What type of privacy agreement do you need?

Do I need an Information Sharing Agreement (ISA) or an Information Management Agreement (IMA)?

Having the right agreements in place is essential for any clinic collaborating with external vendors and organizations. Ensuring the correct agreements are used and regularly reviewed, especially after changes, is crucial. 

An Information Manager Agreement (IMA) is a legislative requirement under the HIA between custodians and Information Manager(s).

An Information Manager is defined in the HIA as a person or body that:

  • Processes, stores, retrieves or disposes of health information;
  • In accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information;
  • Provides information management or information technology services.

An Information Sharing Agreement (ISA), as per the standards of the College of Physicians & Surgeons of Alberta (CPSA), is the legal contract that defines the data stewardship rules and processes that the parties have agreed to.

Many physicians enter practice and share patient charts without considering what happens to the records when one of their colleagues leaves or when there is a change in management/ownership of the clinic. When forming or joining a clinic, physicians need to ensure they have an ISA that:

  • Ensures all professional obligations and legal duties related to the use and disclosure of records are fulfilled
  • Outlines the terms and conditions of the exchange (sharing) of custodian duties in a common manner within a shared patient record environment
  • Helps guide issues pertaining to the management, security requirements, and professional responsibilities relating to the sharing of patient records
  • Outlines what will happen to the patient records as custodians enter and leave the clinic

Below is a list of various scenarios and the appropriate agreements needed to protect your clinic:

| Scenario | Agreement required |
|---|---|
| 1. Using a billing agent or external transcription service. | IMA (Vendor) |
| 2. Using a storage firm for electronic or paper records. | IMA (Vendor) |
| 3. Using an application service provider (ASP), remote data storage. | IMA (Vendor) |
| 4. Sharing patient information between clinic sites. | ISA |
| 5. Sharing information within the Primary Care Network (PCN), a large clinic group setting for the purpose of patient care. | ISA |
| 6. Individual clinics providing identifiable health information to PCN for purposes including quality improvement, performance metrics, and guiding PCN direction. Exceptions: (1) In the case of a centralized PCN, or a PCN with a small number of member clinics where the PCN is an affiliate acting under the clearly documented direction of each custodian with respect to the ongoing use of the data, no IMA is required. (2) Individual clinics exchanging identifiable patient information within the clinic for these purposes do not require an IMA. | IMA (Generic) |
| 7. Providing health information to the Health Quality Council of Alberta. | IMA (Generic) |
| 8. The Pan PCN committee hires/contracts research analysts and provides clinic data collected by PCN. | IMA (Generic) |
| 9. Centralized PCN staff collecting, coding and manipulating patient level data from all clinics (non-health care related purposes). | IMA (Generic) |
| 10. Completely non-identifiable data at the patient or clinic level is shared with third parties – member clinics, public, etc. for information purposes (non-health care related). | No agreement required |
| 11. Data identifiable at the clinic level is shared with third parties – member clinics, public, etc. for information purposes (non-health care related). | IMA (Generic) |
| 12. Patient-level identifiable data is exchanged with AHS (sharing identifiable data with other custodians for secondary purposes). | IMA (Generic) |
| 13. Completely non-identifiable data is exchanged with AHS. | No agreement required |
| 14. Disclosure to Minister or Department. | No agreement required (HIA 46(1)) |
| 15. Custodian is disclosing patient information to another custodian outside of his/her clinic for the purpose of continuity of care. | No agreement required |
| 16. Custodians sharing patient records within a clinic. | ISA |