Privacy Impact Assessments: Alberta Netcare PIA vs. PIA

Under Section 64 of the Health Information Act (HIA), all custodians of patient data are required by law to conduct and submit a privacy impact assessment (PIA) for review by the Office of the Information and Privacy Commissioner (OIPC).

If your clinic is using the Alberta Netcare portal, this shouldn’t be news to you. Before accessing Alberta Netcare’s electronic health records, you would have had to complete an ANP PIA. Meaning your clinic is covered and complying with privacy laws and regulations, rightNot quite.

Alberta Netcare PIAs are not the same as PIAs.

Since 2006, Alberta Health and the OIPC have agreed to follow an expedited process for custodians to submit PIAs for the Alberta Netcare Portal. Under the expedited PIA process, clinics must submit a formal cover letter, which acknowledges that the ANP PIA does not apply to the use of any other proposed systems within your clinic that collect, use and disclose health information.

In other words, your ANP PIA only covers access to Netcare.

Often more than 300 pages long, full PIAs must look at how your clinic collects, uses, and discloses protected patient information from an administrativephysical, and technology standpoint.

  • Administrative: Are all staff authorized to access patient files? Do you leave files out in the open? Are workstations locked and secure? How do you talk about patients?
  • Physical: Are patient files locked away securely behind doors and cabinets? What kind of security system do you have in place? Are there barriers between unauthorized people and patient information?
  • Technology: Are your passwords strong and secure? Do you change them often? Do you have IT security in place? How do you store digital data?

Unlike the Alberta Netcare PIA, the full PIA process looks at all processes and software that touch patient data, identifies risks to the security of that information, and establishes risk management strategies.

A PIA is good for business.

Full PIAs are mandatory for healthcare organizations, and they safeguard your clinic against the damaging effects of a privacy breach. Failing to have the proper privacy procedures in place can result in fines of up to $100,000. A full PIA establishes compliant policies and procedures designed to avoid privacy breaches in your practice and keep you, your staff, and your patients safe. If a patient lodges a complaint about the privacy practices or a breach in your clinic, the first thing that the Privacy Commissioner will review to gather information about your privacy practices is your PIA.

Don’t be left unprotected.

Understand your risk and level of compliance with a comprehensive Privacy Impact Assessment. Our team of privacy compliance experts will work with you to examine every aspect of how patient information is managed in your clinic and develop a complete plan to protect your patients and your practice to the letter of the law.

To learn more about Brightsquid’s Complete Compliance Package visit