Complete guide to Canadian hospital privacy impact assessment (PIA) — PHIPA requirements, PIPEDA compliance, privacy risk assessment, IPC submission, and PIA software.
PIAs are required under PHIPA for new initiatives involving PHI. Privacy commissioners oversee compliance. This guide covers Canadian PIA.
PIA Process
- Trigger identification: Identify when PIA is needed (new system, change, data sharing)
- Project scoping: Scope the project and data flows
- Data inventory: Inventory all PHI collected, used, disclosed
- Legal authority: Identify legal authority (PHIPA, PIPEDA, provincial)
- Risk assessment: Assess privacy risks (likelihood x impact)
- Mitigation: Develop mitigation measures for identified risks
- Security measures: Document security measures (encryption, access, audit)
- Consultation: Consult stakeholders (privacy officer, clinicians, IT)
- Sign-off: Obtain sign-off from privacy officer and executive
- Submission: Submit to privacy commissioner if required
PIA Risk Assessment
| Risk | Description | Mitigation |
|---|---|---|
| Unauthorised access | Staff access PHI without need | RBAC, audit logging, MFA |
| Data breach | PHI exposed to unauthorised parties | Encryption, breach response plan |
| Over-collection | Collect more PHI than needed | Data minimisation principle |
| Secondary use | PHI used for purpose other than collected | Purpose limitation, consent |
| Data sharing | PHI shared with third parties | BAA, data sharing agreement |
| AI/ML bias | AI tools may introduce bias | Algorithm audit, human oversight |
| Cloud risk | PHI stored in cloud (data residency) | Canadian data centres, BAA |
Frequently Asked Questions
- When is a PIA required in Canadian hospitals?
- A Privacy Impact Assessment (PIA) is required when: 1) Implementing new systems that collect/use PHI, 2. Changing existing systems (significant changes), 3. New data sharing arrangements, 4. New AI/ML tools using PHI, 5. Cloud migration, 6. New telehealth platforms. PHIPA requires PIAs for new initiatives. Some provinces require PIA submission to the privacy commissioner.
- What should a Canadian hospital PIA include?
- Canadian hospital PIA should include: 1) Project description, 2. Data inventory (what PHI is collected, used, disclosed), 3. Legal authority (PHIPA, PIPEDA, provincial legislation), 4. Privacy risk assessment, 5. Mitigation measures, 6. Security measures, 7. Data retention and disposal, 8. Breach response plan, 9. Stakeholder consultation, 10. Recommendations and sign-off.
- What is the role of the Privacy Commissioner?
- Canadian privacy commissioners: 1) Federal — OPC (Office of the Privacy Commissioner) for PIPEDA, 2. Ontario — IPC (Information and Privacy Commissioner), 3. BC — OIPC, 4. Alberta — OIPC, 5. Quebec — CAI. Commissioners: investigate complaints, issue orders, conduct audits, provide guidance, and review PIAs. Hospitals must cooperate with commissioner investigations and audits.