PHIA and research ethics
Learn the details and expectations around the application of the Personal Health Information Act (PHIA) to research involving personal health information when requesting Research Ethics Board approval for research.
This information will help inform both researchers requesting Research Ethics Board (REB) approval for research involving PHIA, and Research Ethics Boards (REBs) considering approval of research proposals involving PHIA.
PHIA training and pledge of confidentiality
PHIA requires that all research personnel who handle or are exposed to personal health information take PHIA Orientation and sign a pledge of confidentiality that acknowledges that they are bound by written policy and procedures.
To access UM’s online PHIA training module for researchers please visit:
Provincial Health Research Privacy Committee (PHRPC)
On January 1, 2022, the Health Information Privacy Committee (HIPC) was replaced with the Provincial Health Research Privacy Committee (PHRPC).
The PHRPC reviews all health research protocols that require use of personal health information maintained by any Manitoba Trustee, including government and government agencies, and renders a decision (i.e. approved, conditionally approved or not approved/requires revision).
PHIA requirements for databases
Refer to the following information regarding PHIA compliance and databases used for research to understand the additional requirements when personal health information is stored in an electronic database.
Simply stating your database is PHIA compliant in the REB application will not be sufficient without at least providing a brief description of how the safeguards comply with PHIA and other applicable privacy legislation.
Requirements for PHIA compliance
If a database contains identifiable personal health information, then this database must be PHIA compliant under the Personal Health Information Regulation, Amendment 142/2005.
If identifiable personal health information has been replaced in the database with a unique code, then PHIA compliance is not required.
Record of user activity
For a database that contains identifiable personal health information to be PHIA compliant, the associated system must create and maintain an electronic or manual record of user activity. This is a record about access to personal health information maintained on an electronic system, which identifies the following:
- Individuals whose personal health information has been accessed.
- Persons who accessed personal health information.
- When personal health information was accessed.
- The electronic information system or component of the system in which personal health information was accessed.
- Whether personal health information that has been accessed is subsequently disclosed under section 22 of PHIA.
The record of user activity must be maintained for at least three years, and at least one audit of the records of user activity must be conducted before the record is destroyed.
If there is no other permanent record being maintained of source documents at your site, some clinical trial records may need to be maintained for as long as 25 years as per Health Canada regulations.
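As an added illustration (not code from the university or from PHIA itself), the sketch below stores the five listed items in a SQLite table and refuses to destroy a row until it is past the retention period and has been covered by an audit. The table, column and function names are hypothetical, the `audited_at` column is an assumption about how an audit is recorded, and "at least three years" is rounded up to 3 × 366 days.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: "at least three years" rounded up to 3 * 366 days.
RETENTION = timedelta(days=3 * 366)

SCHEMA = """CREATE TABLE user_activity (
  id INTEGER PRIMARY KEY,
  subject_id TEXT NOT NULL,        -- individual whose PHI was accessed
  accessed_by TEXT NOT NULL,       -- person who accessed it
  accessed_at TEXT NOT NULL,       -- when (UTC, ISO 8601)
  system_component TEXT NOT NULL,  -- system or component accessed
  disclosed_s22 INTEGER NOT NULL DEFAULT 0,  -- later disclosed under s. 22
  audited_at TEXT                  -- hypothetical column: set by an audit
)"""

def ts(dt):
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds")

def open_log():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def record_access(db, subject_id, accessed_by, component, when):
    db.execute(
        "INSERT INTO user_activity (subject_id, accessed_by, accessed_at,"
        " system_component) VALUES (?, ?, ?, ?)",
        (subject_id, accessed_by, ts(when), component))

def audit(db, now):
    """Mark every not-yet-audited row as covered by an audit run at `now`."""
    return db.execute("UPDATE user_activity SET audited_at = ?"
                      " WHERE audited_at IS NULL", (ts(now),)).rowcount

def purge(db, now):
    """Delete only rows past retention that an audit has already covered."""
    return db.execute("DELETE FROM user_activity WHERE accessed_at < ?"
                      " AND audited_at IS NOT NULL", (ts(now - RETENTION),)).rowcount

def demo():
    """Constructed sample rows; returns (blocked, audited, purged, left)."""
    db, utc = open_log(), timezone.utc
    now = datetime(2025, 1, 1, tzinfo=utc)
    record_access(db, "P-0001", "rcoord1", "intake-form", datetime(2020, 1, 10, tzinfo=utc))
    record_access(db, "P-0002", "rcoord2", "lab-results", datetime(2024, 6, 1, tzinfo=utc))
    blocked = purge(db, now)   # nothing audited yet, so nothing may be destroyed
    audited = audit(db, now)
    purged = purge(db, now)    # only the 2020 row is past retention
    left = db.execute("SELECT COUNT(*) FROM user_activity").fetchone()[0]
    return blocked, audited, purged, left
```
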
The record of user activity is not required if the personal health information is only demographic or is information that qualifies or further describes the information listed below:
- Telecommunications information
- Date of birth
- Date of death
- Family associations
- Eligibility for health care coverage
- Jurisdiction of residence
- Manitoba Health Identification Number (PHIN)
- A unique identifier equivalent to the PHIN assigned by another jurisdiction that pays for health care
- A unique identifier assigned by a trustee, when accessed by that trustee (for example, a medical record number)
- A non-Canadian unique health identification number
Research Ethics Board approval to collect the above demographic information for research purposes is still required.
Additional security requirements
To prevent unauthorized access to databases that contain personal health information, it is important that you also implement appropriate security measures as follows:
- Password-protect your database.
- Never permanently store a database that contains identifiable personal health information on a mobile device such as a laptop or mobile phone.
- Never email databases that contain personal health information to another person using an internet email address unless the information is encrypted.
- Ensure you are familiar with the PHIA policy of the institution(s) in which you are conducting the research.
Information required in a Research Ethics Board application
All proposals must specify the demographic information collected on participants by the research site.
All proposals, including those proposals that do not necessarily store data on electronic databases, must provide a description of the physical, organizational and technological security measures in place to safeguard against risks of the unauthorized use, disclosure, corruption, or destruction of data.
Simply stating your database is PHIA compliant in the REB application will not be sufficient without at least providing a brief description of how the safeguards comply with PHIA and other applicable privacy legislation. You can provide this information in the Privacy and Confidentiality section of the Research Ethics Board Submission Form.
Population Health Research Data Repository
The Manitoba Centre for Health Policy provides comprehensive collections of data through the Population Health Research Data Repository. They provide information on gaining access and approvals, and sample submissions for your HIPC and HREB submissions.
Additional privacy guidelines