Submit your PIA and privacy questions:
What is a Privacy Impact Assessment (PIA)?
A PIA is an in depth look at how an organization, office or clinic proposes to use and handle patient information and is meant to address potential risks to patient privacy. It is a declaration to the OIPC that your clinic understands how, and has sufficient processes in place, to protect the information of your patients.
Section 64 of the Health Information Act (HIA) mandates submission of a Privacy Impact Assessment for review by the Office of the Information and Privacy Commissioner (OIPC).
Who needs a PIA?
According to the Health Information Act every custodian of patient data (any person or organization involved in the collection, use and disclosure of health information) must prepare a privacy impact assessment.
Section 2 of the Health Information Act Regulation (“HIAR”) designates certain health professionals as custodians:
Regulated members of the Alberta College of Pharmacists;
Regulated members of the Alberta College of Optometrists;
Registered members of the Alberta Opticians Association;
Regulated members of the Alberta College and Association of Chiropractors;
Regulated members of the College of Physicians and Surgeons of the Province of Alberta;
Registered members of the Alberta Association of Midwives;
Registered members of the Alberta Podiatry Association;
Regulated members of the College of Alberta Denturists;
Regulated members of the Alberta Dental Association and College (as of March 1, 2011):
Regulated members of the College of Registered Dental Hygienists of Alberta (as of March 1, 2011); and
Regulated members of the College and Association of Registered Nurses of Alberta (as of September 1, 2011).
Operating as a custodian without an accepted PIA means you're not certain your clinic is operating in compliance with the law, and that you likely haven't evaluated all of the business security risks facing your practice. In the case of a breach investigation, the governing body will first ask to see your PIA. A PIA is an internal document that can be used to defend the actions of a clinic in the event of a breach if that clinic was operating within the approved processes and procedures established within the PIA.
What happens if a clinic doesn’t have a PIA?
Do I need to have all required policies and procedures in place before submitting my PIA?
No. A PIA is a declaration that your clinic understands its responsibilities and will implement the enclosed policies and procedures. However, simply having an accepted PIA does not make your clinic compliant. You will need to enact the policies and procedures outlined within your PIA.
Can I write a PIA myself?
Yes. Anyone can complete a PIA given enough time to dedicate toward learning the requirements, understanding the document, and writing the clinic’s declaration of patient privacy control in alignment with the expectations of the OIPC.
How long does it take to complete a PIA?
Depending on the clinic, a PIA can be 350 pages or more. The document must cover all aspects of how patient information is handled including staff training and access, physical and digital chart storage and destruction, software used and more. Time to completion can vary. Inexperienced individuals have reportedly taken 200 hours to complete a clinic PIA.
Once a PIA is compiled and written, it must be submitted to the OIPC for approval. Currently PIA processing times can take 12 months. Certain privacy professionals and technologies qualify for an expedited process that can take as little as one month.
The OIPC has not been conducting audits of individual clinics. Investigations are launched upon receipt of a complaint. If a patient, collaborating clinic, or employee feels compelled to report a mishandling of patient information, the OIPC will examine that clinic’s policies and procedures as well as the reported incident.
The Health Information Act specifically states that:
“An individual who makes a request to a custodian for access to or for correction or amendment of health information may ask the Commissioner to review any decision, act or failure to act of the custodian that relates to the request.”
Who is checking to make sure clinics are in compliance?
Am I done with privacy compliance after my PIA is accepted by the OIPC?
No. If you make major changes to your clinic such as a new electronic records management software, a move, or change in custodians, you need to notify the OIPC in the form of an amendment.
who requires an information Manager agreement?
The Information Managers are defined by section 66 (1) of the HIA.
66(1) In this section, “information manager” means a person or body that
(a) processes, stores, retrieves or disposes of health information,
(b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, or
(c) provides information management or information technology services.
All Information Managers require an Information Management Agreement and are bound by the Health Information Act pursuant to Section 66(2) of the Health Information Act (Alberta)
Do you have a checklist that can help fill out some of my PIA?
We have not yet created a checklist to help you fill out the PIA. We do have a checklist that helps you understand the elements required for on-going compliance and comes in pretty handy when you're evaluating privacy consultants. Download our checklist here.
Have there been any fines for misuse of private information in Alberta?
Yes. The fines and other consequences resulting from a breach are reported in a few places in Alberta. The first is through press releases, like this one from Sept 27, 2016 which has the headline Conviction, Fine for Breaching Health Information. Further, there is a more general listing of Alberta privacy infractions at the OIPC web page titled: Breach Notification Decisions.
In 2017 an Alberta pharmacists was sentenced to three months of house arrest for inappropriately accessing the records of 104 patients.
Ransomware is a type of malicious software (malware) that infects local computer networks, such as those in clinics, identifies important information, and encrypts it so that it is no longer accessible to users. The encrypted information is only released after a ransom, usually thousands of dollars, is paid.
The most common way ransomware gets into clinic networks is through unsecured email. Ransomware attackers send familiar looking links and files in an attempt to trick clinicians and staff into accidentally downloading the malicious software.
The number of ransomware attacks is growing every year. The FBI reported that ransomware attacks had cost over $209 million in the first three months of 2016 (and that's just reported cases). In a statement, the Calgary Police Service explained that ransomware attackers around the world earn between $100,000 and $200,000 every day.
What is ransomware?
Yes, privacy training is necessary. Without proper training on the regulations, and clinic policies and procedures, staff pose a threat to the integrity of patient information and clinic security. Training helps to delegate responsibility off the shoulders of the lead custodian in a clinic. In one case of a breach at Alberta Health Services involving 48 staff, a lack of training made AHS responsible for the breach, not the staff. Privacy training should be given to all staff, and temp staff should be made aware of their responsibility to follow privacy regulations and comply with your policies and procedures.
Is privacy training necessary for clinic staff?
Compliance is critical as regulations are in place to protect your clinic and keep patients safe. Applications developed for use in healthcare must include certain components such as authentication to verify users accessing patient information. Chain of custody is an important requirement in the world of privacy compliance. We liken it to driving in your car. It would be faster to climb in and drive away, but you always buckle up before you hit the gas pedal because you want to be protected in the unlikely event that you get into an accident.
Going through the due diligence of a Privacy Impact Assessment is like putting on your seatbelt. Thoughtful application designers find ways to incorporate necessary security measures while also providing utility. Your seatbelt has an easy buckle rather than a complicated knot you need to tie and untie. An experienced privacy support team will be able to help you establish policies and procedures that work for your clinic in the most convenient way while ensureing you're keeping your clinic and patients safe.