Privacy & Security

Protecting the privacy of Albertans’ is a shared responsibility; we all have a role to play to ensure that health information remains safe.

Privacy: Individuals have the right to the privacy and protection of their personal health information. The Health Information Act requires custodians and affiliates to only collect, use and disclose health information in the most limited manner, with the highest degree of anonymity possible and on a need-to-know basis.     

Security: A number of security safeguards are in place to protect patient information and information systems from unauthorized access, use, disclosure, modification or destruction. These include access controls, audit logs, encryption and monitoring of use. The security controls used to protect information in Alberta Netcare are based on international standards and best practices. Learn more about Alberta Netcare security controls in place by exploring the Information Security and Access Permissions expandable lists below.   

Confidentiality: Protecting confidentiality involves ensuring that only authorized health service providers can use or access a person's health information. A "trust" relationship exists between the person supplying the information and the individual or organization collecting it. Custodians have an obligation to protect health information from unauthorized disclosure (Section 60 of the Health Information Act mandates this).  

Be aware that Alberta Netcare Portal and Alberta Netcare Electronic Health Record (EHR) applications are routinely monitored and audited, and can also be audited at the request of a patient, physician or authorized custodian. By accessing Alberta Netcare, you agree to be bound by the Terms of Use and Disclaimer as noted on the Alberta Netcare Portal login page, and to comply with all legislation.     

 

Alberta's Health Information Act

The Health Information Act (HIA) establishes rules to protect the privacy of an individual's health information. It also regulates how health information can be collected, used and disclosed. When health professionals access Alberta Netcare, it is considered to be “using” health information, so they must follow the rules set out by the HIA.

View the Roles & Responsibilities in Alberta Netcare Quick Reference document to learn more on how the HIA affects you as a user in Alberta Netcare.

A training session “Health Information Act (HIA) for Alberta Netcare Users” is available for your review and can be found here.

 

Masking Your Electronic Health Record in Alberta Netcare

Alberta Netcare Masking allows patients to request that their information be "masked" in Alberta Netcare. This means that only their demographic information will be visible to ensure that the appropriate record is being accessed. It is the responsibility of an authorized custodian or their affiliates to determine if this is appropriate, or if there are unreasonable risks associated with applying a mask.

  

OIPC

The Office of the Information and Privacy Commissioner (OIPC) oversees compliance with the Health Information Act and monitors how it is administered in the health system.

For more information visit the OIPC website.

 

To learn more on Privacy & Security in Alberta Netcare visit the Alberta Netcare EHR's Privacy and Security page. You will find further information on who is allowed to access the Electronic Health Record (EHR) and Information Security within Alberta Netcare (ANP).

Privacy and Security Breaches

An information security or privacy breach occurs when there is a violation of: HIA, rules for accessing Alberta Netcare information, or security or privacy policies of the custodian. A breach can also happen if there is a failure or absence of required safeguards to prevent a loss of confidentiality, integrity or availability of information. The HIA has established fines for anyone who knowingly collects, uses, or discloses health information or who gains or attempts to gain access to health information in contravention of the HIA. Individuals who breach privacy and access rules could be subject to criminal charges, fines, and disciplinary measures within their licensing or professional organizations. The Provincial Reportable Incident Response Process (PRIRP) will be followed when reporting suspected security and privacy incidents. The PRIRP has been designed to ensure that all health stakeholders such as community custodians, AHS and health service partners are appropriately involved to respond to a suspected or real threat. All suspected breaches for Alberta Netcare must be reported using the PRIRP form in PDF (or PRIRP form in MS Word).

Contact information for questions or the reporting of breaches:

 


Information Security

A number of security safeguards are in place to make sure that only authorized users can access the EHR. These include multiple levels of access controls and encryption. The security controls used to protect information in the EHR are based on international standards and best practices.

Secure Access

Access to the EHR is provided through secure networks (such as those in Alberta Health Services Facilities) or securely over the internet using two-factor authentication. Two-factor authentication involves a password and ID to be used in conjunction with an authentication device (SecureID Remote Access Token). Both must be present for the individual to gain access.

Encryption

All electronic messages that are shared are encrypted, which means that the information is encoded to provide a high level of security.

Controls

Additional network security controls include the use of firewalls and an intrusion detection system to alert the appropriate personnel of any unusual activity.

Audit Logs

Access to Alberta Netcare is logged and audited, which ensures that the information is accessed appropriately. The Alberta Health (AH) Privacy and Security Unit will follow up if a breach is suspected.

Penalties

The HIA has established fines for anyone who knowingly collects, uses, or discloses health information or who gains or attempts to gain access to health information in contravention of the HIA. Individuals who breach privacy and inappropriately access or use health information within Alberta Netcare could be subject to criminal charges, fines of up to $100,000, and disciplinary measures within their licensing or professional organizations.

In 2021, a pharmacist received a $5,000 fine plus a $1,000 victim fine surcharge due to improperly accessing another person's medical information through the Alberta Netcare Portal in contravention of the HIA.



Access Permissions

Only authorized custodians and their affiliates may access health information in Alberta Netcare. The requirements for becoming an authorized custodian are set out in the EHR Regulation.

As part of the registration process, each custodian must complete a series of privacy and security assessments. The custodian signs an Information Manager Agreement (IMA), through which they agree to comply with the rules related to the access and use of health information in Alberta Netcare. The regulations also require a health profession's regulatory colleges to have standards of practice governing how their members manage electronic records, prior to members of that profession gaining access to Alberta Netcare and becoming an authorized custodian.


User Permission Levels

Users are only permitted to access information that is relevant to their role in the health system. This means that access permissions and other security credentials are set up so that users have information on a "need-to-know" basis. Permission levels are established at the time of new user account creation, and are to be verified periodically to ensure that the access is still appropriate for the user’s role.