Personal Health Information Act

Background Information on the PHIA for Registered Massage Therapists

The Personal Health Information Act dictates that:

  • health information is personal and sensitive, and its confidentiality must be protected to ensure individuals are confident (or comfortable) in seeking health care and disclosing sensitive information to health professionals;
  • individuals need access to their own health information as a matter of fairness, to enable them to make informed decisions about their health care and to request the correction of inaccurate or incomplete information about themselves;

Massage therapists are considered trustees under the PHIA, and as such are bound to hold a patient’s information “in trust”.

Definition: PHIA is the Personal Health Information Act (1997). It is a piece of legislation that applies to all Manitobans who collect, maintain, and have access to personal health information.

Repercussions: A person who is found guilty of an offense under PHIA may be subjected to a fine. Fines may range up to a maximum of $50,000. Not all breaches end in prosecution. However, trustees and their employees should note that even if a breach is not prosecuted, it may still result in disciplinary action from an employer, the MTAM, and the loss of a patient’s trust.

Government of Manitoba Website: https://www.gov.mb.ca/health/phia/index.html

PHIA Resources and Links - Privacy Toolkit for Health Professionals


Trustee Policies & Procedures required to comply with PHIA

Click to Download PDF:
MTAM - Policies & Procedures required to comply with PHIA


Pledge of Confidentiality

Trustees and any designated privacy staff/officers are obligated under the Act to sign a Pledge of Confidentiality.


Frequently Asked Questions from our members

Q: Do my patients have the right to see the chart and treatment notes I have for them?

A: Yes. An individual has a right to view or obtain a copy of any personal health information.

PHIA patient access request form


Q: How much time do I have to respond to a request from a patient to examine their personal health information?

A:

  • 24 hours after receiving a request from a hospital admitted in-patient for information about their current care,
  • 72 hours after receiving a request from a person who is not a hospital in-patient for information about their current care,
  • 30 days after receiving a request for any other information not directly involving their current care.

Q: How do I communicate to my clients their rights regarding accessing their personal health information?

A: All trustees are required to communicate a patient's rights to access their personal health information. The Act stipulates having the information in a public location within your practice. Posters and brochures are available for free from the Government of Manitoba. MTAM has created posters that can be printed and used in your practice as well.

PHIA Poster | MTAM Poster | MTAM Poster (ink friendly)

Q: How long is a patient under my “current care” versus an inactive patient?

A: The MTAM defines care currently provided as treatment that you have provided to a patient within the last 6 months.


Q: My chart contains a lot of abbreviations. Do I have to explain the abbreviations to my patients if they request their chart?

A: Many massage therapists use abbreviations when charting. When you receive a request for a chart you must also provide a key for any abbreviations that are used. Under PHIA, it is not good enough to only provide a patient with their chart. They must also be able to understand the information that is in the chart.


Q: Can I charge a fee to my patients to provide them with a copy of their chart?

A: Yes, you can charge a reasonable fee. The MTAM suggests a photocopying fee of $0.10 per page for photocopying/printing of a patient’s chart.


Q: I do reminder calls/emails to my patients - do I need consent?

A: Yes, you need consent to send emails or to leave voice/text messages that contain appointment information. The MTAM suggests that you include this consent as part of your initial intake process.


Q: What security measures do I need for securing my paper files? Electronic files?

A: Regardless of the format (paper or electronic), personal health information must be stored in such a way that only those who need to obtain the information will have access to it. Massage therapists must have the following safeguards in place:

  1. Physical safeguards – e.g. proximity reader ID badges, locked rooms and sections, lockable filing cabinets
  2. Technical safeguards (for electronic records/computer access etc.) – e.g. passwords, secure networks, encryption software, firewalls, antivirus
  3. Administrative safeguards – e.g. policies, procedures, training, pledges

Safeguards must be appropriate to the sensitivity of the information.

Q: Is downloading patient files to an external hard drive or a flash drive acceptable? Do these drives need to be password protected?

A: Yes, as long as reasonable security safeguards are employed to protect the drives. Password protection AND encryption should also be considered as well as other technical, physical and administrative safeguards put in place to protect the information.


Q: Is keeping an external hard drive or flash drive in a locked cabinet acceptable?  

A: Yes, but this alone is not enough of a safeguard; further safeguards that are appropriate to the sensitive type of information may also need to be employed. (Think password, encryption, fire protection etc.)


Q: What about my software files?  I use a booking and charting software program. What are the PHIA rules around this?

A: Something to consider when purchasing booking and charting software is the location of the program servers.

All about storing on Canadian Servers:

In speaking with MTAM's PHIA representative with respect to using a Canadian-based server for cloud schedulers and patient files, he had the following things to say: ideally, a trustee's patients' health information would be stored in Canada, but there are currently no specific laws indicating that it must be stored in Canada.

It is generally accepted practice that health information can be saved on US servers, as Canada and the US have similar practices/safeguards in place with regard to security and health information. Should health information be stored on international servers (outside of the US and Canada), this may pose a problem if a trustee has not done their homework with regard to the assurance of Canadian levels of security.

In the end, it is the duty of the trustee to ensure that the services/products they use meet the obligations of trustees in Manitoba and have safeguards in place should a breach occur.

As a health care provider in Manitoba, your obligations are to ensure that your patient files are kept private and accessed only by relevant personnel. To ensure the security of patient health information, trustees must have:

  1. Physical safeguards – e.g. proximity reader ID badges, locked rooms and sections, lockable filing cabinets
  2. Technical safeguards (for electronic records/computer access etc.) – e.g. passwords, secure networks, encryption software, firewalls, antivirus
  3. Administrative safeguards – e.g. policies, procedures, training, pledges

Safeguards must be appropriate to the sensitivity of the information.

Please review the link below from the Province of Manitoba website for more information.

PHIA resources and links - Privacy toolkit for Health Professionals


Q: What if I no longer use the online program and have a request to access information?

A: PHIA states patients have a right to access their personal health information; therefore, trustees must have accessible possession of the information. Contact your software program and inquire about accessing information if you no longer subscribe to the program. You may be able to download Health History forms and SOAP notes and store them on an external hard drive. Each company will have its own policy. It is best to check with them before purchasing the program to ensure you will have access to your clients' personal health information for the next 10 years.


Q: How long do I have to keep my patient files?

A: PHIA does not dictate how long you keep patient files, however, you do need a written document outlining your retention policy. The National Standards of Practice advises that medical records should be retained for 10 years from the date of last entry, or in the case of a minor, age of majority plus 10 years.


Q: If I receive a call, email or letter of request from a third-party insurance provider, can I tell them that a patient came in for treatment?

A: The insurance company needs consent from the patient before ANY information is disclosed from you on their behalf. You cannot even disclose if the patient came to see you without that patient's consent.


Q: Can I sell my health records when I sell my clinic?

A: Yes. The act allows you to sell health information to another trustee as part of the sale of a professional practice. However, selling personal health information or disclosing it for gain for ANY other purpose is strictly prohibited.


Q: How do old patient files need to be destroyed?

A: Patient files need to be destroyed in a secure manner. The MTAM recommends that all personal health information be destroyed by a cross-cut shredder.


Q: I am leaving the clinic that I work at, do I get to take patient files with me?

A: PHIA does not say who "owns" patient files. How patient files are managed when a therapist leaves a clinic should be outlined in your contract with the clinic. If there is no contract, or if it is not expressly outlined in the contract, then patient files usually stay at their current location. The MTAM recommends, and reminds both the MT and the Clinic Owners, to keep in mind that the patient's needs should come first. Continuity of care is really important, so settling on a fair way to ensure patients can access their health care provider is the ethical thing to do. Please put the patient and professionalism before protectionism and profit.


Q: What is a privacy breach? 

A: A privacy breach is the improper or unauthorized collection, use, disclosure, or destruction of personal health information.  Should you have a privacy breach you can contact the Ombudsman to help you deal with the breach in the best way possible. www.ombudsman.mb.ca/info/phia.html

Examples:

1 – A player from the Winnipeg Jets comes into the clinic where you work, and sees a fellow therapist for treatment. After the Jets' player leaves, you look at his chart to see what treatment he received.

  • This is not appropriate. It is a breach of PHIA, and is called snooping. You are not allowed to look at the chart since you do not need to know the health information of that person. They are not under your care. This type of breach would be dealt with internally at the clinic.

2 – Your home-based business is broken into, and your computer with all your patient records has been stolen.

  • This is a breach because the health information on the computer may become available to the person that stole your computer. In this case, it is recommended that you contact the Ombudsman for the best way to handle the breach.

Key Resources in Managing a Privacy Breach


Q: What happens when a trustee passes away or becomes incapacitated?

A: All trustees have the responsibility to ensure that records are available for patients to access, even after the death or incapacitation of the trustee. However, PHIA does not set out specific instruction as to how this should occur. Sometimes the spouse of a deceased or incapacitated trustee stores the records on their own, and provides access to the records to the former patients. In other cases, a record management company is hired.


Q: Do I need any written policies in place?

A: You need to have written policies in place for how you will handle requests for personal health information, disclosure, retention, and destruction of personal health information. You will also need a policy outlining how you will handle breaches of personal health information.

Policies & Procedures required to comply with PHIA


Q: Can I audio record my massage sessions with clients, as a way of protecting my practice?

A: The Manitoba Ombudsman's office acknowledges there is a need for guidance when organizations consider using surveillance systems. Implementing a surveillance system requires careful consideration and forethought to minimize the impact on the privacy rights of individuals. There are several factors to consider, so the MTAM highly recommends contacting the Ombudsman directly to ask:

www.ombudsman.mb.ca
ombudsman@ombudsman.mb.ca
1-800-665-0531
204-982-9130