Statement on Protection of Personal Health Information
Date of original approval: February 11, 2013
Date of last revision and approval: HUEC May 17, 2017; Faculty Council October 16, 2023
1. Scope
This statement was developed to provide guidance for the protection of Personal Health Information (PHI) by Temerty Medicine learners in the context of Health Information Custodians (HICs) as integral components of the learning environment. This statement applies to all Temerty Medicine learners, including those registered or participating in educational activities affiliated with Temerty Medicine, who may in the course of their studies, training and/or research activities have contact with patients and/or patient information.
2. Background and Rationale
Personal health information is defined in the Personal Health Information Protection Act (PHIPA) as any information about an individual, in oral or recorded form, where the information “identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual”. This includes identifiable information such as name, address, identifying numbers and other unique characteristics.
This statement sets out requirements to ensure that all recorded (hardcopy and digital) forms of Personal Health Information (PHI) in our affiliated teaching sites’ custody are properly protected.
- PHI is information about the health or health care of an identifiable individual. An individual is considered to be identifiable if the information outright identifies the person, or if it is reasonably foreseeable in the circumstances that the information could be used (either alone or with other information) to identify the person. Thus, whether information is PHI depends on the context of its use.
- If it is reasonably foreseeable that a person could be re-identified, then the information is considered to be PHI. From the perspective of a custodian such as a hospital or other placement site (primary care practice, clinics etc.), this means that a learner (who is an agent of the placement site or primary care physician) must not disclose the information outside the circle of care unless either the individual consents, or it is not reasonably foreseeable, within the context of the information’s use, that the individual could be re-identified.
- Even where information is considered to be de-identified to the point where the patient cannot be re-identified, if context and other information known outside of the circle of care could still be used to re-identify that individual, then that de-identified information would still be considered PHI.
- Access to PHI brings special responsibilities with respect to patient privacy and supporting public confidence in our hospitals, institutions and practices.
Obligations in regard to PHI are set out in the PHIPA, which requires Health Information Custodians (HICs) such as hospitals or other placement sites (primary care practice, clinics etc.) to take reasonable steps to ensure that PHI is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing PHI are protected against unauthorized copying, modification or disposal. Learners engage in patient care and education/research involving access to PHI through the affiliation agreements between the University of Toronto and the Hospitals and in other healthcare placements. As agents of HICs, learners are permitted to use PHI. Accordingly, learners must be aware of and comply with the HICs’ requirements and the HICs must make those requirements known to learners.
Learners need access to systems containing PHI to provide appropriate clinical service and to fully benefit from their clinical education experience. Learners should only access PHI when doing so is relevant to patient care and/or research. Once PHI is no longer required by the learner to provide patient care within a given institution or proceed with their research experience, access should no longer be granted or be made available within that institution. Use or disclosure of material that identifies patients without proper authority constitutes a breach of law and standards of professionalism, privacy and confidentiality that potentially harms patients, the learner, the profession, and our organizations. This includes intentionally or unintentionally placing material that identifies patients in the public domain. It is recognized that learners may require access to PHI stored in a secure institutional environment when they are physically outside institutions or even when mobile within institutions.
Furthermore, it is recognized that learners, being involved in both university and hospital environments, are exposed to varying perspectives on the use of information. Universities by their nature are intended to be open and collaborative where information is encouraged to be shared, and existing university-based portals, learning tools or email systems allow this to occur; hospitals are intended to be confidential within the circle of care. University information systems are not designed to support the transmission and storage of PHI and therefore should not be used for this purpose.
Learners must comply with this statement in respect of all formats (including hard copy, digital, and any form of information technology) that could be used to store or transmit PHI. This includes but is not limited to posting/commenting on blogs; direct messaging (DM), instant messaging (IM), private messaging (PM) on social networking sites; posting to public media sites, mailing lists and video-sites; and emails. Further guidance regarding appropriate use of the Internet, electronic networking and other media by Temerty Medicine learners is provided in the Temerty Medicine Guidelines for Appropriate Use of the Internet, Electronic Networking and Other Media.
3. Guiding Principles
This statement is based on the following foundational principles:
- Learners need access to PHI to fully benefit from their clinical education and research experience and to provide safe patient care, including at times when they are not physically in the relevant clinical environment.
- The University and the affiliated hospitals and placement sites recognize that learners work at multiple sites and are expected to be able to access multiple systems.
- HICs have a responsibility to provide a data environment that is secure when properly used (a “secure institutional environment”), and to ensure mechanisms are available so learners can continue to provide patient care, if expected of them, outside of the clinical environment.
- HICs have a responsibility to ensure that their institutional requirements are disseminated to learners.
- Learners should not remove PHI from the secure (physical or virtual) central environment provided by the HIC unless there is no other reasonable means to provide safe and expedient patient care; and even when using PHI outside the secure central environment, learners must follow HIC policies for secure storage and use of PHI outside that environment.
- Data used for teaching and/or learning purposes should be de-identified prior to transport out of the HIC’s secure institutional environment, and confirmation should be obtained that the data will be accessed only by those needing to do so for those purposes, and that those accessing it will not attempt to re-identify individuals from the data. If identifiable information is necessary for the teaching and/or learning task, then it should be encrypted in accordance with HIC policy.
- The HIC can disclose PHI with the express consent of the patient or substitute decision maker.
- In certain circumstances, PHI must be disclosed (i.e. Child Protection, Ministry of Transportation, Health Protection and Promotion Act, Public Health).
- PHI should be handled appropriately within the secure institutional environment. Learners must comply with all PHI and privacy policies and procedures of the HIC with custody of that PHI. When there is no alternative but to remove PHI from a secure institutional environment, the PHI must be fully de-identified, or otherwise fully protected. Hard copy data should not be left unattended; it should be kept hidden from unauthorized viewing, and kept in a locked case when not being used (for example, printed patient lists should be kept in a locked case or securely on the learner’s person). Portable equipment used to transport PHI must be properly encrypted and password protected in accordance with HIC policy.
- As professionals, learners must make fully informed decisions that take into account relevant risks and benefits. When faced with decisions regarding use of PHI to affect safe and efficient patient care, learners must consider both the relative risks posed by possible decisions on patient safety and possible breaches of confidentiality with respect to PHI. In the exceptional case where protecting privacy may significantly interfere with patient safety, patient safety must prevail. Specifically, if a HIC reasonably believes that a disclosure of PHI is needed to eliminate or reduce a significant risk of serious bodily harm, it is permitted to make that disclosure, without the consent of the individual to whom the PHI relates.
4. Access to and Authentication and Transmission of Personal Health Information
Storage of PHI:
- The Information and Privacy Commissioner of Ontario has specifically advised all HICs that PHI must never be stored outside of secure institutional servers unless properly encrypted. PHI should be fully de-identified if held outside the secure institutional servers or networks if it is not encrypted. Electronic devices that are used to access, store, or record PHI, or by which PHI is transmitted must meet HIC approved standards for information protection.
- If a learner chooses to use a personal handheld device to manage PHI, the learner must follow the applicable policies of the HIC to ensure that PHI will be sufficiently protected.
- Original hardcopy records must always remain in the secure institutional environment unless HIC policy permits otherwise.
Access to PHI:
- Learners must not access PHI on public access electronic devices or services.
- Using one’s institutional login to access one’s own personal health information or that of family and friends held within that institution, or network data, is not permitted. Learners wishing to access information in their own personal patient record must follow the same processes for acquiring access as any other patient would within the relevant institution.
- Access to network data should only be done by those within the direct circle of care.
Transmission of PHI:
- Learners may need to transmit PHI in connection with their clinical care responsibilities and educational needs. PHI must in these cases be protected in accordance with HIC policies. HICs, such as hospitals, will provide access to secure methods and systems to support such transmission, provided that such transmission is in accordance with HIC policies. Learners must ensure that all systems and means through which PHI is transmitted be appropriately secured, including, for example, recipient email servers, networks, and storage media.
Removal of PHI:
- Learners may need to remove PHI from a secure institutional environment. PHI must in these cases be protected in accordance with HIC policies. Where necessary, HICs will provide HIC-approved equipment or applications, guidance and instructions to assist learners in encrypting data in accordance with their organizational policies.
- When learners take PHI outside of the secure institutional environment for approved purposes of teaching and learning (including at other HICs or in pure learning environments), all reasonable efforts to protect patient confidentiality must be undertaken. Specifically, participants should:
  - obtain the consent of the individuals to whom the PHI relates, if practical; or
  - adopt practices to de-identify PHI in accordance with HIC policy; and
  - ensure there are no patient identifiers associated with presentation materials; and
  - only disclose information that is general enough to preclude re-identification of the individuals; and
  - ensure that anyone using the information is committed to using it only for the approved purposes and to refraining from attempting to re-identify any individual.
5. Reporting:
Learners must report any breach of information privacy or security, or the theft or loss of any device containing or permitting access to PHI, immediately to both the educational authority to whom the learner reports and to the institutional HIC Privacy Officer.
6. Implications:
Breaches of PHI will be addressed under HIC policies and procedures, consistent with the PHIPA. Breach of any part of this statement may, after appropriate evaluation of the learner and the circumstances of the breach, result in further actions such as education, remediation, probation, failure to promote, or dismissal from a course or program. In each case, consideration of the matter by Temerty Medicine, including the range of academic sanctions, will be informed by the relevant guidelines and procedures.
This statement does not replace legal or ethical standards defined by organizations or bodies such as the College of Physicians and Surgeons of Ontario, the Canadian Medical Association, the Royal College of Physicians and Surgeons of Canada, the College of Family Physicians of Canada, or the College of Physiotherapists of Ontario.
Action by an assessing body does not preclude action under other University or Institutional policy, or other legal remedies (under statute including PHIPA, the Criminal Code; or civil action).