Note: This article provides general information about regulatory frameworks. It does not constitute legal advice. Consult qualified legal counsel for advice specific to your situation.

First: HIPAA Is a US Law

HIPAA - the Health Insurance Portability and Accountability Act - is federal legislation of the United States of America. It applies to US-based covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. If you're a Calgary family physician seeing only Canadian patients under Alberta Health, HIPAA does not govern your practice.

This surprises some healthcare organizations, particularly smaller practices that have heard about HIPAA from US industry news, vendor documentation, or colleagues who trained in the US. The confusion is understandable. HIPAA is extensively discussed, and it's a reasonable proxy for "healthcare privacy compliance" in general. But it's not the right framework for Alberta healthcare operations.

When HIPAA Does Apply in Calgary

HIPAA becomes relevant for Calgary organizations in several scenarios:

  • Canadian companies processing data for US healthcare entities. If your Calgary health tech company provides a SaaS product to US hospitals or clinics, your customers may require HIPAA compliance as a condition of doing business with them. You'd typically be a Business Associate under HIPAA, with obligations defined in a Business Associate Agreement (BAA).
  • Healthcare organizations with US operations or patients. A Calgary clinic that also operates in the US, or a research organization that participates in US-funded studies involving patient data, may have HIPAA exposure depending on the nature of the data flows.
  • Health tech companies seeking US market access. If you're building healthcare software and planning to sell into the US market, HIPAA compliance (and ideally SOC 2 with HIPAA overlays) is essentially a market entry requirement for enterprise healthcare customers.

What the Alberta Health Information Act Actually Requires

For Alberta healthcare custodians - physicians, clinics, hospitals, pharmacists, PCNs, and other regulated health practitioners - the Alberta Health Information Act (HIA) is the primary governing statute.

The HIA defines "custodians" (those who collect and manage health information) and "affiliates" (those who act on behalf of custodians). Custodians have direct obligations; affiliates have obligations to the custodian. If you're a software vendor processing health information on behalf of an Alberta clinic, you're likely an affiliate with specific obligations under the HIA - even though the regulatory relationship looks different from a HIPAA Business Associate relationship.

Key HIA requirements from a security perspective include:

Section 60 - Safeguards: Custodians must protect health information against unauthorized access, use, disclosure, modification, and loss. The Act requires "reasonable" technical, physical, and administrative safeguards. The standard of "reasonable" is defined in practice by the Office of the Information and Privacy Commissioner of Alberta (OIPC), which has published specific guidance on technical safeguards.

Section 60.1 - Breach Notification: Custodians must notify affected individuals and the OIPC when there is a breach of health information that could "reasonably be expected to cause harm." This is a proactive obligation - you must notify, not wait to be asked.

Privacy Impact Assessments: Certain activities involving health information - particularly those involving new information systems, significant changes to existing systems, or use of cloud services - require Privacy Impact Assessments (PIAs) that must be submitted to Alberta Health.

The Cloud Storage Problem Under Alberta HIA

One of the most practically significant distinctions between HIPAA and Alberta HIA is their approach to data residency and US cloud services. HIPAA has no data residency requirement - a US covered entity can store PHI (protected health information) with US cloud providers under a BAA without geographic restriction.

Alberta HIA takes a more conservative position. The Act requires custodians to notify Alberta Health and obtain approval before storing or processing health information outside Canada. This has significant implications for cloud services, because many default configurations of Microsoft 365, Google Workspace, and AWS store data in US regions.

Microsoft 365 with Canadian Data Residency enabled stores data in Canadian Azure regions. Google Workspace has a Canadian-region option. Both require explicit configuration - they're not the default. And some services within these platforms still replicate data to US regions for certain functions. Understanding exactly what your cloud configuration does with health information requires investigation, not assumptions.
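As an added example (not from the original article), this AWS Organizations service control policy denies any API call whose target region is not one of the two Canadian regions, ca-central-1 (Montreal) and ca-west-1 (Calgary); the NotAction list of global services to exempt is an assumption you should adjust to your own account. It enforces the residency rule only for where your workloads are created, not for provider-side replication or for Microsoft 365 and Google Workspace, which still need the investigation described above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyActionsOutsideCanadianRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ca-central-1",
            "ca-west-1"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds health-information accounts, and pair it with CloudTrail review so that denied out-of-region calls are visible as evidence for your PIA.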

When You Face Both Frameworks

Calgary health tech companies selling into both Canadian and US healthcare markets commonly face obligations under both HIA and HIPAA simultaneously. Managing these dual obligations is not as complicated as it sounds - the frameworks share the same underlying logic of protecting health information with reasonable safeguards - but the specific requirements, breach notification timelines, and oversight bodies are different.

The practical approach is to identify the more stringent requirement in each area and build your program around that baseline. Alberta HIA's data residency requirements are more restrictive than HIPAA's - so designing for HIA compliance typically means your data handling also satisfies HIPAA from a residency perspective. HIPAA's Security Rule has more prescriptive technical safeguard requirements in some areas than HIA's general "reasonable" standard - so satisfying the HIPAA technical requirements typically means you satisfy HIA's safeguard requirements as well.

What Compliance Actually Requires in Practice

For a typical Calgary clinic or healthcare organization, HIA compliance from a security standpoint involves:

  • A documented risk assessment identifying threats to health information
  • Technical safeguards including access controls, audit logging, encryption at rest and in transit, and malware protection
  • Physical safeguards for locations where health information is stored or accessed
  • Administrative safeguards including workforce training, a designated privacy officer, and formal policies and procedures
  • Affiliate/Business Associate agreements with all third-party service providers who access health information
  • Documented breach response procedures and evidence that they've been tested
  • PIAs for cloud services and information systems

Lavawall® automates much of the technical evidence collection for these requirements - access logs, encryption status, patch compliance, MFA enforcement, and configuration monitoring. The administrative documentation - policies, procedures, workforce training records, PIA submissions - requires human expertise and institutional context that ThreeShield's team provides.

Not sure whether your Calgary healthcare organization needs to comply with HIA, HIPAA, or both - and what that actually requires? ThreeShield offers a free healthcare compliance scoping call.

Book a Healthcare Compliance Call