I. Introduction
The Alberta Health Information Act (HIA) is the provincial statute in Alberta, Canada, that governs the collection, use, and disclosure of health information. It applies to "custodians," including healthcare providers, health authorities, and the government bodies that manage health data.
It establishes safeguards for health information and gives individuals the right to access and correct their own health information. Offences under the Act, such as altering, falsifying, concealing, or destroying records to evade an access request, or disclosing health information without authority, carry fines of up to $200,000 for an individual and up to $1,000,000 for any other person.
Read on to learn more about the Act and, more importantly, how you can ensure compliance with it.
II. Who Needs to Comply
A. Material Scope
The law applies to a custodian who collects, uses, or discloses health information.
A "custodian" is a person or body that has custody or control of health information and that the Act makes responsible for it. This includes, but is not limited to, the following:
- Healthcare operators;
- Boards of hospitals, care homes, and ambulance services;
- Provincial Health Organizations;
- Health boards, agencies, and councils;
- Quality and Recovery Institutions;
- Health Quality Council of Alberta;
- Canadian Centre for Recovery Excellence;
- Designated Health Providers and Pharmacies;
- Government Health Departments and Ministers; and
- Committees and Agencies Created by Custodians.
Limitations of the Law
This Act does not:
- Limit the information available by law to a party to legal proceedings;
- Affect the power of any court or tribunal in Canada to compel a witness to testify or produce documents;
- Prohibit the transfer, storage, or destruction of a record in accordance with an enactment of Alberta or Canada.
Where a provision of this Act conflicts with a provision of another enactment, this Act prevails unless the other enactment expressly provides otherwise.
III. Definitions of Key Terms
A. Affiliate
Affiliate, in relation to a custodian, means:
- an individual employed by the custodian,
- a person who performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian,
- a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act,
- an information manager, and
- a person who is designated to be an affiliate, but does not include
- an agent as defined in the Health Insurance Premiums Act, or
- a health information repository other than a health information repository that is designated in the regulations as an affiliate.
B. Applicant
An individual who makes a request for access to a record or for a correction or amendment of health information.
C. Commissioner
The Information and Privacy Commissioner appointed under the Freedom of Information and Protection of Privacy Act.
D. Custodian
A person or body that has custody or control of health information and that the Act makes responsible for it. The categories of custodian are listed under "Who Needs to Comply" above.
E. Department
The Department administered by the Minister.
F. Health Information
Health information means one or both of the following:
- diagnostic, treatment and care information;
- registration information.
G. Health Information Repository
An agency, corporation, or any other entity designated by the Minister to act as a health information repository.
H. Individually Identifying
Individually identifying, when used to describe health information, means that the identity of the individual who is the subject of the information can be readily ascertained from the information.
I. Personal Health Number
The number assigned to an individual by the Department to uniquely identify the individual.
J. Health Service
A service provided to an individual for any of the following purposes:
- Protection, promotion, or maintenance of physical and mental health;
- Preventing illness;
- Diagnosis and treatment of illness;
- Rehabilitation;
- Care for the health needs of the ill, disabled, injured, or dying.
However, this does not include any service excluded by regulations.
IV. Obligations for Organizations Under this Law
No custodian can collect health information except in accordance with this Act. However, a custodian may collect non-identifying health information for any purpose. In certain cases, a custodian may collect individually identifying health information if:
- Another Act in Alberta or Canada expressly authorizes the collection of such information;
- The information relates directly to and is necessary to enable the custodian to carry out a purpose authorized per this Act.
Only the following entities have the right to require an individual to provide their personal health number:
- Custodians;
- Persons authorized by regulations to do so.
When an individual's personal health number is requested, the individual must be advised of the requester's authority to do so, and the individual may refuse to provide it to anyone other than the entities listed above.
A custodian must collect individually identifying health information directly from the individual who is the subject of the information unless:
- The individual has authorized collection from someone else;
- The individual is unable to provide the information, and the custodian collects it from another person acting on the individual's behalf;
- The custodian believes that collection from the individual would prejudice the interests of the individual, the purposes of the collection, or the safety of any other individual, or would result in the collection of inaccurate information;
- Collection from the individual is not reasonably practicable;
- The collection is for one of the following purposes:
- Assembling a family or genetic history where the information collected will be used in providing a health service to the individual;
- Determining the eligibility of the individual to participate in a program or receive a benefit from the custodian, and processing the application;
- Verifying the eligibility of an individual who is participating in a program or receiving a benefit from the custodian;
- Informing the Public Trustee or the Public Guardian about clients or potential clients.
- The collection is for a use of the information authorized by this Act;
- The custodian is conducting data matching for a purpose authorized by this Act;
- The information is available to the public;
- The disclosure of the information to the custodian is authorized by this Act;
- The disclosure of the information to the custodian is authorized by another enactment of Alberta or Canada.
When collecting individually identifiable health information about an individual directly from the individual, the custodian must take reasonable steps to inform the individual about:
- The purpose of the collection;
- The specific legal authority for the collection;
- The title, business address, and telephone number of the custodian's affiliate who can answer the individual's queries about the collection.
In cases where the custodian collects health information from an individual using a device that may not be visible to the individual, the custodian must obtain their consent before using such a device.
In any case, an affiliate of a custodian must not collect health information in a manner that is not in accordance with the provisions of this Act or with the affiliate's duties towards the custodian.
A custodian must not use health information except as permitted by this Act. A custodian may use non-identifying health information for any purpose. A custodian may use individually identifying health information in its custody or under its control for the following purposes:
- Providing health services;
- Verifying the eligibility of an individual to receive a health service;
- Conducting an investigation, disciplinary proceedings, or inspections related to the members of a health profession;
- Conducting research, or performing data matching or other services to facilitate another person's research, where:
- The custodian or researcher has submitted the proposed research protocol to a research ethics board;
- The research ethics board is satisfied with the protocol;
- The custodian or researcher has complied with, or undertaken to comply with, the conditions set by the research ethics board;
- Where the research ethics board recommends that consent be obtained, the consent of the individuals who are the subjects of the health information to be used in the project has been obtained.
- Providing health services provider education;
- Carrying out any other purpose authorized by law in Alberta or Canada;
- For internal management purposes, including planning, resource allocation, policy development, quality improvement, monitoring, audit, evaluation, reporting, obtaining or processing payment for health services, and human resource management.
A custodian may also use individually identifying health information in its custody or under its control to carry out the following functions, where the custodian has the jurisdiction or duty to perform them:
- Planning and resource allocation;
- Health system management;
- Public health surveillance;
- Health policy development.
An affiliate of the custodian must not use any health information in a way that is not in accordance with the provisions of this Act or their responsibilities towards the custodian.
Where a custodian receives health information that is not recorded in any form (not written, photographed, recorded, or otherwise stored in a record), the custodian may use that information only for the purpose for which it was provided.
General Disclosure Rules
A custodian must not disclose health information except as permitted by this Act. A custodian may disclose non-identifying health information for any purpose. Where a disclosure is made to a person who is not a custodian, the custodian must inform the recipient that the recipient must notify the Commissioner of any intention to use the information for data matching before performing the data matching.
E. Alberta Electronic Health Record (Alberta EHR)
“Alberta EHR” means the integrated electronic health information system established to provide shared access by authorized custodians to prescribed health information in a secure environment as may be further defined or described in the regulations. And “prescribed health information” means health information about an individual that is of a class or type prescribed by the regulations that a regulated health professional or an authorized custodian may or must make accessible to authorized custodians via the Alberta EHR.
The health professional body of a regulated health professional may direct the regulated health professional to make prescribed health information under the control of the regulated health professional accessible to authorized custodians via the Alberta EHR in accordance with this Act if:
- The Minister or the Minister of Mental Health and Addiction determines that it is in the public interest to have the information in the custody of one or more regulated health professionals made accessible to custodians via the Alberta EHR;
- The health professional body of the regulated health professionals has not directed the regulated health professionals to make the prescribed health information accessible via the Alberta EHR.
Maintaining Record Of Alberta EHR Information
If an authorized custodian uses the prescribed health information, they must keep an electronic log of the following information:
- Name or number identifying the custodian using the information;
- Date and time the information is used;
- Description of the information that is used.
The authorized custodian must retain this log for 10 years after the date of use. The individual who is the subject of the information may exercise their right of access to it, including obtaining a copy. If the individual asks the information manager of the Alberta EHR for access to or a copy of the log, the information manager must provide the log entries for all custodians that used that individual's prescribed health information.
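The logging duty above is a specification that a practitioner has to turn into a data structure. The following is an added example, written for this article and not taken from the Act or from any Alberta EHR implementation, showing one way to keep such a log in Python: each entry carries the three fields the Act names plus the subject's personal health number so that the per-individual report across custodians can be produced; entries are hash-chained so that an after-the-fact edit or deletion of a retained entry is detectable (the safeguards duty discussed later requires protection against unauthorized modification); and a retention routine disposes of entries only once they are more than 10 years old. The custodian identifiers, personal health numbers, timestamps, the 3653-day approximation of 10 years, and the GENESIS anchor value are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The Act requires the use log to be kept for 10 years after the date of use.
# Ten years are approximated here as 3653 days (a constructed constant).
RETENTION = timedelta(days=3653)
GENESIS = "0" * 64  # chain anchor for an empty log (constructed value)


@dataclass(frozen=True)
class UseEvent:
    custodian_id: str   # name or number identifying the custodian using the information
    used_at: str        # date and time of use, ISO 8601 in UTC
    description: str    # description of the information used
    subject_phn: str    # personal health number of the individual (constructed values below)
    prev_hash: str      # hash of the previous entry, so edits or deletions are detectable
    entry_hash: str     # hash over this entry's fields and prev_hash


def _digest(custodian_id: str, used_at: str, description: str,
            subject_phn: str, prev_hash: str) -> str:
    payload = json.dumps([custodian_id, used_at, description, subject_phn, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class EhrUseLog:
    """Append-only, hash-chained log of uses of prescribed health information."""

    def __init__(self) -> None:
        self._events: List[UseEvent] = []
        self._anchor = GENESIS  # hash of the last purged entry, or GENESIS

    def record(self, custodian_id: str, subject_phn: str, description: str,
               used_at: Optional[datetime] = None) -> UseEvent:
        ts = used_at or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("used_at must be timezone-aware")
        ts_str = ts.astimezone(timezone.utc).isoformat(timespec="seconds")
        if self._events and ts_str < self._events[-1].used_at:
            raise ValueError("entries must be appended in chronological order")
        prev = self._events[-1].entry_hash if self._events else self._anchor
        ev = UseEvent(custodian_id, ts_str, description, subject_phn, prev,
                      _digest(custodian_id, ts_str, description, subject_phn, prev))
        self._events.append(ev)
        return ev

    def verify(self) -> bool:
        """Recompute the chain; False if any retained entry was altered or removed."""
        prev = self._anchor
        for e in self._events:
            if e.prev_hash != prev or _digest(e.custodian_id, e.used_at, e.description,
                                              e.subject_phn, prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def report_for_individual(self, subject_phn: str) -> List[UseEvent]:
        """Entries across all custodians for one individual (the access right above)."""
        return [e for e in self._events if e.subject_phn == subject_phn]

    def purge_expired(self, now: datetime) -> int:
        """Dispose of entries older than RETENTION. Entries are chronological, so only
        a prefix can expire and the chain stays verifiable from the new anchor."""
        cutoff = (now - RETENTION).astimezone(timezone.utc).isoformat(timespec="seconds")
        removed = 0
        while self._events and self._events[0].used_at < cutoff:
            self._anchor = self._events.pop(0).entry_hash
            removed += 1
        return removed


def build_sample_log() -> EhrUseLog:
    """Constructed sample: two custodians using one individual's prescribed information."""
    log = EhrUseLog()
    t0 = datetime(2013, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.record("custodian-0001", "PHN-000000001", "lab results viewed", t0)
    log.record("custodian-0042", "PHN-000000001", "medication history viewed",
               t0 + timedelta(days=3))
    log.record("custodian-0042", "PHN-000000002", "immunization record viewed",
               datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc))
    return log


def tampered_log_verifies() -> bool:
    """Simulate an after-the-fact edit of the first entry; verify() must catch it."""
    log = build_sample_log()
    log._events[0] = replace(log._events[0], description="nothing viewed")
    return log.verify()


def purge_demo() -> tuple:
    """Purge as of mid-2024: the two 2013 entries expire, the 2024 entry remains."""
    log = build_sample_log()
    removed = log.purge_expired(datetime(2024, 7, 1, tzinfo=timezone.utc))
    return removed, len(log.report_for_individual("PHN-000000002")), log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.report_for_individual("PHN-000000001"):
        print(e.custodian_id, e.used_at, e.description)
    print("tampered log verifies:", tampered_log_verifies())
    print("removed, remaining for PHN-000000002, intact:", purge_demo())
```

In a real deployment the entries would be written to durable storage under an identity the clinical application cannot use to rewrite them, and the current chain head would be recorded outside the application so that truncation of the whole log is also detectable; the in-memory list here is only for illustration.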
General Duties & Powers
Duty to Collect, Use, or Disclose Information with the Highest Degree of Anonymity Possible
A custodian must collect, use, or disclose health information in the least identifying form that serves the purpose. The custodian must first consider whether aggregate health information (non-identifying health information about a group of individuals) is sufficient for the intended purpose. If it is not, the custodian must consider whether other non-identifying health information is sufficient. Only if neither is sufficient may the custodian collect, use, or disclose individually identifying health information, and then only where this Act permits it and in accordance with the Act.
However, this does not apply to the collection, use, or disclosure of health information for the purpose of:
- Providing health service;
- Determining or verifying the eligibility of an individual to receive a health service.
Data Minimization
When collecting, using, or disclosing health information, a custodian must only collect, use, and disclose the amount of health information necessary to enable them or the recipient of the information to carry out the intended purpose.
In deciding how much information to disclose, a custodian must consider the wishes of the individual who is the subject of the information related to the disclosure of information, along with any other relevant factors.
Duty to Protect Health Information
A custodian must take reasonable steps to maintain administrative, technical, and physical safeguards that:
- Protect the confidentiality of the health information in its custody or under its control and the privacy of the individuals who are the subjects of that information;
- Protect the confidentiality of health information that the custodian discloses to a person outside Alberta, or that is stored or used outside Alberta, and the privacy of the individuals who are the subjects of that information;
- Protect against any reasonably anticipated:
- Threat or hazard to the security or integrity of the health information;
- Unauthorized use, disclosure, or modification of, or unauthorized access to, the health information.
- Ensure compliance with this Act by the custodian and its affiliates.
The safeguards must include appropriate measures for:
- The security and confidentiality of records, including the specific risks associated with electronic records;
- The proper disposal of records, so that health information cannot be used, disclosed, or accessed without authorization after disposal.
Duty to Notify in Case of Data Breach
Any affiliate of a custodian must notify the custodian as soon as possible about the loss of individually identifiable health information or any unauthorized access to or disclosure of such information that is in the custodian's control or custody.
Once notified, the custodian must notify the Commissioner, the Minister, and the individuals concerned of the loss of, or unauthorized access to or disclosure of, individually identifying health information if there is a risk of harm to an individual.
A custodian must consider all relevant factors while determining the risk of harm to an individual.
If a custodian considers that giving notice to an individual could reasonably be expected to result in a risk of harm to the individual's mental or physical health, the custodian may decide not to give notice to the individual. In that case, the custodian must inform the Commissioner of this decision and the reasons for it.
Duty to Ensure Accuracy of Health Information
Before using or disclosing health information that is in the custodian's custody or control, it must make a reasonable effort to ensure that all such information is accurate and complete.
Duty to Identify Responsible Affiliates
Each custodian must designate one or more affiliates as responsible for ensuring that the custodian complies with this Act and with the policies and procedures established under it. Any collection, use, or disclosure of health information by an affiliate of a custodian is considered a collection, use, or disclosure by that custodian. Similarly, any disclosure of health information to a custodian's affiliate is considered a disclosure to the custodian. Each affiliate must comply with this Act and the policies and procedures established under this Act.
Duty to Establish or Adopt Policies & Procedures
Each custodian must establish or adopt policies and procedures that facilitate the implementation of this Act. Additionally, at the Minister's or the Department's request, the custodian must provide the Minister or the Department with a copy of all the established or adopted policies and procedures.
Duty to Prepare Privacy Impact Assessment
Each custodian must prepare a Privacy Impact Assessment (PIA) that describes how proposed administrative practices and information systems relating to the collection, use, and disclosure of individually identifying health information may affect the privacy of the individuals who are the subjects of the information.
The custodian must submit the PIA to the Commissioner for review and comment before implementing the proposed practices or systems or making changes to existing ones.
A custodian may, in accordance with the Act, strip, encode, or transform individually identifiable health information to create non-identifiable health information.
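The anonymity duty earlier in this section (prefer aggregate information, then other non-identifying information, and use individually identifying information only when neither suffices) and the line above (strip, encode, or transform identifying information to produce non-identifying information) together describe a de-identification pipeline without specifying one. The following is an added example, not from the Act and not code from any custodian, showing one way to build it in Python: direct identifiers are stripped; the personal health number is replaced by a keyed HMAC pseudonym, because a plain hash of a short numeric identifier can be reversed by enumerating every possible number, so the key must be held by the custodian and kept out of the de-identified dataset; date of birth is generalized to an age band; postal code is truncated to its first three characters; and an aggregate view with small-cell suppression is derived for reporting. The sample records, the key, the field names, and the suppression threshold are constructed assumptions, and whether a given output is in fact non-identifying depends on the dataset and has to be assessed for each release.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date
from typing import Any, Dict, List

# Fields that directly identify an individual and are removed outright (constructed schema).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "phn"}
# Fields that are transformed rather than copied; handled explicitly in deidentify().
TRANSFORMED = {"dob", "postal_code"}


def pseudonym(phn: str, key: bytes) -> str:
    """Keyed one-way pseudonym for a personal health number.

    HMAC rather than a bare hash: PHNs are short numeric strings, so an unkeyed
    SHA-256 table could be precomputed for every possible value. The same PHN
    maps to the same token under the same key, so records stay linkable."""
    return hmac.new(key, phn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, as_of: date, width: int = 10) -> str:
    """Generalize a date of birth to an age band (default ten years) as of a date."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def deidentify(record: Dict[str, Any], key: bytes, as_of: date) -> Dict[str, Any]:
    """Strip, encode, and transform one record into a non-identifying form."""
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in TRANSFORMED}
    out["pseudonym"] = pseudonym(record["phn"], key)
    out["age_band"] = age_band(record["dob"], as_of)
    out["postal_area"] = record["postal_code"][:3].upper()  # forward sortation area only
    return out


def deidentify_all(records: List[Dict[str, Any]], key: bytes,
                   as_of: date) -> List[Dict[str, Any]]:
    return [deidentify(r, key, as_of) for r in records]


def aggregate(records: List[Dict[str, Any]], by: str, min_cell: int = 5) -> Dict[str, Any]:
    """Aggregate health information: counts per group, with cells below min_cell
    reported as "<min_cell" so that very small groups cannot be singled out.
    The threshold is a constructed choice, not a figure from the Act."""
    counts = Counter(r[by] for r in records)
    return {k: (n if n >= min_cell else f"<{min_cell}") for k, n in counts.items()}


# Constructed sample records; the PHNs, names, postal codes and key are not real.
# In practice the key lives in a key store under the custodian's control.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_RECORDS = [
    {"name": "A. Example", "phn": "100000001", "dob": date(1980, 5, 20),
     "postal_code": "T5K2B6", "diagnosis": "J45", "visit_year": 2024},
    {"name": "B. Example", "phn": "100000002", "dob": date(1975, 2, 1),
     "postal_code": "T5K0A1", "diagnosis": "J45", "visit_year": 2024},
    {"name": "C. Example", "phn": "100000003", "dob": date(2001, 11, 30),
     "postal_code": "T2P1J9", "diagnosis": "J45", "visit_year": 2023},
    {"name": "D. Example", "phn": "100000004", "dob": date(1990, 7, 4),
     "postal_code": "T2P3M2", "diagnosis": "E11", "visit_year": 2024},
    # Second visit by the first individual: same PHN, so same pseudonym.
    {"name": "A. Example", "phn": "100000001", "dob": date(1980, 5, 20),
     "postal_code": "T5K2B6", "diagnosis": "E11", "visit_year": 2023},
]


if __name__ == "__main__":
    as_of = date(2024, 1, 1)
    deid = deidentify_all(SAMPLE_RECORDS, SAMPLE_KEY, as_of)
    for row in deid:
        print(row)
    print(aggregate(deid, "diagnosis", min_cell=3))
```

The order of preference in the Act maps onto the functions: aggregate() output is what to release first, deidentify_all() output is the fallback when group counts are not enough, and the raw SAMPLE_RECORDS are used only where the Act authorizes individually identifying information.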
Power to Charge Fees
A custodian may charge fees for services provided per this Act. However, this does not permit a custodian to charge a fee for a request for access to an applicant's own health information, except for the cost of producing a copy.
A custodian must give the applicant an estimate of this fee before providing the service. However, it may waive this fee if it feels the applicant cannot afford it or in any other circumstance this Act provides.
If an applicant asks to be excused from paying the fee and the custodian refuses, the custodian must notify the applicant that they may ask the Commissioner to review that decision.
The fees referred to must not exceed the actual cost of the services.
G. Data Matching
Prohibition
A custodian or health information repository must not:
- Collect health information to be used in data matching; or
- Use or disclose the health information to be used in data matching or created through data matching in a manner that contravenes the provisions of this Act.
A custodian or health information repository may perform data matching using information in its custody or control.
A custodian or health information repository may perform data matching by combining information already in its custody with the information in control of another custodian or health information repository.
Before performing such data matching, the custodian or health information repository in control of the information created as a result must prepare a privacy impact assessment and submit it to the Commissioner for review and comment.
A privacy impact assessment must:
- Describe how the information to be used in the data matching will be collected;
- Establish how information created through data matching is to be used or disclosed.
A custodian or health information repository may perform data matching by combining information already in its control with information in the control of a person who is not a custodian or health information repository.
Before performing such data matching, the custodian or health information repository must perform a privacy impact assessment and submit it to the Commissioner for review and comment. Such an assessment describes how the information to be used in data matching is to be collected, and the use of information created as a result of data matching.
The Minister may designate an agency, corporation, or any other entity as a health information repository.
A custodian may disclose individually identifiable information to a health information repository. Suppose a custodian makes a correction or amendment to health information. In that case, the custodian must notify a health information repository to which the custodian has disclosed the information that a correction has been made and advise the repository about how the information must be corrected.
A health information repository that is notified must do the following within 30 days:
- Make the correction or amendment per the advice of the custodian;
- Provide written notice that the correction or amendment has been made to the custodian, and the custodian must notify the individual who is the subject of the information.
The individual may ask the Commissioner to review a custodian's failure to notify a health information repository to make the correction or amendment, or a failure of the health information repository to make the correction.
V. Data Subject Rights
This Act grants individuals the following rights:
An individual has the right to access any of their records containing health information that is in the direct custody or control of a custodian.
However, this right of access does not extend to information that the custodian is legally authorized or required to refuse. If such information can reasonably be severed from a record, an individual has the right to access the remainder of that record.
A fee may be charged to the individual before granting them access to their records.
How to make an Access Request
An individual may make a written request to the custodian that they believe has custody or control of the record. In the request, the applicant may ask for:
- A copy of the record; or
- An opportunity to examine the record.
Abandoned Request
Suppose a custodian contacts an applicant regarding his request, asking for further information necessary to process his request or asking for the required fee, and the applicant fails to respond within 30 days of initial contact. In that case, the custodian can declare the request abandoned via a notice. However, the applicant must be informed of their right to ask the Commissioner to review the abandonment decision.
Duty to Assist the Applicant
The custodian must make every reasonable effort to assist the applicant and to respond openly, accurately, and completely. It must also provide a reasonably understandable explanation of any term, code, or abbreviation used in the record, and must create a record for an applicant if:
- The record can be created from the information that is in electronic form and the control of the custodian via normal computer hardware, software, and technical expertise;
- Creating the record does not interfere with the operations of the custodian.
A custodian may refuse to give an applicant access to their health information records in the following cases:
- If the disclosure can be expected:
- To result in immediate and grave harm to the applicant's mental or physical health or safety;
- To threaten the mental or physical health or safety of another individual;
- To pose a threat to public safety.
- If the disclosure can reasonably lead to the identification of a person who provided health information to the custodian explicitly or implicitly in confidence and their identity needs to be kept confidential;
- If the disclosure can be expected to reveal:
- Advice, proposals, recommendations, or policy options developed by or for a member of the Executive Council;
- Consultations or deliberations involving a member of the Executive Council.
- If the disclosure can be expected to reveal advice, proposals, recommendations, or policy options developed by or for a custodian;
- If the information is related to:
- Procedures or techniques related to audits that need to be conducted;
- Details of the specific audits that need to be conducted;
- The standardized diagnostic tests or assessments used by custodians, where disclosure could reasonably be expected to prejudice the use or results of the test or assessment.
A custodian must refuse to disclose health information to an applicant if:
- The health information is about an individual other than the applicant unless the applicant originally provided the health information;
- The health information contains information on procedures or results of an investigation;
- The health information would reveal the deliberations of the Executive Council or any of its committees or those of the Treasury Board, unless the health information:
- Has been in existence for 15 years or more;
- Is part of a record of a decision made by the Executive Council on an appeal under this Act;
- Is part of a record whose purpose is to present the background facts to the Executive Council or any of its committees or the Treasury Board or any of its committees, in making a decision where:
- The decision has been made public;
- The decision has been implemented;
- Five years or more have passed since the decision was made or considered.
- The disclosure is prohibited by another law in Alberta.
Timeline to Respond to Access Request
A custodian must make sure they respond to applicant requests within 30 days of receiving the request and must respond with details about:
- Whether access to the record or part of it is granted or refused;
- If access to the record or part of it is granted, where, when, and how access will be given;
- If access to the record or part of it is refused, if so, additional details must include:
- The reasons for the refusal and the provisions of the Act on which the refusal was based;
- The name, title, business address, and business telephone number of an affiliate of the custodian that can answer the applicant's questions about the refusal;
- How the applicant may ask the Commissioner to review the decision.
In case the custodian fails to respond to the request within 30 days or any extension period, it will be treated as a decision to refuse access to the record.
If an individual believes an error or omission exists in their health information, they may submit a written request to the custodian, asking them to correct the information. Once such a request is received, the custodian must decide whether they will make or refuse the request.
If the custodian agrees to make the correction, the custodian must do the following within 30 days of receiving the request:
- Make the correction;
- Notify the applicant in writing about the correction having been made;
- Notify any person to whom the health information was disclosed during the year before the correction or amendment was requested that the correction or amendment has been made.
However, the custodian is not required to notify those other persons if:
- The custodian reasonably believes that not notifying them will not cause harm to the applicant; and
- The applicant agrees.
The custodian may refuse to make the correction requested due to the following reasons:
- A professional opinion or observation by a health service provider about the applicant;
- The custodian did not originally create the record.
If the custodian fails to respond to a request within 30 days or for an extended period, it will be treated as a decision to refuse to make the requested correction.
In cases where the custodian refuses to make a correction, they must inform the applicant of the decision as well as their choice to pursue any one of the following options:
- Ask for a review of the custodian's decision by the Commissioner;
- Submit a statement of disagreement in 500 words or less detailing their correction request and their reasoning for the disagreement.
An applicant who submits the statement of disagreement must submit it to the custodian within 30 days of receiving the refusal. On receiving the statement of disagreement, the custodian must:
- Attach the statement to the record of the information subject to the correction request, if reasonably practical;
- Provide a copy of the statement of disagreement to any person to whom the custodian disclosed the record during the year before the applicant's correction request.
Time Extension
The custodian may extend the time for responding to a request by up to 30 days, or for a longer period with the Commissioner's permission, if:
- The request does not provide enough details for the identification of the records subject to the correction request;
- A large number of records are involved in the request, and responding would interfere in the custodian's operations;
- More time is needed to consult another custodian before deciding on an access or correction request.
If the time is extended, the custodian must inform the applicant of:
- The reason for the extension;
- When to expect a response;
- How the applicant may complain to the Commissioner about the extension.
The Commissioner may extend the time for submitting a statement of disagreement if:
- It is unreasonable to expect the applicant to submit the statement of disagreement within the stipulated period;
- It is fair to extend the time for any other reason.
VI. Regulatory Authority
Along with other powers, the Commissioner may authorize a mediator to investigate and try to settle any matter that is the subject of a request for review. If the matter is not settled, the Commissioner conducts an inquiry and decides all questions of fact and law arising in the inquiry. The inquiry is conducted in private.
Any inquiry must be completed within 90 days after the Commissioner receives the request for review unless the Commissioner:
- Notifies the person asking for the review, the concerned custodian, or any other relevant persons to be given a copy of the request that the Commissioner is extending that period; and
- Provides an anticipated date for the completion of the review.
Refusal to Conduct Inquiry
The Commissioner may refuse to conduct an inquiry if, in the opinion of the Commissioner:
- The subject of the request has been dealt with in an order or investigation report of the Commissioner;
- The circumstances warrant not conducting an inquiry.
Commissioner's Orders
Once an inquiry is completed, the Commissioner must dispose of the issues by making an order. The custodian concerned must comply with the order no later than 50 days after being given a copy of it, but is not required to take any steps to comply until the period for bringing an application for judicial review has ended.
An application for judicial review of a Commissioner's order must be made no later than 45 days after the applicant is given a copy of the order. If an application for judicial review is made to the Court of King's Bench (formerly the Court of Queen's Bench), the Commissioner's order is stayed until the application is dealt with.
The Court may extend that period if it deems it appropriate before or after the period of the initial judicial review ends.
Powers of the Commissioner in Conducting Investigations or Inquiries
When conducting an investigation or giving advice and recommendations, the Commissioner has the powers, privileges, and immunities of a commissioner under the Public Inquiries Act.
The Commissioner can require any relevant record to be produced and may examine this information, whether or not the record was subject to the provisions of this Act.
A custodian must produce a record, or a copy of it, to the Commissioner within 10 days of the Commissioner's request. If a copy cannot be produced, the custodian must allow the Commissioner to examine the original on site.
Once the investigation or review is complete, the Commissioner must return any record or copy of it produced.
VII. Penalties for Non-compliance
No custodian or affiliate of the custodian must knowingly:
- Alter, falsify, or conceal any record or direct any other person to do so with the intent of evading a request for access to a record;
- Destroy any record subject to this Act or direct any other person to do so to evade a request for access to a record.
No custodian must:
- Fail to take reasonable steps to maintain administrative, technical, and physical safeguards to protect against any reasonably foreseeable threat to the security of health information in its custody or under its control;
- Fail to comply with the provisions of this Act;
- Fail to comply with an order made by the Commissioner.
No person may knowingly:
- Collect, use, disclose, or create health information in contravention of this Act;
- Gain or attempt to gain access to health information in contravention of this Act;
- Make a false statement to the Commissioner or to another person performing duties under this Act;
- Obstruct the Commissioner or another person in the performance of duties under this Act;
- Fail to comply with an order issued by the Commissioner;
- Use individually identifiable health information to market a service for a commercial purpose or to solicit money unless the individual subject of the information has consented to it.
Any person who contravenes the aforementioned provisions is guilty of an offense and will be liable for the following:
- In the case of an individual, a fine of not more than $200,000 and;
- In case of any other persons, a fine of not more than $1,000,000.
A prosecution for an offence under this Act may be commenced within 2 years after the day the alleged offence first came to the Commissioner's attention.
VIII. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data+AI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Several of the world's most prestigious corporations rely on Securiti's Data Command Center for their data security, privacy, governance, and compliance needs.
The Data Command Center comes equipped with several individual modules and solutions that are designed to ensure compliance with all major obligations a business may be subject to under Alberta's Health Information Act. These include DSR automation, consent management, vendor management, and notice management, among several others.
Furthermore, the centralized dashboard allows for real-time insights into a business's obligations and compliance activities, thus enabling proactive interventions whenever necessary or convenient.
Request a demo now to learn more about how Securiti can help you comply with nearly all major data protection and privacy regulations worldwide.