When you want to know everything there is to know about Privacy Impact Assessments (PIA), Alberta privacy expert, Ingrid Ruys, is the person to ask. Ms. Ruys has over 30 years of experience helping organizations with regulatory compliance and has served as the Chief Privacy Officer for the Physician Office System Program (POSP) for the last 12 years. She is the founder and owner of RJK General Services Ltd, a privacy, security, and regulatory compliance consultancy. With over 1000 successful PIA’s under her belt, no one is more qualified to advise clinics on PIAs. As all dentists in Alberta and several other health profession including optometrists and chiropractors are now required to submit PIAs
as part of their regulatory responsibilities, I wanted to get the facts about what a PIA is, what should be included, and who is qualified to complete one. Here is what Ms. Ruys taught me about getting a PIA right to avoid the serious fines clinics risk by not completing a PIA, or completing it improperly.
What is a Privacy Impact Assessment?
IR: Section 64 of the Health Information Act (HIA) mandates submission of a Privacy Impact Assessment for review by the Office of the Information and Privacy Commissioner (OIPC)
. A PIA is an in depth look at how an organization, office or clinic proposes to use and handle patient information and is meant to address potential risks to patient privacy. It is a declaration to the OIPC that your clinic understands how, and has sufficient processes in place, to protect the information of your patients.
Depending on the clinic, a PIA can be 350 pages or more. It’s not light reading.
Who can complete a PIA?
IR: Technically anyone can complete and submit a PIA. I certainly don’t advise it. PIAs are complex documents that require a deep level of understanding of the provincial privacy regulations and the process through which applications are assessed.
I have been called in to fix too many PIAs completed by IT people or office staff that didn’t take the time (because it’s not their job or expertise) to learn the intricacies of writing an acceptable PIA, or don’t realize that the system or practice they are implementing has privacy/security risks. To properly complete a PIA the first time takes weeks of dedicated work. Clinics are much better off, in the long and short run, working with a privacy professional
and certified privacy expert who really knows the process and can adapt their understanding to unique office situations. It’ll save a lot of time, avoid disruptions to the work staff are really supposed to be doing, and pretty much guarantee compliance to the Acts and Regulations, as well as acceptance of the PIA. Anyone that hasn’t submitted a successful PIA already, will likely have additional comments and concerns to address and more follow-up, which means additional time before it’s accepted. There are a handful of privacy professionals in Alberta that have many years of experience writing and submitting hundreds of PIAs. They have developed relationships with reviewers and can quickly address concerns if they do arise. Here's a privacy consultant comparison checklist
to help evaluate your options.
What certifications will a qualified privacy professional have?
IR: There are two certifications you want see on the resume of any professional you hire to execute your PIA.
Either of these certifications prove you are working with a person that knows privacy and can set your clinic up with a successful application. The first certification to look for is from the Canadian Institute of Access and Privacy Professionals - CIAPP. This one can have one of three designations; Certified (C), Professional (P), or Master (M). This certification was originally established with funding from the Privacy Commission of Canada and the Information Commissioner and is supported by access and privacy commissions across the country. The other certification to look for is from the Privacy and Access Council of Canada (IAPP) The CAPP represents national leadership and excellence in information privacy, information access, and data governance. Anyone who has their CAPP certification knows their stuff. There are additional certifications such as HIPAA (US) or CHIMS that prove in depth knowledge of privacy regulations.
What other factors do clinics need to consider when completing a PIA?
IR: For dentists, optometrists, and chiros in Alberta, it’s very important to be thinking about Netcare access requirements.
A PIA that doesn’t have the proper Netcare references can stand in the way of getting access down the road and will necessitate, at the very least, an amendment to your PIA. That’ll just slow things down, and can get quite expensive. The technology you’re using to solve privacy issues around how you store and share patient information matters. If a service is brand new and hasn’t been reviewed by the OIPC yet, you need to question if you want to be the first one to try it. You’re much more likely to get approval for technology and services that have already been approved on other PIAs.
Does a completed PIA last forever?
IR: No. Rules change. Legislation is updated all the time. Clinics adapt their processes, change the way they administer the practice, and add new technology. All of that means your PIA needs to be updated.
Seasoned privacy professionals will automatically update PIAs they have submitted to conform with regulation changes. Working with an organization that isn’t focused on Alberta’s privacy regulations everyday means you risk missing these important changes and falling out of compliance. Make sure those legislative refreshes are included in your original PIA. When you do need to submit a PIA or an amendment to address process changes, hiring a professional familiar with your original submission (if possible) will expedite that process so that you’re not waiting months for approval to proceed with your desired changes.
The bottom line on PIAs
Writing and submitting a PIA can be an intimidating endeavor to the point that your practice avoids doing it until it’s too late. You’ll know it’s too late when the OIPC audits your practice or investigates a patient complaint and you don’t have a Privacy Impact Assessment in place. The fines associated with not having the proper privacy procedures in place (which is the purpose of writing a PIA) can reach $50,000. Your PIA doesn’t have to be difficult or time consuming. You don’t need to become an expert in patient privacy.
Engage an expert and you’ll actually save time and money. Established experts understand the PIA process and can quickly suggest changes to your plans and processes to ensure you are in compliance with privacy regulations and write a PIA document that will get accepted the first time, so that you can be confident your clinic is operating within the letter of the law.