Disclosure is never considered solely or principally from the perspective of risk mitigation to the health professional.  Once the risk has passed, the disclosure of further PHI without consent is no longer authorized. Data Collection and Research Activities GA 7- P-95  Personal health information may be disclosed for health research after approval from the Institutional Research Review Committee or designate.  Consent will be obtained from the individual when personal health information will be disclosed. Disclosure of Personal Health Information to Religious Organizations GA-7-P-49  Notices must be posted to inform hospital in-patients and residents of personal care homes that their names, condition and location may be provided to a representative of their religious organization. Notices will also advise of the ability to object to the disclosure of their information.  The Spiritual Care Coordinator(s) will provide sites with a list of religious organizations and their representatives that may receive this information.  A consent to visitation by spiritual representatives form will be completed for every patient at sites that do not have 24 hr. admitting coverage. Sites that have 24 hr. coverage will record this information in their ADT system upon admission. Disclosure of Personal Health Information to Affiliated Foundations GA-7-P-47  Hospitals and personal care homes may disclose an individual’s name and mailing address, if they have received services from the hospital/personal care home, to a charitable fundraising foundation affiliated with the health care facility unless: 1. The individual has objected to the disclosure 2. The individual has died while in the hospital/personal care home 3. The individual is under the age of 18.  Notice must be provided to individuals advising that their names and addresses may be provided to the fundraising foundation affiliated with the facility. Notices will also advise of the ability to object to the disclosure of their information