Alberta's Health Information Act (HIA) governs how health information custodians — physicians, hospitals, pharmacies, dental practices, Alberta Health Services affiliates, and their technology vendors — collect, use, and disclose health information. ThreeShield is a Calgary-based CISSP/CISA firm with direct HIA assessment experience including AHS and Alberta Government audit work. We deliver safeguard assessments, Privacy Impact Assessments, and OIPC submission support directly.
Regulated health professionals (physicians, dentists, pharmacists, optometrists, nurses, physiotherapists), facilities licensed under Alberta's Health Facilities Review Committee, regional health authorities including AHS, and Alberta Health itself. If you are a custodian, the HIA's safeguard requirements apply to every system that touches health information.
Any person or organization that handles health information on behalf of a custodian — EHR vendors, lab systems, billing companies, IT managed service providers, cloud hosting providers — is an affiliate with direct HIA obligations. Most technology vendors serving Alberta healthcare don't realize they are affiliates.
ThreeShield has served Calgary-area Primary Care Networks for over a decade and understands the specific governance, AHS affiliation, and technology environments PCNs operate within. PCN-specific compliance work is a core competency.
If your SaaS platform, application, or service will handle information about identified individuals in the context of Alberta healthcare — even if you're based in BC or Ontario — you may have Alberta HIA obligations as an affiliate before your first Alberta client signs.
Health information inventory, system boundaries, custodian/affiliate relationship mapping, PIA requirement determination.
Assessment against all required HIA safeguard categories. Lavawall® deployed. Findings documented with risk ratings.
PIA documentation completed. Priority gaps remediated. Policies and procedures written. Affiliate agreements reviewed.
Safeguard assessment report delivered. PIA in submission-ready format. Lavawall® ongoing monitoring.
The HIA requires a PIA before implementing a new information system or making a change to an existing information system that impacts privacy. If your systems haven't changed recently and you have an existing PIA, it may need to be updated to reflect current system configurations. If you've made changes without a PIA, you should conduct one retroactively — OIPC Alberta has accepted retroactive PIAs, and having one on file significantly reduces regulatory exposure.
Yes. If your company has access to or handles health information on behalf of a custodian, you are an HIA affiliate. Affiliates have direct obligations under s.65 of the HIA to comply with the custodian's privacy policies and the HIA safeguard requirements. Your service agreement with the custodian should include explicit HIA affiliate obligations. ThreeShield reviews affiliate agreements and ensures your controls meet what you've committed to.
Yes — and this is the most common combination for health tech companies serving both Alberta custodians and US covered entities. Lavawall® maps evidence to both frameworks simultaneously, and policy work overlaps significantly. A combined HIA + HIPAA engagement is more efficient than running them separately. See our HIPAA Compliance package.
ThreeShield's CISSP/CISA team delivers Alberta HIA safeguard assessments, Privacy Impact Assessments, and OIPC submission support directly. We are a Calgary-based firm with direct AHS and Alberta Government audit experience. No external partner required for HIA compliance.
Calgary-based. AHS experience. Fixed scope and timeline. No hourly billing. No minimums.