Add Custodians To Your PIA
Congratulations! You have expanded your practice and recruited a new healthcare provider to your team. Now you also need to add a custodian to your PIA.
To do this, you need to orientate the provider to your practice, including the policies and procedures that protect the privacy, confidentiality, and security of personal health information, and inform the Office of the Information and Privacy Commissioner (OIPC).
When the new healthcare provider is a member of a regulated health profession as defined by the health privacy legislation in Alberta, the Health Information Act (HIA), the provider also has responsibilities as a custodian.
A health service provider; specifically, a member of the following regulated health professions: Optometrists, Opticians, Chiropractors, Midwives, Podiatrists, Denturists, Dentists and dental hygienists, Registered nurses, Pharmacists, and Physicians (and others).
An employee of a custodian or as designated by the custodian, for example, a medical office assistant or receptionist.
The incoming custodian must ensure that reasonable administrative, technical, and physical safeguards to protect the personal health information are implemented in the practice. This includes ensuring that they have reviewed the current privacy impact assessment (PIA).
The lead custodian also has an obligation under the Alberta Health Information Act (HIA) to inform the Office of the Information and Privacy Commissioner (OIPC) when there are changes to the organizational management of the clinic.
How To Add Custodians To Your PIA
In Alberta, the lead custodian in a clinic must update their PIA regularly and inform the OIPC when there are significant changes to their PIA.
One common trigger for informing the OIPC is the addition of a custodian to the practice. Often, this PIA amendment can be as simple as a letter to the OIPC.
1. The lead custodian or privacy officer will prepare an amendment to the previously submitted Privacy Impact Assessment when new custodians join the practice. Often a letter to the OIPC signed by the lead custodian is sufficient.
2. The PIA amendment must include how the custodian has been made aware of the current PIA and how they are meeting their requirements to enter into an agreement with information managers as defined in the Health Information Act section 66.
3. The lead custodian will submit the PIA amendment to the OIPC for acceptance.
4. The new custodian must acknowledge that they have been informed of the Health Information Privacy and Security Policies and Procedures and the submitted PIA and agree to follow these practices. The new custodian will sign the letter to the OIPC and attach it to the PIA amendment from the lead custodian (in step #1 above) to the OIPC for acceptance.
Routine Onboarding Of New Employees
Before the new custodian is granted access to patient health information, your computer network, and your electronic medical record (EMR), you need to ensure that new custodians are aware of your Health Information Privacy and Security Policies and Procedures, PIAs, and information manager agreements, including the information management agreements with Alberta Netcare Portal, patient records management, EMR vendor, billing vendor, and/or others.
You should have a written policy and procedure ‘When a New Physician / Custodian Joins Your Practice’ to guide you when onboarding new custodians. The procedure should include the forms below and template letters to the OIPC. These templates are also available to members of Practice Management Success.