Ombudsman Manitoba: Access and Privacy Division: About the Personal Health Information Act

The Personal Health Information Act (PHIA) was proclaimed as law in Manitoba on December 11, 1997. It was unique legislation in Canada, being a distinct Act that provides access to information rights and protection of privacy rights concerning personal health information.

Significant amendments to PHIA came into effect on May 1, 2010. References and links in this section are to the amended Act.

PHIA allows individuals to examine and receive a copy of their own personal health information from a trustee holding this information. PHIA imposes obligations on trustees for the protection of personal health information, specifically its collection, use, disclosure and security.

Personal health information is defined in the Act as information, recorded in any form, about an identifiable individual that relates to:

the individual's health, or health care history, including genetic information about the individual; or,

the provision of health care to the individual, or payment for health care provided to the individual;
and includes

the PHIN (Personal Health Identification Number) and any other identifying number, symbol or particular assigned to an individual; and,

any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.
PHIA does not apply to statistical health information, or to health information that does not, either by itself or when combined with other information available to the holder, allow an individual to be readily identified (section 3). Where personal health information is contained in a clinical record compiled in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA [section 4(3)].

PHIA applies to trustees who maintain (have custody or control of) personal health information. Trustees under PHIA are:

all public bodies which fall under The Freedom of Information and Protection of Privacy Act (FIPPA), including provincial government departments and agencies and local public bodies, educational bodies (such as school divisions, universities and colleges), health care bodies (such as hospitals and regional health authorities), and local government bodies (such as the City of Winnipeg, municipalities, local government districts, planning districts and conservation districts);

health professionals licensed or registered to provide health care under an Act of the Legislature or who are members of a class of persons designated as health professionals in the regulations (such as doctors, nurses, physiotherapists and psychologists);

health care facilities (such as hospitals, personal care homes, psychiatric facilities, medical clinics, laboratories, The Manitoba Cancer Treatment and Research Foundation, and community health centres or other health care facilities designated in the regulations); and,

health services agencies providing health care under an agreement with another trustee (such as organizations that provide health services in the home).

Section 2 of PHIA describes the purposes of the Act, which are:

to provide individuals with a right to examine and receive a copy of personal health information about themselves maintained by a trustee, subject to the limited and specific exceptions set out in the Act;

to provide individuals with a right to request corrections to personal health information about themselves maintained by a trustee;

to establish rules governing the collection, use, disclosure, retention and destruction of personal health information in a manner that recognizes;

the right of individuals to privacy of their personal health information, and

the need for health professionals to collect, use and disclose personal health information in order to provide health care to individuals;

to control the collection, use and disclosure of an individual's Personal Health Identification Number (PHIN); and,

to provide for an independent review of the decisions of trustees under PHIA.

PHIA sets out an individual's right to examine and receive a copy of his or her own personal health information (section 5(1)) subject to limited exceptions set out in PHIA (section 11(1) and 11(2)).

An individual's right to request access under PHIA may be exercised by another person who is authorized under section 60(1) to act on behalf of that individual. For example, if the person has written authorization from the individual to act on the individual's behalf, or is the parent or guardian of a minor and the minor does not have the capacity to make health care decisions, or the person is otherwise authorized under section 60 to act on the individual's behalf.

There may be circumstances where an individual is not able to authorize another person to act on his or her behalf. In these circumstances, PHIA sets out who may legally exercise the rights of the individual under the Act. If the individual does not have a legal representative, or the representative is unavailable, a family or a close friend may be able to exercise the individual's rights under PHIA on behalf of the individual (section 60(2) and 60(3)).

When an access request for personal health information is made, a trustee may require that the request be in writing. The trustee maintaining the personal health information is required to assist the applicant and to respond to the request for access promptly, but no later than:

- 24 hours after receiving the request, if the individual is a patient admitted to hospital and the access request concerns the care the individual is currently receiving (access in this situation and time-frame consists of examining the information);

- 72 hours after receiving the request if the individual is not a patient admitted to hospital and the access request concerns the care the individual is currently receiving (access in this situation and time-frame may include receiving a copy of the information as well as examining it); and

- 30 days after receiving the request in any other case, unless the request is transferred to another trustee (section 6(1)).

PHIA permits a trustee to refuse an individual access to his or her personal health information for the limited reasons specified in the Act. The reasons for refusing access are set out in section 11(1) of PHIA. The practice of severance, which involves removing information that falls within an exception to disclosure from a copy of the record to be released, provides a means of disclosing as much information as possible (section 11(2)).

An individual who obtains access to his or her personal health information may request a correction be made to this information. This request must be made in writing to the trustee (section 12(1) and 12(2)). If the trustee refuses to correct the personal health information (section 12(3)), the individual may submit a statement of disagreement which must be added to the record (section 12(4), 12(5), 12(6)).

Requests for access to personal health information about someone else -- a third party -- fall under the provisions of The Freedom of Information and Protection of Privacy Act (FIPPA) unless the applicant is a person recognized under section 60 of PHIA. You may refer to the section in our web site, About The Freedom of Information and Protection of Privacy Act for information concerning the process of making an application for access and to whom FIPPA applies. FIPPA requires the protection of personal health information about a third party (FIPPA section 17(2)(a)).

PHIA requires that trustees protect the privacy of individuals and imposes obligations on trustees respecting the collection, use, disclosure, security, retention and destruction of personal health information. The following are key privacy principles and practices reflected in PHIA:

Collection

Where a trustee collects personal health information, the collection must be for a purpose authorized under PHIA and be limited to the minimum amount necessary to accomplish the purpose (section 13(1) and (2)).
Personal health information must be collected directly from the individual unless another method of collection is authorized under PHIA (section 14(1) and 14(2)).
Accuracy

Before using or disclosing personal health information, trustees must take reasonable steps to ensure that the personal health information is accurate, up to date, complete and not misleading (section 16).
Information Policies and Management

Trustees must have a written policy concerning the retention and destruction of personal health information and comply with the policy (section 17(1), 17(2), 17(3) and 17(5)).
If a trustee provides personal health information to an information manager for the purpose of processing, storing or destroying the information, the trustee and the information manager must comply with section 25(1), 25(2), 25(3), 25(4) and 25(5).
Security

Trustees must protect personal health information by making reasonable security safeguards to ensure the confidentiality, security, accuracy and integrity of the information (section 18(1), 18(2) and 18(3)).
Use

Every use of personal health information by a trustee must be authorized under PHIA (section 20(1)).
Every use of personal health information by a trustee must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used and be limited to the employees and agents of the trustee who need to know the information (section 20(2) and 20(3)).
Trustees may use personal health information for the purposes set out in section 21.

Disclosure

Every disclosure of personal health information by a trustee must be authorized under PHIA (section 20(1)).
Every disclosure of personal health information by a trustee must be limited to the minimum amount of information necessary to accomplish the purpose for which it is disclosed (section 20(2) and 20(3)).
Trusees may disclose personal health information in the situations set out in section 22(1), 22(2), 22(2.1), 22(2.2), 23(1), 23(2), 23.1(1), 23.2(1), 24(1), 24.1(1) and 25(1).

Consent

When PHIA requires an individual's consent for the use or disclosure of personal health information, the consent must relate to the purpose for which the information is used or disclosed and be knowledgeable, voluntary and not obtained through misrepresentation (section 19.1(1)).

Consent may be implied or express (section 19.1(3)), but it must be express if a trustee makes a disclosure to a person who is not a trustee, or a trustee makes a disclosure to another trustee for a purpose other than providing health care or assisting in providing health care (section 19.1(4)).

An individual may give consent subject to conditions, but if a condition has the effect of restricting or prohibiting a trustee from recording personal health information as required by law or standards of practice, the condition will not have effect (19.1(7)).

An individual who has given consent to the use or disclosure of personal health information may withdraw consent by notifying the trustee. A withdrawal of consent does not have retroactive effect (section 19.2).

Research

A trustee may disclose personal health information to a person conducting health research only if the research has been approved under section 24 (section 24(1), 24(2) and 24(3) and the person proposing the research project enters into an agreement with the trustee as set out in section 24(4).
A trustee may disclose personal health information to a health research organization set out in the Regulation and if the organization meets the requirements of section 24.1(1). The purposes for disclosure are listed in section 24.1(2). The health research organization must meet the privacy requirements of section 24.1(3) and the trustee must enter into an agreement with the organization as required by PHIA (section 24.1(4) and 24.1(5)).

Personal Health Identification Number (PHIN)

No person other than a trustee may require the production of an individual's PHIN or may collect the PHIN (section 26(1)), unless authorized to do so under section 26(2) of PHIA.

Required Notices to Individuals

Notice of Right to Access Information

In accordance with the Regulation under PHIA, a trustee must take reasonable steps to inform individuals of their right to examine and receive a copy of their personal health information maintained by the trustee and how they can exercise that right (section 9.1 of PHIA).

The Regulation sets out that a trustee must also inform of an individual's right to authorize another person to examine and receive a copy of the individual's personal health information (section 1.4(2) of the Regulation).
The Regulation states that the trustee must use a sign, poster, brochure or other similar notice (section 1.4(1) of the Regulation). The notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individual's attention (section 1.4(4) of the Regulation).

Notice of Collection

A trustee who collects personal health information directly from the individual the information is about shall, before it is collected or as soon as practical afterwards, take reasonable steps to inform the individual:

- of the purpose for which the information is being collected; and

- if the trustee is not a health professional, how to contact an officer or employee of the trustee who can answer the individual's questions about the collection (section 15(1) of PHIA).

Notice for Disclosure to a Religious Organization

A hospital or personal care home (trustees) may disclose to a representative of a religious organization an in-patient's or resident's name, general health status (for example, critical, stable or satisfactory) and location in the facility, unless the individual tells the facility not to do so (section 23.1(1) of PHIA). Under section 23.1(2)), the trustee may only make this disclosure if:

- it has notified the individual in writing that it might disclose personal health information about the individual to a representative of a religious organization, or has posted a notice to this effect where it is likely to come to the individual's attention;

- the notice is in a form that the individual can reasonably understand; and

- the individual has been given a reasonable opportunity to object to the disclosure and has not done so.

Notices involving Disclosure to a Charitable Fundraising Foundation

A hospital or personal care home, or other designated health care facility may disclose to an associated charitable fundraising foundation the name and mailing address of an individual who has or is receiving services from the facility or agency unless the individual tells them not to do so (section 23.2(1) of PHIA). Under section 23.2(2)), the trustee may only make this disclosure if:

- it has notified the individual in writing that it might disclose personal health information about the individual to a charitable fundraising organization, or has posted a notice to this effect where it is likely to come to the individual's attention;

- the notice is in a form that the individual can reasonably understand;

- the individual has been given a reasonable opportunity to object to the disclosure and has not done so; and

- the trustee and foundation comply with any additional requirements specified in the Regulation.

Section 8.1 (4) of the Regulation sets out that a charitable fundraising foundation that receives the personal health information from a trustee and sends a solicitation under the Act to an individual must clearly inform the individual that:
-the individual may refuse any further solicitation; and

-provide a telephone number that the individual may call to communicate a refusal.

PHIA provides for an independent review of the decisions of trustees under this Act. The Ombudsman is an independent Officer of the Legislature with broad investigative powers. The responsibilities of the Ombudsman under PHIA include the investigation of complaints respecting access to information and protection of personal information, monitoring compliance with PHIA by trustees and promoting public awareness of PHIA.

PHIA allows the individual whom the personal health information is about to make a complaint to the Ombudsman. The complaint may be made by another person who is authorized under section 60 to act on behalf of that individual.

PHIA allows an individual who has requested access to his or her personal health information to make a complaint concerning the following:

a refusal by the trustee to permit the individual to examine or receive a copy of the personal health information

a refusal by the trustee to correct personal health information

an unreasonable or unauthorized fee charged by the trustee
PHIA also allows an individual to make a complaint about privacy, alleging that the trustee:

has collected, used or disclosed his or her personal health information contrary to PHIA

has failed to protect his or her personal health information in a secure manner as required by PHIA

PHIA requires that a complaint be made in writing [section 39(3)]. This requirement may be met by writing a letter to the Ombudsman describing the nature of the complaint. Another option for making a privacy complaint, instead of writing a letter, is to complete a Questionnaire for a Privacy Complaint. Any additional information or relevant correspondence may be attached to the complaint.

If you have any questions concerning the making of a complaint, you may contact the Office of the Manitoba Ombudsman.

The Ombudsman will investigate a complaint to determine if the trustee is in compliance with PHIA. The Ombudsman may initiate a complaint concerning any matter about which the Ombudsman is satisfied there are reasonable grounds to investigate under PHIA [section 39(4)]. The Ombudsman may take any steps considered appropriate to resolve the complaint informally to the satisfaction of the parties and in a manner consistent with the legislation [section 40(2)].

The Ombudsman may decide not to investigate a complaint if, in his opinion: the length of elapsed time makes an investigation of a privacy complaint no longer practicable or desirable; the subject matter of the complaint is trivial or the complaint is not made in good faith or is frivolous or vexatious; the circumstances of the complaint do not require investigation [section 41(1)].

The Ombudsman may also defer an access complaint if: the complaint concerns a health care facility or health services agency which has an internal appeal procedure that the complainant has not used; the complaint concerns a health professional and there is an expeditious and informal procedure for addressing the complaint through a body with statutory responsibility for regulating the practice of the health professional, which the complainant has not used [section 41(2)].

During an investigation, the Ombudsman is required to give the complainant and the trustee an opportunity to make representations (section 43(1), 43(2) and 43(3)). PHIA sets out a 45-day time limit for an investigation of a complaint about access to be completed and a 90-day time limit for an investigation of a complaint about privacy to be completed, unless the Ombudsman extends this time period (section 46).

On completing an investigation of a complaint, the Ombudsman is required to prepare a report containing the findings about the complaint and any recommendations the Ombudsman considers appropriate respecting the complaint (section 47(1), 47(2) and 47(3)). The report will be provided to the complainant and the trustee concerned (section 48(1), 48(2), 48(3)).

If the report contains recommendations, the trustee must send the Ombudsman a written response within 14 days after receiving it indicating whether the recommendations have been accepted and describing any action taken or proposed to implement them, or, the reasons why the trustee refuses to take actions to implement them (section 48(4)). The Ombudsman shall notify the complainant of the trustee's response without delay and if the trustee refuses to provide access to personal health information, the Ombudsman shall inform the complainant of further steps (section 48(4), 48(5) and 48(6)). The Ombudsman must make recommendations made under this section available to the public (section 48(7))

In addition to the powers and duties respecting complaints, the Ombudsman has the following general powers and duties under PHIA (section 28) :

to conduct investigations and audits and make recommendations to monitor and ensure compliance with PHIA;

to inform the public about PHIA and to receive comments from the public about matters concerning the confidentiality of personal health information or access to that information;

to comment on the implications for access to or confidentiality of personal health information of proposed legislative schemes or programs or practices of trustees;

to comment on the implications for the confidentiality of personal health information of using or disclosing personal health information for record linkage or using information technology in the collection, storage, use or transfer of personal health information.
The Ombudsman submits an annual report to the Manitoba Legislature about complaints and investigations, compliance with the Ombudsman's recommendations, and any other matters about access to and confidentiality of personal health information that the Ombudsman considers appropriate. The Ombudsman may also issue special reports in the public interest relating to any matter respecting PHIA (section 37(1), 37(2) and 37(3)).

PHIA sets out, in sections 49 to 56, who may appeal a decision of a trustee to the Manitoba Court of Queen's Bench and the process of making an appeal. An appeal may only be made concerning a decision of a trustee to refuse to permit an individual to examine or receive a copy of his or her personal health information. There is no appeal to court respecting a trustee's collection, use or disclosure of personal health information under PHIA.
Prior to making an appeal, PHIA requires that an individual make a complaint to the Ombudsman. After receiving a report from the Ombudsman, an individual may appeal a decision of a trustee to refuse access. The Ombudsman may appeal a decision concerning a refusal of access, with the consent of the individual.
Where an individual has a right to appeal a decision under PHIA, an appeal may be made by filing an application with the Manitoba Court of Queen's Bench. An application for an appeal must be made within 30 days after an individual has received the Ombudsman's report or within a longer period of time, which the Court may allow in special circumstances. The application for an appeal names the trustee as the respondent.
The Court may dismiss an appeal if it determines that the trustee was justified in refusing to permit the applicant to examine or receive a copy of his or her personal health information under section 11 of PHIA. If the Court determines that the trustee was not justified in refusing access under section 11, it may order the trustee give access to some or all of the information. The Court may also make other orders it considers appropriate. Except with the permission of The Court of Appeal, a decision of the Court of Queen's Bench is final and binding and there is no appeal from this decision.