Skip to main content
The Personal Health Information Amendment Act

This is an unofficial version.
If you need an official copy, use the bilingual (PDF) version.

S.M. 2021, c. 47

Bill 54, 3rd Session, 42nd Legislature

The Personal Health Information Amendment Act

Explanatory Note

This note was written as a reader's aid to the Bill and is not part of the law.

This Bill amends The Personal Health Information Act. The following are the key changes:

trustees are required to give an explanation of information they provide as soon as is reasonably practicable;

giving copies of information concerning psychological tests or data is not required if doing so could interfere with the use or results of the tests, and the trustee may require a health professional be present to explain information concerning psychological tests or data when it is made available to an individual;

a person's request for personal health information may be considered abandoned if, on request, they fail to provide information necessary to process the request;

a trustee may disregard requests for information already provided, or requests that amount to an abuse of the right to make a request;

people are to be notified is there is a real risk they will be significantly harmed as a result of a privacy breach concerning their personal health information;

a trustee can use personal health information in the course of educating employees, agents, students and health professionals to provide health care;

a trustee must not use personal health information about its employees for employment-related purposes if it was collected for other purposes, unless the employee has given their express consent;

institutional research review committees are eliminated, and the minister must establish a committee to approve research;

employees of trustees and others may notify the Ombudsman if they reasonably believe the trustee is treating personal health information in an unauthorized manner, and no adverse actions may be taken against them for doing so;

the Ombudsman is authorized to disclose personal health information if necessary to protect a person's health or safety;

the provisions respecting offences and prosecutions are updated;

the Act is to be reviewed every 5 years.

Other administrative amendments are included.

(Assented to May 20, 2021)

HER MAJESTY, by and with the advice and consent of the Legislative Assembly of Manitoba, enacts as follows:

C.C.S.M. c. P33.5 amended

1

The Personal Health Information Act is amended by this Act.

2

Subsection 1(1) is amended by repealing the definition "institutional research review committee".

3

Subsection 6(1.1) is amended by striking out "or an explanation".

4(1)

Clause 7(1)(c) is amended by striking out ", and advise the individual of the right to make a complaint about the refusal under Part 5".

4(2)

The following is added after subsection 7(1):

Information about right to make a complaint

7(1.1)

A response under clause (1)(b) or (c) must include notice of the individual's right to make a complaint about the response under Part 5.

4(3)

Subsection 7(2) is amended by adding "as soon as reasonably practicable" after "the personal health information".

5

The following is added after section 7:

Information related to psychological tests and data

7.1(1)

Despite section 7, a trustee is not required to provide a copy of information related to psychological tests or data if both of the following conditions are met:

(a) the information concerns

(i) procedures or techniques relating to psychological tests or assessments,

(ii) details of psychological tests or assessments, or

(iii) raw data from a psychological test or assessment;

(b) the provision of a copy of the information could reasonably be expected to prejudice the use or results of particular psychological tests or assessments.

Explanation of psychological tests and data

7.1(2)

When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:

(a) the trustee, if the trustee is a health professional;

(b) a health professional chosen by the trustee.

6

Section 10 of the English version is replaced with the following:

Fees

10

A trustee may charge a reasonable fee for permitting examination of personal health information and providing a copy. If such a fee is charged, it must not exceed the amount provided for in the regulations.

7

The following is added after section 10 and before the centred heading that follows it:

Additional information

10.1(1)

A trustee may require an individual

(a) to provide additional information in relation to their request, including additional information that is necessary to respond to the request; and

(b) to indicate if they

(i) accept the estimate of the amount of the fee that may be charged under section 10, if the trustee gives such an estimate, or

(ii) want to modify their request in order to have the amount of the fee changed.

Request to be in writing

10.1(2)

A request made by a trustee under subsection (1) must be given in writing, except in the circumstances under clause 6(1)(a) (hospital in-patient).

Information to be provided within 30 days

10.1(3)

An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee, and if the additional information or acceptance is not provided within that time, the trustee may determine that the request has been abandoned.

Effect of request on time limits

10.1(4)

When a request is given to an applicant under this section, the time within which the trustee is required to respond under subsection 6(1) is suspended until the applicant provides the required information.

Notice

10.1(5)

If the trustee determines that the request has been abandoned, the trustee must notify the individual in writing of the determination, and of the individual's right to make a complaint about the determination to the Ombudsman under Part 5.

8

The following is added after section 11 and before the centred heading that follows it:

Trustee may disregard certain requests

11.1(1)

A trustee may disregard a request if the trustee reasonably believes that

(a) the request is for information already provided to the individual who made the request; or

(b) the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith.

Notice

11.1(2)

If the trustee disregards a request under this section, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision under Part 5.

9(1)

Clause 12(3)(d) is amended by striking out "and to make a complaint about the refusal under Part 5".

9(2)

The following is added after subsection 12(3):

Information about right to make a complaint

12(3.1)

A response under clause (3)(b) or (d) must include notice of the individual's right to make a complaint about the response under Part 5.

10

The heading for Division 2 of Part 3 is replaced with "SECURITY SAFEGUARDS AND PRIVACY BREACHES".

11

The following is added after section 19 as part of Division 2 of Part 3:

Definitions

19.0.1(1)

The following definitions apply in this section.

"privacy breach" means, in relation to personal health information,

(a) theft or loss; or

(b) access, use, disclosure, destruction or alteration in contravention of this Act. (« atteinte à la vie privée »)

"significant harm" includes, in relation to an individual, bodily harm, humiliation, damage to the individual's reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual's credit rating or report, and damage to or loss of the individual's property. (« préjudice grave »)

Notifying individual of privacy breach

19.0.1(2)

A trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.

Notice requirements

19.0.1(3)

Notice to the individual must

(a) be given as soon as practicable after the privacy breach becomes known to the trustee;

(b) be given in the form and manner, and include the information, required by the regulations; and

(c) be given directly to the individual except in circumstances set out in the regulations, in which case it may be given indirectly in the form and manner required by the regulations.

Notifying Ombudsman

19.0.1(4)

If the trustee is required to notify an individual about a privacy breach under subsection (2), the trustee must also notify the Ombudsman at the time and in the form and manner that the Ombudsman requires.

12

Subsection 19.1(4) is amended by striking out "or" at the end of clause (a), adding "or" at the end of clause (b) and adding the following after clause (b):

(c) a trustee requires consent under subsection 21(2) (employees' information).

13(1)

Section 21 is amended

(a) in the part before clause (a) of the French version, by striking out "si" and substituting "dans les cas suivants";

(b) by replacing clause (c) with the following:

(c) use of the information is necessary to prevent or lessen

(i) a risk of harm to the health or safety of a minor, or

(ii) a risk of serious harm to the health or safety of the individual the information is about or another individual, or to public health or public safety;

(c) by adding the following after clause (d):

(d.1) the information is used for educating individuals respecting the provision of health care, including

(i) employees and agents of the trustee,

(ii) students training to be health professionals, and

(iii) health professionals who have been granted privileges to provide services at a health care facility operated by the trustee;

13(2)

Section 21 is further amended by renumbering it as subsection 21(1) and adding the following as subsection 21(2):

Employees' information

21(2)

Despite subsection (1), if a trustee has collected or received personal health information about an employee or prospective employee for a purpose unrelated to their employment, the trustee must not use the information for a purpose related to their employment without first obtaining their consent.

14

Clause 22(2)(g.1) is amended by striking out "the quality of services" and substituting "the programs, services or benefits".

15(1)

Subsection 24(2) is replaced with the following:

Who may give an approval

24(2)

An approval may be given by the committee established under section 59.

15(2)

Subsection 24(3) is amended

(a) in the part before clause (a), by striking out "health information privacy committee or the institutional research review committee, as the case may be," and substituting "committee"; and

(b) by striking out "and" at the end of clause (c), adding "and" at the end of clause (d) and adding the following after clause (d):

(e) any other requirements specified in the regulations are complied with.

16

The following is added after section 27 as part of Division 4 of Part 3:

NOTICE OF UNAUTHORIZED ACTIVITY

Disclosure of unauthorized activity to Ombudsman

27.1(1)

An employee, officer or agent of a trustee who believes in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of this Act may notify the Ombudsman.

Limitation

27.1(2)

In notifying the Ombudsman, the employee, officer or agent must not disclose personal health information unless the Ombudsman requests it.

No offence

27.1(3)

An employee, officer or agent is not liable to prosecution for an offence under this Act for disclosing personal health information requested by the Ombudsman under subsection (2).

Identity kept confidential

27.1(4)

An individual who notifies the Ombudsman under subsection (1) may request that the Ombudsman keep the individual's identity confidential, in which case the Ombudsman must take reasonable steps to protect the identity of the individual.

17

Section 28 is amended by striking out "and" at the end of clause (f), adding "and" at the end of clause (g) and adding the following after clause (g):

(h) exchange information with a person who, in respect of Canada or another province or territory, has duties and powers similar to those of the Ombudsman under this Act or under The Freedom of Information and Protection of Privacy Act, and enter into information sharing and other agreements with such a person for the purpose of co-ordinating activities and handling complaints involving the jurisdictions.

18

The following provisions are amended by adding "or audit" after "investigation":

(a) subsections 29(1) and (2);

(b) clause 30(a).

19

Section 31 is amended by adding "or audit" after "investigation" in the section heading and in the section.

20

The following provisions are amended by adding "or audit" after "investigation":

(a) subsection 32(1), in the part before clause (a);

(b) section 33.

21

The following is added after subsection 34(2):

Disclosure to prevent risk of harm

34(2.1)

The Ombudsman may disclose information to any person if the Ombudsman reasonably believes that the disclosure is necessary to prevent or lessen a risk of serious harm to the health or safety of the individual the information is about or to another individual.

22

Subsection 39(1) is amended

(a) by adding the following after clause (a):

(a.1) a decision of the trustee to consider a request abandoned or to disregard a request;

(b) by adding the following after clause (b):

(b.1) a response by the trustee informing the individual that the information does not exist or cannot be found;

23

Subsections 47(2) and (3) are replaced with the following:

Recommendations about access

47(2)

Without limiting subsection (1), in a report concerning a complaint about access, the Ombudsman

(a) must indicate whether, in the Ombudsman's opinion, a refusal is justified in whole or in part;

(b) may recommend that the trustee permit the complainant to examine or receive a copy of all or part of the personal health information, as the case may require;

(c) may recommend that the trustee modify or improve its procedures or practices concerning requests for access.

Recommendations about privacy

47(3)

Without limiting subsection (1), in a report concerning a complaint about privacy, the Ombudsman

(a) must indicate whether, in the Ombudsman's opinion, the complaint is well founded;

(b) may recommend that the trustee cease or modify a specified practice of collecting, using, disclosing, retaining or destroying personal health information contrary to this Act;

(c) may recommend that the trustee destroy a collection of personal health information that was collected in a manner contrary to this Act.

Opportunity to make representations

47(4)

The Ombudsman must not make a recommendation referred to in clause (3)(b) or (c) unless the trustee has been given an opportunity to make representations about the matter.

24

Subsection 48.5(3) is replaced with the following:

Ombudsman as party

48.5(3)

The Ombudsman has a right to be a party in any review conducted by the adjudicator under this Act.

25

Subsection 48.8(3) is amended by adding the following after clause (b):

(c) require that a duty imposed by this Act be performed.

26

Subsections 49(2) and (3) are replaced with the following:

Restrictions on appeal

49(2)

An appeal may be made under subsection (1) only if

(a) the individual has made a complaint about access to the Ombudsman and the Ombudsman has given the individual a report under section 47; and

(b) in the case where the Ombudsman's report contains recommendations respecting the complaint, the deadline set out in subsection 48.1(3) for the Ombudsman to request the adjudicator to review the matter has expired, and the Ombudsman has not requested a review.

Appeal within 30 days

49(3)

An appeal is to be made by filing an application with the court

(a) within 30 days after the deadline set out in subsection 48.1(3) expires, if the Ombudsman's report under section 47 contains recommendations respecting the complaint; or

(b) within 30 days after receiving the Ombudsman's report, if the report does not contain recommendations.

27

Subsection 58(2) is amended by striking out "on the staff of the public body".

28(1)

Subsection 59(1) is replaced with the following:

Research approval committee

59(1)

The minister must establish a committee in accordance with the regulations for the purpose of approving health research projects under section 24.

28(2)

Subsections 59(2) and (3) are repealed.

29

Subsection 60(1) is amended by adding the following after clause (d):

(d.1) by an attorney acting under a power of attorney granted by the individual, if the exercise of the right or power relates to the powers and duties conferred by the power of attorney;

30(1)

Subsection 63(1) is amended

(a) in clause (c), by striking out "destroys or erases" and substituting "destroys, erases, conceals, alters or falsifies"; and

(b) by striking out "or" at the end of clause (e) and adding the following after clause (f) and before the part follows it:

(g) fails to comply with section 19.0.1 (notification of privacy breach); or

(h) knowingly helps another person, or counsels another person, to do anything mentioned in clauses (a) to (g);

30(2)

Subsection 63(6) is replaced with the following:

Time limit for prosecution

63(6)

A prosecution for an offence under this Act may not be commenced later than two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. The certificate of the Ombudsman as to the day on which the evidence came to their knowledge is evidence of that date.

Application

63(7)

Subsection (6) applies to an offence committed before or after the coming into force of this subsection.

31

Section 65 is replaced with the following:

Defence under other enactments

65(1)

A person is not guilty of an offence or subject to disciplinary action of any kind under any other enactment by reason of

(a) complying with a request or requirement to produce a record or provide information or evidence to the Ombudsman or adjudicator, or a person acting for or under the direction of the Ombudsman or adjudicator, under this Act; or

(b) in good faith, giving a notification or disclosing personal health information to the Ombudsman under section 27.1.

No adverse action

65(2)

A trustee or person acting on behalf of a trustee must not take any adverse employment or other action against any of the following persons for doing any of the things described in clause (1)(a) or (b):

(a) an employee, officer or agent of the trustee;

(b) a volunteer or student who performs a service for the trustee;

(c) a health professional who has been granted privileges to provide services at a health care facility operated by the trustee;

(d) an information manager.

32

Subsection 66(1) is amended

(a) by adding the following after clause (h):

(h.1) for the purpose of subsection 19.0.1(2), prescribing relevant factors to be considered in determining if a privacy breach can reasonably be expected to create a real risk of significant harm;

(h.2) for the purpose of subsection 19.0.1(3), specifying the manner and form of, and information to be included in, a notice to an individual, whether given directly or indirectly, and prescribing the circumstances in which a notice may be given indirectly;

(b) by adding the following after clause (i.1):

(i.2) for the purpose of clause 24(3)(e), setting out approval requirements for health research projects;

(c) by replacing clause (m) with the following:

(m) respecting the committee established under section 59, including regulations respecting the name, composition, duties and functions, and the appointment of committee members;

33

Subsection 67(1) is replaced with the following:

Review of Act within five years

67(1)

The minister must undertake a comprehensive review of the operation of this Act, which involves public representations, within five years after the day on which this section comes into force.

TRANSITIONAL AND COMING INTO FORCE

Transitional — committees

34

A review of a research proposal that was commenced by the health information privacy committee or an institutional research review committee but not completed before the coming into force of this Act is to be concluded as though this Act had not come into force.

Coming into force

35

This Act comes into force on a day to be fixed by proclamation.