The Personal Health Information Act

What is the Personal Health Information Act?

The Personal Health Information Act (PHIA) is a health-sector specific privacy law that establishes rules that custodians of personal health information must follow when collecting, using and disclosing individuals’ confidential personal health information. PHIA also sets out the rights of residents of the province regarding obtaining access to and exercising control of their personal health information.

PHIA was proclaimed into force on April 1st, 2011.

A copy of the Personal Health Information Act can be found at:

The regulations that have been enacted to support PHIA can be found at:

PHIA applies to “custodians” of personal health information. Custodians that have been designated under the Act include (but are not limited to):

  • Health care professionals (for example, physicians, pharmacists, nurses and dentists),
  • Eastern Health, Western Health, Central Health and Labrador-Grenfell Health,
  • Provincial government departments when engaged in health care activities,
  • The Public Health Laboratory,
  • The Newfoundland and Labrador Centre for Health Information, and
  • The Workplace Health and Safety Compensation Commission.

PHIA recognizes that people expect their health information to be kept confidential and that it should not be collected, used or disclosed for purposes not related to their care and treatment. Information is also sometimes needed to manage the health care system, for health research and other for other similar purposes. Law enforcement officials, health officials and others may also have a legitimate need to access personal health information, under limited and specific circumstances. PHIA balances an individual’s right to privacy with the legitimate needs of persons and organizations that provide health care services to collect, use and disclose his or her information.

Privacy Statement

The Department of Health and Community Services is responsible for setting the overall strategic directions and priorities for the health care system in Newfoundland and Labrador. In doing so, the department works with partners like private sector care providers (e.g., doctors and pharmacists), Regional Health Authorities, community organizations, professional associations, post-secondary educational institutions, unions, consumers and other provincial government departments.

To properly oversee programs and services intended to maintain and promote the health and well-being of the people of Newfoundland and Labrador, the department collects, uses and discloses the personal health information of individuals who use the health system in the province, in accordance with applicable laws.

This privacy statement applies to the personal health information that the department collects, uses or discloses in the course of operating and administering provincial health programs and services. This privacy statement describes:

  • How to contact the department if you have a question about our information handling practices
  • How the department collects, uses and discloses your personal health information
  • How the department safeguards your personal health information
  • Your right to access and request correction of records containing your personal health information
  • How to contact the Office of the Information and Privacy Commissioner to discuss a concern you might have about the department’s information handling practices

Public Awareness Materials

Frequently Asked Questions

These frequently asked questions (FAQs) provide general information about the requirements of PHIA. They were designed to help residents of the province understand their rights under PHIA and to help custodians of personal health information understand their obligations under the Act.

Resources for Custodians

In partnership with provincial stakeholders, the Department of Health and Community Services has created resources to assist custodians of personal health information to meet their obligations under the Act.

  1. PHIA Overview
  2. PHIA Online Education Program
  3. PHIA Facilitated Education Program
  4. PHIA Risk Management Toolkit
  5. PHIA Policy Development Manual
  6. PHIA Sample Notice Materials

Custodians are not obligated to use these resources. These resource materials are for general information purposes only, and should be adapted to the circumstances of each custodian using them. The materials reflect interpretations and practices regarded as valid at the time of publication based on information available at that time. Custodians are welcome to use them to facilitate their compliance with the Personal Health Information Act. The materials are not intended and should not be construed as legal or professional advice or opinion. Custodians that are concerned about the applicability of privacy legislation to their activities are advised to seek legal or professional advice based on their particular circumstances.

PHIA Overview

This brief presentation provides an introduction to the Personal Health Information Act. The presentation also provides an overview of some of the resources that are available to custodians to assist them in implementing the Act.

^ Top of Page

PHIA Online Education Program

The PHIA Online Education Program is intended to help custodians to understand their obligations under the Act, as well as to assist them in providing education and training to those they have a responsibility for under the Act. PHIA requires that custodians of personal health information ensure that their employees, agents, contractors and volunteers, and those health professionals who have a right to treat persons at a health care facility operated by the custodian are aware of the duties imposed by the Act and regulations and by the custodian’s information policies and procedures.

The PHIA Online Education Program is a comprehensive introduction to PHIA and may be taken by anyone wishing to better understand the Act and/or their obligations under it. The course should take approximately 30 to 45 minutes to complete

^ Top of Page

PHIA Facilitated Education Program

The PHIA Facilitated Education Program is a comprehensive introduction to PHIA and contains materials to enable custodians to deliver education sessions to staff to help them understand their responsibilities under PHIA by way of a facilitated, face-to-face learning session. The PHIA Facilitated Education Program may be taken by anyone wishing to better understand the Act and/or their obligations under it.

The PHIA Facilitated Education Program comes in two versions: a full-day session and a half-day session. Each of the versions contains:

  • Information on adult learning for facilitators;
  • Materials for facilitators to assist with organizing and delivering information sessions, including a detailed outline of the program with explanatory notes; and
  • Materials to provide to persons attending information sessions, including a participant’s workbook and resources for further reading.

^ Top of Page

PHIA Risk Management Toolkit

PHIA requires that custodians take steps that are reasonable in the circumstances to ensure that personal health information in their custody or control is:

  1. Protected against theft, loss and unauthorized access, use or disclosure;
  2. Protected against unauthorized copying or modification; and,
  3. Retained, transferred and disposed of in a secure manner.

To meet these obligations custodians should incorporate risk management processes into their projects, activities and systems as early as possible; ideally, during the design or planning phases. Risk management can be defined as being the identification, assessment, and prioritization of risks followed by a coordinated and efficient application of resources to minimize, monitor, and control the likelihood and impact of adverse events.

The PHIA Risk Management Toolkit is intended to:

  • Assist custodians of personal health information and other stakeholders in understanding their legislative obligations as they relate to the safeguarding of personal health information;
  • Assist custodians in assessing their current state of compliance with PHIA;
  • Assist custodians in assessing the effectiveness of the physical, administrative and technological controls that they have established to protect the personal health information in their custody or control; and,
  • Assist custodians in identifying any gaps or areas for improvement that there might be in their physical, administrative and technological controls.

The PHIA Risk Management Toolkit contains the following items:

  1. Information Security Management Overview
  2. Privacy Checklist
  3. Short Form Privacy Impact Assessment
  4. Long Form Privacy Impact Assessment
  5. Privacy Audit
  6. Privacy Breach Guidelines
  7. Privacy Breach Reporting Form

^ Top of Page

PHIA Policy Development Manual

The Personal Health Information Act requires that custodians have policies and procedures in place that describe the ways that they collect, use and disclose personal health information. The PHIA Policy Development manual is intended to provide custodians with a framework for developing their own policies and procedures to meet this obligation.

The PHIA Policy Development Manual sets out the legal requirements of the Personal Health Information Act and arranges those requirements into a policy framework. The manual provides custodians with sample policy and procedure language: the sample policy language reflects custodians’ obligations under the Personal Health Information Act while the sample procedure language contains suggestions as to how the policies could be implemented.

Custodians should not adopt the sample policies and procedures in this policy development manual as their own. Custodians should review the samples provided and customize them in order to make them applicable to their particular activities and lines of business.

While custodians may customize the sample language provided in the PHIA Policy Development Manual, custodians should be careful to ensure that whatever policies or procedures they develop are compliant with the requirements of the Act. Custodians should consult the Act, their regulatory authority or their solicitor for guidance on the provisions of the Personal Health Information Act, where necessary and as applicable.

^ Top of Page

PHIA Sample Notice Materials

PHIA requires that custodians take reasonable steps to inform individuals from whom they collect personal health information of the purpose for the collection, use and/or disclosure of that information. One way that a custodian can meet this requirement is by posting a notice setting out the authorized purposes for collection, use or disclosure in appropriate locations throughout their facility where it is likely to come to peoples’ attention. A custodian may also provide the individual with a copy of such a notice in brochure form.

Additionally, a custodian is required to have available a written statement that:

  1. gives a general description of the custodian’s information policies and procedures;
  2. sets out the name and access information of the custodian or the custodian’s contact person;
  3. describes how people can obtain access to or request correction of their personal health information; and,
  4. describes how a complaint may be made to the Privacy Commissioner.

The sample poster and brochure materials provided here are designed to help custodians meet these obligations. Custodians should not simply adopt the sample materials as their own; rather, custodians should review the samples provided and customize them in order to make them applicable to their particular activities and lines of business.

While custodians may customize the sample notice poster and brochure materials provided, custodians should be careful to ensure that whatever notice materials they develop are compliant with the requirements of the Act. Custodians should consult the Act, their regulatory authority or their solicitor for guidance on the provisions of the PHIA, where necessary and as applicable.

^ Top of Page

Adobe® Acrobat® Reader software can be used for viewing PDF documents. Download Acrobat® Reader for free