In 2026, the privacy landscape for Alberta physiotherapists changed dramatically with the declaration that registrants of the College of Physiotherapists of Alberta are designated custodians under the Health Information Act (HIA, “the Act”). Health information collected, used, stored, and disclosed by physiotherapists is governed by the Health Information Act.
Physiotherapists are required to comply with the HIA regardless of their practice environment and nature of their employment; however, the extent of work they are individually required to undertake to ensure compliance will vary depending on their practice setting and role within that setting.
An important distinction between the HIA and other privacy legislation, such as the Personal Information Protection Act (PIPA), which previously applied to health information collected, used, and disclosed in private practice physiotherapy settings, is that the HIA is authority-based legislation rather than consent-based.
Under the HIA, physiotherapists are granted the authority to collect, use, and disclose health information for purposes that have been identified in the Act. The physiotherapist does not seek consent when collecting or using health information for a purpose identified in the Act, provided they identify to the client, at the time of collection, their legal authority to collect health information and the purpose(s) for which it is collected or used. The physiotherapist seeks consent only for collection, use, and disclosure of health information that is not authorized by the Act. This differs considerably from PIPA, under which a physiotherapist was required to obtain consent for all collection, use, and disclosure of patient information.
This guide contains information about the HIA and is intended to help physiotherapists comply with that legislation. The guide focuses on the requirements of the HIA in relation to the collection, use, disclosure, security, and destruction of health information as defined in the Act and underlying privacy principles that support compliance with the Act. It should be used in conjunction with Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians, which provides information regarding policy and procedure requirements for physiotherapist custodians.
The HIA applies to all health information; however, there are instances where physiotherapists may also collect and use private information that is not subject to the HIA. For more information about information that is not subject to the HIA and the legislation and requirements relevant to this information, see Appendix 1.
Please review this guide in its entirety as it contains important information that is difficult to summarize.
Section 1(1) of the Health Information Act (HIA) includes several terms which have specific meaning and which all physiotherapists must be familiar with.
Custodian: a health services provider who is designated in the HIA or Health Information Regulation (HIR) as a custodian, or who is within a class of health services providers that is designated in the HIR. Custodians include health organizations (such as hospitals and continuing care facilities) and regulated members of health professions who are designated custodians in the HIR.
Custodians are accountable to ensure that policies, procedures, and practices are in place to protect health information and comply with the stipulations of the HIA and HIR. Custodians are responsible for their affiliates’ compliance with the HIA.
Affiliate: an individual who has been designated as an affiliate by a custodian under the HIA, and who:
- Is employed by the custodian,
- Performs a service for the custodian as an appointee, volunteer, or student or under a contract or agency relationship with the custodian,
- Is an information manager, or
- Is designated under the regulations to be an affiliate.
In cases where a physiotherapist custodian employs support personnel in the private sector, the support personnel must be designated as affiliates of the physiotherapist custodian.
Health information: one or both of the following:
- Diagnostic, treatment, and care information
- Registration information
Diagnostic, treatment and care information: information about any of the following, and includes any other information collected when a health service is provided to the individual:
- The physical and mental health of an individual
- A health service provided to an individual, including information specified in the Act about the physiotherapist who provided physiotherapy services
- A health care aid, device, product, equipment, or other item provided to an individual
- The amount of any benefit paid or payable under the Alberta Health Care Insurance Act or any other amount paid or payable related to a health service
Registration information: means an individual’s demographic information, location, residency, health service eligibility, telecommunication information, and billing information.
Individually Identifying: when used to describe health information, means that the identity of the individual who is the subject of the information can be readily identified from the information.
Personal Information: for the purposes of this document, includes all information to which the HIA does not apply but would be considered private and confidential, including employee information protected under PIPA, and information that is subject to the Protection of Privacy Act (POPA), the Access to Information Act (ATIA) or the Personal Information Protection and Electronic Documents Act (PIPEDA).
Privacy Management Program: includes the custodian’s policies and procedures for health information management, and their plans regarding training, monitoring, oversight, and risk management related to the custodian’s compliance with the requirements of the HIA and its regulations. Additional information about privacy management program expectations can be found on the Government of Alberta website (effective late June 2026).
According to the Health Information Act and Health Information Regulation (HIR, the Regulation), all registrants of the College of Physiotherapists are designated custodians under the Act. As custodians, each physiotherapist is responsible and accountable for their compliance with the HIA’s provisions.
Physiotherapists should default to the understanding that they are a custodian with all the responsibilities and requirements inherent with that role.
However, there are times when a physiotherapist may be designated as an affiliate to an individual or organization that is a custodian under the HIA (e.g., physiotherapists employed in hospital settings or continuing care centres). In such situations, the relationship between affiliate and custodian and their respective responsibilities and accountabilities must be clearly identified in writing and address the requirements specified in the HIR.
To be designated as an affiliate to a custodian, the following requirements must be met:
- The other individual or organization must be designated as a custodian under the Health Information Act, in accordance with Section 1(1)(f) of the Health Information Act or Section 2 of the Health Information Regulation.
- The other individual or organization has identified, in writing, that the physiotherapist is their affiliate.
Regardless of the practice setting, “A custodian must designate an individual who is responsible for the overall security and protection of health information in the custody or under the control of the custodian.” (HIR, Section 8(2)). This individual is often referred to as the practice setting’s Privacy Officer.
The Privacy Officer may be a custodian under the Act or may be an affiliate of a custodian:
- Hospitals and other large institutions that are custodians under the Act typically identify an employee to be the Privacy Officer. This person, by virtue of their employment relationship, would be classified as an affiliate of the institution.
- Large private practice settings may employ multiple health professionals who are each designated as custodians under the Act. If these custodians all employ the same operational systems, policies, and procedures, they may designate a single Privacy Officer to oversee the security and protection of health information. This individual may be an affiliate of the custodians (e.g., by virtue of their employment relationship) or may belong to a category of people designated as custodians under the Act. Designating a Privacy Officer does not change the fact that each of these health professionals is a custodian under the Act and is ultimately held accountable for their compliance with the Act.
- In a sole practice environment, the individual physiotherapist remains a custodian under the Act and must also fulfill the duties of Privacy Officer. In essence they appoint themselves to fulfill the duties described in HIR, Section 8(2).
A Privacy Officer oversees activities related to adherence with the Act and the security and protection of health information. They may also be assigned other privacy-related duties such as responding to privacy concerns and serving as a single point of contact for patients and the Office of the Information and Privacy Commissioner. The individual should be familiar with the HIA and related guidance documents and have the authority to fulfill the role.
However, even if they have assigned privacy related duties to a Privacy Officer, the physiotherapist remains a custodian and retains ultimate responsibility for all aspects of their compliance with the Act.
Custodians are required to develop formal written policies and procedures that outline how they will fulfill their obligations under the HIA.
Physiotherapists designated as affiliates are subject to policies and procedures developed by their custodian. They are required to be familiar with the custodian’s policies and procedures and to identify instances where these policies and procedures are not consistent with the requirements of the Act.
If the physiotherapist is not designated as an affiliate to a custodian, the physiotherapist is required to develop these policies and procedures themselves.
Refer to Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for further information and guidance. Formal written policies and procedures are a requirement for HIA compliance and are a prerequisite for eligibility for Netcare access.
If you are uncertain about how to manage a privacy situation, and the legislation and other documents are not instructive, consider the following nine privacy principles that serve as the foundation for the Health Information Act.
Access
Individuals have the right to access their health information and the right to seek a correction or amendment to the health information about them that is in the custodian’s custody and control. Both rights are subject to some exceptions as specified in the legislation (HIA, Part 2, Sections 7, 11, 13 & 14).
Accountability
Custodians are responsible for the protection of health information under their custody and control. Physiotherapists in the role of custodian are responsible and accountable to fulfill all the duties of a custodian as identified in the Act. Physiotherapists who are designated as affiliates are responsible and accountable to adhere to the policies and procedures of the custodian, and the requirements of the HIA.
Accuracy
Health information must be as accurate, complete, and current as necessary.
Authorization
Individually identifying health information may only be collected or used for purposes authorized by Section 27 of the Act. When collecting health information, the custodian and their affiliates must identify their specific legal authority to collect the information. Section 20(b) of the Health Information Act authorizes collection where the information is required for a purpose authorized under Section 27.
Some disclosures of individually identifying health information are authorized by Section 27. Where legislative authority for disclosure does not exist, information may only be disclosed with the knowledge and consent of the individual, with limited exceptions specified in the legislation.
Challenging compliance
A custodian must provide a way for individuals to challenge their compliance with the above principles. In Alberta, clients can complain to the Information and Privacy Commissioner if they believe that a custodian has contravened privacy legislation.
Limiting collection, use, disclosure, and retention
The HIA’s underlying assumption is that a custodian only collects, uses, or discloses individually identifying health information for a purpose identified under Section 27 of the HIA, or with consent of the client, and that the least information necessary shall be collected, used, or disclosed to fulfill that purpose. The information collected is limited to what is necessary to fulfill the purposes identified and must be collected by fair and lawful means. Individually identifying health information must only be used and disclosed for the purpose for which it was collected, except with consent or as required by law. Information can be kept only as long as necessary to fulfill the identified purpose.
Openness
Information about a custodian’s privacy policies and practices must be readily available upon request.
Purpose
The purpose for which the information is being collected must be identified before or during the collection.
Safeguards
Health information must be protected by adequate administrative, physical, and technical safeguards appropriate to the information’s sensitivity.
Step 1: Get Familiar with the HIA and HIR
To enhance your understanding of privacy rules, review the legislation and other resources.
- Health Information Act (HIA) - legislation is available from Alberta King’s Printer.
- The Health Information Act Guidelines and Practices Manual provides additional information about the Act.
- The Office of the Information and Privacy Commissioner of Alberta’s website (www.oipc.ab.ca) contains comprehensive information about the HIA.
Questions? Contact
- Service Alberta HIA Help Desk 780.427.8089 (for toll-free dial 310.0000 first)
- Office of the Information and Privacy Commissioner of Alberta 780.422.6860 or 1.888.878.4044
Step 2: Review or Establish Policies and Procedures
If employed as an affiliate of a custodian designated under the HIA, you are required to follow privacy policies and procedures put in place by your employer. Review the policies to confirm they address the principles and requirements set out in this guide and the requirements of the Act and ensure that you are in compliance with the HIA.
If working as a custodian, you are required to create and administer policies and procedures that address the requirements of the HIA.
Remember that unless you have documentation indicating that you are an affiliate to a designated custodian under the HIA (such as a contract, job description or other formal document), YOU are the custodian and this is your work to do.
Refer to Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for information and guidance on what considerations should be addressed by these policies and procedures and how to develop them. The document also contains sample language that physiotherapists can use as a starting point for policy and procedure development.
Step 3: Appoint a Privacy Officer/Individual Responsible to Oversee Compliance with the HIA
“A custodian must designate an individual who is responsible for the overall security and protection of health information in the custody or under the control of the custodian.” (HIR, Section 8(2)).
A Privacy Officer may be a custodian under the Act or may be an affiliate of a custodian. The individual should be familiar with the HIA and related guidance documents and have the authority to fulfill the role. The individual does not have to be a physiotherapist.
The Privacy Officer’s role is to oversee activities related to adherence with the Act. They have a legislated duty to oversee security and protection of health information. However, they may also take on other privacy-related duties such as responding to privacy concerns and serving as a single point of contact for patients and the Office of the Information and Privacy Commissioner. This person’s name must be clearly identified and made known to patients and others within the practice setting.
The Privacy Officer
- Oversees the custodian’s privacy management program, including the administration of the custodian’s privacy policies and procedures.
- Ensures that:
  - The custodian’s collection notice is made publicly available.
  - Staff are adequately trained regarding the custodian’s privacy policies and procedures.
  - Forms consistent with the requirements of the HIA are used to obtain consent for disclosure (when required) and for other actions authorized under the Act (e.g., access, amendment, research disclosure).
  - Safeguards are in place to protect health information.
  - Information Manager Agreements are in place with third-party service providers, consistent with the requirements of the Act.
- Responds to questions and concerns regarding the protection of health information.
- Liaises with external groups and serves as a single point of contact for the Office of the Information and Privacy Commissioner and for members of the public, responding to questions regarding the custodian’s privacy policies and procedures, addressing concerns, and responding to privacy breaches.
- Processes privacy-related complaints.
- Manages requests for access to, or correction of, a client’s file.
However, unless a physiotherapist has been designated as an affiliate to a custodian, they remain a custodian under the Act. The physiotherapist retains responsibility for all aspects of their compliance with the Act and for the actions of their affiliates, including the actions of the Privacy Officer.
If a custodian has not designated a Privacy Officer, or works in a sole practice environment, the individual physiotherapist custodian must fulfill the duties of Privacy Officer.
Step 4: Train Affiliates in HIA Requirements, Policies, and Procedures
As part of the privacy management program, custodians must ensure their affiliates are aware of the provisions of the HIA, the custodian’s privacy policies and procedures, and that affiliates have the knowledge and skills necessary to handle privacy concerns.
Custodians are encouraged to have their affiliates review this guide in addition to the custodian’s HIA policies and procedures, and to review and sign confidentiality agreements on an annual basis.
Step 5: Review and Update Privacy Policies and Forms Regularly
Privacy legislation and risks to privacy and confidentiality continue to evolve. Review your policies and procedures regularly to ensure compliance with legislation and to determine if your systems and processes meet your policy objectives and legislated responsibilities as well as maintain client privacy and confidentiality. Include a schedule for regular review of legislation and policies in your privacy management program.
Step 6: Identify Legislated Authority and HIA Authorized Purposes
When collecting health information subject to the HIA, the custodian and their affiliates must identify their specific legal authority to collect the information under Section 20(b) of the Health Information Act for purposes authorized under Section 27.
Section 27 of the HIA identifies the list of authorized purposes for which individually identifying health information may be collected, used, and disclosed. Custodians and their affiliates are required to identify, at the time of collection, the purposes for which they are collecting individually identifying health information. A custodian does not need to collect individually identifying health information for all of the authorized purposes identified in the Act. However, if they do not identify an authorized purpose at the time of collection, they may not use the individually identifying health information they collected for that purpose without first obtaining client consent to do so.
Non-identifying health information may be collected, used, and disclosed for any purpose.
Step 7: Create an Inventory of Health Information
Identify the health information you currently collect, use, store and disclose to create the inventory. (See Appendix II for a worksheet to help with this exercise.) You can categorize collected information into three groups:
Registration information
- Demographic information, including the individual’s personal health number
- Location information
- Telecommunications information
- Residency information
- Health service eligibility information
- Billing information
Diagnostic, treatment, and care information
- Details of all client assessments, treatments, and education
- Advice provided
- Communication with or regarding the patient
Information to which the HIA does not apply
- Employee Information (applies to employees, contractors, students, or volunteers)
- Information pertaining to services identified under Section 3.1 of the HIR as being excluded from the definition of a health service under the HIA.
When completing the inventory, identifying the category of information will help you understand if it is subject to the HIA or not, why the information is being collected, for what purposes it may be used and disclosed, how the information is currently secured, and the level of sensitivity of the information.
If during the creation of your inventory, you find you are collecting information that is not required for the provision of health services, consider revising your collection practices to prevent the collection of similar information in the future.
Step 8: Review or Establish and Publicly Display your Collection Notice
Create a collection notice identifying the authority under which health information is collected and the purposes for which that information will be used. If a custodian employs an automated system for the collection or processing of health information (e.g., an AI scribe), the use of that system should be stated in the collection notice.
Refer to Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for more information and an example collection notice.
Step 9: Limit Information Collection
The HIA requires that custodians and affiliates collect only the information needed to fulfill the purposes for which it is collected. Consider the information currently collected and ensure it directly relates to the identified purposes. If you identify that you are collecting more information than is required to fulfill the identified purposes of collection, stop collecting it.
Collect health information directly from the individual in question unless they are unable to provide the information or have authorized your collection from another source.
Step 10: Understand When Consent is Required and When It Isn’t
Under the HIA, consent is not required for collection, use or disclosure of individually identifying health information for purposes authorized by the Act. Custodians and their affiliates may also share individually identifying health information with other custodians for the purposes authorized by the Act (such as the provision of health services) without the consent of the client who is the subject of the information.
Non-identifying health information (for example information that has been stripped of individual identifiers) can be used for any purpose, without the consent of the client who is the subject of the information.
When collection, use, or disclosure of health information is not authorized under the Act, express consent from the client who is the subject of the information is required.
In circumstances where consent is obtained to enable disclosure of individually identifying health information governed by the HIA, consent must include detailed information specified in the Act.
Refer to Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for a sample consent form that addresses the Act’s consent requirements.
Step 11: Ensure Information on File is Current, Complete, and Accurate
Staff must make reasonable efforts to ensure the currency, completeness, and accuracy of health information being collected, used, or disclosed.
Step 12: Identify Processes to Access and Change or Amend Health Information
Clients and those authorized to act on the client’s behalf have the legislated right to request access to records containing their health information at any time. The HIA specifies that custodians have 30 days to respond to access requests. The HIR specifies legislated fees for access to copies of records.
Custodians must ensure clients understand the processes and fees for accessing copies of health information in their custody.
When responding to access to information requests ensure that health information about another person is not inadvertently disclosed.
Requests for amendments to health information should be made by the client, in writing, using approved forms that capture the required information. These forms become part of the patient record.
If patients request a change to their health information, determine if the information on file is factually correct. While incorrect facts/details should be amended, changing a professional opinion because a patient disagrees is not required or appropriate. If an amendment is made, the original information related to a diagnosis or treatment already rendered is to be retained. If the request is denied, ensure that the patient is aware of their options for further action as established under Section 14(1) of the HIA.
See Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for sample access and amendment forms that address the Act’s requirements.
Step 13: Identify Third Party Service Provider Affiliates
It is also important to identify any third-party consultants/contractors who may have access to health information because of their work with you. A person who “performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian” is an affiliate to the custodian.
Physiotherapist custodians are responsible for ensuring that their affiliates comply with the HIA. The requirement to comply with the HIA and the custodian’s policies and procedures must be clearly stated in information manager agreements with third parties. Information Manager Agreements must fulfill the requirements specified in Section 7.2 of the HIR.
Step 14: Establish and Communicate Processes for Handling Privacy Concerns
To ensure an open process for handling privacy related concerns:
- Identify the name of the individual responsible to address privacy concerns and complaints (i.e., the Privacy Officer).
- Ensure a confidential complaints process.
- Consider concerns objectively.
- Respond to concerns in the manner they were expressed (e.g., if submitted in writing, respond in writing).
- Seek an informal resolution wherever reasonably possible.
- Document steps taken to address concerns.
- Adjust privacy policies and practices to prevent or limit future similar concerns.
Step 15: Complete Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is required when a custodian implements or significantly changes administrative practices (e.g., operational policies and procedures) related to management of health information under the HIA, and whenever a custodian is considering implementing or making a significant change to systems used to collect, use, store, or dispose of health information (e.g., the implementation of a new electronic medical record system or contract with a new information manager).
Custodians must prepare and submit PIAs to the Office of the Information and Privacy Commissioner for review prior to implementing or changing the administrative practice or information system. Refer to Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for more information about PIAs. Additional PIA resources are available from the Office of the Information and Privacy Commissioner.
Step 16: Safeguard Health Information
Appropriate safeguards must be in place to prevent unintended or unauthorized access, modification, or destruction of health information. Completing a PIA will help custodians to identify appropriate safeguards for the health information in their custody and control. Safeguards are classified as physical, technical, or administrative controls and include but are not limited to:
Physical controls
- Locked offices and file cabinets
- Keyed or key card access to file rooms and office spaces
- Locking cables to secure electronic devices to workstations
- Preventing unauthorized viewing of computer screens through intentional positioning of devices
- Designing workspaces to limit the risk of being overheard when discussing health information
- Destroying paper records by shredding, and securely erasing electronic files rather than simply deleting them
Technical controls
- Unique user logins and strong passwords (shared accounts defeat access auditing)
- Encryption of health information while in storage and when transmitted
- Use of firewalls and antivirus software
- Keeping operating systems and software updated with security patches
- Data access rules based on defined user roles, granting each role only the access its duties require
- Auditing systems that log access to and changes of information, with the logs reviewed regularly
- Preventing unauthorized viewing of computer screens through password-protected screen savers and automatic screen locks
Administrative controls
- Identifying a Privacy Officer
- Staff training on privacy-related issues, policies, and practices
- Privacy and confidentiality agreements
- Operational policies and practices such as requiring unique user logins and strong passwords for electronic systems
- Operational policies and practices that define if paper records or devices used for electronic health information management can be removed from the practice location, and how those files or devices must be secured when in transit or out of the practice location
- Having defined employee termination procedures to ensure that access to health information and information technology systems is rescinded when employment is terminated
As part of the appropriate use of safeguards, custodians are required to regularly reassess the safeguards they have in use to ensure that foreseeable risks to health information security and integrity are properly mitigated and that appropriate safeguards are implemented when emerging risks are identified. This schedule for review of safeguards is included as part of a custodian’s privacy management program.
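Three of the safeguards listed above, role-based access rules, an audit trail of access and changes, and immediate revocation of access on termination, are easier to reason about when seen working together. The Python below is an added example written for this page; it is not code from the College’s guide or from any EMR product. The roles, record categories, user IDs and the single patient record are constructed for the illustration.

```python
"""Role-based access to health records with an audit trail (added example).

Not code from the College's guide or any EMR vendor. Roles, record
categories, user IDs and patient data are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which of the HIA's two categories of health information each role may read.
# Each role gets only what its duties require; the Privacy Officer reviews
# the audit trail but has no clinical need to read charts.
PERMITTED = {
    "physiotherapist": {"registration", "diagnostic_treatment_care"},
    "reception": {"registration"},
    "privacy_officer": set(),
}


@dataclass
class Affiliate:
    user_id: str
    role: str
    active: bool = True  # the termination procedure sets this to False


@dataclass
class RecordStore:
    records: dict                      # (patient_id, category) -> content
    affiliates: dict                   # user_id -> Affiliate
    audit: list = field(default_factory=list)

    def _log(self, user_id, patient_id, category, allowed, reason):
        self.audit.append({"when": datetime.now(timezone.utc), "user": user_id,
                           "patient": patient_id, "category": category,
                           "allowed": allowed, "reason": reason})

    def read(self, user_id, patient_id, category):
        """Return a record or raise PermissionError. Every attempt, allowed
        or denied, is written to the audit log before anything is returned."""
        user = self.affiliates.get(user_id)
        if user is None or not user.active:
            self._log(user_id, patient_id, category, False, "unknown or deactivated user")
            raise PermissionError("access denied")
        if category not in PERMITTED[user.role]:
            self._log(user_id, patient_id, category, False,
                      f"role {user.role} may not read {category}")
            raise PermissionError("access denied")
        self._log(user_id, patient_id, category, True, "permitted by role")
        return self.records.get((patient_id, category))

    def terminate(self, user_id):
        """Employee termination procedure: access is rescinded immediately."""
        self.affiliates[user_id].active = False

    def denied_attempts(self, user_id):
        """Audit review is itself restricted, to the Privacy Officer."""
        user = self.affiliates.get(user_id)
        if user is None or not user.active or user.role != "privacy_officer":
            raise PermissionError("audit review restricted to the Privacy Officer")
        return [e for e in self.audit if not e["allowed"]]


def build_demo_store():
    """Constructed sample data: one patient, three affiliates."""
    records = {
        ("P-001", "registration"): {"name": "A. Example", "phn": "000000000"},
        ("P-001", "diagnostic_treatment_care"): {"note": "knee assessment"},
    }
    affiliates = {u: Affiliate(u, r) for u, r in
                  [("pt.lee", "physiotherapist"), ("front.desk", "reception"),
                   ("privacy", "privacy_officer")]}
    return RecordStore(records, affiliates)


def attempt(store, user_id, patient_id, category):
    """Try a read; report True if allowed, False if denied."""
    try:
        store.read(user_id, patient_id, category)
        return True
    except PermissionError:
        return False


def run_demo():
    """Exercise the controls and return the outcomes plus the denied events."""
    store = build_demo_store()
    outcome = {
        "reception_registration": attempt(store, "front.desk", "P-001", "registration"),
        "reception_chart": attempt(store, "front.desk", "P-001", "diagnostic_treatment_care"),
        "physio_chart": attempt(store, "pt.lee", "P-001", "diagnostic_treatment_care"),
    }
    store.terminate("pt.lee")  # termination procedure runs
    outcome["terminated_physio_chart"] = attempt(store, "pt.lee", "P-001", "diagnostic_treatment_care")
    outcome["denied"] = [(e["user"], e["reason"]) for e in store.denied_attempts("privacy")]
    outcome["audit_events"] = len(store.audit)
    return outcome
```

Two points carry over to any real system. First, the denied attempts are logged as carefully as the allowed ones; a reception login reaching for a chart, or a terminated account still trying to read, is exactly what the Privacy Officer needs to see during the regular review of safeguards. Second, reading the audit trail is itself a privileged action, so it is checked against a role like any other read. In production the log would be append-only and kept apart from the application data so that the people being audited cannot alter it.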
Ensure service providers employ safeguards and follow privacy policies
Custodians are responsible to ensure that the health information in their custody and control is used and safeguarded in accordance with the HIA. This includes responsibility for how affiliates safeguard and use health information.
If a custodian chooses to enter an Information Manager Agreement with a third party (e.g., electronic medical record software providers, information technology specialists, accountants, etc.) the custodian must designate the third party as their affiliate. The custodian must ensure the third party knows that health information is governed by the HIA and must be collected, used, secured, disclosed, and destroyed in accordance with the provisions of the HIA and the custodian’s policies and practices. Information Manager Agreements must fulfill the requirements of Section 7.2 of the HIR and include the requirement to comply with the custodian’s policies and procedures and the provisions of the HIA.
See Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for more information about the content that must be included in Information Manager Agreements.
Service agreements with providers located outside of Alberta, or storing information outside of Alberta, must include provisions that protect the information and enable the custodian to monitor and ensure compliance with the HIA. Such agreements are one administrative safeguard used to protect health information.
Keep in mind that custodians retain responsibility for the privacy and confidentiality of health information in their custody and control, and for compliance with the HIA even when contracting out services to information managers or other parties.
Step 17: Plan for Privacy Breach Response and Reporting
Custodians are required to notify the Office of the Information and Privacy Commissioner of Alberta, the responsible government of Alberta minister, and the individual(s) affected in the event of a breach of individually identifying health information that poses a “risk of harm.”
Affiliates are expected to report suspected or confirmed privacy breaches to the custodian or their designated privacy officer according to the custodian’s policies and procedures. The custodian will then determine next steps.
See Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for more information about responding to suspected or confirmed privacy breaches of individually identifying health information, and Section 8.1 of the HIR for information about determining if a breach poses a risk of harm. Additional information about breach reporting under the HIA can be found in Chapter 14 of the Health Information Act Guidelines and Practices Manual.
1. Can I be an affiliate of a chiropractor?
Yes, a physiotherapist may work as an affiliate of any custodian designated under the Act. This includes both organizations designated as custodians (e.g., hospitals) and registrants of health profession regulators designated as custodians (e.g., chiropractors, physicians).
To be considered an affiliate of the custodian, the physiotherapist’s employment agreement or other formal documentation must clearly identify that they are an affiliate of the custodian.
2. My employer is not a custodian under the HIA. What do these rules mean for me?
If your employer is not designated as a custodian under the Act, you are the custodian and remain responsible for compliance with the HIA. You may opt to complete the day-to-day actions related to the management of health information in your custody and control or may opt to designate an affiliate to be responsible for the overall security and protection of health information in your custody and under your control (i.e., act as your Privacy Officer). This affiliate may be your employer or another individual.
However, even if you designate your employer as your affiliate for the purpose of fulfilling information management responsibilities, you retain ultimate accountability to ensure that the requirements of the HIA are met.
3. Whose responsibility is it to report a privacy breach?
The College recommends that clients speak to the custodian’s Privacy Officer if they have concerns about how their health information is collected or used, or believe that their privacy has been breached. This allows the Privacy Officer the opportunity to discuss the client’s concerns, investigate the matter, and take corrective action to address the underlying issue. Clients also have the right to contact the Privacy Commissioner’s office directly if they have a complaint or concern.
If a physiotherapist who works in the role as an affiliate becomes aware of a privacy breach or situation which may constitute a privacy breach, they should notify the custodian’s Privacy Officer as soon as possible, following the custodian’s breach reporting policies and procedures. It is the Privacy Officer’s responsibility to address the privacy breach and report it to the appropriate authority, in the case that the breach reaches the threshold for mandatory reporting.
If no Privacy Officer has been designated by the custodian, the physiotherapist, as a custodian under the HIA, is responsible to address the privacy breach and fulfill the duties associated with a breach response.
4. How does a custodian know if they need to report a breach?
A reportable privacy breach is a loss of, or unauthorized access to or disclosure of, individually identifying health information that poses a risk of harm to the individual affected.
Under the HIA, custodians must report such breaches as soon as practicable “if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure.”
5. How does the Privacy Officer know if a privacy breach poses a risk of harm?
Section 8.1 of the HIR lists factors to consider when assessing if there is a risk of harm arising from a privacy breach.
See Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians for more information about responding to privacy breaches.
6. Who does the Privacy Officer report a privacy breach to?
Privacy breaches are reported to the Office of the Information and Privacy Commissioner of Alberta, the government minister responsible, and to the individual who is the subject of the health information affected by the breach.
7. How can I ensure privacy and confidentiality of health information when using online platforms or booking systems for charting, booking, or billing?
Ensure that the third party providing the service is designated as an affiliate to the custodian and is subject to an Information Manager Agreement that includes appropriate contract terms, such as:
- Ensuring Information Manager Agreements require service providers to comply with the custodian’s policies and procedures and the provisions of the HIA.
- Ensuring the custodian has the ability to monitor the third party’s adherence to HIA policies, procedures, and legislation.
Examples of other measures include:
- Ensuring information is encrypted while electronically transmitted or stored.
- Requiring unique logins and passwords for all users.
- Employing data auditing systems to monitor for unauthorized access or changes to information.
- Limiting the collection of data/sharing of data through these platforms to the minimum mandatory information required.
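The “data auditing” measure listed above is easiest to understand from a concrete check. The script below is an added example, not code from the College guide or from any EMR or booking vendor: it reads a constructed EMR audit log (JSON lines with the assumed fields ts, user, patient_id and action), compares clinical chart accesses against a constructed care-team table (which users have a documented treatment relationship with which patient), and flags two patterns a custodian would want to review: a clinical action by a user who is not on the patient’s care team, and a user opening an unusually large number of distinct charts within a short window. The log entries, user names and patient identifiers are all constructed for the example.

```python
"""Added example: minimal EMR access-audit check (not from the College guide).

Assumed log format: one JSON object per line with ts, user, patient_id, action.
The audit log, care-team table and user names below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed audit log, as an EMR or booking platform might export it.
AUDIT_LOG = """\
{"ts": "2026-03-02T09:01:10", "user": "pt.anand", "patient_id": "P1001", "action": "view_chart"}
{"ts": "2026-03-02T09:04:32", "user": "pt.anand", "patient_id": "P1001", "action": "update_chart"}
{"ts": "2026-03-02T09:10:05", "user": "reception.lee", "patient_id": "P1002", "action": "view_demographics"}
{"ts": "2026-03-02T12:15:40", "user": "pt.baker", "patient_id": "P1001", "action": "view_chart"}
{"ts": "2026-03-02T22:30:01", "user": "it.contractor", "patient_id": "P1001", "action": "view_chart"}
{"ts": "2026-03-02T22:30:44", "user": "it.contractor", "patient_id": "P1002", "action": "view_chart"}
{"ts": "2026-03-02T22:31:12", "user": "it.contractor", "patient_id": "P1003", "action": "view_chart"}
{"ts": "2026-03-02T22:31:50", "user": "it.contractor", "patient_id": "P1004", "action": "view_chart"}
{"ts": "2026-03-02T22:32:20", "user": "it.contractor", "patient_id": "P1005", "action": "view_chart"}
"""

# Constructed care-team table: patient -> users with a documented treatment relationship.
CARE_TEAM = {
    "P1001": {"pt.anand"},
    "P1002": {"pt.baker"},
    "P1003": {"pt.baker"},
    "P1004": {"pt.anand"},
    "P1005": {"pt.anand"},
}

# Actions that touch diagnostic, treatment and care information. Demographic and
# booking actions (registration information) are logged but not checked here.
CLINICAL_ACTIONS = {"view_chart", "update_chart", "export_chart", "print_chart"}


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_unauthorized_access(events, care_team):
    """Clinical actions by a user who is not on that patient's care team."""
    return [
        e for e in events
        if e["action"] in CLINICAL_ACTIONS
        and e["user"] not in care_team.get(e["patient_id"], set())
    ]


def find_bulk_access(events, window=timedelta(minutes=10), threshold=5):
    """Users who open at least `threshold` distinct charts within any `window`.

    Returns {user: largest number of distinct patients seen in one window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in CLINICAL_ACTIONS:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient_id"] for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def audit(text, care_team):
    """Run both checks over a raw log and return findings for review."""
    events = parse_log(text)
    return {
        "unauthorized": [
            (e["ts"].isoformat(), e["user"], e["patient_id"], e["action"])
            for e in find_unauthorized_access(events, care_team)
        ],
        "bulk_access": find_bulk_access(events),
    }


if __name__ == "__main__":
    for key, value in audit(AUDIT_LOG, CARE_TEAM).items():
        print(key, value)
```

On the sample data the check flags pt.baker’s single view of a chart outside their care team and every chart opened by the IT contractor, and separately flags the contractor for opening five distinct charts in a few minutes. A care-team table such as CARE_TEAM is the piece most clinics lack; without it, an audit system can only report volume, not whether an access had an authorized purpose under the Act.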
8. We collect patient email addresses as part of our new patient intake practices. Is there anything I can’t send to a patient via email?
Emailing information creates privacy risks due to the potential for misdirection or unauthorized access to the information. Use of a patient email address, for purposes authorized under the HIA, such as provision of care (sending appointment reminders, client information materials, or home exercise programs) is permitted; however, physiotherapists must protect the information transmitted electronically.
If you are sending patient-specific information via email it is recommended that:
- You confirm you have the correct email address
- Send the least information necessary
- Password protect and encrypt health information
The HIA categorizes client email addresses as registration information (a subset of health information) and prohibits the use of health information (both diagnostic, treatment and care information AND registration information) for marketing purposes.
Prior to using the client’s email to send a clinic newsletter or similar marketing communications, the custodian must obtain express consent, in the format prescribed by the HIA.
9. We have recently had some thefts at our clinic and are considering installing a surveillance camera. Are there any rules I need to comply with?
Video surveillance is subject to privacy legislation. If you implement a surveillance camera, you need to inform those accessing your premises that video surveillance is occurring. You must also limit the use and viewing range of cameras. Some areas within a physiotherapy practice must not be filmed (i.e., change rooms and treatment spaces).
Visit the Office of the Information and Privacy Commissioner’s website for more guidelines on video surveillance in the private sector.
10. I work for a school board. How does the designation of physiotherapists as custodians under the HIA apply to me?
School boards and other public bodies, as that term is defined in the Protection of Privacy Act (POPA), are subject to POPA. However, Section 4 of the HIA states: “If a provision of this Act is inconsistent or in conflict with a provision of another Act or of a regulation, the provision of this Act prevails unless
(a) another Act, or
(b) a regulation under this Act
expressly provides that the other Act or regulation, or a provision of it, prevails despite this Act.”
POPA does not include wording that indicates that it prevails over the HIA.
If a physiotherapist provides health services for a public body, the health information they collect, use, and disclose in relation to the health service is subject to the HIA.
Section 3.1 of the HIR identifies services that are not considered to be health services under the HIA. If a client’s information is used in the delivery of a service identified in Section 3.1, it would be subject to the provisions of another piece of privacy legislation, in this case POPA.
11. In the past the college talked about PTs being custodians of private information, now you’re saying a person is only a custodian if designated under the HIA. Which is it?
In the past the College made a distinction between individuals who had custody of client private information subject to the provisions of the Personal Information Protection Act and those who had been designated as custodians under the HIA.
In both cases the person who had custody and control of the client’s information had responsibility to protect the information, and to collect, use, disclose, and destroy that information securely. However, the source of the legislated duties varied.
Prior to being designated as custodians under the HIA, physiotherapists were only ever in the position of having custody and control of private information in the context of private practice subject to the provisions of PIPA. With the change to being designated as custodians under the HIA, physiotherapists may be either custodians or affiliates to custodians under the HIA. PIPA no longer applies to the health information collected, used, or disclosed by physiotherapists in the provision of health services.
12. Earlier you said, “Information can be kept only as long as necessary to fulfill that purpose.” If that’s the case, why are we directed to retain records for 10 years, or longer in the case of a client who is a minor?
The retention period is established in the Standards of Practice and reflects the period of time that a client has to bring forward a civil suit in the event of an adverse event or conflict with their physiotherapist. The College directs the retention of the record for this period to ensure that documentation from the time of the client’s physiotherapy service is available as evidence if required.
Given that the College has established the retention period, the physiotherapist who retains the record for the specified period of time is retaining information consistent with the requirements of the HIA.
13. My colleague and business partner and I are both custodians. We share an electronic health record and were told that we have specific responsibilities because we share health information. Is that correct?
The concepts of “shared health information” and “sharing custodians” have been introduced to address group practice scenarios involving multiple custodians.
“Shared Health Information” occurs when more than one custodian has custody of the same electronic health information, as in the case where multiple custodians share a single electronic medical record.
The expectation is that if you work in a group practice setting where multiple custodians share health information, the custodians involved (referred to as “sharing custodians”) will fulfill specific requirements related to that shared health information and practice arrangement. These requirements include
- Completing a PIA
- Establishing common policies and procedures that fulfill the requirements of the HIA
- Defining roles and responsibilities related to shared custody of health information
Additional information about these concepts and detailed requirements will be available on the Government of Alberta website in late June 2026.
14. Can I accept verbal consent from a client to disclose health information to a third party where there is no legislated authorization to disclose the information without consent?
Recent amendments to the HIA mean that custodians may now accept consent for disclosure of health information verbally. A custodian only needs to obtain consent when disclosure is not authorized under the Act. Physiotherapy scenarios where this would be relevant include disclosure of health information to a lawyer or insurance company.
If accepting verbal consent for disclosure of health information, the custodian must:
- Ensure that the consent includes the information specified in Section 34(2)(a)-(f) of the Act
- Document that the required information was provided, that the individual understood the risks and benefits of the disclosure, and that the individual authorized the disclosure
If they are considering accepting verbal consent for disclosures, a custodian must include verbal consent provisions as part of their privacy management program. The privacy management program must include:
- The purposes for which verbal consent for disclosure can be sought
- The requirement to verify the identity of the individual
- A description of how the individual’s identity will be verified using verification methods that are reliable
- Provisions for the retention of verbal consent documentation for 10 years
There are instances where health information is not subject to the HIA. The provisions of the HIA apply to diagnostic, treatment and care information about a health service provided to an individual (HIA 1(1)(i)). However, the HIR establishes services which are excluded from the HIA definition of a health service. The complete list of exclusions is found in Section 3.1 of the HIR; many would not typically apply to physiotherapy practice.
Examples of services excluded from the HIA definition of a health service include the “review, interpretation or assessment by a health services provider of:
- results from a drug or alcohol test performed on a bodily substance from an individual, but only to the extent necessary or reasonably required to determine the individual’s fitness to work, OR
- results from a medical or health assessment of an individual, but only to the extent necessary or reasonably required to determine the individual’s fitness to work;”
Information related to a service identified under Section 3.1 of the HIR is not subject to the HIA. Its use for an excluded purpose would be subject to another Act.
For greater clarity, a client’s health information may be collected and used for an authorized purpose under the HIA, such as the provision of health services, but when used for an excluded purpose, (such as determining the person’s fitness to work), that same information would be subject to the provisions of another piece of privacy legislation rather than the HIA.
For example, if a public body was using a person’s health information to determine their fitness to work, that use of health information would be subject to the provisions of POPA. In this scenario, although the internal documents and decisions about return to work are subject to POPA, the health information collected by physiotherapists for the purpose of providing treatment is subject to the provisions of the HIA.
Physiotherapists who employ others in the private sector are advised that the employee information they collect and use for the purpose of managing employment or volunteer relationships, including financial and performance records, is subject to the Personal Information Protection Act (PIPA).
If the physiotherapist collects, uses, stores and discloses information governed by PIPA, POPA or the Access to Information Act (AIA) within their practice, they are expected to have operational policies and procedures in place that address how this information will be collected, secured, used, and disclosed, and those policies must be consistent with the requirements of the relevant legislation.
Following the declaration of physiotherapists as custodians under the HIA, PIPA applies to physiotherapy practice in limited circumstances.
When Does PIPA Apply to Health Information?
PIPA applies when a physiotherapist working in the private sector is providing services excluded from the definition of a health service under the HIA.
Consent under PIPA
PIPA is consent-based legislation. Consent is required for the collection, use and disclosure of personal information unless a specific exception applies; however, the Act does not specify the form of consent required (verbal versus written). Under PIPA, you must have reasonable purposes for the collection, use or disclosure of personal information, and you must limit the amount of information to what is reasonable to meet the intended purposes.
When Does PIPA Apply to Employee Information?
PIPA applies in the private sector to personal employee information which the legislation defines as:
“… in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of
(i) establishing, managing or terminating an employment or volunteer-work relationship, or
(ii) managing a post-employment or post-volunteer-work relationship
between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship.”
PIPA includes specific rules for the collection, use, and disclosure of personal employee information. The general rule is that the information can be collected, used, or disclosed by an organization without the consent of an individual if the individual is or was an employee or volunteer of the organization and:
- The collection, use, or disclosure is reasonable for the purpose for which it was collected, used, or disclosed.
- For current employees or current volunteers, the personal employee information includes only personal information related to establishing, managing, or terminating that individual’s employment or volunteer relationship.
- For former employees or former volunteers, the personal employee information includes only information related to managing the post-employment or post-volunteer relationship.
- For current employees or current volunteers, before collecting, using, or disclosing the information, employees and volunteers are notified of the collection, use and disclosure and its purpose.
Access to employees’ personal information
The rules regarding access to information also apply to employee information. Therefore, advise employees that they can access their information in the practice’s custody/control.
Together, POPA and AIA establish the rules for collecting, using, disclosing, and accessing information or records in the possession of a “public body” defined as:
- Alberta government department, branch, or office
- Agency, board, commission, corporation, office, or other body designated as a public body in the regulations (e.g., WCB)
- Local public body (e.g., educational body, health-care body, or local government such as a municipality or a municipal board)
When do POPA and AIA apply?
Although POPA and AIA apply to the records in the public body’s custody/control, they do not apply to health information as defined in the HIA (POPA, Section 3(2)), except for the use of health information for purposes that are excluded from the definition of a health service under the HIA.
POPA and AIA may also apply to the handling of employee information by a public body (e.g., employment records of a staff member working on a hospital unit will be subject to POPA).
Consent under POPA and AIA
Physiotherapists working for public bodies to which POPA and AIA apply are directed to the public body’s Privacy Officer to understand consent requirements that apply to the collection, use, and disclosure of information under these Acts.
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes the rules for the collection, use, disclosure of, and access to personal information during the course of “commercial activities.” Personal information is broadly defined as “information about an identifiable individual” but does not include the name, title or business address or telephone number of an employee of an organization.
When does PIPEDA apply?
PIPEDA applies to Alberta physiotherapists in limited circumstances, when information collected, used, and disclosed by physiotherapists is transmitted across provincial borders (e.g., when delivering cross-border physiotherapy services, or communicating with a third-party insurer in another province).
Consent under PIPEDA
PIPEDA requires that consent be obtained for the collection, use and disclosure of personal information, unless a specific exception applies such as relating to the collection of a debt. The collection, use or disclosure of personal information should be limited to purposes that a reasonable person would consider appropriate in the circumstances.
Under PIPA, an organization must, without reasonable delay, report a privacy breach of private information governed by PIPA, where “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”
The Office of the Information and Privacy Commissioner of Alberta must also be notified if a breach of information governed by PIPA or POPA occurs. If a breach of information governed by PIPEDA occurs, custodians are required to notify the Office of the Privacy Commissioner of Canada and the individual(s) affected if the breach of personal information involves a real risk of significant harm.
- Personal Information Protection Act (PIPA) - legislation, additional information and resources are available at www.servicealberta.ca/pipa
- Protection of Privacy Act (POPA) - additional information about the Act is available from the Government of Alberta website
- Access to Information Act (AIA) - additional information about the Act is available from the Government of Alberta website
- Personal Information Protection and Electronic Documents Act (PIPEDA) - legislation and awareness tools (questions and answers, glossary, poster, and brochures) are available at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
- Service Alberta PIPA Help Desk 780.427.5848 (for toll-free dial 310.0000 first)
- Office of the Information and Privacy Commissioner of Alberta 780.422.6860 or 1.888.878.4044
- Office of the Privacy Commissioner of Canada 1.800.282.1376
Sample information inventory (information collected, purposes for collection and use, and parties to whom it may be disclosed):

| Information collected | Purpose of collection/use | Disclosed to |
|---|---|---|
| Contact: Name; Home contact information; Emergency contact person; Email address; Other | Open/update patient files; Invoice patients for services; Send patient appointment reminders; Send patient care information (e.g., home exercise program); Other | Other health-care providers; WCB; Third-party insurers; Other |
| Health: Gender; Birth date/age; Health history; Previous trauma/accidents; Family health history; Test/examination results; Other health provider charts; Prognosis or opinions; Objective findings; Subjective complaints; Treatment history; Discharge summary; Other | Conduct assessments; Provide physiotherapy treatment; Prepare opinions; Other | Other health-care providers; WCB; Alberta Health Services; College of Physiotherapists of Alberta (on request); Insurers or third-party health benefit providers; Lawyers; Other |
| Financial: Employer; ID# (e.g., driver’s license); Credit card; Bank account details; Third-party insurance; WCB Claim Number; Other | Facilitate payment for services; Other | Third-party insurers; Accountant; Revenue Canada; Credit card company; Other |
Step 1: Request Received
- Confirm HIA applies (i.e., the information does not relate to a service identified in Section 3.1 of the HIR)
Step 2: Who’s Asking
- Patient: the patient has a right of access to their health information.
- Lawyer or other party acting on patient’s behalf: a client can give any other person written authorization to act on the client’s behalf. If a lawyer or third party has written authorization from the client to act on the client’s behalf, they are treated as if the client had made the request directly to the custodian.
- Authorized custodian or affiliate of an authorized custodian, acting in their role as affiliate: if the custodian or their affiliate is requesting access to client information for an authorized purpose under the Act, the information can be provided to them.
- Third Party Payer: release of information is subject to the client’s consent. The consent must fulfill the requirements specified in section 34(2) of the Act.
Step 3: Fee Estimate
The custodian may only charge “for the cost of producing the copy.” The custodian must provide an estimate of the fee before producing the chart copy. Per the Health Information Regulation permitted fees include:
- Basic fee: $25, covering file preparation, clarifying the request, obtaining consent, retrieving the record, preparing the record, AND photocopying the record.
- Photocopies and computer printouts: $0.25/page, chargeable only once the cost of photocopying the chart at $0.25/page exceeds $5 (i.e., the first 20 pages are covered by the basic fee; pages 21 onward are charged at $0.25/page).
- Producing a record from an electronic record:
  - Computer processing: actual costs
  - Computer report generation: $10 per quarter hour
Step 4: Response Timelines
The custodian must respond to the request within 30 days of receiving it.