
Manitoba Health

Personal Health Information Act (PHIA)

A Brief Summary for Health Professionals

INTRODUCTION

As a health professional, you are affected by The Personal Health Information Act. Whether you are considered a “trustee” or are employed by a trustee, the Act will affect the way you deal with the personal health information of your patients, clients or residents.

Important changes were made to PHIA through the proclamation of The Personal Health Information Amendment Act. This document provides a brief summary of PHIA, which incorporates the changes to PHIA. It is not comprehensive. For a better understanding you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101.

To help you, this summary will refer to specific sections in PHIA and The Personal Health Information Amendment Act. It will also refer to specific sections of the companion legislation to PHIA, The Freedom of Information and Protection of Privacy Act, to help you understand the relationship between these Acts. You should note that where personal health information is contained in a clinical record compiled and held in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA. See s. 4(3) of PHIA.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

For the most part, the Act focuses on the obligations of trustees in dealing with personal health information. The Act identifies trustees as:

  • some health professionals;
  • health care facilities (such as hospitals, psychiatric facilities and personal care
    homes);
  • health-services agencies (organizations that provide health care under an agreement with
    another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • public bodies (such as provincial government departments and agencies, municipal
    governments, educational institutions and regional health authorities). See s. 1(1) of the
    Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information or to manage or service information systems), as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

As a health professional, how do I know if I am a trustee or not?

Health professionals:

  • are licensed or registered to provide health care under a statute; or
  • belong to a group listed in the regulations. See s. 1(1) of the Act.

Health professionals are trustees if they are:

  • self-employed (that is, in “private practice”) or in a partnership arrangement; or
  • employed by a non-trustee.

Health professionals employed by a trustee (such as a hospital, personal care home or government department) are not considered trustees. However, as employees, these health professionals will also be affected by the Act. For example, it is an offence for an employee willfully to disclose personal health information when his or her employer is prohibited from doing so. See s. 61, 63(2) of the Act.

What are my obligations as a trustee?

A trustee’s obligations fall into two main categories:

  1. A duty to help individuals gain access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security,
    retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of an individual to access his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When an individual is requesting access to a record containing his or her personal health information, Part 2 of FIPPA does not apply. The individual must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Under the changes to PHIA, a trustee is required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my obligations to someone wanting to examine his or her own personal health information?

The Act obliges trustees to help an individual gain access to his or her personal health information.

Trustees must respond to access requests “without delay, openly, accurately and completely.” In fact, upon request, trustees must explain any terms, codes or abbreviations that the individual does not understand. See s. 6(2), 7(2) of the Act.

Is an individual entitled to examine all his or her personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party;
  • there is a reasonable expectation that it would result in harm to the individual or
    someone else; and/or
  • it has been compiled for litigation purposes. For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to some of an individual’s personal health information, they still have an obligation to allow access to the portions of an individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

How much time do I have to respond to a request to examine personal health information?

The Act requires trustees to respond to an access request as promptly as required in the circumstances but no later than

  • 24 hours after receiving a request from an in-patient in a hospital to see information about his or her current care,
  • 72 hours after receiving a request from a person who is not a hospital in-patient for information about his or her current care, and
  • 30 days after receiving the request for any other requests.

A failure to respond within the required timeframe will be considered a refusal to permit access. See s. 6(1) of the Act.

Am I required to provide copies of an individual’s personal health information?

Yes. An individual is entitled to obtain a copy of any personal health information he or she is entitled to examine. See s. 5(1) of the Act.

Can an individual alter his or her personal health information without my consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether or not a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be stroked out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement. This must be attached to and form part of his or her health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All the rights of an individual may be exercised by his or her representative.

The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual;
  • the individual’s proxy appointed in a health care directive;
  • the individual’s committee appointed under The Mental Health Act; and
  • the individual’s parent or guardian if the individual is a child who is too young to
    make his or her own health care decisions.

For a complete list of representatives see s. 60(1).

If a person is incapacitated and no individual described above is available, then the first adult on the following list who is readily available and willing to act may exercise the individual’s rights under PHIA:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) and (3) of PHIA.

No one other than the individual the personal health information is about, that individual’s representative or, if the person is incapacitated and no representative is available, a person authorized as outlined above has a right to access his or her personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be dealt with under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection;
  • use;
  • disclosure;
  • security;
  • retention; and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for collecting personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount
    required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How do I determine the purpose for collecting personal health information?

Determining the purpose for collecting this information is a critical requirement of the Act. Not only does the Act require trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for collecting information will help determine what can be collected and how it can later be used.

The purpose for collecting personal health information will depend on who is collecting it as well as the circumstances in which the collection takes place. For example, a general practitioner physician may have a different purpose for collecting such information than a dentist or a physiotherapist. The purpose of a general practitioner in collecting personal health information may even differ from that of a physician in an emergency room.

Why do I have to notify the individual of the purpose for collecting personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Notifying the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about disclosing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the reason personal health information is being collected. See s. 15(1) of the Act.

Do I always have to notify the individual of the purpose for collecting personal health information?

As a rule, yes. However, when identical or similar information is being collected for the same or similar purpose as a recent collection, the trustee does not need to notify the individual a second time. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for collecting the
    personal health information. See s. 13 of the Act.

Must I collect personal health information only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions
    they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When am I permitted to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, collection is permissible when the individual has authorized it, when circumstances do not permit collection from the person or when the information he/she supplies is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to the individual’s friends and family or to other individuals.

Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, by sending it to them by mail, fax or e-mail, or by revealing the information orally.

What obligations does the Act place on me when I use or disclose personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was
    collected; or
  • the trustee has the informed consent of the individual it is about.

See s. 21 and 22 of the Act.

There are some exceptions to this general rule.

For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent as it is required to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone’s death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

For more exceptions to the general rule, see s. 21, s. 22(2), and s. 23 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with anonymous or statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

It is also possible to obtain information that does identify an individual if he or she was advised at the time the information was collected that it would be used for research purposes, or if the trustee subsequently obtains the individual’s informed consent.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

Personal health information may be used for research if approval is provided by:

  • a health information privacy committee (described in s. 59 of the Act and the
    Regulations), if the trustee is the government or a government agency; or
  • an institutional research review committee, if the trustee is not the government or a
    government agency.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information,
  • provides information management, or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

May I sell my health records when I sell my professional practice?

Yes. The Act permits the sale of personal health information to another trustee as part of the sale of a professional practice or in compliance with The Pharmaceutical Act. However, selling personal health information or disclosing it for gain for any other purpose is strictly prohibited. See s. 27 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must I take with respect to personal health information?

Personal health information must be stored in such a way that only those who need to obtain the information will have access to it. The information should not be disclosed outside the unit unless such a disclosure has been assessed to determine whether it is permitted by the Act.

Moreover, personal health information must not even be used by someone within the trustee “unit” unless the trustee determines that the person needs to have access to it. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more details about security safeguards, see s. 18 of the Act and the Regulations.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals may complain to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests; or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman may investigate complaints and may also launch an investigation or an audit on his or her own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with PHIA. See s. 28, 34(3), 41, 48(2) of PHIA.

In carrying out his or her duties under PHIA, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises and to obtain the assistance of the police. See s. 28, 29, 30 of PHIA.

The Ombudsman will report investigation results and make recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations, the Ombudsman has the ability to request a review by the Adjudicator, who may make an Order for the Trustee to comply with.

Recommendations made by the Ombudsman must be made available to the public.

Do I have a responsibility to assist the Ombudsman in carrying out his or her duties?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every order or request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of his or her duties. See s. 29, 30 and 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, an employer may not punish or penalize an employee who has provided information to the Ombudsman in response to the Ombudsman’s request. See s. 65(2) of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible for investigating privacy and access complaints and for reporting the investigation results and any recommendations to the Trustee. Under the changes to PHIA, if the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that the Trustee will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline to respond to the Ombudsman with regard to compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be completed within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9

B. PENALTIES

What penalty does the Act provide for its violation?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual
    from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of
    the Act; and
  • failing to protect personal health information in a secure manner. See s. 63 of the Act.

For more information, please contact:

Legislative Unit
Manitoba Health
300 Carlton Street
Winnipeg MB  R3B 3M9
Phone:  (204) 788-6612
Fax:  (204) 945-1020