The Alberta Health Information Act (HIA) governs how health information custodians collect, use, and disclose health information in Alberta. ThreeShield delivers HIA security safeguard assessments, PIA support, and continuous Lavawall® monitoring tailored to Alberta healthcare requirements.
Custodians must protect health information against unauthorized access, use, disclosure, modification, loss, and destruction. Safeguards must be "reasonable" given the sensitivity of the information and the risk of harm. The OIPC publishes guidance on what "reasonable" means technically.
Custodians must notify affected individuals and the OIPC when there is a breach that could "reasonably be expected to cause harm." Notification must happen as soon as reasonably practicable. Breach response plans are essential.
New information systems and programs involving health information require PIAs submitted to the Minister (Alberta Health). EMR implementations, cloud migrations, and telehealth platforms all trigger PIA requirements. ThreeShield supports PIA development.
Health information stored or processed outside Canada requires authorization under the HIA. Default M365 and Google Workspace configurations may store data in US regions. Custodians must configure Canadian data residency or obtain appropriate authorization.
Custodians must have agreements with affiliates (including software vendors, MSPs, and IT providers) that establish obligations for health information handling. Your IT provider and EMR vendor must be operating under appropriate agreements.
Access to health information must be restricted to those who need it. Access logs must be maintained to detect unauthorized access. Lavawall® monitors M365, EMR access patterns, and device compliance continuously.
The Office of the Information and Privacy Commissioner of Alberta (OIPC) investigates HIA breaches and can issue orders requiring compliance, including specific technical controls. OIPC investigations are often triggered by patient complaints or self-reported breaches. ThreeShield's CISSP/CISA assessments use OIPC guidance as the compliance benchmark.
Yes. The HIA applies to all health information custodians regardless of size - including a solo physician's practice. The standard for "reasonable" safeguards is scaled to the sensitivity of the information and the organization's resources, but the obligation exists. Many small clinics are surprised by what reasonable safeguards actually require when they first go through an assessment.
Not automatically. HIPAA compliance addresses US federal requirements; HIA compliance requires meeting Alberta-specific obligations including PIA submissions, data residency requirements, and OIPC notification procedures. Your EMR vendor being HIPAA compliant is a positive indicator, but you still need to assess your specific HIA custodian obligations.
The harm threshold considers: the sensitivity of the information involved, the probability the information will be used in a harmful way, the severity of the harm, the number of individuals affected, and whether the information could identify the individual. In practice, any breach involving diagnostic information, mental health records, or HIV/AIDS status typically meets this threshold. When in doubt, notify - the HIA favors notification over silence.
ThreeShield meets you at your current security maturity. Every level includes Lavawall®.
For lean IT teams and cost-conscious organizations with internal security capacity
Expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity
Full compliance delivery - ThreeShield manages the entire program end to end
Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.