20111216 Privacy and Security


Date: December 14, 2011

To: All Faculty of Medicine Staff
All Faculty of Medicine Faculty
All Faculty of Medicine Students

From: Gavin C. E. Stuart, MD, FRCSC

Dean, Faculty of Medicine

Vice-Provost, Health

Subject: Privacy and Security

In light of recent reports of loss of confidential information, all staff, faculty, residents and students are reminded of the need to protect confidentiality and ensure security of data in their possession.

It is our strong preference that no Personal Health Information (PHI) resides on university networks or systems. If, in exceptional circumstances and for purposes of fulfilling your academic, research and/or administrative mandate, it is imperative that it be located on a personal desktop, laptop, or other wireless device (including tablets and smart phones), then these steps must be followed:

1. You must have received written authorization from the Head of your unit or department.

2. All data collected must be de-identified and the master file noting their patient identifier code must be kept in an encrypted and password-protected file on a device that is password protected. Password availability shall be restricted to those who have a role in either patient care or quality improvement activities. If the data cannot be de-identified, all files must be kept in an encrypted file, with both the file and the device password protected and with automatic access by password after a short time-out activated. MedIT provides some information on security at http://www.medit.med.ubc.ca/all-categories/information-security/education-on-it-security-best-practices.htm

3. The physical security of portable devices must be properly considered. Said devices must not be left unattended in public spaces. They must be secured in locked environments when not in use. (Note: Automobiles are high risk and are not considered secure.)

4. Any medical record must be kept in an encrypted file that is password protected.

This applies to all patient materials. There are no exceptions to these requirements.

All staff, faculty, residents and medical students will comply with the above. You must immediately report a breach of patient confidentiality to both the Office of the University Counsel’s Access and Privacy Manager (Paul.Hancock@ubc.ca) and the Faculty of Medicine’s Chief Operating Officer (coo.med@ubc.ca).