Hire Professionals to Carry out PIA in Alberta and To be Compliant with HIA

3 years ago

We're an Ontario-based team of healthcare technology and compliance professionals. 

With our in-house compliance experts, we’ve been aiming to solve all compliance-related challenges of healthcare entities and startups for 7 years. 

We have extensive experience executing PIA for different healthcare providers and making them compliant with HIA and other data privacy laws of Canada. 

We not only provide you with compliance and PIA consulting services but also ‘technically’ implement PIA and HIA requirements into mobile apps, websites, platforms or any healthcare system with our in-house developers. 

Today, in this blog, we are sharing everything about PIA in Alberta. 

What is PIA and what is its objective? 

PIA (Privacy Impact Assessment) is the process or assessment of your organization including software, app, systems, policies, business relationships and business processes to identify and mitigate privacy risks. 

Yes, PIA is not only subject to your app or software. It must be carried out at the organizational-level. 

The objective of carrying out PIA is to discover privacy vulnerabilities in your organization that puts crucial patient data at risk. 

Once the privacy gaps are known, the organization can ensure to fill it up to avoid any security breach of private data. 

Is PIA mandatory in Alberta and who should execute PIA?  

Yes, PIA is mandatory under the HIA (Health Information Act) of Alberta. In fact, PIA is one of the requirements of HIA which you have to address to be HIA compliant. 

Since PIA is the requirement of the HIA, if HIA applies to your organization, you’re subject to carrying out PIA as well. 

HIA applies to several custodians including, 

  • Hospital boards, nursing home operators, provincial health boards
  • Healthcare providers 
  • Licensed pharmacy 
  • Healthcare professionals that are designated under the Health Information Regulation

Meaning, all these custodians must carry out PIA to be HIA compliant. 

Who validates or approves your PIA and how long does it take? 

You should submit the PIA only in the suggested document format to the Office of Information and Privacy Commissioner of Alberta (OIPC). 

The OIPC then reviews your PIA document. The OIPC may ask you several questions regarding your submitted PIA to gain more clarity. 

The OIPC may ask you to revise some of the PIA points. They may even ask you to be present at their office if they find any complexity in your project. 

The OIPC takes at least 45 business days to review your PIA. 

Once they approve your PIA, you will receive a letter of confirmation. However, it is not a PIA certificate because there is no such thing called PIA certification. 

When do you need to execute PIA in Alberta? 

You need to carry out and then submit PIA to OIPC when you plan to implement new administrative practices or any information systems that handle the data. 

The following are some of the situations when you have to carry out PIA. 

  • When you collect, use and share the personal information of the patients. 
  • You give access to data to other or new parties. 
  • You implement a new service delivery and management technology that interacts with data. 
  • You deploy a new EHR system or make changes to the existing system. 

Talking about the timing, it is crucial to carry out PIA at the appropriate stage of the project. 

The best time to carry out PIA is before completing detailed design or development work. 

Because the earlier you identify the privacy issues, the easier you can fix them and get approval from OIPC.  

What if you don’t carry out PIA? 

Without carrying out PIA, you simply can't comply with the HIA. That means you are violating HIA requirements. And for each violation, you will be fined up to $50000 - as per HIA. 

PIA Alberta Requirements: Your PIA submission to OIPC should contain the following information

1) Cover Letter

Your cover letter should have the signature of some executive authority. 

2) Cover Page

You should add the following information on the cover page. 

  • Official project name
  • The legal name of the custodial who has drafted the PIA
  • Contact information of the person responsible for PIA
  • PIA submission date
  • The expected project implementation date
  • OIPC file references for any previously accepted PIAs

3)  Project Summary

This section must contain the objective of the project and why you need to collect, use and share the personal data. 

4)  Organizational Privacy Management

  • Management Structure: How is your senior-level management staff involved in privacy-related decision-making?  
  • Policy Management: How do you create, approve and execute privacy policies? 
  • Training & Awareness: How do you train your employees regarding privacy? 
  • Incident Response: How do you discover and investigate any privacy incident? 
  • Access and Correction Request: How do you handle the access and correction requests of individuals?

5)  Project Privacy Analysis

  • Health Information Listing: Mention the personal data of individuals that you collect, use and share. 
  • Information Flow Analysis: Show how you handle the data in flowcharts. 
  • Notice: Mention how you will notify users regarding the reason their information is being collected and how it is being used. 
  • Consent and Expressed Wishes: Describe how you will address the wishes of individuals regarding how much information to share.  
  • Data Matching: Will you match or combine the information of this project to another project? If yes, mention how you will combine it and its purpose. 
  • Contracts and Agreements: Describe contracts or agreements with third-parties involved in your project.
  • Use of Collected Information Outside of Alberta: Mention how and why you will use this data outside of Alberta.

6)  Project Privacy Risk Mitigation

  • Access Controls: Mention the way you give access to your collected data to your stakeholders.
  • Privacy Risk Assessment and Mitigation Plans: Mention the privacy risks you discover in your project and how will you solve them.  
  • Monitoring: Describe how you monitor privacy protection measures.  
  • PIA Compliance: Add how often you will review your PIA and update OIPC. 

 7)  Policy and Procedures Attachments

You have to attach copies of general privacy policies and project-specific policies. 

Read this PDF to know all requirements in detail. 

Conclusion: 

PIA is compulsory under section 64 of HIA. However, you should not consider PIA just because it is legally required, but to not experience a severe data breach incident in the future. 

PIA reveals all hidden privacy issues your organization has. It also helps you to be compliant with HIA. 

However, there are many complex requirements of the PIA. If you submit an immature or poor PIA, there are higher chances to receive a rejection. 

Thus, always pay attention to PIA. It is one of the major pillars of your organization!