Privacy Agreements Frequently Asked Questions

General

Data is non-identifiable when the identity of the individual cannot be ascertained from the data provided. Any data that, on its own or as part of a record, would allow the patient to be identified is considered identifiable data. Removing the Provincial Health Number, name and address does not always make the data non-identifiable.

Patient consent is required unless otherwise authorized, such as for continuing care and treatment purposes under HIA 35(1)(b).

Data can be disclosed without consent for purposes such as the prevention of fraud and the protection of public safety.  

Details can be found in Sections 35 – 47 of the HIA. The exchange of data as part of an ongoing program may require an ISA along with patient consent.

Patient consent is not required when identifiable health information is shared for the purpose of continuity of care. It is also not required if the health information is completely non-identifiable.

If identifiable data is shared for any reason other than continuity of care, then patient consent is required. 

Exceptions exist for extenuating circumstances. Details can be found in Sections 35 – 47 of the HIA.

Completely non-identifiable data can be shared with AHS without a privacy agreement in place. Any level of identifiable data that is shared must have a supporting IMA in place.

Privacy Impact Assessment (PIA)

PIAs and privacy agreements should be reviewed on a regular basis along with other clinic technical, physical and administrative safeguards. In addition, reviews should take place whenever there is a change in the clinic systems or data sharing/exchanging environment. Such changes include but are not limited to:

  • Data exchanged with new parties
  • Adoption of new practices within the clinic and/or PCN
  • Change in the type of data exchanged
  • Change in staff functions/responsibilities
  • New EMR functionality
  • Change in provincial privacy legislation/policy (CPSA, CMPA, AH)
  • Implementation of or change in provincial EHR (Alberta Netcare)

If your PIA is current, any change to the systems within your office may only require an amendment to your PIA and/or a letter to the Office of the Information and Privacy Commissioner of Alberta (OIPC) with details on the change. The actual requirements will depend on the nature and complexity of the change.

PIAs are customized risk assessments for each clinic, and subsequent amendments can be complex. We recommend that the creation and amendment of PIAs be undertaken by a privacy expert.

Agreements

A PIA is a legislative requirement. It is a risk management exercise that exists to protect the privacy of individuals and their health information. Specifically, it provides details on administrative practices, information systems, protection of data and authority relating to the collection, use and disclosure of individually identifying health information.

An IMA is an agreement between a custodian and a person or body performing information management activities as detailed in Section 66 of the HIA. The agreement includes the level of data exchanged, the obligations of the information manager and a description of all services provided by the information manager.
 
The following are examples of situations where IMAs are required:

  • PCNs or member clinics are using an external billing agent or external transcription service
  • PCNs or member clinics are using an external storage firm for electronic or paper records
  • Improvement facilitators or other external consultants are being given access to EMR data
  • PCN staff are performing information manager functions as identified in the HIA
  • PCN staff are sharing EMR data with AHS and receiving altered data in return
  • PCNs or member clinics are using an application service provider or remote data storage hosted by an external body
  • Data is processed, stored, retrieved, or disposed of by a party other than the custodian, including non-clinical PCN staff
  • Data is stripped, encoded, or transformed by a party other than the custodian, including non-clinical PCN staff
  • A party other than the custodian provides information technology services

The AMA has worked with legal counsel to create IMA and Information Sharing Agreement (ISA) templates. These templates are available on the AMA website and will need to be customized to reflect the needs of each individual clinic and situation.

Privacy experts within your clinic and/or PCN can assist with this customization, or external consultants can be hired for a moderate fee to perform this work for you.

OIPC reviews PIAs only.

IMAs and ISAs are not generally reviewed by OIPC but must be kept on file, as they are part of the privacy obligations of custodians and may at some point be requested by OIPC.

No. Under the HIA a custodian can disclose individually identifying health information to another custodian for the purpose of providing a health service and enabling the continuity of care for a patient, such as transferring between service providers and consulting with another provider on that patient’s care.

Yes. It is recommended that an ISA be in place in all multi-physician clinics.

Generally, the disclosing of patient data to another custodian for the purpose of patient care does not require an ISA. However, there are obligations to consider when sharing patient records in a clinic with multiple custodians. Specifically, CPSA guidelines and the HIA require that custodians have the appropriate policies, procedures and agreements in place for the management and protection of the data, including details on accountability and access when data is being shared.

CPSA Standards of Practice on Record Retention require an ISA be in place to meet these requirements.

PCN Privacy and Data Sharing

No. Although in some cases PCN staff are affiliates of the custodian, physicians are the custodians of patient data and are ultimately responsible for ensuring that privacy obligations are met and that the data remains protected.

An IMA is required for any external consultants or facilitators in an information manager role. If the consultants are not performing as information managers, an agreement in some form is still required, detailing the description of duties and nondisclosure expectations.

An IMA is recommended for purposes other than patient care, including situations where:

  • Data is processed, stored, retrieved, or disposed of by a party other than the custodian, including non-clinical PCN staff
  • Data is stripped, encoded, or transformed by a party other than the custodian, including non-clinical PCN staff

This includes situations where the data is extracted from the clinic EMR and where PCN non-clinical staff are given direct access to the clinic EMR.

If the employee is performing information manager duties as defined in the HIA, an agreement is required. An IMA can include multiple position titles/roles as long as the description of services is clear for each position. This IMA can then be referred to in each employee’s employment contract.

Employment contracts should be in place with all employees to address information handling, confidentiality, nondisclosure, etc.