Quick Tips: Health Information Act

What is the Health Information Act?

The Health Information Act (HIA) is an Alberta-based legislation that establishes the rules to protect the privacy of individuals' health information. This Act regulates how health information can be collected, used and disclosed.

What is Health Information?

Health information is data related to an individual's medical history. This includes:

• Diagnostic, treatment and care information
• Registration information (e.g. patient identifying information such as provincial health care number, name, address, etc.)

Ten HIA Principles

These ten key HIA principles can help your clinic maintain compliance and build strong day-to-day privacy practices.

1. Accountability and Management
   • You are accountable for the health information individuals give you. Your clinic is responsible for all the health information in your possession and you must establish policies and procedures to ensure patient privacy is maintained.
2. Notice
   • You will explain why you collect individually identifying health information before you collect it. It is important to explain to patients why your clinic collects the information it does. Common practice is to post Notice of Collection posters in the clinic. You will collect individually identifying health information only for the purpose of providing a health service, or as otherwise permitted by law.
3. Collection
   • You limit the amount and type of health information you collect. Your clinic should only collect the information that is essential for providing care.
4. Use and Disclosure
   • You will use and disclose patient health information only for the reasons for which it was provided to you, unless otherwise permitted by law. Information can only be used for the purpose identified to the patient and can only be shared to third parties with written consent by the patient. (e.g. insurance companies, legal counsel, etc.)
5. Consent
   • You may disclose health information to a third party with patients’ written consent to that disclosure. It is important to note that patients can withdraw consent at any time.
6. Access
   • Patients have a right to access their health information that is in your clinic’s custody or control within the provisions of HIA. Patients own the health information in their record, but the clinic manages the medical record itself. This means that physicians and their teams are responsible for accurately collecting, using and disclosing the health information, and the patient has the right to control what is being collected and how it’s being used.
7. Safeguards
   • You will protect patients’ health information from unauthorized access, use, disclosure or destruction.
     Your clinic must assess any risks to unauthorized access, use or disclosure of health information and you must implement administrative, technical and physical safeguards. Minimizing and mitigating risks is a necessity in all clinics.
8. Quality
   • You make efforts to ensure that the health information in your custody or control is accurate and complete before using or disclosing that health information. Ensuring the quality of information can include updating registration and billing data, making sure clinic records are complete and accurate, as well as tracking any additions and changes.
9. Retention and Destruction of Records
   • You will retain patients’ health information per the College of Physicians and Surgeons of Alberta (CPSA) guidelines, and securely destroy their health information when it is no longer needed. The CPSA outlines the requirements for record retention and provides the retention guidelines that must be followed. (e.g. Records must be kept for 10 years from the last visit.)
10. Monitoring and Enforcement
    • You monitor compliance with your privacy policies and procedures and have a process for addressing complaints about the handling of health information. It is a clinic’s responsibility to regularly assess health information safeguards and ensure that all physicians and staff are properly trained in privacy best practices. All privacy complaints and suspected breaches must be investigated, reviewed and handled as outlined by the Office of the Information and Privacy Commissioner of Alberta (OIPC).