Glossary: Privacy and Security

Privacy Acts

The Health Information Act (HIA) is an Alberta Act that applies to the collection, use and disclosure of health information.

The Personal Information Protection Act (PIPA) provides a framework for the collection, use and disclosure of personal information and applies to private sector organizations, which include community-based medical clinics.

The Freedom of Information and Protection of Privacy Act (FOIP) provides a framework for the collection, use and disclosure of personal information and applies to public bodies such as Alberta Health or Alberta Education.

Types of Information

Health Information is information about an individual that is collected, used, and disclosed in health care by custodians or their affiliates. This includes:

  • Diagnostic, treatment, and care information
  • Registration information

Diagnostic, treatment, and care information is recorded information about an individual, such as physical and mental health status, prescribed drugs or devices, a health service provided, or any information collected during that service.

Registration information is information about an individual such as demographic details, location, telephone number or billing information.

Personal information is information that can identify an individual (e.g., name, date of birth or address). The protection of this type of information falls under the Personal Information Protection Act (PIPA) for private sector organizations and under the Freedom of Information and Protection of Privacy Act (FOIP Act) for public bodies.

Privacy Roles in the Health Information Act

Custodian is a person or organization that has custody (or control) of health information as set out in the Health Information Act (HIA). The custodian is ultimately responsible for the privacy of health information.

Affiliates are people (e.g., employees, volunteers, students, contractors, and agencies) who provide services on behalf of the custodian.

Privacy Officer is a role that is designated by the custodian and is responsible for overseeing the organization’s overall approach to privacy and ensuring that the privacy policy and procedures are implemented and working effectively in the clinic.

Information Manager is a person or organization that:

  • Processes, stores, or disposes of patient health information
  • Strips or encodes individual identifying health information
  • Provides information management or information technology services.

EMR vendors are the most common examples of information managers.

Key Privacy Stakeholders

Alberta Ministry of Health oversees the development of legislation (Act and regulations) that applies to privacy of health information of Albertans.

The Office of the Information and Privacy Commissioner of Alberta (OIPC) performs the legislative and regulatory responsibilities set out in Alberta’s three access and privacy Acts (PIPA, FOIP and HIA). It investigates privacy complaints regarding health information, reviews and comments on privacy impact assessments prepared by clinics, and acts as a resource for privacy matters in Alberta.

Colleges and associations have the responsibility to ensure that the public is protected and that their members provide health services in a manner that protects the privacy of health information.

Privacy Terms

The Health Information Act gives a patient the right to access their recorded health information. Every reasonable effort must be made to ensure that the health information in your custody is accurate and complete.

Collection means to gather, receive, or obtain health information. A principle of the Health Information Act is to limit the amount and type of information collected to only what is necessary for the intended purpose.

Disclose means to share health information about an individual with another person or organization. Generally, consent is required for disclosure, unless the HIA provides an exception (e.g., sharing with another custodian for continuity of care).

Prior to collecting information, you are required to explain the purpose of and authority for the collection. You are also required to identify a contact person for anyone with questions or concerns. In the clinic, this is generally done by posting a notice in a visible location.

Record refers to documented health information in any form (e.g., written notes, audiovisual recordings, X-rays, photographs, letters, etc.).

Safeguards are the strategies you use to protect patients' health information from unauthorized access, use, disclosure, or destruction. Safeguards fall into three categories (PAT): physical, administrative and technical.