Does AI Take Your Data? AI and Data Privacy

Generative AI, including platforms like ChatGPT, DALL-E, Google Gemini and Apple Intelligence, has revolutionized our relationship with technology. Maybe these tools have completely changed how you work and engage with the internet. There seem to be endless ways to use these platforms, many of which are built on large language models (LLMs). These chatbots can assist with brainstorming, writing, and even coding, but they can also pose significant risks when used carelessly. One of the biggest concerns? Employees inadvertently exposing sensitive company information.

The National Cybersecurity Alliance 2024 Oh Behave report found that 65% of us are concerned about AI-related cybercrime, and most people (55%) haven’t received any training about using AI securely. For AI Fools Week, let’s change that! #AIFools

First and foremost, when you’re using an AI tool, think about what you’re sharing and how it could be used.

Think Intelligently About AI

AI models process and store data differently than traditional software. Public AI platforms often retain input data for training purposes, meaning that anything you share could be used to refine future responses—or worse, inadvertently exposed to other users.

Here are the major risks of entering sensitive data into public AI platforms:

  • Exposure of private company data – Proprietary company data, such as project details, strategies, software code, and unpublished research, could be retained and influence future AI outputs.
  • Confidential customer information – Personal data or client records should never be entered, as this could lead to privacy violations and legal repercussions.

Many AI platforms let you turn off the use of your inputs for training, but you shouldn't treat that as a failsafe: the opt-out usually covers model training only, the provider may still log and retain your prompts for other purposes such as abuse monitoring, and a misconfiguration or breach on the provider's side is outside your control. Think of AI platforms as social media: if you wouldn't post it, don't enter it into AI.

Check Before You Use AI At Work

Before integrating AI tools into your workflow, take these critical steps:

  1. Review company AI policies – Many organizations now have policies governing AI use. Check whether your company allows employees to use AI and under what conditions.
  2. See if your company has a private AI platform – Many businesses, especially large corporations, now have internal AI tools that offer greater security and prevent data from being shared with third-party services.
  3. Understand data retention and privacy policies – If you use public AI platforms, review their terms of service to understand how your data is stored and used. Specifically look at their data retention and data use policies.

How To Protect Your Data While Using AI

If you’re going to use AI, use it safely!

  • Stick to secure, company-approved AI tools at work – If your organization provides an internal AI solution, use it instead of public alternatives. If your workplace isn’t there yet, check with your supervisor about what you should do.
  • Think before you click – Treat AI interactions like public forums. Don’t enter information into a chatbot if you wouldn’t share it in a press release or post it on social media.
  • Use vague or generic inputs – Instead of inputting confidential information, use general, nonspecific questions as your prompt.
  • Protect your AI account with strong passwords and MFA – Protect your AI accounts like all your other ones: use a unique, complex, and long password (at least 16 characters). Enable multi-factor authentication (MFA), which will add another solid layer of protection.
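As an added example (not part of the original post, and not a feature of any of the platforms named above), here is a small pre-submission check in Python that a workplace could run on a prompt before it reaches a public chatbot. It applies the "think before you click" and "use generic inputs" advice mechanically: e-mail addresses and phone numbers are redacted so the question stays generic, while a nine-digit health number or an API-key-shaped token blocks the prompt outright, because the finding itself proves a record or credential was pasted. The regular expressions, the deny-list entry "Project Falcon" and the sample prompts are all constructed for illustration; a real deployment would use the organization's own DLP rules.

```python
"""Pre-submission guard for prompts bound for a public AI chatbot.

Added example; patterns and sample data are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumptions, not an exhaustive DLP ruleset).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    # Nine-digit health number (the Alberta PHN format); any such run is treated as one.
    "phn": re.compile(r"\b\d{9}\b"),
    # Key-shaped tokens with well-known prefixes (Stripe, GitHub, AWS access key IDs).
    "secret": re.compile(r"\b(?:sk_(?:live|test)_|ghp_|AKIA)[A-Za-z0-9]{16,}\b"),
}

# Categories that must never leave the organization, even in redacted form:
# the finding itself proves the user pasted a record or a credential.
BLOCK_CATEGORIES = {"phn", "secret"}


@dataclass
class GuardResult:
    allowed: bool
    prompt: str                                   # redacted prompt, or "" when blocked
    findings: list = field(default_factory=list)  # (category, matched text)


def guard_prompt(prompt: str, deny_terms=()) -> GuardResult:
    """Return a redacted copy of `prompt`, or block it outright.

    `deny_terms` is an optional case-insensitive list of internal project
    names or code words that must be masked before the prompt is sent.
    """
    findings = []
    redacted = prompt
    for name, rx in PATTERNS.items():
        findings.extend((name, m.group(0)) for m in rx.finditer(prompt))
        redacted = rx.sub(f"[{name.upper()}]", redacted)
    for term in deny_terms:
        rx = re.compile(re.escape(term), re.IGNORECASE)
        findings.extend(("denylist", m.group(0)) for m in rx.finditer(prompt))
        redacted = rx.sub("[INTERNAL]", redacted)
    if any(cat in BLOCK_CATEGORIES for cat, _ in findings):
        return GuardResult(False, "", findings)
    return GuardResult(True, redacted, findings)


if __name__ == "__main__":
    # Constructed sample prompts.
    samples = [
        "How do I write a polite appointment reminder?",
        "Rewrite this email to Jane at jane.doe@clinic.example, call 780-555-0100.",
        "Draft a status update for Project Falcon.",
        "Summarise this note: patient Jane Doe, PHN 123456789, tested positive.",
        "Use this key: AKIAIOSFODNN7EXAMPLE",
    ]
    for s in samples:
        r = guard_prompt(s, deny_terms=("Project Falcon",))
        print("SEND " if r.allowed else "BLOCK", r.prompt or s, r.findings)
```

The check deliberately redacts rather than blocks for ordinary contact details, so the user still gets a useful generic prompt; anything that looks like a health number or a credential is refused, since no rewording makes it safe to send. The `findings` list is what a privacy officer would want logged, not the prompt itself.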

Increase your AI IQ

Generative AI is powerful! But you are wise. Use AI intelligently, especially when sensitive data is involved. By being mindful of what you share, following company policies, and prioritizing security, you can benefit from AI without putting your company at risk.

Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

Privacy Breach Nugget
Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

In 2020, a medical secretary working at the University of Alberta Hospital in Edmonton, Alberta, accessed the health information of 17 individuals without any legitimate job-related reason.

The individuals whose information was accessed had personal relationships with the secretary. She went a step further by disclosing sensitive health information about two of them—including infectious disease details—to others who had no reason to know this information.

One of the individuals experienced harassment through text messages as a direct result of this disclosure.

Managing the Breach

The management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

When a privacy incident is suspected, the first priority is to stop the unauthorized access. It would be appropriate to immediately suspend the employee's access to health information systems such as Connect Care and Alberta Netcare.

If you suspect a privacy breach, don’t wait—report it to your Privacy Officer and Custodian right away.

Step 2 – Investigate

Alberta Health Services (AHS) completed an internal investigation including auditing the employee’s system activity.

The investigation assessed the “real risk of significant harm” (RROSH). This case is a stark reminder of how improper access and disclosure of health information can lead to serious harm.

Step 3 – Notify

In Alberta, custodians like physicians and healthcare organizations are legally required to notify:

• The Office of the Information and Privacy Commissioner (OIPC). (See Guide to Reporting Privacy Breaches)
• The Alberta Minister of Health.
• The affected patients whose personal health information was improperly accessed or disclosed.

Additional notifications may include law enforcement, insurers, or other stakeholders depending on the situation.

Step 4 – Prevent the Breach from Happening Again

Proactive prevention is key to stopping breaches like this one. Here's how:

• Conduct regular privacy training to keep privacy awareness top of mind.
• Maintain a privacy incident log to spot trends and address recurring issues.
• Implement and enforce privacy-monitoring practices to detect and deter snooping.

Diane McLeod, Alberta’s Privacy Commissioner, highlighted an “alarming rise” in snooping incidents in health information systems. The OIPC’s 2023-2024 Annual Report revealed 14 potential breaches of the Health Information Act investigated by the Commissioner’s office, with hundreds more reported.

Commissioner’s Investigation

The OIPC has implemented a process to focus on high-priority breaches. Following its investigation, the Commissioner recommended charges under the Health Information Act (HIA).

Court’s Decision

In February 2025, the court sentenced the medical secretary, Kayla Satre, to a $2,000 fine for unauthorized access to health information, violating the HIA.

However, the Crown Attorney withdrew charges related to the unauthorized disclosure of health information.

Take-Aways

Snooping, the unauthorized access to health information, remains a persistent issue in healthcare. Here's what you can do:

• Educate and remind your team regularly about the importance of patient privacy.
• Monitor system access proactively to detect and stop unauthorized activity.
• Share real-world examples like this one to drive home the importance of privacy compliance.

Protecting patient information isn’t just about compliance—it’s about trust. Share this example with your team and make privacy a daily priority!

Reference and Resources

Office of the Information and Privacy Commissioner of Alberta. Former Alberta Health Services employee fined for unauthorized disclosure of health information, February 6, 2025. https://oipc.ab.ca/former-alberta-health-services-employee-fined-for-unauthorized-disclosure-of-health-information/

3 Parts to Every Privacy Awareness Training Plan

Reasonable Safeguards – the Myth

You may have heard the myth that the Health Information Act (HIA) is a big scary thing that will interrupt your routine, rob you of countless billable hours, impact all of your staff, turn your office inside out, and change the way that you run your entire business!

Myth Buster

The HIA provides structure and framework for reasonable safeguards that apply to any healthcare business.

One of the requirements of reasonable safeguards includes having a privacy awareness training plan.

Privacy Awareness Training

Your Privacy Awareness Training Plan should include learning objectives throughout the year, including

  • Orientation – Standardized training curriculum provided to everyone in your healthcare practice at the time of employment. This is often included during a new employee's orientation period.
  • Specific – Privacy training that is more detailed and specific to the roles and responsibilities of that individual’s job in your healthcare practice. There may also be specific training when new software, technology, or procedures are introduced anytime throughout the employment.
  • Reward – Keep privacy awareness top of mind all year long. Recognize and reward when individuals follow privacy principles that also add value to your client satisfaction or business efficiency.

It is reasonable to expect regular privacy awareness training, especially at orientation, and a formal review annually.

What a Privacy Awareness Training Plan Can Do For You

When you implement regular privacy awareness training, you will see:

  • Privacy and security expectations clearly communicated among your team.
  • Team members demonstrating their commitment to the privacy, confidentiality, and security of personal health information.
  • Efficient practices that protect privacy and save you time and money.
  • Team members confidently and correctly handling personal health information using reasonable safeguards.

Are You a Myth-Buster?

You can be a myth-buster, too, and implement privacy awareness training in your healthcare practice.

You can easily implement reasonable safeguards and meet HIA requirements to ensure privacy, confidentiality, and security of health information that saves you time, frustration and money.

If you need a little help, I have written a practical privacy awareness training course designed for the community health care practice. This is ideal for orientation of new employees and a refresher for the rest of us.

Privacy Awareness in Healthcare: Essentials

Understand basic health care privacy principles and how to handle personal information, use safeguards, and recognize and report a privacy breach.

Ideal for community-based health care professionals and staff, direct care providers, or anyone working with a health care, dental, or social services organization.

An effective privacy compliance program promotes organizational adherence to the Health Information Act (HIA), Personal Information Protection Act (PIPA) Alberta, Personal Health Information Protection Act (PHIPA) Ontario and the Personal Information Protection and Electronic Documents Act (PIPEDA) requirements. A compliance program is your first line of defense to promote the prevention of criminal conduct, and enforce government rules and regulations, while providing quality care to patients. All three training products help protect practices against privacy and security breaches, improper payments, fraud and abuse, and other potential liability areas through education.

Canadian Health Care Privacy Training Solutions

Corridor’s online training makes it easy for health care organizations to comply with provincial and federal legislation that mandates regular privacy training for all health care providers, staff, and vendors.

Select the training that best fits your needs:

NEW! Privacy Awareness in Healthcare Training: Dental Practices – Alberta

Dentists and dental practices in Alberta are required to have an ongoing privacy program to ensure the protection of private records and patient information. The appropriate collection, use, and disclosure of personal information is critical to maintaining privacy for patients that choose to trust in your practice. Accomplishing this important goal demands an up-to-date training strategy.

Privacy Awareness in Health Care Training – Canada

Includes detailed resources for each province and territory with key terminology and links to applicable privacy legislation. Resources are provided for our ten provinces: Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland & Labrador, Nova Scotia, Ontario, Prince Edward Island, Quebec, Saskatchewan, and three territories: Northwest Territories, Nunavut and Yukon. This new product is ideal for both organizations and vendors who provide health care services or have health care clients in more than one province.

Privacy Awareness in Health Care Training – Alberta 

Includes the mandatory privacy breach notification amendments to the Health Information Act (HIA).

Privacy Awareness in Health Care Training – Ontario

Specifically covers all legislation and rules specific to the province of Ontario including the Personal Health Information Protection Act (PHIPA).

Refresher: Privacy Awareness in Health Care – Alberta

A quiz-based review of Corridor’s full Privacy Awareness course. The Refresher starts with an initial quiz to assess knowledge on the topics and information covered in the full course. Based on the quiz results, one or more of eight Refresher topic quizzes must be completed, each focusing on a specific subject area. The Refresher also includes access to the original course content.

 

Privacy Awareness in Healthcare: Essentials

Grab your on-line course from Information Managers and Corridor Interactive

for just $30 per individual 3 month subscription now!

3rd Largest Fine Ever Under the HIA

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

An employee with access to personal health information (PHI) used it without authorization and altered it. The employer discovered the unauthorized access and conducted an internal investigation. Subsequently, the employer reported the privacy breach to the Office of the Information and Privacy Commissioner as required under the Alberta Health Information Act (HIA).

The Alberta OIPC charged an individual with falsifying COVID-19 immunization records of nearly 200 people from September to November 2021 while they were employed in an administrative support staff role at Alberta Health Services (AHS). The false information was entered into the health information system which feeds into the Alberta Health Immunization record system.

Commissioner’s Investigation

The OIPC opened an offence investigation in June 2023. In March 2024, the OIPC recommended charges under the HIA.

In December 2024, Justice Mah of the Alberta Court of Justice sentenced Hind Mahmoud Dabash to a fine of $12,000 for the offence of knowingly using and creating health information in contravention of the HIA.

The other charge, of knowingly gaining access to the health information of 199 members of the public, was withdrawn.

Take-Aways

The custodian, AHS, was able to monitor and investigate the user's actions in the electronic medical record system. This audit capability is a requirement of health information systems and deters individuals from accessing and altering PHI.

This case is unusual because the employee altered the content of immunization records, which could have led to inaccurate diagnosis and treatment decisions for the individuals, their families and their contacts.

Regular privacy awareness training, monitoring of user activity audit logs, and supervision are essential steps to prevent and detect the unauthorized use of health information.
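The audit-log monitoring recommended here, and the "monitor system access proactively" advice in the medical secretary case earlier on this page, can be turned into a simple detection rule. The Python below is an added example, not AHS code or a Connect Care feature; the audit export, the user-to-unit mapping, the encounter list and the role table are all constructed for illustration. It flags two things: a VIEW of a patient with whom the user's unit has no encounter (no treatment relationship, the snooping pattern from the secretary case), and an UPDATE of an immunization record by a role that is not permitted to write one, even when a relationship exists (the alteration pattern from this case). A second function escalates users who viewed several unrelated patients on the same day, which is what a privacy officer would want on a weekly report.

```python
"""Snooping and alteration detection over an EHR audit export.

Added example; the audit log, unit mapping, encounter list and role table
are constructed for illustration and are not real AHS data.
"""
import csv
import io
from collections import defaultdict

# Constructed audit export: one row per access, as most EHR audit reports export it.
AUDIT_LOG = """timestamp,user,role,action,record_type,patient_id
2020-03-02T09:14:05,msecretary1,medical_secretary,VIEW,chart,P1001
2020-03-02T09:16:40,msecretary1,medical_secretary,VIEW,lab_result,P1002
2020-03-02T09:17:12,msecretary1,medical_secretary,VIEW,lab_result,P1003
2020-03-02T10:02:00,nurse7,rn,VIEW,chart,P1001
2021-10-05T14:30:00,admin3,admin_support,UPDATE,immunization,P2001
2021-10-05T14:31:10,admin3,admin_support,UPDATE,immunization,P2002
2021-10-06T08:05:00,np2,nurse_practitioner,UPDATE,immunization,P2003
"""

# Constructed reference data a privacy officer would pull from HR and scheduling.
USER_UNIT = {"msecretary1": "cardiology", "nurse7": "cardiology",
             "admin3": "registration", "np2": "public_health"}
# (unit, patient) pairs with an open encounter: the "treatment relationship".
ENCOUNTERS = {("cardiology", "P1001"), ("registration", "P2001"),
              ("registration", "P2002"), ("public_health", "P2003")}
# Roles allowed to write each record type. Record types with no entry are
# treated as read-only, so any UPDATE to them is flagged.
WRITE_ROLES = {"immunization": {"rn", "nurse_practitioner", "physician"}}


def parse_log(text):
    """Parse a CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def detect(rows, user_unit=USER_UNIT, encounters=ENCOUNTERS, write_roles=WRITE_ROLES):
    """Return audit rows that violate either rule, each tagged with a reason."""
    alerts = []
    for r in rows:
        related = (user_unit.get(r["user"]), r["patient_id"]) in encounters
        if r["action"] == "VIEW" and not related:
            alerts.append({**r, "reason": "no_treatment_relationship"})
        elif r["action"] == "UPDATE":
            if r["role"] not in write_roles.get(r["record_type"], set()):
                # Role may not write this record type, relationship or not.
                alerts.append({**r, "reason": "unauthorized_modification"})
            elif not related:
                alerts.append({**r, "reason": "no_treatment_relationship"})
    return alerts


def snooping_users(alerts, threshold=2):
    """Users who accessed >= threshold unrelated patients on a single day."""
    seen = defaultdict(set)
    for a in alerts:
        if a["reason"] == "no_treatment_relationship":
            seen[(a["user"], a["timestamp"][:10])].add(a["patient_id"])
    return {user for (user, _day), patients in seen.items() if len(patients) >= threshold}


if __name__ == "__main__":
    found = detect(parse_log(AUDIT_LOG))
    for a in found:
        print(a["timestamp"], a["user"], a["action"], a["record_type"], a["patient_id"], a["reason"])
    print("escalate for snooping review:", sorted(snooping_users(found)))
```

On the constructed data the secretary's two lab-result views of unrelated patients are flagged and escalated, while the same secretary's view of a cardiology patient and the nurse's view are not; the registration clerk's two immunization updates are flagged even though the clerk's unit has a relationship with both patients, because the role may not write that record type. The relationship table is the hard part in practice: it has to be rebuilt from scheduling and encounter data often enough to keep up with legitimate care, or the rule drowns in false positives.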

Reference

Alberta OIPC News Release December 19, 2024.  https://oipc.ab.ca/court-case-concludes-in-sentencing-for-offence-under-health-information-act/ 

5 New Year’s Resolutions for Privacy Officers and Clinic Managers

Why Privacy Resolutions Matter for the New Year

The start of a new year is the perfect time for clinic managers and privacy officers to reflect, reset, and refocus their efforts on safeguarding patient information. Just as individuals set personal goals for growth, healthcare organizations benefit from creating resolutions to strengthen their privacy practices. With evolving regulations, new technologies, and the ever-present risk of breaches, a proactive approach ensures your clinic stays ahead of potential challenges. These five New Year’s Resolutions will help you prioritize compliance, reduce risks, and foster a culture of privacy and accountability in your practice.

1. Review Your Clinic Description and Privacy Impact Assessment (PIA)

Start by assessing your clinic’s current operations and comparing them to your original plans. Are they still aligned, or have new challenges or opportunities arisen? Consider the following:

  • Are there any new initiatives or technologies your clinic is planning to implement this year?
  • Are there upcoming changes in personnel, stakeholders, or organizational structure?
  • Have there been any recent or anticipated legislative updates that could impact your privacy practices?
  • Identify updates that need documentation and determine if you need to notify the Office of the Information and Privacy Commissioner (OIPC).

Regularly updating your PIA ensures your clinic stays compliant, prepared, and aligned with its goals.

If you haven’t completed a PIA, make it a top priority this year! A PIA ensures compliance and protects your patients and organization.

Tip: Check out the December 2024 Q&A With Jean for the ‘Annual Review Checklist’ template to help you right away!

 

2. Monitor Privacy Breaches and Annual Trends

Take a close look at the privacy breaches and near misses from the past year. What patterns or trends stand out? Are there recurring issues, such as faxes being sent to the wrong number or patient forms being given to the wrong person?

It’s time to evaluate your current approach. If reminders to “be more careful” haven’t reduced these incidents, it’s a sign that a new strategy is needed. Process changes, additional staff training, or implementing new tools might be necessary to achieve better results.

Action Step: If you don’t already have a privacy breach reporting tool to provide a clear summary of all breaches at a glance, make it a priority to implement one now. Use this tool to document trends, analyze recurring issues, and develop actionable solutions to discuss during staff meetings.

 

3. Privacy Awareness Training for Everyone!

Recent decisions, such as Ontario IPC's PHIPA Decision 260, highlight the importance of mandatory Privacy Awareness (PAW) training for all staff, including physicians.

Ensure your organization not only mandates this training but also enforces compliance. Accountability starts at the top.

Case Study: In Decision 260, a hospital faced repercussions when a physician accessed 1,400 patient records without proper authorization due to a lack of enforced PAW training. How do you ensure that every employee and healthcare provider receives PAW training at your practice?

4. Plan for Succession

Every business owner needs a plan to continue or close the business if the owner suddenly becomes unable to do their job.

Custodians must designate a successor to ensure patients maintain access to their records in case of sudden changes. Naming a successor custodian who will advocate for and ensure the proper access and retention of patient records is a requirement of professional standards of practice and good business sense.

Clinic managers should know who the designated custodian is and ensure there’s a written agreement in place.

Thought Experiment: Succession planning is critical for privacy officers and clinic managers, too! Who will take over your role if you win the lottery tomorrow? Develop a training plan for your protégé. Check out the upcoming Practical Privacy Officer Strategies training.

5. Review Your Technology Stack

Recent outages like Microsoft 365 or platform closures (e.g., Bench) highlight the importance of contingency planning.

A technology stack inventory lists your data holdings and the software and hardware vendors you use in your business.

Include the vendor contact details and backup plans for service disruptions.

Ensure that you have written agreements for each service and appropriate access, security, and retention for PHI.

Conduct a risk assessment of the technology that you implement in your business to evaluate the impact of downtime on your clinic. The higher the risk, the more important it is to have a business continuity plan.

Bonus: Email me for a free Technology Stack template to get started!

Schedule these activities into your calendar to prompt you to dedicate time to complete your resolutions. They are not difficult and will contribute to privacy compliance in your practice.

Need some help with your privacy compliance? Join our Practice Management Success Membership for templates, guides, and expert support to make 2025 your best year yet!

 
Jean Eaton Informationmanagers.ca

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach INFORMATION MANAGERS