Information for Trustees

The Personal Health Information Act (PHIA) came into force on December 11, 1997 and governs the collection, use, disclosure, retention, disposal and destruction of personal health information. The act recognizes both the right of individuals to protect their personal health information and the need of health information trustees to collect, use and disclose personal health information to provide, support and manage health care.

The following pages provide a Brief Summary of PHIA and the obligations the act places on the different types of health information trustees in Manitoba. A Brief Summary is available for each of the following:

  • Health Care Facilities
  • Health Researchers
  • Health Services Agencies
  • Health Professionals
  • Information Managers
  • Public Bodies

The Personal Health Information Act -
A Brief Summary for Health Care Facilities

INTRODUCTION

The Personal Health Information Act affects nearly every person or organization that collects or maintains health information in Manitoba, including all health information networks.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA that incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the actual legislation and its regulations. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5 (phone 204-945-3101), or can be accessed online on the Government Laws website. You may also consult the Questions and Answers document, a reference tool intended to help trustees and other stakeholders understand the amendments made to the legislation.

To help you, this summary refers to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

PHIA uses the term "trustee" to refer to the persons and organizations that are subject to the requirements in the Act respecting collection, use, disclosure, retention, destruction and security of personal health information. The Act divides trustees into four categories:

  • health care facilities
  • some health professionals
  • health services agencies (organizations that provide health care under an agreement with another trustee; the Victorian Order of Nurses and We Care are two examples)
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

How do I know if my facility is defined as a health care facility under the Act?

The Act defines “health care facility” as:

  • a hospital
  • a personal care home
  • a psychiatric facility
  • a medical clinic
  • a laboratory
  • CancerCare Manitoba, and
  • a community health centre or other facility that provides health care and which is listed in the regulations. See s. 1(1) of the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of individuals to access their own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

What are my facility’s obligations to advise individuals about their right to access their own personal health information?

Trustees are required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar means to provide this notice to individuals. The notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to individuals’ attention. See s. 9.1 of the Act and the regulation.

What are my facility’s obligations to individuals wanting to examine their own personal health information?

The Act imposes on trustees an obligation to assist individuals in gaining access to their personal health information. Trustees are to respond to access requests “without delay, openly, accurately and completely.”

An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the individual accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to any personal health information accessed by an individual, including an inpatient accessing their hospital chart. See s. 6(2) and 7(2) of the Act.

When can my facility inform an individual that a request is considered abandoned?

Under section 10.1, a trustee may require an individual to provide additional information in relation to their request, including any additional information that is necessary to respond to the request, and/or may provide an estimate of the fee that will be charged to provide the information and require the individual to indicate whether they accept it. The individual has up to 30 days from the day the trustee’s request is given to provide the additional information, accept the estimated fee, or modify their request to reduce the amount of the fee. When such a request is given to an individual under this section, the time within which the trustee is required to respond to the access request is suspended until the individual provides the required information or acceptance. If the individual does not provide the additional information or acceptance within 30 days, the trustee may determine that the request has been abandoned. See s. 10.1 of the Act.

If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.

When can my facility disregard an access request?

Section 11.1 permits a trustee to disregard a request if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or that the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic or is otherwise made in bad faith. See s. 11.1 of the Act.

If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.

Are individuals entitled to examine all their personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party
  • there is a reasonable expectation that it would result in harm to the individual or someone else
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to portions of an individual’s personal health information, they still have an obligation to allow access to those portions of the individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

  • (a) the trustee, if the trustee is a health professional;
  • (b) a health professional chosen by the trustee. See s. 7.1(2) of the Act.

Are individuals entitled to copies of their personal health information?

Yes. Individuals are entitled to obtain a copy of any personal health information they are entitled to examine, with the exception of psychological tests or data. If an individual requests information related to psychological tests or data, the trustee is not required to provide a copy if the conditions set out in section 7.1 of PHIA are met. See ss. 5(1) and 7.1 of the Act.

How much time does my facility have to respond to a request to access personal health information?

Trustees must respond to requests for access as promptly as required in the circumstances but no later than

  • (a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
  • (b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
  • (c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA.

A failure to respond within the required time frame will be considered a refusal to permit access. See s. 6(1) of the Act.

Can individuals alter their personal health information without my facility’s consent?

No. An individual has a right to point out information they believe is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that makes anyone reading the record aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement, which must be attached to and form part of the individual's health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.
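The three correction rules above (strike out, never erase; attach any statement of disagreement to the record; pass corrections on to everyone the information was disclosed to in the previous year) map naturally onto an append-only record structure. The following is an added illustration written for this summary, not code from the Act, the regulation or any Manitoba health system; the record layout, the identifiers and the reading of "previous year" as the 365 days before the correction date are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Entry:
    """One recorded item of personal health information (hypothetical layout)."""
    entry_id: int
    text: str
    recorded_on: date
    struck: bool = False                 # a struck-out entry stays in the record
    superseded_by: Optional[int] = None  # cross-reference to the correcting entry


@dataclass
class Disclosure:
    """A record of one disclosure outside the trustee organization."""
    recipient: str
    disclosed_on: date


@dataclass
class HealthRecord:
    entries: List[Entry] = field(default_factory=list)
    disagreements: List[Tuple[int, str, date]] = field(default_factory=list)
    disclosures: List[Disclosure] = field(default_factory=list)
    next_id: int = 1

    def add(self, text: str, on: date) -> Entry:
        entry = Entry(self.next_id, text, on)
        self.next_id += 1
        self.entries.append(entry)
        return entry

    def correct(self, entry_id: int, corrected_text: str, on: date) -> Entry:
        """Strike out the old entry and append the correction, cross-referenced
        to it. Nothing is ever removed from `entries`."""
        old = self.find(entry_id)
        if old.struck:
            raise ValueError(f"entry {entry_id} has already been corrected")
        new = self.add(corrected_text, on)
        old.struck = True
        old.superseded_by = new.entry_id
        return new

    def attach_disagreement(self, entry_id: int, statement: str, on: date) -> None:
        """A statement of disagreement becomes part of the record (it is not
        a correction, so the disputed entry is left as recorded)."""
        self.find(entry_id)  # raises KeyError if the entry does not exist
        self.disagreements.append((entry_id, statement, on))

    def record_disclosure(self, recipient: str, on: date) -> None:
        self.disclosures.append(Disclosure(recipient, on))

    def recipients_to_notify(self, as_of: date) -> List[str]:
        """Recipients who must be sent the correction or statement of
        disagreement: everyone disclosed to within the previous year.
        Assumption: 'previous year' is taken as the 365 days up to `as_of`."""
        cutoff = as_of - timedelta(days=365)
        return sorted({d.recipient for d in self.disclosures
                       if cutoff <= d.disclosed_on <= as_of})

    def find(self, entry_id: int) -> Entry:
        for entry in self.entries:
            if entry.entry_id == entry_id:
                return entry
        raise KeyError(entry_id)

    def render(self) -> List[str]:
        """A reader's view: struck entries remain visible with their cross-reference."""
        lines = []
        for e in self.entries:
            marker = f" [STRUCK OUT, see entry {e.superseded_by}]" if e.struck else ""
            lines.append(f"{e.entry_id} {e.recorded_on.isoformat()} {e.text}{marker}")
        for entry_id, statement, on in self.disagreements:
            lines.append(f"Statement of disagreement re entry {entry_id} ({on.isoformat()}): {statement}")
        return lines


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    record = HealthRecord()
    allergy = record.add("Allergy: penicillin", date(2023, 3, 1))
    record.record_disclosure("Referral clinic", date(2023, 6, 1))
    record.record_disclosure("Out-of-province lab", date(2021, 6, 1))
    record.correct(allergy.entry_id, "Allergy: amoxicillin", date(2024, 1, 10))
    record.attach_disagreement(2, "Patient states reaction was to penicillin, not amoxicillin.",
                               date(2024, 1, 12))
    print("\n".join(record.render()))
    print("Notify:", record.recipients_to_notify(date(2024, 1, 10)))
```

The point of the structure is that `correct()` cannot lose the original wording: the struck entry, its cross-reference and every statement of disagreement survive in the rendered record, and the notification list is derived from the disclosure log rather than kept by hand.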

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual’s proxy appointed in a health care directive
  • the individual’s committee appointed under The Mental Health Act
  • an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney
  • the individual’s parent or guardian if the individual is a child who is too young to make health care decisions. For a complete list of representatives, see s. 60(1) of the Act.

If a person is incapacitated and no individual described above is available, the first adult listed below who is readily available and willing to act may exercise the person’s rights under PHIA:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • a grandchild;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) & (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the individual is incapacitated and no representative is available, a person authorized as outlined above has a right to access that individual's personal health information. A request for access to personal health information by anyone else must be assessed under the provisions of the Act dealing with disclosure of personal health information.


II. PROTECTION OF PRIVACY

What are my facility’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my facility’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

Why does the purpose for the collection of personal health information need to be determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. The Act requires trustees to notify the individual of this purpose at the time the information is collected. Besides meeting this statutory obligation, identifying the purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of the particular facility as well as the circumstances in which the collection takes place. For example, a psychiatric facility is likely to collect personal health information for a different purpose than the emergency ward of a hospital. The personal health information needed when an individual comes to a clinic for an inoculation will likely be different from what is needed when someone enters a personal care home.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about their own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow them to make an informed decision about providing personal health information. This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, they must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s.15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must personal health information be collected only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when the individual has authorized it, when circumstances do not permit collection of the information from the person, or when the information supplied by the individual is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to the individual’s friends and family or to other individuals.

Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, or e-mail, or by revealing the information orally.

What obligations does the Act place on my facility when using or disclosing personal health information?

The general rule concerning use and disclosure of personal health information is that no use or disclosure of the information may be made except:

   – to the extent that it is necessary to accomplish the purpose for which the personal health information was collected, or

   – with the informed consent of the individual it is about. See s. 21, 22 of the Act.

There are some exceptions to this general rule. For example, PHIA authorizes a trustee to use and disclose personal health information for research and planning that relates to the provision of health care, or payment for health care, by the trustee. In some cases, personal health information may be disclosed without the individual's consent when it is required for specific humanitarian purposes, such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone's death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or lessen a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

Trustees may disclose to a person's immediate family or a close personal friend information about the care that the person is currently receiving as a patient or resident in a health care facility or from a trustee at their home, if the disclosure is made in accordance with good medical and other professional practice and the trustee reasonably believes the disclosure to be acceptable to the person.

In addition, trustees may disclose information where such disclosure is authorized or required by an enactment of Manitoba or Canada. For example, The Gunshot and Stab Wounds Mandatory Reporting Act requires every health care facility that treats a person for a gunshot or stab wound to disclose the following information to the local police service:

(a) the person's name, if known;
(b) the fact that the person is being treated, or has been treated, for a gunshot or stab wound;
(c) the name and location of the health care facility.

See s. 2(2) of The Gunshot and Stab Wounds Mandatory Reporting Act for more information on the disclosure requirements under that Act.

Health care facilities may use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care. See s. 21(d) and 22(2)(g) of the Act.

Health care facilities may also disclose information to:

  • a religious organization, unless asked by the individual not to share this information. The only information that can be shared is the individual’s name, general health status and location in the facility.
  • a charitable fundraising foundation associated with the facility, unless the patient tells the facility not to. The only information that can be shared is the name and mailing address of patients or residents, or former patients or residents.

Every use and disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

For more information on the requirements for disclosure of information to a religious organization or charitable fundraising foundation, see s. 23.1 and 23.2 of the Act and the Regulation.

For more exceptions to the general rule respecting use and disclosure of information, see s. 21, 22(2), 22(2.1) and 23 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

A trustee may use or disclose identifiable personal health information for research and planning that relates to the provision of health care, or payment for health care, by the trustee, or with the informed consent of the individual the information is about. See s. 21, 22 of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), as established by Research Manitoba. See s. 8.2 of the Regulation.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

C. RETENTION, SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

The Act requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not be accessed even by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information.

Among other things, these safeguards must include procedures to limit access to the information to authorized people and to ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and the Regulation.

Does my facility have to notify anyone if a privacy breach occurs?

Section 19.0.1 of PHIA provides that a trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Section 8.7 of the Personal Health Information Regulation sets out the list of factors that trustees must consider in determining if a privacy breach could reasonably be expected to create a real risk of significant harm to an individual, including:

  • (a) the sensitivity of the personal health information involved;
  • (b) the probability that the personal health information could be used to cause significant harm to the individual;
  • (c) any other factors that are reasonably relevant in the circumstances.

Where a trustee provides notice of a privacy breach to an individual under section 19.0.1 of PHIA, the trustee must also notify the Ombudsman of the privacy breach at the time and in the form and manner that the Ombudsman requires. See s. 19.0.1 of the Act.

For more information, please review the Guideline on Privacy Breaches.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.


III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally, including conducting compliance audits of trustees. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on the Ombudsman's own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with the Act and must file an annual report with the Manitoba Legislature. See s. 28, 34(3), 41 and 48(2) of the Act.

In carrying out the duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, and 30 of the Act.

The Ombudsman will report the investigation results and any recommendations to the trustee.

If a trustee does not respond to, or comply with, the Ombudsman’s recommendations made as the result of an investigation, the Ombudsman may request a review by the Adjudicator, who may make an order that the trustee must comply with.

Recommendations made by the Ombudsman as a result of an investigation must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of the duties under PHIA. See s. 29, 30, 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, subsection 27.1(1) and section 65 of PHIA provide that employees, officers and agents of a trustee, who believe in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of PHIA, may notify the Ombudsman of the contravention. They may also disclose personal health information to the Ombudsman in providing this notice, but only if the Ombudsman requests this information.

The identity of any person providing such notification will be kept confidential. Any individual providing such notice to the Ombudsman also has protection from liability for disclosing personal health information requested by the Ombudsman, and amendments to subsection 65(1) provide protection from adverse employment action for, in good faith, giving notification or disclosing personal health information to the Ombudsman under section 27.1. See s. 27.1(1) and s. 65 of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. If the Trustee does not  respond to, or comply with the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline for the Trustee to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be completed within 90 days unless extended as provided in the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator’s orders.

B. PENALTIES

What penalty is imposed for a violation of the Act?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

The limitation period for commencing prosecutions under PHIA is two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. See s. 63(6) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act;
  • failing to protect personal health information in a secure manner;
  • failing to comply with section 19.0.1 (notification of privacy breach);
  • willfully concealing, altering or falsifying personal health information with the intent to evade an individual's request to examine or copy the information; and
  • knowingly helping another person, or counseling another person, to contravene clauses 63(1)(a)-(g). See s. 63 of the Act.

To whom will the penalty apply?

The penalty for a violation of the Act may be imposed against the health care facility itself, but it may also be imposed against any director or officer of the health care facility who authorized, permitted or acquiesced in the offence. See s. 64(2) of the Act.

Employees of a health care facility may be prosecuted for deliberately erasing or destroying personal health information to prevent an individual from getting access to it, or for willfully disclosing personal health information when their employer would not be permitted to disclose it. See s. 63(1)(c), 63(2) of the Act.

IV. MISCELLANEOUS

Who is responsible for ensuring that a health care facility complies with the Act?

The Act requires a health care facility to appoint at least one of its employees to be a “privacy officer.” The role of a privacy officer is to:

  • facilitate access by individuals to their personal health information, and
  • facilitate the health care facility’s compliance with the Act. See s. 57 of the Act.

The ultimate responsibility for a health care facility’s compliance with the Act rests with its board of directors and officers. As noted earlier, directors and officers may be personally prosecuted for authorizing, permitting or acquiescing in a violation of the Act by a health care facility. See s. 64(2) of the Act.

The Personal Health Information Act -
A Brief Summary for Health Researchers

INTRODUCTION

The Personal Health Information Act (PHIA) regulates the collection, use, disclosure, security and destruction of personal health information by trustees. It has important implications for health researchers.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 204-945-3103 or can be accessed online on the Government Laws website. You may also consult the Questions and Answers document, which provides more information on the amendments.

To help you, this summary refers to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  – is recorded in any form;
  – can be linked to an identifiable individual; and
  – relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

It is important for researchers to note that PHIA only applies to health information that can be connected to a particular individual either on its own or when combined with other available information. The Act does not apply to health information that is about anonymous individuals who cannot be identified.

What is a “trustee”?

PHIA uses the term "trustee" to refer to the persons and organizations that are subject to the requirements in the Act respecting collection, use, disclosure, retention, destruction and security of personal health information. The Act identifies four categories of trustees:

  – health care facilities
  – some health professionals
  – health services agencies (organizations that provide health care under an agreement with another trustee - the Victorian Order of Nurses and We Care are two examples)
  – public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

Some of these categories are defined more fully in the regulations.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  – A duty to assist individuals in gaining access to their own personal health information.
  – A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common law right of individuals to access their own personal health information. There are three elements to this right:

  – A right to examine personal health information.
  – A right to obtain a copy of personal health information.
  – A right to seek a correction of personal health information.

II. PROTECTION OF PRIVACY

What are a trustee’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

The obligations of a trustee as set out in the Act affect the:

  – collection
  – use
  – disclosure
  – security
  – retention and
  – destruction of personal health information.

What are a trustee’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information.

  – To notify the individual of the purpose for the collection of personal health information.
  – To collect only necessary personal health information.
  – To collect personal health information from the individual whenever possible.

Why does the purpose for the collection of personal health information need to be determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. Not only does the Act impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of the particular trustee as well as the circumstances in which the collection takes place. For example, a psychiatric facility is likely to collect personal health information for a different purpose than the emergency ward of a hospital. The personal health information needed when an individual comes to a clinic for an inoculation will likely be different from what is needed when someone enters a personal care home. If the trustee is a teaching hospital, one of the stated purposes of collection of personal health information may be research by staff within the facility.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that individuals have rights to make decisions about their own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, that person must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s. 15(1) of the Act.

In what situations does PHIA prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. The Act prohibits the collection of personal health information for illegal purposes, purposes unrelated to the function or activity of the trustee, and purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

What is the difference between use and disclosure?

For the purposes of PHIA, “use” refers to what is done with the personal health information within the trustee organization. If research is being done within the trustee organization by its staff, it is a “use.”

For example, PHIA says a public body or a health care facility can use personal health information for research and planning that relates to the provision of health care or payment for health care by those trustees. See s. 21(d)(ii) of the Act.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, the individual’s friends and family, or to other individuals. For example, if a trustee is requested to reveal personal health information to a university student to use in a thesis, it would be a disclosure.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail, or by revealing the information orally.

A trustee is permitted to disclose personal health information without the consent of the individual it is about for the purpose of research related to the provision of health care or payment for health care where the researcher is performing the research for the trustee on a contract basis. See s. 22(2)(g)(ii) of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed to a health research organization for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), as established by Research Manitoba. See s. 8.2 of the Regulation.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

What obligations are placed on a trustee by the Act when using or disclosing personal health information?

The general rule concerning use and disclosure of personal health information is that no use or disclosure of the information may be made except:

  – to the extent that it is necessary to accomplish the purpose for which the personal health information was collected, or
  – with the informed consent of the individual it is about. See s. 21, 22 of the Act.

There are some exceptions to this general rule. PHIA authorizes a trustee to use and disclose personal health information for research and planning that relates to the provision of health care or payment for health care by the trustee. Every such use or disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed. See s. 21, 22 of the Act.

What are the Act’s goals with regard to health research?

While PHIA is designed to protect and safeguard personal health information, it recognizes that such information may sometimes be needed by health researchers. So researchers may be given access to personal health information as long as they follow rules required for approval of their research projects and safeguard its confidentiality.

As a researcher, how do I get the personal health information I need for my project?

PHIA provides that a proposal for research that requires the disclosure of personal health information by a trustee, and that is not undertaken by or on behalf of a trustee in relation to the provision of health care or payment for health care by that trustee, must be approved by the following two new committees:

  1. The Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER) - established by Research Manitoba.
  2. The Health Research Privacy Committee established by the Minister of Health under PHIA.

More details on this topic are available at www.rithim.ca/rithimlaunchfaq

What are the minimum requirements for approval of any research project that uses personal health information?

An approval may be given only if:

(a) the research is of sufficient importance to outweigh the intrusion into privacy that would result from the disclosure of personal health information;
(b) the research purpose cannot reasonably be accomplished unless the personal health information is provided in a form that identifies or may identify individuals;
(c) it is unreasonable or impractical for the person proposing the research to obtain consent from the individuals the personal health information is about;
(d) the research proposal contains
      (i) reasonable safeguards to protect the confidentiality and security of the personal health information, and
      (ii) procedures to destroy or remove, at the earliest opportunity consistent with the purposes of the research, any information that, either by itself or when combined with other information available to the holder, allows individuals to be readily identified; and
(e) any other requirements specified in the regulations are complied with. See s. 24(3) of the Act.

What do I have to do to get personal health information from a trustee?

If your research project is approved, you have to sign an agreement with the trustee:

  – not to publish identifiable personal health information
  – to use personal health information only for the approved project
  – to protect adequately the confidentiality of the personal health information during the project. See s. 24(4) of the Act.

What if I need to contact the individuals the personal health information is about?

If your project will require direct contact with individuals, the trustee your agreement is with must get the individuals’ consent before disclosing the personal health information to you.

There is one exception to this rule. The trustee doesn’t need the individuals’ consent if you just need a random sample of Manitobans and only need the individuals’ names and addresses. See s. 24(5) of the Act.

What security precautions must be taken with respect to personal health information?

The Act requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and the Regulation.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

OTHER GENERAL PROVISIONS

Is it permissible to disclose personal health information to information managers?

The Act defines an information manager as a person or body that:

  – processes, stores or destroys personal health information for a trustee, or
  – provides information management or information technology services to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers require access to personal health information. If you are a trustee, you may disclose personal health information to an information manager only after the information manager has a written agreement with you that ensures the personal health information is adequately protected. And, as the trustee, you remain responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman's role can be divided into two broad categories:

  – supervising compliance with the Act generally. See Part 4 of the Act.
  – dealing with complaints about specific violations of the Act. See Part 5 of the Act.

In carrying out the duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, and 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

The Ombudsman has the ability to request a review by the Adjudicator, who may make an Order for the Trustee to comply with, in the event a Trustee does not respond to, or comply with, the Ombudsman’s recommendations made as a result of an investigation.

Recommendations made by the Ombudsman as a result of an investigation must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of the duties under PHIA. See s. 29, 30, 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, subsection 27.1(1) and section 65 of PHIA provide that employees, officers and agents of a trustee, who believe in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of PHIA, may notify the Ombudsman of the contravention. They may also disclose personal health information to the Ombudsman in providing this notice, but only if the Ombudsman requests this information.

The identity of any person providing such notification will be kept confidential. Any individual providing such notice to the Ombudsman will also have protection from liability for disclosing personal health information requested by the Ombudsman, and amendments to subsection 65(1) provide protections from adverse employment action for, in good faith, giving notification or disclosing personal health information to the Ombudsman under section 27.1. See s.27.1(1) and s.65 of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. If the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline for the Trustee to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be completed within 90 days unless extended as provided in the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator’s orders.

The Personal Health Information Act -
A Brief Summary for Health Services Agencies

INTRODUCTION

The Personal Health Information Act affects nearly every person or organization that collects or maintains personal health information in Manitoba, including all health information networks.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3103 or can be accessed online on the Government Laws website. You may also consult the Questions and Answers document, which provides more information on the amendments at www.gov.mb.ca/health/phia/docs/amendments_faq.pdf. To help you, this summary will refer to specific sections in PHIA.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

PHIA uses the term “trustee” to refer to the persons and organizations who maintain personal health information and who are subject to the requirements in the Act respecting the collection, use, disclosure, retention, security and destruction of personal health information. The Act divides trustees into four categories:

  • health care facilities
  • some health professionals
  • health services agencies
  • public bodies. See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

How do I know if my health services agency is defined as a trustee under the Act?

A “health services agency” is defined under the Act as an organization that provides community or home based health care under an agreement with another trustee. See s. 1(1) of the Act.

The other three categories of trustees comprise large numbers of institutions and professionals. That is,

  • health care facilities include hospitals, personal care homes, psychiatric facilities, medical clinics, laboratories and X-ray clinics, CancerCare Manitoba, community health centers and other facilities designated in the regulations.
  • health professionals include people licensed to practice under an Act (doctors, nurses, chiropractors, midwives and others) and other professionals designated in the regulations.
  • public bodies include provincial government departments or agencies, city and municipal governments, educational institutions and regional health authorities.

Therefore, if you are providing health care under an agreement with any of the above trustees and collect or maintain personal health information, then you are also a trustee under the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean under PHIA?

The Act puts in statutory form the common law right of individuals to access their own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When individuals are requesting access to a record containing their own personal health information, Part 2 of The Freedom of Information and Protection of Privacy Act (FIPPA) does not apply. They must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Trustees are required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information.

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my agency’s obligations to individuals wanting to examine their own personal health information?

The Act imposes on trustees an obligation to assist individuals in gaining access to their personal health information. Trustees must respond to access requests “without delay, openly, accurately and completely.”

An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the person accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to any personal health information provided to an individual in response to an access request, including to an inpatient accessing their hospital chart. See s. 6(2) and 7(2) of the Act.

When can my agency inform an individual that a request is considered abandoned?

Under section 10.1, a trustee may require an individual to provide additional information in relation to their request, including additional information that is necessary to respond to the request, and/or may provide a fee estimate to provide the information and require the individual to indicate if they accept the estimate of the amount of the fee that will be charged. An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee or modify their request to reduce the amount of the fee. When a request is given to an individual under this section, the time within which the trustee is required to respond to the access request is suspended until the individual provides the required information or acceptance. If the additional information or acceptance is not provided by the individual within 30 days, the trustee may determine that the request has been abandoned. See s.10.1 of the Act.

If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.

When can my agency inform an individual that a request is being disregarded?

Section 11.1 permits a trustee to disregard a request if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith. See s.11.1 of the Act.

If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.

Are individuals entitled to examine all of their personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • there is a reasonable expectation that it would result in harm to the individual or someone else
  • revealing it would disclose confidential information about a third party
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are permitted to refuse access to portions of an individual’s personal health information, they still have an obligation to allow access to those portions not exempted by the Act. See s. 11(2) of the Act.

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

  • (a) the trustee, if the trustee is a health professional;
  • (b) a health professional chosen by the trustee. See s. 7.1 of the Act.

Are individuals entitled to copies of their personal health information?

Yes. The Act gives individuals the right to obtain a copy of any personal health information they are entitled to examine except information related to psychological tests or data. 

If an individual is requesting information related to psychological tests or data, a trustee is not required to provide a copy if the conditions set out in Section 7.1 of PHIA are met. See ss. 5(1) and 7.1 of the Act.

How much time does my agency have to respond to a request to access personal health information?

The Act requires trustees to respond to an access request as promptly as required in the circumstances, but no later than

(a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
(b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
(c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA. 

A failure to respond within the required time frame will be considered a refusal to permit access. See s. 6(1) of the Act.

Can an individual alter his or her personal health information without my agency’s consent?

No. Individuals have a right to point out information they believe is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that makes anyone reading the record aware of the correction. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement, which must be attached to and form part of the health record for this individual. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual’s proxy appointed in a health care directive
  • the individual’s committee appointed under The Mental Health Act
  • an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives, see s. 60(1) of the Act.

If a person is incapacitated and no individual described above is available, the amendments to the Act authorize the first adult in the following list who is readily available and willing to act to exercise the person’s rights under PHIA:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • a grandchild;
  • an aunt or uncle;
  • a nephew or niece.

See s. 60(2) & (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the individual is incapacitated and no representative is available, a person authorized as outlined above has a right to access that individual's personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my agency’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my agency’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

Why does the purpose for the collection of personal health information need to be determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. Not only does the Act impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of your particular agency as well as the circumstances in which the collection takes place.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that individuals have a right to make decisions about their own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, this person must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s. 15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. The Act prohibits the collection of personal health information for illegal purposes, purposes unrelated to the function or activity of the trustee, and purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must my agency collect personal health information only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes.

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when the individual has authorized it, when circumstances do not permit collection of the information from the person, or when the information supplied by the individual is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of PHIA, “use” refers to what is done with the personal health information within the trustee organization, that is, within your own agency. “Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to friends and family of the individual or to other individuals.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, by sending it to them by mail, fax or e-mail, or by revealing the information verbally.

What obligations are placed on my agency by PHIA when using or disclosing personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected, or
  • the trustee has the informed consent of the individual it is about. See s. 21 and 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent to the extent that it is necessary to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone’s death and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public. For more exceptions to the general rule, see s. 21, 22(2) and 23 of the Act.

Every such use or disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

May personal health information be disclosed for research purposes?

The Act does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes. A trustee may use or disclose identifiable personal health information for research and planning that relates to the provision of health care, or payment for health care by the trustee or with the informed consent of the individual the information is about. See s. 21, 22 of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), established by Research Manitoba. See s. 8.2 of the Regulations.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of PHIA.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

PHIA requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information.

Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and the Regulation.

Does my agency have to notify anyone if a privacy breach occurs?

Section 19.0.1 of PHIA provides that a trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Section 8.7 of the Personal Health Information Regulation sets out the list of factors that trustees must consider in determining if a privacy breach could reasonably be expected to create a real risk of significant harm to an individual, including:

(a) the sensitivity of the personal health information involved;
(b) the probability that the personal health information could be used to cause significant harm to the individual;
(c) any other factors that are reasonably relevant in the circumstances.

Where a trustee provides notice of a privacy breach to an individual under section 19.0.1 of PHIA, the trustee must notify the Ombudsman of the privacy breach at the time and in the form and manner that the Ombudsman requires. For more information, please review the Guideline on Privacy Breaches. See s.19.0.1 of the Act.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III ENFORCEMENT

What is the role of the Ombudsman in enforcing PHIA?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of PHIA with respect to:

  • access requests or
  • protection of privacy. See Part 5 of PHIA.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on the Ombudsman’s own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with the Act and must file an annual report with the Manitoba Legislature. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out the duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations in relation to the investigation of a complaint, the Ombudsman may request a review by the Adjudicator, who may make an Order that the Trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of the duties under PHIA. See s. 29, 30, 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, subsection 27.1(1) and section 65 of PHIA provide that employees, officers and agents of a trustee, who believe in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of PHIA, may notify the Ombudsman of the contravention. They may also disclose personal health information to the Ombudsman in providing this notice, but only if the Ombudsman requests this information.

The identity of any person providing such notification will be kept confidential. Any individual providing such notice to the Ombudsman will also have protection from liability for disclosing personal health information requested by the Ombudsman, and amendments to subsection 65(1) protect a person from adverse employment action for giving notification or disclosing personal health information to the Ombudsman under section 27.1 in good faith. See s. 27.1(1) and s. 65 of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible for investigating privacy and access complaints and for reporting the investigation results and any recommendations to the Trustee. If the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be completed within 90 days unless extended as provided by the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator’s orders.

What penalty is imposed for a violation of the Act?

The Act permits a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

The limitation period for commencing prosecutions under PHIA is two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. See s. 63(6) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act;
  • failing to protect personal health information in a secure manner;
  • failing to comply with section 19.0.1 (notification of privacy breach);
  • willfully concealing, altering or falsifying personal health information with the intent to evade an individual’s request to examine or copy the information; and
  • knowingly helping another person, or counseling another person, to contravene clauses 63(1)(a)-(g). See s. 63 of the Act.

To whom will the penalty apply?

If the agency is a corporation, directors or officers who authorize, permit or acquiesce in an offence can also be guilty. See s. 64(2) of the Act.

Employees of a health services agency may be prosecuted for deliberately erasing or destroying personal health information to prevent an individual from getting access to it or for willfully disclosing personal health information when their employer would not be permitted to disclose it. See s. 63(1)(c), 63(2) of the Act.

IV. MISCELLANEOUS

Who is responsible for ensuring that a health services agency complies with the Act?

The Act requires a health services agency to appoint at least one of its employees to be a “privacy officer.” The role of a privacy officer is to:

  • facilitate access by individuals to their personal health information, and
  • facilitate the health services agency’s compliance with the Act. See s. 57 of the Act.

Ultimate responsibility for a health services agency’s compliance with the Act rests with its board of directors and officers, if it is a corporation. As noted earlier, directors and officers may be personally prosecuted for authorizing, permitting or acquiescing in a violation of the Act by a health services agency. See s. 64(2) of the Act.

The Personal Health Information Act -
A Brief Summary for Health Professionals

INTRODUCTION

As a health professional, you are affected by The Personal Health Information Act. Whether you are considered a “trustee” or are employed by a trustee, the Act will affect the way you deal with the personal health information of your patients, clients or residents.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5; phone 204-945-3103 or can be accessed online on the Government Laws website. You may also consult the Questions and Answers document, which provides more information on the amendments.

To help you, this summary will refer to specific sections in PHIA. You should note that where personal health information is contained in a clinical record compiled and held in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA. See s. 4(3) of PHIA.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

PHIA uses the term "trustee" to refer to the persons and organizations who maintain personal health information and who are subject to the requirements in the Act respecting the collection, use, disclosure, retention, security and destruction of personal health information. The Act identifies trustees as:

  • some health professionals;
  • health care facilities (such as hospitals, psychiatric facilities and personal care homes);
  • health-services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information or to manage or service information systems), as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

As a health professional, how do I know if I am a trustee or not?

Health professionals:

  • are licensed or registered to provide health care under a statute; or
  • belong to a group listed in the regulations. See s. 1(1) of the Act and s.1.2 of the Regulation.

Health professionals are trustees if they are:

  • self-employed (that is, in “private practice”) or in a partnership arrangement; or
  • employed by a non-trustee.

Health professionals employed by a trustee (such as a hospital, personal care home or government department) are not considered trustees. However, as employees, these health professionals will also be affected by the Act. For example, it is an offence for an employee willfully to disclose personal health information when his or her employer is prohibited from doing so. See s. 61, 63(2) of the Act.

What are my obligations as a trustee?

A trustee’s obligations fall into two main categories:

  1. A duty to help individuals gain access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of individuals to access their own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When individuals are requesting access to records containing their own personal health information, Part 2 of FIPPA does not apply. They must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Trustees are required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information.

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 of the Act and s.1.4 of the Regulation.

What are my facility's obligations to individuals wanting to examine their own personal health information?

The Act obliges trustees to help an individual gain access to his or her personal health information.

Trustees must respond to access requests “without delay, openly, accurately and completely.” An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the person accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to any personal health information provided to an individual in response to an access request, including to an inpatient accessing their hospital chart. See s. 6(2), 7(2) of the Act.

When can a trustee inform an individual that a request is considered abandoned?

Under section 10.1, a trustee may require an individual to provide additional information in relation to their request for access to their personal health information maintained by the trustee, including additional information that is necessary to respond to the request, and/or may provide a fee estimate to provide the information and require the individual to indicate if they accept the estimate of the amount of the fee that will be charged. An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee or modify their request to reduce the amount of the fee. When a request is given to an individual under this section, the time within which the trustee is required to respond to the access request is suspended until the individual provides the required information or acceptance. If the additional information or acceptance is not provided by the individual within 30 days, the trustee may determine that the request has been abandoned. See s.10.1 of the Act.

If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.

When can a trustee inform an individual that a request is being disregarded?

Section 11.1 permits a trustee to disregard a request for access to personal health information maintained by the trustee, if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith. See s.11.1 of the Act.

If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.

Are individuals entitled to examine all their personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party;
  • there is a reasonable expectation that it would result in harm to the individual or someone else;
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to some of an individual’s personal health information, they still have an obligation to allow access to the portions of an individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

  • (a) the trustee, if the trustee is a health professional;
  • (b) a health professional chosen by the trustee. See s. 7.1 of the Act.

Am I required to provide copies of an individual's personal health information?

Yes. Individuals are entitled to obtain a copy of any personal health information they are entitled to examine except psychological tests or data.

If an individual is requesting information related to psychological tests or data, a trustee is not required to provide a copy if the conditions set out in Section 7.1 of PHIA are met. See ss. 5(1) and 7.1 of the Act.

How much time do I have to respond to a request to examine personal health information?

The Act requires trustees to respond to an access request as promptly as possible in the circumstances but no later than

  • (a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
  • (b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
  • (c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA. 

A failure to respond within the required timeframe will be considered a refusal to permit access. See s. 6(1) of the Act.

Can individuals alter their personal health information without my consent?

No. Individuals have a right to point out information they believe is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether or not a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement. This must be attached to and form part of the health record for this individual. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All the rights of an individual may be exercised by his or her representative.

The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual's proxy appointed in a health care directive
  • the individual's committee appointed under The Mental Health Act
  • an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney
  • the individual's parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives see s. 60(1).

If a person is incapacitated and no individual described above is available, the first adult on the following list who is readily available and willing to act may exercise the individual's rights under PHIA:

  • the individual's spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • a grandchild;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) and (3) of PHIA.

No one other than the individual the personal health information is about, that individual's representative or, if the person is incapacitated and no representative is available, a person authorized as outlined above has a right to access the individual's personal health information. A request for access to personal health information by anyone other than the individual or the individual's representative must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my obligations concerning the protection of an individual's privacy with respect to personal health information?

A trustee's obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention, and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  • To notify the individual of the purpose for collecting personal health information.
  • To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  • To collect personal health information from the individual whenever possible.

Why do I have to determine the purpose for collecting personal health information?

Determining the purpose for collecting this information is a critical requirement of the Act. Not only does the Act require trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for collecting information will help determine what can be collected and how it can later be used.

The purpose for collecting personal health information will depend on who is collecting it as well as the circumstances in which the collection takes place. For example, a general practitioner physician may have a different purpose for collecting such information than a dentist or a physiotherapist. The purpose of a general practitioner in collecting personal health information may even differ from that of a physician in an emergency room.

Why do I have to notify the individual of the purpose for collecting personal health information?

This requirement is based on the principle that individuals have a right to make informed decisions about their own health care. Notifying the individual as fully as possible about the reasons for collecting personal health information will allow the individual to make an informed decision about disclosing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, this person must advise the individual about someone who can be contacted to gain more information about the reason personal health information is being collected. See s. 15(1) of the Act.

Do I always have to notify the individual of the purpose for collecting personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for collecting the personal health information. See s. 13 of the Act.

Must I collect personal health information only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  • It helps ensure the accuracy of the information.
  • It prevents trustees from revealing personal health information to others by the questions they pose.
  • It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When am I permitted to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, collection is permissible when the individual has authorized it, when circumstances do not permit collection from the individual or when the information the individual supplies is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of PHIA, "use" refers to what is done with the personal health information within the trustee organization.
"Disclosure" involves revealing personal health information outside the trustee organization to other trustees, to the individual's friends and family or to other individuals.
Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, by sending it to them by mail, fax or e-mail, or by revealing the information orally.

What obligations does the Act place on me when I use or disclose personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected, or
  • the trustee has the informed consent of the individual it is about. See ss. 21 and 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual's consent as it is required to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone's death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public. Every such use or disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

For more exceptions to the general rule, see s. 21, s. 22, s. 23 and s. 23.1 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with anonymous or statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

A trustee may use or disclose identifiable personal health information for research and planning that relates to the provision of health care, or payment for health care by the trustee or with the informed consent of the individual the information is about. See ss. 21 and 22 of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

Personal health information may also be used for research if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), established by Research Manitoba. See s. 8.2 of the Regulations.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee

See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

May I sell my health records when I sell my professional practice?

Yes. The Act permits the sale of personal health information to another trustee as part of the sale or disposition of a professional practice or a pharmacy in compliance with The Pharmaceutical Act. However, selling personal health information or disclosing it for gain for any other purpose is strictly prohibited. See s. 27 of the Act.

C. RETENTION, SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must I take with respect to personal health information?

Personal health information must be stored in such a way that only those who need to obtain the information will have access to it. The information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Moreover, personal health information must not be accessed even by people within the trustee organization unless it is determined that they need to have that access in order to perform their duties. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information.

Among other things, these safeguards must include procedures to limit access to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more details about security safeguards, see s. 18 of the Act and the Regulations.

Do I have to notify anyone if a privacy breach occurs?

Section 19.0.1 of PHIA provides that a trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Section 8.7 of the Personal Health Information Regulation sets out the list of factors that trustees must consider in determining if a privacy breach could reasonably be expected to create a real risk of significant harm to an individual, including:

  • (a) the sensitivity of the personal health information involved;
  • (b) the probability that the personal health information could be used to cause significant harm to the individual;
  • (c) any other factors that are reasonably relevant in the circumstances.

Where a trustee provides notice of a privacy breach to an individual under section 19.0.1 of PHIA, the trustee must notify the Ombudsman of the privacy breach at the time and in the form and manner that the Ombudsman requires. For more information, please review the Guideline on Privacy Breaches. See s. 19.0.1 of the Act.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman's role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals may complain to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests; or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman may investigate complaints and may also launch an investigation or an audit on the Ombudsman's own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with PHIA. See s. 28, 34(3), 41, 48(2) of PHIA.

In carrying out the duties under PHIA, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises and to obtain the assistance of the police. See s. 28, 29, 30 of PHIA.

The Ombudsman will report investigation results and make recommendations to the trustee.

The Ombudsman has the ability to request a review by the Adjudicator, who may make an Order for the Trustee to comply with, in the event a Trustee does not respond to, or comply with the Ombudsman's recommendations in relation to an investigation of a complaint.

Recommendations made by the Ombudsman as a result of the investigation of a complaint must be made available to the public.

Do I have a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every order or request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of the Ombudsman's duties. See s. 29, 30 and 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, subsection 27.1(1) and section 65 of PHIA provide that employees, officers and agents of a trustee, who believe in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of PHIA, may notify the Ombudsman of the contravention. They may also disclose personal health information to the Ombudsman in providing this notice, but only if the Ombudsman requests this information.

The identity of any person providing such notification will be kept confidential. Any individual providing such notice to the Ombudsman will also have protection from liability for disclosing personal health information requested by the Ombudsman, and amendments to subsection 65(1) provide protections from adverse employment action for, in good faith, giving notification or disclosing personal health information to the Ombudsman under section 27.1. See s.27.1(1) and s.65 of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. If the Trustee does not respond to, or comply with the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee's response indicating they will not comply with the Ombudsman's recommendations, or within 15 days after the deadline to respond to the Ombudsman with regards to compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator's review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator's order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator's orders.

B. PENALTIES

What penalty does the Act provide for its violation?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

The limitation period for commencing prosecutions under PHIA is two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. See s. 63(6) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act;
  • failing to protect personal health information in a secure manner;
  • failing to comply with section 19.0.1 (notification of privacy breach);
  • willfully concealing, altering or falsifying personal health information with the intent to evade an individual's request to examine or copy the information;
  • knowingly helping another person, or counseling another person, to contravene clauses 63(1)(a)-(g). See s. 63 of the Act.

The Personal Health Information Act -
A Brief Summary for Information Managers

INTRODUCTION

As an information manager, you may be affected by The Personal Health Information Act. If you have a service contract with a trustee, then the Act will affect the way you deal with the personal health information maintained by a trustee.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101 or online on the Manitoba Government Laws website. You may also consult the Questions and Answers document which provides more information on the amendments. To assist you, this summary will refer to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

Whom does the Act affect?

PHIA uses the term “trustee” to refer to the persons and organizations who maintain personal health information and who are subject to the requirements in the Act respecting the collection, use, disclosure, retention, security and destruction of personal health information. The Act divides trustees into four categories:

  • health care facilities (such as hospitals, laboratories, psychiatric facilities and medical clinics);
  • some health professionals;
  • health-services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

However, the Act also recognizes the importance of “information managers” in the health care system and imposes obligations on them in their dealings with personal health information. See s. 1(1), 25, 63(2) and (3) of the Act.

What is an “information manager”?

An information manager is a person or body that:

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee. See s. 1(1) of the Act.

What are my obligations as an information manager?

The Personal Health Information Act imposes two types of obligations on information managers:

  1. Restrictions and duties set out in the Act or regulations.
  2. Restrictions and duties contained in agreements with trustees.

What specific restrictions are imposed on information managers by the Act and the regulations?

As an information manager you must abide by two restrictions:

  1. You may take possession of or gain access to the personal health information contained in records only if this is necessary to perform your legitimate functions within the health care system. That is, you can use personal health information only to:
    • process, store or destroy personal health information for a trustee, or
    • provide information management or information technology services to a trustee. See s. 25(2) of the Act.
  2. Further to these limits, you may use personal health information only in circumstances in which the trustee on whose behalf you are acting would be permitted to access the information. In other words, it would be a violation of the Act for you to possess or access personal health information if the trustee who had contracted that service was not permitted to do so. See s. 25(2) of the Act.

You should learn as much as possible about the limitations and duties the Act places on the trustees with which you do business, including reviewing the Act to determine the limitations placed on these trustees.

What duties are imposed by the Act on information managers?

Essentially, the Act imposes only one duty—to comply with the Act and the regulations in ensuring the security of the personal health information in your control.

What are the security safeguards set out in the Act and regulations?

You must create and comply with written security policies. Among other things, these policies must contain:

  • methods to identify individuals (people/employees) who are required to have access to specific personal health information;
  • procedures for preventing unauthorized access to personal health information; and
  • plans for recording security breaches and responding to them.

In addition, each employee and agent of an information manager must sign a pledge of confidentiality before dealing with personal health information.

Specific regulations address physical and environmental security arrangements used by information managers, as well as safeguards for personal health information stored or transferred electronically.

Like trustees, information managers must conduct an annual review of their security arrangements and remedy any deficiencies that are identified.

What obligations are imposed on information managers by contracts with trustees?

By definition, individuals or corporations cannot be information managers unless they provide specific services to a trustee. Trustees may not provide personal health information to an information manager without a written agreement, which must contain provisions that ensure that the personal health information will be adequately protected from unauthorized access, use, disclosure, destruction or alteration. See s. 25(3) of the Act. Information managers who fail to observe such an agreement will violate the Act. See s. 25(4)(b) of the Act.

What penalties does the Act provide for?

The Act permits a judge to impose a fine of up to $50,000 for a violation of the Act. See s. 64(1) of the Act. Moreover, this fine may be imposed for every day that a violation continues. See s. 63(5) of the Act.

The Act applies to all information managers, whether individuals or corporations. However, in addition to allowing the prosecution of a corporation, the Act specifically permits the prosecution and punishment of any director or officer of a corporation who has “authorized, permitted or acquiesced” in an offence. See s. 64(2) of the Act.

CONCLUSION

The obligations and restrictions placed on information managers by the Act are similar, and in many cases, identical to those placed on the trustees for which they provide information services. In order to comply with the Act and avoid significant penalties for non-compliance, you should fully acquaint yourself with how the Act applies to the trustees with which you do business.

The Personal Health Information Act -
A Brief Summary for Public Bodies

INTRODUCTION

If you are an employee or administrator of a public body that maintains personal health information, The Personal Health Information Act (PHIA) affects the way you carry out your duties.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 204-945-3101, or on the Manitoba Government Laws website. You may also consult the Questions and Answers document, which provides more information on the amendments.

To help you, this summary will refer to specific sections in PHIA and The Personal Health Information Amendment Act. It will also refer to specific sections of the companion legislation to PHIA, The Freedom of Information and Protection of Privacy Act (FIPPA), to help you understand the relationship between these Acts. You should note that where personal health information is contained in a clinical record compiled and held in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA. See s. 4(3) of the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

Personal health information includes health information your organization collects about individual clients of programs you administer. It also includes health information about your employees.

What is a “public body”?

Public bodies are defined in the same way in PHIA as in FIPPA. The list of public bodies as defined in these Acts includes:

  • provincial government departments;
  • provincial government agencies (defined as any board, commission, association, agency or similar body whose entire board of management is appointed by statute or the provincial Cabinet or any other organization designated in the regulations);
  • the Executive Council Office;
  • the office of a Minister; and
  • local public bodies.

Local public bodies are defined as:

  • education bodies, including:
    • school divisions or school districts;
    • universities;
    • colleges; and
    • other educational institutions designated in regulations.
  • health care bodies, including:
    • hospitals;
    • regional health authorities;
    • health and social services district boards; and
    • other bodies designated in regulations.
  • local government bodies, including:
    • the City of Winnipeg;
    • all other municipalities;
    • local government districts;
    • local committee and community councils;
    • planning districts; and
    • conservation districts. See PHIA s. 1(1) and FIPPA s. 1.

PHIA uses the term “trustee” to refer to the persons and organizations that are subject to the requirements in the Act respecting the collection, use, disclosure, retention, security and destruction of personal health information. Public bodies are identified in PHIA as “trustees” of personal health information. Other trustees include:

  • health care facilities (such as hospitals, psychiatric facilities and personal care homes);
  • health services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • health professionals in private practice or employed by non-trustees. See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

Who is responsible for making decisions and ensuring that a public body complies with PHIA?

PHIA states that decisions made or opinions formed by public bodies may be made or formed by the “head” as defined in FIPPA, or an appointed delegate. See s. 58 of PHIA and s. 81 of FIPPA.

“Head” is defined in FIPPA as:

  • the Minister of a government department
  • the chief executive officer of an incorporated government agency
  • the Minister responsible for an unincorporated government agency
  • for all other public bodies, the individual or group designated in the regulations. See FIPPA s. 1.

What are the obligations of a public body as a trustee of personal health information?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean under PHIA?

PHIA puts in statutory form the common law right of individuals to gain access to their own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When individuals are requesting access to a record containing their personal health information Part 2 of FIPPA does not apply. They must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Trustees are required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 of the Act, and the regulation.

What are a trustee’s obligations to individuals wishing to examine their own personal health information?

PHIA imposes on trustees an obligation to assist individuals in gaining access to their personal health information. Trustees must respond to access requests “without delay, openly, accurately and completely.”

An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the person accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to any personal health information provided to an individual in response to an access request, including to an inpatient accessing their hospital chart. See s. 6(1), 6(2) and 7(2) of the Act.

When can a trustee inform an individual that a request is considered abandoned?

Under section 10.1, a trustee may require an individual to provide additional information in relation to their request for access to their personal health information, including additional information that is necessary to respond to the request, and/or may provide a fee estimate for providing the information and require the individual to indicate whether they accept the estimate of the amount of the fee that will be charged. The individual has up to 30 days from the day the trustee’s request is given to provide the additional information, accept the estimated fee, or modify their request to reduce the amount of the fee. When such a request is given to an individual under this section, the time within which the trustee is required to respond to the access request is suspended until the individual provides the required information or acceptance. If the additional information or acceptance is not provided by the individual within 30 days, the trustee may determine that the request has been abandoned. See s. 10.1 of the Act.

If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.

When can a trustee inform an individual that a request is being disregarded?

Section 11.1 permits a trustee to disregard a request for access to personal health information if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith. See s.11.1 of the Act.

If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.

Are individuals entitled to examine all their personal health information?

PHIA permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • there is a reasonable expectation that it would result in harm to the individual or someone else;
  • revealing it would disclose confidential information about a third party; or
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to some of an individual’s personal health information, they still have an obligation to allow access to those portions of an individual’s personal health information that are not exempted by PHIA. See s. 11(2) of the Act.

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

  • (a) the trustee, if the trustee is a health professional;
  • (b) a health professional chosen by the trustee. See s. 7.1 of the Act.

Is a trustee required to provide copies of an individual’s personal health information?

Yes. Individuals are entitled to obtain a copy of any personal health information they are entitled to examine, except psychological tests or data. 

If an individual is requesting information related to psychological tests or data, a trustee is not required to provide a copy if the conditions set out in Section 7.1 of PHIA are met. See s.7.1 of the Act.

How much time does a trustee have to respond to a request to examine personal health information?

Trustees must respond to requests for access as promptly as required in the circumstances but no later than

(a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
(b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
(c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA. 

A failure to respond within the required timeframe will be considered a refusal to permit access.
See s. 6(1) of the Act.

Can individuals alter their personal health information without a trustee’s consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether or not a correction is needed. A trustee has 30 days to investigate and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that makes anyone reading the record aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement which must be attached to and form part of the health record for this individual. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement, to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. PHIA identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual;
  • the individual’s proxy appointed in a health care directive;
  • the individual’s committee appointed under The Mental Health Act;
  • an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney; and
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives, see s. 60(1) of the Act.

If the individual is incapacitated and no representative described above is available, the individual’s rights may be exercised by the first adult on the following list who is readily available and willing to act:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • a grandchild;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) and (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the individual is incapacitated and no representative is available, a person authorized as outlined above has a right to access this individual’s personal health information. A request for access to personal health information by anyone else must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

What if an individual requests access to a file that contains both his or her personal health information and other personal information?

It is important to note the difference between personal information and personal health information. “Personal information” means recorded information about an identifiable individual, including the individual’s

  • name;
  • home address, telephone or facsimile number, or e-mail address;
  • age, sex, sexual orientation, marital or family status;
  • ancestry, race, colour, national or ethnic origin;
  • religion or creed, religious beliefs, association or activity;
  • personal health information;
  • blood type, fingerprints or hereditary characteristics;
  • political belief, association or activity;
  • education, employment or occupation, or educational, employment or occupational history;
  • source of income or financial circumstances, activities or history;
  • criminal history, including regulatory offences;
  • personal views or opinions, except if they are about another person;
  • views and opinions expressed about the individual by another person; and
  • identifying number, symbol or other particular assigned to the individual. See s. 1 of FIPPA.

For the definition of personal health information please refer to the “What is personal health information” section of this summary. See also s. 1(1) of the Act.

When a file contains both personal health information and personal information, the individual must request access to:

  • personal health information under PHIA. A request for access under PHIA for personal health information may be verbal or written and must contain enough detail to identify the portion of the record the individual wishes to access. See s. 5(2), (3) of the Act.
  • personal information under FIPPA. A request for access under FIPPA for personal information must be made in writing and must provide enough detail to enable an experienced officer or employee of the public body to identify the record with a reasonable effort. See s. 8 of FIPPA.

II. PROTECTION OF PRIVACY

What are a trustee’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in PHIA, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are a trustee’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How is the purpose for the collection of personal health information determined?

Determining the purpose for collecting personal health information is a critical requirement of PHIA. Not only does PHIA impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine which information can be collected and how it can later be used. The purpose for collecting personal health information will depend on the particular trustee collecting the information as well as the circumstances in which the collection takes place. For example, a university or school board is likely to have a different purpose for collecting personal health information about its students than Manitoba Labour will.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that individuals have a right to make decisions about their own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that PHIA requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the reason personal health information is being collected. See s. 15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does PHIA prohibit the collection of personal health information?

Stressing the need to respect individual privacy, PHIA generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. PHIA prohibits the collection of personal health information for illegal purposes, purposes unrelated to the function or activity of the trustee, and purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must personal health information be collected only from the individual directly?

PHIA requires that, whenever possible, the trustee must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information that the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

PHIA permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when:

  • the individual has authorized it;
  • circumstances do not permit collection of the information from the individual; or
  • the information supplied by the individual is likely to be inaccurate.

For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of PHIA, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to friends and family of the individual or to other individuals.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail, or by revealing the information orally. The terms “use” and “disclosure” have the same meaning under FIPPA.

What obligations are placed on trustees by PHIA when using or disclosing personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected; or
  • the trustee has the informed consent of the individual it is about. See s. 21, 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use the personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent to the extent necessary to provide health care or for specific humanitarian purposes such as:

  • contacting the relative or friend of someone who is ill or injured;
  • informing relatives of someone’s death; and
  • assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

In addition, public bodies and health care facilities may use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care. See s. 21(d) and 22(2)(g) of the Act.

Every such use or disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

For a complete list of permitted uses and disclosures, see s. 21, 22(2), 22(2.1) and 23 of the Act.

May personal health information be disclosed for research purposes?

PHIA does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

A trustee may use or disclose identifiable personal health information for research and planning that relates to the provision of health care, or payment for health care by the trustee or with the informed consent of the individual the information is about. See s. 21, 22 of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), established by Research Manitoba. See s. 8.2 of the Regulation.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

What if another statute of Manitoba prohibits or restricts disclosing the individual’s personal health information?

A trustee must refuse to disclose personal health information if prohibited or restricted by another law of Manitoba. See s. 4(2) of the Act.

Is it permissible to disclose personal health information to information managers?

PHIA defines an information manager as a person or body that:

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee. See s. 1(1) of the Act.

PHIA recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of the information. See s. 25 of the Act.

C. RETENTION, SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

PHIA requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by PHIA. The information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees are required to establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to the information to authorized people and to ensure that the electronic transmission of personal health information is not intercepted. For more about security safeguards, see s. 18 of the Act and the Regulation.

Do trustees have to notify anyone if a privacy breach occurs?

Section 19.0.1 of PHIA provides that a trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Section 8.7 of the Personal Health Information Regulation sets out the list of factors that trustees must consider in determining if a privacy breach could reasonably be expected to create a real risk of significant harm to an individual, including:

(a) the sensitivity of the personal health information involved;
(b) the probability that the personal health information could be used to cause significant harm to the individual;
(c) any other factors that are reasonably relevant in the circumstances.

Where a trustee provides notice of a privacy breach to an individual under section 19.0.1 of PHIA, the trustee must notify the Ombudsman of the privacy breach at the time and in the form and manner that the Ombudsman requires. For more information, please review the Guideline on Privacy Breaches. See s.19.0.1 of the Act.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s.17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing PHIA?

The role of the Ombudsman is the same under both PHIA and FIPPA and can be divided into two broad categories:

  • supervising compliance with the Acts generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Acts. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of PHIA with respect to:

  • access requests, or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on the Ombudsman's own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with PHIA. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out the duties under PHIA, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises and to obtain the assistance of the police. See s. 28, 29, 30 of the Act.

The Ombudsman will report investigation results and make recommendations to the trustee.

The Ombudsman has the ability to request a review by the Adjudicator, who may make an Order for the trustee to comply with, in the event a trustee does not respond to, or comply with, the Ombudsman’s recommendations.

Recommendations made by the Ombudsman must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every order or request legitimately made by the Ombudsman. In addition, anyone who misleads or obstructs the Ombudsman in the performance of his or her duties is guilty of an offence. See s. 29, 30, 63(1) of the Act.

PHIA also protects people who comply with requests from the Ombudsman. For example, an employer may not punish or penalize any employee who has provided information to the Ombudsman in response to the Ombudsman’s request. See s. 65(2) of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible for investigating privacy and access complaints and for reporting the investigation results and any recommendations to the trustee. If the trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made by the Ombudsman to the Adjudicator within 15 days of the trustee’s response indicating it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline for responding to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be completed within 90 days unless extended as provided in the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy, depending upon the matter reviewed. Unless the trustee requests judicial review of the Adjudicator’s order, the trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator’s orders.

B. PENALTIES

What penalty is imposed for a violation of PHIA?

PHIA permits a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

The limitation period for commencing prosecutions under PHIA is two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. See s. 63(6) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of PHIA;
  • failing to protect personal health information in a secure manner;
  • failing to comply with section 19.0.1 (notification of privacy breach);
  • willfully concealing, altering or falsifying personal health information with the intent to evade an individual’s request to examine or copy the information;
  • knowingly helping another person, or counselling another person, to contravene clauses 63(1)(a)-(g). See s. 63 of the Act.

To whom will the penalty apply?

The penalty for a violation of PHIA may be imposed against the trustee itself but it may also be imposed against any director or officer of a trustee who authorized, permitted or acquiesced in the offence. See s. 64(2) of the Act.

Employees may also be personally prosecuted for willfully disclosing personal health information in circumstances where their employer would be prohibited from doing so, or for deliberately erasing or destroying personal health information to prevent an individual from getting access to it. See s. 63(1)(c), 63(2) of the Act.

Legislative Unit
Manitoba Health

300 Carlton Street
Winnipeg MB  R3B 3M9
Phone:  204-788-6612
Fax:  204-945-1020
Email: PHIAinfo@gov.mb.ca