What is a Privacy Impact Assessment (PIA)?
A PIA is an in-depth look at how an organization, office or clinic proposes to use and handle patient information, and it is meant to address potential risks to patient privacy. It is a declaration to the OIPC that your clinic understands how to protect the information of your patients and has sufficient processes in place to do so.
Section 64 of the Health Information Act (HIA) mandates submission of a Privacy Impact Assessment for review by the Office of the Information and Privacy Commissioner (OIPC).
Who needs a PIA?
According to the Health Information Act, every custodian of patient data (any person or organization involved in the collection, use and disclosure of health information) must prepare a privacy impact assessment.
Section 2 of the Health Information Act Regulation (“HIAR”) designates certain health professionals as custodians:
- Regulated members of the Alberta College of Pharmacists;
- Regulated members of the Alberta College of Optometrists;
- Registered members of the Alberta Opticians Association;
- Regulated members of the Alberta College and Association of Chiropractors;
- Regulated members of the College of Physicians and Surgeons of the Province of Alberta;
- Registered members of the Alberta Association of Midwives;
- Registered members of the Alberta Podiatry Association;
- Regulated members of the College of Alberta Denturists;
- Regulated members of the Alberta Dental Association and College (as of March 1, 2011);
- Regulated members of the College of Registered Dental Hygienists of Alberta (as of March 1, 2011); and
- Regulated members of the College and Association of Registered Nurses of Alberta (as of September 1, 2011).
What happens if a clinic doesn’t have a PIA?
Operating as a custodian without an approved PIA constitutes a privacy breach. In the case of a breach investigation, the governing body will first ask to see your PIA. A PIA is an internal document that can be used to defend the actions of a clinic in the event of a breach, provided the clinic was operating within the approved processes and procedures established in the PIA.
Do I need to have all required policies and procedures in place before submitting my PIA?
No. A PIA is a declaration that your clinic understands its responsibilities and will implement the enclosed policies and procedures. However, simply having an approved PIA does not make your clinic compliant. You will need to enact the policies and procedures outlined within your PIA.
Can I write a PIA myself?
Yes. Anyone can complete a PIA given enough time to dedicate toward learning the requirements, understanding the document, and writing the clinic’s declaration of patient privacy control in alignment with the expectations of the OIPC.
How long does it take to complete a PIA?
Depending on the clinic, a PIA can be 350 pages or more. The document must cover all aspects of how patient information is handled including staff training and access, physical and digital chart storage and destruction, software used and more. Time to completion can vary. Inexperienced individuals have reportedly taken 600 hours to complete a clinic PIA.
Once a PIA is compiled and written, it must be submitted to the OIPC for approval. Currently PIA processing times range from 4 to 6 months. Certain privacy professionals and technologies qualify for an expedited process that can take as little as one month.
Who is checking to make sure clinics are in compliance?
The OIPC has not been conducting audits of individual clinics. Investigations are launched upon receipt of a complaint. If a patient, collaborating clinic, or employee feels compelled to report a mishandling of patient information, the OIPC will examine that clinic’s policies and procedures as well as the reported incident.
The Health Information Act specifically states that:
“An individual who makes a request to a custodian for access to or for correction or amendment of health information may ask the Commissioner to review any decision, act or failure to act of the custodian that relates to the request.”
Am I done with privacy compliance after my PIA is accepted by the OIPC?
No. If you make major changes to your clinic, such as adopting new electronic records management software, relocating, or changing custodians, you need to notify the OIPC in the form of an amendment.
Who requires an Information Manager Agreement?
Information Managers are defined in section 66(1) of the HIA.
66(1) In this section, “information manager” means a person or body that
(a) processes, stores, retrieves or disposes of health information,
(b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, or
(c) provides information management or information technology services.
All Information Managers require an Information Management Agreement and are bound by the Health Information Act pursuant to section 66(2) of the Health Information Act (Alberta).
Do you have a checklist that can help fill out some of my PIA?
We have not yet created a checklist to help you fill out the PIA. We do have a checklist that helps you understand the elements required for on-going compliance and comes in pretty handy when you're evaluating privacy consultants. Download our checklist here.
Have there been any fines for misuse of private information in Alberta?
Yes. The fines and other consequences resulting from a breach are reported in a few places in Alberta. The first is through press releases, like the one from Sept 27, 2016 with the headline “Conviction, Fine for Breaching Health Information”. There is also a more general listing of Alberta privacy infractions on the OIPC web page titled “Breach Notification Decisions”.
In 2017 an Alberta pharmacist was sentenced to three months of house arrest for inappropriately accessing the records of 104 patients.
Ransomware is a type of malicious software (malware) that infects local computer networks, such as those in clinics, identifies important information, and encrypts it so that it is no longer accessible to users. The encrypted information is only released after a ransom, usually thousands of dollars, is paid.
The most common way ransomware gets into clinic networks is through unsecured email. Ransomware attackers send familiar-looking links and attachments in an attempt to trick clinicians and staff into opening them and unknowingly installing the malicious software.
The number of ransomware attacks is growing every year. The FBI reported that ransomware attacks had cost over $209 million in the first three months of 2016 (and that's just reported cases). In a statement, the Calgary Police Service explained that ransomware attackers around the world earn between $100,000 and $200,000 every day.