Do Alberta health authorities need PIAs under POPA?

Yes. Alberta Health Services (AHS), the provincial health authority, and other health-related public bodies are subject to POPA. Additionally, health information custodians are subject to the Health Information Act (HIA), which has its own PIA requirements under Section 64. Health authorities may need to complete PIAs under both frameworks depending on the type of information involved — personal information under POPA and health information under HIA.

Why is health data the most sensitive category?

Health information is among the most sensitive categories of personal information. The Ministerial Regulation deems certain personal information to be highly sensitive, and health data falls squarely into this category. PIAs involving health data are more likely to require OIPC submission, safeguards must be proportionately high, and the consequences of unauthorized access — whether through a breach or foreign legal process — are severe for patients.

What SaaS tools do health authorities need PIAs for?

Health authorities use a broad range of SaaS tools: electronic health record (EHR) systems, patient scheduling and registration platforms, telehealth and video conferencing (Zoom Health, Teams), clinical collaboration tools, HR and payroll systems, email and productivity suites, and research data platforms. Any tool that touches patient data, employee data, or operational data involving personal information requires a PIA.

How does the CLOUD Act affect health data?

If a health authority uses a US-parented SaaS tool to process patient data, that data is within reach of the CLOUD Act. A US legal order served on the provider can compel it to produce patient records that are in its possession, custody, or control, regardless of where the data is physically stored; Canadian hosting by itself does not remove this exposure. This conflicts directly with the duty of confidentiality that health authorities owe to patients. Note that a provider can only produce what it actually holds: data encrypted with keys the provider never has access to can be handed over only as ciphertext, which is why key custody belongs in the PIA's risk analysis. The OIPC template's Section H2, Risk 7 requires explicit documentation of this exposure.

What should health authorities do first?

Inventory every SaaS tool that processes personal or health information, recording for each one the provider's parent jurisdiction, the hosting location, and who holds the encryption keys. Prioritize tools that handle patient data: these carry the highest sensitivity and are most likely to require OIPC submission. Complete PIAs using the mandatory template, paying particular attention to Section G (service provider jurisdiction) and Section H2 (cloud computing risks, including the CLOUD Act). Consider whether Canadian-owned alternatives exist for the most sensitive use cases; a Canadian data centre operated by a US-parented provider does not by itself take the data out of CLOUD Act reach.

Auto-fill your health authority PIA template

Select your clinical, administrative, and communication tools. Our PIA Research Tool generates Sections F, G, and H2 of the mandatory OIPC template from a 753-tool database. $199.

Start PIA Research Tool →
Related guides

Alberta POPA overview → · CLOUD Act & Canadian data → · Data residency vs sovereignty → · PIA Research Tool →

Frequently asked questions

Does AHS need PIAs for every system?

Any system that collects, uses, or discloses personal information requires a PIA under POPA. For health information specifically, Section 64 of the HIA also applies. The scope is broad.

Is telehealth via Zoom CLOUD Act exposed?

Yes. Zoom is US-parented. Patient consultations conducted over Zoom involve the transmission and potentially the recording of health information through a US-jurisdictional platform.

Sources: OIPC PIA resources · PIA template & guide · Upper Harbour classification methodology.