Which BC statute applies to my dental, medical, or pharmacy practice?

A private-sector practice in BC is generally governed by BC PIPA . A practice operating under a public health authority is governed by FIPPA. A system that interacts with a designated provincial Health Information Bank (CareConnect, PharmaNet, etc.) is also subject to the BC E-Health Act for that interaction.

Does the BC regime require breach notification?

Yes. BC PIPA has required mandatory breach notification since 1 February 2023. FIPPA has required public-body breach notification under certain conditions. The E-Health Act has its own breach reporting obligations for HIB-connected systems. The BC OIPC publishes guidance on the assessment and notification process.

Is the BC regime stricter than Alberta HIA?

They are different rather than strictly stricter or more lenient. Alberta HIA is more prescriptive about custodian-affiliate roles, Privacy Impact Assessments, and the provincial Netcare environment. BC's distributed regime is structurally more complex but substantively comparable on safeguards and breach notification.

Should BC MSPs serving healthcare also align to HIPAA?

When the BC practice has US clients or US-resident patients, HIPAA can become directly relevant. Even when it does not, HIPAA-aligned safeguards generally satisfy BC PIPA / FIPPA / E-Health Act expectations and many practices treat HIPAA as a useful superset.

What is BC HIA (a common term — but not a single BC statute)? Definition, components, and why it matters

Definition

The phrase "BC HIA" or "BC Health Information Act" is widely used among Canadian MSPs, healthcare procurement teams, and clinic operators, but unlike Alberta's Health Information Act, no statute by that name exists in British Columbia. BC's health-information privacy regime is distributed across three separate statutes that operate together.

For private healthcare practices in BC — independent dental, medical, naturopathic, chiropractic, optometric, pharmacy, physiotherapy, and similar offices — the operative law is BC PIPA (the Personal Information Protection Act). PIPA governs personal information including health information held in private-sector hands.

For BC public bodies — health authorities, public hospitals, the Ministry of Health, public-sector medical research institutes — the operative law is the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA has its own consent, access, security, and storage-outside-Canada notification rules.

For specifically-designated provincial Health Information Banks — CareConnect, PharmaNet, the Provincial Laboratory Information Solution, the Client Registry / Enterprise Master Patient Index, the Provider Registry — the operative law is the BC E-Health (Personal Health Information Access and Protection of Privacy) Act. This is the closest BC statute to Alberta's HIA, though it is much narrower in scope.

Core components

BC PIPA — Personal Information Protection Act. Private-sector privacy law for BC. Governs all personal information including health information held by private practices. Most BC dental, medical, naturopathic, optometric, chiropractic, and pharmacy practices sit here. Learn more.
FIPPA — Freedom of Information and Protection of Privacy Act. Public-sector privacy law for BC. Governs health authorities, public hospitals, and the Ministry of Health. Has storage-outside-Canada notification rules.
BC E-Health Act. Governs designated provincial Health Information Banks (HIBs) — CareConnect, PharmaNet, the Provincial Laboratory Information Solution, etc. The closest analogue to Alberta HIA, though narrower in scope. Learn more.
OIPC oversight. The Office of the Information and Privacy Commissioner for BC enforces all three statutes.
Mandatory breach notification. Through BC PIPA (since February 2023), through FIPPA-related obligations for public bodies, and through E-Health Act provisions for HIB-connected systems, the BC regime now requires breach notification across the spectrum.

Why it matters

The "BC HIA" term matters for search reasons even though no statute by that name exists. MSPs, procurement teams, and clinic operators search for it because they expect BC to have an Alberta-HIA-equivalent single statute. Knowing the distributed reality is important for accurate compliance work.

For BC MSPs serving healthcare, the practical compliance picture is: BC PIPA for the great majority of private healthcare practice clients; FIPPA for public health authority work; and BC E-Health Act when the client interacts with provincial HIBs. Many MSPs have clients spanning more than one of these.

Cross-border data transfers are particularly sensitive in the BC health space. FIPPA in particular has historically required public health information to be stored in Canada (with some narrowed exceptions added in 2021). For private practices under BC PIPA, US-hosted services raise procurement-evidence questions even where they are not strictly prohibited.

How Lavawall® helps with BC HIA (a common term — but not a single BC statute)

Lavawall® bundles the BC health-information regime — meaning the combined BC PIPA + FIPPA + BC E-Health Act set — as a unified framework alongside Alberta HIA, PIPEDA, the provincial PIPAs, Quebec Law 25, and HIPAA. MSPs pick the correct combination for each healthcare client from one framework selection rather than maintaining each statute separately.

Lavawall® is hosted in Canada (currently AWS Montreal, with migration to dedicated Calgary servers), so BC health information stored on Lavawall® itself does not leave Canada — important for both private-practice procurement (BC PIPA) and public-body compliance (FIPPA / BC E-Health Act).

ThreeShield Information Security Corporation, the Calgary-based audit firm that built Lavawall®, has worked with BC healthcare practices on PIPA breach-notification, security incident response, and procurement-evidence requirements. The BC control mapping reflects the actual question patterns BC healthcare procurement teams generate.

For BC MSPs serving healthcare, Lavawall® produces both the technical-safeguards evidence the practice needs and the agent-relationship documentation that flows through to client procurement teams.

Frequently asked

Does BC actually have a "Health Information Act"?: Not by that name. The phrase is in common informal use but no statute by that name exists in BC. BC's closest single statute analogue is the BC E-Health (Personal Health Information Access and Protection of Privacy) Act, but that statute applies only to designated provincial Health Information Banks — not to all health information.
Which BC statute applies to my dental, medical, or pharmacy practice?: A private-sector practice in BC is generally governed by BC PIPA. A practice operating under a public health authority is governed by FIPPA. A system that interacts with a designated provincial Health Information Bank (CareConnect, PharmaNet, etc.) is also subject to the BC E-Health Act for that interaction.
Does the BC regime require breach notification?: Yes. BC PIPA has required mandatory breach notification since 1 February 2023. FIPPA has required public-body breach notification under certain conditions. The E-Health Act has its own breach reporting obligations for HIB-connected systems. The BC OIPC publishes guidance on the assessment and notification process.
Is the BC regime stricter than Alberta HIA?: They are different rather than strictly stricter or more lenient. Alberta HIA is more prescriptive about custodian-affiliate roles, Privacy Impact Assessments, and the provincial Netcare environment. BC's distributed regime is structurally more complex but substantively comparable on safeguards and breach notification.
Should BC MSPs serving healthcare also align to HIPAA?: When the BC practice has US clients or US-resident patients, HIPAA can become directly relevant. Even when it does not, HIPAA-aligned safeguards generally satisfy BC PIPA / FIPPA / E-Health Act expectations and many practices treat HIPAA as a useful superset.