Frequently Asked Questions about PHIA
- What is personal health information?
- What is a trustee?
- What are my rights under PHIA?
- Why would I want to access my personal health information?
- Do I have a right to all my personal health information?
- Does the right of access include the right to take my original medical record with me?
- How do I access my personal health information?
- Can I get a copy of my personal health information?
- Are there any fees involved?
- If the reason I want a copy of my record is to provide it to another health professional, can I avoid fees by requesting that the record be transferred?
- How long will it take to get a copy of the information I requested?
- Why does the trustee's response say that my request is considered abandoned?
- Why does the trustee's response say that my request is being disregarded?
- What if I do not understand terminology used in the copy of the information I requested?
- What if my personal health information, as recorded, is incorrect?
- What if the trustee does not agree that there is a mistake in my record?
- What is a statement of disagreement?
- Will it cost me anything to request a correction?
- Does just anyone have the right to collect my health information?
- What about my Personal Health Identification Number (PHIN)?
- How is a trustee required to protect my personal health information?
- Could my personal health information be used or shared without my consent?
- What if a family member is in hospital and I want to find out how he or she is doing?
- What if a family member is receiving care in the community and I want to find out about it?
- What if someone I know works at a health care facility that I’ve been to? Can this person access my file?
- What if another facility wants to receive a copy of my file from my doctor’s office or from another facility?
- What if a trustee has information about me that is not related to my health? Do I have a right to access it? Will it be kept confidential?
- What if a trustee maintains personal health information about me and wants to use it for employment purposes?
- What if I believe that my rights to privacy and access have been violated?
- What is the penalty for an offence under PHIA?
What is personal health information?
Personal health information means recorded information that can be linked to a specific person, and that relates to:
— that person's health or health care history, including genetic information;
— the provision of health care to that person; and,
— payment for health care provided to that person.
This definition even includes general information about a person (such as name, address, gender and date of birth) if that information is collected during a health care service or if it is used to administer payment for a health care service.
PHIA does not apply to statistical or anonymous information that cannot be linked to a specific person.
What is a trustee?
PHIA uses the term "trustee" to refer to the persons and organizations who maintain personal health information and who are subject to the requirements in the Act respecting the collection, use, disclosure, retention, security and destruction of personal health information. They are called trustees because they hold your information "in trust" for you. Some examples of trustees are health professionals, hospitals, personal care homes, community health centres, medical clinics, ambulance services, laboratories, regional health authorities, and public bodies such as government departments, crown corporations and school divisions.
What are my rights under PHIA?
PHIA gives you two primary rights: the right to access your own personal health information and the right to expect that the privacy of that information will be protected. The right to access includes the right to see your personal health information, get a copy of it, and request a correction to it. You may also name another person, such as a family member, to access information on your behalf. The right to privacy includes the right to know why your information is being collected, and the right to have that information kept confidential and secure by trustees who collect and maintain it.
Why would I want to access my personal health information?
You might want:
— to learn more about your health history and treatments;
— to provide the information to another health professional;
— to get information for life and health insurance purposes;
— to prepare for a legal claim; or,
— to file a complaint against a trustee.
Do I have a right to all my personal health information?
The right to access your personal health information does have some limitations. For example, if a trustee believes that knowledge of certain information could endanger you or someone else, the trustee can deny you access to it. For a complete list of exceptions, see Section 11(1) of PHIA.
Does the right of access include the right to take my original medical record with me?
No. The right of access includes the right to see or get a copy of your personal health information. It does not include the right to remove an original record from a trustee’s custody. This helps to ensure that your health care providers have information they need to provide you with services in the future and to satisfy records retention requirements imposed by regulatory bodies.
How do I access my personal health information?
PHIA requires you to make the request directly to the trustee that maintains your records. The trustee may ask that you make your request in writing.
If the information you want to access is in a doctor’s office, you should make your request directly to the doctor. If the information is maintained in a larger facility like a hospital or a personal care home, you should direct your request to the facility’s Privacy Officer.
Can I get a copy of my personal health information?
Yes. Not only are you entitled to see your personal health information, you have the right to receive a copy of it. However, if you are requesting information related to psychological tests or data, a trustee is not required to provide a copy if the conditions set out in Section 7.1 of PHIA are met.
Are there any fees involved?
Perhaps. The trustee may charge a reasonable fee for allowing you to examine, or for providing you with a copy of, your personal health information. The purpose of these fees is to help cover administration and staff costs involved in retrieving and/or reviewing the record, as well as the costs associated with creating copies.
If the reason I want a copy of my record is to provide it to another health professional, can I avoid fees by requesting that the record be transferred?
Not necessarily. PHIA doesn’t speak to fees associated with the transfer of medical records. However, it should be noted that regulatory bodies normally allow health professionals to charge reasonable fees for transferring records. For an example, see the College of Physicians and Surgeons of Manitoba Fee By-Law.
How long will it take to get a copy of the information I requested?
PHIA requires trustees to respond to requests for access as promptly as required in the circumstances but not later than
(a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
(b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
(c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA.
The response must:
– make the personal health information available for examination or include a copy
– inform you that the information does not exist or cannot be found
– inform you that additional information is necessary to respond to your request
– inform you that an estimate of the amount of the fee charged under section 10 is issued by the trustee, or
– inform you that your request cannot be granted and why.
Why does the trustee's response say that my request is considered abandoned?
Under section 10.1, a trustee may require an individual to provide additional information in relation to their request, including additional information that is necessary to respond to the request, and/or may provide a fee estimate to provide the information and require the individual to indicate if they accept the estimate of the amount of the fee that will be charged. An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee or modify their request to reduce the amount of the fee. When a request is given to an applicant under this section, the time within which the trustee is required to respond to the access request is suspended until the applicant provides the required information. If the additional information or acceptance is not provided by the individual within 30 days, the trustee may determine that the request has been abandoned.
If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.
Why does the trustee's response say that my request is being disregarded?
Section 11.1 permits a trustee to disregard a request if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith.
If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.
What if I do not understand terminology used in the copy of the information I requested?
An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the person accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to an inpatient accessing their hospital chart.
What if my personal health information, as recorded, is incorrect?
To ensure that your personal health information is accurate and complete, PHIA gives you the right to request corrections to your recorded personal health information. Requests for corrections must be in writing. A trustee must respond to your request within 30 days of receiving it.
When a correction is made, the mistaken information is stroked out, not erased, and the correct information is added.
What if the trustee does not agree that there is a mistake in my record?
If a trustee disagrees that there is a need for a correction, PHIA requires them to inform you of this fact in writing, state the reason for refusing to make the change, and advise you of your right to add a statement of disagreement to your file.
What is a statement of disagreement?
If a trustee refuses to make a change to your record, you may submit a statement of disagreement, declaring that you believe information in your file to be inaccurate. The trustee must then add this statement to your file.
Will it cost me anything to request a correction?
No. While trustees may charge a fee for allowing you to access your files, they may not charge you a fee for requesting a correction.
Does just anyone have the right to collect my health information?
No. When gathering your health information, trustees must:
– have a legitimate reason for collecting it;
– tell you why it’s needed;
– collect only as much information as they need for the stated purpose; and
– get the information from you directly whenever possible.
What about my Personal Health Identification Number (PHIN)?
Your Personal Health Identification Number, or PHIN, is protected like any other personal health information. Only people who need it to ensure that you can get a publicly funded health care service should ask for it. If someone outside of the health sector, a retailer say, asks for and documents your PHIN, they may be committing an offence under PHIA.
How is a trustee required to protect my personal health information?
Trustees must take precautions to ensure that your personal health information remains confidential and secure. Personal health information must be kept in a designated area and safeguards must be in place to ensure that only those who require your information for a legitimate reason can access it.
Trustees must have written policies regarding the security of personal health information, and must ensure that all employees are fully aware of them.
Trustees must notify the individual whose information was subject to the privacy breach as soon as practicable where a privacy breach could reasonably be expected to create a real risk of significant harm to an individual.
Could my personal health information be used or shared without my consent?
Yes. While the general rule is that trustees must obtain your consent before using or sharing your personal health information, there are some exceptions. A few examples are explored below on this page.
For a more complete list of authorized uses and disclosures without consent, see sections 21 through 25 of PHIA.
What if a family member is in hospital and I want to find out how he or she is doing?
Certain information about patients can be revealed to anyone without the patient's consent (unless the patient specifically requests otherwise), such as the patient’s general health status (e.g. critical, poor, fair, or stable) and the patient’s location (as long as revealing the location doesn’t reveal anything about a patient’s specific health condition).
Recognizing that family members should be able to check on the status of a loved one, PHIA allows for information about a patient or a resident of a health care facility to be shared with an immediate family member, or anyone else with whom the patient is known to have a close personal relationship, without the patient's consent. Only information about health care currently being delivered can be disclosed under this clause, and the trustee must have reason to believe that the disclosure would be acceptable to the patient.
What if a family member is receiving care in the community and I want to find out about it?
Generally speaking, if a person is receiving health care outside a hospital or personal care home, information about their care would not be shared with family members or friends without the consent of the patient.
There are some exceptions. For example, a parent or guardian of a child who does not have the ability to make health care decisions would be able to access the child's personal health information. A person who is legally designated to make health care decisions for another individual would also have access to that individual's personal health information. In addition, if an individual is receiving health care services from a trustee at home, the trustee may disclose personal health information about the individual to an immediate family member, or to anyone else with whom the individual is known to have a close personal relationship if the information relates to the care currently being provided, the disclosure is made in accordance with good medical or other professional practice and the trustee reasonably believes that the disclosure is acceptable to the individual.
In most cases, however, even close relatives (e.g. spouses, siblings, parents, children) cannot access another person’s health information without that person's consent.
What if someone I know works at a health care facility that I’ve been to? Can this person access my file?
PHIA requires trustees to keep personal health information in a designated area where access to the documents is restricted. No one, not even an employee of a health care facility, can go into your file unless they need to do so to carry out their duties.
What if another facility wants to receive a copy of my file from my doctor’s office or from another facility?
By default, PHIA permits trustees to disclose personal health information to other health care providers so that they can provide you with the health services you need; however, if you request that your information not be shared with other providers, the trustee would be required to keep the information confidential.
What if a trustee has information about me that is not related to my health? Do I have a right to access it? Will it be kept confidential?
Information about you held by government departments, regional health authorities, hospitals and other public bodies that is not related to your health is considered "personal information." This information is still protected but under a separate law: The Freedom of Information and Protection of Privacy Act (FIPPA). PHIA and FIPPA were both introduced in 1997 and are based on the same principles.
FIPPA provides you with the right to access your personal information when held by public bodies, and the right to expect that the privacy of your information will be protected. Visit the FIPPA website for more information, including instructions on how to file a request for access under FIPPA.
If personal information about you is maintained by a health care provider who works in private practice, and the information was collected for a purpose other than health care, PHIA and FIPPA may not apply.
What if a trustee maintains personal health information about me and wants to use it for employment purposes?
Trustees, depending on their function, sometimes maintain the personal health information of their employees that they have collected for the purpose of providing health care or other services to them. For example, an employee of a hospital may have visited that hospital as a patient prior to becoming an employee of the hospital, or even during the course of their employment.
Subsection 19.1(4) and subsection 21(2) of PHIA explicitly provide that personal health information of an employee or prospective employee, which was collected or received for a purpose unrelated to their employment, cannot be used by a trustee for a purpose related to their employment without first obtaining the consent of the employee or prospective employee.
What if I believe that my rights to privacy and access have been violated?
If a trustee:
– fails to respond to a request for access or a correction within the time required by PHIA
– refuses to grant you access to your personal health information, or to make a correction to this information, without justification
– refuses to attach a statement of disagreement to your file
– charges you an unreasonable or unauthorized fee
– decides to consider your request abandoned, or decides to disregard your request
– informs you that the requested information does not exist or cannot be found
– collects, uses, or discloses your personal health information in a way that is not authorized by PHIA, or
– fails to protect your personal health information in a secure manner as required by this Act
you may file a complaint with the Manitoba Ombudsman. The Ombudsman is empowered to investigate complaints under PHIA and may also launch an investigation or audit on his or her own. The results of the Ombudsman’s investigations may be provided to professional regulatory bodies for disciplinary action or to Manitoba Justice for prosecution.
What is the penalty for an offence under PHIA?
A person who is found guilty of an offence under PHIA may be subject to a fine. Fines may range up to a maximum of $50,000.
Not all breaches end in prosecution. However, trustees and their employees should note that even if a breach is not prosecuted, it may still result in disciplinary action from an employer or regulatory body, public scrutiny, and the loss of a patient or client’s trust.
Legislative Unit
Manitoba Health
300 Carlton Street
Winnipeg MB R3B 3M9
Phone: 204-788-6612
Fax: 204-945-1020
Email: PHIAinfo@gov.mb.ca