Alberta HIA Privacy Impact Assessment walkthrough for therapists submitting to the OIPC under section 64

Alberta HIA privacy impact assessment walkthrough

Gabriel Borges 12 min read

You bought Google Workspace, connected your calendar, started emailing clients, and got to work. Reasonable. It’s what most Alberta therapists do. There’s a step Alberta’s Health Information Act requires before a system like that goes live for health information: a privacy impact assessment, submitted to the regulator. The catch is who owes it. The duty falls on HIA custodians, and most therapists in private practice aren’t custodians.

That’s worth getting precise. The PIA requirement is the single biggest thing that separates Alberta’s regime from Ontario’s, but it binds designated custodians (physicians, nurses, pharmacists and others), not a psychologist or counselling therapist running their own practice under Alberta PIPA. This walkthrough covers what a PIA is, who HIA s.64 actually binds, when it reaches your work anyway, and how to complete and submit one when it does (or build one voluntarily when it doesn’t).

This is the deep dive on one piece of Alberta compliance. For the wider picture of what HIA asks of therapist email, start with Alberta’s Health Information Act: what therapists need to know about email.

What is a privacy impact assessment under HIA?

A privacy impact assessment is a written analysis of how a system or practice that handles health information affects the privacy of the people that information belongs to. You describe the system, map where the data flows, document your safeguards, name the risks, and explain how you’ve addressed them.

Under HIA, it’s not an internal exercise you keep in a drawer. According to the Office of the Information and Privacy Commissioner of Alberta (OIPC), s.64 requires custodians to submit the PIA to the Commissioner for review and comment before implementing a new administrative practice or information system, or a change to an existing one, that collects, uses, or discloses individually identifying health information.

Read that again, because two words carry the weight: submit, and before.

In Ontario, the IPC recommends a PIA but doesn’t require anyone to file it. In Alberta, the custodian sends it to the OIPC, and does it before the system handles real client information, not after.

Does the PIA requirement actually apply to a solo therapy practice?

Usually not, and the reason matters.

Custodian status under HIA s.1(1)(f) comes from a defined list: named entities (Alberta Health Services, hospital operators and others) plus the professions designated in the Health Information Regulation: physicians, registered nurses, pharmacists, dentists, chiropractors and other designated providers. Psychologists, counselling therapists and social workers are not designated. A psychologist registered with the College of Alberta Psychologists (CAP) running a private practice answers to Alberta PIPA, which imposes no PIA submission duty.

The s.64 duty reaches your work in two situations. First, inside a custodian organization (a clinic with physicians, a hospital, AHS): the custodian owes the PIA for systems you use there, and as an affiliate your practices belong inside it. Second, if a custodian engages you or your tooling in a way that touches their health information systems, their PIA has to account for it.

The trigger, where the duty exists, is the system, not the patient volume. Adopting Gmail for client email is a new information system that handles health information. Switching email providers is a change to one. Both fall inside what s.64 describes.

Worth a clear note on scope: Alberta has named a college to regulate counselling therapists, and that regulation has been slow to arrive. When it lands, it changes college oversight; it does not put counselling therapists on the custodian list. For where the college standards sit today, see CAP practice standards for Alberta therapists: email and digital communication.

So why keep reading? Because a voluntary PIA is still the best documentation a private practice can hold. It’s the same analysis the OIPC asks custodians for, it answers the safeguard questions Alberta PIPA does ask of you, and if your situation ever shifts into custodian territory, the work is done.

How a PIA differs from the Ontario approach

If your mental model of compliance comes from PHIPA, the PIA is the place that model breaks. Three differences matter.

Submission is mandatory for custodians. The OIPC expects to receive a custodian’s PIA. In a custodian setting this is the part with the clearest regulatory exposure if it’s missing.

Submission comes before go live. Section 64(2) requires the PIA to reach the OIPC before the system handles health information. The Commissioner’s comments aren’t a legal precondition (since October 2024 a review ends in a closing letter rather than an acceptance), but a PIA filed after the system has been emailing clients for two years isn’t doing the job s.64 asks of it.

Accountability stays with the custodian. A consultant can draft the PIA, but per the OIPC’s guidance, the custodian remains accountable for everything in it. They sign it. They own it.

None of this requires deep technical skill. A PIA is mostly careful documentation of decisions you’ve already made, plus the honesty to name the gaps you haven’t closed.

The walkthrough: completing your HIA PIA step by step

What follows is the structure of a PIA for a therapist using email. It’s a walkthrough of the thinking, not a substitute for the OIPC’s own template, which you should pull from the OIPC website before you start. If you want a copy and paste Alberta addendum that maps these sections to a Google Workspace deployment, use the Alberta HIA PIA addendum template.

Step 1: Confirm the PIA applies to you

Start by confirming whether the duty reaches you. Write one sentence that matches your situation. Custodian setting: “The practice is a custodian under HIA s.1(1)(f), adopting [system] to handle individually identifying health information by email, a new information system under HIA s.64.” Private practice: “The practice falls under Alberta PIPA; this PIA is voluntary documentation of the safeguards for [system].”

Whichever sentence is truthfully yours, write it at the top and move on.

Step 2: Scope the system and name the trigger

Define the boundary of what you’re assessing. For most solo therapists this is the email system and its immediate surroundings: Gmail, the account that sends and receives client email, any encryption layer, and the storage behind it.

Then name the trigger plainly. New system? A change to an existing one? Adopting Google Workspace for the first time is a new system. Adding an encryption tool to a Gmail setup you already use is a change. Either way, s.64 is in play. Write it down.

Step 3: Describe the information flow

This is the part the OIPC reads most carefully, so give it real attention. Trace a single client email from creation to disposal:

  • What health information goes into it
  • Who sends it and who receives it
  • Where the message content is stored, and on whose servers
  • Which third parties touch it on the way (your email provider, any encryption or routing layer)
  • Whether, and where, the data leaves Canada

That last point deserves candor. Gmail message content sits on Google’s global infrastructure, and Google doesn’t offer a Canada only data region for Gmail message bodies. State that in the flow. A PIA that hides cross border movement is weaker than one that discloses it and then shows the safeguards applied on top.

Step 4: Map your safeguards against HIA requirements

Section 60 of the HIA requires custodians to take reasonable steps to protect health information with administrative, technical, and physical safeguards, in accordance with the Health Information Regulation. For an email system, document each category against what you actually have:

  • Encryption in transit: how outbound email is encrypted, and whether it depends on the recipient's server cooperating (opportunistic TLS) or is enforced
  • Encryption at rest: how stored email containing health information is protected
  • Access controls: who can read the account, and the authentication on it (two-step verification at minimum)
  • Audit record: whether you can show what health information was sent, to whom, and when
  • Administrative: your written policies for consent, retention, breach response, and staff training if you have staff

Name the gaps. Default Gmail uses opportunistic TLS, which encrypts the hop to the recipient's server only when that server offers it, so the message may travel in the clear without anyone noticing; and standard storage doesn't give you per message encryption that keeps the provider out of the content. Those are real gaps. A credible PIA states them and pairs each with a mitigation.

Step 5: Document consent, retention, and information manager agreements

Three pieces here.

Consent: how you obtain and record each client’s authorization to communicate health information by email, including that they understand the risks and can withdraw consent.

Retention: your retention period and disposition plan. CAP’s Standards of Practice set a 10 year minimum from last contact for psychologists, with a longer clock for minors. Email forming part of the clinical record falls under that. Secure disposition means permanent deletion, including backups, not a trip to the trash folder.

Information manager agreements: where a custodian uses a vendor as an information manager, HIA s.66 requires a written agreement, and Health Information Regulation s.7.2 sets its required contents (objectives and principles, permitted collection, use and disclosure with purposes, access and correction handling, safeguards, and related terms). Breach notice obligations come separately, from HIA s.60.1. Attach the agreement.

Step 6: Complete the risk analysis and mitigations

List the residual risks and the specific mitigation for each. For a Gmail based practice, the usual entries are message content stored outside Canada, opportunistic encryption, and Workspace AI features that could process client email. For each, write the concrete mitigation: the setting you turned off, the encryption you enforced, the recipient verification you added, the agreement you signed.

Specificity is the whole game in this section. “We take privacy seriously” tells the OIPC nothing. “We enforce TLS on outbound mail and fall back to a secured portal when TLS to the recipient can’t be verified” tells them exactly what you did.
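The mitigation quoted above (enforce TLS, fall back to a portal when TLS to the recipient can't be verified) and the "Encryption in transit" and "Audit record" rows of Step 4 can be made concrete in code. What follows is an added example written for this walkthrough; it is not code from the article, from Google Workspace, or from Curio. It assumes the practice runs its own pre-send check: it parses the recipient domain's MTA-STS policy (RFC 8461, one way to make "TLS can be verified" mean more than opportunistic STARTTLS), checks the EHLO reply for STARTTLS, decides between SMTP over TLS and a portal, and emits one JSON line for the audit record. The domain names, policy text and EHLO replies are constructed sample data, and `require_mta_sts` is a local policy switch of this example, not anything HIA prescribes.

```python
"""Pre-send recipient TLS verification plus an audit line (Step 4 and Step 6 mitigations).
Added example for this walkthrough, not code from the article, Google Workspace or Curio.
MTA-STS (RFC 8461) is one way to verify TLS to a recipient; `require_mta_sts` is a local choice."""
import json
import smtplib
import ssl
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: no real clinic, domain or server.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.clinic.example\nmx: *.backup.example\nmax_age: 604800\n"
SAMPLE_EHLO_OK = b"mail.clinic.example\nSIZE 52428800\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_NO_TLS = b"mx.legacy.example\nSIZE 10240000\n8BITMIME"


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key: value body of an MTA-STS policy. 'mx' repeats and is collected
    into a list; unknown keys are kept, as RFC 8461 asks senders to tolerate them."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"policy is missing {required}")
    if policy["version"] != "STSv1" or policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError("unsupported MTA-STS version or mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches_policy(mx_host: str, policy_mx: list) -> bool:
    """An 'mx' entry is an exact hostname or a '*.example' wildcard matching one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy_mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".backup.example"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == pattern:
            return True
    return False


def ehlo_advertises_starttls(ehlo_response: bytes) -> bool:
    """True if the EHLO reply (the bytes smtplib.SMTP.ehlo() returns) lists STARTTLS."""
    return any(l.strip().upper().startswith(b"STARTTLS") for l in ehlo_response.splitlines())


@dataclass
class TransportDecision:
    recipient_domain: str
    mx_host: str
    transport: str   # "smtp_tls" or "portal"
    reason: str
    checked_at: str  # UTC; with a message id this is the audit record entry


def decide_transport(domain: str, mx_host: str, starttls: bool, policy: Optional[dict],
                     require_mta_sts: bool = True) -> TransportDecision:
    """Use SMTP over TLS only when TLS to the recipient is verifiable; otherwise route the
    message to a portal. Opportunistic STARTTLS on its own can be stripped in transit."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")

    def decision(transport: str, reason: str) -> TransportDecision:
        return TransportDecision(domain, mx_host, transport, reason, now)

    if not starttls:
        return decision("portal", "MX does not advertise STARTTLS")
    if policy is None:
        if require_mta_sts:
            return decision("portal", "STARTTLS is opportunistic only: no MTA-STS policy to verify")
        return decision("smtp_tls", "opportunistic STARTTLS accepted by local policy")
    if policy["mode"] != "enforce":
        return decision("portal", f"MTA-STS mode is {policy['mode']!r}, not enforce")
    if not mx_matches_policy(mx_host, policy["mx"]):
        return decision("portal", "MX host not listed in MTA-STS policy (possible MX tampering)")
    return decision("smtp_tls", "STARTTLS advertised and MX matches MTA-STS enforce policy")


def audit_line(decision: TransportDecision) -> str:
    """One JSON line per send attempt, for the Step 4 audit record."""
    return json.dumps(asdict(decision), sort_keys=True)


def live_tls_check(mx_host: str, timeout: float = 10.0) -> bool:
    """Network call, not used offline: confirm the MX offers STARTTLS and presents a
    certificate that validates for its own name, which is what enforce mode relies on."""
    try:
        with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
            code, response = smtp.ehlo()
            if code != 250 or not ehlo_advertises_starttls(response):
                return False
            smtp.starttls(context=ssl.create_default_context())  # checks chain and hostname
            return True
    except (smtplib.SMTPException, ssl.SSLError, OSError):
        return False
```

Two pieces a production sender adds that this example leaves out: discovering the policy (the `_mta-sts.<domain>` TXT record and the HTTPS fetch of `/.well-known/mta-sts.txt`, cached for `max_age` seconds) and the portal itself. The point for the PIA is the shape of the decision: a recipient without a verifiable TLS path is routed to the portal rather than sent opportunistically, and every decision leaves a line you can produce when asked who was emailed, when, and over what transport.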

Step 7: Submit to the OIPC before go live (custodian settings)

Submit the completed PIA to the OIPC before the system handles real client health information; that timing is what s.64(2) requires. Comments aren’t a precondition to proceed, and since October 2024 a review ends in a closing letter rather than an acceptance, but build in review time. Confirm the current submission method on the OIPC website first. The OIPC has updated its PIA process and forms more than once, so verify the active route at the time you submit rather than relying on a link from an old guide.

If a custodian system has been running without a submitted PIA, the honest move is to prepare one now and submit it, noting the system is in use. Late is a better position than never. In private practice, this step becomes: date the document, keep it with your policies, and revisit it when the system changes.

A quick companion: the email side of the checklist

A full PIA covers your whole practice. If you want a faster, email specific pass before you sit down to the PIA itself, work through the HIA email checklist for Alberta therapists. It’s a task by task companion to this walkthrough that flags the email gaps a PIA will ask you about, so you walk in with answers instead of blanks.

Where this fits across provinces

Alberta’s mandatory, submitted PIA is the outlier. Ontario’s PHIPA and BC’s PIPA both expect reasonable safeguards, but neither makes you file a PIA with the regulator the way HIA s.64 does. If you see clients across provincial lines, the safe approach is to meet the strictest applicable requirement on each dimension, which for the PIA means completing and submitting one wherever a provincial regime requires it.

For the side by side comparison of PHIPA, HIA, and BC PIPA, see the PHIPA vs HIA vs BC PIPA therapist guide.

What a PIA doesn’t fix

A submitted, well written PIA puts you in a defensible position with the OIPC. It documents your decisions, names your risks, and shows your safeguards. It does not, on its own, change what your email actually does.

If your PIA names opportunistic encryption and a missing audit trail as risks, those gaps are still there after you submit. The PIA describes them honestly; it doesn’t close them. Closing them is a separate decision about your tooling.

You also can’t PIA your way out of a system that genuinely can’t meet the safeguard standard for sensitive health information. If the analysis shows the residual risk is too high, the answer is to change the system, not to write a more reassuring assessment.

And to be direct about the limits of this guide: this is educational, not legal advice. A PIA submitted to a regulator is a document you’re accountable for. If your situation is complex, or if you’re unsure whether your safeguards meet the standard, have a privacy professional review it before you submit.

Closing the encryption and audit gaps is where infrastructure comes in. Curio encrypts outbound client email in line with Canadian mental health privacy law and logs every send in a Canadian audit trail, so the technical safeguards your PIA describes are real rather than aspirational. The compliance engine and audit trail run on Canadian servers in Montreal and Toronto. The PIA still belongs to you; Curio gives Steps 4 and 6 something concrete to point at.

Join the waitlist.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with the OIPC of Alberta and your regulatory college before submitting a privacy impact assessment.
