PHIA Investigation Reports
Upon completion of our investigation of an access or privacy complaint under PHIA, we provide a report to the complainant and the public body/trustee containing our findings and any recommendations the ombudsman considers appropriate about the complaint.
In cases where we have made recommendations, the act requires that we make our recommendations available to the public and we may do so by publishing them on a website. We are publishing our reports containing recommendations along with our summary of the response to the recommendations by the public body/trustee.
We are also publishing selected investigation reports issued by the ombudsman in cases where recommendations were not made. These reports contain our findings about how specific provisions of the act are applied.
Note: A web version of a report may have been edited from the original version.
Reports are available in alternate formats upon request.
Reports with Recommendations and Response
Case 2014-0500 – 2017-12-12
Manitoba Health, Seniors and Active Living (MHSAL); unauthorized access to personal health information in the databases of the Provincial Drug Program (PDP) branch; privacy investigation – collection, use, disclosure, security; ombudsman found that the department failed to respond in a timely way to the incidents of unauthorized access by one of its employees and that the department did not, at the time, have in place sufficient policies, procedures and other safeguards to meet its obligations under PHIA.case-2014-0500-en.pdfDownload
Case 2013-0419 – 2015-03-03
Health professional (psychologist); refusal of access in response to an individual’s request to view and receive copies of the individual’s own personal health information; provisions 7(1)(a), 7(1)(c) and 11(1); ombudsman found that the trustee did not respond to the request and did not provide reasons for refusing access; trustee did not accept the ombudsman’s recommendations and the matter was referred to the information and privacy adjudicator for review.
Read the Information and Privacy Adjudicator Decision issued March 23, 2015case-2013-0419-en.pdfDownload
Cases 2011-0513 and 2011-0514 (Report on Compliance with Recommendations) – 2014-04-29
CancerCare Manitoba; report on compliance with recommendations issued in 2012. In September 2013 CancerCare reported to the ombudsman that it had completed implementation of all the recommendations contained in the report.cases-2011-0513-0514-web-version-en.pdfDownload
Cases 2011-0513 and 2011-0514 – 2012-09-12
CancerCare Manitoba; use of personal health information and security of personal health information; provisions 18, 19, 20, 21, 39, 60, 63, 64 of The Personal Health Information Act; 2, 4, 5, 6, 7, 8 of the Personal Health Information Regulation; and Manitoba Health's Guideline for Auditing Records of User Activity; ombudsman found that the employee's use of personal health information contravened PHIA and that additional measures should be taken to protect electronic health information.cases2011-0513-0514-en.pdfDownload
Case 2011-0079 – 2011-11-28
Flin Flon Clinic; failure to destroy personal health information in a secure manner; provisions 17(1), 17(2), 17(3), 25(3) and Regulation 245/97; ombudsman found that the trustee was not in compliance with PHIA regarding destruction of personal health information.case2011-0079-en.pdfDownload
Case 2014-0153 – 2015-03-17
St. Boniface General Hospital; complaint about unreasonable fee for access to personal health information; provision – section 10; ombudsman found that the fee was reasonable in the circumstances.case-2014-0153-en.pdfDownload
Case 2014-0451 – 2015-03-17
Health Sciences Centre; refused access to a hospital in-patient’s chart within the 24 hour time frame as set out in PHIA; provisions 6(1)(a), 6(1.1) and 6(3); ombudsman found that the complaint was supported.case-2014-0451-en.pdfDownload
Case 2017-0143 – 2019-04-23
Winnipeg Regional Health Authority. This case concerned a privacy breach involving the personal health information of 91 patients who received magnetic resonance imaging (MRI) scans within the Winnipeg Regional Health Authority (WRHA) between 2008 and 2016. The patients’ health information was disclosed in violation of PHIA to several media organizations. The ombudsman found that the WRHA responded appropriately to the privacy breach. The ombudsman was not able to determine the identity of the person(s) who made the unauthorized disclosures to media organizations and was not able to determine whether the breach originated within the WRHA. However, the review identified several measures that trustees should consider in an effort to minimize the risk of intentional or inadvertent privacy breaches in the case of bulk disclosures of personal health information.case-2017-0143-en.pdfDownload
Case 2017-0479 – 2018-12-17
Victoria General Hospital. Provisions considered: 18(1), 19. While attending the Victoria General Hospital for a medical procedure, a nurse collected an individual’s medical history through a verbal discussion in a semi-public area of the hospital, where others could hear the discussion. The individual complained about the hospital’s failure to safeguard her personal health information. Our office found that the hospital did not adequately protect personal health information from the risk of inadvertent unauthorized disclosure, and we supported the complaint. During our investigation, the hospital made changes to the layout of the unit to provide greater physical and visual separation of patients during the intake procedure. Our office concluded that because of these changes, the hospital implemented reasonable safeguards to protect personal health information discussed with patients during the intake process.case-2017-0479-en.pdfDownload
Case 2018-0299 – 2018-11-13
Manitoba Public Insurance. Provisions considered: 19.1(1), 20(1), 20(2), 22(2)(k), 22(2)(o), 22(3). An individual made an injury claim with Manitoba Public Insurance (MPI) and subsequently appealed MPI’s decision to the Automobile Injury Compensation Appeal Commission (AICAC). As part of the appeal process, MPI provided copies of four reports containing the individual’s personal health information to AICAC. In a complaint to our office, the individual alleged that MPI disclosed his personal health information to AICAC without his consent, and therefore was contrary to PHIA. Our office found that the disclosure of the individual’s personal information was authorized. The complaint was not supported.case-2018-0299-en.pdfDownload
Case 2017-0297 – 2017-12-20
Health-care facility; collection of information about an individual’s religion; provision 13(1); ombudsman found that the collection of information about the individual’s religion was not necessary for the purpose of providing health care. The hospital agreed to implement procedures to limit the collection of this information to circumstances that may reasonably involve the provision of spiritual care to patients.case-2017-0297-en.pdfDownload
Case 2015-0142 – 2016-11-30
Appeal Commission (Workers Compensation Board); disclosure of personal health information by the commission to the complainant’s former employer; provisions 20(1), 20(2), 22(2)(o); ombudsman found that the disclosure was authorized under clause 22(2)(o) of PHIA and that the disclosure was not limited as required under subsections 22(2) and 22(3) of PHIA.case-2015-0142-en.pdfDownload
Cases 2015-0352, 2015-0353, 2015-0354 – 2016-11-30
Health services agency; unauthorized collection, use and disclosure of personal health information by the complainant’s employer, a Winnipeg health services agency; provisions 13(1), 13(2), 14(1), 14(2)(a)(c.1), 20(2)(3), 22(2)(n); ombudsman found that the collection of personal health information was authorized under clauses 13(1)(a) and (b) of PHIA, that the indirect collection from someone other than the complainant was authorized in the circumstances of this complaint, and that routine indirect collection of personal health information is not suggested or recommended as this is inconsistent with clause 14(1) of PHIA. The ombudsman found that the use of the complainant’s personal health information by the agency was in compliance with PHIA and that disclosure of the complainant’s personal health information to his union without express consent was authorized under clause 22(2)(n) of PHIA in the particular circumstances of this complaint.cases-2015-0352-0353-0354-en.pdfDownload
Case 2014-0050, 2014-0052 and 2014-0254 – 2015-03-17
Manitoba Public Insurance; unauthorized collection, use and disclosure of personal health information; provisions 13(1), 13(2), 20(2), 22(2)(o); ombudsman found that there had been an unauthorized collection of personal health information and subsequent unauthorized use and disclosure of the personal health information.case-2014-0050-0052-0254-en.pdfDownload
Case 2014-0053 – 2015-03-17
Appeal Commission (Workers Compensation Board); disclosure of personal health information by the commission to an individual’s employer; provision 22(2)(o); ombudsman found that PHIA permits disclosure of personal health information where authorized or required by an enactment of Manitoba or Canada, in this case The Workers Compensation Act.case-2014-0053-en.pdfDownload
Case 2014-0012 – 2014-04-29
Misericordia Health Centre and Misericordia Health Centre Foundation; disclosure of personal health information; provisions clause 22(2)(f) and subsections 23.2(1)(2) of PHIA and subsection 8.1(4) of the Personal Health Information Regulation; ombudsman found that the trustee had authority under PHIA to have disclosed the information to the foundation, however, the trustee did not fully comply with the requirement to give notice about the disclosure of personal health information to its charitable foundation for fundraising purposes.case-2014-0012-web-version-en.pdfDownload
Cases 2013-0111 and 2013-0113 – 2014-04-29
Winnipeg Regional Health Authority; use and disclosure of personal health information by an employee of the Winnipeg Health Sciences Centre; provisions 18(1), 19, 21(a), 22(1); ombudsman found that the employee's use and disclosure of the personal health information was carried on outside the employee's work related duties and was therefore not authorized by PHIA.cases-2013-0111-0113-web-version-en.pdfDownload
Case 2013-0016 – 2013-06-04
Workers Compensation Board; disclosure of personal health information (prescribed medications) to an employer, in respect of an appeal filed by the complainant; provision 22(2); ombudsman found the complaint supported as the disclosure of personal health information to the complainant’s employer was not authorized under PHIA.case-2013-0016-en.pdfDownload