What is a PIA?
A Privacy Impact Assessment (PIA) is a due diligence process used to analyze, identify and address potential privacy risks within a clinic. By working through the requirements of a PIA, you will discover potential privacy impacts and have the opportunity to mitigate those risks.
What’s the OIPC’s role?
The Office of the Information and Privacy Commissioner of Alberta (OIPC) has a number of very important responsibilities regarding privacy, some of which include ensuring that health custodians uphold the access and privacy rights outlined in Alberta legislation, advocating for the access and privacy rights of Albertans, and reviewing and investigating privacy concerns.
Another key role of the OIPC is reviewing clinic PIAs and making recommendations on them.
Who needs a PIA?
Under the Health Information Act (HIA) custodians must submit PIAs to the Commissioner before implementing practices or information systems that will collect, use or disclose health information.
This includes such practices and systems as:
- Enabling new technology such as virtual appointments, a patient portal or secure email
- Alberta Netcare participation
- Implementing an Electronic Medical Record (EMR)
- Accessing diagnostic laboratories
Sections of a Privacy Impact Assessment
Cover Letter and Cover Page
The cover page should include:
- Official name of your practice or system to be implemented
- Legal name of the lead custodian
- Name(s) of the privacy officer(s)
- PIA submission date
- Expected start date of administrative practice or information system
- OIPC file reference number for previously reviewed and related PIAs if applicable
Refer to the Annotated Template for more details.
Alberta Health - Annotated Template
Section A: Project Overview
The project summary describes the proposed information system or administrative practice including its objectives. It also outlines why the information system or administrative practice requires the collection, use or disclosure of health information.
Refer to the Annotated Template for more details.
Section B: Privacy Management
This section describes how you will meet your legislative requirements under the Health Information Act (HIA) by demonstrating your clinic's administrative practices and how you will safeguard patient information when collecting, using and disclosing information.
Some items to include:
- Management Structure
- Policy Management
- Privacy Training
- Privacy Incident and Breach Response
- Access and Correction Request Process
Section C: Privacy Analysis
This section is used to address privacy topics related to your information system or administrative practice including a list of the health information that is collected, used or disclosed, how and where the information flows and what authorizes those flows.
Some items to include:
- Health Information Listing
- Information Flow Analysis
- Notice of Collection
- Consent and Expressed Wishes
Section D: Privacy Risks and Mitigation Plans
This section of the PIA is used to describe the privacy risks and mitigation measures you have identified for the project. It is important to include how access to health information will be controlled, your plans for monitoring compliance, and the continual review process for your PIA.
Some items to include:
- Access Controls
- Privacy and Security Risk Assessment
Section E: Policies and Procedures
This section is used to list the policies and procedures you have developed that address your obligations under the Health Information Act (HIA).
Items to include:
- Policies and Procedures Table
Updating a PIA
If you have adopted new administrative practices or information systems that collect, use, or disclose patient information, an amendment to your PIA may be required. Use the PIA Update Self-Assessment tool to check if you need to update your clinic's PIA.
Do you need help developing or amending your PIA? Professional PIA consultants are available for hire.