The HIA requires that the Information and Privacy Commissioner receive a privacy impact assessment for review and comment before a custodian implements proposed administrative practices and information systems relating to the collection, use or disclosure of individually identifying health information. Privacy impact assessments are mandatory under the HIA if the project fits the foregoing definition.

The Office of the Information and Privacy Commissioner has developed a Privacy Impact Assessment (PIA) process to assist organizations in reviewing the impact that the new project may have on the individual privacy. The process is designed to ensure that the public body or custodian evaluates the program or scheme to ensure compliance with the FOIP Act or HIA.

The PIA process requires a thorough analysis of potential impacts on privacy and a consideration of measures to mitigate or eliminate any such impacts. The privacy impact assessment is a due diligence exercise, in which the organization identifies and addresses potential privacy risks that may occur in the course of its operations.

While PIA’s are focussed on specific projects, the process should also include an examination of organization-wide practices that could have an impact on privacy. Organizational privacy policy and procedures, or the lack of them, can be significant factors in the ability of the organization to ensure that privacy protecting measures are available for specific projects.

Because the onus always remains on the organization to ensure adequate levels of privacy protection, as required in the applicable legislation, the Commissioner will not “approve” a PIA submitted to him by an organization. Once satisfied that the organization has addressed the relevant considerations and is committed to the provision of the necessary level of privacy protection, the Commissioner will “accept” the PIA. Acceptance is not approval; it merely reflects the Commissioner’s acceptance that the organization has made reasonable efforts to protect privacy. A PIA cannot be used to obtain a waiver of, or relaxation from, any requirement of the relevant legislation.

Source and Full Article: http://www.oipc.ab.ca/pia/

At this time, the HIA applies only to records resulting from health services paid for in whole or in part by the public health care system.

It is a principle of the HIA that access to records be given unless the Act specifically allows the record to be withheld. This right of access is balanced by the need to protect individual privacy.

The HIA controls how health information is collected, used and disclosed. It prevents another person from seeing your health information without your consent while enabling health information to be shared and accessed to provide health services and manage the health system.

You can ask to see or have a copy of your health records if they are held by a custodian.

You have the right to request that your health information be corrected if it is not accurate. This is not an absolute right, and a request to correct information may be turned down.

The Act provides for review by the Information and Privacy Commissioner if individuals are not satisfied with the decisions of custodians in response to requests made under the Act. In cases where correction of health information has been refused, an individual may request a review of the decision by the Commissioner OR they may have a statement of disagreement attached to their health record.

Individuals can also complain to the Commissioner if they believe their personal information has been collected, used or disclosed in violation of the HIA.

Source: http://www.oipc.ab.ca/hia/principles.cfm