The Personal Health Information Act (PHIA) came into force on December 11, 1997. It was unique legislation in Canada, being a distinct Act that provides access to information rights and protection of privacy rights concerning personal health information.

Significant amendments to PHIA came into effect on May 1, 2010 with additional changes effective January 1, 2011. References and links in this section are to the amended Act.

PHIA allows individuals to examine and receive a copy of their own personal health information from a trustee holding this information. PHIA imposes obligations on trustees for the protection of personal health information, specifically its collection, use, disclosure and security.

Personal health information is defined in the Act as information, recorded in any form, about an identifiable individual that relates to:

• the individual's health, or health care history, including genetic information about the individual; or,
  
  
• the provision of health care to the individual, or payment for health care provided to the individual;

and includes

• the PHIN (Personal Health Identification Number) and any other identifying number, symbol or particular assigned to an individual; and,
  
  
• any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

PHIA does not apply to statistical health information, or to health information that does not, either by itself or when combined with other information available to the holder, allow an individual to be readily identified (section 3). Where personal health information is contained in a clinical record compiled in a psychiatric facility governed by The Mental Health Act, that Act prevails over PHIA (section 4).

 

PHIA applies to trustees who maintain (have custody or control of) personal health information. Trustees under PHIA are:

• all public bodies which fall under The Freedom of Information and Protection of Privacy Act (FIPPA), including provincial government departments and agencies and local public bodies, educational bodies (such as school divisions, universities and colleges), health care bodies (such as hospitals and regional health authorities), and local government bodies (such as the City of Winnipeg, municipalities, local government districts, planning districts and conservation districts);
  
  
• health professionals licensed or registered to provide health care under an Act of the Legislature or who are members of a class of persons designated as health professionals in the regulations (such as doctors, nurses, physiotherapists and psychologists);
  
  
• health care facilities (such as hospitals, personal care homes, psychiatric facilities, medical clinics, laboratories, CancerCare Manitoba, and community health centres or other health care facilities designated in the regulations); and,
  
  
• health services agencies providing health care under an agreement with another trustee (such as organizations that provide health services in the home).

 

Section 2 of PHIA describes the purposes of the Act, which are:

• to provide individuals with a right to examine and receive a copy of personal health information about themselves maintained by a trustee, subject to the limited and specific exceptions set out in the Act;


• to provide individuals with a right to request corrections to personal health information about themselves maintained by a trustee;


• to establish rules governing the collection, use, disclosure, retention and destruction of personal health information in a manner that recognizes;


• the right of individuals to privacy of their personal health information, and


• the need for health professionals to collect, use and disclose personal health information in order to provide health care to individuals;


• to control the collection, use and disclosure of an individual's Personal Health Identification Number (PHIN); and,
  
  
• to provide for an independent review of the decisions of trustees under PHIA.

  

PHIA sets out an individual's right to examine and receive a copy of his or her own personal health information (section 5) subject to limited exceptions set out in PHIA (section 11).

An individual's right to request access under PHIA may be exercised by another person who is authorized under section 60 to act on behalf of that individual. For example, if the person has written authorization from the individual to act on the individual's behalf, or is the parent or guardian of a minor and the minor does not have the capacity to make health care decisions, or the person is otherwise authorized under section 60 to act on the individual's behalf.

There may be circumstances where an individual is not able to authorize another person to act on his or her behalf. In these circumstances, PHIA sets out who may legally exercise the rights of the individual under the Act. If the individual does not have a legal representative, or the representative is unavailable, a family or a close friend may be able to exercise the individual's rights under PHIA on behalf of the individual (section 60).

When an access request for personal health information is made, a trustee may require that the request be in writing. The trustee maintaining the personal health information is required to assist the individual making the request and to respond to the request for access promptly, but no later than:

- 24 hours after receiving the request, if the individual is a patient admitted to hospital and the access request concerns the care the individual is currently receiving (access in this situation and time-frame consists of examining the information);

- 72 hours after receiving the request if the individual is not a patient admitted to hospital and the access request concerns the care the individual is currently receiving (access in this situation and time-frame may include receiving a copy of the information as well as examining it); and

- 30 days after receiving the request in any other case, unless the request is transferred to another trustee (section 6).

PHIA permits a trustee to refuse an individual access to his or her personal health information for the limited reasons specified in the Act. The reasons for refusing access are set out in section 11 of PHIA. The practice of severance, which involves removing information that falls within an exception to disclosure from a copy of the record to be released, provides a means of disclosing as much information as possible.

An individual who obtains access to his or her personal health information may request a correction be made to this information. This request must be made in writing to the trustee. If the trustee refuses to correct the personal health information, the individual may submit a statement of disagreement which must be added to the record (section 12).

Requests for access to personal health information about someone else -- a third party -- fall under the provisions of The Freedom of Information and Protection of Privacy Act (FIPPA) unless the individual making the request is a person recognized under section 60 of PHIA. You may refer to the section in our web site, About The Freedom of Information and Protection of Privacy Act for information concerning the process of making an application for access and to whom FIPPA applies. FIPPA requires the protection of personal health information about a third party (FIPPA section 17).

 

PHIA requires that trustees protect the privacy of individuals and imposes obligations on trustees respecting the collection, use, disclosure, security, retention and destruction of personal health information. The following are key privacy principles and practices reflected in PHIA:

Collection

• Where a trustee collects personal health information, the collection must be for a purpose authorized under PHIA and be limited to the minimum amount necessary to accomplish the purpose (section 13).
• Personal health information must be collected directly from the individual unless another method of collection is authorized under PHIA (section 14).

Accuracy

• Before using or disclosing personal health information, trustees must take reasonable steps to ensure that the personal health information is accurate, up to date, complete and not misleading (section 16).

Information Policies and Management

• Trustees must have a written policy concerning the retention and destruction of personal health information and comply with the policy (section 17).
• If a trustee provides personal health information to an information manager for the purpose of processing, storing or destroying the information, the trustee and the information manager must comply with section 25.

Security

• Trustees must protect personal health information by making reasonable security safeguards to ensure the confidentiality, security, accuracy and integrity of the information (section 18).

Use

• Every use of personal health information by a trustee must be authorized under PHIA (section 20).
• Every use of personal health information by a trustee must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used and be limited to the employees and agents of the trustee who need to know the information (section 20).
• Trustees may use personal health information for the purposes set out in section 21.

Disclosure

• Every disclosure of personal health information by a trustee must be authorized under PHIA (section 20).
• Every disclosure of personal health information by a trustee must be limited to the minimum amount of information necessary to accomplish the purpose for which it is disclosed (section 20).
• Trusees may disclose personal health information in the situations set out in section 22, 23, 23.1, 23.2, 24, 24.1 and 25.

Consent

• When PHIA requires an individual's consent for the use or disclosure of personal health information, the consent must relate to the purpose for which the information is used or disclosed and be knowledgeable, voluntary and not obtained through misrepresentation (section 19.1).
• Consent may be implied or express (section 19.1(3)), but it must be express if a trustee makes a disclosure to a person who is not a trustee, or a trustee makes a disclosure to another trustee for a purpose other than providing health care or assisting in providing health care (section 19.1).
• An individual may give consent subject to conditions, but if a condition has the effect of restricting or prohibiting a trustee from recording personal health information as required by law or standards of practice, the condition will not have effect (19.1).
• An individual who has given consent to the use or disclosure of personal health information may withdraw consent by notifying the trustee. A withdrawal of consent does not have retroactive effect (section 19.2).

Research

• A trustee may disclose personal health information to a person conducting health research only if the research has been approved under section 24 and the person proposing the research project enters into an agreement with the trustee as set out in subsection 24(4).
• A trustee may disclose personal health information to a health research organization set out in the Regulation and if the organization meets the requirements of section 24.1. The purposes for disclosure are listed in subsection 24.1(2). The health research organization must meet the privacy requirements of subsection 24.1(3) and the trustee must enter into an agreement with the organization as required by PHIA.

Personal Health Identification Number (PHIN)


• No person other than a trustee may require the production of an individual's PHIN or may collect the PHIN unless authorized to do so under PHIA (section 26).

Required Notices to Individuals

Notice of Right to Access Information

In accordance with the Regulation under PHIA, a trustee must take reasonable steps to inform individuals of their right to examine and receive a copy of their personal health information maintained by the trustee and how they can exercise that right (section 9.1 of PHIA).

The Regulation sets out that a trustee must also inform of an individual's right to authorize another person to examine and receive a copy of the individual's personal health information (section 1.4 of the Regulation).

The Regulation states that the trustee must use a sign, poster, brochure or other similar notice. The notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individual's attention.

Notice of Collection

A trustee who collects personal health information directly from the individual the information is about shall, before it is collected or as soon as practical afterwards, take reasonable steps to inform the individual:

- of the purpose for which the information is being collected; and

- if the trustee is not a health professional, how to contact an officer or employee of the trustee who can answer the individual's questions about the collection (section 15 of PHIA).

Notice for Disclosure to a Religious Organization

A hospital or personal care home (trustees) may disclose to a representative of a religious organization an in-patient's or resident's name, general health status (for example, critical, stable or satisfactory) and location in the facility, unless the individual tells the facility not to do so. The trustee may only make this disclosure if:

- it has notified the individual in writing that it might disclose personal health information about the individual to a representative of a religious organization, or has posted a notice to this effect where it is likely to come to the individual's attention;

- the notice is in a form that the individual can reasonably understand; and

- the individual has been given a reasonable opportunity to object to the disclosure and has not done so (section 23.1).

Notices involving Disclosure to a Charitable Fundraising Foundation

A hospital or personal care home, or other designated health care facility may disclose to an associated charitable fundraising foundation the name and mailing address of an individual who has received or is receiving services from the facility or agency unless the individual tells them not to do so. The trustee may only make this disclosure if:

- it has notified the individual in writing that it might disclose personal health information about the individual to a charitable fundraising organization, or has posted a notice to this effect where it is likely to come to the individual's attention;

- the notice is in a form that the individual can reasonably understand;

- the individual has been given a reasonable opportunity to object to the disclosure and has not done so; and

- the trustee and foundation comply with any additional requirements specified in the Regulation (section 23.2 of PHIA)

Section 8.1 of the Regulation sets out that a charitable fundraising foundation that receives the personal health information from a trustee and sends a solicitation under the Act to an individual must clearly inform the individual that:

-the individual may refuse any further solicitation; and

-provide a telephone number that the individual may call to communicate a refusal.

 

 

PHIA provides for an independent review of the decisions of trustees under this Act. The Ombudsman is an independent Officer of the Legislature with broad investigative powers. The responsibilities of the Ombudsman under PHIA include the investigation of complaints respecting access to information and protection of personal information, monitoring compliance with PHIA by trustees and promoting public awareness of PHIA. The Ombudsman may also initiate a complaint respecting any matter about which the Ombudsman is satisfied there are reasonable grounds to investigate under PHIA.

 

PHIA allows the individual whom the personal health information is about to make a complaint to the Ombudsman. The complaint may be made by another person who is authorized under section 60 to act on behalf of that individual.

 

PHIA allows an individual who has requested access to his or her own personal health information to make a complaint concerning any decision, act or failure to act that relates to the request, including the following:

• a refusal by the trustee to permit the individual to examine or receive a copy of the personal health information
  
  
• a refusal by the trustee to correct personal health information
  
  
• an unreasonable or unauthorized fee charged by the trustee

PHIA also allows an individual to make a complaint about privacy, alleging that the trustee:

• has collected, used or disclosed his or her personal health information contrary to PHIA
  
  
• has failed to protect his or her personal health information in a secure manner as required by PHIA

PHIA requires that a complaint be made in writing (section 39). This requirement may be met by writing a letter to the Ombudsman describing the nature of the complaint. Another option for making a privacy complaint, instead of writing a letter, is to complete a Questionnaire for a Privacy Complaint available on our website. Any additional information or relevant correspondence may be attached to the complaint.

If you have any questions concerning the making of a complaint, you may contact the Office of the Manitoba Ombudsman.

 

The Ombudsman will investigate a complaint to determine if the trustee is in compliance with PHIA. The Ombudsman may initiate a complaint concerning any matter about which the Ombudsman is satisfied there are reasonable grounds to investigate under PHIA (section 39). The Ombudsman may take any steps considered appropriate to resolve the complaint informally to the satisfaction of the parties and in a manner consistent with the legislation (section 40).

The Ombudsman may decide not to investigate a complaint if, in her opinion: the length of elapsed time makes an investigation of a privacy complaint no longer practicable or desirable; the subject matter of the complaint is trivial or the complaint is not made in good faith or is frivolous or vexatious or an abuse of process; the circumstances of the complaint do not require investigation (section 41).

The Ombudsman may also defer an access complaint if: the complaint concerns a health care facility or health services agency which has an internal appeal procedure that the complainant has not used; the complaint concerns a health professional and there is an expeditious and informal procedure for addressing the complaint through a body with statutory responsibility for regulating the practice of the health professional, which the complainant has not used (section 41).

During an investigation, the Ombudsman is required to give the complainant and the trustee an opportunity to make representations (section 43). PHIA sets out a 45-day time limit for an investigation of a complaint about access to be completed and a 90-day time limit for an investigation of a complaint about privacy to be completed, unless the Ombudsman extends this time period (section 46).

On completing an investigation of a complaint, the Ombudsman is required to prepare a report containing the findings about the complaint and any recommendations the Ombudsman considers appropriate respecting the complaint (section 47). The report will be provided to the complainant and the trustee concerned (section 48).

If the report contains recommendations, the trustee must send the Ombudsman a written response within 14 days after receiving it indicating whether the recommendations have been accepted and describing any action taken or proposed to implement them, or the reasons why the trustee refuses to take actions to implement them.

The Ombudsman shall notify the complainant of the trustee's response without delay and if the trustee refuses to provide access to personal health information, the Ombudsman shall inform the complainant of further steps. The Ombudsman must make recommendations made under this section available to the public. Recommendations will be posted on the Ombudsman website (section 48).

If a trustee does not act on a recommendation made by the Ombudsman in an access to information or privacy complaint, the Ombudsman may refer the matter to the Information and Privacy Adjudicator for review (section 48.1). The Adjudicator is an additional level of independent review and complaint resolution available to the Ombudsman. Like the Ombudsman, the Adjudicator is an Officer of the Legislative Assembly.

The matter referred by the Ombudsman to the Adjudicator may be any decision, act or failure to act by the trustee relating to an individual's request for access to his or her personal health information, for correction, or if the Ombudsman considers that an individual's personal health information has been collected, used or disclosed contrary to PHIA (section 48.1).

Upon receiving a request for review from the Ombudsman, the Adjudicator must conduct a review of the matter and decide all questions of fact and law arising in the course of the review (section 48.3). Upon completing the review, the Adjudicator has the power to make various orders. These include requiring a trustee to give the applicant access to the requested personal health information, confirming a trustee's access decision, or requiring a trustee to cease or modify a specified practice of collecting, using, disclosing, retaining or destroying personal health information contrary to PHIA. The Adjudicator must make his orders available to the public (section 48.8).

The trustee must comply with the Adjudicator's order within 30 days of being given a copy (or longer, if specified in the order) unless a person makes an application for judicial review. In that event, the Adjudicator's order will be stayed until the court deals with the application (section 48.9).

If the Ombudsman does not ask the Information and Privacy Adjudicator to review a matter relating to a trustee's refusal to permit the complainant to examine or receive a copy of his or her personal health information, the complainant may appeal to court (section 48).

 

In addition to the powers and duties respecting complaints, the Ombudsman has the following general powers and duties under PHIA (section 28) :

• to conduct investigations and audits and make recommendations to monitor and ensure compliance with PHIA;
  
  
• to inform the public about PHIA and to receive comments from the public about matters concerning the confidentiality of personal health information or access to that information;
  
  
• to comment on the implications for access to or confidentiality of personal health information of proposed legislative schemes or programs or practices of trustees;
  
  
• to comment on the implications for the confidentiality of personal health information of using or disclosing personal health information for record linkage or using information technology in the collection, storage, use or transfer of personal health information.

The Ombudsman submits an annual report to the Manitoba Legislature about complaints and investigations, compliance with the Ombudsman's recommendations, and any other matters about access to and confidentiality of personal health information that the Ombudsman considers appropriate. The Ombudsman may also issue special reports in the public interest relating to any matter respecting PHIA (section 37).

 

PHIA sets out in sections 49 to 56, the process for appealing to court. An appeal may only be filed by an individual concerning a decision of a trustee to refuse to permit the individual to examine or receive a copy of his or her personal health information. There is no appeal to court respecting other access to information matters or a trustee's collection, use or disclosure of personal health information under PHIA.

Before filing an appeal to court, the individual must have made a complaint to the Ombudsman about refused access to his or her personal health information, the Ombudsman must have provided a concluding report about the investigation and the Ombudsman not asked the Information and Privacy Adjudicator to review the matter.

Where an individual has a right to appeal a decision under PHIA, an appeal may be made by filing an application with the Manitoba Court of Queen's Bench. An application for an appeal must be made within 30 days after an individual has received the Ombudsman's report or within a longer period of time, which the Court may allow in special circumstances. The application for an appeal names the trustee as the respondent.

The Court may dismiss an appeal if it determines that the trustee was justified in refusing to permit the applicant to examine or receive a copy of his or her personal health information under section 11 of PHIA. If the Court determines that the trustee was not justified in refusing access under section 11, it may order the trustee to give access to some or all of the information. The Court may also make other orders it considers appropriate. Except with the permission of the Court of Appeal, a decision of the Court of Queen's Bench is final and binding and there is no appeal from this decision.