Privacy Guidelines for Learners
The Personal Health Information Protection Act, 2004 provides, among other things, rules governing the collection, use and disclosure of patient health information. As a learner at the Hospital, you are considered an “agent” of the Hospital under the Act.
As an “agent”, the Act provides some rules that you must follow. These guidelines are provided to give you some more detailed advice as to how to meet your privacy obligations.
Stick to Only What You Need to Know
– As a student, you may be asked to collect and use patient health information. If the nature of the assistance you are providing involves collecting, accessing or disclosing health information, apply the “need to know” rule. Only collect, access, use and disclose as much information as you need to in order to be able to perform the task. For example, only access the records of patients to whom you are directly providing care. Do not look at records of friends or family out of curiosity, and consult the institutional policy to determine if you may access your own record directly.
– Use information and Hospital technologies only for your job purposes.
– If you are provided with access to any application containing patient health information, like PowerChart, the Mount Sinai Hospital electronic patient record, ensure that you never share your password with anyone; don’t use others’ logins and passwords; always log out of the application prior to walking away from the computer; and keep in mind that your access to electronically stored patient health information may be audited.
Taking Care of Information Generally
– Never leave the paper or electronic health records unattended. This prohibition includes never leaving the record alone with the patient. If a patient wants access to his/her health record, contact the primary care giver to arrange a time when the patient can access the record, with a care giver knowledgeable about that patient’s care plan present. Log out of, or lock, applications when leaving the area and lock paper files in an office, desk or cabinet.
– When you no longer have any use for a paper document containing health information that does not belong in the patient’s health record, always place it in one of the “shred-it” bins; don’t recycle it. For patient health information recorded on other media to be disposed of, refer to your institution’s guidelines for the secure disposal of confidential information or ask someone for guidance, including the Privacy Officer.
– Never remove any paper records containing patient health information or electronically stored health information from a Hospital site, network or system. This means not taking health information home to complete assignments or catch up on your tasks. If you must, the information must be de-identified by removing identifiable references, like name, MRN, dates of birth etc. If the information identifies a specific person, the person’s express consent is needed before the information can be used outside the hospital – including before presenting or publishing case studies.
– Research using PHI requires approval of the hospital’s Research Ethics Board (REB) before any patient information can be used – this includes reviewing charts for feasibility (e.g. to see whether there would be enough patients available who satisfy certain criteria). Check with the REB to see if your project counts as research.
Special Considerations for Electronic Information
– If de-identifying information is not possible, the device storing the information needs to be encrypted. If you need assistance with that, contact the HELP Desk (ext. 4357). Password protection alone is not enough.
– Where PHI must be stored on mobile computing devices, only the minimal amount of information necessary should be stored, and for the minimal amount of time necessary to complete the work. Hospital-issued devices should be used, unless unavailable. Before removing any information from the hospital system/network, you must obtain approval for doing so, document what is being removed, and ensure that the information is adequately protected during transport and storage (e.g. encrypted, locked).
– Electronic devices that are used to access, store, or record health information, or by which health information is transmitted must use some type of authentication mechanism such as a power-on password, two-factor authentication, locking screen saver etc. to prevent access by unauthorized users.
– Return any hospital-issued electronic devices and paper records to the hospital when your time ends.
Be Careful with Email!
– If you need to email health information, you should limit sending emails to persons within our firewall, like UHN, SLRI and MSH users. You should definitely not use an “@utoronto.ca” or internet-based account to send or receive email containing health information.
– If you email health information to a person outside of the protection of the firewall, you must employ appropriate safeguards like obtaining consent of the patient and/or encrypting the message.
– You must not access health information by email or by other means on public access terminals.
– Never discuss patient information “outside” your job – in public areas of the hospital, outside the hospital, or at home. Even then, ensure that those at the Hospital with whom you are sharing the information need to know the information and that anyone who will overhear you is allowed to know the information.
– If any non-staff members, including patient family members, request information about a patient, ensure you have the patient’s consent or check with your supervising clinician first prior to disclosing any information.
– Information should never be released to the news media without first contacting Communications and Marketing, which can be reached at 416-586-4800 ext. 3161 or after hours through Locating.
– You may not post photos, videos or other recordings of patients or patient information on any internet site, including Facebook, MySpace etc., even if access to the site is limited to other hospital workers.
You Have Concerns – What do you do?
– If you are ever concerned that the nature of the activity you are being asked to perform may breach one of the privacy “rules”, ask your supervising clinician about how the patient’s privacy is being respected or contact the Privacy Officer.
– If you witness a breach of privacy, report it to the Privacy Officer.
– If a patient asks you for information or has a complaint related to accessing or correcting health information or about how his/her health information has been collected, used or disclosed, refer the patient to his/her primary caregiver, the Privacy: A Guide for Patients brochure and/or the Privacy Officer.
– For more information, please reference the Privacy and Confidentiality site on the Intranet.
– If you have any unanswered questions or comments, please do not hesitate to contact the Hospital’s Privacy Officer.
– If you are found to have breached any of these rules, your placement at the Hospital may be terminated.
– This policy does not replace legal or ethical standards defined by other organizations, like a professional College.
Action by an assessing body does not preclude action under a University policy, or other civil remedies (under statute, including PHIPA and the Criminal Code, or civil action).
Professional and Ethical Issues
As a junior member of the health care team, you will almost certainly have to deal with some difficult issues either with patients, colleagues or other health care workers. You may want to talk to someone about these problems, or you may feel that someone’s conduct needs to be brought to attention. Students are often reluctant to discuss these issues other than with fellow students, due to fear of reprisal or lack of understanding of the hospital system.
It is important for your professional education that you do discuss these issues in a timely manner and come to some understanding of how one might deal with them. There are a number of people who can be called upon, depending on your comfort level and the type of problem: Your resident, or the staff supervisor with whom you are working may be appropriate, especially in a patient-related matter, or to help you understand the hospital system.
If the problem involves your resident or supervisor, or another staff member, you may feel more comfortable talking to someone uninvolved with the rotation. In these circumstances feel free to contact Dr. Katina Tzanetos and your concerns will be dealt with in a confidential manner.
Please remember to use Student Assistance (formerly known as RED BUTTON) on the UME website.