When Do You Need a PIA Amendment?

When Do You Need a PIA Amendment?

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

Prior to applying for the Alberta  CII / CPAR Grant, your practice must have a privacy impact assessment that reflects the current clinic environment.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.


3 Options to Help you Create your Privacy Impact Assessment

DIY – Do It Yourself – The Privacy Impact Assessment course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course, Includes PIA templates, training sessions live and the replays, and access to me to ask your questions and receive feedback to help you get un-stuck.

DFY – Done For You – I prepare your Health Information Management Privacy and Security Manual policies and procedures and your Privacy Impact Assessment. You receive both paper and electronic copies of all the documents.

DWY – Done With You – a hybrid solution, you register for the on-line course and do the information gathering and preparation of your Privacy Impact Assessment submission with coaching from me in the course. I will also assist you to prepare the customized privacy and security policies and procedures, and resources as needed at an hourly consulting rate.

Find out more here: Privacy Impact Assessments or send me an email.