Requirements for PHIA Compliancy for Databases
Additional Security Requirements for PHIA Compliancy of Databases
Information required in a Research Ethics Board Application
The following information on PHIA compliance for research databases has been prepared to help you understand the additional requirements that apply when personal health information is stored in an electronic database.
If a database contains identifiable personal health information, the database must be PHIA compliant under the Personal Health Information Regulation, Amendment 142/2005.
If the identifiable personal health information in the database has been replaced with a unique code, PHIA compliance of the database is not required.
In order for a database that contains identifiable personal health information to be PHIA compliant, the associated system must create and maintain an electronic or manual record of user activity.
Record of user activity means a record about access to personal health information maintained on an electronic system, which identifies the following:
a) Individuals whose personal health information has been accessed.
b) Persons who accessed personal health information.
c) When personal health information was accessed.
d) The electronic information system or component of the system in which personal health information was accessed.
e) Whether personal health information that has been accessed is subsequently disclosed under section 22 of PHIA.
The record of user activity must be retained for at least three years, and at least one audit of the record of user activity must be conducted before the record is destroyed. NOTE: if no other permanent record of source documents is maintained at your site, some clinical trial records may need to be retained for as long as 25 years under Health Canada regulations.
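The five items above amount to a schema for an access log, and the retention rule to a constraint on deleting from it. The following is an added example (not from this page or from any PHIA guidance) of a record-of-user-activity store that enforces both rules in the database itself rather than in application code: the who/when/where fields of an access are immutable, the disclosure fields can be filled in afterwards because disclosure happens after the access, and a delete is refused while the row is inside the retention period or no audit has taken place since the access. The table and column names, the in-memory sqlite3 backing store, the sample events and the reading of "audited" as "an audit dated on or after the access" are all assumptions made for illustration.

```python
"""Record-of-user-activity store for a database holding identifiable PHI.
Added example (not from the page). Table/column names, the sqlite3 backing
store and the audit-coverage rule are illustrative assumptions."""
import sqlite3
from datetime import datetime, timezone

RETENTION_YEARS = 3  # minimum retention stated for the record of user activity

SCHEMA = f"""
CREATE TABLE record_of_use (
    id              INTEGER PRIMARY KEY,
    subject_id      TEXT NOT NULL,  -- (a) individual whose PHI was accessed
    user_id         TEXT NOT NULL,  -- (b) person who accessed it
    accessed_at     TEXT NOT NULL,  -- (c) when, 'YYYY-MM-DD HH:MM:SS' UTC
    system          TEXT NOT NULL,  -- (d) system or component accessed
    disclosed       INTEGER NOT NULL DEFAULT 0,  -- (e) later disclosed (s. 22)
    disclosure_note TEXT
);
CREATE TABLE audit_of_record (
    id INTEGER PRIMARY KEY, auditor TEXT NOT NULL, audited_at TEXT NOT NULL
);
-- Who/when/what of an access is immutable; only the disclosure columns may be
-- filled in later, since disclosure happens after the access.
CREATE TRIGGER no_rewrite BEFORE UPDATE OF subject_id, user_id, accessed_at, system
ON record_of_use BEGIN
    SELECT RAISE(ABORT, 'record_of_use access fields are immutable');
END;
-- Destruction is refused inside the retention period, or while no audit has
-- taken place after the access. The store enforces this, not the caller.
CREATE TRIGGER retain_until_audited BEFORE DELETE ON record_of_use
WHEN OLD.accessed_at > datetime('now', '-{RETENTION_YEARS} years')
  OR NOT EXISTS (SELECT 1 FROM audit_of_record WHERE audited_at >= OLD.accessed_at)
BEGIN
    SELECT RAISE(ABORT, 'record within retention period or not yet audited');
END;
"""

def utc(year, month, day):
    """Aware UTC midnight, used for the constructed sample events below."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def _ts(when):
    return when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def log_access(conn, subject_id, user_id, system, when=None):
    """Append one access event (fields a-d) and return its row id."""
    cur = conn.execute(
        "INSERT INTO record_of_use (subject_id, user_id, accessed_at, system) "
        "VALUES (?, ?, ?, ?)",
        (subject_id, user_id, _ts(when or datetime.now(timezone.utc)), system))
    conn.commit()
    return cur.lastrowid

def mark_disclosed(conn, access_id, note):
    """Field (e): the accessed PHI was subsequently disclosed under section 22."""
    conn.execute("UPDATE record_of_use SET disclosed = 1, disclosure_note = ? "
                 "WHERE id = ?", (note, access_id))
    conn.commit()

def record_audit(conn, auditor, when=None):
    """Record that the record of user activity was audited on a given date."""
    conn.execute("INSERT INTO audit_of_record (auditor, audited_at) VALUES (?, ?)",
                 (auditor, _ts(when or datetime.now(timezone.utc))))
    conn.commit()

def accesses_to(conn, subject_id):
    """Who accessed one individual's PHI, when, where, and whether it was disclosed."""
    return conn.execute(
        "SELECT user_id, accessed_at, system, disclosed FROM record_of_use "
        "WHERE subject_id = ? ORDER BY accessed_at, id", (subject_id,)).fetchall()

def tamper_blocked(conn, access_id):
    """True if the store refuses to rewrite who performed an access."""
    try:
        conn.execute("UPDATE record_of_use SET user_id = 'nobody' WHERE id = ?",
                     (access_id,))
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.rollback()
    return False

def destroy_expired(conn):
    """Try to destroy every row; the trigger keeps the ones that must stay.
    Returns (destroyed, retained)."""
    destroyed = retained = 0
    for (row_id,) in conn.execute("SELECT id FROM record_of_use").fetchall():
        try:
            conn.execute("DELETE FROM record_of_use WHERE id = ?", (row_id,))
            destroyed += 1
        except sqlite3.DatabaseError:
            retained += 1
    conn.commit()
    return destroyed, retained

if __name__ == "__main__":  # constructed sample events
    db = open_store()
    a = log_access(db, "P-001", "dr.smith", "study-db", utc(2019, 3, 1))
    log_access(db, "P-002", "ra.jones", "study-db", utc(2021, 6, 1))
    b = log_access(db, "P-001", "ra.jones", "study-db")
    mark_disclosed(db, b, "copy released under s. 22")
    record_audit(db, "privacy.officer", utc(2020, 1, 1))
    print(accesses_to(db, "P-001"), tamper_blocked(db, a), destroy_expired(db))
```

With the constructed events, the 2019 access is older than three years and is covered by the 2020 audit, so it can be destroyed; the 2021 access is past retention but no audit has been conducted since it, and the current-day access is still within retention, so both are kept. Putting the rules in triggers means an application bug, or an operator running an ad hoc DELETE, cannot quietly shorten the record; in a production system the same idea applies with the database's own privilege model (an account that can only INSERT into the log) rather than in-memory sqlite.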
The record of user activity is not required if the personal health information is only demographic, or is information that qualifies or further describes the information listed below:
NOTE: Research Ethics Board approval to collect this demographic information for research purposes is still required.
To prevent unauthorized access to databases that contain personal health information, you must also implement appropriate security measures, as follows:
1) Password protect your database.
2) Never permanently store a database that contains identifiable personal health information on a mobile device such as a laptop or a BlackBerry.
3) A database that contains personal health information must never be sent to another person by Internet e-mail unless the information is encrypted.
4) Ensure you are familiar with the PHIA policy of the institution(s) in which you are to conduct the research.
All proposals must specify the demographic information collected on participants by the research site.
All proposals, including those that do not store data in an electronic database, must describe the physical, organizational and technological security measures in place to safeguard against the risks of unauthorized use, disclosure, corruption or destruction of data.
Simply stating in the REB application that your database is PHIA compliant is not sufficient; you must at least briefly describe how the safeguards comply with PHIA and other applicable privacy legislation. This can be outlined in the "Privacy and Confidentiality" section of the Research Ethics Board Submission Form.