Information for Trustees

The Personal Health Information Act (PHIA) came into force on December 11, 1997 and governs the collection, use, disclosure, retention, disposal and destruction of personal health information. The act recognizes both the right of individuals to protect their personal health information and the need of health information trustees to collect, use and disclose personal health information to provide, support and manage health care.

The following pages provide a Brief Summary of PHIA and the obligations the act places on the different types of health information trustees in Manitoba. Click on any of the tabbed headings to display the Brief Summary for that topic.

  • Health Care Facilities
  • Health Researchers
  • Health Services Agencies
  • Health Professionals
  • Information Managers
  • Public Bodies

The Personal Health Information Act - A Brief Summary for Health Care Facilities

INTRODUCTION

The Personal Health Information Act affects nearly every person or organization that collects or maintains health information in Manitoba, including all health information networks.

Amendments to the Act and to the Personal Health Information Regulation made under the Act will come into force on January 1, 2022. This document provides a brief summary of PHIA, which incorporates the amendments noted above. It is not comprehensive. For a better understanding, you should review the actual legislation and its regulations. Copies are available online free of charge on the Government Laws website. Print copies are available for purchase from the King's Printer. Please call ahead or send an e-mail to kingsprinter@gov.mb.ca for prices and to place an order. You may also consult the Questions and Answers document, a reference tool intended to help trustees and other stakeholders and to explain the amendments made to legislation.

To help you, this summary refers to specific sections in the Act.

What is “personal health information”?

Personal health information is any information that:

  • is recorded in any form;
  • can be linked to an identifiable individual; and
  • relates to an individual’s health, health history, genetic makeup, health care, personal health identification number (PHIN) or other identifying information collected in the course of providing health care. See s. 1(1) of the Act.

What is a “trustee”?

PHIA uses the term "trustee" to refer to the persons and organizations that are subject to the requirements in the Act respecting collection, use, disclosure, retention, destruction and security of personal health information. The Act divides trustees into four categories:

  • health care facilities
  • some health professionals
  • health services agencies (organizations which provide health care under an agreement with another trustee—the Victorian Order of Nurses and We Care are two examples)
  • public bodies (such as provincial government departments and agencies, municipal governments, educational institutions and regional health authorities). See s. 1(1) of the Act.

The Act also imposes duties on information managers (who are hired by trustees to process, store or destroy personal health information, or to manage or service information systems) as well as employees of trustees. See s. 1(1), 25, 63(2) and (3) of the Act.

How do I know if my facility is defined as a health care facility under the Act?

The Act defines “health care facility” as:

  • a hospital
  • a personal care home
  • a psychiatric facility
  • a medical clinic
  • a laboratory
  • CancerCare Manitoba, and
  • a community health centre or other facility that provides health care and which is listed in the regulations. See s. 1(1) of the Act.

What are the obligations of a trustee?

A trustee’s obligations fall into two main categories.

  1. A duty to assist individuals in gaining access to their own personal health information.
  2. A duty to protect the privacy of individuals in the collection, use, disclosure, security, retention and destruction of their personal health information.

I. ACCESS

What does “access” mean?

The Act puts in statutory form the common-law right of individuals to access their own personal health information. There are three elements to this right:

  1. A right to examine personal health information.
  2. A right to obtain a copy of personal health information.
  3. A right to seek a correction of personal health information.

What are my facility’s obligations to advise individuals about their right to access their own personal health information?

Trustees are required to provide individuals with notice of their right to examine and receive a copy of their personal health information and how they can exercise this right.

The notice must also state that an individual has the right to authorize another person to examine and receive a copy of their personal health information. 

A trustee must use a sign, poster, brochure or other similar type of means to provide this notice to individuals. This notice must be prominently displayed in as many locations and in such numbers as the trustee reasonably considers adequate to ensure that the information is likely to come to the individuals’ attention. See section 9.1 and the regulation.

What are my facility’s obligations to individuals wanting to examine their own personal health information?

The Act imposes on trustees an obligation to assist individuals in gaining access to their personal health information. Trustees are to respond to access requests “without delay, openly, accurately and completely.”

An explanation of terms, codes or abbreviations used in personal health information may be important to ensure that the individual accessing the information understands it. Trustees must provide an explanation of any term, code or abbreviation used in personal health information as soon as reasonably practicable after the person accessing the information requests such an explanation. This requirement applies to any personal health information accessed by an individual, including an inpatient accessing their hospital chart. See s. 6(2), 7(2) of the Act.

When can my facility inform an individual that a request is considered abandoned?

Under section 10.1, a trustee may require an individual to provide additional information in relation to their request, including additional information that is necessary to respond to the request, and/or may provide a fee estimate to provide the information and require the individual to indicate if they accept the estimate of the amount of the fee that will be charged. An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee or modify their request to reduce the amount of the fee. When a request is given to an individual under this section, the time within which the trustee is required to respond to the access request is suspended until the individual provides the required information. If the additional information or acceptance is not provided by the individual within 30 days, the trustee may determine that the request has been abandoned. See s.10.1 of the Act.

If a trustee determines that a request for access to personal health information has been abandoned under section 10.1, the trustee must notify the individual in writing of the determination and the reasons for it, and of the individual's right to make a complaint about the determination to the Ombudsman. For more information, please review the Guideline on Limited Authority to Make a Determination that a Request for Access Has Been Abandoned.

When can my facility disregard an access request?

Section 11.1 permits a trustee to disregard a request if the trustee reasonably believes that the request is for information already provided to the individual who made the request, or the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith. See s.11.1 of the Act.

If a trustee disregards a request for access to personal health information under section 11.1, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision to the Ombudsman. For more information, please review the Guideline on Limited Authority to Disregard Certain Requests for Access.

Are individuals entitled to examine all their personal health information?

The Act permits trustees to withhold personal health information that falls into certain restricted categories. For example, access to personal health information may be refused if:

  • revealing it would disclose confidential information about a third party
  • there is a reasonable expectation that it would result in harm to the individual or someone else
  • it has been compiled for litigation purposes.

For a complete list of reasons for refusing access, see s. 11(1) of the Act.

Even when trustees are allowed to refuse access to portions of an individual’s personal health information, they still have an obligation to allow access to those portions of the individual’s personal health information that are not exempted by the Act. See s. 11(2) of the Act.

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

  • (a) the trustee, if the trustee is a health professional;
  • (b) a health professional chosen by the trustee. See s. 7.1(2) of the Act.

Are individuals entitled to copies of their personal health information?

Yes. Individuals are entitled to obtain a copy of any personal health information they are entitled to examine with the exception of psychological tests or data. If an individual is requesting information related to psychological tests or data, a trustee is not required to provide a copy if the conditions set out in Section 7.1 of PHIA are met. See ss. 5(1) and 7.1 of the Act.

How much time does my facility have to respond to a request to access my personal health information?

Trustees must respond to requests for access as promptly as required in the circumstances but no later than

  • (a) 24 hours after receiving it, if the trustee is a hospital and the information is about health care currently being provided to an in-patient;
  • (b) 72 hours after receiving it, if the information is about health care the trustee is currently providing to a person who is not a hospital in-patient; and
  • (c) 30 days after receiving it in any other case, unless the request is transferred to another trustee under section 8 of PHIA.

A failure to respond within the required time frame will be considered a refusal to permit access. See s. 6(1) of the Act.

Can individuals alter their personal health information without my facility’s consent?

No. An individual has a right to point out information he or she believes is incorrect and to ask the trustee to correct it. It is up to the trustee to decide whether a correction is needed. A trustee has 30 days to investigate the issue and make a decision about the request for a correction. See s. 12(3) of the Act.

If the trustee agrees to the correction, the mistaken information should be stroked out (not erased) and the correct information added or cross-referenced in a way that anyone reading the record would be aware of it. See s. 12(3)(a) of the Act.

If the individual and the trustee disagree about a correction, the individual has a right to file a statement of disagreement, which must be attached to and form part of the individual's health record. See s. 12(4) of the Act.

A trustee must pass on the correction or the statement of disagreement to anyone to whom the personal health information has been disclosed over the previous year. See s. 12(5) of the Act.

Besides the individual the information is about, who has a right to access personal health information?

All rights of an individual may be exercised by a representative of that individual. The Act identifies several representatives, including:

  • a person with a written authorization to act on behalf of the individual
  • the individual’s proxy appointed in a health care directive
  • the individual’s committee appointed under The Mental Health Act
  • an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney
  • the individual’s parent or guardian if the individual is a child who is too young to make health care decisions. For a complete list of representatives, see s. 60(1) of the Act.

If a person is incapacitated and no individual described above is available, the first adult listed below who is readily available and willing to act may exercise the person’s rights under PHIA:

  • the individual’s spouse, or common-law partner, with whom the individual is cohabiting;
  • a son or daughter;
  • a parent, if the individual is an adult;
  • a brother or sister;
  • a person with whom the individual is known to have a close personal relationship;
  • a grandparent;
  • a grandchild;
  • an aunt or uncle;
  • a nephew or niece. See s. 60(2) & (3) of the Act.

No one other than the individual the personal health information is about, that individual’s representative or, if the person is incapacitated and no representative is available, a person authorized as outlined above has a right to access this individual's personal health information. A request for access to personal health information by anyone other than the individual or the individual’s representative must be assessed under the provisions of the Act dealing with disclosure of personal health information.


II. PROTECTION OF PRIVACY

What are my facility’s obligations concerning the protection of an individual’s privacy with respect to personal health information?

A trustee’s obligations, as set out in the Act, affect the:

  • collection
  • use
  • disclosure
  • security
  • retention and
  • destruction of personal health information.

A. COLLECTION OF PERSONAL HEALTH INFORMATION

What are my facility’s obligations when collecting personal health information?

A trustee has three main duties when collecting personal health information:

  1. To notify the individual of the purpose for the collection of personal health information.
  2. To collect only necessary personal health information—that is, the minimum amount required for the stated purpose.
  3. To collect personal health information from the individual whenever possible.

Why does the purpose for the collection of personal health information need to be determined?

Determining the purpose for collecting personal health information is a critical requirement of the Act. The Act requires trustees to notify the individual of this purpose at the time the information is collected. Besides meeting this statutory obligation, identifying the purpose for the collection will help determine what information can be collected and how it can later be used.

The purpose for collecting personal health information will depend on the function of the particular facility as well as the circumstances in which the collection takes place. For example, a psychiatric facility is likely to collect personal health information for a different purpose than the emergency ward of a hospital. The personal health information needed when an individual comes to a clinic for an inoculation will likely be different from what is needed when someone enters a personal care home.

Why do trustees have to notify the individual of the purpose for the collection of personal health information?

This requirement is based on the principle that an individual has a right to make decisions about their own health care. Informing the individual as fully as possible about the reasons for collecting personal health information will allow them to make an informed decision about providing personal health information. This principle is so important that the Act requires that, when personal health information is collected by someone who is not a health professional, they must advise the individual about someone who can be contacted to gain more information about the purposes for collecting the information. See s.15(1) of the Act.

Must the individual always be notified of the purpose for the collection of personal health information?

Yes, except when identical or similar information is being collected for an identical or similar purpose as a recent collection. See s. 15(2) of the Act.

In what situations does the Act prohibit the collection of personal health information?

Stressing the need to respect individual privacy, the Act generally permits the collection from individuals of only as much information as is needed for specific purposes. What trustees need to know will largely depend on their purpose in collecting personal health information. The Act prohibits the collection of personal health information for:

  • illegal purposes;
  • purposes unrelated to the function or activity of the trustee; and
  • purposes other than those disclosed to the individual as the reasons for the collection of the personal health information. See s. 13 of the Act.

Must personal health information be collected only from the individual directly?

The Act requires that, whenever possible, trustees must collect personal health information directly from the individual the information is about. See s. 14(1) of the Act.

This rule serves at least three important purposes:

  1. It helps ensure the accuracy of the information.
  2. It prevents trustees from revealing personal health information to others by the questions they pose.
  3. It ensures that personal health information the individual wants to keep private is not revealed to the trustee.

When is it legitimate to collect personal health information from someone other than the individual it is about?

The Act permits collection from other sources (including other trustees) in specified circumstances. For example, it is permissible to do so when the individual has authorized it, when circumstances do not permit collection of the information from the person, or when the information supplied by the individual is likely to be inaccurate. For a complete list of exceptions, see s. 14(2) of the Act.

B. USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION

What is the difference between use and disclosure?

For the purposes of The Personal Health Information Act, “use” refers to what is done with the personal health information within the trustee organization.

“Disclosure” involves revealing personal health information outside the trustee organization to other trustees, to the individual’s friends and family or to other individuals.

Both use and disclosure involve revealing the information to someone. This may be done by permitting others to read it, sending it to them by mail, fax, or e-mail, or by revealing the information orally.

What obligations does the Act place on my facility when using or disclosing personal health information?

The general rule concerning use and disclosure of personal health information is that no use or disclosure of the information may be made except:

   – to the extent that it is necessary to accomplish the purpose for which the personal health information was collected, or

   – with the informed consent of the individual it is about. See s. 21, 22 of the Act.

There are some exceptions to this general rule. For example, PHIA authorizes a trustee to use and disclose personal health information for research and planning that relates to the provision of health care, or payment for health care by the trustee. In some cases, personal health information may be disclosed without the individual's consent as it is required for specific humanitarian purposes such as contacting the relative or friend of someone who is ill or injured, informing relatives of someone's death, and assisting in identifying a deceased person.

Trustees may also use or disclose personal health information to prevent or lessen a serious and immediate threat to the mental or physical health or safety of the individual, another individual or the public.

Trustees may disclose to a person's immediate family or a close personal friend information about the care that the person is currently receiving as a patient or resident in a health care facility or from a trustee at their home if the disclosure is made in accordance with good medical and other professional practice and the trustee reasonably believes the disclosure to be acceptable to the person.

In addition, trustees may disclose information where such disclosure is authorized or required by an enactment of Manitoba or Canada. For example, The Gunshot and Stab Wounds Mandatory Reporting Act requires every health care facility that treats a person for a gunshot or stab wound to disclose the following information to the local police service:

(a) the person's name, if known;
(b) the fact that the person is being treated, or has been treated, for a gunshot or stab wound;
(c) the name and location of the health care facility.

See s. 2(2) of The Gunshot and Stab Wounds Mandatory Reporting Act for more information on the disclosure requirements under that Act.

Health care facilities may use or disclose personal health information without consent:

  • to deliver, monitor or evaluate a health care program; or
  • for research and planning related to health care. See s. 21(d) and 22(2)(g) of the Act.

Health care facilities may also disclose information to:

  • a religious organization, unless asked by the individual not to share this information. The only information that can be shared would be the individual’s name, general health status and location in the facility.
  • a charitable fundraising foundation associated with the facility, unless the patient tells the facility not to. The only information that can be shared would be the name and mailing address of any patients or residents or former patients or residents.

Every use and disclosure by a trustee of personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed.

For more information on the requirements for disclosure of information to a religious organization or charitable fundraising foundation, see s. 23.1 and 23.2 of the Act and the Regulation.

For more exceptions to the general rule respecting use and disclosure of information, see s. 21, 22(2), 22(2.1) and 23 of the Act.

May personal health information be disclosed for research purposes?

The Act does not deal with statistical information that cannot be linked to an identifiable individual. This sort of information can always be used or disclosed for research purposes.

A trustee may use or disclose identifiable personal health information for research and planning that relates to the provision of health care, or payment for health care by the trustee or with the informed consent of the individual the information is about. See s. 21, 22 of the Act.

Personal health information may also be disclosed to a health research organization designated in the regulation under the Act. Currently, the Manitoba Centre for Health Policy at the University of Manitoba and the Canadian Institute for Health Information are designated.

Information may only be disclosed for purposes specified in PHIA in accordance with an agreement that meets the requirements set out in the regulation. A health research organization must only use the personal health information disclosed for the purpose for which it was disclosed; have policies and procedures in place to protect the privacy of the information; and, as soon as reasonably possible, remove information that allows for the identity of individuals to be readily ascertained.

The only other way personal health information may be used for research is if approval is provided by:

  • the Health Research Privacy Committee established by the Minister of Health under PHIA; and
  • the Committee for Harmonized Health Impact, Privacy, and Ethics Review (CHIPER), as established by Research Manitoba. See s. 8.2 of the Regulations.

These committees can only approve such requests if the researcher signs an agreement with the trustee guaranteeing that the personal health information will not be used for any purpose other than the research project for which it is to be disclosed. The trustee remains responsible for the confidentiality of the personal health information to which the researcher has been given access. See s. 24 of the Act.

Is it permissible to disclose personal health information to information managers?

Yes. An information manager is defined in the Act as a person or body that:

  • processes, stores or destroys personal health information for a trustee, or
  • provides information management or information technology services to a trustee. See s. 1(1) of the Act.

The Act recognizes that, in order to perform their functions, information managers may require access to personal health information. Trustees may disclose personal health information to an information manager but only after the information manager has entered into a written agreement with the trustee that ensures that the personal health information is adequately protected. Moreover, a trustee remains responsible for any use an information manager makes of personal health information. See s. 25 of the Act.

C. RETENTION, SECURITY AND DESTRUCTION OF PERSONAL HEALTH INFORMATION

What security precautions must be taken with respect to personal health information?

The Act requires trustees to store personal health information in such a way that only those who need to obtain the information will have access to it. Personal health information should not be disclosed outside the trustee organization unless such a disclosure has been assessed to determine whether it is permitted by the Act. Personal health information must not be accessed even by people within the trustee organization unless it is determined that they need to have that access. See s. 20(3) of the Act.

All trustees must establish administrative, technical and physical safeguards to ensure the confidentiality and accuracy of personal health information.

Among other things, these safeguards must include procedures to limit access to the information to authorized people and ensure that the electronic transmission of personal health information is not intercepted. For more information about security safeguards, see s. 18 of the Act and the Regulations.

Does my facility have to notify anyone if a privacy breach occurs?

Section 19.0.1 of PHIA provides that a trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Section 8.7 of the Personal Health Information Regulation sets out the list of factors that trustees must consider in determining if a privacy breach could reasonably be expected to create a real risk of significant harm to an individual, including:

  • (a)  the sensitivity of the personal health information involved;
  • (b)  the probability that the personal health information could be used to cause significant harm to the individual;
  • (c)  any other factors that are reasonably relevant in the circumstances.

Where a trustee provides notice of a privacy breach to an individual under section 19.0.1 of PHIA, the trustee must notify the Ombudsman of the privacy breach at the time and in the form and manner that the Ombudsman requires. See s.19.0.1 of the Act.

For more information, please review the Guideline on Privacy Breaches.

What are the rules concerning destruction of personal health information?

Personal health information must be destroyed in a manner that preserves its confidentiality. See s. 17(2), (3) of the Act.

All trustees must establish a written policy concerning the destruction of personal health information and must comply with it. See s. 17(1) of the Act.


III. ENFORCEMENT

A. THE OMBUDSMAN

What is the role of the Ombudsman in enforcing the Act?

The Ombudsman’s role can be divided into two broad categories:

  • supervising compliance with the Act generally, including conducting compliance audits of trustees. See Part 4 of the Act.
  • dealing with complaints about specific violations of the Act. See Part 5 of the Act.

What sort of complaints can be made to the Ombudsman?

Individuals are permitted to make complaints to the Ombudsman about a failure by a trustee to comply with the provisions of the Act with respect to:

  • access requests or
  • protection of privacy. See Part 5 of the Act.

What powers does the Ombudsman have?

Among other things, the Ombudsman is empowered to investigate complaints and may also launch an investigation or an audit on the Ombudsman's own initiative. The results of these investigations may be provided to a professional regulatory body for disciplinary action or to Manitoba Justice for prosecution. In addition, the Ombudsman is permitted to publish reports about compliance with the Act and must file an annual report with the Manitoba Legislature. See s. 28, 34(3), 41, 48(2) of the Act.

In carrying out the duties under the Act, the Ombudsman enjoys a wide variety of powers, including the power to require evidence under oath, to require the production of documents, to enter premises, and to obtain the assistance of the police. See s. 28, 29, and 30 of the Act.

The Ombudsman will report investigation results and recommendations to the trustee.

If a Trustee does not respond to, or comply with, the Ombudsman’s recommendations made as the result of an investigation, the Ombudsman has the ability to request a review by the Adjudicator, who may make an Order for the Trustee to comply with.

Recommendations made by the Ombudsman as a result of an investigation must be made available to the public.

Is there a responsibility to assist the Ombudsman in carrying out the duties under PHIA?

Trustees have no general duty to assist the Ombudsman. However, they must comply with every request legitimately made by the Ombudsman. In addition, it is illegal to mislead or obstruct the Ombudsman in the performance of the duties under PHIA. See s. 29, 30, 63(1) of the Act.

The Act also protects people who comply with requests from the Ombudsman. For example, subsection 27.1(1) and section 65 of PHIA provide that employees, officers and agents of a trustee, who believe in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of PHIA, may notify the Ombudsman of the contravention. They may also disclose personal health information to the Ombudsman in providing this notice, but only if the Ombudsman requests this information.

The identity of any person providing such notification will be kept confidential. Any individual providing such notice to the Ombudsman will also have protection from liability for disclosing personal health information requested by the Ombudsman, and amendments to subsection 65(1) provide protections from adverse employment action for, in good faith, giving notification or disclosing personal health information to the Ombudsman under section 27.1. See s.27.1(1) and s.65 of the Act.

The Information and Privacy Adjudicator

As previously noted, under PHIA the Ombudsman is responsible to investigate privacy and access complaints and to report the investigation results and any recommendations to the Trustee. If the Trustee does not  respond to, or comply with the recommendations, the Ombudsman may ask the Information and Privacy Adjudicator, appointed under The Freedom of Information and Protection of Privacy Act, to review the matter.

The Ombudsman must make the referral to the Adjudicator within 15 days of the Trustee’s response indicating they will not comply with the Ombudsman’s recommendations, or within 15 days after the deadline to respond to the Ombudsman regarding compliance has lapsed.

The Adjudicator is required to review any matter referred by the Ombudsman.

The complainant and the Trustee concerned must be given the opportunity to make representations to the Adjudicator during the review and may be represented by counsel or an agent.

For the purposes of conducting a review, the Adjudicator has the power to require evidence under oath and to require the production of documents.

The Adjudicator’s review must be complete within 90 days unless extended as per the Act.

After completing a review, the Adjudicator may make a binding order respecting access or privacy, depending upon the matter reviewed. Unless judicial review of the Adjudicator’s order is requested by the Trustee, the Trustee must comply with the order.

Trustees must comply with the order made by the Adjudicator within 30 days, or file for a judicial review within 25 days.

The Adjudicator must file an annual report with the Manitoba Legislature.

See ss. 48.4, 48.5, and 48.6 of the Act for more information about the review process.

See ss. 48.8 and 48.9 for more information about the Adjudicator's orders.

B. PENALTIES

What penalty is imposed for a violation of the Act?

The Act provides for a fine of up to $50,000 for a violation of the Act. This fine can be imposed for each day that an offence continues. See s. 64(1) of the Act.

The limitation period for commencing prosecutions under PHIA is two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. See s. 63(6) of the Act.

To what offences will this penalty apply?

This penalty applies to a variety of offences, including:

  • deliberately erasing or destroying personal health information to prevent an individual from getting access to it;
  • collecting, using, selling or disclosing personal health information in violation of the Act;
  • failing to protect personal health information in a secure manner;
  • failing to comply with section 19.0.1 (notification of privacy breach);
  • willfully concealing, altering or falsifying personal health information with the intent to evade an individual's request to examine or copy the information; and
  • knowingly helping another person, or counseling another person, to contravene clauses 63(1)(a)-(g).

See s. 63 of the Act.

To whom will the penalty apply?

The penalty for a violation of the Act may be imposed against the health care facility itself, but it may also be imposed against any director or officer of the health care facility who authorized, permitted or acquiesced in the offence. See s. 64(2) of the Act.

Employees of a health care facility may be prosecuted for deliberately erasing or destroying personal health information to prevent an individual from getting access to it, or for willfully disclosing personal health information when their employer would not be permitted to disclose it. See s. 63(1)(c), 63(2) of the Act.

IV. MISCELLANEOUS

Who is responsible for ensuring that a health care facility complies with the Act?

The Act requires a health care facility to appoint at least one of its employees to be a “privacy officer.” The role of a privacy officer is to:

  • facilitate access by individuals to their personal health information, and
  • facilitate the health care facility’s compliance with the Act.

See s. 57 of the Act.

The ultimate responsibility for a health care facility’s compliance with the Act rests with its board of directors and officers. As noted earlier, directors and officers may be personally prosecuted for authorizing, permitting or acquiescing in a violation of the Act by a health care facility. See s. 64(2) of the Act.

 

Legislative Unit
Manitoba Health

300 Carlton Street
Winnipeg MB  R3B 3M9
Phone:  204-788-6612
Fax:  204-945-1020
Email: PHIAinfo@gov.mb.ca