Access and Privacy at UWinnipeg

PHIA – Collection, Use, Disclosure, and Protection of Personal Health Information

This guideline provides instructions for the collection, use, disclosure, and protection of personal health information (PHI), according to the provisions of The Personal Health Information Act (PHIA).

Under PHIA, individual employees and creating offices of the University who hold PHI are considered “trustees” of the information. Trustees must collect, use, disclose, and protect PHI according to the provisions of PHIA. Additional procedural guidelines are available to assist University employees in fulfilling their duties under PHIA.

Collection of PHI

Trustees are permitted to collect PHI only if the collection is necessary for an existing function or activity. In addition, collection must be limited to the minimum amount of information necessary to accomplish the function or activity.

When collecting PHI, trustees must also:

• Notify the individual of the purpose for which the information is being collected;
• Provide the individual with the contact information of an employee who can answer the individual’s questions about the collection; and
• Collect the information directly from the individual whenever possible.

Use of PHI

Generally speaking, PHIA limits the use of PHI to the purpose for which it was collected – or a directly related purpose– unless the individual has provided their informed consent. “Use” refers to the sharing of PHI within the University. The use of PHI should be limited to the minimum amount of information necessary to accomplish the purpose for which it was collected.

Disclosure of PHI

Similarly, PHIA limits the disclosure of PHI to the purpose for which it was collected – or a directly related purpose – unless the individual has provided their informed consent. “Disclosure” refers to the sharing of PHI outside the University. Disclosure should also be limited to the minimum amount of information necessary. Other instances where disclosure may be permitted include, but are not limited to:

• To a person who requires the information to provide health care to the individual, unless the individual has specifically instructed the trustee not to make the disclosure;
• For the purpose of contacting a relative or friend of an individual who is injured, incapacitated, or ill;
• If disclosure is necessary to prevent or lessen a serious and immediate threat to the health or safety of the individual, another individual, or the public;
• For the purposes of informing the representatives or a relative of an individual’s death;
• If disclosure is required by a subpoena, warrant, or order issued or made by a court, person, or body with jurisdiction; or
• If disclosure is authorized or required by another enactment of Manitoba or Canada.

Protection of Personal Health Information

PHIA requires trustees to establish reasonable physical, electronic, and operational security measures to safeguard against unauthorized access, use, disclosure, or destruction of PHI. Paper records should be stored in locked cabinets or specially designed rooms. Electronic records should be password protected or encrypted. Employee access to PHI should be restricted to only those employees who require the information for the performance of their duties, and consistent with the purposes for which the information was collected. PHI must be destroyed securely and completely.