Health Information – Office of the Information and Privacy Commissioner of Alberta

Letter from OIPC to Ministers of PPHS and HSHS regarding Bill 11 – December 1 2025

Elaine Schiman — Mon, 01 Dec 2025 22:26:38 +0000

AI Scribe PIA Guidance

Elaine Schiman — Wed, 03 Sep 2025 18:15:51 +0000

Health Information Act Engagement 2024

Elaine Schiman — Fri, 14 Feb 2025 18:02:30 +0000

The Office of the Information and Privacy Commissioner (OIPC) of Alberta conducted an engagement project in late 2024 regarding the Health Information Act (HIA). The OIPC conducted a number of surveys asking members of the public, researchers and custodians (including members of regulated professional colleges) about their interactions with HIA.

The Government of Alberta had informed the OIPC in the fall of 2024 that as part of its restructuring of the health care system, it was planning to amend HIA to address any changes needed due to the restructuring and it would also consider modernizing the legislation at that time. The OIPC was invited to provide comments and recommendations on amendments to HIA.

To inform any comments and recommendations the OIPC might provide to government, the Commissioner initiated an engagement process with HIA stakeholders. As a result of this engagement process, the OIPC produced several reports.

The report that reflects the views of members of the public who were surveyed can be seen here.

The report that reflects the College of Physicians & Surgeons of Alberta members’ survey can be seen here.

The report that reflects the survey of colleges of regulated health professionals in Alberta under the Health Information Act can be seen here.

The report that summarizes the HIA engagement project can be seen here.

Joint Resolution: Responsible information-sharing in situations involving intimate partner violence (2024)

Elaine Schiman — Mon, 09 Dec 2024 22:32:48 +0000

A joint resolution on responsible information-sharing in situations involving intimate partner violence was issued by Canada’s privacy authorities after their annual meeting in Toronto in October 2024. The resolution is available on the website of the Office of the Privacy Commissioner of Canada.

Responsible information-sharing in situations involving intimate partner violence

November 2024

Joint Resolution: Securing Public Trust in Digital Healthcare (2022)

ssibbald — Wed, 21 Sep 2022 15:14:36 +0000

Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight

September 21, 2022

Context

Canada’s health sector continues to experience serious resource constraints and staff shortages, aggravated by more than two years of surges in demand for emergency care brought on by the ongoing COVID-19 pandemic.
These and other complex problems facing the health sector during the pandemic have spurred innovation and change in the delivery of services, including through virtual care visits and other forms of digital health communications.
However, despite these rapid digital advancements in the health sector, breaches continue to be caused by the use of insecure communication technologies such as traditional fax¹ machines and unencrypted emails, unauthorized access to health records by employees (often in the form of ‘snooping’), and cybersecurity attacks (including ransomware).
Personal health information is one of the most sensitive types of information about an individual. Data breaches in the health sector can cause significant harm to affected individuals, including potential discrimination, stigmatization, financial and psychological distress.
If individuals begin to lose trust in the health system, they may withhold or falsify personal health information, avoid treatment, or hesitate to consult their health providers altogether – putting their own lives and health at risk in order to protect their privacy.
Furthermore, breaches can consume an inordinate amount of time and effort to contain and remediate, taking away valuable health resources from other important services. Misdirected communications and data breaches can also create delays in the delivery of care to individuals, cause harm to institutions’ reputations, and set back public trust in the health system.
Privacy is not a barrier to innovation. Ensuring that the shift to digital healthcare is secured by reasonable administrative, technical and physical safeguards is critical to maintaining Canadians’ trust in the health system. Furthermore, the adoption of secure digital technologies can provide relief from the administrative, financial and reputational costs associated with privacy breaches.
Many groups across Canada have recognized the inherent value of privacy-protective digital health innovations. For example, the Expert Advisory Group for a Pan-Canadian Health Data Strategy recently issued its final report where they recommended the adoption of a Canadian Health Data Charter that, among other things, calls for “security and privacy of health data to maximize benefit and reduce harm.”
There are now numerous modern and practical alternative ways to facilitate the legal and secure sharing of personal health information, when and as necessary to deliver health services. Examples of these include encrypted email services, secure patient portals, electronic referrals, and electronic prescribing.
These alternatives, when properly configured with built-in privacy protections and a user-centric design, can be made more auditable, secure, and resilient against unauthorized access or inadvertent disclosure.
Such digital technologies are already being successfully integrated into digital medical record systems such as electronic medical records (EMRs), electronic health records (EHRs) and hospital information systems (HIS).²
To protect and bolster public trust in digital healthcare, action must be taken across Canadian jurisdictions to modernize and protect communications involving personal health information in step with the expanding array of digital means now available to better secure the sharing and use of this highly sensitive information.

Therefore

Canada’s Privacy Commissioners and Ombudspersons with responsibility for privacy oversight across the country call on governments, health sector institutions and health providers to show concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure. More specifically, we collectively urge the following stakeholders to:

Federal/Provincial/Territorial Governments

Develop a strategic plan and provide appropriate supports, funding or other incentives to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives in a coordinated fashion;
Ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations;
Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures; and
Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties where appropriate, for health institutions and providers that do not take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.

Health Sector Institutions and Providers

Phase out the use of traditional fax and unencrypted email, as soon as reasonably possible, for communicating personal health information and replace them with modern, secure, and interoperable ways of transmitting personal health information such as encrypted email services, secure patient portals, electronic referrals and electronic prescribing;
Design, adopt and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information, including constant monitoring of electronic systems, periodic audits of all sources of risks to privacy and security, and effective incident response plans and mitigation measures in the event of breach;
In the process of modernizing means of communicating personal health information and before procurement, seek guidance from relevant experts to understand how to evaluate new digital health solutions;
When evaluating digital health solutions, assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate the rights of individuals to access their own records of personal health information;
Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public; and
Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services.

Furthermore, Canada’s Privacy Commissioners and Ombudspersons with responsibility for privacy oversight will work collaboratively in committing to:

Collaborate with governments, regulatory colleges, health sector and other relevant stakeholders to provide privacy and security guidance as the health sector transitions toward modern, secure and interoperable digital alternatives for communicating personal health information;
Educate individuals about the risks and opportunities associated with digital communications and virtual health care services, their rights to privacy and confidentiality in respect of their personal health information and how they may exercise those rights and hold others accountable;
Provide privacy and security guidance to relevant stakeholders on how to fulfill their obligations and preserve public trust;
To the extent our respective laws permit, take joint or collaborative enforcement action, as appropriate to address systemic practices in the health sector that are unreasonable because they create unacceptable and easily avoidable risks to the privacy and security of personal health information.

¹ “Traditional fax” refers to facsimiles (faxes) that require a paper copy of a record of personal health information to be scanned through a fax machine then transmitted via a telephone line to a recipient fax machine that prints the scanned transmission onto paper to re-create the original copy.

² EHRs are often regarded as secure and interoperable records of your health history that are accessible across a number of health care institutions and providers. EMRs are electronic patient record keeping systems typically constrained to a specific primary care physician or group of primary care physicians. HIS are, similarly, electronic patient record keeping systems typically constrained to a specific hospital.

Fax or Facsimile Transmission

ssibbald — Thu, 15 Sep 2022 21:48:45 +0000

The purpose of this document is to set out guidelines for public bodies and custodians to follow when developing systems and procedures to maintain the confidentiality and integrity of personal information received and transmitted by fax. Private sector organizations may also find these guidelines helpful.

One of the purposes of the Health Information Act is to protect the personal health information of individuals held by custodians.¹ Section 60(1)(c)(i) states:

60 A custodian must take reasonable steps in accordance with the regulations to maintain administrative, technical and physical safeguards that will …

(i) threat or hazard to the security or integrity of the health information or of loss of the health information.

Additionally, section 38 of the Freedom of Information and Protection of Privacy Act states:

38 The head of a public body must protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or destruction.

How can I reduce the risk of accidentally disclosing personal information when using a fax machine?

Always confirm that the receiver has taken appropriate precautions to prevent anyone else from seeing the faxed documents;
Before sending a fax, check that the receiver’s number is correct, then verify in the machine’s display window that you have keyed it in correctly;
If you must send personal information, always complete the fax cover sheet, clearly identifying both sender and intended receiver. The cover sheet should include a warning that the information is private and confidential and that you should be notified immediately if the information is received in error;
Call the recipient to verify that he or she received the complete transmission; or check the confirmation sheet to see that it went through to the correct number;
Any fax machine used to send or receive personal information should be kept in a location where unauthorized persons cannot see the documents. If there is no appropriate location, someone should be watchful of the machine while in operation;
Consider making one individual responsible for the fax machine. Otherwise, limit the chances that passers-by can see personal documents by sending the documents yourself;
Try to arrange a time to receive faxes containing personal information so you can be at the machine as they arrive;
Fax only the personal information which you would feel comfortable discussing over the telephone;
If your fax machine is equipped, use the feature requiring the receiver to enter a password before the machine will print the fax. This ensures that only the intended receiver can retrieve the document. Similarly, ask the sender to make sure you must supply a password to retrieve the document;
Security precautions should be taken for faxes received after normal office hours;
If you are sending personal information by a fax modem (a fax device contained in a computer), confirm that other users of the computer system cannot get access to the fax without a password. Likewise, if you are expecting information by fax modem, ensure that other users of your system cannot access the information without a password;
If possible, use encryption technology or other technology to secure fax transmissions;
Be aware that your fax number can be re-assigned once you have given up the number. It is possible to “purchase” the rights to that line so that the number is never re-assigned.

¹ Custodian is defined as an entity or regulated health professional (e.g. physician) in the publicly funded health system who receives and uses health information. Custodians are responsible for ensuring that the health information is collected, used, disclosed and protected appropriately.

This Guideline is based upon and imports many of the practices and guidelines from a number of organizations including: the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of British Columbia, the Office of the Information and Privacy Commissioner of Ontario, the College of Physicians and Surgeons of Alberta, and the Canadian Health Record Association. Their contributions are gratefully acknowledged.

October 2002

Disclaimer

This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws the OIPC oversees and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer.

Health Information Act Guide

ssibbald — Fri, 25 Feb 2022 20:52:36 +0000