Information and Privacy Commissioner Jill Clayton has written to the Minister of Health to formally request the Government of Alberta consider amending Alberta’s Health Information Act (HIA) to include mandatory breach reporting and notification provisions.
In the letter, items for consideration in an amendment to the legislation include who should be notified about a breach, what the triggers are for notification, what should be reported and in what time frame, and whether there should be penalties, sanctions or other consequences for failing to notify. A copy of Commissioner Clayton’s letter has been posted to the Office of the Information and Privacy Commissioner’s website at www.oipc.ab.ca.
There are several current legislation that requires mandatory privacy breach reporting including PIPA in Alberta. We have best practices to follow when we have a privacy breach involving health care. (See our Document Management Tip: Privacy Breach Reporting Form as a sample tool to follow).
In healthcare, we strive to pay attention to details to provide the best care and treatment for our patients and respect the privacy of their personal information. However, we are human and errors do happen. How ‘small' or ‘big' does a privacy breach need to be require notification to a regulator? What might be the implications to a business if they must report each privacy breach? Are there other alternatives to mandatory breach reporting that we should consider?