Who is subject to the Personal Health Information Privacy and Access Act?
The Act applies to all individuals or organizations that collect, maintain, or use personal health information for the purpose of providing or assisting in the provision of health care or treatment, or the planning and management of the health care system, or delivering a government program or service.
Custodians include, but are not limited to:
- public bodies who handle personal health information (for example the Department of Health),
- health care providers, including:
- social workers registered under the New Brunswick Association of Social Workers Act
- New Brunswick members of the Canadian Health Information Management Association
- the Minister of Health;
- the following organizations and/or agencies:
- EM/ANB Inc. (formerly known as Ambulance New Brunswick),
- the New Brunswick Health Council,
- regional health authorities (Horizon Health Network and Vitalité Health Network),
- the Workplace Health, Safety and Compensation Commission,
- the Canadian Blood Services,
- research data centres (i.e. the NB Institute for Research, Data & Training at the University of New Brunswick),
- researchers conducting a research project approved in accordance with this Act
- a laboratory or a specimen collection centre,
- nursing homes and operators as those terms are defined in the Nursing Homes Act,
- a person designated in the regulations as a custodian, such as:
- a school or school district,
- a coroner appointed under the Coroners Act,
- a successor who obtains custody of records containing personal health information held by a custodian, and,
- Service New Brunswick (under the limited circumstance of compiling or maintaining a registry of personal health information).
Information Managers and Agents
Information managers are individuals or organizations working on behalf of a custodian to store, retrieve, archive, dispose, de-identify or transform personal health information handled by a custodian, or provide information management or information technology services. While information managers are not custodians in their own right under the Act, they must follow the same rules as custodians under the Act regarding the handling of personal health information.
Agents are individuals or organizations working on behalf of a custodian for a specific purpose relating to personal health information, but who are not employees of the custodian. Information managers can also be agents. To be considered an agent for the purposes of the Act, the agent works directly for or on behalf of the custodian, and not for its own purposes. The custodian is responsible for the actions of the agent at all times in relation to the agent’s handling of personal health information.
Custodians must have a written agreement in place with either an agent or information manager before retaining their services.
Who is not subject to the Act?
While the definition of custodian is broad, the Act does not apply to individuals or organizations that handle personal health information for purposes other than health care. The Act does not apply to the handling of personal health information in the following circumstances:
- An individual or organization that collects, maintains or uses personal health information for purposes other than health care, treatment, planning, or management of the health care system, including,
- insurance companies
- regulatory bodies of health care providers
- licensed or registered health care providers who do not provide health care
- any other individual or organization prescribed by regulation;
- a note made by or for, or a communication or draft decision of a person who is acting in a judicial or quasi-judicial capacity;
- a constituency record of a Minister of the Crown;
- information in a court, judge, judicial administration record, or a record relating to support services provided to a judge or to a court official;
- anonymous or statistical information that does not, either by itself or when combined with other information available to the holder of the information, permit individuals to be identified;
- an individual’s personal health information if 50 years have passed since the death of the individual;
- the New Brunswick Insurance Board;
- the New Brunswick Human Rights Commission;
- the Labour and Employment Board established under the Labour and Employment Board Act;
- the Designation Appeal Board established under the Post-Secondary Student Financial Assistance Act;
- Premier’s Council on Disabilities;
- a review board appointed under section 30 of the Mental Health Act;
- the Mental Health Services Advisory Committee established under the Mental Health Services Act;
- a tribunal appointed under section 7.5 of the Mental Health Act;
- a person, service or organization designated as psychiatric patient advocate services under the Mental Health Act;
- a review board established by the Restigouche Hospital Center Inc.; and
- the Workers’ Compensation Appeals Tribunal established under the Workplace Health, Safety and Compensation Commission and Workers’ Compensation Appeals Tribunal Act.
Access to Personal Health Information
How to make a request for your personal health information
You can make a request directly to a custodian that holds your personal health information in order to examine or receive a copy of it. You may do so in person (orally) or in writing; however, a custodian may require that your request be in writing.
When making a request please be sure to indicate the following:
- your name and contact information;
- whether you wish to examine or get a copy of the record or part of the record; and
- sufficient detail to permit the custodian to identify and locate the information you are seeking access to so the information can be located with reasonable efforts.
You may find it helpful to keep a copy of the request, if you made it in writing, or make a note of the date of the oral request in case the custodian has questions or needs to clarify your request, or in the event that you are not satisfied with the custodian’s response and wish to exercise your right to file a complaint with our Office or refer the matter to the courts.
Duty to Assist
Under section 8 of the Act, custodians are required to offer assistance to you when making an access request if your request does not contain sufficient details to permit the custodian to identify and locate the information you are requesting. If this is the case, the custodian must help you reformulate your request. This means that the custodians are obligated to:
- conduct an adequate search for all the information you are seeking,
- let you examine the information and receive a copy if you wish,
- inform you in writing if the information does not exist or cannot be found, or of the reason access to any information is being refused, and
- inform you of your rights if you are not satisfied with the custodian’s decision in relation to your request.
Time Limit for the Custodian to Respond to a Request for Information
The Act allows a custodian 30 business days to respond to access requests. In certain situations, the custodian can self-extend this timeline of its own accord by up to an additional 30 business days, where:
(a) you do not give enough detail to enable the custodian to identify a requested record,
(b) you do not respond to a request for clarification by the custodian as soon as practicable,
(c) the relevant provisions of your record are being translated for a unilingual physician treating you if the record is in an official language the physician cannot understand,
(d) a large number of records is requested or must be searched or responding within 30 business days would interfere unreasonably with the operations of the custodian,
(e) time is needed to notify and receive representations from a third party or to consult with another custodian before permitting the personal health information to be examined or copied, or
(f) you request records that relate to a proceeding commenced by a Notice of Action or a Notice of Application.
If a custodian extends the time limit to respond of its own accord (i.e. without the Commissioner’s approval), you have the right to complain to our Office about the extension.
If the custodian is unable to respond to an access request within its own timeline, it may apply to our Office for a further extension of time, based on the same criteria above. If our Office grants the custodian additional time to respond, you do not have a right to complain to our Office about the extension.
If a custodian does not respond by the time limit to respond (either the original or extended time limit, as the case may be), you then have a right to either file a complaint with our Office or refer the matter to the courts.
Upon receiving a request, a custodian shall respond as promptly as required in the circumstances, but no later than 30 business days after receiving it (unless the time limit is extended – see Time Limit for the Custodian to Respond to a Request for Information above), or the request is transferred to another custodian. When responding to a request, a custodian shall:
- make the personal health information available to you for examination and provide a copy, if requested;
- inform you in writing if the information does not exist or cannot be found; or
- inform you in writing that the request is refused, in whole or in part, and that the refusal is based on one of the reasons described in section 14, and advise you of the right to make a complaint about the refusal under Part 6.
If the custodian does not respond to the request within 30 business days, this can be treated as a refusal to provide access.
Fees to Access Personal Health Information
You can examine a record free of charge, but if copies of a record are requested, the Act allows a custodian to charge certain fees to recover costs for the search, preparation, copying and delivery of the record. These fees cannot exceed those indicated in the Regulations, which are as follows:
- the first two hours to search and prepare the health records are free, with $15 for every additional 30 minutes of time spent after that,
- a maximum of $0.25 for each page copied,
- computer user fees when required to access databases to search for your health records, and
- costs incurred to send the records by special courier delivery (at the request of the individual).
Request for Correction of Personal Health Information
Request for a Correction of Personal Health Information
You have the right to make a request for correction to the personal health information you are entitled to examine and copy. This request can be made directly to the custodian that holds your personal health information.
Your request for correction shall be in writing and include:
- your name and contact information;
- the particular information you wish to have corrected;
- the record where you believe the information to be incorrect.
In responding to your request for correction, the custodian shall do one of the following:
- make the requested correction to the personal health information so that it forms part of the record;
- inform you, in writing, if the personal health information to be corrected no longer exists or cannot be found;
- if it does not hold your personal health information, inform you of this fact, provide you with the name and contact information of the custodian that does hold your personal information, transfer the request to that custodian and notify you of the transfer;
- inform you, in writing, of its refusal to correct your personal health information, the reason for the refusal, your right to add a statement of disagreement to the record, and your right to make a complaint with our Office or the courts about the refusal.
The statement of disagreement is a short note written by you that explains the correction you had requested and the reason for the request for correction.
The Act allows a custodian 30 business days to respond to requests for correction of personal health information. In certain situations, the custodian can self-extend this timeline of its own accord by up to an additional 30 business days (see Time Limit for the Custodian to Respond to a Request for Information above).
If you are not satisfied with how a public body has handled or responded to your access to information request or your request for correction, you can either file a complaint with our Office or refer the matter to a judge of the Court of Queen’s Bench. Please note you cannot do both.
How to File a Complaint with Our Office
If, after making the request to a custodian for access or correction, you are not happy with how a custodian has handled your request for information or for correction, you have the right to file a complaint with our Office, within the following timelines:
- A complaint must be received by our Office within 60 days after receiving the custodian’s response; or,
- If you did not receive a response by either the original or extended time limit to respond, you may file a complaint with our Office within 120 days from the date you submitted the request to the custodian.
If you choose to file a complaint, you will be required to submit the complaint to our Office in writing. You may do so by sending us a letter (by mail, email or facsimile) with the following details:
- a) the date you made your request,
- b) whether you made the request by letter or in person,
- c) to whom the request was made (e.g. the name of the health care provider), and,
- d) what took place (e.g. that your request was refused, not responded to, or you did not get all of the information you were seeking).
If you submitted a written request, we will ask that you submit a copy of this along with a copy of the response you received, if any. It is not necessary to provide us with the personal records you received, even if these are not complete, because we will investigate the case directly with the custodian.
How to Refer a Matter to the Courts
If you wish to refer your case to the Court of Queen’s Bench, you must do so within 30 days after the date of the custodian’s decision. To do so, please contact the Clerk’s Office in the region where you live. See the attached link for contact information for the New Brunswick Clerks’ Offices: Court Contact Information.
Complaint Investigation Process
The types of complaints we generally receive under the Act are:
- no response complaint – the custodian has not responded to a request for access,
- fee complaint – the custodian has provided an invoice to an individual that is not in conformity with the Act, and,
- content complaint – the individual believes that the custodian did not provide all of the requested personal health information.
The first step when we receive a complaint is to determine whether we have received all the required information to accept a complaint and if we have jurisdiction to investigate your complaint. Where this is the case, we will then notify the custodian involved and provide it with a copy of the complaint. At that time, we will also ask the custodian to provide us with a written or verbal reply to the complaint, including explanations as to why access to information was refused, if any, the steps taken to search for relevant records, etc.
Informal Resolution Process
Once we receive the custodian’s reply, we will take appropriate steps to resolve the complaint informally to your and the custodian’s satisfaction, and in a manner consistent with the purposes of the Act. Depending on the circumstances, this may include the custodian providing you with further disclosure of information and accompanying explanations, or where we find the custodian has provided access to all of the information you were entitled to receive, we will provide you with explanations to support our findings. In both cases, we will seek your input as to whether this is satisfactory to resolve the complaint, and where this is so, this will conclude our investigation and the file will be closed.
In some cases, the Commissioner may decide to cease the investigation if the Commissioner believes the custodian has provided you with all of the information you were entitled to receive under the Act. If the Commissioner ceases the investigation at that point, our Office will inform you and the custodian of this decision and the reasons why.
Formal Investigation Process
If the Commissioner finds that further action is to be taken by the custodian to uphold the applicant’s access rights and proceeds with a formal investigation, the Commissioner will conclude the investigation with a report of findings. The Commissioner may recommend that the custodian:
- grant the access request or the request for correction, in whole or part;
- reply to the request or deny the request.
The Act states that the Commissioner has 90 days from receipt of an access complaint to issue a report of findings; however, the Commissioner has the authority to extend this time limit by giving notice to the parties to the complaint of the anticipated date for providing the report.
When the Commissioner issues a report of findings with recommendations, the custodian has 15 days from the date it received the report to decide whether it will accept the Commissioner’s recommendations or not and give notice of its decision to the parties, with a copy to our Office. The custodian’s notice must include the reasons for its decision and, where applicable, the applicant’s appeal rights and time limits to file an appeal with the Court of Queen’s Bench.
Custodians are required to follow the requirements set out in Part 4 – Collection, use and disclosure of Personal Health Information of the Act whenever they handle personal health information. The Act defines “personal health information” to mean identifying information about you, an individual, in oral or recorded form if the information:
- relates to your physical or mental health, family history or health care history, including genetic information about you,
- is your registration information, including your Medicare number,
- relates to the provision of health care to you,
- relates to information about your payments or your eligibility for health care, or your eligibility for coverage for health care,
- relates to your donation of any body part or bodily substance or is derived from the testing or examination of any of your body parts or bodily substances,
- identifies your substitute decision maker, or
- identifies your health care provider.
You can file a privacy complaint with our Office if you believe that a custodian has:
- collected, used or disclosed your personal health information contrary to the Act; or
- failed to protect your personal health information in a secure manner as required by the Act.
To file a privacy complaint with our Office, please complete our Privacy Complaint form (found here) and submit it to our Office.
Collection, Use, and Disclosure of Personal Information
Under the Act, custodians are only lawfully allowed to collect your personal health information where:
- the custodian has your consent under the Act and the collection, to the best of the custodian’s knowledge, is necessary for a lawful purpose,
- the collection is permitted by the Act,
- without your consent, if you are incapable of giving consent and
- the custodian cannot get the consent of your substitute decision-maker in a timely manner, or
- you have been admitted to a psychiatric facility as an involuntary patient under the Mental Health Act.
As a general rule, custodians must collect your personal health information directly from you, unless the Act specifically authorizes the collection from another source in certain circumstances.
As for the use and disclosure of your personal health information, the following general principles apply:
- custodians can only use or disclose your personal health information as authorized under Division B of Part 4 of the Act,
- every use or disclosure of your personal health information must be limited to the minimum amount of information necessary to accomplish the purpose for which it is used or disclosed; and,
- custodians must limit the use and disclosure of your personal health information to those who need to know the information to carry out their duties.
If you are concerned about how a custodian has handled your personal health information or if you have been notified by a custodian of a privacy breach involving your personal health information, you have the right to file a complaint with our Office. Please complete our Privacy Complaint form (found here) and submit it to our Office.
Privacy Complaint Investigation Process
When we receive a privacy complaint, we will notify the custodian involved and provide it with a copy of your complaint. If you have any concerns about our Office sharing your complaint with the custodian, please let us know so that we can discuss this with you as soon as possible.
When we notify the custodian of your complaint, we will ask the custodian to provide a written reply to the concerns raised in your complaint and any other information that may be relevant to the matter.
Our Office has 90 days to complete an investigation into a privacy complaint.
Once we have received the custodian’s response to your privacy complaint, we will review the information provided, along with the applicable provisions of the Act, and determine if the custodian handled your personal information inappropriately. If we find this to be the case, and the custodian acknowledges its error and agrees to undertake appropriate corrective measures, we will then provide you with the reasons as to why the privacy breach occurred and invite your input as to whether the corrective measures undertaken by the public body are satisfactory to resolve your complaint.
Where we find that the custodian has not handled your personal information in keeping with the Act and the custodian does not agree or does not wish to undertake appropriate corrective measures, the matter will be referred to the Commissioner for review and final disposition, and may result in our Office issuing formal recommendations to the custodian. If we issue recommendations to the custodian, they will be limited to improving compliance with the Act. Our Office cannot recommend that someone be fired, recommend financial compensation for any mishandling of your personal information, or investigate or assess criminal or civil culpability on the part of the custodian.
It is important to note that while our Office is mandated to investigate privacy complaints and issue recommendations to custodians where the Commissioner deems it necessary, our mandate is to ensure that custodians implement appropriate practices, policies, and safeguards to reduce the risk of a similar situation occurring again in the future.