Research Ethics Tutorial

Tutorial For Researchers Conducting Retrospective Review of Health Records

Why is this tutorial being offered, when do I have to complete it, how long will it take and what will I get out of it?

You are required to successfully complete this tutorial before your Application for Retrospective Review will be processed or reviewed by the Windsor Regional Hospital Research Ethics Board.

Researchers are asked to complete this brief tutorial to ensure that they are aware of the privacy issues which arise in research involving retrospective review, and that they know how to complete the Application for Retrospective Review form so that there will be no delay in the approval process.

The tutorial will take 15 minutes to complete. It consists of:

  • Guidance to researchers
  • Several privacy scenarios
  • A quiz with five questions at the bottom of the page

Read the content and answer the quiz below. Upon successful completion, you will receive a certificate by email.

Please send questions or comments about the tutorial to WRH REB at



What is PHIPA?

The Ontario "Health Information Protection Act" (HIPA) came into effect on November 1, 2004. Schedule "A" of the HIPA Act is the "Personal Health Information Protection Act" (PHIPA). PHIPA is provincial legislation that provides, for the first time in Ontario, consistent comprehensive rules governing the collection, use, and disclosure of personal health information. It codifies many of the current practices and codes of conduct of health care providers in Ontario.

Who does PHIPA Apply to?

PHIPA applies to Health Information Custodians (HICs) who collect, use, and disclose personal health information (PHI) AND to persons or companies who receive PHI from HICs (e.g. researchers, insurance companies, employers, and others).

What is Personal Health Information?

Personal health information is written or oral "identifying information" collected about an individual. It is information about an individual's health or health care history in relation to:

  • The individual's physical or mental condition, including family medical history;
  • The provision of health care to the individual;
  • Long-term health care services;
  • The individual's health care number;
  • Blood or body-part donations;
  • Payment or eligibility for health care; and
  • The identity of a health care provider or a substitute decision-maker for the individual.

Who are Health Information Custodians (HIC)?

Windsor Regional Hospital is considered a Health Information Custodian (HIC) and will ensure that the records of personal health information (PHI) that it has within its custody and under its control are retained, transferred, and disposed of in a secure manner and in accordance with PHIPA and its corresponding regulations.

Physicians who are affiliated with Windsor Regional Hospital and maintain their own patient records for healthcare purposes (i.e. records which are not included in the health records of Windsor Regional Hospital) are also considered to be HICs.

HICs are permitted to authorize designated agents to act on behalf of the HIC in relation to the HIC's activities, including the collection, use, and disclosure of PHI.

Who are the Agents of a Health Information Custodian?

PHIPA assumes that PHI is in the custody of the HIC. The HIC may permit its agents to collect, use, disclose, retain or dispose of PHI on the HIC's behalf. An agent of the HIC is someone who is authorized to act on behalf of the HIC (e.g. residents and trainees, hospital employees, volunteers, and others) and who performs activities for the purposes of the HIC (generally health-care purposes).

Agents are not HICs in and of themselves. Agents may be internal or external to the HIC. The HIC has a responsibility to ensure that its agents are informed of the provisions of PHIPA and that they comply with them.

Does PHIPA Apply to Research and Researchers?

PHIPA applies to all researchers who obtain PHI in the course of their responsibilities as health care practitioners (including everyone regulated by the Regulated Health Professions Act, anyone regulated by the Drugless Practitioners Act, and Social or Social Service workers or any persons providing health care for payment).

PHIPA also applies to all researchers who obtain PHI from any HIC.

Research is defined in PHIPA in substantially the same way as it is defined in the Tri-Council Policy Statement, i.e. "a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of these, and includes the development, testing, and evaluation of research".

What are the requirements of PHIPA?

In general terms, PHIPA requires an individual's consent to the collection, use, or disclosure of PHI. To be valid, the consent must be knowledgeable, it must relate to the information provided, and it must not be obtained through deception or coercion.

PHIPA specifically allows for either express or implied consent, requiring express consent in certain defined circumstances.

What are the differences between Express and Implied Consent?

Express consent is consent obtained specifically and directly from the individual or his or her authorized legal guardian.

Implied consent is consent that may be assumed to have been given, if it is reasonable, under all of the circumstances, to assume that it has been given. PHIPA expressly provides that a HIC which receives PHI about an individual, from the individual or from another HIC, for the purposes of providing health care to the individual is entitled to assume that it has the individual's implied consent to collect, use or disclose the information for the purposes of providing health care (not research) to the individual, unless the HIC that receives the PHI is aware that the individual has expressly withheld or withdrawn the consent.

What type of Consent Does PHIPA Require for Research Purposes?

PHIPA specifically provides [Section 18(3)] that consent must be express and not implied if a HIC is disclosing PHI to:

  • A person who is not a HIC (e.g. a researcher or a research assistant), OR
  • For a purpose other than providing health care or assisting in providing health care (e.g. research).

Most, but not all, of the research conducted at Windsor Regional Hospital will entail obtaining express consent from the participants in the research. Most of the research will have undergone a research review by the Research Ethics Board, and the consent form (and process for obtaining it), will have been approved by the Research Ethics Board.


Generally, if the researcher has REB approval and provides for express consent, the requirements of PHIPA will have been met.

How Do I comply with PHIPA without Getting Express Consent?


Some research, particularly large epidemiological studies, would not be possible to conduct if express consent to the use and disclosure of personal health information had to be obtained from every individual involved.

PHIPA expressly recognizes this reality and provides for the possibility of a waiver of express consent for research purposes, provided that certain criteria apply, and specific requirements are met.

A HIC cannot use or disclose personal health information for research purposes, without the express consent of the individual, unless the provisions of Section 44 of PHIPA are complied with.

The Act requires that the HIC obtain from the researcher a written application, a research plan that has been approved by the Research Ethics Board, and a copy of the Research Ethics Board approval.

What are the requirements of the Application and the Research Plan?

The research plan must include:
  • The name, affiliation, roles, and qualifications of everyone working on the research and accessing PHI
  • Adequate justification for disclosing PHI to these persons
  • The nature of the research
  • The particular research objectives and related research questions
  • The duration of the research
  • The anticipated public and scientific benefit of the research
  • The required PHI
  • The sources of the PHI
  • The use of PHI, including details on information linkage (if any)
  • Adequate justification for using the PHI
  • Adequate justification for linking the PHI
  • Adequate consent process/form OR adequate justification for proceeding without the consent
  • The reasonably foreseeable harms and benefits of the information use
  • Adequate explanation of how foreseeable harms will be addressed
  • Adequate privacy and security safeguards
  • How long the information will remain identifiable and why
  • How and when the information will be destroyed or returned to the source
  • Details on research funding
  • Details on whether the researcher has applied for other REB approval and its response or the status of the application
  • Details on the researcher's conflicts of interest

The WRHREB Application for Archival/Secondary use of Data (chart abstraction) captures all of the information required by the provisions of PHIPA. The form satisfies the requirement for both the Application and the Research Plan.

What will the REB Consider When Deciding if a Waiver of Express Consent Should be Granted?

The Research Ethics Board is required to consider any matters which it considers relevant, including all of the following:
  1. Whether the research purposes cannot be achieved without the information;
  2. Whether it is impracticable to obtain consent;
  3. What safeguards for the protection of the information are in place and whether the information will be used in a manner that will ensure its confidentiality; and
  4. Whether the public interest in conducting the research exceeds the public interest in protecting the privacy of the individuals.

What are my Duties as a Researcher with Respect to PHI?

As a researcher, you must:
  • Comply with the approved research plan, including any conditions imposed by the REB, 
  • Implement the safeguards for protecting the information outlined in your plan,
  • Use PHI only for the purposes described in your research plan,
  • Not publish PHI in a way that could reasonably allow others to identify the individual whose information was used in the research,
  • Only disclose the information when required by law,
  • Not contact individuals whose information is used in the research unless they have given consent to the disclosing HIC to be contacted by you (even if the PHI you hold is stolen, lost or accessed by unauthorized individuals). Note: The HIC which collects the information would obtain consent,
  • Comply with the terms and conditions of the written agreement that you enter into with the disclosing HIC, and
  • Provide written notice of any breach of the written agreement or any of these duties to the disclosing HIC.

If you work under a research plan approved outside of Ontario, you must follow the same requirements that researchers whose plans are approved in Ontario must follow.

Researchers may use or disclose PHI originating outside of Ontario for research purposes without consent if an REB (or other body outside of Ontario responsible for approved research) has approved the research.

Privacy Scenario 1: Use of PHI by Agents of the HIC

Does a Medical Student or Resident in the Hospital have to obtain REB approval to access hospital health records for research purposes?

Yes. The Medical Student/Resident is considered to be an agent of the HIC. If the Medical Student/Resident wishes to access hospital health records for research purposes, this would be considered a use of the PHI by the HIC for non-healthcare purposes. The Medical Student/Resident is required to obtain REB approval before proceeding with the research, and if the express consent of the patient is not contemplated, the criteria for granting a waiver must be met.

If the Medical Student/Resident develops a research study and creates a database of PHI obtained through the review of patient health records, is the Medical Student/Resident permitted to take the database when he/she leaves the hospital?

No. If PHI is collected from within the hospital, in other words, if it is PHI in the custody of the hospital as HIC, then the PHI must stay within the hospital; it does not belong to the Medical Student/Resident or any other agent of the hospital.

Privacy Scenario 2: Screening through laboratory services

The research question: Are patients with elevated serum bilirubin more likely to be taking triglyceride-lowering drugs?

The researcher is designing a study to address the above question and will submit it to the REB for review and approval. In the proposed study, the researcher plans to ask Laboratory Services in the Hospital to flag all abnormal serum bilirubins in adult patients and then plans to go through the patients' charts to find out whether the patients are taking specific medications. For those patients with abnormal test results, the researcher will ask the attending physician to contact their patient, asking the patient's permission for the researcher to contact them. Does Lab Services have the right to disclose this information to the researcher?

Yes. Prior to the Lab disclosing the PHI to the researcher, the Lab must be assured that the researcher has obtained REB and Health Records approval, and if the express consent of the patients is not contemplated, the criteria for granting a waiver must be met.

Privacy Scenario 2a: Contacting patients identified by the lab

The researcher now has a list from Lab Services of patients with abnormal serum bilirubins, and a list of 50 attending physicians (also HICs). Twenty of the attending physicians will only participate in the study if the researcher does all the contact work, citing a lack of time and resources to do it themselves.

Is it acceptable for the researcher to then propose to the physician that the researcher pay for someone to contact the patient on the physician's behalf?

What if the physician doesn't want to be involved with this at all? Let's say they do not want to give their patients the opportunity to be asked if they are interested in participating. Assuming this is really "important research", what are the researcher's options?

The physician (or his/her agent) must obtain the individual's express consent before the researcher can contact the individual; however, the physician may appoint someone to act as their agent to contact the patient. The physician could approve the researcher to contact the patient on his/her behalf as an authorized agent. However, best practice (see CIHR Privacy Best Practices Guideline) would caution the physician regarding the patient's expectations with respect to access, undue influence, etc.

The REB would need to approve the research plan which details who is contacting the patient, the telephone or contact script to be used, etc.

It would be more appropriate to offer to compensate the physician for his/her staff's time spent contacting the patients. For the person to be the authorized agent of the physician, she/he should be paid and supervised by the physician, not by the researcher.

Privacy Scenario 3: Sampling from an established database

There is a large database in a mental health program that was originally established for administrative purposes and quality assurance, but now they want to use it for research. They want to do an intervention and see the impact on outcomes. The database was set up 10 years ago. Information collected includes the date of birth, the first 3 digits of the HIN, and the patient's initials, which are used to come up with a unique identifier, and this number is used in the database.
  • Can the existing information be used for research purposes? Yes
  • Should patients give express consent for the use of their information from this point forward? Yes
  • Patients are not being contacted, but their anonymized data are being used. Can the REBs provide a waiver of consent in this case? Yes


Test Questions for Certification

Question 1: Which of the following would best define what personal health information is?

Question 2: The Personal Health Information Protection Act (PHIPA), applies to

Question 3: Health Information Custodians (HIC) mentioned in this tutorial are

Question 4: Waiver of express consent for research purposes is permitted when

Question 5: As a researcher I must

