Definition of Policy Terms:

| Term | Definition |
| --- | --- |
| Informed Consent | Informed Consent is the voluntary agreement to a course of action, based on a process of clear communication between the client and the service provider. Informed Consent is a legal requirement for the sharing of written and verbal information. |
| Personal Health Information | Personal Health Information refers to information that can be linked to a specific person, and that relates to: the person’s health or health care history or the provision of health care services. All information collected from an individual for provision of services is included under this term. |
| Privacy Breach | Loss, unauthorized access to, or unauthorized disclosure of Personal Health Information resulting from a breach of the organization’s security safeguards or from a failure to establish those safeguards. |
| Privacy Officer | Assigned employee who is responsible for handling requests for access to Personal Health Information held by Manitoba Possible. Responsibilities also include monitoring compliance with relevant privacy legislation. |
| Security Safeguards | Administrative, technical and physical requirements that ensure the confidentiality and security of information held by Manitoba Possible. |
| Substitute Decision Maker | A Substitute Decision Maker is an individual appointed by the Vulnerable Persons’ Commissioner to make decisions for a vulnerable person who is unable to make certain decisions for themselves in the area of personal care or property or both. |

Purpose:
To establish the procedure for ensuring Manitoba Possible contractors take all reasonable steps to protect client privacy and ensure compliance with relevant legislation. This involves the collecting, using, processing, sharing, storing and destroying of clients’ Personal Health Information.

Policy:

  1. Manitoba Possible will take reasonable steps to inform individuals of their right to make a request to review and receive a copy of their Personal Health Information.
  2. All contractors are responsible for protecting all Personal Health Information they receive over the course of their contract work with Manitoba Possible.
  3. Personal Health Information will be protected during its collection, use, storage and destruction within Manitoba Possible.
  4. Manitoba Possible may collect only Personal Health Information that is reasonably necessary, and relevant in the course of conducting its business and in the provision of services.

Procedures:

  1. Access to Personal Health Information
    1. If a contractor receives a request from a client to access their Personal Health Information held by Manitoba Possible, the contractor is to forward the request by email to the Privacy Officer. The contractor may also provide the client with the contact information for the Privacy Officer and the Access to Information Form.
      1. If the individual making the request is unable to make the request in writing, an oral request will be accepted by the Privacy Officer. The contractor receiving the oral request should complete and forward the Access to Information Form to the Privacy Officer.
      2. An individual’s right to request information may be exercised by a family member or Substitute Decision Maker in accordance with the Personal Health Information Act.
    2. The Privacy Officer will date stamp the request for access when received.
    3. Where permitted by law Manitoba Possible may charge a fee for access requests.
    4. The Privacy Officer will respond to a request for Personal Health Information as promptly as required by the circumstances but no later than:
      1. 72 hours after receiving the request if the information is about provision of services Manitoba Possible is currently providing;
      2. 30 days in any other cases unless the request is transferred to another trustee;
      3. Such other timeline as permitted by law.
    5. In response to an individual’s request the Privacy Officer will do one of the following:
      1. Indicate in their response where, when and how access to the Personal Health Information will be granted;
      2. Inform the individual in writing if the information does not exist or cannot be found;
      3. Inform the individual in writing that the request is refused or where information is exempt from disclosure by law.
    6. Requests may be refused if the individual failed to provide sufficient proof that he or she is the person that the Personal Health Information is about or that they are a person authorized by the person the Personal Health Information is about.
    7. Manitoba Possible may refuse partial access to Personal Health Information where permitted by law including if the disclosure of the information would reveal Personal Health Information about another individual, a disclosure by a third party in confidence or confidential information protected under the Child and Family Services Act.
    8. Where a single document contains both Personal Health Information to which access has been granted and Personal Health Information to which access has been refused Manitoba Possible will provide a copy of the document in which the refused portions have been either blacked out or blocked from being photocopied so that they are completely illegible.
    9. Should the individual contact the Privacy Officer regarding the refusal, the Privacy Officer will discuss the reason for refusal and advise the individual on their right to make a complaint about the refusal to the Provincial Ombudsman.
    10. When a challenge is made regarding the accuracy or completeness of the Personal Health Information held by Manitoba Possible, Manitoba Possible may make a correction, amendment or add a statement of disagreement to the record.
    11. The Privacy Officer will retain a record of the written requests for access to Personal Health Information as well as the responses to the requests.
    12. In circumstances where a client, legal guardian or Substitute Decision Maker is requesting a copy of a report in an open Manitoba Possible client file, the Privacy Officer may release the report if the individual requesting the report is already copied on the report or the Privacy Officer has received consent to release this report from the author of the report. Release of this report should be documented in the file.
  2. Collection of Personal Health Information
    1. Individual program intake forms will gather only the information required by the program for provision of services.
    2. Before Personal Health Information is collected, the client, parent/legal guardian or Substitute Decision Maker will be informed of the purpose for which the information is being collected and how the information will be used and disclosed.
    3. A consent form is signed, or verbal consent is received prior to requesting information about a client from a third party as per the Consent for Sharing of Information Policy.
  3. Use and Disclosure of Personal Health Information
    1. Prior to disclosing Personal Health Information a contractor will confirm they have a signed consent form, or verbal consent, to disclose information to a third party as per the Consent for Sharing of Information Policy.
    2. Contractors will take reasonable steps to ensure that the information disclosed is accurate, up to date, complete and not misleading.
    3. Information shared will be limited to the minimum amount of information necessary to accomplish the purpose for which the information was collected or received.
    4. Exceptional circumstances exist where information may be shared without Informed Consent as directed by the Child and Family Services Act, The Mental Health Act, The Protecting Children (Information Sharing) Act and The Vulnerable Persons Living with a Mental Disability Act. Additional information is included in the Reporting a Child in Need of Protection and Reporting Suspected Abuse or Neglect of an Adult Policy.
  4. Privacy Breach
    1. All privacy breaches must be immediately reported to Manitoba Possible management and the Privacy Officer.
    2. The Privacy Officer will investigate any reports of potential privacy breaches to determine whether there has been a breach of privacy. This investigation may include interviewing all persons involved.
      1. The Privacy Officer will complete a log of privacy breaches for the record.
      2. Following the investigation the Privacy Officer will complete a report to be provided to the CEO.
      3. If it has been determined that there has been a Privacy Breach, Manitoba Possible will undertake corrective procedures to prevent future instances where necessary. This may include further education regarding the Manitoba Possible policy and relevant legislation or discipline up to and including dismissal of the contractor(s) responsible for the breach.
  5. Safeguards
    1. This policy will be provided to all new contractors and will also be available for review on the envoyy.ca website.
    2. The CEO or designate will conduct an audit of security safeguards at least every two years to ensure compliance with relevant legislation. The CEO or designate will document the findings of the audit along with any recommendations to monitor or ensure compliance.
    3. The Privacy Officer will provide the CEO with a quarterly compliance report. The CEO will then provide a compliance report to the Board of Directors in advance of the Annual General Meeting.
    4. Personal Health Information will be stored in locked filing cabinets, desks, offices or other secure areas. Only Manitoba Possible employees who require access to these areas to carry out the reasonable functions of their job may have keys/passcodes.
    5. Personal Health Information removed from one of the secure areas will be returned by the Manitoba Possible employee when it is no longer required.
    6. Manitoba Possible employees will never delete, remove or otherwise strip Personal Health Information from client files. All information recorded in a file will be retained.
    7. In circumstances where Manitoba Possible employees have a working file, the existence of the working file should be noted in the main file. When a main file is closed the contents of the working file should be integrated into the main client file and duplications will be shredded.
    8. Manitoba Possible employees will only remove from Manitoba Possible premises the information necessary in order to carry out reasonable functions of their job and are responsible for taking appropriate measures to ensure the security of this information when working out in the community, including not leaving Personal Health Information in a locked vehicle.
    9. Manitoba Possible mail will be stored in a secure area at all times. All envelopes or packages containing Personal Health Information to be mailed out will be stamped ‘Confidential’ and should include a Manitoba Possible return address.
    10. Access to clients’ electronic information is limited to authorized Manitoba Possible employees who require access to carry out the functions of their job.
    11. Manitoba Possible employees will store electronic Personal Health Information on the Manitoba secure server.
    12. Manitoba Possible employees must protect electronic Personal Health Information, including email, from unauthorized access through the use of passwords. Manitoba Possible requires the use of passwords on all assigned electronic devices.
    13. Inactive computer stations will be locked and require an employee password after thirty minutes of inactivity.
    14. Manitoba Possible employees will not download or retain Personal Health Information onto USB devices.
    15. Manitoba Possible employees must take reasonable privacy precautions when faxing and emailing electronic communications including use of a confidentiality clause specifying the material is confidential and only for the intended recipient.
  6. Destruction of Personal Health Information
    1. All closed records of Personal Health Information will be retained in the possession of Manitoba Possible for a maximum of ten years at a secure, offsite archiving facility, or as required by law.
    2. Where Manitoba Possible disposes of Personal Health Information, the disposal will be conducted by authorized personnel by shredding or other approved method.
      1. Manitoba Possible is responsible for keeping a log of files that have been destroyed and the date on which they were destroyed.
    3. Where computer hardware is being disposed of or used for another purpose, Manitoba Possible will take reasonable steps to ensure Personal Health Information has been entirely deleted and cannot be retrieved in any readable form.