Jan 24, 2014

In light of a significant privacy breach in Alberta, Manitoba Ombudsman is reminding trustees of personal health information (PHI) to ensure that Manitobans’ PHI is safeguarded as required under Manitoba’s Personal Health Information Act (PHIA).

It has been recently confirmed that a laptop with the unencrypted PHI of 620,000 Albertans was stolen in Edmonton last September. It contained the names, birth dates, provincial health card numbers, billing codes and diagnostic codes of the individuals seen at a health care facility over a two-year period. Reportedly, the laptop belonged to an information technology consultant who was working on a database for submitting claims for billing to the Alberta government.

Manitoba Ombudsman would like to remind trustees of the following obligations to protect PHI under PHIA:

• Limit the amount of information disclosed to the minimum amount needed to accomplish the purpose of the disclosure, as required by PHIA.

• Use reasonable security safeguards such as encryption on removable devices including laptops to protect electronic PHI.

• When disclosing PHI to an information manager, including for purposes of obtaining information technology services or for information management, have a written information manager agreement that provides for the protection of PHI, as required by PHIA (see Manitoba Health’s Guide to Information Manager Agreements), and remember that the PHI provided to an information manager is deemed to be maintained by the trustee, so you are responsible for responding to any breaches of the PHI.

• Follow the requirement to have a written policy and procedures as outlined in section 2 of the Personal Health Information Regulation 245/97 that includes the recording of any security breaches, and the corrective procedures to be followed if a breach occurs.

To promote best practices, Manitoba Ombudsman has published practice notes that provide trustees with privacy and access guidance, including two that assist trustees in dealing with a privacy breach:

• If a breach occurs, follow our Key Steps in Responding to a Privacy Breach, including when and how to notify affected individuals and others about the breach
• consider Reporting a Privacy Breach to Manitoba Ombudsman to obtain help in developing your plan for responding to the breach and preventing future breaches

Reporting a privacy breach is not mandatory under PHIA, however Manitoba Ombudsman receives voluntary reports of privacy breaches from trustees.

If members of the public believe that the privacy of their PHI has been violated, a complaint can be made to Manitoba Ombudsman.