Summary
Manitoba has updated The Personal Health Information Act (PHIA) with new privacy protections, including mandatory breach notification where there is a real risk of significant harm. The amendments, which take effect January 1, 2022, also clarify rules around psychological data, research use, employee health information, and oversight by the Manitoba Ombudsman.
Post
Manitoba has announced significant updates to The Personal Health Information Act (PHIA) that will strengthen how personal health information is protected across the province. The amendments introduce clearer privacy breach notification rules, stronger oversight powers, and additional protections for individuals whose health information is collected and used by trustees such as health authorities, clinics, and other health service providers.
The legislative changes received Royal Assent on May 20, 2021, with the province later announcing that many of the amendments will come into force on January 1, 2022. These updates modernize PHIA and clarify several areas where privacy protections and procedures needed to be strengthened.
One of the most notable changes is the introduction of mandatory notification requirements when a privacy breach creates a real risk of significant harm. In those situations, trustees must notify affected individuals and may also be required to notify the Manitoba Ombudsman. This formalizes breach reporting expectations and aligns Manitoba with privacy breach practices seen in other jurisdictions.
The amendments also clarify that when a person is given access to their health information, trustees may have a duty to provide an explanation of the records, helping individuals better understand the information they receive.
New provisions also address psychological tests and psychological data, creating specific rules around access and disclosure to protect sensitive evaluation materials while still respecting access rights.
PHIA now also allows trustees to treat certain requests for access to records as abandoned or abusive/repetitive, helping organizations manage situations where requests are excessive or not being pursued by the requester.
The legislation introduces additional safeguards regarding the use of employee personal health information. In general, employee PHI cannot be used for employment-related purposes unless the use is expressly permitted under the Act or another legal authority.
Other updates include:
- Limited educational use of personal health information in certain controlled circumstances
- Updated research approval requirements for using health information in research
- Protection for individuals who report unauthorized use or disclosure of health information to the Manitoba Ombudsman
- Expanded authority for the Ombudsman to disclose information when necessary for health or safety reasons
- Updated offences and prosecution provisions related to improper handling of health information
- A new requirement that PHIA be periodically reviewed to ensure it continues to meet modern privacy needs
For organizations that handle health information in Manitoba, these changes reinforce the importance of having clear privacy policies, breach response procedures, and strong safeguards around how health data is accessed and used.
References
Manitoba Legislative Assembly. The Personal Health Information Amendment Act, S.M. 2021.
Manitoba Legislative Assembly. The Personal Health Information Act, C.C.S.M. c. P33.5 (current consolidated version).
Manitoba Ombudsman – Guidance on privacy breaches and PHIA responsibilities.
Leave a Reply