Information Management Agreements
The Faculty of Medicine & Dentistry (FoMD) will be implementing an Information Management Agreement (IMA) for those physician and dentist members who need to be compliant with the Province of Alberta Health Information Act(HIA). If you are a member of the FoMD, you will need to sign an IMA under any of the three circumstances below in which the University of Alberta/FoMD acts as an information manager for you:
-
Employees of the U of A/FoMD manage patient identifiable health information for you.
-
Your patients' identifiable health information is physically stored within a U of A building.
-
Your patients' identifiable health information is stored or managed electronically by the FoMD's MedIT or the U of A Information Services and Technology (IST).
Section 66 of the HIA requires, when needed, a custodian of health information to enter into a written information management agreement with another custodian, or a third party who provides information management services:
(1) An "information manager" means a person or body that
(a) processes, stores, retrieves or disposes of health information,
(b) in accordance with the regulations, strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information, or(c) provides information management or information technology services.
(2) A custodian must enter into a written agreement with an information manager in accordance with the regulations for the provision of any or all of the services described in subsection (1).
Even though section 66 further outlines the role(s) of Custodian and Information Managers, it emphasizes that the Custodian is ultimately responsible for compliance with the HIA.
(3) A custodian that has entered into an agreement with an information manager may provide health information to the information manager without the consent of the individuals who are the subjects of the information for the purposes authorized by the agreement.
(4) An information manager to which information is provided pursuant to subsection (3) may use or disclose that information only for the purposes authorized by the agreement.
(5) An information manager must comply with (a) this Act and the regulations, and (b) the agreement entered into with a custodian in respect of information provided to it pursuant to subsection (3).
(6) Despite subsection (5)(a), a custodian continues to be responsible for compliance with this Act and the regulations in respect of the information provided by the custodian to the information manager.
(7) A custodian that is an information manager for another custodian does not become a custodian of the health information provided to it in its capacity as an information manager, but nothing in this section prevents the custodian from otherwise collecting, using or disclosing that same health information in accordance with this Act.
The Office of the Information and Privacy Commissioner of Alberta provides useful tips on IMAs, and also highlights that if an IMA is needed with a third party outside of province, all aspects of security and privacy requirements as specified within the Alberta HIA must still be met.
The Alberta Medical Association provides both generic and vendor IMA templates which can be downloaded from the website.
For more information about custodians and affiliates, see GetHIP! February 2019: Am I a Custodian or an Affiliate? It's Confusing!
Stay tuned for the next issue of Get HIP! for information on data and information sharing agreements.
To check out other tips on health information privacy, click to access past issues of Get HIP!
References/Resources
- Alberta Health Information Act
- Alberta Medical Association: What you need to know about privacy agreements
- OIPC Health Information, A Personal Matter: A practical guide to the Health Information Act