Connect with us!
Home | About | In The News | Contact

Personal Health Information Act

Background Information on the PHIA for Registered Massage Therapist's

The Personal Health Information Act dictates that:

●      health information is personal, and sensitive and its confidentiality must be protected to ensure individuals are confident (or comfortable) in seeking health care and disclosing sensitive information to health professionals;

●      individuals need access to their own health information as a matter of fairness, to enable them to make informed decisions about their health care and to request the correction of inaccurate or incomplete information about themselves;

Massage therapists are considered trustees under the PHIA, and as such are bound to hold a patient’s information “in trust”. 

Definition: PHIA is the Personal Health Information Act (1997). It is a piece of legislation that applies to all Manitobans who collect, maintain, and have access to personal health information. 

Repercussions: A person who is found guilty of an offense under PHIA may be subjected to a fine. Fines may range up to a maximum of $50,000. Not all breaches end in prosecution. However, trustees and their employees should note that even if a breach is not prosecuted, it may still result in disciplinary action from an employer, the MTAM, and the loss of a patient’s trust.

Government of Manitoba Website:

PHIA Resources and Links - Privacy Toolkit for Health Professionals

Next Event for Members

Next PHIA Event for Members:

Frequently Asked Questions from our members

Q: Do my patients have the right to see the chart and treatment notes I have for them?

A: Yes. An individual has a right to view or obtain a copy of any personal health information.

Q: How much time do I have to respond to a request from a patient to examine their personal health information?


●       24 hours after receiving a request from a hospital admitted in-patient for information about their current care,

●      72 hours after receiving a request from a person who is not a hospital in-patient for information about their current care,

●      30 days after receiving a request for any other information not directly involving their current care.

Q: How long is a patient under my “current care” versus an inactive patient?

A: The MTAM defines care currently provided as treatment that you have provided to a patient within the last 6 months.

Q: My chart contains a lot of abbreviations. Do I have to explain the abbreviations to my patients if they request their chart?

A: Many massage therapists use abbreviations when charting. When you receive a request for a chart you must also provide a key for any abbreviations that are used. Under PHIA, it is not good enough to only provide a patient with their chart. They must also be able to understand the information that is in the chart.

Q: Can I charge a fee to my patients to provide them with copy of their chart?

A: Yes, you can charge a reasonable fee. The MTAM suggests a photocopying fee of $0.10 per page for photocopying/printing of a patient’s chart. 

Q: Do I have to let my patients know about their rights under PHIA? 

A: Yes, you must use a sign, poster, brochure, or similar means to provide notice to your patients. This notice must be prominently displayed in as many locations as necessary to ensure that it is likely to come to the patient’s attention. The MTAM has a downloadable poster that you can use.

Q: I do reminder calls/emails to my patients - do I need consent?

A: Yes, you need consent to send emails or to leave voice/text messages that contain appointment information. The MTAM suggests that you include this consent as part of your initial intake process.

Q: What security measures do I need for securing my paper files? Electronic files?

A: Personal health information must be stored in such a way that only those who need to obtain the information will have access to it. Massage therapists must have physical, technical, and administrative safeguards in place. 

All about storing on Canadian Servers:

In speaking with MTAM's PHIA representative with respect to using a Canadian based server for cloud schedulers and patient files he had the following things to say; Ideally a Trustee's patients health information would be stored in Canada, but there are currently no specific laws indicating that it must be stored in Canada.
It is generally accepted practice that health information can be saved on US servers, as Canada and US have similar practices/safeguards in place with regards to security and health information. Should health information be stored on international servers (outside of the US and Canada), this may pose a problem if a trustee has not done their homework with regards to the assurance of Canadian levels of security.
In the end it is the duty of the trustee to ensure that the services/products they use meet the obligations of trustee's in Manitoba and have safeguards in place should a breach occur.   
As a health care provider in Manitoba your obligations are to ensure that your patient files are kept private and accessed only by relevant personnel.   To ensure the security of patient health information, trustees must have: 
1. Physical safeguards – E.G. proximity reader ID badges, locked rooms and sections, lockable filing cabinets 
2. Technical safeguards – E.G. passwords, secure networks, encryption software, firewalls, antivirus 
3. Administrative safeguards – E.G. policies, procedures, training, pledges Safeguards must be appropriate to the sensitivity of the information.
Please review the link below from the Province of Manitoba website for more information.

Q: How long do I have to keep my patient files?

A: PHIA does not dictate how long you keep patient files, however, you do need a written document outlining your retention policy. The National Standards of Practice advises that medical records should be retained for 10 years from the date of last entry, or in the case of a minor, age of majority plus 10 years.

Q: If I receive a call, email or letter of request from a third-party insurance provider, can I tell them that a patient came in for treatment? 

A: The insurance company needs consent from the patient before ANY information is disclosed from you on their behalf. You cannot even disclose if the patient came to see you without that patient's consent.

Q: Can I sell my health records when I sell my clinic?

A: Yes. The act allows you to sell health information to another trustee as part of the sale of a professional practice. However, selling personal health information or disclosing it for gain for ANY other purpose is strictly prohibited.

Q: How do old patient files need to be destroyed?

A: Patient files need to be destroyed in a secure manner. The MTAM, recommends that all personal health information be destroyed by a cross-cut shredder.

Q: I am leaving the clinic that I work at, do I get to take patient files with me?

A: PHIA does not say who owns patient files. How patient files are managed when a therapist leaves a clinic should be outlined in your contract with the clinic. If there is no contract, or if it is not expressly outlined in the contract, then patient files usually stay at their current location.

Q: What is a privacy breach? 

A: A privacy breach is the improper or unauthorized collection, use, disclosure, or destruction of personal health information.  Should you have a privacy breach you can contact the Ombudsman to help you deal with the breach in the best way possible.


1 – A player from the Winnipeg Jets comes into the clinic where you work, and sees a fellow therapist for treatment. After the Jets' player leaves, you look at his chart to see what treatment he received.

●      This is not appropriate. It is a breach of PHIA, and is called snooping. You are not allowed to look at the chart since you do not need to know the health information of that person. They are not under your care. This type of breach would be dealt with internally at the clinic.

2 - Your home-based business is broken into, and your computer with all your patient records has been stolen.

●      This is a breach because the health information on the computer may become available to the person that stole your computer. In this case, it is recommended that you contact the Ombudsman for the best way to handle the breach. KEY RESOURCES IN MANAGING A PRIVACY BREACH

Q: What happens when a trustee passes away or becomes incapacitated? 

A: All trustees have the responsibility to ensure that records are available for patients to access, even after the death or incapacitation of the trustee. However, PHIA does not set out specific instruction as to how this should occur. Sometimes the spouse of a deceased or incapacitated trustee stores the records on their own, and provides access to the records to the former patients. In other cases, a record management company is hired.

Q: Do I need any written policies in place?

A: You need to have written policies in place for how you will handle requests for personal health information, disclosure, retention, and destruction of personal health information. You will also need a policy outlining how you will handle breaches of personal health information.

Policies & Procedures required to comply with PHIA