If you’re a healthcare provider practicing in Alberta or you are working with or for a healthcare provider, this blog is for you! 

Our most experienced compliance consultants offering HIA compliance consulting for 7 years are here sharing everything about Alberta Health Information Act (HIA). 

What is HIA? 

HIA is the healthcare-specific data privacy law imposed by the provincial government. 

It governs the collection, usage and disclosure of personal information of the patients in Alberta. 

It also offers ultimate control to residents of Alberta over their data collected by healthcare providers.  

If any healthcare provider does not adhere to the HIA requirements, he can be liable for a fine of up to $200,000. 

Does the Act Apply to You? 

Yes, HIA applies to everybody living in Alberta. After all, it gives the right to access to all Albertans. 

However, talking about the HIA regulations, it applies to individual health services providers and organizations in Alberta. 

Most of these people fall under two major categories - Custodians and Affiliates. 

Meaning, every Custodian and Affiliate should adhere to HIA. 

List of Custodians:

• Nursing home operators 
• Licensed pharmacies
• Physicians
• Dentists 
• Denturists
• Dental hygienists
• Optometrists
• Opticians
• Chiropractors
• Podiatrists
• Registered nurses

List of Affiliates:

HIA considers an individual or organization as an affiliate if he is, 

• Employed by custodian 
• Performing service for a custodian as an appointee, volunteer or student
• Performing service for custodian under contracts as business partner or service provider 

For example, if you as the healthcare provider (custodian) sign a contract with Amazon to use its cloud service - AWS, Amazon is called an affiliate. 

Here, it is worth mentioning that insurance companies are neither custodians nor affiliates.

Types of Information/Data Protected by Health Information Act Alberta 

1) Diagnostic, Treatment and Care Information

• Physical and mental health information of the patients 
• The treatment patients are receiving through healthcare providers
• Patients’ data related to medication and drugs 
• Data related to healthcare products they are using 
• The free and paid healthcare services or benefits of patients 
• Donation of body parts 

2) Registration Information

• Patients’ name, address, signature, gender, photos, health card number
• Citizenship 
• Immigration status 
• Billing data 
• Health service eligibility information 
• Telecommunications data 

3) Recorded Information

• X-rays
• Notes
• Letters
• Audio-video recordings
• Lab reports 

You should know this: 

Any information which is non-identifying information can be collected, used and disclosed freely. 

Because non-identifying information does not disclose the identity of the person. 

Alberta Health Information Act Requirements

1) General Requirements:

• Ensure administrative, physical and technical safeguards of personal health information 
• Regularly validate or assess your implemented safeguards 
• Hire or designate an affiliate who is responsible for the overall privacy and security 
• If storing data outside of Alberta, sign agreements with service providers/business partners to maintain the confidentiality of the data 
• Make sure your affiliates have enough awareness of safeguards and HIA 
• Define the penalty structure for affiliates who breach or attempt to breach the data

2) Physical Safeguards:

• Whiteboards having patient information should not be placed in public areas 
• Lock building or rooms where you physically store data 
• Only authorized persons should have access to server rooms 
• There should be an alarm system 
• Consider the use of access cards 
• Secure the laptops 
• Implement a clean desk policy 
• Use lock shredding bins for disposal of sensitive records
  

3) Technical Safeguards:

• Implement access control to all your digital systems 
• Make sure each digital system user has a unique username 
• Implement a strong password policy 
• Maintain system logs and regularly check who has viewed or edited health information 
• Detect unauthorized activities 
• Use password-protected screensavers and security screens
• Install anti-virus system, firewalls and intrusion detection system  
• Implement encryption on mobile devices
• Implement document-tracking system 
• Implement data-integrity controls 
• Encrypt sensitive emails
• Implement security mechanisms to protect wireless networks from eavesdropping
• Implement and periodically validate data backup and business recovery plans 

4) Administrative Safeguards

• You must implement privacy policies and procedures 
• You must train your staff based on policies and procedures so that they can avoid any data breach 
• Carry out a Privacy Impact Assessment to discover the risks and later mitigate them 
• Use the most secure method for sharing health information 
• Periodically evaluate the policies and procedures 

5) Staff or Affiliates Access

• Affiliates working for or with healthcare providers must have access to necessary data only. 
• Staff taking online/offline appointments should not have access to see all medical treatment details. 
• Staff handling billing should not have access to see the treatment information. 
• Doctors and nurses should have access to see data of patients they are directly involved with. 

6) Retention and Disposal of Records

• Continue to hold data for 10 years 
• Shred paper-based data 
• In the case of digitally-stored data, use professional data wiping software or destroy the media drive itself 

How to be Compliant with HIA and Carry out PIA at the Same Time? - The Most Easiest Method 

(Under section 64 of HIA, PIA is mandatory.) 

Suppose you’re developing a healthcare mobile app in Alberta. 

Here is how your app and organization can be HIA compliant and you can carry out PIA at the same time. 

Step #1: You need to draft a compliance strategy before even starting to develop your app as there are many technical requirements your app should work accordingly. 

Step #2: You need to make sure that APIs you’re using in your app are also HIA compliant APIs. 

Step #3: Sign a business associate agreement with your 3rd party business partners or service providers. 

Step #4: You should carry out TRA (Threat and Risk Assessment) on the app - with respect to applicable laws. 

Step #5: TRA reveals the app’s security vulnerabilities which you have to fix. Once you fix it, your app would become compliant with the law you’ve considered while carrying out TRA. 

Step #6: You need to carry out a separate compliance audit in case there are regulations you missed out to meet during TRA. 

Step #7 Lastly, you should carry out PIA (Privacy Impact Assessment)  which validates the compliance-readiness of your entire organization including the mobile app.

This way, your app and organization would become compliant with HIA and you can carry out PIA at the same time.

Finding This Difficult? Let Our Compliance Consultants Help You to Be HIA Compliant and Carry Out PIA

We are an Ontario-based team of technical and compliance experts - has been helping Canadian healthcare entities for 7 years. 

We not only provide compliance consulting services but also help entities to address the technical and operational requirements of several compliance laws.

Being a Canadian company, we understand the gravity of compliance. Thus we only provide you with quality and proactive service.

In addition to compliance, our team has ultimate expertise in carrying out PIA and TRA. 

We are also clever enough to let you get access to Alberta Netcare. On a concluding note, we would like to share a case study that talks about how we helped an app agency to fill 47 security gaps and develop a HIPAA compliant app.