
Health Privacy Orientation for Researchers - Module 1

Module 1 introduces PHIA and the University's Privacy Policy.

Privacy Legislation in Manitoba

Manitoba was one of the first provinces in Canada to create legislation to protect personal privacy. While Manitoba's laws are designed foremost to safeguard individual privacy rights, they also recognize that ethical uses of personal information may provide benefits to individuals and society as a whole.

Many researchers will be familiar with FIPPA, the Freedom of Information and Protection of Privacy Act. Although FIPPA applies to UWinnipeg's handling of personal information (PI), it does not apply to "research information of an employee of an educational institution." Discussion of FIPPA is therefore excluded from this course.

Research involving personal health information (PHI) is different. Although research information of a University faculty member is not within the University's custody or under its control, the Personal Health Information Act (PHIA) nevertheless places certain limited requirements on all university employees who engage with PHI - even in a research capacity.

The requirements applicable to researchers relate to training and security measures for the protection of PHI. Ensuring that these requirements are satisfied is the purpose of this orientation.

PHIA Overview

PHIA regulates the practices of health information "trustees" in Manitoba, which include:

  • Designated health professionals including doctors and nurses,
  • Health care facilities such as hospitals, clinics, and personal care homes,
  • Health services agencies, and
  • Public bodies that collect and maintain personal health information, such as school divisions, universities and colleges, and government departments.

The purposes of PHIA are:

  • Provide individuals with a right to examine and receive a copy of their personal health information maintained by a trustee,
  • Provide individuals with a right to request corrections to their personal health information maintained by a trustee,
  • Establish rules governing the collection, use, disclosure, retention, and destruction of personal health information by trustees,
  • Control the collection, use, and disclosure of personal health identification numbers, and
  • Provide for an independent review of the decisions of trustees under PHIA.

UWinnipeg's Privacy Policy

To assist University employees in complying with the requirements of FIPPA and PHIA, the Privacy Policy was created in 2016. It also satisfies the University's requirement under PHIA to create a security policy regarding the handling of PHI.

The University recognizes that PHIA was written primarily for health care facilities and practitioners, and some of its requirements do not map easily onto a university context. The Privacy Policy therefore focuses on those requirements of PHIA that apply to UWinnipeg. In addition, where PHIA sets a general requirement without prescribing how it is to be met, the Privacy Policy supplies the required detail.

With this in mind, this course will generally focus on the requirements of the Privacy Policy regarding the protection of PHI that arise out of PHIA, rather than on the Act itself.

Defining Personal Health Information

Under the Privacy Policy (and PHIA itself), PHI is defined broadly as “recorded information about an identifiable individual” that relates to:

  • The individual's health, or health care history, including genetic information about the individual,
  • The provision of health care to the individual, or
  • Payment for health care provided to the individual,

And includes but is not limited to:

  • The personal health identification number (PHIN) and any other identifying number, symbol, or particular assigned to an individual, and
  • Any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care.

PHI can relate to any care, service, or procedure provided:

  • To diagnose, treat, or maintain an individual’s physical or mental condition,
  • To prevent disease or injury or promote health, or
  • That affects the structure or function of the body,

And includes but is not limited to:

  • The sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription.

However, PHI does not include:

  • Statistical health information, or
  • Health information that does not, either by itself or when combined with other information available to the holder, allow an individual to be readily identified.

Unlike in certain other Canadian jurisdictions, in Manitoba neither the age of the record containing the PHI nor the status of the individual to whom the PHI relates (alive or deceased) has any bearing on whether PHIA applies to the information.

Identifiable Information

As noted on the last slide, anonymous health information is not considered PHI and is thus exempt from PHIA. But what about anonymized information? Or coded information?

TCPS 2: CORE provides useful guidance by breaking down information into five classes:

  • Directly identifying: information that identifies a specific individual through direct identifiers (e.g., name, SIN, PHIN).
  • Indirectly identifying: information that can reasonably be expected to identify an individual through a combination of indirect identifiers (e.g., date of birth, place of residence, or unique personal characteristic).
  • Coded information: direct identifiers are removed from the information and replaced with a code. Depending on access to the code, it may be possible to re-identify specific participants (e.g., the principal investigator retains a list that links the participants' code names with their actual name so data can be re-linked if necessary).
  • Anonymized information: the information is irrevocably stripped of direct identifiers, a code is not kept to allow future re-linkage, and risk of re-identification of individuals is low or very low.
  • Anonymous information: the information never had identifiers associated with it (e.g., anonymous surveys) and risk of identification of individuals is low or very low.

The first three classes - directly identifying, indirectly identifying, and coded information - are considered PHI when in the possession of a researcher (in the case of coded information, provided the researcher holds the key that links the codes back to identities). The latter two classes - anonymized and anonymous - are not considered PHI.
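The difference between coded and anonymized information comes down to whether a key exists that can link the data back to identities. The following is an added illustration, not part of the course or of TCPS 2; the record fields, the three fictitious participants and the helper names (`code_dataset`, `anonymize_dataset`, `is_phi_for_holder`) are constructed for it. It also applies the holder-of-the-key rule from the paragraph above.

```python
"""Coded vs. anonymized health records, following the TCPS 2 classes above.

Added illustration (not part of the course material). The record layout,
field names and the participant data are constructed for this example.
"""
import secrets

# Fields the course lists as direct identifiers (name, SIN, PHIN).
DIRECT_IDENTIFIERS = {"name", "sin", "phin"}

# Constructed sample dataset: three fictitious participants.
PARTICIPANTS = [
    {"name": "A. Example", "sin": "000-000-001", "phin": "100000001",
     "dob": "1980-02-14", "diagnosis": "hypertension"},
    {"name": "B. Example", "sin": "000-000-002", "phin": "100000002",
     "dob": "1975-09-30", "diagnosis": "type 2 diabetes"},
    {"name": "C. Example", "sin": "000-000-003", "phin": "100000003",
     "dob": "1992-06-01", "diagnosis": "asthma"},
]


def strip_direct_identifiers(record):
    """Return a copy of the record with every direct identifier removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def code_dataset(records):
    """Coded information: replace direct identifiers with a random code.

    Returns (coded_records, key). The key maps code -> direct identifiers
    and is what the principal investigator keeps, separately from the data,
    so that records can be re-linked when necessary. Codes are random, not
    derived from the identifiers, so a code on its own reveals nothing.
    """
    coded, key = [], {}
    for rec in records:
        code = "P-" + secrets.token_hex(4)
        while code in key:  # vanishingly unlikely, but keep codes unique
            code = "P-" + secrets.token_hex(4)
        key[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        coded.append({"code": code, **strip_direct_identifiers(rec)})
    return coded, key


def relink(coded_records, key):
    """Re-identify coded records; only possible for whoever holds the key."""
    return [{**key[rec["code"]], **{k: v for k, v in rec.items() if k != "code"}}
            for rec in coded_records]


def anonymize_dataset(records):
    """Anonymized information: strip direct identifiers and keep no key.

    No mapping is returned: once this function returns, nothing in the
    output links a row to a participant. Whether the result is truly
    anonymized also depends on the remaining indirect identifiers (here,
    date of birth), which is a judgement this function cannot make.
    """
    return [strip_direct_identifiers(rec) for rec in records]


def contains_direct_identifiers(record):
    return any(k in record for k in DIRECT_IDENTIFIERS)


def is_phi_for_holder(dataset, holder_has_key):
    """Apply the course's rule for a dataset in a researcher's possession.

    - any direct identifier present -> PHI
    - coded data (has a 'code' column) -> PHI only if the holder has the key
    - neither -> not PHI under this rule (indirect identifiers still need a
      separate risk assessment)
    """
    if any(contains_direct_identifiers(rec) for rec in dataset):
        return True
    if any("code" in rec for rec in dataset):
        return holder_has_key
    return False


if __name__ == "__main__":
    coded, key = code_dataset(PARTICIPANTS)
    print("PI (holds key) -> PHI:", is_phi_for_holder(coded, holder_has_key=True))
    print("Analyst (no key) -> PHI:", is_phi_for_holder(coded, holder_has_key=False))
    print("Anonymized -> PHI:", is_phi_for_holder(anonymize_dataset(PARTICIPANTS), False))
```

The point the code makes is that `code_dataset` and `anonymize_dataset` produce rows that look identical; what changes the classification is the existence and custody of the key. In practice the key is the most sensitive artifact a coded study holds and should be stored apart from the data with its own access controls.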

Defining Health and Health Care

As PHIA has a very broad scope - any information related to an identifiable individual's health or health care - it's worth defining a few more terms.

"Health" is defined as the condition of being sound in mind, body, and spirit.

"Health care" means any care, service, or procedure:

  • provided to diagnose, treat, or maintain an individual's health,
  • provided to prevent disease or injury or promote health, or
  • that affects the structure or a function of the body.

Taking into account these broad definitions, PHIA applies to many types of records. Some examples are provided on the next slide.

Example Records

PHI includes:

  • Any identifying information that is collected in the course of providing health care services or accepting payment for health care services,
  • Medical, counselling, or therapy information, notes, and records,
  • Accessibility and accommodation records,
  • Sick notes,
  • Doctor's notes and recommendations,
  • Prescriptions,
  • Health evaluations,
  • Health treatments,
  • Health questionnaires, and
  • Health incidents and reports.

Because PHI is so sensitive, it is vital to treat it with the highest level of care and protection. As a general rule, all information should be protected according to its sensitivity: the more sensitive the information, the more care and protection required. A privacy breach involving PHI can have particularly severe consequences for the affected individuals, as well as for the organization and the individuals responsible for the breach.

Module 1: Recap

Key Points

  • PHIA imposes training and security requirements on University personnel who work with PHI, including in a research capacity.
  • PHI is recorded, identifiable information broadly relating to an individual's health.
  • Whether information is PHI does not depend on the age of the record or on whether the individual is alive or deceased.
  • PHI can be found in myriad records and requires a high level of care and protection.