Privacy Law for Pharmacies in Canada

By Yong Du

PIPEDA and provincial PIPA obligations for Canadian pharmacies — what patient prescription records require, how Alberta's Health Information Act applies, breach reporting for health information, and compliance requirements for pharmacy operations.

What makes pharmacies distinct

Pharmacies hold prescription records — a direct window into a patient's health conditions, chronic illnesses, medications, and treatment history. Prescription data reveals information patients may not have disclosed to employers, insurers, or family members. A breach of prescription records creates risks of discrimination, stigma, and significant personal harm beyond what most personal information breaches produce.

Pharmacies in Alberta also operate under the Health Information Act as health custodians — a parallel privacy regime with distinct obligations for health information that runs alongside PIPEDA.


Which laws apply

Jurisdiction | Law | Applies to | Regulator
Alberta | Health Information Act (HIA) | Patient health information held by pharmacists and pharmacies — prescription records, medication history, drug interaction notes, clinical interventions | OIPC Alberta — oipc.ab.ca
Alberta | Alberta PIPA | Non-health personal information (patient contact and payment details, employee information) | OIPC Alberta — oipc.ab.ca
BC | BC PIPA | Patient information at private pharmacies (BC has no private-sector health privacy statute equivalent to Alberta's HIA) | OIPC BC — oipc.bc.ca
Federal | PIPEDA | Commercial activities; interprovincial activity; provinces without substantially similar legislation | OPC — priv.gc.ca

Important: Alberta HIA obligations for pharmacy custodians are detailed and sector-specific. This guide covers the PIPEDA and provincial PIPA layer. Alberta pharmacies should obtain legal advice specific to HIA compliance in addition to using this guide.


What personal information pharmacies hold

Patient prescription records: Medication names and dosages, prescribing physician, fill dates and refill history, drug interaction checks, clinical intervention notes, allergy information. Prescriptions reveal health conditions — a medication for a specific condition implies that diagnosis even if the diagnosis is not stated.

Patient administrative information: Full name, date of birth, address, phone number, provincial health card number, private insurance provider and policy number.

Patient financial information: Payment records, credit card or banking details, insurance claim and reimbursement records.

Employee information: SINs, banking details, professional licensing records, employment records.


Common breach scenarios

Ransomware: Pharmacy management systems are primary ransomware targets — patient prescription records have significant extortion value given their sensitivity. A ransomware attack on a pharmacy affects every patient in the system. See Ransomware Attack: What Canadian SMEs Must Do.

Pharmacy management system breach: A breach of a cloud-based or networked pharmacy management system is a vendor breach scenario if the platform provider is compromised. The pharmacy's accountability for patient data does not transfer to the provider. See Vendor or Third-Party Breach.

Unauthorized employee access: A pharmacy staff member accessing prescription records for patients who are not their assigned customers — motivated by curiosity (a known patient), personal interest in another person's health status, or financial motivation (identity fraud using health card numbers). See Unauthorized Employee Access.

Improper disposal: Printed prescription labels, medication packaging with patient information, or paper prescription records not shredded. See Physical Records Breach.


RROSH in a pharmacy breach

Prescription data is among the most sensitive personal information categories under PIPEDA. A breach of prescription records will almost always meet the RROSH threshold. The specific harm profile includes:

  • Disclosure of health conditions: Prescriptions for psychiatric medications, HIV treatments, or stigmatized conditions create risk of discrimination and significant personal distress
  • Insurance fraud: Health card numbers enable fraudulent prescription claims
  • Identity fraud: Patient name, date of birth, and health card number together are sufficient for identity fraud in some contexts

Mental health and substance use medications: These categories carry the highest stigma risk and are the most sensitive within the prescription record category. A breach specifically involving these medications requires particular attention in individual notifications — be specific about what was involved without unnecessarily broadcasting the health information in the notification itself.


Core compliance obligations

Privacy officer: Designate a named individual responsible for PIPEDA (and in Alberta, HIA) compliance. In most pharmacies this is the pharmacist owner or manager. Their contact must appear in the privacy policy.

Privacy policy: Describe what patient information is collected, why, how it is used and protected, how long it is kept, and how patients can access their records or make a complaint. Must be available to patients and posted in the pharmacy.

Retention: Pharmacy regulations and professional college requirements govern minimum retention periods for prescription records. In Alberta, College of Pharmacists of Alberta standards and HIA requirements govern health record retention — contact your regulatory college for profession-specific guidance. Do not rely on the general PIPEDA retention principle alone for prescription records.

Vendor contracts: Every pharmacy management system, insurance portal, and IT service provider that accesses patient data must have a written contract with privacy and security obligations.

Safeguards: Encrypted storage for prescription records, access controls limiting staff to patients they are actively serving, audit logging to detect unauthorized access, secure destruction of printed prescription labels and paper records, and MFA on all systems holding patient data.

Patient notification specifics: When notifying patients of a prescription record breach, describe specifically which records were involved — but do so in a way that does not disclose the patient's health condition to third parties who may see the notification. Advise patients to monitor their provincial health insurance account for unauthorized prescription claims and to contact their insurer if private insurance records were involved.
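One way to put the audit-logging safeguard above into practice, as an added example that is not ClearBreach's code: review a constructed access log against fill records and flag staff lookups of patients outside an active care relationship, then group them by staff member for the privacy officer. The log format, the two-hour window, and the staff and patient identifiers are assumptions.

```python
"""Audit-log review: flag record access with no supporting prescription fill."""
from collections import namedtuple
from datetime import datetime, timedelta

Access = namedtuple("Access", "when staff patient action")
Fill = namedtuple("Fill", "when staff patient")

# Assumed window: a lookup is expected shortly before or after a fill the
# same staff member handled for that patient. Tune to the pharmacy's workflow.
WINDOW = timedelta(hours=2)

# Constructed sample: which staff member processed which patient's fill, and when.
SAMPLE_FILLS = [
    Fill(datetime(2024, 3, 1, 9, 5), "rph01", "P-1001"),
    Fill(datetime(2024, 3, 1, 14, 20), "tech02", "P-1002"),
]

# Constructed sample audit log, one access per line: timestamp|staff|patient|action
SAMPLE_LOG = """\
2024-03-01T09:02:00|rph01|P-1001|view_profile
2024-03-01T09:04:00|rph01|P-1001|view_rx_history
2024-03-01T11:30:00|tech02|P-1003|view_rx_history
2024-03-01T14:18:00|tech02|P-1002|view_profile
2024-03-02T08:00:00|rph01|P-1002|view_rx_history
"""


def parse_log(text):
    """Parse the pipe-delimited audit log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, staff, patient, action = line.split("|")
        records.append(Access(datetime.fromisoformat(when), staff, patient, action))
    return records


def in_relationship(access, fills, window=WINDOW):
    """True if the same staff member handled a fill for this patient inside the window."""
    return any(f.staff == access.staff and f.patient == access.patient
               and abs(f.when - access.when) <= window for f in fills)


def flag_out_of_relationship(log_text, fills):
    """Accesses with no supporting fill. Not proof of misuse: counselling or a
    phoned-in question can be legitimate, so these go to review, not to a verdict."""
    return [a for a in parse_log(log_text) if not in_relationship(a, fills)]


def review_queue(log_text, fills):
    """Group flagged accesses by staff member so repeat behaviour stands out."""
    queue = {}
    for a in flag_out_of_relationship(log_text, fills):
        queue.setdefault(a.staff, []).append((a.when.isoformat(), a.patient, a.action))
    return queue
```

Running this over the sample flags two lookups: tech02 viewing P-1003, who has no fill on record, and rph01 viewing P-1002 the day after a fill that a different staff member handled.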




ClearBreach assesses your obligations under PIPEDA, Alberta PIPA, and BC PIPA. Alberta HIA obligations are a separate assessment that ClearBreach does not currently cover — Alberta pharmacies should obtain HIA-specific legal advice in parallel with using ClearBreach for their PIPEDA/PIPA assessment.



This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for pharmacies. Alberta HIA obligations for health custodians require separate legal advice and are not fully covered here. College of Pharmacists requirements for record-keeping are separate from privacy legislation and are not covered here. Quebec's Law 25 is not covered here.

Frequently asked questions

Does PIPEDA apply to pharmacies?

Yes, but it is not the only law that applies. In Alberta, pharmacies and pharmacists are 'custodians' under the Health Information Act (HIA), which governs patient health information — prescription records, medication history, drug interaction notes — separately from PIPEDA. In BC, pharmacies are subject to BC PIPA for patient information. PIPEDA applies to commercial activities. The result is that most pharmacies operate under multiple overlapping privacy regimes. This guide covers the PIPEDA and provincial PIPA layer; HIA obligations in Alberta should be addressed with legal counsel familiar with Alberta health privacy.

Patient prescription records were accessed in a ransomware attack — what are our obligations?

You must assess your obligations under both health legislation and PIPEDA or provincial PIPA simultaneously. In Alberta, HIA requires custodians to notify affected individuals and the OIPC Alberta of unauthorized access to health information. Under PIPEDA, you must assess RROSH and notify the OPC and affected individuals if the threshold is met. For prescription records — which reveal medications and by implication health conditions — RROSH is almost certain to be present. Both assessments must proceed concurrently, not sequentially.

Can patients access their own prescription records?

Yes. Under PIPEDA and provincial privacy legislation, individuals have the right to access their personal information, including health records. In Alberta, the HIA gives patients a specific right of access to their health information held by custodians. Your pharmacy must have a process for responding to access requests within the applicable timeline (30 days under PIPEDA and BC PIPA; timelines under HIA vary). Prescription records are the patient's personal health information — they have a right to access them.

We use a third-party pharmacy management system — what are our obligations if that system is breached?

Your accountability for patient prescription records does not transfer to the pharmacy management system vendor. Under PIPEDA Principle 1, you remain accountable for personal information you transfer to a third party for processing. If the vendor is breached and patient data is affected, your notification obligations apply. Your contract with the vendor must include privacy and security obligations and a requirement to notify you promptly if a breach occurs.

This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.