What is an Information Manager?
According to Section 66(1) of the HIA, an ““information manager” means a person or body that
(a) processes, stores, retrieves or disposes of health information,
(b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information, or
(c) provides information management or information technology services in a manner that requires the use of health information
but does not include an individual employed by a custodian who performs any of the functions listed in clauses (a) to (c).”
Common examples of information managers relevant to physiotherapy practice include EMR providers, AI scribe systems, virtual care platforms, and organizations hired to store and manage paper records on behalf of a physiotherapist.
Is an Information Manager a custodian of health information?
According to Section 1(a)(iv) of the HIA, an information manager is designated as an affiliate to the custodian of the health information. The information manager is not a custodian in their own right. If you are acting in the role of custodian under the HIA and you choose to hire a third-party to store, retrieve, transform, or dispose of health information; or to provide IT services that require the use of health information, that third-party provider is your affiliate.
Custodians are responsible for the actions of their affiliates. This means that you are responsible to ensure that the information manager is adhering to the requirements of the Health Information Act, and your HIA compliant policies and procedures.
You need to ensure that any contract you enter with a third-party provider for information management or information technology services enables you to monitor their actions and to impose requirements to ensure that they (and you) are in compliance with the HIA.
When do I need an Information Manager Agreement?
You need to have an Information Manager Agreement in place any time another party is contracted to provide services where that other party has access to health information (both registration information and diagnostic, treatment and care information). Examples include:
- Companies that provide offsite (paper) health record storage
- Companies that provide document scanning services (i.e., transforming paper records into digital format)
- EMR providers
- AI scribe tool providers
- Virtual care platforms
- IT service provider, for example, if they support backups or help restore data and as a result need to view/access health information
What must be included in an Information Manager Agreement?
Section 7.2 of the Health Information Regulation describes requirements for Information Manager Agreements. Form 09: Information Manager Agreement Checklist in the Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians includes a checklist of content that must be included in these agreements.
What do I need to consider when working with large providers of information management or information technology services, (e.g., a national or multinational EMR provider)?
This might be challenging, as the larger the provider the more likely they are to provide contracts for services on a "take it or leave it" basis. However, that does not alter your responsibilities as a custodian under the HIA. If a third-party provider is not willing to comply with the requirements of the HIA, physiotherapist custodians will be required to find alternate providers who will.
Key things to keep in mind when working with larger providers include
- Information Manager Agreements must refer to the correct legislation. It is Alberta’s Health Information Act that you are subject to, and it is that piece of legislation that will govern the information that the third-party provider has access to.
- If the information manager’s servers are located outside of Alberta, health information will be transmitted across borders for processing or storage. The health information may be subject to legislation in addition to the HIA, for example the Personal Information Protection and Electronic Documents Act, and privacy legislation in effect in the jurisdiction where the server is located.
- Information Manager Agreements need to address the requirements of Section 8(4) of the Health Information Regulation when health information is to be stored or used outside of Alberta.
- Custodians are expected to be able to monitor the Information Manager’s compliance with the agreement. The Custodian will need to review the Information Manager Agreement and confirm that they can audit the Information Manager’s actions and their compliance with the legislation and the custodian’s policies and procedures.
What other resources are available to help with the development of IMAs?
- Health Information Act, Section 66
- Health Information Regulation, Sections 7.2 and 8
- Health Information Act Policies and Procedures for Alberta Physiotherapist Custodians
The College strongly encourages physiotherapists to seek independent legal counsel when developing or entering Information Manager Agreements, to ensure that they are fulfilling their legislated responsibilities.
