Information for Trustees

The Personal Health Information Act (PHIA) came into force on December 11, 1997 and governs the collection, use, disclosure, retention, disposal and destruction of personal health information. The act recognizes both the right of individuals to protect their personal health information and the need of health information trustees to collect, use and disclose personal health information to provide, support and manage health care.

The following pages provide a Brief Summary of PHIA and the obligations the act places on the different types of health information trustees in Manitoba.


The Personal Health Information Act - A Brief Summary for Health Care Facilities

INTRODUCTION

The Personal Health Information Act affects nearly every person or organization that collects or maintains health information in Manitoba, including all health information networks.

Important changes were made to PHIA through the proclamation of The Personal Health Information Amendment Act. This document provides a brief summary of PHIA, which incorporates these changes to PHIA. It is not comprehensive. For a better understanding you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101.

To help you, this summary will refer to specific sections in PHIA and The Personal Health Information Amendment Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

For the most part, the Act focuses on the obligations of trustees in dealing with personal health information. The Act divides trustees into four categories:

  • health care facilities
  • some health professionals
  • health services agencies (organizations which provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples)
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

How do I know if my facility is defined as a health care facility under the Act?

The Act defines “health care facility” as:

  • a hospital
  • a personal care home
  • a psychiatric facility
  • a medical clinic
  • a laboratory
  • The Manitoba Cancer Treatment and Research Foundation
  • a community health centre or other facility that provides health care and which is listed in the regulations. See s. 1(1) of the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of an individual to access his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

What are my facility’s obligations to advise individuals about their right to access their own personal health information?

Under the changes to PHIA, a trustee is required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my facility’s obligations to someone wanting to examine his or her own personal health information?

The Act imposes on trustees an obligation to assist an individual in gaining access to his or her personal health information. Trustees are to respond to access requests “without delay, openly, accurately and completely.” Upon request, trustees must provide an explanation of any terms, codes or abbreviations that the individual does not understand. See s. 6(2), 7(2) of the Act.

Is an individual entitled to examine all his or her personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party
  • there is a reasonable expectation that it would result in harm to the individual or someone else
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to portions of an individual’s personal health information, they still have an obligation to allow access to those portions of the individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

How much time does my facility have to respond to a request to examine personal health information?

Trustees must respond to requests for access as promptly as required in the circumstances but no later than

  • 24 hours after receiving a request from an in-patient in a hospital to see information about his or her current care,
  • 72 hours after receiving a request from a person who is not a hospital in-patient for information about his or her current care, and
  • 30 days after receiving the request for any other requests.

A failure to respond within the required time frame will be considered a refusal to permit access. See s. 6(1) of the Act.

Is an individual entitled to copies of his or her personal health information?

Yes. The Act gives an individual the right to obtain a copy of any personal health information he or she is entitled to examine. See s. 5(1) of the Act.

Can an individual alter his or her personal health information without my facility’s consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be stroked out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement, which must be attached to and form part of his or her health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual’s proxy appointed in a health care directive
  • the individual’s committee appointed under The Mental Health Act
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions. For a complete list of representatives, see s. 60(1) of the Act.

If a person is incapacitated and no individual described above is available, the person’s rights under PHIA may be exercised by the first adult listed below who is readily available and willing to exercise them:

  • The individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) & (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the person is incapacitated and no representative is available, a person authorized as outlined above has a right to access that individual’s personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my facility’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my facility’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How is the purpose for the collection of personal health information determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. The Act requires trustees to notify the individual of this purpose at the time the information is collected. Besides meeting this statutory obligation, identifying the purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of the particular facility as well as the circumstances in which the collection takes place. For example, a psychiatric facility is likely to collect personal health information for a different purpose than the emergency ward of a hospital. The personal health information needed when an individual comes to a clinic for an inoculation will likely be different from what is needed when someone enters a personal care home.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information. This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s.15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must personal health information be collected only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when the individual has authorized it, when circumstances do not permit collection of the information from the person, or when the information supplied by the individual is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to the individual’s friends and family or to other individuals.

Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, or e-mail, or by revealing the information orally.

What obligations does the Act place on my facility when using or disclosing personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected; or
  • the trustee has the informed consent of the individual it is about. See s. 21 and 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent as it is required to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone’s death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

Trustees may disclose to a person’s immediate family or a close personal friend information about the care that the person is currently receiving as a patient or resident in a health care facility if the disclosure is made in accordance with good medical and other professional practice and the trustee reasonably believes the disclosure to be acceptable to the person.

In addition, trustees may disclose information where such disclosure is authorized or required by an enactment of Manitoba or Canada. For example, The Gunshot and Stabwounds Mandatory Reporting Act, which came into force on December 1, 2008, requires a health care facility to report to police gunshot and stab wounds treated by the facility.

See s. 22(2) and The Gunshot and Stabwounds Mandatory Reporting Act for more information on the reporting requirements under that Act.

Health care facilities may use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care. See s. 21(d) and 22(2)(g) of the Act.

Health Care Facilities may also disclose information to:

  • A religious organization, unless asked by the individual NOT to share this information. The only information that can be shared would be the individual’s name, general health status and location in the facility.
  • A charitable fundraising foundation associated with the facility, unless the patient tells the facility not to. The only information that can be shared would be the name and mailing address of any patients or residents or former patients or residents.

For more information on the requirements for disclosure of information to a religious organization or charitable fundraising foundation, see s. 23.1 and 23.2 of the Act and the regulation under the Act.

For more exceptions to the general rule respecting use and disclosure of information, see s. 21, 22(2), 22(2.1) and 23 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

It is also possible to access information that does identify an individual if the individual has been advised at the time the information was collected that it would be used for research purposes, or if the trustee obtains the individual’s informed consent.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • a health information privacy committee (described in s. 59 of the Act and the Regulations), if the trustee is the government or a government agency; or
  • an institutional research review committee, if the trustee is not the government or a government agency.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information,
  • provides information management, or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

The Act requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not be accessed even by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information.

Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and the Regulations.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.
          
III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on his or her own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with the Act and must file an annual report with the Manitoba Legislature. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out his or her duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, and 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations, the Ombudsman may request a review by the Adjudicator, who may make an Order that the Trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying his or her duties?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of his or her duties. See s. 29, 30, 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, an employer may not punish or penalize any employee who has provided information to the Ombudsman in response to the Ombudsman’s request. See s. 65(2) of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. Under the changes to PHIA, if the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline for the Trustee to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9

B. PENALTIES

What penalty is imposed for a violation of the Act?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act; and
  • failing to protect personal health information in a secure manner. See s. 63 of the Act.

To whom will the penalty apply?

The penalty for a violation of the Act may be imposed against the health care facility itself but it may also be imposed against any director or officer of the health care facility that authorized, permitted or acquiesced in the offence. See s. 64(2) of the Act.

Employees of a health care facility may be prosecuted for deliberately erasing or destroying personal health information to prevent an individual from getting access to it, or for willfully disclosing personal health information when his or her employer would not be permitted to disclose it. See s. 63(1)(c), 63(2) of the Act.

IV. MISCELLANEOUS

Who is responsible for ensuring that a health care facility complies with the Act?

The Act requires a health care facility to appoint at least one of its employees to be a “privacy officer.” The role of a privacy officer is to:

  • facilitate access by individuals to their personal health information, and
  • facilitate the health care facility’s compliance with the Act. See s. 57 of the Act.

The ultimate responsibility for a health care facility’s compliance with the Act rests with its board of directors and officers. As noted earlier, directors and officers may be personally prosecuted for authorizing, permitting or acquiescing in a violation of the Act by a health care facility. See s. 64(2) of the Act.

The Personal Health Information Act - A Brief Summary for Health Researchers

INTRODUCTION

The Personal Health Information Act (PHIA) regulates the collection, use, disclosure, security and destruction of “personal health information” by “trustees.” It has important implications for health researchers.

This document provides a brief summary of The Personal Health Information Act (PHIA).

For a better understanding, you should review the actual legislation and its regulations. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101.

To help you, this summary refers to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

It is important for researchers to note that PHIA only applies to health information that can be connected to a particular individual either on its own or when combined with other available information. The Act does not apply to health information that is about anonymous individuals who cannot be identified.

What is a “trustee”?

The Act identifies four categories of trustees:

  • health care facilities
  • some health professionals
  • health services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples)
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

Some of these categories are defined more fully in the regulations.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

ACCESS

What does “access” mean?

The Act puts in statutory form the common law right of an individual to access his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

PROTECTION OF PRIVACY

What are a trustee’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

The obligations of a trustee as set out in the Act affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

What are a trustee’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information.

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information.
  3. To collect personal health information from the individual whenever possible.

How is the purpose for the collection of personal health information determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. Not only does the Act impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of the particular trustee as well as the circumstances in which the collection takes place. For example, a psychiatric facility is likely to collect personal health information for a different purpose than the emergency ward of a hospital. The personal health information needed when an individual comes to a clinic for an inoculation will likely be different from what is needed when someone enters a personal care home. If the trustee is a teaching hospital, one of the stated purposes of collection of personal health information may be research by staff within the facility.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s. 15(1) of the Act.

In what situations does PHIA prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. The Act prohibits the collection of personal health information for illegal purposes, purposes unrelated to the function or activity of the trustee, and purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

What is the difference between use and disclosure?

For the purposes of PHIA, “use” refers to what is done with the personal health information within the trustee organization. If research is being done within the trustee organization by its staff, it is a “use.”

For example, PHIA says a public body or a health care facility can use personal health information for research and planning that relates to the provision of health care or payment for health care by those trustees. See s. 21(d)(ii) of the Act.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, the individual’s friends and family, or to other individuals. For example, if a trustee is requested to reveal personal health information to a university student for his or her thesis, it would be a disclosure.

A trustee is permitted to disclose personal health information without the consent of the individual it is about for the purpose of research related to the provision of health care or payment for health care where the researcher is performing the research for the trustee on a contract basis. See s. 22(2)(g)(ii) of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed to a health research organization for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail, or by revealing the information orally.

What obligations are placed on a trustee by the Act when using or disclosing personal health information?

The general rule concerning use and disclosure of personal health information is that no use or disclosure of the information may be made except:

  • to the extent that it is necessary to accomplish the purpose for which the personal health information was collected, or
  • with the informed consent of the individual it is about. See s. 21, 22 of the Act.

Therefore, if the individual was informed that one of the purposes of the collection of the information was for internal research, then the trustee is permitted to use it for such research. Otherwise, the trustee must get the individual’s consent for use of the information for research.

The specific rules governing disclosure for research purposes are addressed in s. 24 of the Act.

What are the Act’s goals with regard to health research?

While PHIA is designed to protect and safeguard personal health information, it recognizes that such information may sometimes be needed by health researchers. So researchers may be given access to personal health information as long as they follow rules required for approval of their research projects and safeguard its confidentiality.

As a researcher, how do I get the personal health information I need for my project?

If the information is held by government, you apply to the health information privacy committee established under the regulations.

If the information is held by a trustee other than government, you apply to the organization’s own research review committee (defined in s. 1(1) of the Act), such as the ethics committee of a hospital or university. See s. 24(2) of the Act.

What are the minimum requirements for approval of any research project that uses personal health information?

  • the research has to be important enough to outweigh any invasion of privacy involved
  • the research cannot be done without using identifiable personal health care information
  • it is impossible or impractical to get consent from the people the personal health information is about
  • the project ensures the security of the personal health information and its destruction when finished. See s. 24(3) of the Act.

What do I have to do to get personal health information from a trustee?

If your research project is approved by one of the committees referred to above, you have to sign an agreement with the trustee:

  • not to publish identifiable personal health information
  • to use personal health information only for the approved project
  • to protect adequately the confidentiality of the personal health information during the project. See s. 24(4) of the Act.

What if I need to contact the individuals the personal health information is about?

If your project will require direct contact with individuals, the trustee your agreement is with must get the individuals’ consent before disclosing the personal health information to you.

There is one exception to this rule. The trustee doesn’t need the individuals’ consent if you just need a random sample of Manitobans and only need the individuals’ names and addresses. See s. 24(5) of the Act.

What security precautions must be taken with respect to personal health information?

The Act requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and regulation 245/97.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

OTHER GENERAL PROVISIONS

Is it permissible to disclose personal health information to information managers?

The Act defines an information manager as a person or body that:

  • processes, stores or destroys personal health information;
  • provides information management; or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers require access to personal health information. If you are a trustee, you may disclose personal health information to an information manager only after the information manager has a written agreement with you that ensures the personal health information is adequately protected. And, as the trustee, you remain responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

In carrying out his or her duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, and 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations, the Ombudsman may request a review by the Adjudicator, who may make an Order that the Trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible for investigating privacy and access complaints and for reporting the investigation results and any recommendations to the Trustee. Under the changes to PHIA, if the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline for responding to the Ombudsman about compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9

The Personal Health Information Act - A Brief Summary for Health Services Agencies

INTRODUCTION

The Personal Health Information Act affects nearly every person or organization that collects or maintains personal health information in Manitoba, including all health information networks.

Important changes were made to PHIA through the proclamation of The Personal Health Information Amendment Act. This document provides a brief summary of PHIA and its changes. It is not comprehensive.

For further detail, please review the legislation itself, including the regulations. Copies of the Act and regulations are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB, R3C 1T5, Phone 945-3101.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

For the most part, the Act focuses on the obligations of trustees in dealing with personal health information. The Act divides trustees into four categories:

  • health care facilities
  • some health professionals
  • health services agencies
  • public bodies. See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

How do I know if my health services agency is defined as a trustee under the Act?

A “health services agency” is defined under the Act as an organization that provides community or home based health care under an agreement with another trustee. See s. 1(1) of the Act.

The other three categories of trustees comprise large numbers of institutions and professionals. Specifically:

  • health care facilities include hospitals, personal care homes, psychiatric facilities, medical clinics, laboratories and X-ray clinics, the Manitoba Cancer Treatment and Research Foundation, community health centers and other facilities designated in the regulations.
  • health professionals include people licensed to practice under an Act (doctors, nurses, chiropractors, midwives and others) and other professionals designated in the regulations.
  • public bodies include provincial government departments or agencies, city and municipal governments, educational institutions and regional health authorities.

Therefore, if you are providing health care under an agreement with any of the above trustees and collect or maintain personal health information, then you are also a trustee under the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean under PHIA?

The Act puts in statutory form the common law right of an individual to access his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When an individual is requesting access to a record containing his or her personal health information, Part 2 of FIPPA does not apply. The individual must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Under the changes to PHIA, a trustee is required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my agency’s obligations to someone wanting to examine his or her own personal health information?

The Act imposes on trustees an obligation to assist an individual in gaining access to his or her personal health information. Trustees must respond to access requests “without delay, openly, accurately and completely.” Upon request, trustees must provide an explanation of any terms, codes or abbreviations that the individual does not understand. See s. 6(2) and 7(2) of the Act.

Is an individual entitled to examine all of his or her personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • there is a reasonable expectation that it would result in harm to the individual or someone else
  • revealing it would disclose confidential information about a third party
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, See s. 11(1) of the Act.

Even when trustees are permitted to refuse access to portions of an individual’s personal health information, they still have an obligation to allow access to those portions not exempted by the Act. See s. 11(2) of the Act.

How much time does my agency have to respond to a request to examine personal health information?

The Act requires trustees to respond to an access request as promptly as required in the circumstances, but no later than the specified time limits. If an in-patient in a hospital requests information about his or her current care, the trustee must respond within 24 hours. If a person is not an in-patient and requests information about his or her current care, the trustee must respond within 72 hours. For any other requests the trustee must respond within 30 days. A failure to respond within the required time frame will be considered a refusal to permit access. See s. 6(1) of the Act.

Is an individual entitled to copies of his or her personal health information?

Yes. The Act gives an individual the right to obtain a copy of any personal health information he or she is entitled to examine. See s. 5(1) of the Act.

Can an individual alter his or her personal health information without my agency’s consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement, which must be attached to and form part of his or her health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual’s proxy appointed in a health care directive
  • the individual’s committee appointed under The Mental Health Act
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives, see s. 60(1) of the Act.

If a person is incapacitated and no representative described above is available, the changes to the Act authorize the first adult in the following list who is readily available and willing to do so to exercise the person’s rights under PHIA:

  • The individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • an aunt or uncle;
  • a nephew or niece.

See s. 60(2) & (3) of the Act.

Only the individual the personal health information is about, that individual’s representative, or, if the individual is incapacitated and no representative is available, a person authorized as outlined above, has a right of access to that personal health information. A request for access to personal health information by anyone else must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my agency’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my agency’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How is the purpose for the collection of personal health information determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. Not only does the Act impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of your particular agency as well as the circumstances in which the collection takes place.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s. 15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. The Act prohibits the collection of personal health information for illegal purposes, purposes unrelated to the function or activity of the trustee, and purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must my agency collect personal health information only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes.

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when the individual has authorized it, when circumstances do not permit collection of the information from the person, or when the information supplied by the individual is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization, that is, within your own agency. “Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to friends and family of the individual or to other individuals.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail or by revealing the information verbally.

What obligations are placed on my agency by PHIA when using or disclosing personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected, or
  • the trustee has the informed consent of the individual it is about. See s. 21 and 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent to the extent that it is necessary to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone’s death and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public. For more exceptions to the general rule, see s. 21, 22(2) and 23 of the Act.

Health care facilities can also use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care.

May personal health information be disclosed for research purposes?

The Act does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes. It is also possible to access information that does identify an individual if the individual has been advised at the time the information was collected that it would be used for research purposes, or if the trustee obtains the individual’s informed consent.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • a health information privacy committee (described in s. 24(2)(a), 59 of PHIA and the Regulations), if the trustee is the government or a government agency; or
  • an institutional research review committee, if the trustee is other than the government or a government agency.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of PHIA.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that

  • processes, stores or destroys personal health information,
  • provides information management, or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

PHIA requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and Regulation 245/97.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

What is the role of the Ombudsman in enforcing PHIA?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of PHIA with respect to:

  • access requests or
  • protection of privacy. See Part 5 of PHIA.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on his or her own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with the Act and must file an annual report with the Manitoba Legislature. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out his or her duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations, the Ombudsman may request a review by the Adjudicator, who may make an Order that the Trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. Under the changes to PHIA, if the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9

What penalty is imposed for a violation of the Act?

The Act permits a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act; and
  • failing to protect personal health information in a secure manner. See s. 63 of the Act.

To whom will the penalty apply?

If the agency is a corporation, directors or officers who authorize, permit or acquiesce in an offence can also be guilty. See s. 64(2) of the Act.

Employees of a health services agency may be prosecuted for deliberately erasing or destroying personal health information to prevent an individual from getting access to it or for willfully disclosing personal health information when his or her employer would not be permitted to disclose it. See s. 63(1)(c), 63(2) of the Act.

IV. MISCELLANEOUS

Who is responsible for ensuring that a health services agency complies with the Act?

The Act requires a health services agency to appoint at least one of its employees to be a “privacy officer.” The role of a privacy officer is to:

  • facilitate access by individuals to their personal health information, and
  • facilitate the health care agency’s compliance with the Act. See s. 57 of the Act.

Ultimate responsibility for a health services agency’s compliance with the Act rests with its board of directors and officers, if it is a corporation. As noted earlier, directors and officers may be personally prosecuted for authorizing, permitting or acquiescing in a violation of the Act by a health services agency. See s. 64(2) of the Act.

The Personal Health Information Act - A Brief Summary for Health Professionals

INTRODUCTION

As a health professional, you are affected by The Personal Health Information Act. Whether you are considered a “trustee” or are employed by a trustee, the Act will affect the way you deal with the personal health information of your patients, clients or residents.

Important changes were made to PHIA through the proclamation of The Personal Health Information Amendment Act. This document provides a brief summary of PHIA, which incorporates the changes to PHIA. It is not comprehensive. For a better understanding you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101.

To help you, this summary will refer to specific sections in PHIA and The Personal Health Information Amendment Act. It will also refer to specific sections of the companion legislation to PHIA, The Freedom of Information and Protection of Privacy Act, to help you understand the relationship between these Acts. You should note that where personal health information is contained in a clinical record compiled and held in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA. See s. 4(3) of PHIA.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

For the most part, the Act focuses on the obligations of trustees in dealing with personal health information. The Act identifies trustees as:

  • some health professionals;
  • health care facilities (such as hospitals, psychiatric facilities and personal care homes);
  • health-services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information or to manage or service information systems), as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

As a health professional, how do I know if I am a trustee or not?

Health professionals:

  • are licensed or registered to provide health care under a statute; or
  • belong to a group listed in the regulations. See s. 1(1) of the Act.

Health professionals are trustees if they are:

  • self-employed (that is, in “private practice”) or in a partnership arrangement; or
  • employed by a non-trustee.

Health professionals employed by a trustee (such as a hospital, personal care home or government department) are not considered trustees. However, as employees, these health professionals will also be affected by the Act. For example, it is an offence for an employee willfully to disclose personal health information when his or her employer is prohibited from doing so. See s. 61, 63(2) of the Act.

What are my obligations as a trustee?

A trustee’s obligations fall into two main categories:

  1. A duty to help individuals gain access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of an individual to access his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When an individual is requesting access to a record containing his or her personal health information, Part 2 of FIPPA does not apply. The individual must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Under the changes to PHIA, a trustee is required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my obligations to someone wanting to examine his or her own personal health information?

The Act obliges trustees to help an individual gain access to his or her personal health information.

Trustees must respond to access requests “without delay, openly, accurately and completely.” In fact, upon request, trustees must explain any terms, codes or abbreviations that the individual does not understand. See s. 6(2), 7(2) of the Act.

Is an individual entitled to examine all his or her personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party;
  • there is a reasonable expectation that it would result in harm to the individual or someone else; and/or
  • it has been compiled for litigation purposes. For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to some of an individual’s personal health information, they still have an obligation to allow access to the portions of an individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

How much time do I have to respond to a request to examine personal health information?

The Act requires trustees to respond to an access request as promptly as required in the circumstances but no later than

  • 24 hours after receiving a request from an in-patient in a hospital to see information about his or her current care,
  • 72 hours after receiving a request from a person who is not a hospital in-patient for information about his or her current care, and
  • 30 days after receiving the request for any other requests.

A failure to respond within the required timeframe will be considered a refusal to permit access. See s. 6(1) of the Act.

Am I required to provide copies of an individual’s personal health information?

Yes. An individual is entitled to obtain a copy of any personal health information he or she is entitled to examine. See s. 5(1) of the Act.

Can an individual alter his or her personal health information without my consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether or not a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement. This must be attached to and form part of his or her health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All the rights of an individual may be exercised by his or her representative.

The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual;
  • the individual’s proxy appointed in a health care directive;
  • the individual’s committee appointed under The Mental Health Act; and
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives see s. 60(1).

If a person is incapacitated and no individual described above is available, then the first adult on the following list who is readily available and willing to act may exercise the individual’s rights under PHIA:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) and (3) of PHIA.

No one other than the individual the personal health information is about, that individual’s representative or, if the person is incapacitated and no representative is available, a person authorized as outlined above has a right to access his or her personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

II. PROTECTION OF PRIVACY

What are my obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection;
  • use;
  • disclosure;
  • security;
  • retention; and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for collecting personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How do I determine the purpose for collecting personal health information?

Determining the purpose for collecting this information is a critical requirement of the Act. Not only does the Act require trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for collecting information will help determine what can be collected and how it can later be used.

The purpose for collecting personal health information will depend on who is collecting it as well as the circumstances in which the collection takes place. For example, a general practitioner physician may have a different purpose for collecting such information than a dentist or a physiotherapist. The purpose of a general practitioner in collecting personal health information may even differ from that of a physician in an emergency room.

Why do I have to notify the individual of the purpose for collecting personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Notifying the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about disclosing personal health information.

This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the reason personal health information is being collected. See s. 15(1) of the Act.

Do I always have to notify the individual of the purpose for collecting personal health information?

As a rule, yes. However, when identical or similar information is being collected for the same or similar purpose as a recent collection, the trustee does not need to notify the individual a second time. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for collecting the personal health information. See s. 13 of the Act.

Must I collect personal health information only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When am I permitted to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, collection is permissible when the individual has authorized it, when circumstances do not permit collection from the person or when the information he/she supplies is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to the individual’s friends and family or to other individuals.

Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail or by revealing the information orally.

What obligations does the Act place on me when I use or disclose personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected; or
  • the trustee has the informed consent of the individual it is about.

See s. 21 and 22 of the Act.

There are some exceptions to this general rule.

For example, trustees may use personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent as it is required to provide health care or for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone’s death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

For more exceptions to the general rule, see s. 21, s. 22(2), and s. 23 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with anonymous or statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

It is also possible to obtain information that does identify an individual if he or she was advised at the time the information was collected that it would be used for research purposes, or if the trustee subsequently obtains the individual’s informed consent.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

Personal health information may also be used for research if approval is provided by:

  • a health information privacy committee (described in s. 59 of the Act and the Regulations), if the trustee is the government or a government agency; or
  • an institutional research review committee, if the trustee is not the government or a government agency.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information,
  • provides information management, or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

May I sell my health records when I sell my professional practice?

Yes. The Act permits the sale of personal health information to another trustee as part of the sale of a professional practice or in compliance with The Pharmaceutical Act. However, selling personal health information or disclosing it for gain for any other purpose is strictly prohibited. See s. 27 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must I take with respect to personal health information?

Personal health information must be stored in such a way that only those who need to obtain the information will have access to it. The information should not be disclosed outside the unit unless such a disclosure has been assessed to determine whether it is permitted by the Act.

Moreover, personal health information must not even be used by someone within the trustee “unit” unless the trustee determines that the person needs to have access to it. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more details about security safeguards, see s. 18 of the Act and the Regulations.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals may complain to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests; or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman may investigate complaints and may also launch an investigation or an audit on his or her own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with PHIA. See s. 28, 34(3), 41, 48(2) of PHIA.

In carrying out his or her duties under PHIA, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises and to obtain the assistance of the police. See s. 28, 29, 30 of PHIA.

The Ombudsman will report investigation results and make recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations, the Ombudsman may request a review by the Adjudicator, who may make an Order that the Trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

Do I have a responsibility to assist the Ombudsman in carrying out his or her duties?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every order or request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of his or her duties. See s. 29, 30 and 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, an employer may not punish or penalize an employee who has provided information to the Ombudsman in response to the Ombudsman’s request. See s. 65(2) of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. Under the changes to PHIA, if the Trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The referral must be made from the Ombudsman to the Adjudicator within 15 days of the Trustee’s response indicating that it will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy, depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See also ss. 48.8 and 48.9 of the Act.

B. PENALTIES

What penalty does the Act provide for its violation?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act; and
  • failing to protect personal health information in a secure manner. See s. 63 of the Act.

The Personal Health Information Act - A Brief Summary for Information Managers

INTRODUCTION

As an information manager, you may be affected by The Personal Health Information Act. If you have a service contract with a trustee, then the Act will affect the way you deal with the personal health information maintained by a trustee.

This brief summary is intended to give you some idea of your responsibilities under the Act. It is not comprehensive. For a better understanding, you should review the actual legislation and its regulations. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101. To assist you, this summary will refer to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

Whom does the Act affect?

For the most part, the Act focuses on the obligations of “trustees” of personal health information. The Act divides trustees into four categories:

  • health care facilities (such as hospitals, laboratories, psychiatric facilities and medical clinics);
  • some health professionals;
  • health-services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

However, the Act also recognizes the importance of “information managers” in the health care system and imposes obligations on them in their dealings with personal health information. See s. 1(1), 25, 63(2) and (3) of the Act.

What is an “information manager”?

An information manager is a person or body that:

  • processes, stores or destroys personal health information;
  • provides information management; or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

What are my obligations as an information manager?

The Personal Health Information Act imposes two types of obligations on information managers:

  1. Restrictions and duties set out in the Act or regulations.
  2. Restrictions and duties contained in agreements with trustees.

What specific restrictions are imposed on information managers by the Act and the regulations?

As an information manager you must abide by two restrictions:

  1. You may take possession of or gain access to the personal health information contained in records only if this is necessary to perform your legitimate functions within the health care system. That is, you can use personal health information only to:
    • process, store or destroy personal health information;
    • provide information management; or
    • provide information technology services for or to a trustee. See s. 25(2) of the Act.
  2. Further to these limits, you may use personal health information only in circumstances in which the trustee on whose behalf you are acting would be permitted to access the information. In other words, it would be a violation of the Act for you to possess or access personal health information if the trustee who had contracted that service was not permitted to do so. See s. 25(2) of the Act.

Clearly, you should learn as much as possible about the limitations and duties the Act places on the trustees with which you do business. You would be well advised to examine the Act to determine the limitations placed on these trustees.

What duties are imposed by the Act on information managers?

Essentially, the Act imposes only one duty—to comply with the Act and the regulations in ensuring the security of the personal health information in your control.

What are the security safeguards set out in the Act and regulations?

You must create and comply with written security policies. Among other things, these policies must contain:

  • methods to identify individuals (people/employees) who are required to have access to specific personal health information;
  • procedures for preventing unauthorized access to personal health information; and
  • plans for recording security breaches and responding to them.

In addition, each employee and agent of an information manager must sign a pledge of confidentiality before dealing with personal health information.

Specific regulations address physical and environmental security arrangements used by information managers, as well as safeguards for personal health information stored or transferred electronically.

Like trustees, information managers must conduct an annual review of their security arrangements and remedy any deficiencies that are identified.

What obligations are imposed on information managers by contracts with trustees?

By definition, individuals or corporations cannot be information managers unless they provide specific services to a trustee. Trustees may not provide personal health information without a written agreement, which must contain provisions that ensure that the personal health information will be adequately protected from unauthorized access, use, disclosure, destruction or alteration. See s. 25(3) of the Act. Information managers who fail to observe such an agreement will violate the Act. See s. 25(4)(b) of the Act.

What penalties does the Act provide for?

The Act permits a judge to impose a fine of up to $50,000 for a violation of the Act. See s. 64(1) of the Act. Moreover, this fine may be imposed for every day that a violation continues. See s. 63(5) of the Act.

The Act applies to all information managers, whether individuals or corporations. However, in addition to allowing the prosecution of a corporation, the Act specifically permits the prosecution and punishment of any director or officer of a corporation who has “authorized, permitted or acquiesced” in an offence. See s. 64(2) of the Act.

CONCLUSION

The obligations and restrictions placed on information managers by the Act are similar, and in many cases identical, to those placed on the trustees for which they provide information services. In order to comply with the Act and avoid significant penalties for non-compliance, you should fully acquaint yourself with how the Act applies to the trustees with which you do business.

The Personal Health Information Act - A Brief Summary for Public Bodies

INTRODUCTION

If you are an employee or administrator of a public body, The Personal Health Information Act (PHIA) affects the way you carry out your duties if you maintain personal health information.

Important changes were made to PHIA through the proclamation of The Personal Health Information Amendment Act. This document provides a brief summary of PHIA, which incorporates the changes to PHIA. It is not comprehensive. For a better understanding you should review the legislation (both PHIA and The Personal Health Information Amendment Act) and the regulation under PHIA. Copies are available from Statutory Publications, 200 Vaughan St., Winnipeg, MB R3C 1T5, phone 945-3101.

To help you, this summary will refer to specific sections in PHIA and The Personal Health Information Amendment Act. It will also refer to specific sections of the companion legislation to PHIA, The Freedom of Information and Protection of Privacy Act (FIPPA), to help you understand the relationship between these Acts. You should note that where personal health information is contained in a clinical record compiled and held in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA. See s. 4(3) of the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

Personal health information includes health information your organization collects about individual clients of programs you administer. It also includes health information about your employees.

What is a “public body”?

“Public bodies” are defined in the same way in PHIA as in FIPPA. The list of public bodies as defined in these Acts includes:

  • provincial government departments;
  • provincial government agencies (defined as any board, commission, association, agency or similar body whose entire board of management is appointed by statute or the provincial Cabinet or any other organization designated in the regulations);
  • the Executive Council Office;
  • the office of a Minister; and
  • local public bodies.

“Local public bodies” are:

  • education bodies, including:
    • school divisions or school districts;
    • universities;
    • colleges; and
    • other educational institutions designated in regulations.
  • health care bodies, including:
    • hospitals;
    • regional health authorities;
    • hospital district boards;
    • health and social services district boards; and other bodies designated in regulations.
  • local government bodies, including:
    • the City of Winnipeg;
    • all other municipalities;
    • local government districts;
    • local committee and community councils;
    • planning districts; and conservation districts. See PHIA s. 1(1) and FIPPA s. 1.

Public bodies are identified in PHIA as “trustees” of personal health information. Other trustees include:

  • health care facilities (such as hospitals, psychiatric facilities and personal care homes);
  • health services agencies (organizations that provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples); and
  • health professionals in private practice or employed by non-trustees. See s. 1(1) of the Act.

Who is responsible for making decisions and ensuring that a public body complies with PHIA?

PHIA states that decisions made or opinions formed by public bodies may be made or formed by the “head” as defined in FIPPA, or an appointed delegate. See s. 58 of PHIA and s. 81 of FIPPA.

“Head” is defined in FIPPA as:

  • the Minister of a government department;
  • the chief executive officer of an incorporated government agency;
  • the Minister responsible for an unincorporated government agency; and
  • for all other public bodies, the individual or group designated in the regulations. See FIPPA s. 1.

What are the obligations of a public body as a trustee of personal health information?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean under PHIA?

PHIA puts in statutory form the common law right of an individual to gain access to his or her own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

When an individual is requesting access to a record containing his or her personal health information, Part 2 of FIPPA does not apply. The individual must request access under PHIA. See s. 6 of FIPPA.

What are a trustee’s obligations to advise individuals about their right to access their own personal health information?

Under the changes to PHIA, a trustee is required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information.

A trustee must use a sign, poster, brochure or other similar means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 of the Act, and the regulation.

What are a trustee’s obligations to someone wishing to examine his or her own personal health information?

PHIA imposes on trustees an obligation to assist an individual in gaining access to his or her personal health information. Trustees must respond to access requests “without delay, openly, accurately and completely.” Upon request, trustees must provide an explanation of any terms, codes or abbreviations the individual does not understand. See s. 6(1), 6(2) and 7(2) of the Act.

Is an individual entitled to examine all of his or her personal health information?

PHIA permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • there is a reasonable expectation that it would result in harm to the individual or someone else;
  • revealing it would disclose confidential information about a third party; or
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to some of an individual’s personal health information, they still have an obligation to allow access to those portions of an individual’s personal health information that are not exempted by PHIA. See s. 11(2) of the Act.

How much time does a trustee have to respond to a request to examine personal health information?

Trustees must respond to requests for access as promptly as required in the circumstances but no later than

  • 24 hours after receiving a request from an in-patient in a hospital to see information about his or her current care,
  • 72 hours after receiving a request from a person who is not a hospital in-patient for information about his or her current care, and
  • 30 days after receiving the request for any other requests.

A failure to respond within the required timeframe will be considered a refusal to permit access. See s. 6(1) of the Act.

Is a trustee required to provide copies of an individual’s personal health information?

Yes. An individual is entitled to obtain a copy of any personal health information he or she is entitled to examine. See s. 5(1) of the Act.

Can an individual alter his or her personal health information without a trustee’s consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether or not a correction is needed. A trustee has 30 days to investigate and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be struck out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement which must be attached to and form part of his or her health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. PHIA identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual;
  • the individual’s proxy appointed in a health care directive;
  • the individual’s committee appointed under The Mental Health Act; or
  • the individual’s parent or guardian if the individual is a child who is too young to make his or her own health care decisions.

For a complete list of representatives, see s. 60(1) of the Act.

If the individual is incapacitated and no representative described above is available, the first adult on the following list who is readily available and willing to act may exercise those rights:

  • the individual’s spouse or common-law partner with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • an aunt or uncle; or
  • a nephew or niece. See s. 60(2) and (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the individual is incapacitated and no representative is available, a person authorized as outlined above has a right to access that personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be assessed under the provisions of the Act dealing with use and disclosure of personal health information.

What if an individual requests access to a file that contains both his or her personal health information and other personal information?

It is important to note the difference between personal information and personal health information. “Personal information” means recorded information about an identifiable individual, including the individual’s

  • name;
  • home address, telephone or facsimile number, or e-mail address;
  • age, sex, sexual orientation, marital or family status;
  • ancestry, race, colour, national or ethnic origin;
  • religion or creed, religious beliefs, association or activity;
  • personal health information;
  • blood type, fingerprints or hereditary characteristics;
  • political belief, association or activity;
  • education, employment or occupation, or educational, employment or occupational history;
  • source of income or financial circumstances, activities or history;
  • criminal history, including regulatory offences;
  • personal views or opinions, except if they are about another person;
  • views and opinions expressed about the individual by another person; and
  • identifying number, symbol or other particular assigned to the individual. See s. 1 of FIPPA.

For the definition of personal health information, please refer to the beginning of this summary. See also s. 1(1) of the Act.

When a file contains both personal health information and personal information, the individual must request access to:

  1. personal health information under PHIA. A request for access under PHIA for personal health information may be verbal or written and must contain enough detail to identify the portion of the record the individual wishes to access. See s. 5(2), (3) of the Act.
  2. personal information under FIPPA. A request for access under FIPPA for personal information must be in the prescribed form and contain enough detail to identify the portion of the record the individual wishes to access. See s. 8 of FIPPA.

II. PROTECTION OF PRIVACY

What are a trustee’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in PHIA, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are a trustee’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

How is the purpose for the collection of personal health information determined?

Determining the purpose for collecting personal health information is a critical requirement of PHIA. Not only does PHIA impose a requirement on trustees to notify the individual of this purpose at the time the information is collected, but the identified purpose for the collection will help determine which information can be collected and how it can later be used. The purpose for collecting personal health information will depend on the particular trustee collecting the information as well as the circumstances in which the collection takes place. For example, a university or school board is likely to have a different purpose for collecting personal health information about its students than Manitoba Labour will.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about his or her own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow him or her to make an informed decision about providing personal health information.

This principle is so important that PHIA requires that, when personal health information is collected by someone who is not a health professional, he or she must advise the individual about someone who can be contacted to gain more information about the reason personal health information is being collected. See s. 15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does PHIA prohibit the collection of personal health information?

Stressing the need to respect individual privacy, PHIA generally permits the collection from individuals of only as much information as is needed for specific purposes. What a trustee needs to know will largely depend on his or her purpose in collecting personal health information. PHIA prohibits the collection of personal health information for illegal purposes, for purposes unrelated to the function or activity of the trustee, and for purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must personal health information be collected only from the individual directly?

PHIA requires that, whenever possible, the trustee must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information that the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

PHIA permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when:

  • the individual has authorized it;
  • circumstances do not permit collection of the information from the individual; or
  • the information supplied by the individual is likely to be inaccurate.

For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of PHIA, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to friends and family of the individual or to other individuals.

Both use and disclosure involve revealing personal health information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, e-mail, or by revealing the information orally. The terms “use” and “disclosure” have the same meaning under FIPPA.

What obligations are placed on trustees by PHIA when using or disclosing personal health information?

Trustees cannot use or disclose personal health information unless:

  • it is necessary to accomplish the purpose for which the personal health information was collected; or
  • the trustee has the informed consent of the individual it is about. See s. 21, 22 of the Act.

There are some exceptions to this general rule. For example, trustees may use the personal health information for a purpose directly related to the purpose for which it was collected. In some cases, personal health information may be disclosed without the individual’s consent to the extent necessary to provide health care or for specific humanitarian purposes such as:

  • contacting the relative or friend of someone who is ill or injured;
  • informing relatives of someone’s death; and
  • assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or ease a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

In addition, public bodies and health care facilities may use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care. See s. 21(d) and 22(2)(g) of the Act.

For a complete list of permitted uses and disclosures, see s. 21, 22(2), 22(2.1) and 23 of the Act.

May personal health information be disclosed for research purposes?

PHIA does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes. It is also possible to disclose, for research purposes, health information that does identify an individual if the individual has been advised at the time the information was collected that it would be used for research purposes, or if the trustee obtains the individual’s informed consent.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • a health information privacy committee (described in s. 24(2)(a) and 59 of the Act and the Regulations), if the trustee is the government or a government agency; or
  • an institutional research review committee, if the trustee is other than the government or a government agency.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

What if another statute of Manitoba prohibits or restricts disclosing the individual’s personal health information?

A trustee must refuse to disclose personal health information if prohibited or restricted by another law of Manitoba. See s. 4(2) of the Act.

Is it permissible to disclose personal health information to information managers?

PHIA defines an information manager as a person or body that:

  • processes, stores or destroys personal health information;
  • provides information management; or
  • provides information technology services for or to a trustee. See s. 1(1) of the Act.

PHIA recognizes that, in order to store or destroy data or to assist in managing information, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of the information. See s. 25 of the Act.

C. SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

PHIA requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by PHIA. The information must not even be accessed by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees are required to establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information. Among other things, these safeguards must include procedures to limit access to the information to authorized people and to ensure that the electronic transmission of personal health information is not intercepted. For more about security safeguards, see s. 18 of the Act and Regulation 245/97.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.

III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing PHIA?

The role of the Ombudsman is the same under both PHIA and FIPPA and can be divided into two broad categories:

  • supervising compliance with the Acts generally. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Acts. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of PHIA with respect to:

  • access requests or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on his or her own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with PHIA. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out his or her duties under PHIA, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises and to obtain the assistance of the police. See s. 28, 29, 30 of the Act.

The Ombudsman will report investigation results and make recommendations to the trustee.

If a trustee does not respond to, or does not comply with, the Ombudsman's recommendations, the Ombudsman may request a review by the Adjudicator, who may make an order that the trustee must comply with.

Recommendations made by the Ombudsman must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out his or her duties?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every order or request legitimately made by the Ombudsman. In addition, anyone who misleads or obstructs the Ombudsman in the performance of his or her duties is guilty of an offence. See s. 29, 30, 63(1) of the Act.

PHIA also protects people who comply with requests from the Ombudsman. For example, an employer may not punish or penalize any employee who has provided information to the Ombudsman in response to the Ombudsman's request. See s. 65(2) of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the trustee. Under the changes to PHIA, if the trustee does not respond to, or comply with, the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The Ombudsman must refer the matter to the Adjudicator within 15 days of the trustee's response indicating that it will not comply with the Ombudsman's recommendations, or within 15 days after the deadline for the trustee to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator's review must be completed within 90 days unless extended as provided in the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy, depending on the matter reviewed. The trustee must comply with the Adjudicator's order within 30 days unless it files for judicial review of the order within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 of the Act.

B. PENALTIES

What penalty is imposed for a violation of PHIA?

PHIA permits a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of PHIA; and
  • failing to protect personal health information in a secure manner. See s. 63 of the Act.

To whom will the penalty apply?

The penalty for a violation of PHIA may be imposed against the trustee itself, but it may also be imposed against any director or officer of a trustee who authorized, permitted or acquiesced in the offence. See s. 64(2) of the Act.

Employees may also be personally prosecuted for willfully disclosing personal health information in circumstances where their employer would be prohibited from doing so, or for deliberately erasing or destroying personal health information to prevent an individual from getting access to it. See s. 63(1)(c), 63(2) of the Act.

Is there a defense to a charge for violating PHIA?

Yes. Trustees can escape conviction if they can demonstrate that they took all reasonable steps to comply with PHIA. See s. 63(4) of the Act.


Legislative Unit
Manitoba Health, Seniors and Active Living

300 Carlton Street
Winnipeg MB  R3B 3M9
Phone:  204-788-6612
Fax:  204-945-1020
Email: PHIAinfo@gov.mb.ca