Requirements for PHIA Compliancy for Databases
Additional Security Requirements for PHIA Compliancy of Databases
Information required in a Research Ethics Board Application

The following information regarding PHIA compliance and databases used for research has been prepared to assist you to understand the additional requirements when personal health information is stored in a electronic database.

Requirements for PHIA Compliancy for Databases

If a database contains identifiable personal health information, then this database must be PHIA compliant under the Personal Health Information Regulation, Amendment 142/2005.

If identifiable personal health information has been replaced in the database with a unique Code then PHIA compliancy is not required.

In order for a database that contains identifiable personal health information to be PHIA compliant, the associated system must create and maintain an electronic or manual record of user activity.

Record of Use Activity - means a record about access to personal health information maintained on an electronic system, which identifies the following:

a) Individuals whose personal health information has been accessed.

b) Persons who accessed personal health information.

c) When personal health information was accessed.

d) The electronic information system or component of the system in which personal health information was accessed.

e) Whether personal health information that has been accessed is subsequently disclosed under section 22 of PHIA.

The record of user activity must be maintained for at least three years and at least one audit of the records of used activity must be conducted before the record is destroyed. NOTE: if there is no other permanent record being maintained of source documents at your site, some clinical trial records may need to be maintained for as long as 25 years as per Health Canada regulations.

The record of user activity is not required if the personal health information is only demographic or is information that qualifies or further describes information listed below:

• Name 
• Signature 
• Address
• Telecommunications information
• Sex
• Date of birth
• Date of death
• Family Associations
• Eligibility for health care coverage
• Jurisdiction of residence 
• Manitoba Health Identification Number (PHIN)
• A unique identifier equivalent to the PHIN assigned by another
• Jurisdiction that pays for health care 
• A unique identifier assigned by a trustee, when accessed by that trustee (E.g. Medical Record Number)
• A non-Canadian unique health identification number

NOTE:   Research Ethics Board approval to collect the above demographics  information for research purposes is still required.

Additional Security Requirements for PHIA Compliancy of Databases

In order to prevent unauthorized access to databases that contain personal health information, it is important that you also implement appropriate security measures as follows:

1) Password protect your database.

2) Never permanently store a database that contains identifiable personal health information on a mobile device as a laptop or a blackberry.

3) Databases that contain personal health information can never be e-mailed to another person using an Internet e-mail address unless the information is encrypted.

4) Ensure you are familiar with the PHIA policy  of the institution(s) in which you are to conduct the research.

Information required in a Research Ethics Board Application

All proposals must specify  the demographic information collected on participants by the research site.

All proposals, including those proposals that do not necessarily store data on electronic databases, must provide a description of the physical, organizational and technological security measures in place to safeguard against risks of unauthorized use, disclose, corruption or destruction of data.

Simply stating your database is  PHIA compliance  in the REB application will not be sufficient without at least providing  a brief description of how the safeguards comply with PHIA and other applicable privacy legislation. This can be outlined in the "Privacy and Confidentiality" section of the Research Ethics Board Submission Form.