CII/CPAR: Privacy Impact Assessment (PIA) Overview

Overview

Under section 64 of the Health Information Act (HIA), custodians of health information must submit a PIA to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing new administrative practices or information systems relating to the collection, use and disclosure of individually identifying health information. A PIA update must also be submitted before implementing any significant changes to those practices or systems.

It is a best practice for a custodian to perform a regular review of PIAs and inform the OIPC of any significant changes or updates made. Keeping PIAs current will allow clinics to manage privacy and security risk as well as to participate in new initiatives in a timely manner.

Participation in CII/CPAR

In order to participate in CII/CPAR, a clinic must have an up-to-date EMR PIA that reflects the clinic’s current EMR and practice setting.
Conducting a PIA Update Self-Assessment is one way to determine whether an EMR PIA is outdated and requires updates.

CII/CPAR Participation Steps:

  1. Clinic submits a CII/CPAR Confirmation of Participation (CoP), attaching a PIA Self-Assessment if one has been completed.
  2. CII/CPAR Implementation team acknowledges receipt of the document and connects the Site Liaison and PCN Improvement Facilitator with an eHealth Privacy expert.
  3. eHealth privacy expert contacts the site to conduct a PIA Risk Assessment.
    1. To prepare for this assessment, gather your PIA information; PIA content, acceptance letters and dates are particularly useful. Completing a PIA self-assessment may also be helpful. If you don’t have this information available, or don’t know where to find it, eHealth Privacy will identify steps for you to obtain what you need.
    2. eHealth Privacy will complete the risk assessment in consultation with the custodian(s) or a representative of the clinic. It can take anywhere from 10 to 60 minutes depending on availability and awareness of documentation.
      Note: If you have an up-to-date EMR PIA, the assessment will take a short time and you will be able to move forward with CII/CPAR implementation right away.
  4. Based on the risk assessment, there will be one of three outcomes, which will be outlined in an email to the Site Liaison and PCN Improvement Facilitator:
    1. Move ahead right away, as the PIA is up to date (low risk). No remedial work to submit to the OIPC.
    2. Move ahead and complete minor updates in parallel with CII/CPAR implementation (low risk). Remedial work must be submitted to the OIPC within 12 months.
    3. Be required to wait to implement CII/CPAR until the PIA or PIA update has been submitted (higher risk). Once submitted, CII/CPAR implementation may begin.

Scenarios

Examples are categorized as major or minor based on the material risk to clinics and on whether the update is relatively easy to do. The list is not exhaustive, and there may be other situations that would be evaluated on a case-by-case basis.

Minor PIA Update

  • New types of users added
  • HIA policy updates
  • New custodians added to clinic
  • Custodians have left clinic
  • Added Wi-Fi to clinic network
  • Enabling mobile device access to EMR
  • Enabling remote access to EMR
  • Enabling patient portal in EMR

Major PIA Update

  • Custodian’s previous PIA submission was not accepted by the OIPC
  • New EMR and/or new EMR vendor
  • Moved EMR from locally hosted to data centre or cloud-hosted
  • Custodian has given direct access to the EMR, or discloses information from the EMR, to a person or group that was not included in the previous PIA, e.g. researchers, transcriptionists, or a third-party billing provider

Support Tools

Need further help?

Please contact the eHealth Support Services Contact Centre at 1-855-643-8649 or eHealthsupportservices@cgi.com.