If you need a PIA, you're in the right place.
Custodians of patient information in Alberta are required by section 64 of the Health Information Act (HIA) to submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner (OIPC). The purpose of the document is two-fold. First, to demonstrate your commitment and ability to protect patient privacy. Second, to protect you and your patients from the preventable and dangerous loss or exposure of sensitive information.
Use this site as a resource to learn more about your clinic's responsibilities under the HIA and the requirements for submitting a PIA. The answers you'll find here are curated by experts with decades of experience in privacy compliance in Alberta, with over 1,000 approved Privacy Impact Assessments.
Tips For Getting Started With Your PIA
The First 5 Steps to Privacy Compliance
What do you need from a privacy compliance partner?
Choosing the right professionals to help with your PIA will expedite your process and significantly reduce the time and effort required on your end. Properly experienced consultants with the right resources offer a great deal more than a basic Privacy Impact Assessment. Your privacy compliance and security needs will continue to evolve after the initial assessment is accepted. This list helps you identify the support you will need on an ongoing basis from your compliance support partner.
Top privacy risks clinics face:
Healthcare clinics are particularly susceptible to privacy and security breaches.
The cost of theft:
Private patient information is 50 times more valuable on the black market than credit card data. Criminals can use stolen patient data to assume a patient's identity, not only causing severe financial and reputational damage but also putting the patient's health at risk by contaminating their medical record.
The cost of non-compliance:
Privacy regulations in healthcare exist to keep patient information safe, and protect your practice from the consequences of a breach or malicious attack. Failure to comply with regulations can constitute a breach and cost heavily in fines and other punitive measures including loss of patients.
The cost of losing patients:
Clinics publicly known to have lost private patient information have seen as much as a 70% drop in patient loyalty. And it's hard to get them back. Research shows Canadians are willing to travel up to 50 km if local providers aren't careful with their confidential information.
The real threat of ransomware:
Ransomware is malicious software that infects clinic networks and locks away important information such as digital patient files until a ransom is paid. Clinics are a target because of the black market value of patient records and the fact that most clinics believe they are too insignificant to be a target. In reality, attackers can make over $1,000,000 from the patients' records taken from just one clinic, and that's after they've already taken a ransom to release the information.
When ransomware locks away patient records, clinics are typically shut down for a few days until they're able to recover the lost data. Attacks like this are considered a privacy breach because the clinic has lost control of its patients' private information. In jurisdictions where breach reporting is mandatory, infected clinics are likely required to notify patients (by phone and/or letter), and even the news media, to make all affected parties aware that their private information has leaked and their identity is at risk. Regulations typically require identity monitoring for each impacted patient for one to two years.