Version 5 - February 2005
Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.
Health Canada's Non-Insured Health Benefits (NIHB) Program funds registered Indians and recognized Inuit with medically necessary health-related goods and services which supplement those provided by other provincial/territorial or private programs. These benefits include drugs, medical transportation, dental care, vision care, medical supplies and equipment, crisis intervention mental health counselling and provincial health care premiums, where applicable.
In order to process these benefits, the NIHB Program collects, uses, discloses and retains clients' personal information, and does so in accordance with the applicable federal laws and policies. (Info Source - Sources of Federal Government Information 2003-2004. Section F- Privacy Act)
The NIHB Privacy Code reflects these Acts and policies and uses, as a guideline, the 10 Principles set out in the Canadian Standards Association, Model for the Protection of Personal Information (The CSA Model Code). The CSA Model Code, which incorporates a higher benchmark of privacy protection, has been formally approved by the Standards Council of Canada as a National Standard of Canada.
The objectives of the NIHB Privacy Code are:
The NIHB Program is committed to protecting privacy and safeguarding the personal information in its possession. The NIHB Privacy Code represents a consistent approach to privacy and data protection for personal information collected, used, disclosed and retained by the Program. It ensures the Program's compliance with the Privacy Act.
Since the first version of the NIHB Privacy Code was released in May 2003, significant enhancements have been made to it. First Nations and Inuit and privacy experts have all made valuable suggestions for improvement. Some of the important changes made so far include providing more detailed information on NIHB privacy procedures and simplifying the definitions of terms.
The Non-Insured Health Benefits Privacy Code will be reviewed and revised on an ongoing basis as Federal Government privacy policies, legislation and/or program changes require. The Program would be pleased to receive stakeholder advice on the Code at any time. Comments received will be reviewed for possible incorporation into a later version of the Privacy Code. Summaries of the comments received will be posted on the Non-Insured Health Benefits Program Website
Suggestions and comments may be sent to:
Attn: NIHB Privacy Code
First Nations and Inuit Health Branch
Non-Insured Health Benefits Directorate
Postal Locator 1919A, Room 1926B
Jeanne Mance Building, Tunney's Pasture
Ottawa, ON K1A 0K9
The NIHB Privacy Code applies to all Health Canada employees administering and managing the NIHB Program. Organizations or groups administering NIHB benefits through contribution agreements must comply with privacy requirements found in the schedules and the confidentiality clauses that form part of the Terms and Condition of the agreement. Health care professionals must respect the privacy codes of their regulatory or licensing bodies.
The NIHB Privacy Code applies to all NIHB Program activities in order to provide eligible clients with non-insured health benefits including:
The NIHB Privacy Code:
Deputy Ministers and Heads of Agencies are responsible for ensuring that their organizations comply with Access to Information and Privacy Acts. In addition, the President of the Treasury Board co-ordinates the administration of the Acts by preparing and distributing policies and guidelines to help institutions interpret the laws.
Health Canada employees administering and managing the NIHB Program will be held responsible for ensuring the private and secure handling of personal information collected, used, disclosed, retained and disposed by the Program.
Criteria for the uses of personal information are to be respected; any breach of these criteria by staff may result in disciplinary action, which may include suspension or dismissal.
In the case of contractors or those organizations administering NIHB, a breach may result in terminating the contract or the contribution agreement.
Managers of the NIHB Program have a duty to uphold Health Canada's reputation for integrity, honesty and ethical and legal conduct according to privacy legislation and the Treasury Board of Canada's Government Security Policy.
Should managers have concerns with the conduct of their staff in relations to the Privacy Code, it is their responsibility to address these concerns using appropriate action such as providing the individual with training or by restricting access to personal information.
Health Canada employees with the NIHB Program are responsible for the confidential and secure handling of the personal information collected, used, disclosed, retained and disposed of while administering the Program.
The NIHB Program is responsible for ensuring that a level of privacy protection comparable to the Privacy Act and policies to which the Program is subject, is in place for personal information disclosed or transferred to a third party such as a contract for claims processing or a First Nations or Inuit organization that provides NIHB benefits under the terms and conditions of a signed contribution agreement.
Contracts and Contribution agreements contain standard clauses dealing with the confidentiality and privacy of personal information, which are to form part of the Terms and Conditions.
Private claims processors are also subject to industry standards for transmitting data between themselves and the providers to ensure the security and privacy of personal information. Most of these organizations are also subject to federal, provincial or territorial data protection legislation, including the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to all provinces and territories except where the Governor in Council has issued exemption orders (i.e., Quebec, British Columbia and Alberta). Business organizations in all provinces and territories must ensure their compliance with the applicable federal or provincial law that deals with protecting the collection, use and disclosure of personal information within that province.
Health care professionals who are employed by Health Canada must meet the confidentiality requirements of the NIHB Program, in addition to their professional ethical obligations. Their professional code of ethics which is established by their respective regulatory bodies encompasses privacy and confidentiality. Any breach of these ethics may result in the regulatory body requiring the health care professional to take training, suspending or withdrawing his or her licence.
The Non-Insured Health Benefits (NIHB) Program collects, uses, discloses, retains and disposes of personal information for the following purposes:
The process to provide funding for non-insured health benefits requires reviewing personal information in order to:
Personal information is collected, used, retained and disclosed for assessing criteria that need to be met before benefit claims can be approved and to allow health care providers to deliver benefits or services to clients.
The criteria are:
Generally, clients of the NIHB Program are not required to pay up front for benefits received. Once the provider has confirmed that the benefit approval criteria have been satisfied, he or she may provide the benefit or service to the client and then bill the Program directly.
Claim-specific details, including the personal information of the client involved, must be submitted by the provider to the NIHB Program within one year from the date of service to facilitate payment. In the case of drug benefits, the process for submitting the claim data electronically for approval and for payment are often completed simultaneously. Dental benefits may be claimed electronically also for those using CDAnet. In the case of other benefits, such as medical supplies and equipment, the provider must submit benefit requests to the claims processor or regional office in paper format for processing.
First Canadian Health Management Corporation Inc. (FCH) is the claims processor for drugs, medical supplies and equipment (MS&E) and dental benefits on behalf of the NIHB Program. FCH is required to conduct on-site audit and claims verification activities by reviewing claims submitted under the NIHB Program.
First Nations and Inuit Health Branch (FNIHB) regional offices are responsible for the adjudication, audit and claims verification of medical transportation, vision and mental health crisis intervention benefits provided within their region.
These activities are conducted in compliance with:
The audit activities are based on generally accepted industry practices and accounting Principles. Audits are carried out to identify potential billing irregularities; to ensure that claims are paid in accordance with Program billing requirements; to ensure that services paid for were received by eligible NIHB clients; and to ensure that providers have retained appropriate documentation that supports each claim.
As part of the audit process, the auditor may contact the prescriber to verify clients and prescriptions or contact clients to substantiate receipt of the benefit or service and the specific claim information.
In order to complete the audit, the auditor must conduct an assessment of the claims paid by the NIHB Program to ensure adequate data are available by scanning all the relevant information or the paid claims which are under review.
All personal information obtained for claims verification is maintained in accordance with the Privacy Act .
As outlined in the Scope of the NIHB Privacy Code, the NIHB Program collects, uses and discloses personal information to conduct Program reviews.
These review activities are critical for:
Program reviews include:
Program reviews, such as statistical reporting, use anonymized or non-identifiable aggregate data. The DUEs use identifiable data. However, it is important to clarify that identifiable personal information is not required for the actual review activity, but rather it may be required in very limited circumstances when client or provider-level interventions are required when a client may be at risk. More details are provided in the NIHB Policy section entitled "The Use of Personal Information in Program Reviews" (section 2.1)
Under the Privacy Act, there is no consent requirement for the collection of personal information. However there is an obligation to inform concerned individuals of the reasons for the collection of their personal information (section 5) of the Privacy Act.
Express (written or verbal) consent for the use and disclosure of the personal information is required:
As mentioned previously, under the Privacy Act, institutions must inform the concerned individuals about the reasons for collecting and using their personal information. The Non-Insured Health Benefits (NIHB) Program communicates this information to clients and stakeholders through a number of mechanisms including:
The NIHB Program has also committed to undertake a communication campaign every five years to remind clients about the collection, use and disclosure of personal information under the Program.
Personal information is primarily collected indirectly for the Non-Insured Health Benefits (NIHB) Program by physicians, nurses, pharmacists, optometrists/opticians, dentists/denturists, registered psychologists/social workers, medical supply and equipment and medical transportation providers in accordance with section 5(1) of the Privacy Act.
The NIHB Program must limit its collection of personal information for the purpose described in Principle 2 of this Code (i.e., to provide funding for non-insured health benefits and to conduct program reviews). The collection is limited to the individual claims submitted by the provider (transaction-based). Only the minimum amount of information required to assess the need for a benefit is collected. This limited collection complies with section 4 of the Privacy Act in that the information being collected is directly related to NIHB Program activity.
In cases where benefit exceptions are being considered for funding, additional client information may be collected and shared between the treating health care professional and NIHB's health care professionals, as required, to verify client need. (The NIHB Program employs or contracts health care professionals who are responsible for reviewing and approving exceptions and prior approvals. Information plays a critical role in providing evidence to support a specific need and ensuring the request is assessed according to evidence-based standards of care. These health care professionals have to comply with the NIHB Privacy Code as well as privacy requirements set out by their regulatory body.)
The table below outlines situations with the type of information that is collected by the NIHB Program.
Information that is collected for NIHB benefit requests that do not require Prior Approval:
Information that is collected for NIHB benefit requests that require Prior Approval or when a benefit is considered an exception:
The following additional information may also be required to approve the benefit:
The Non-Insured Health Benefits (NIHB) Program must use and disclose personal information only for the purposes outlined in Principle 2 of this Privacy Code, unless it is otherwise required or authorized by law. This is in compliance with sections 7 and 8 of the Privacy Act.
The NIHB Program limits the use, disclosure and retention of personal information by restricting access to client information on a need-to-know basis. It is worth noting that, in the majority of cases, a client's personal information is received from providers/professionals rather than the Program disclosing to providers/professionals. The Program limits the disclosure of information back to the provider to only what is required to process the benefit request.
For what purpose(s) and under what conditions
As outlined in Principle 2,
Use and disclose personal information:
Use and disclose anonymized data:
Program Health Care Professionals/Providers
For what purpose(s) and under what conditions
Eligible health care professionals and providers share personal information with the NIHB Program:
When clients at risk or inappropriate use are identified, personal information is disclosed to the client's provider only when express consent has been provided to supplement the provider's professional judgement.
Professional Regulatory and Licensing Bodies
For what purpose(s) and under what conditions
Client's personal information may be disclosed by the NIHB Program to professional regulatory and licensing bodies as evidence to support an investigation of health care providers who have been seen by the client.
First Nations and Inuit organizations under contribution agreements to administer non-insured health benefits
For what purpose(s) and under what conditions
As outlined in Principle 2, First Nations and Inuit organizations administering benefits under Contribution Agreements will use and disclose personal information:
Federal/Provincial/Territorial or other third-party health insurance plans
For what purpose(s) and under what conditions
Where clients have coverage either through provincial or territorial governments or private health plans that provide only partial coverage of a particular benefit, the NIHB Program may use and disclose a client's personal information to coordinate benefit coverage in order to provide further coverage.
If personal information needs to be used for a new purpose, the NIHB Program will amend the NIHB Privacy Code, the Privacy Impact Assessment and required policies. The Program will undertake a communication strategy to inform clients as required. For more information, see NIHB's Privacy Change Management section, section 3.1, of this document.
If the Program requires personal information for a new purpose as mentioned above, express consent will be required. The Program will specify to the client what information is needed and the purpose for which it will be used.
Information shall be retained and disposed of according to the Records Retention and Disposal of Personal Information policy of the Government of Canada, section 6(1) of the Privacy Act , section 12 of the Regulations and the Library and Archives of Canada Act . Health Canada has guidelines and procedures in place concerning the retention and disposal of personal information. Health Canada employees can access a policy icon through an internal database on their Lotus Notes workspace. This icon links to Health Canada policies on Information Management.
The Acts and policies mentioned above pertain to all personal information stored by the NIHB Program in the following systems:
According to the Privacy Act, section 6(2), all reasonable steps will be taken to ensure that personal information collected by the Non-Insured Health Benefits (NIHB) Program is accurate and complete. Personal information collected for processing benefit requests is not routinely updated, unless required to ensure ongoing delivery of a specific benefit or service for claims processing.
Updating the client eligibility lists on the Status Verification System is completed when Indian and Northern Affairs Canada, the Governments of Nunavut and Northwest Territories and the Labrador Inuit Association regularly provide the NIHB Program with updated information. The NIHB Program does not provide these groups with any personal information. The personal information flows only into the NIHB Program.
In order to ensure the accuracy of client information collected, the NIHB Program requires clients to identify themselves by providing three pieces of information before accessing benefits. This information includes: name, date of birth and identification number.
Each of the databases that store NIHB claims information contains mandatory information fields that must be completed before a claim can be processed and/or approved. If the fields are not completed properly, the claim will not be processed. This is to ensure the accuracy of the information that is being collected for each client.
In accordance with the Privacy Act and Regulations, the Government Security Policy, the Privacy and Data Protection Policy, the Operational Security Standard and the Library and Archives of Canada Act, the Non-Insured Health Benefits (NIHB) Program will take every reasonable precaution to protect the security and confidentiality of personal information it collects, uses, discloses, retains and disposes and by ensuring that organizational, physical and technological safeguards and controls have been put in place and are maintained.
Personal information collected by NIHB for claims processing is classified as "Designated Information" and must be marked as "Protected" (upper right corner) according to the Government Security Policy.
Documents containing medical information pertaining to individuals indicate "Medical - Confidential" and are handled only on a "need-to-know" basis.
Duplicating or taking extracts of designated information is kept to a minimum and the copies or extracts are marked with the same security marking as the original.
Health Canada employees administering and managing the NIHB Program must not remove protected materials from secure areas.
Waste materials: Designated waste is kept separate from regular paper waste and is routinely shredded, pulped or burned.
Employee Security: All employees and contractors must hold an enhanced reliability status security clearance as a minimum requirement for handling personal information in the day-to-day processing of benefits and administration of the NIHB Program. An enhanced reliability status security clearance will allow them access to designated information.
Authority for system access: The Program manager is responsible for identifying and authorizing those who require access to NIHB Program data systems. They are also responsible for maintaining control records for sensitive material and items such as keys, codes, combinations, identification badges and individual system passwords.
Withdrawal of access: This takes place when employees conclude their employment, when their duties no longer require them to have access, or when inappropriate use and disclosure is identified. When access to the NIHB Program data system is withdrawn, the employee's user number to enter a data system is no longer valid.
Staff training: Health Canada employees administering and managing the NIHB Program and contractors are given training on the secure handling of personal information. Employees receive training for their specific responsibilities, a critical part of which are the procedures that are used in NIHB units (regional or headquarters). For further information, please refer to NIHB's Privacy Training Policy section, section 2.4, of this document.
Several steps have been taken to secure the physical work environment in which personal information is stored. These include:
Identification Cards: Health Canada employees administering and managing the NIHB Program are given identification cards which must be displayed at all times. These cards act as an effective access control, to avoid admitting unauthorized personnel into FNIHB, NIHB or Health Canada buildings. Security signs are posted, as required, in Health Canada work locations.
Keys, lock and safe combinations and entry code numbers: These are issued only to authorized persons with an established need for access in order to avoid inappropriate access to any personal information.
Office security: All First Nations and Inuit Health Branch and NIHB offices are required to ensure confidentiality of personal information by using enclosed offices and secure data-sharing equipment, to avoid exposure of personal information to unauthorized individuals.
Withdrawal of access: All employees must return their identification card when their employment is terminated. Consequently, they no longer have access to Health Canada offices. All system access is withdrawn at the same time.
Random inspections: Random, unannounced inspections of offices and work-sites may be carried out to ensure Departmental information and assets are adequately protected. Breaches of security detected during an inspection are brought to the attention of the director or manager responsible for the area and the Branch Security Coordinator.
Loss or theft: The loss or theft of personal information must be reported to the manager or designated custodian of the affected information and to the Health, Safety and Security Division or the Branch Security Coordinator. A Report of Loss or Theft Form (NHW-518 1-91) must be completed, including the police occurrence report number. When the investigation is completed, the police will contact the responsible manager to identify any recovered information.
For additional information, refer to the Treasury Board Index - Physical Security Standards, Organization and Administration Standards, Information Technology Security Standards at: www.tbs-sct.gc.ca/index_e.asp.
Password protection: Access to a system (Health Information and Claims Processing System, Status Verification System, Medical Transportation Record System, Vision System) is protected by an individual password. Access is limited only to those health professionals, authorized employees and/or administrators who require access.
Central coordination of access: The NIHB manager is responsible for authorizing staff access to only those benefit databases relevant to their work assignment. All passwords for HICPS, MTRS and SVS are assigned centrally from the NIHB Directorate, Operational Support, managers must request access for staff in writing using prescribed forms.
Regional access controls: Vision systems are regionally managed, with the respective regional manager responsible for determining who requires access and assigning individual passwords relevant to assigned work. This ensures that only those who require access are given passwords.
For further information regarding the NIHB Procedure for Authorizing Access to HICPS, MTRS, SVS and Vision systems, please refer to the Privacy Procedure section, section 3, of this document.
For further information on the standards that define baseline security requirements that federal departments must fulfill to ensure the security of information and information technology (IT) assets under their control (e.g., laptops), please refer to the Management of Information Technology Security (MITS) section of the Operational Security Standard Policy.
Encryption: According to the Health Canada Government Security Policy, Protected Information may be sent by fax or e-email, unless a Threat Risk Assessment (TRA) indicates the requirements for greater safeguards such as encryption. Information designated as Protected A and Protected B information does not require encryption when transmitted internally on the Health Canada Network. (For a definition of Protected A, Protected B and Protected C information, refer to Appendix I, under "Designated Information").
The Management of Information Technology Security (Section 16.4.4 Cryptography) states: "Departments must use encryption or other safeguards endorsed or approved by the Communications Security Establishment (CSE) to protect the electronic communication of classified and Protected C information. Departments should encrypt Protected A and Protected B information, when supported by a Threat and Risk Assessment. However, departments must encrypt protected B information before transmitting it across the Internet or a wireless network."
Information designated as Protected A and Protected B transmitted externally (Internet) must be encrypted.
All Protected C information must be encrypted for both internal and external (Internet) transmission. Due to the high sensitivity requirements, the strength of the encryption system, in unison with other safeguards, is important.
All contracts with health professionals and providers include clauses stating they are subject to the same procedures and standards as Health Canada employees. According to the Personnel Security Standards in the Government Security Policy, contractors must obtain an enhanced reliability status before their involvement with the NIHB Program. This will allow them to access designated information.
Contractors/Consultants/Providers to the Program are provided only with the information they require to complete contracted responsibilities; e.g., reviewing a vision request. Should the consultant require further information, Health Canada employees administering and managing the NIHB Program would provide only that information. They are bound by the confidentiality clause in their contract.
An example of a standard clause is:
The Recipient shall ensure that all information of a personal medical nature to which the Recipient or its officers, servants, or agents become privy pursuant to or as a result of this Agreement, shall be treated as confidential and not disclosed to any person except with the consent of the individual to whom the information relates, or otherwise in accordance with applicable law.
The Minister shall ensure that all information of a personal medical nature to which the Minister or his officers, servants, or agents become privy pursuant to or as a result of this Agreement, shall be treated as confidential and not disclosed to any person except with the consent of the individuals to whom the information relates, or otherwise in accordance with applicable law.
The Non-Insured Health Benefits (NIHB) Program will make the NIHB Privacy Code and its related policies and procedures available to First Nations and Inuit clients, providers, health care professionals and stakeholders. This also includes, but is not limited to: privacy impact assessments, employee privacy training manuals and privacy provisions in third-party contracts.
The Non-Insured Health Benefits Privacy Code and Non-Insured Health Benefits Program information are available on-line or on request from FNIHB regional offices.
Under the Privacy Act section 12(1) every individual who is a Canadian citizen or a permanent resident within the meaning of the Immigration and Refugee Protection Act has a right of access to personal information about themselves that is under the control of a government institution.
According to sections 12-17 of the Act and the completed request section of the Treasury Board Secretariat Privacy and Data Protection Policy on right to access, the Non-Insured Health Benefits (NIHB) Program will inform an individual about the existence of his or her personal information and will give an individual the right to access personal information about himself or herself included in the NIHB Personal Information Banks HCan PPU 016 and HCan PPU 017. An individual also has a right to challenge the accuracy and completeness of the information and to have it amended under appropriate circumstances.
Health Canada's Access to Information and Privacy (ATIP) office is mandated to coordinate, review and evaluate privacy requests for Health Canada including the Non-Insured Health Benefits Program. This is in accordance with the Department of Health Privacy Act Designation Order. Each federal government department or agency has an Access to Information and Privacy Coordinator. The Coordinators' offices are staffed by people who can answer questions and help clients access their personal information under the Privacy Act using a Personal Information Request Form. Additional information on this issue can be found in section 3.4 entitled Individual Access and Correction of Personal Information, later in this document
According to TBS Privacy and Data Protection policies, namely Assistance to Individuals in Exercising Their Rights and Right of Access to Personal Information, government institutions should also provide individuals with informal access to their personal information whenever possible.
According to the Treasury Board Secretariat, Deputy Ministers and Heads of Agencies are responsible for ensuring that their organizations comply with Access to Information and Privacy Acts. In addition, the President of the Treasury Board co-ordinates the administration of the Acts by preparing and distributing policies and guidelines to help institutions interpret the laws.
Clients should address their concerns on the Non-Insured Health Benefits (NIHB) Program's compliance with the Privacy Code by contacting Health Canada's Access to Information and Privacy (ATIP) office. Additional information on this issue can be found in section 3.5 entitled Privacy Complaints and Inquiries, later in this document.
The Minister of Health has designated Health Canada's Privacy Coordinator as having the power to make representations on behalf of an individual or head of the government institution to the Privacy Commissioner relevant to an investigation on a privacy complaint. Please refer to section 33 of the Privacy Act.
The Privacy Act, sections 29-35 outlines the scope, powers and procedures to be followed by the Privacy Commissioner in receiving and investigating complaints by individuals regarding the access, collection, use, disclosure, retention and disposal of their personal information held by a government institution.
Program reviews, such as statistical reporting and promotional/educational strategies, will only review:
Program reviews, such as prospective and retrospective Drug Utilization Evaluation, involve the review of:
Optimal drug use means the right drug to the right client in the right dose at the right time. First Nations and Inuit Health Branch (FNIHB) recognizes that, in order to address medication issues, and improve health outcomes, the branch must work with First Nations and Inuit communities, organizations and stakeholders to develop and implement strategies around awareness, promotion, prevention and treatment.
Of urgency are a small number of clients who may be at risk as a result of their medication use. This section sets out the approach Non-Insured Health Benefits will use to ensure that client's prescriber(s) and pharmacist(s) have the information they require to support their professional judgement in ensuring optimal medication use.
The NIHB Program is not a regulatory body or a health care provider, but a program which funds drug benefits based on the professional judgement of health care providers who prescribe and dispense medications. NIHB possesses important information that prescribers and pharmacists may not have.
NIHB, like other drug benefit programs, identifies trends in medication use on both a population and client level, using established clinical review processes. NIHB performs prospective DUE which involves sending electronic messages to pharmacists, at the time of dispensing, to alert to such potential incidences as drug to drug interaction or duplicate therapy. These messages supplement the professional judgement of the pharmacist.
The program also undertakes retrospective DUE, which is a quarterly review of client level drug utilization. As a first step in retrospective DUE appropriate medication use quantities are established using expert physician, pharmacist and DUE Advisory Committee advice. Every three months a copy of the Health Information and Claims Processing System database is generated with all identifiable information removed. This database is then queried using the established medication quantities to produce anonymized files of client medication histories. These files are then reviewed by an NIHB pharmacist to determine if the client's medication use is placing them at risk. The file identified as being at risk is then relinked to the HICPS database and the client identified. The NIHB pharmacist will then contact the client's pharmacist(s) and request that the client contact the NIHB Program at the time of the next dispense. No drug benefit information will be provided until client consent is obtained.
In order to assist at risk clients, the NIHB Program must share information with the client's prescriber(s)/pharmacist(s). Only then can the prescriber and the dispensing pharmacist review the relevant client medication history and make a decision based on professional judgment, to continue to prescribe or dispense such medication.
NIHB is committed to protecting client privacy. This means that the sharing of the client's information with the prescriber(s) and
pharmacist(s) cannot occur until the client has provided consent. While the number of clients at risk is small, the consequences of inappropriate drug therapy can be serious.
Those clients who have already signed a consent form will not need to provide any further consent. Those clients who have not provided consent will be asked, by the dispensing pharmacist, to telephone the NIHB toll-free number to talk with an NIHB pharmacist who will explain that:
The client can then ask questions, and make a decision to provide consent or not. If the client does not provide consent to share their information, no information can be provided to their pharmacist. It will then be up to the pharmacist to dispense the medication or not.
If consent has been provided, the NIHB pharmacist will contact the dispensing pharmacist and share only the relevant drug use history for the medication being requested. It will then be up to the pharmacist to decide whether or not to dispense the medication.
Once the information is shared, the client, physician and/or pharmacist can address the client's medication and treatment needs, which may range from putting in place a medication management plan to addictions and mental health treatment as part of a larger set of issues.
NIHB will review the effectiveness of these procedures on a regular basis. The NIHB Program anticipates claims processing systems changes will be put in place which will further streamline the process for both the client and pharmacists. As changes are identified updates and advice will be sought through mechanisms such as the DUE Advisory Committee, discussions with First Nations and Inuit organizations and prescriber and pharmacist organizations.
Non-Insured Health Benefits will not require express consent for day-to-day processing activities and administration of the Program. The NIHB Program requires express consent only when a patient is identified as being at-risk or if inappropriate use of the system is a concern and requires the Program to disclose personal information to a service provider.
The NIHB Program communicates information on the collection, use, disclosure, retention and disposal of personal information, to clients and stakeholders through a number of mechanisms including: the NIHB Personal Information Banks HCan PPU 016 and HCan PPU 017; the NIHB Privacy Code; the NIHB Privacy Impact Assessment; the Health Canada Website with NIHB Program and privacy information; regional office staff who are available to respond to questions and provide information to clients; and through the NIHB toll-free contact number at 1-800-259-5611. The NIHB Program has also committed to undertake a communication campaign every five years to remind clients about the collection, use and disclosure of personal information.
If a client wishes to withdraw his or her written consent, he or she must clearly state this in a letter to Health Canada, addressed to the NIHB Program.
This letter must include:
The client will receive written confirmation from the NIHB Program that their written express consent has been withdrawn. The consent form will be retained by Health Canada and will be disposed of according to the records and retention schedules of the federal government.
The mailing address for the NIHB Program is:
First Nations and Inuit Health Branch
Non-Insured Health Benefits Directorate
Postal Locator 1919A, Room 1917A
Jeanne Mance Building, Tunney's Pasture
Ottawa, Ontario K1A OK9
If a client has withdrawn his or her written consent, he or she will continue to receive benefits for which he or she is eligible subject to Program policy.
All Health Canada employees administering and managing the NIHB Program are required to review and acknowledge their compliance with the NIHB Privacy Code before assuming their duties.
Managers will review the NIHB Privacy Code with new employees immediately upon appointment. Privacy training will be arranged as soon as possible.
Employees shall be required to review the NIHB Privacy Code annually or more frequently, if changes occur.
The NIHB Program has developed the NIHB On-Line Privacy Training Module.
This training module includes:
This module is available on the Internet or on a CD-ROM. A copy of the CD-ROM has been made available to NIHB managers and First Nations and Inuit communities.
The on-line privacy training is available on the NIHB Website.
There may be instances where Health Canada uses anonymized data for research purposes. In such cases Health Canada's Research Ethics Board (REB) reviews and approves any proposed research or study. It is in place to ensure that "all research involving human subjects carried out by Health Canada, or by investigators associated with Health Canada, meets the highest scientific and ethical standards" and that "safeguards are developed which provide the greatest protection to participants who serve as research subjects."
The REB is an independent, decision-making board that reports to the Chief Scientist of Health Canada. The REB is guided by the ethical principles found in the Tri-Council Policy Statement, Ethical Conduct for Research Involving Humans. The Board is concerned solely with protecting human research subjects. It will provide the Department with an independent review mechanism and fulfil an educational function for Health Canada managers and researchers. The REB also has to comply with relevant privacy legislation.
The Non-Insured Health Benefits (NIHB) Program's commitment to privacy involves the ongoing monitoring of Program activities to ensure that any changes are in accordance with the NIHB Privacy Code and are clearly reflected in the NIHB Privacy Impact Assessment (PIA). It is understood that both these documents are based on the Privacy Act , the Canadian Charter of Rights and Freedoms, the Access to Information Act, as well as Treasury Board Secretariat policies and guidelines including, the Privacy and Data Protection Policy, the Government Security Policy and the Health Canada Security Policy. The NIHB Privacy Code addresses the requirements of these Acts and policies.
The NIHB Privacy Code and PIA form the basis of the privacy documents for the NIHB Program. Any changes to the NIHB Program will be reviewed in terms of their impact on privacy requirements as outlined in the NIHB Privacy Code. Once this impact is determined, the PIA will be revised to include the changes as well as any relevant Program policy documents.
The NIHB Program is committed to ensuring that clients continue to be aware of NIHB privacy commitments. As part of this commitment, every five years, specific communication activities will be undertaken to remind clients about the collection, use, disclosure retention and disposal of personal information as well as any changes to the NIHB Program that may have occurred.
If the Program requires personal information for uses other than what is described in Principle 2 of this Code, express consent will be required from the client, which will specify what personal information is needed and the purpose for which the information will be used.
Non-Insured Health Benefits (NIHB) protects against the possibility of any form of identification or disclosure by carefully reviewing statistical material intended for use external to the NIHB Program, and modifying the information as necessary to prevent any identification.
This could include:
The Non-Insured Health Benefits (NIHB) employee who receives a request from an individual wishing to access his or her personal information held by the NIHB Program, will inform the individual that Health Canada's Access to Information and Privacy Coordinator is mandated to coordinate, review and evaluate privacy requests on the NIHB Program.
Employees with the NIHB Program will explain the procedure on how to apply for information under the Privacy Act described in the Government of Canada's Info-Source as follows:
Should an individual wish to make a formal request under the Privacy Act, they must:
There is no charge to apply for information under the Privacy Act. The requested information, in compliance with section 14 of the Privacy Act , will be provided within 30 days after the request is received with an explanation of any abbreviations or codes. As soon as the information is available, the individual will be contacted in writing.
Employees may provide assistance to clients by listing the type of information that will assist Health Canada's Access to Information and Privacy Coordinator in the processing of the request. They may also provide assistance to clients in filling out the form. These steps will ensure that information specific to the NIHB Program will be properly identified hence facilitate the processing of the request.
If a client believes his or her personal information held by a federal institution is inaccurate or misleading, the client can ask to have it corrected. Even if the department or agency does not agree to change this information, it must make a note that the client has asked for the change and attach it to the file.
When an inquiry or complaint is received at any office of the First Nations and Inuit Health Branch (FNIHB) regarding complaints on privacy compliance concerning the Non-Insured Health Benefits (NIHB) Program, the individual will be referred to Health Canada's Access to Information and Privacy (ATIP) Office. Health Canada's ATIP Office remains accessible at all times for information on the process to submit a complaint and other privacy issues. Individuals may contact the ATIP office by calling (613) 954-8744 or by mailing their request to the Access to Information and Privacy Coordinator (see section 3.4.1 for their mailing address).
These definitions have been adapted for the specific use of the Non-Insured Health Benefits (NIHB) Privacy Code.
The complete definition of personal information can be found in section 3 of the Privacy Act.
Access to Information Act
Canadian Charter of Rights and Freedom
Library and Archives of Canada Act
Financial Administration Act
Financial Administration Act - Part V1 - Public Accounts
Privacy Legislation in Canada
Access to Information and Privacy
Using the Access to Information Act and Privacy Act
Canadian Standards Association (CSA) Standards - Privacy Code
Treasury Board Secretariat (TBS) - Government Security Policy
TBS - Privacy and Data Protection Policies
TBS - Retention and Disposal of Personal Information
TBS - Policy on the Management of Government Information
TBS - Operational Security Standard - (MITS)
TBS - Management of Information Technology Security (MITS)
Privacy Commissioner of Canada
Health Canada - Info Source Publications
Health Canada - Personal Information Banks
Government Information Management
Provincial and Territorial Legislation - Protection of Personal Information
Protection of Personal Health Information