PHIA training

PHIA training and pledge of confidentiality

PHIA requires that all research personnel who handle or are exposed to personal health information take PHIA Orientation and sign a pledge of confidentiality that acknowledges that they are bound by written policy and procedures.

To access UM’s online PHIA training module for researchers please visit:

PHIA training and registration information

Provincial Health Research Privacy Committee (PHRPC)

On January 1, 2022, the Health Information Privacy Committee (HIPC) was replaced with the Provincial Health Research Privacy Committee (PHRPC).

The PHRPC reviews all health research protocols that require use of personal health information maintained by any Manitoba Trustee, including government and government agencies, and renders a decision (i.e. approved, conditionally approved or not approved/requires revision).

Authority of REB to conduct PHIA reviews

Under Section 24(2)(b) of PHIA, approval must be given by an "institutional research review committee" if the personal health information is maintained by a trustee other than the government or government agency. The institutional research review committee must be a committee established by the facility or a university to ensure that adequate safeguards are in place to protect the PHI. Under the PHIA, the "trustee" is a health professional, health care facility, public body, or health services agency that collects and maintains personal health information.

The university REB will be responsible for granting approval for health research in accordance with Section 24(2)(b) of PHIA. This approval will be limited to approval of the protocol research plan. The trustee is responsible for disclosing the PHI for research after approval has been granted by the REB.

The REB will address the following issues in their review process.

Recruitment

The REB must be provided with explicit information as to how patients are going to be recruited and approached (for example, through review of medical charts, direct contact with patients) to ensure that the importance of the research outweighs the intrusion into privacy. The REB must be assured that safeguards are in place to protect the confidentiality of PHI. The approval to access PHI (logs) and to approach individuals about a research study will be incorporated into the REB review process.

The REB submission form has been revised to ensure that appropriate questions are asked to determine how the researcher intends to recruit subjects for each specific project and, if appropriate, the REB can approve the proposed method or recommend an alternate method. For example, in some situations:

  • Access to PHI should not be granted until consent is obtained from the individual.
  • Posting posters in appropriate areas may be required. 
  • Access to patient names and addresses (for contact purposes only) can be obtained from a departmental database, if the investigator is also involved with providing health care to that group of individuals in that organization;; for example, nephrologists providing care to dialysis patients at St. Boniface Hospital. 

If the investigator is not involved with providing care to that group of individuals (patients), then the physicians who are involved with providing health care should advise their patients, where appropriate, of the research project and either ask the patient to contact the researcher or obtain the patient's permission to forward their name and address to the researcher.

The examples above are analogous to "use" and "disclosure" of personal health information as provided for in PHIA, as follows:

  • The researcher who is also involved with providing health care would "use" the personal health information for contact purposes.
  • The physician who is involved with providing health care, but not involved with the research would "disclose" the personal health information to the researcher (which requires the patient's consent).

In situations like dialysis and lung Function clinics, it is recommended that a consent form be developed. The patient obtaining care from those clinics could consent to their names and addresses being used by the group of physicians and nurses who are both providing health care and conducting research, for the purpose of contacting the patient to discuss possible participation in research studies.

In some exceptional situations, it may be potentially beneficial for individuals to be approached as quickly as possible to discuss the research study. In these situations it may be appropriate to allow access to the patient's PHI prior to discussions between the individual and researchers. 

  • Example: Stroke study
    There is no good treatment for embolic stroke at present. A new IV drug is being tested to prevent brain damage from stroke. The new drug may offer a chance to the patient that would otherwise not be provided. Drug must be started within six hours of onset of stroke symptoms. Symptom onset occurs at home, patient must physically get to hospital, be triaged and diagnosed. Already much time has elapsed. Researcher is aware of patient, but cannot begin screening process until permission is given via clinical staff for study staff to approach patient. This process may involve the family and patient asking many questions about the study and may interfere both with their time together and with clinical staff assessing the patient for direct care.

    Under these stressful circumstances the patient or family may simply decline and not be provided with an opportunity to potentially receive better treatment. This situation could be avoided if the study staff gained access to the chart to see if the patient is even a candidate for the study.

The REB must address recruitment issues for each study separately. REB approval must be study-specific.

Security

In their submission to the REB, researchers must:

  • Specify safeguards to protect PHI 
  • Specify procedures to destroy PHI 
  • Specify long-term storage of PHI. Note that only information that identifies an individual needs to be secured (locked).
  • Where appropriate, specify why the PHIN (personal health identification number) is being collected. The PHIN should not be used unless it is absolutely necessary.
  • If PHIN is being used, specify how the PHIN is going to be linked.

Consent forms

Consent forms must specify who will be accessing or copying records containing PHI and which records the will access — for example, medical records — and at which site, such as research study records or physician's office records.

Disclosure of personal health information may be made without the consent of the individual only if the committee has determined that:

  1. the research is of sufficient importance to outweigh the intrusion of privacy that would result from the disclosure of PHI
  2. the research purpose cannot reasonably be accomplished unless identifying PHI is provided in a form that identifies or may identify individuals
  3. it is unreasonable or impractical for the person proposing the research to obtain consent from the individuals the PHI is about, and 
  4. the research project contains: 
    • reasonable safeguards to protect the confidentiality and security of the personal health information, and
    • procedures to destroy the information or remove all identifying information at the earliest opportunity consistent with the purpose of the project.

Clarification

Section 24(5) of PHIA deals with disclosure of names and addresses.

If a research project will require direct contact with individuals, a trustee shall not disclose personal health information about those individuals under this section without first obtaining their consent. However, the trustee need not obtain their consent if the information consists of only the individuals' names and addresses.

With respect to the last sentence above, the research study must have been considered and approved under this section by a REB before names and addresses can be released.

Researchers (who are not involved in health care) asking Manitoba Health for random sample of persons (names and addresses) require approval by the Health Information Privacy Committee (HIPC) before Manitoba Health provides names and addresses.

Research agreement

Section 24(4) - The researcher must agree to the following:

  • Not to publish PHI in any form that could reasonably identify the individuals concerned. 
  • To use the PHI solely for the purposes of the approved research project. If researchers will be approaching individuals participating in a study about future studies, the consent to participate in the original study should include consent to same.

PHIA requirements for databases

Refer to the following information regarding PHIA compliance and databases used for research to understand the additional requirements when personal health information is stored in an electronic database.

Simply stating your database is PHIA compliant in the REB application will not be sufficient without at least providing a brief description of how the safeguards comply with PHIA and other applicable privacy legislation.

Requirements for PHIA compliance

If a database contains identifiable personal health information, then this database must be PHIA compliant under the Personal Health Information Regulation, Amendment 142/2005.

If identifiable personal health information has been replaced in the database with a unique code, then PHIA compliance is not required.

Record of user activity

For a database that contains identifiable personal health information to be PHIA compliant, the associated system must create and maintain an electronic or manual record of user activity.This is a record about access to personal health information maintained on an electronic system, which identifies the following:

  1. Individuals whose personal health information has been accessed.
  2. Persons who accessed personal health information.
  3. When personal health information was accessed.
  4. The electronic information system or component of the system in which personal health information was accessed.
  5. Whether personal health information that has been accessed is subsequently disclosed under section 22 of PHIA.

The record of user activity must be maintained for at least three years, and at least one audit of the records of user activity must be conducted before the record is destroyed.

If there is no other permanent record being maintained of source documents at your site, some clinical trial records may need to be maintained for as long as 25 years as per Health Canada regulations.

The record of user activity is not required if the personal health information is only demographic or is information that qualifies or further describes the information listed below:

  • Name 
  • Signature 
  • Address
  • Telecommunications information
  • Sex
  • Date of birth
  • Date of death
  • Family associations
  • Eligibility for health care coverage
  • Jurisdiction of residence 
  • Manitoba Health Identification Number (PHIN)
  • A unique identifier equivalent to the PHIN assigned by another jurisdiction that pays for health care 
  • A unique identifier assigned by a trustee, when accessed by that trustee, for example, a medical record number)
  • A non-Canadian unique health identification number

Research Ethics Board approval to collect the above demographics information for research purposes is still required.

Additional security requirements

To prevent unauthorized access to databases that contain personal health information, it is important that you also implement appropriate security measures as follows:

  • Password-protect your database.
  • Never permanently store a database that contains identifiable personal health information on a mobile device such as a laptop or mobile phone.
  • Never email databases that contain personal health information to another person using an internet email address unless the information is encrypted.
  • Ensure you are familiar with the PHIA policy of the institution(s) in which you are conducting the research.

Information required in a Research Ethics Board application

All proposals must specify the demographic information collected on participants by the research site.

All proposals, including those proposals that do not necessarily store data on electronic databases, must provide a description of the physical, organizational and technological security measures in place to safeguard against risks of the unauthorized use, disclosure, corruption, or destruction of data.

Simply stating your database is PHIA compliance in the REB application will not be sufficient without at least providing a brief description of how the safeguards comply with PHIA and other applicable privacy legislation. You can provide this information in the Privacy and Confidentiality section of the Research Ethics Board Submission Form.

Population Health Research Data Repository

The Manitoba Centre for Health Policy provides comprehensive collections of data through the Population Health Research Data Repository. They provide information on gaining access, approvals and example sample submissions for your HIPC and HREB submissions.

Population Health Research Data Repository

Additional privacy guidelines