Does BC actually have a "Health Information Act"?

Not by that name. The phrase is in common use, but BC's health information privacy regime is distributed across BC PIPA (private practices), FIPPA (public bodies), and the E-Health Act (shared e-health repositories). Alberta HIA is a single named statute; BC's equivalent regime is not.

Which BC statute applies to my dental practice?

A private-sector dental practice in BC is generally governed by BC PIPA (which applies to all private-sector personal information including health information). A dental practice operating under a public health authority is governed by FIPPA. An independent practice that shares records into the provincial e-health system is also subject to the E-Health Act for that shared information.

Does the BC HIA regime require breach notification?

Yes. BC PIPA has required mandatory breach notification since February 2023. FIPPA has required breach notification for public bodies under certain conditions. The E-Health Act has its own breach reporting obligations.

Is the BC regime stricter than Alberta HIA?

They are different rather than strictly stricter or more lenient. Alberta HIA is more prescriptive about custodian-affiliate roles, Privacy Impact Assessments, and the provincial Netcare environment. BC's distributed regime is structurally more complex but substantively comparable on safeguards and breach notification.

Should BC MSPs serving healthcare align to HIPAA as well?

When the BC practice has US clients or US-resident patients, HIPAA can become directly relevant. Even when it does not, HIPAA-aligned safeguards generally satisfy BC PIPA / FIPPA expectations and many practices treat HIPAA as a superset.

What is BC Health Information Act (BC HIA)? Definition, components, and why it matters

Definition

The phrase "BC Health Information Act" or "BC HIA" is in common use among MSPs, healthcare clinics, and procurement teams in BC, but unlike Alberta HIA (which is a single statute) BC does not have a single named "Health Information Act." BC's health information privacy and security regime is distributed across multiple statutes.

For BC private-sector healthcare practices — independent dental clinics, naturopaths, optometrists, chiropractors, family physicians in private practice, specialty clinics, dental groups, pharmacies — health information privacy is governed by BC PIPA. PIPA's general rules about consent, safeguards, and breach notification apply to health information when held by a private-sector practice.

For BC public bodies — health authorities, hospitals, public health agencies, public post-secondary medical schools — health information privacy is governed by the BC Freedom of Information and Protection of Privacy Act (FIPPA) and, for shared electronic health record information, the E-Health (Personal Health Information Access and Protection of Privacy) Act.

Core components

PIPA for private healthcare practices. Independent dental practices, primary-care clinics, specialty clinics, pharmacies, and similar private healthcare businesses are governed by BC PIPA for personal information including health information.
FIPPA for public bodies. BC public health authorities, hospitals, and public-sector medical bodies are governed by FIPPA, which has its own consent, access, and security rules.
E-Health Act for shared electronic health records. The E-Health (Personal Health Information Access and Protection of Privacy) Act governs information shared into and accessed from designated provincial e-health repositories.
Mandatory breach notification. Through PIPA (since Feb 2023) for private practices, and through FIPPA-related obligations for public bodies, BC has mandatory breach notification across the regime.
Custodian-affiliate relationships. Conceptually similar to Alberta HIA: a healthcare practice controls health information and engages service providers (including MSPs) as agents. The contractual and security expectations on the agent flow through PIPA.
OIPC oversight. The Office of the Information and Privacy Commissioner for BC enforces both PIPA and FIPPA.

Why it matters

BC healthcare practices and the MSPs that serve them face a privacy regime that is more fragmented than Alberta's. Knowing which statute applies — PIPA, FIPPA, or the E-Health Act — depends on whether the practice is private-sector, public-sector, or sharing into the provincial e-health system.

For BC MSPs serving healthcare clients, the practical compliance picture is: PIPA for the great majority of private healthcare practices; FIPPA for public health authority work; and E-Health Act layered on top when the client uses provincial shared health record systems.

Cross-border data transfers are particularly sensitive in BC healthcare. FIPPA in particular has historically required public health information to be stored in Canada (with some narrowed exceptions added in 2021). Even for private practices under PIPA, US-hosted services raise questions client procurement teams want answered.

How Lavawall® helps with BC Health Information Act (BC HIA)

Lavawall® bundles BC HIA — meaning the combined PIPA / FIPPA / E-Health Act regime — as a first-class framework alongside Alberta HIA, PIPEDA, the provincial PIPAs, Quebec Law 25, and HIPAA. Practices choose the correct statute combination from the framework selection rather than maintaining each separately.

Lavawall® is hosted in Canada (currently AWS Montreal, migrating to dedicated Calgary servers) so BC health data does not leave Canada when stored on Lavawall® itself — important for both private-practice procurement (under PIPA) and public-body compliance (under FIPPA).

ThreeShield Information Security Corporation, the Calgary-based audit firm that built Lavawall®, has worked with BC healthcare practices on PIPA breach-notification, security incident response, and procurement-driven evidence requirements. The control mapping reflects the actual question patterns BC healthcare practices encounter.

For BC MSPs serving healthcare, Lavawall® produces both the technical-safeguards evidence the practice needs and the agent-relationship documentation that flows through to client procurement teams.

Frequently asked

Does BC actually have a "Health Information Act"?: Not by that name. The phrase is in common use, but BC's health information privacy regime is distributed across BC PIPA (private practices), FIPPA (public bodies), and the E-Health Act (shared e-health repositories). Alberta HIA is a single named statute; BC's equivalent regime is not.
Which BC statute applies to my dental practice?: A private-sector dental practice in BC is generally governed by BC PIPA (which applies to all private-sector personal information including health information). A dental practice operating under a public health authority is governed by FIPPA. An independent practice that shares records into the provincial e-health system is also subject to the E-Health Act for that shared information.
Does the BC HIA regime require breach notification?: Yes. BC PIPA has required mandatory breach notification since February 2023. FIPPA has required breach notification for public bodies under certain conditions. The E-Health Act has its own breach reporting obligations.
Is the BC regime stricter than Alberta HIA?: They are different rather than strictly stricter or more lenient. Alberta HIA is more prescriptive about custodian-affiliate roles, Privacy Impact Assessments, and the provincial Netcare environment. BC's distributed regime is structurally more complex but substantively comparable on safeguards and breach notification.
Should BC MSPs serving healthcare align to HIPAA as well?: When the BC practice has US clients or US-resident patients, HIPAA can become directly relevant. Even when it does not, HIPAA-aligned safeguards generally satisfy BC PIPA / FIPPA expectations and many practices treat HIPAA as a superset.