Access and Privacy at UWinnipeg

Responding to a PHIA Request

This guideline provides instructions for responding to a request for access or correction made under The Personal Health Information Act (PHIA). It provides guidance on:

• Roles and Responsibilities for Providing Access or Correction
• Receiving an Access or Correction Request
• Responding to an Access or Correction Request

This guideline is intended for all University employees and is applicable to all personal health information (PHI) collected, used, or disclosed in the conduct of official University business. Additional procedural guidelines are available to assist University employees in fulfilling their duties under PHIA.

Roles and Responsibilities for Providing Access or Correction

Under PHIA, individual employees and creating offices of the University who hold PHI are considered “trustees” of the information. Trustees have a duty to assist individuals in obtaining access to, or correction of, their own PHI. Trustees also have a duty to protect PHI from unauthorized access, use, and disclosure.

Receiving an Access or Correction Request

An individual seeking access to their PHI may make a request to a trustee orally or in writing. Unlike FIPPA, PHIA does not require applicants to use a formal request form to gain access to their own PHI. However, trustees may ask for a written request at their discretion and requests for correction must always be in writing.

Once a PHIA request has been received, trustees must respond within:

• 24 hours, if the individual requesting the information is a patient admitted to a hospital and wants to see information about the care he or she is currently receiving. In this particular case, the trustee is only required to make the information available for examination. The trustee need not provide a copy of the information or an explanation of any term, code, or abbreviation used in the PHI.
• 72 hours, if the individual is not a patient admitted to a hospital and wants to see or get a copy of information about the care he or she is currently receiving; and
• 30 days, in all other circumstances.

Responding to an Access Request

PHIA requests are made directly to the trustee who maintains the PHI. By default, individuals (or their representative) should be given the opportunity to examine and receive a copy of the information they request.

If requested, trustees must provide an explanation of any term, code, or abbreviation used in the PHI. In addition, when a request is made for PHI that is maintained in electronic form, the trustee must provide the information to the individual in that form provided that it can be produced using the trustee’s normal computer hardware and software and technical expertise.

However, PHIA also allows trustees to refuse access in part or full if:

• There is a reasonable expectation that revealing the information would result in harm to the individual or someone else;
• Disclosure would reveal the PHI of another individual who has not consented to having his or her PHI disclosed;
• There is a reasonable expectation that disclosure would identify a third part, other than another trustee, who supplied the PHI in confidence;
• The information was compiled and is used solely for review or assessment purposes; or
• The information has been compiled for litigation purposes.

If an individual if refused access to their PHI in part, the trustee must, where possible, sever the information that cannot be examined or copied and release the remainder of the information.

If an individual if granted full access to their PHI, the trustee may respond either orally or in writing. If the information requested does not exist or cannot be found, the trustee must inform the requester in writing. If access is refused in full or part, the trustee must inform the applicant in writing of the refusal. As part of this response, the trustee must provide the reason(s) for the refusal and inform the individual of his or her right to complain to the Manitoba Ombudsman.

Trustees must be satisfied with the requester’s identity before allowing access to their PHI. Trustees should request photo identification and take all reasonable steps to ensure that any PHI intended for an individual is received only by that individual.

Responding to a Request for Correction

Individuals may make a request in writing to have their PHI corrected if they believe it to be inaccurate or incomplete. Trustees are not obligated to provide correction but must respond within 30 days. If the request is refused, the trustee must inform the individual in writing of the refusal. The trustee must also inform the individual of their right to complain to the Manitoba Ombudsman. If a correction is made, the trustee is required, where practical, to notify any other trustee or person to whom the PHI has been disclosed within the year before the request was made that the record has been amended.