Privacy FAQs

What is a provincial Organizational Readiness Assessment?

A provincial Organizational Readiness Assessment (pORA) is an assessment of the ability of a clinic to protect the security of provincial health information databases for which health service providers are seeking access. The pORA is largely about computer security and related processes. It is required when a health service provider is seeking approval to access a provincial health information database by connecting to portals such as the Alberta Netcare electronic health record portal. It is an assurance that the clinic is able to provide sufficient security to meet the requirements of the Health Information Act.

The pORA process is managed by the Alberta Health Information and Policy Compliance (IPC) unit. For more information on the pORA, please contact the following:

Alberta Netcare Enrolment Line
1.866.756.2647 toll free
or in Edmonton 780.642.4082
Email


What is a privacy impact assessment?

A privacy impact assessment (PIA) is a due diligence exercise in which a custodian of health information identifies, analyzes and addresses potential privacy risks that might occur in the course of a clinic's operations. For example, there is potential for privacy risk in administrative practices and within information systems relating to the collection, use or disclosure of individually identifying health information.

Not only is a PIA conducted to inform a specific project such as the implementation of a new medical record system, but it can also be used to examine organization-wide practices that may have an impact on privacy.

A PIA provides documented assurance to your clinic, the Office of the Information and Privacy Commissioner (OIPC) of Alberta and the public that all privacy issues related to a particular initiative have been identified and addressed. A PIA is also a mandatory exercise for each Physician Office System Program (POSP) clinic during the transition to a qualified electronic medical record solution. During the development of the PIA, a POSP resource assists the clinic in reviewing and documenting the physical, technical and administrative privacy and security functions.

For more information, contact OIPC at 780.422.6860 or visit the OIPC website.


Why does a privacy impact assessment need to be conducted?

Section 64 of Alberta's Health Information Act states that each custodian must prepare a privacy impact assessment that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individual who is the subject of the information. The custodian must submit the privacy impact assessment to the Commissioner for review and comment before implementing any proposed new practice or system or any proposed change to existing practices and systems.


How does POSP assist with the privacy requirements?

Once you have selected your qualified service provider (EMR vendor), the Physician Office System Program will assist you in completing your privacy impact assessment, which reviews the risks that the introduction of any new program, system and practice may have on individual patient privacy. Any changes to your clinic's operation are evaluated to ensure compliance with the privacy requirements under Section 64 of Alberta's Health Information Act.


How is the privacy impact assessment conducted for my clinic?

Your Physician Office System Program (POSP) change management advisor or portfolio coordinator will assist you in scheduling a privacy and security expert who will assist you in completing your clinic's privacy impact assessment (PIA).

A draft PIA will be prepared for your review. It will then be your clinic's responsibility to finalize the assessment and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta for review and comment before your new electronic medical record (EMR) solution becomes operational.

You are also required to advise POSP when you submit your PIA to OIPC. Copy POSP on the OIPC covering letter and send to:

Privacy & Security, POSP
Suite 200, 12431 Stony Plain Road NW
Edmonton, AB T5N 3N3
Fax: 780.452.1869
Email POSP


When would it be necessary to change or amend our clinic's PIA?

A privacy impact assessment (PIA) is a dynamic document that must be reviewed and/or updated before implementing any proposed new practice or system or any proposed change to existing practices or systems. For example, a new hardware and/or software or electronic medical record implementation could create privacy risks relating to the collection, use or disclosure of individually identifying health information.

A clinic that is physically moving should also review its security to ensure consistency with its PIA.


Do we need to review or amend our PIA if a new physician joins our clinic?

The incoming physician is required to read and acknowledge understanding of your clinic's privacy and security policies and procedures and review the clinic's PIA — which should be done at the clinic with the appointed privacy officer. The physician then signs a letter which acknowledges acceptance of the clinic's PIA. The letter is sent to the Office of the Information and Privacy Commissioner (OIPC) of Alberta to update their files, and a copy is sent to POSP at:

Privacy & Security, POSP
Suite 200, 12431 Stony Plain Road NW
Edmonton, AB T5N 3N3
Fax: 780.452.1869
Email POSP


Is any privacy training available to support our clinic?

Privacy training is available as one of Physician Office System Program's (POSP's) change management services to ensure your clinic's privacy officer, physicians and other clinic members are knowledgeable on privacy regulations and best practices. This service is recommended following electronic medical records (EMR) selection and clinics may return to the training anytime to refresh their knowledge or train new staff.

Privacy training is available online. Physician privacy training is accredited for Mainpro-M1 credits.


What process should we follow if our clinic has a privacy breach?

A suspected privacy breach should be identified and immediately reported to the clinic manager and privacy officer, who in turn notify POSP Privacy and Security, and the Office of the Information and Privacy Commissioner (OIPC) of Alberta. A privacy breach can take place when there is unauthorized access to or collection, use, disclosure or disposal of personal or health information. Each clinic's privacy impact assessment (PIA) details the process to follow should a suspected privacy breach take place.

For more information, contact the OIPC at 780.422.6860 or visit the OIPC website.


We currently use an EMR vendor other than Med Access or TELUS Physician Solutions (PS Suite and Wolf EMRs). What privacy issues might be realized during the transition to our VCUR 2008 EMR solution and how should they be managed?

A transition from a VCUR 2006 EMR vendor or other vendor to a Physician Office System Program (POSP) VCUR 2008 solution has the potential to create privacy issues. POSP has reviewed the anticipated risks and submitted a Data Migration Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) of Alberta that outlines potential risks and a proposed mitigation strategy. Clinics will be briefed prior to transitioning and will sign an Information Manager Agreement with the vendor who is providing the new solution. The agreement outlines the process and necessary steps to protect the data.


Is it necessary to inform POSP if our clinic changes its privacy officer?

A change of privacy officer should be communicated to:

Privacy & Security, POSP
call 780.452.1616
or toll free 1.866.817.3875 
Email Privacy & Security at POSP


Who do I contact at POSP for more information and assistance with our clinic's privacy requirements?

For information and assistance regarding your privacy impact assessment or other privacy and security issues related to your VCUR 2008 electronic medical record, contact:

Privacy & Security, POSP
Tel: 780.452.1616
Toll Free: 1.866.817.3875
Email Privacy & Security at POSP