The Personal Health Information Act (PHIA) is a health-sector specific privacy law that establishes rules that custodians of personal health information must follow when collecting, using and disclosing individuals’ confidential personal health information. PHIA also sets out the rights of residents of the province regarding obtaining access to and exercising control of their personal health information.
PHIA was proclaimed into force on April 1st, 2011.
A copy of the Personal Health Information Act can be found at:
The regulations that have been enacted to support PHIA can be found at:
PHIA applies to "custodians" of personal health information. Custodians that have been designated under the Act include (but are not limited to):
PHIA recognizes that people expect their health information to be kept confidential and that it should not be collected, used or disclosed for purposes not related to their care and treatment. Information is also sometimes needed to manage the health care system, for health research and other for other similar purposes. Law enforcement officials, health officials and others may also have a legitimate need to access personal health information, under limited and specific circumstances. PHIA balances an individual’s right to privacy with the legitimate needs of persons and organizations that provide health care services to collect, use and disclose his or her information.
The Department of Health and Community Services is responsible for setting the overall strategic directions and priorities for the health care system in Newfoundland and Labrador. In doing so, the department works with partners like private sector care providers (e.g., doctors and pharmacists), Regional Health Authorities, community organizations, professional associations, post-secondary educational institutions, unions, consumers and other provincial government departments.
To properly oversee programs and services intended to maintain and promote the health and well-being of the people of Newfoundland and Labrador, the department collects, uses and discloses the personal health information of individuals who use the health system in the province, in accordance with applicable laws.
This privacy statement applies to the personal health information that the department collects, uses or discloses in the course of operating and administering provincial health programs and services. This privacy statement describes:
These frequently asked questions (FAQs) provide general information about the requirements of PHIA. They were designed to help residents of the province understand their rights under PHIA and to help custodians of personal health information understand their obligations under the Act.
In partnership with provincial stakeholders, the Department of Health and Community Services has created resources to assist custodians of personal health information to meet their obligations under the Act.
Custodians are not obligated to use these resources. These resource materials are for general
information purposes only, and should be adapted to the circumstances of each custodian using
them. The materials reflect interpretations and practices regarded as valid at the time of
publication based on information available at that time. Custodians are welcome to use them to
facilitate their compliance with the Personal Health Information Act. The materials are not
intended and should not be construed as legal or professional advice or opinion. Custodians
that are concerned about the applicability of privacy legislation to their activities are
advised to seek legal or professional advice based on their particular circumstances.
This brief presentation provides an introduction to the Personal Health Information Act. The presentation also provides an overview of some of the resources that are available to custodians to assist them in implementing the Act.
The PHIA Online Education Program is intended to help custodians to understand their obligations under the Act, as well as to assist them in providing education and training to those they have a responsibility for under the Act. PHIA requires that custodians of personal health information ensure that their employees, agents, contractors and volunteers, and those health professionals who have a right to treat persons at a health care facility operated by the custodian are aware of the duties imposed by the Act and regulations and by the custodian’s information policies and procedures.
The PHIA Online Education Program is a comprehensive introduction to PHIA and may be taken by anyone wishing to better understand the Act and/or their obligations under it. The course should take approximately 30 to 45 minutes to complete
The PHIA Facilitated Education Program is a comprehensive introduction to PHIA and contains materials to enable custodians to deliver education sessions to staff to help them understand their responsibilities under PHIA by way of a facilitated, face-to-face learning session. The PHIA Facilitated Education Program may be taken by anyone wishing to better understand the Act and/or their obligations under it.
The PHIA Facilitated Education Program comes in two versions: a full-day session and a half-day session. Each of the versions contains:
PHIA requires that custodians take steps that are reasonable in the circumstances to ensure that personal health information in their custody or control is:
To meet these obligations custodians should incorporate risk management processes into their projects, activities and systems as early as possible; ideally, during the design or planning phases. Risk management can be defined as being the identification, assessment, and prioritization of risks followed by a coordinated and efficient application of resources to minimize, monitor, and control the likelihood and impact of adverse events.
The PHIA Risk Management Toolkit is intended to:
The PHIA Risk Management Toolkit contains the following items:
The Personal Health Information Act requires that custodians have policies and procedures in place that describe the ways that they collect, use and disclose personal health information. The PHIA Policy Development manual is intended to provide custodians with a framework for developing their own policies and procedures to meet this obligation.
The PHIA Policy Development Manual sets out the legal requirements of the Personal Health Information Act and arranges those requirements into a policy framework. The manual provides custodians with sample policy and procedure language: the sample policy language reflects custodians’ obligations under the Personal Health Information Act while the sample procedure language contains suggestions as to how the policies could be implemented.
Custodians should not adopt the sample policies and procedures in this policy development manual as their own. Custodians should review the samples provided and customize them in order to make them applicable to their particular activities and lines of business.
While custodians may customize the sample language provided in the PHIA Policy Development Manual, custodians should be careful to ensure that whatever policies or procedures they develop are compliant with the requirements of the Act. Custodians should consult the Act, their regulatory authority or their solicitor for guidance on the provisions of the Personal Health Information Act, where necessary and as applicable.
PHIA requires that custodians take reasonable steps to inform individuals from whom they collect personal health information of the purpose for the collection, use and/or disclosure of that information. One way that a custodian can meet this requirement is by posting a notice setting out the authorized purposes for collection, use or disclosure in appropriate locations throughout their facility where it is likely to come to peoples’ attention. A custodian may also provide the individual with a copy of such a notice in brochure form.
Additionally, a custodian is required to have available a written statement that:
The sample poster and brochure materials provided here are designed to help custodians meet these obligations. Custodians should not simply adopt the sample materials as their own; rather, custodians should review the samples provided and customize them in order to make them applicable to their particular activities and lines of business.
While custodians may customize the sample notice poster and brochure materials provided, custodians should be careful to ensure that whatever notice materials they develop are compliant with the requirements of the Act. Custodians should consult the Act, their regulatory authority or their solicitor for guidance on the provisions of the PHIA, where necessary and as applicable.
Adobe® Acrobat® Reader software can be used for viewing PDF documents. Download Acrobat® Reader for free