<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Virtual Care &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<atom:link href="https://oipc.ab.ca/resources/virtual-care/feed/" rel="self" type="application/rss+xml" />
	<link>https://oipc.ab.ca</link>
	<description>Office of the Information and Privacy Commissioner of Alberta</description>
	<lastBuildDate>Mon, 01 Dec 2025 22:34:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://oipc.ab.ca/wp-content/uploads/2022/01/cropped-OIPC-Icon-32x32.png</url>
	<title>Virtual Care &#8211; Office of the Information and Privacy Commissioner of Alberta</title>
	<link>https://oipc.ab.ca</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Letter from OIPC to Ministers of PPHS and HSHS regarding Bill 11 &#8211; December 1 2025</title>
		<link>https://oipc.ab.ca/resource/letter-from-oipc-to-ministers-of-pphs-and-hshs-regarding-bill-11-december-1-2025/</link>
		
		<dc:creator><![CDATA[Elaine Schiman]]></dc:creator>
		<pubDate>Mon, 01 Dec 2025 22:26:38 +0000</pubDate>
				<guid isPermaLink="false">https://oipc.ab.ca/?post_type=resource&#038;p=17186</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Health Information Act Engagement 2024</title>
		<link>https://oipc.ab.ca/resource/health-information-act-engagement-2024/</link>
		
		<dc:creator><![CDATA[Elaine Schiman]]></dc:creator>
		<pubDate>Fri, 14 Feb 2025 18:02:30 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca/?post_type=resource&#038;p=16641</guid>

					<description><![CDATA[The Office of the Information and Privacy Commissioner (OIPC) of Alberta conducted an engagement project in late 2024 regarding the&#8230;]]></description>
										<content:encoded><![CDATA[<p>The Office of the Information and Privacy Commissioner (OIPC) of Alberta conducted an engagement project in late 2024 regarding the <em>Health Information Act</em> (HIA). The OIPC conducted a number of surveys asking members of the public, researchers and custodians (including members of regulated professional colleges) about their interactions with HIA.</p>
<p>The Government of Alberta had informed the OIPC in the fall of 2024 that as part of its restructuring of the health care system, it was planning to amend HIA to address any changes needed due to the restructuring and it would also consider modernizing the legislation at that time. The OIPC was invited to provide comments and recommendations on amendments to HIA.</p>
<p>To inform any comments and recommendations the OIPC might provide to government, the Commissioner initiated an engagement process with HIA stakeholders. As a result of this engagement process, the OIPC produced several reports.</p>
<p>The report that reflects the views of members of the public who were surveyed can be seen <a href="https://oipc.ab.ca/wp-content/uploads/2025/02/OIPC-HIA-Public-Engagement-Survey-Topline-Report.pdf" target="_blank" rel="noopener">here</a>.</p>
<p>The report that reflects the College of Physicians &amp; Surgeons of Alberta members&#8217; survey can be seen <a href="https://oipc.ab.ca/wp-content/uploads/2025/02/2024-HIA-engagement-CPSA-Members-Survey-Analysis-and-Summary-Final.pdf" target="_blank" rel="noopener">here</a>.</p>
<p>The report that reflects the survey of colleges of regulated health professionals in Alberta under the <em>Health Information Act</em> can be seen <a href="https://oipc.ab.ca/wp-content/uploads/2025/02/2024-HIA-engagement-Regulatory-Colleges-Survey-Analysis-and-Summary-Public-Final.pdf" target="_blank" rel="noopener">here</a>.</p>
<p>The report that summarizes the HIA engagement project can be seen <a href="https://oipc.ab.ca/wp-content/uploads/2025/02/2024-OIPC-Health-Information-Act-Surveys-Engagement-Report-Final.pdf" target="_blank" rel="noopener">here</a>.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Joint Resolution: Securing Public Trust in Digital Healthcare (2022)</title>
		<link>https://oipc.ab.ca/resource/joint-resolution-digital-healthcare/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Wed, 21 Sep 2022 15:14:36 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca/?post_type=resource&#038;p=15286</guid>

					<description><![CDATA[Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight September 21, 2022 Context&#8230;]]></description>
										<content:encoded><![CDATA[
<h4 class="wp-block-heading" id="wb-cont">Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombudspersons with Responsibility for Privacy Oversight</h4>



<p><strong>September 21, 2022</strong></p>



<h3 class="wp-block-heading">Context</h3>



<ol class="wp-block-list"><li>Canada’s health sector continues to experience serious resource constraints and staff shortages, aggravated by more than two years of surges in demand for emergency care brought on by the ongoing COVID-19 pandemic.</li><li>These and other complex problems facing the health sector during the pandemic have spurred innovation and change in the delivery of services, including through virtual care visits and other forms of digital health communications.</li><li>However, despite these rapid digital advancements in the health sector, breaches continue to be caused by the use of insecure communication technologies such as traditional fax<sup>1</sup> machines and unencrypted emails, unauthorized access to health records by employees (often in the form of ‘snooping’), and cybersecurity attacks (including ransomware).</li><li>Personal health information is one of the most sensitive types of information about an individual. Data breaches in the health sector can cause significant harm to affected individuals, including potential discrimination, stigmatization, financial and psychological distress.</li><li>If individuals begin to lose trust in the health system, they may withhold or falsify personal health information, avoid treatment, or hesitate to consult their health providers altogether – putting their own lives and health at risk in order to protect their privacy.</li><li>Furthermore, breaches can consume an inordinate amount of time and effort to contain and remediate, taking away valuable health resources from other important services. Misdirected communications and data breaches can also create delays in the delivery of care to individuals, cause harm to institutions’ reputations, and set back public trust in the health system.</li><li>Privacy is not a barrier to innovation. Ensuring that the shift to digital healthcare is secured by reasonable administrative, technical and physical safeguards is critical to maintaining Canadians’ trust in the health system. Furthermore, the adoption of secure digital technologies can provide relief from the administrative, financial and reputational costs associated with privacy breaches.</li><li>Many groups across Canada have recognized the inherent value of privacy-protective digital health innovations. For example, the Expert Advisory Group for a Pan-Canadian Health Data Strategy recently issued its final <a href="https://www.canada.ca/en/public-health/corporate/mandate/about-agency/external-advisory-bodies/list/pan-canadian-health-data-strategy-reports-summaries/expert-advisory-group-report-03-toward-world-class-health-data-system.html">report</a> where they recommended the adoption of a Canadian Health Data Charter that, among other things, calls for “security and privacy of health data to maximize benefit and reduce harm.”</li><li>There are now numerous modern and practical alternative ways to facilitate the legal and secure sharing of personal health information, when and as necessary to deliver health services. Examples of these include encrypted email services, secure patient portals, electronic referrals, and electronic prescribing.</li><li>These alternatives, when properly configured with built-in privacy protections and a user-centric design, can be made more auditable, secure, and resilient against unauthorized access or inadvertent disclosure.</li><li>Such digital technologies are already being successfully integrated into digital medical record systems such as electronic medical records (EMRs), electronic health records (EHRs) and hospital information systems (HIS).<sup>2</sup></li><li>To protect and bolster public trust in digital healthcare, action must be taken across Canadian jurisdictions to modernize and protect communications involving personal health information in step with the expanding array of digital means now available to better secure the sharing and use of this highly sensitive information.</li></ol>



<h3 class="wp-block-heading">Therefore</h3>



<ol class="wp-block-list" start="13"><li>Canada’s Privacy Commissioners and Ombudspersons with responsibility for privacy oversight across the country call on governments, health sector institutions and health providers to show concerted effort, leadership, and resolve in implementing modern, secure and interoperable digital health communication infrastructure. More specifically, we collectively urge the following stakeholders to:</li></ol>



<h4 class="wp-block-heading">Federal/Provincial/Territorial Governments</h4>



<ol class="wp-block-list" start="14"><li>Develop a strategic plan and provide appropriate supports, funding or other incentives to phase out the use of traditional fax and unencrypted email and replace them with more modern, secure and interoperable digital alternatives in a coordinated fashion;</li><li>Ensure that all digital health information sharing infrastructure, including solutions that replace traditional fax and unencrypted email, are equitably available and accessible to all Canadians, including those living in remote areas, among marginalized communities, and within vulnerable populations;</li><li>Promote the adoption of secure digital technologies and the implementation of responsible data governance frameworks that provide reasonable protection of personal health information against unauthorized access or inadvertent disclosures; and</li><li>Amend laws and regulations, as necessary, to further provide for meaningful penalties, including administrative penalties where appropriate, for health institutions and providers that do not take reasonable measures necessary to protect personal health information as well as for individuals who unlawfully collect, use, or disclose personal health information.</li></ol>



<h4 class="wp-block-heading">Health Sector Institutions and Providers</h4>



<ol class="wp-block-list" start="18"><li>Phase out the use of traditional fax and unencrypted email, as soon as reasonably possible, for communicating personal health information and replace them with modern, secure, and interoperable ways of transmitting personal health information such as encrypted email services, secure patient portals, electronic referrals and electronic prescribing;</li><li>Design, adopt and implement responsible data governance frameworks, including the adoption of standards such as those developed by ISO, NIST, or CIS that provide reasonable safeguards to protect personal health information, including constant monitoring of electronic systems, periodic audits of all sources of risks to privacy and security, and effective incident response plans and mitigation measures in the event of breach;</li><li>In the process of modernizing means of communicating personal health information and before procurement, seek guidance from relevant experts to understand how to evaluate new digital health solutions;</li><li>When evaluating digital health solutions, assess their compatibility with other digital assets, compliance with health information privacy laws, and how they facilitate the rights of individuals to access their own records of personal health information;</li><li>Promote transparency by completing privacy impact assessments and proactively publishing a plain-language summary in a manner that is easily accessible to the public; and</li><li>Use the procurement process to help ensure third-party compliance by establishing contractual requirements for vendors of health information software and services.</li></ol>



<h4 class="wp-block-heading">Furthermore, Canada’s Privacy Commissioners and Ombudspersons with responsibility for privacy oversight will work collaboratively in committing to:</h4>



<ol class="wp-block-list" start="24"><li>Collaborate with governments, regulatory colleges, health sector and other relevant stakeholders to provide privacy and security guidance as the health sector transitions toward modern, secure and interoperable digital alternatives for communicating personal health information;</li><li>Educate individuals about the risks and opportunities associated with digital communications and virtual health care services, their rights to privacy and confidentiality in respect of their personal health information and how they may exercise those rights and hold others accountable;</li><li>Provide privacy and security guidance to relevant stakeholders on how to fulfill their obligations and preserve public trust;</li><li>To the extent our respective laws permit, take joint or collaborative enforcement action, as appropriate to address systemic practices in the health sector that are unreasonable because they create unacceptable and easily avoidable risks to the privacy and security of personal health information.</li></ol>



<p><sup>1</sup> “Traditional fax” refers to facsimiles (faxes) that require a paper copy of a record of personal health information to be scanned through a fax machine then transmitted via a telephone line to a recipient fax machine that prints the scanned transmission onto paper to re-create the original copy.</p>



<p><sup>2</sup> EHRs are often regarded as secure and interoperable records of your health history that are accessible across a number of health care institutions and providers. EMRs are electronic patient record keeping systems typically constrained to a specific primary care physician or group of primary care physicians. HIS are, similarly, electronic patient record keeping systems typically constrained to a specific hospital.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Communicating with Patients Electronically</title>
		<link>https://oipc.ab.ca/resource/electronic-patient-communication/</link>
		
		<dc:creator><![CDATA[ssibbald]]></dc:creator>
		<pubDate>Thu, 24 Feb 2022 22:01:32 +0000</pubDate>
				<guid isPermaLink="false">https://staging.oipc.ab.ca?post_type=resource&#038;p=2282</guid>

					<description><![CDATA[]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>Custodians have a duty to protect the privacy of patients and the confidentiality of health information in their custody or control, as outlined in section 60 of the Health Information Act (HIA). The risks of communicating with patients electronically must be considered.</p>
<p>Responsibility for safeguarding health information cannot be transferred to a patient by having a patient sign a consent form or disclaimer to accept the risks associated with electronic communications.</p>
<p>Electronic communications with patients can improve efficiency by:</p>
<ul>
<li>Sending appointment reminders</li>
<li>Setting up specialist appointments</li>
<li>Notifying patients about a new service offering</li>
<li>Following up with patients on a treatment plan</li>
</ul>
<h4>Risks of Electronic Communications</h4>
<p>Electronic communications are susceptible to certain risks, such as:<br />
Interception: If accounts or devices are shared or accessible by multiple people, the wrong recipient may read the message.</p>
<ul>
<li>Misdirection: Patients may have similar names or account addresses and a message may be sent to the wrong patient.</li>
<li>Alteration: Test results can be sent to a patient who may alter the document and send the changed results to another health care provider, which will appear to be trusted health information.</li>
<li>Loss: If a service provider manages cloud storage of emails or other electronic records, when there is an outage, a security breach, or a service provider goes out of business or is taken over by another entity, access to health information may be lost. Additionally, certain security incidents may result in the loss of health information entirely.</li>
<li>Inference: The name and nature of a health service provider on its own may reveal health information of an individual if other individuals, such as friends or family members, have access to or can see notifications on a patient’s device.</li>
</ul>
<h4>Mitigating Risks</h4>
<p>HIA requires that custodians take reasonable steps to maintain safeguards to protect the confidentiality of health information and to protect against any threats to the security of health information, to the loss of health information, and to any potential breaches of health information (e.g. unauthorized use, disclosure, modification or access to health information).</p>
<p>In light of the various risks associated with communicating with patients electronically, consideration must be given to protecting health information, including:</p>
<ul>
<li>Managing electronic records: There are additional challenges for the secure storage and maintenance of electronic communications.</li>
<li>Identification: Electronic communications raise questions about how a patient can verify and trust that the sender is a clinic or custodian.</li>
<li>Device management: Electronic communication is often done with the use of mobile devices. Safeguards around how a device is stored, whether devices are used outside a clinic or office environment, who owns the device, whether health information is stored in a cloud or on a device itself, and appropriate uses of devices outside of a clinic or office environment must be considered.</li>
<li>Encryption: Diagnostic, treatment and care information should be encrypted. A message itself, attachments or a combination of these may require encryption. If mobile devices are used to store health information, those devices must be encrypted.Consider programs or technical advice to help in setting up processes and procedures for encrypting electronic communications and devices.</li>
<li>Limiting amount of health information: When sending or receiving health information that does not include clinical details, limit the amount of health information sent electronically; limit the amount of health information collected using web forms or electronic templates; and tell patients exactly what will and what will not be communicated electronically, in addition to how messages containing clinical information will or will not be accepted.</li>
<li>Policies: There are certain policies and procedures that should be considered, such as policies that address:
<ul>
<li>Communicating with patients electronically and acceptable uses of mobile devices</li>
<li>Training staff on secure electronic communication (e.g. training on encryption methods)</li>
<li>Determining how to manage records sent by patients (e.g. if a patient sends unsolicited health information via email, how will it be managed?)</li>
<li>Regularly confirming patients’ preferred methods of communication and contact information (e.g. ensure email addresses are up to date and that a patient prefers to receive certain updates via email)</li>
<li>Notifying patients of risks when communicating electronically (e.g. whether another individual has access to certain accounts or electronic devices)</li>
</ul>
</li>
</ul>
<h4>Policy and PIA Requirements</h4>
<p>HIA requires that a custodian establish or adopt policies and procedures to facilitate implementation of the Act (section 63). It also requires a custodian to submit a privacy impact assessment (PIA) to the Office of the Information and Privacy Commissioner before implementing a new practice or information system – or when making changes to an existing practice or system – that collects, uses or discloses individually identifying health information (section 64).</p>
<p>If a custodian is considering electronic communication tools to correspond with patients they must have appropriate risk mitigation strategies and policies. A PIA helps to manage privacy risks when communicating with patients electronically before such tools are implemented.</p>
<p><em>June 2019</em></p>

<table id="tablepress-2" class="tablepress tablepress-id-2">
<tbody class="row-striping">
<tr class="row-1">
	<td class="column-1"><p><strong>Disclaimer</strong><br><br />
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the laws <a href="https://oipc.ab.ca/legislation/" target="_blank" rel="noopener">the OIPC oversees</a> and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of <a href="https://www.alberta.ca/alberta-kings-printer.aspx" rel="noopener" target="_blank">Alberta King's Printer</a>.</p><br></td>
</tr>
</tbody>
</table>
<!-- #tablepress-2 from cache -->

		</div>
	</div>
</div></div></div></div>
</div>]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
