What you need to know about privacy agreements

Privacy agreements

As custodians of health data, physicians are responsible for ensuring the privacy, confidentiality and security of personal health information. Tools and guidelines have been created to assist custodians in meeting their privacy obligations and ensuring compliance with the Health Information Act and the CPSA Standards of Practice. This includes guidance on the agreements that must be in place for Primary Care Networks (PCNs) when exchanging, sharing and otherwise using health data on behalf of the custodian.

Using the Tools

The AMA has worked with legal counsel and key stakeholders to create both a memorandum, which addresses the privacy obligations of custodians, and templates that physicians and PCNs can use as a starting point for addressing their privacy obligations.

Each PCN and/or clinic is unique and it’s critical that these templates be customized to reflect the nature of the data use and data sharing in each situation. Details surrounding the use of data or the description of services provided can be embedded in the body of the agreement or documented in a separate schedule as part of the agreement.

Refer to the Privacy Agreement Matrix and Frequently Asked Questions to determine which agreement(s) is appropriate for your situation.

Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is a legislative requirement for custodians. They must submit a PIA when they plan to implement new administrative practices or information systems that collect, use or disclose health information about identifiable individuals. This applies to changes to practices or systems (section 64 of the Health Information Act [HIA]). The OIPC provides guidance on PIA requirements.

Information Manager Agreement

An Information Manager Agreement (IMA) is a legislative requirement under the HIA between custodians and the Information Manager(s).

An Information Manager is defined in the HIA [section 66 (1)] as a person or body that

(a) processes, stores, retrieves or disposes of health information,
(b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, and
(c) provides information management or information technology services.

The AMA has developed two IMA templates to address the various scenarios.

The Generic IMA is appropriate for

  • Improvement facilitators or other external consultants with access to EMR data;
  • PCN staff performing information manager functions as identified in the HIA;
  • PCN staff sharing EMR data with AHS and receiving altered data in return;
  • Data stripped, encoded, or transformed by a party other than the custodian, including non-clinical PCN staff.

The Vendor IMA can be used for scenarios where

  • PCNs or member clinics are using a billing agent or external transcription service;
  • PCNs or member clinics are using a storage firm for electronic or paper records;
  • PCNs or member clinics are using an application service provider or remote data storage;
  • Data is processed, stored, retrieved, or disposed of by a party other than the custodian, including non-clinical PCN staff;  
  • A party other than the custodian provides information technology services.  

Information Sharing Agreement

An Information Sharing Agreement (ISA), as per the standards of the College of Physicians & Surgeons of Alberta (CPSA), is the legal contract that defines the data stewardship rules and processes that the parties have agreed to.   

Many physicians enter practice and share patient charts without considering what happens to the records when one of their colleagues leaves or when there is a change in management/ownership of the clinic. When forming/joining a clinic, physicians need to ensure they have an ISA that

  • Ensures all professional obligations and legal duties related to the use and disclosure of records are fulfilled;
  • Outlines the terms and conditions of the exchange (sharing) of custodian duties in a common manner within a shared patient record environment;  
  • Helps guide issues pertaining to the management, security requirements, and professional responsibilities relating to the sharing of patient records;
  • Outlines what will happen to the patient records as custodians enter and leave the clinic.

Supporting Documentation

For more information, or if you have questions or concerns, please contact Caroline Garland.

The Alberta Medical Association stands as an advocate for its physician members, providing leadership & support for their role in the provision of quality health care.