Date of original approval: February 11, 2013
Date of last revision and approval: HUEC May 17, 2017; Faculty Council October 16, 2023
This statement was developed to provide guidance for the protection of Personal Health Information (PHI) by Temerty Medicine learners in the context of Health Information Custodians (HICs) as integral components of the learning environment. This statement applies to all Temerty Medicine learners, including those registered or participating in educational activities affiliated with Temerty Medicine, who may in the course of their studies, training and/or research activities have contact with patients and/or patient information.
Personal health information is defined in the Personal Health Information Protection Act (PHIPA) as any information about an individual, in oral or recorded form, where the information “identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual”. This includes identifiable information such as name, address, identifying numbers and other unique characteristics.
This statement sets out requirements to ensure that all recorded (hardcopy and digital) forms of Personal Health Information (PHI) in our affiliated teaching sites’ custody are properly protected.
Obligations in regard to PHI are set out in the PHIPA, which requires Health Information Custodians (HICs) such as hospitals or other placement sites (primary care practice, clinics etc.) to take reasonable steps to ensure that PHI is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing PHI are protected against unauthorized copying, modification or disposal. Learners engage in patient care and education/research involving access to PHI through the affiliation agreements between the University of Toronto and the Hospitals and in other healthcare placements. As agents of HICs, learners are permitted to use PHI. Accordingly, learners must be aware of and comply with the HICs’ requirements and the HICs must make those requirements known to learners.
Learners need access to systems containing PHI to provide appropriate clinical service and to fully benefit from their clinical education experience. Learners should only access PHI when doing so is relevant to patient care and/or research. Once PHI is no longer required by the learner to provide patient care within a given institution or proceed with their research experience, access should no longer be granted or be made available within that institution. Use or disclosure of material that identifies patients without proper authority constitutes a breach of law and standards of professionalism, privacy and confidentiality that potentially harms patients, the learner, the profession, and our organizations. This includes intentionally or unintentionally placing material that identifies patients in the public domain. It is recognized that learners may require access to PHI stored in a secure institutional environment when they are physically outside institutions or even when mobile within institutions.
Furthermore, it is recognized that learners, being involved in both university and hospital environments, are exposed to varying perspectives on the use of information. Universities by their nature are intended to be open and collaborative where information is encouraged to be shared, and existing university-based portals, learning tools or email systems allow this to occur; hospitals are intended to be confidential within the circle of care. University information systems are not designed to support the transmission and storage of PHI and therefore should not be used for this purpose.
Learners must comply with this statement in respect of all formats (including hard copy, digital, and any form of information technology) that could be used to store or transmit PHI. This includes but is not limited to posting/commenting on blogs; direct messaging (DM), instant messaging (IM), private messaging (PM) on social networking sites; posting to public media sites, mailing lists and video-sites; and emails. Further guidance regarding appropriate use of the Internet, electronic networking and other media by Temerty Medicine learners is provided in the Temerty Medicine Guidelines for Appropriate Use of the Internet, Electronic Networking and Other Media.
This statement is based on the following foundational principles:
Learners must report any breach of information privacy or security, or the theft or loss of any device containing or permitting access to PHI, immediately to both the educational authority to whom the learner reports and to the institutional HIC Privacy Officer.
Breaches of PHI will be addressed under HIC policies and procedures, consistent with the PHIPA. Breach of any part of this statement may, after appropriate evaluation of the learner and the circumstances of the breach, result in further actions such as education, remediation, probation, failure to promote, or dismissal from a course or program. In each case, consideration of the matter by Temerty Medicine, including the range of academic sanctions, will be informed by the relevant guidelines and procedures.
This statement does not replace legal or ethical standards defined by organizations or bodies such as the College of Physicians and Surgeons of Ontario, the Canadian Medical Association, the Royal College of Physicians and Surgeons of Canada, the College of Family Physicians of Canada, or the College of Physiotherapists of Ontario.
Action by an assessing body does not preclude action under other University or Institutional policy, or other legal remedies (under statute including PHIPA, the Criminal Code; or civil action).