Citadel Privacy

Key Compliance Considerations for Health Custodians under Alberta’s Health Information Act (HIA)

Alberta’s Health Information Act (HIA) sets strict rules for the collection, use, disclosure, and protection of health information. For a health custodian (e.g., a physician, clinic, pharmacy, hospital, or other designated entity), staying compliant is both a legal requirement and essential for maintaining patient trust.

Here are the key areas to focus on, with practical guidance especially relevant for smaller clinics and custodians.

1. Privacy Impact Assessments (PIAs)

Under Section 64 of the HIA, custodians must submit a Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) before implementing:

  • New administrative practices
  • New information systems (e.g., new EMR/EHR software)
  • Significant changes to existing practices or systems that involve individually identifying health information

Practical Tips for Smaller Clinics:

  • Use the Annotated PIA Template from Alberta Health as a starting point.
  • Focus on real risks relevant to your size — you don’t need an overly complex document.
  • Submit early — the OIPC now provides review comments and recommendations rather than formal approval/rejection.
  • Common triggers: Implementing telehealth platforms, AI tools, new patient portals, or cloud storage solutions.

2. Breach Notification Requirements

The HIA has mandatory breach notification rules (in force since 2018):

If there is a loss, unauthorized access, or unauthorized disclosure of individually identifying health information and a reasonable risk of harm to the individual, the custodian must notify:

  • The affected individual(s)
  • The OIPC
  • The Minister of Health

Key Practical Steps:

  • Conduct a prompt risk of harm assessment using the factors in Section 8.2 of the Health Information Regulation.
  • Have a pre-prepared breach response plan (who is notified, what to say, timelines).
  • Document everything — even breaches that don’t meet the notification threshold.
  • Train staff to report potential incidents immediately to the Privacy Officer.

3. Other Current OIPC Expectations

  • Maintain up-to-date policies and procedures for safeguarding health information (Section 60).
  • Ensure proper contracts (Information Management Agreements) with any third-party service providers who handle health information.
  • Provide privacy training to affiliates (staff, contractors, volunteers).
  • Respect individual rights to access and correct their own health information (with limited exceptions).

Citadel Privacy Angle: Practical Implementation for Smaller Custodians

Many small clinics feel overwhelmed by HIA requirements. The good news is that the OIPC expects proportionate compliance — your program should match your organization’s size, risk profile, and volume of health information.

Focus on the basics first:

  • Appoint a responsible Privacy Officer (can be you or a trusted senior person)
  • Maintain a simple but effective Privacy Management Program
  • Prioritize high-risk areas like electronic systems and third-party vendors

A well-designed, practical approach not only reduces compliance risk but also strengthens patient confidence.
