This is an unofficial version.
S.M. 2021, c. 47
Bill 54, 3rd Session, 42nd Legislature
The Personal Health Information Amendment Act
This note was written as a reader's aid to the Bill and is not part of the law.
This Bill amends The Personal Health Information Act. The following are the key changes:
trustees are required to give an explanation of information they provide as soon as is reasonably practicable;
giving copies of information concerning psychological tests or data is not required if doing so could interfere with the use or results of the tests, and the trustee may require a health professional be present to explain information concerning psychological tests or data when it is made available to an individual;
a person's request for personal health information may be considered abandoned if, on request, they fail to provide information necessary to process the request;
a trustee may disregard requests for information already provided, or requests that amount to an abuse of the right to make a request;
people are to be notified if there is a real risk they will be significantly harmed as a result of a privacy breach concerning their personal health information;
a trustee can use personal health information in the course of educating employees, agents, students and health professionals to provide health care;
a trustee must not use personal health information about its employees for employment-related purposes if it was collected for other purposes, unless the employee has given their express consent;
institutional research review committees are eliminated, and the minister must establish a committee to approve research;
employees of trustees and others may notify the Ombudsman if they reasonably believe the trustee is treating personal health information in an unauthorized manner, and no adverse actions may be taken against them for doing so;
the Ombudsman is authorized to disclose personal health information if necessary to protect a person's health or safety;
the provisions respecting offences and prosecutions are updated;
the Act is to be reviewed every 5 years.
Other administrative amendments are included.
(Assented to May 20, 2021)
HER MAJESTY, by and with the advice and consent of the Legislative Assembly of Manitoba, enacts as follows:
The following is added after subsection 7(1):
The following is added after section 7:
Despite section 7, a trustee is not required to provide a copy of information related to psychological tests or data if both of the following conditions are met:
(a) the information concerns
(i) procedures or techniques relating to psychological tests or assessments,
(ii) details of psychological tests or assessments, or
(iii) raw data from a psychological test or assessment;
(b) the provision of a copy of the information could reasonably be expected to prejudice the use or results of particular psychological tests or assessments.
When making personal health information related to a psychological test or data available for examination, a trustee may require one of the following individuals to be present to provide an explanation of the information:
(a) the trustee, if the trustee is a health professional;
Section 10 of the English version is replaced with the following:
A trustee may charge a reasonable fee for permitting examination of personal health information and providing a copy. If such a fee is charged, it must not exceed the amount provided for in the regulations.
The following is added after section 10 and before the centred heading that follows it:
A trustee may require an individual
(a) to provide additional information in relation to their request, including additional information that is necessary to respond to the request; and
(b) to indicate if they
(i) accept the estimate of the amount of the fee that may be charged under section 10, if the trustee gives such an estimate, or
(ii) want to modify their request in order to have the amount of the fee changed.
A request made by a trustee under subsection (1) must be given in writing, except in the circumstances under clause 6(1)(a) (hospital in-patient).
An individual has up to 30 days from the day the request is given to provide the additional information or accept the estimated fee, and if the additional information or acceptance is not provided within that time, the trustee may determine that the request has been abandoned.
When a request is given to an applicant under this section, the time within which the trustee is required to respond under subsection 6(1) is suspended until the applicant provides the required information.
If the trustee determines that the request has been abandoned, the trustee must notify the individual in writing of the determination, and of the individual's right to make a complaint about the determination to the Ombudsman under Part 5.
The following is added after section 11 and before the centred heading that follows it:
A trustee may disregard a request if the trustee reasonably believes that
(a) the request is for information already provided to the individual who made the request; or
(b) the request amounts to an abuse of the right to make a request because it is unduly repetitive or systematic, or otherwise made in bad faith.
If the trustee disregards a request under this section, the trustee must notify the individual in writing of the decision and the reasons for it, and of the individual's right to make a complaint about the decision under Part 5.
The following is added after subsection 12(3):
The following is added after section 19 as part of Division 2 of Part 3:
The following definitions apply in this section.
"privacy breach" means, in relation to personal health information,
(a) theft or loss; or
(b) access, use, disclosure, destruction or alteration in contravention of this Act. (« atteinte à la vie privée »)
"significant harm" includes, in relation to an individual, bodily harm, humiliation, damage to the individual's reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the individual's credit rating or report, and damage to or loss of the individual's property. (« préjudice grave »)
A trustee who maintains personal health information about an individual must notify the individual about a privacy breach relating to the information if, after considering the relevant factors prescribed in the regulations, the breach could reasonably be expected to create a real risk of significant harm to the individual.
Notice to the individual must
(a) be given as soon as practicable after the privacy breach becomes known to the trustee;
(b) be given in the form and manner, and include the information, required by the regulations; and
(c) be given directly to the individual except in circumstances set out in the regulations, in which case it may be given indirectly in the form and manner required by the regulations.
If the trustee is required to notify an individual about a privacy breach under subsection (2), the trustee must also notify the Ombudsman at the time and in the form and manner that the Ombudsman requires.
Subsection 19.1(4) is amended by striking out "or" at the end of clause (a), adding "or" at the end of clause (b) and adding the following after clause (b):
Section 21 is amended
(a) in the part before clause (a) of the French version, by striking out "si" and substituting "dans les cas suivants";
(b) by replacing clause (c) with the following:
(c) use of the information is necessary to prevent or lessen
(i) a risk of harm to the health or safety of a minor, or
(ii) a risk of serious harm to the health or safety of the individual the information is about or another individual, or to public health or public safety;
(c) by adding the following after clause (d):
(d.1) the information is used for educating individuals respecting the provision of health care, including
(i) employees and agents of the trustee,
(ii) students training to be health professionals, and
Section 21 is further amended by renumbering it as subsection 21(1) and adding the following as subsection 21(2):
Despite subsection (1), if a trustee has collected or received personal health information about an employee or prospective employee for a purpose unrelated to their employment, the trustee must not use the information for a purpose related to their employment without first obtaining their consent.
Subsection 24(2) is replaced with the following:
Subsection 24(3) is amended
(a) in the part before clause (a), by striking out "health information privacy committee or the institutional research review committee, as the case may be," and substituting "committee"; and
(b) by striking out "and" at the end of clause (c), adding "and" at the end of clause (d) and adding the following after clause (d):
The following is added after section 27 as part of Division 4 of Part 3:
NOTICE OF UNAUTHORIZED ACTIVITY
An employee, officer or agent of a trustee who believes in good faith that the trustee is collecting, using, disclosing, retaining, concealing, altering or destroying personal health information in contravention of this Act may notify the Ombudsman.
In notifying the Ombudsman, the employee, officer or agent must not disclose personal health information unless the Ombudsman requests it.
An employee, officer or agent is not liable to prosecution for an offence under this Act for disclosing personal health information requested by the Ombudsman under subsection (2).
An individual who notifies the Ombudsman under subsection (1) may request that the Ombudsman keep the individual's identity confidential, in which case the Ombudsman must take reasonable steps to protect the identity of the individual.
Section 28 is amended by striking out "and" at the end of clause (f), adding "and" at the end of clause (g) and adding the following after clause (g):
(h) exchange information with a person who, in respect of Canada or another province or territory, has duties and powers similar to those of the Ombudsman under this Act or under The Freedom of Information and Protection of Privacy Act, and enter into information sharing and other agreements with such a person for the purpose of co-ordinating activities and handling complaints involving the jurisdictions.
The following provisions are amended by adding "or audit" after "investigation":
(a) subsections 29(1) and (2);
The following provisions are amended by adding "or audit" after "investigation":
(a) subsection 32(1), in the part before clause (a);
The following is added after subsection 34(2):
The Ombudsman may disclose information to any person if the Ombudsman reasonably believes that the disclosure is necessary to prevent or lessen a risk of serious harm to the health or safety of the individual the information is about or to another individual.
Subsection 39(1) is amended
(a) by adding the following after clause (a):
(a.1) a decision of the trustee to consider a request abandoned or to disregard a request;
(b) by adding the following after clause (b):
Subsections 47(2) and (3) are replaced with the following:
Without limiting subsection (1), in a report concerning a complaint about access, the Ombudsman
(a) must indicate whether, in the Ombudsman's opinion, a refusal is justified in whole or in part;
(b) may recommend that the trustee permit the complainant to examine or receive a copy of all or part of the personal health information, as the case may require;
(c) may recommend that the trustee modify or improve its procedures or practices concerning requests for access.
Without limiting subsection (1), in a report concerning a complaint about privacy, the Ombudsman
(a) must indicate whether, in the Ombudsman's opinion, the complaint is well founded;
(b) may recommend that the trustee cease or modify a specified practice of collecting, using, disclosing, retaining or destroying personal health information contrary to this Act;
(c) may recommend that the trustee destroy a collection of personal health information that was collected in a manner contrary to this Act.
Subsection 48.5(3) is replaced with the following:
Subsection 48.8(3) is amended by adding the following after clause (b):
Subsections 49(2) and (3) are replaced with the following:
An appeal may be made under subsection (1) only if
(a) the individual has made a complaint about access to the Ombudsman and the Ombudsman has given the individual a report under section 47; and
(b) in the case where the Ombudsman's report contains recommendations respecting the complaint, the deadline set out in subsection 48.1(3) for the Ombudsman to request the adjudicator to review the matter has expired, and the Ombudsman has not requested a review.
An appeal is to be made by filing an application with the court
(a) within 30 days after the deadline set out in subsection 48.1(3) expires, if the Ombudsman's report under section 47 contains recommendations respecting the complaint; or
Subsection 59(1) is replaced with the following:
Subsection 60(1) is amended by adding the following after clause (d):
Subsection 63(1) is amended
(a) in clause (c), by striking out "destroys or erases" and substituting "destroys, erases, conceals, alters or falsifies"; and
(b) by striking out "or" at the end of clause (e) and adding the following after clause (f) and before the part that follows it:
(g) fails to comply with section 19.0.1 (notification of privacy breach); or
Subsection 63(6) is replaced with the following:
A prosecution for an offence under this Act may not be commenced later than two years after the day on which evidence sufficient to justify a prosecution for the offence came to the knowledge of the Ombudsman. The certificate of the Ombudsman as to the day on which the evidence came to their knowledge is evidence of that date.
Section 65 is replaced with the following:
A person is not guilty of an offence or subject to disciplinary action of any kind under any other enactment by reason of
(a) complying with a request or requirement to produce a record or provide information or evidence to the Ombudsman or adjudicator, or a person acting for or under the direction of the Ombudsman or adjudicator, under this Act; or
(b) in good faith, giving a notification or disclosing personal health information to the Ombudsman under section 27.1.
A trustee or person acting on behalf of a trustee must not take any adverse employment or other action against any of the following persons for doing any of the things described in clause (1)(a) or (b):
(a) an employee, officer or agent of the trustee;
(b) a volunteer or student who performs a service for the trustee;
(c) a health professional who has been granted privileges to provide services at a health care facility operated by the trustee;
Subsection 66(1) is amended
(a) by adding the following after clause (h):
(h.1) for the purpose of subsection 19.0.1(2), prescribing relevant factors to be considered in determining if a privacy breach can reasonably be expected to create a real risk of significant harm;
(h.2) for the purpose of subsection 19.0.1(3), specifying the manner and form of, and information to be included in, a notice to an individual, whether given directly or indirectly, and prescribing the circumstances in which a notice may be given indirectly;
(b) by adding the following after clause (i.1):
(i.2) for the purpose of clause 24(3)(e), setting out approval requirements for health research projects;
(c) by replacing clause (m) with the following:
Subsection 67(1) is replaced with the following:
The minister must undertake a comprehensive review of the operation of this Act, which involves public representations, within five years after the day on which this section comes into force.
COMING INTO FORCE
A review of a research proposal that was commenced by the health information privacy committee or an institutional research review committee but not completed before the coming into force of this Act is to be concluded as though this Act had not come into force.
This Act comes into force on a day to be fixed by proclamation.