New Mandatory Privacy Breach Notification Form

Posted on September 13, 2018 by Jean Eaton in Blog

AS of August 31, 2018, the new Alberta regulations regarding mandatory privacy breach notification requirements are in force.

The Alberta Minister of Health (MOH) and the Office of the Information and Privacy Commissioner (OIPC) have published the mandatory notification forms for you to submit your privacy breach notifications.

You can download the forms here:

Notification to Alberta’s Minister of Health: http://www.health.alberta.ca/about/Health-Information-Act.html

Notification to the OIPC: https://www.oipc.ab.ca/forms.aspx

You Will Be FINED $50,000 if You Don't Do This!

If you don’t have an active privacy breach management program and are not compliant with mandatory privacy breach notification, you may be fined up to $50,000.

I recommend that you also use an internal privacy breach reporting form to document your investigation and reporting. The form will help you to navigate the privacy breach management process and record information for your internal use. You can then copy and paste the necessary information to the mandatory notification forms.

If you are a member of Practice Management Success, login and access the Procedure Privacy Breach Management Template including the Privacy Breach Report Form.

Not a member of Practice Management Success, yet?

What are you waiting for?

Get Your Practice Management Success membership

If you are a member of the 4 Step Response Plan, login and access my video and review of how to use the MOH and the OIPC forms.

What You Should Do Now

Update your current privacy breach reporting policies and procedures with the new requirements for mandatory privacy breach notification.
Include copies of these new forms in your procedures so that you can easily access them when needed.
Ensure that your custodians are aware of the new mandatory privacy beach notification regulations. You can share the e-book, Understanding Privacy Breach Notification, to assist you.

Additional Resources

Alberta Health has also added a new chapter, Duty to Notify, to their HIA Guidelines Manual. You can download this chapter here. This provides additional examples of privacy breaches and appropriate responses including comments from OIPC investigations.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta, Canada, health care, healthcare, mandatory breach notification, mandatory privacy breach notification, medical, Practice Management Success

Mandatory Privacy Breach Reporting Comes to Alberta!

Posted on July 30, 2018 by Jean Eaton in Blog

I didn't think it was going to happen . . . but it did!

Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!

What is a Privacy Breach?

A privacy breach is a loss, unauthorized access to, unauthorized use, unauthorized disclosure, authorized access for unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make a fraudulent insurance claims, access to services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur internal to the business? Most of these breaches are an ‘oops’ or honest mistakes or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicate a broken work flow or automated process or carelessness or disregard to the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry directly related to what information has been breached and who now has access to the information. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense to manage the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare, is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. As a result of this, inaccurate information may be added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with some few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and how they can protect themselves from further harm.

Your internal privacy beach investigation takes time and may require additional support from external experts including a consulting privacy officer, lawyer, investigator, human resources, communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC), and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. A central oversight with the OIPC and the Minster will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

The importance of securing health information and to appear to appropriately respond to a privacy breach is part of the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as result of the loss or unauthorized disclosure (HIA s. 60.1(4).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

Has been or may be accessed by or disclosed to a person
Has been misused or will be misused
Could be used for the purpose of identity theft or to commit fraud
Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information

Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been

Encrypted or otherwise secured (applicable to electronic information), or
Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate:

The information was not accessed before it was recovered, or
The only person who access the information is a custodian, affiliate, information manager subject to section 60 of the Act or,
Accessed the information as part of their role as a custodian or affiliate and not for an improper use and
Did not improperly use or disclose the information,

the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice including their reasons for their decision to notify and their decision not to notify.

When you record each privacy breach, including ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:

broken work flow, or
broken automated process, or
carelessness or disregard to the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

Fail to report a breach
Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s60.1):

The Privacy Commissioner of Alberta (OIPC), and the
Minister of Health in Alberta and
The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

Name of the custodian
Description of the circumstances
Date or time period which the incident occurred
Date which the incident was discovered
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
- If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

Name of the custodian
Description of the circumstances
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

Description of the circumstances
Date or time period which the incident occurred
Name of the custodian
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

Privacy breach management policy
Privacy and security incident response plan
Training for your privacy officer, management team, and custodians
Human resources privacy breach discipline policy and
Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See: https://InformationManagers.ca/4-step

References

These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act

You need to know how mandatory privacy breach reporting will affect you!

Don't miss this!

Stay up to date on mandatory privacy breach reporting! Sign up here to receive tips, tools, templates, and training when they become available.

You will also receive occasional bits of FREE privacy wisdom tips, tools, templates, and training!

PRIVACY NUGGETS emails designed to provide to you tips, tools, templates and training that you can use right away!

Privacy Nuggets will be provided direct to your email in-box and includes:

privacy tips, tools, templates (usually including references to external resources) designed for you to share with your staff, patients, and family.
Privacy Breaches – What You Need to Know – you will receive an example of a recent privacy breach in the news that you can use to review and improve your practices. Learn from someone else's mistakes!
publication previews and announcements
workshop and webinar events

I am honoured that you choose to spend your time with me today.

Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!

I promise this list will be secure and you'll be able to unsubscribe at any time.

– Jean L. Eaton, Your Practical Privacy Coach

Alberta, Health Information Act, mandatory privacy breach reporting, privacy breach investigation, privacy breach notification, privacy nuggets

Recruit Admin and Support Staff for Your Healthcare Practice

Posted on March 24, 2018 by Jean Eaton in Blog, Clinic Manager / Privacy Officer, New Practice

Information Managers can assist your healthcare practice in Alberta to recruit administrative and support staff. Recruiting is one of our Virtual Clinic Manager Services.

What is the Virtual Clinic Manager?

We are not an employment agency – we can help you recruit to fill your vacancies in your healthcare practice.

This might include:

Create customized job description, job posting, on-line application form.
Distribute advertising for the opening to multiple locations.
Receive application forms and create and maintain a database of applicants. This will help to quickly review incoming applications and follow-up with candidates. The applications will come directly to Information Managers. The client will receive the information from all candidates.
Screen candidates by telephone. When I identify a candidate(s) that meets your requirements, I will contact the client. You can decide at that time if you want me to do the first in-person interview with the candidate or if you want me to do the first in-person interview.
After the interview, I can assist you with the reference checking and follow-up with the candidate. This may include a thank you notice to the candidates selected for a telephone interview and draft letter of offer to the successful candidate.

Show Me More About VCM Services

Contact Jean to discuss if our Virtual Clinic Manager Service is for you.

Alberta, clinic manager, dental associate, dental hygienist, Edmonton, healthcare, interpreter, job, job posting, medical office assistant, MOA, opportunities, practice manager, receptionist, recruit, recruiting

Shared Health Record Project Includes Community Health Providers

Posted on February 13, 2018 by Jean Eaton in Blog, Guest Post

Are you a Community Healthcare Provider in Alberta?

The Alberta Netcare project, the provincial electronic health record (EHR), has been in development since 1999. The EHR is a secure and confidential electronic system of Alberta patient health information. The Shared Health Record Project is one of the latest Netcare initiatives.

One of the largest source of patient health information resides with community healthcare providers.

The Shared Health Record Project intends to provide the solution to integrate information from a healthcare providers' office based electronic medical record (EMR) into the provincial EHR to improve the communication between healthcare providers to better provide continuing care and treatment to the patient.

If you are a healthcare provider who believes that secure access to more patient health information can improve health outcomes, this article is for you!

In this guest author post, Lyuba Fleysher, Program Director, ConnectCare, provides an update of the Shared Health Record Project.

The primary goal of the Shared Health Record (SHR) Project is to establish a foundation for sharing clinical information between physician office electronic medical records (EMRs) and the Alberta Netcare EHR repositories managed by Alberta Health Services (AHS). The purpose of this integration is to support continuity of care and clinical decision-making.

It is well acknowledged that 70 to 80% of health services are delivered in community settings – outside of AHS programs and services. It was expected that provincial availability of information captured within physician office EMRs would support continuity of care and enhance patient safety by providing a more complete electronic health record (EHR).

The primary focus of SHR is on enabling system-to-system integration to access to information held in the Netcare EHR repositories managed by AHS and currently only available via the Netcare Portal.

Note this integration does not replace eDelivery of reports delivered to physicians who are named on the report.

The SHR implementation will:

Enable authorized users to search for, view, and download clinical documents (e.g. discharge summaries, consult reports, diagnostic imaging reports) and encounters via system-to-system messaging.
Include capabilities to automatically propagate report updates to providers who had downloaded and replicated copies of reports in their EMR (or paper chart) or requested receiving updates. The propagation of updates is to eliminate potential impact to patient safety of using incorrect or out-of-date information for clinical decision making.
Honor the patient’s expressed wishes for a Global Person-Level Mask (GPLM) and require users to provide a reason for unmasking the record if they wish to access a masked record.

The scope of the project includes implementation with a limited production rollout (LPR) of clinics that use the Alberta Qualified Services Provider (QSP) vendor – Microquest. However the SHR interface specifications will become an Alberta HISCA standard and be available for implementation with non-QSP (Alberta Qualified Services Provider) EMR vendors or other applications (e.g. Personal Health Portal).

The Shared Health Record (SHR) project is a key component of the Alberta Netcare Electronic Health Record (EHR). The SHR project is an initiative to further develop the value and completeness of the information shared within the provincial Netcare EHR, and enables further access to health information to support clinical decision making at the point of care.

The success of the Netcare EHR has been achieved by enabling access to demographic information, drug information, lab test result data, diagnostic imaging and other report information to physicians, pharmacists, hospitals, home care, and other health care professionals across the province. The goal of the next phase of the development of Netcare, as defined within the “Alberta Provincial Healthcare IM/IT Strategic Plan 2009-2015” , is to share relevant clinical information in addition to the information domains presently available within Netcare.

SHR is a concept that was developed by Canada Health Infoway. The Shared Health Record (SHR) is a mechanism for sharing person-specific clinically-relevant data not held in other domain repositories (e.g. DI, Lab, and Drug). The SHR is intended to hold a copy of subsets of information captured in the point of service (PoS) applications and should focus only on clinically relevant data appropriate for sharing. The following are types of information that Infoway suggests maybe included:

Basic Encounter Information
Referral Orders and Referral Notes
Encounter Summaries
Clinical Observations
Problems/Conditions/Diagnosis
Care Plans
Care Protocols
Health Status indicators

The SHR completed extensive consultation with stakeholders and established the following consensus:

The SHR should initially focus on Encounters, Reports, Immunizations/Adverse Reactions, Care Composition Profiles, Screenings and Alerts.
Both data integrity (accredited source, accuracy, timeliness) and presentation (the manner in which information is accessed from within the EHR) are paramount.
Conceptually, the SHR project should endeavor to allow the EHR to act as a “summary profile” which guides and points to client information supplied, managed and accredited by other distributed sources. This profile may be based on Client/Provider/Site Encounters.

Guest Author: Lyuba Fleysher, Program Director, ConnectCare, Alberta Netcare

For more information about the Shared Health Record, see: www.albertanetcare.ca/SharedHealthRecord.htm and www.ahs.ca/connectcare .

If you are using an EMR, contact your EMR representative to discover how the SHR integrates into your EMR.

Alberta, Alberta Netcare, Canada Health Infoway, health care, healthcare, shared health record

PIPA is extended for 6 months

Posted on November 11, 2014 by Jean Eaton in Blog

On October 30, the Supreme Court of Canada (SCC) granted a six-month extension which will allow the Government of Alberta to make amendments to the Personal Information Protection Act, 2003 (PIPA).

Yesterday’s decision was welcomed by Alberta’s Information and Privacy Commissioner Jill Clayton, “If PIPA is allowed to lapse, Alberta’s citizens and businesses will lose the unique benefits afforded by the legislation, including: mandatory breach reporting and notification to affected individuals, local enforcement without court involvement, and protection for the access and privacy rights of employees of provincially-regulated private sector businesses.”

PIPA applies to not for profit and private business sector in Alberta. For more information about PIPA, join us at the PIPA Conference in Calgary Nov 13-14.

Alberta, PIPA

Alberta’s Minimum wage increase Sept 1

Posted on September 28, 2014 by Jean Eaton in Blog

Did you know . . . Alberta’s general minimum wage increased to $10.20 from $9.95 per hour effective September 1, 2014.

For more information about Alberta’s Employment Standards, see http://work.alberta.ca/documents/Minimum-Wage.pdf

How savvy are you about your rights and responsibilities?

Take the on-line quiz at http://work.alberta.ca/workright.

Alberta, minimum wage, workplace

Netcare access to Registered Nurses as Custodians

Posted on September 22, 2014 by Jean Eaton in Blog

Are you a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service? Are you self employed?

If any of these describe your practice setting, you may be eligible to apply for access to Netcare as a custodian.

One of first things you need to do is submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner (OIPC).

Privacy Impact Assessment for Netcare (often bundled with EMR implementation Privacy Impact Assessment) must refer to Alberta Netcare Portal (ANP) Privacy Impact Assessment H3879. OIPC will not accept any PIA's referencing the ‘old’ Netcare PIA H1124.

If custodians (physicians, pharmacists, registered nurses, etc) have a PIA accepted prior to August 2012 and they want new / continued access to ANP they must amend their PIA and submit to OIPC.

Netcare (ANP) now requires all Provincial Organization Readiness Assessement (pORA) including completing “Section Two: Mandatory Security Requirements for S2S Sites”.

For more information, see

CARNA website and resources.

Information Mangers blog post, Do you have Netcare

Alberta, CARNA, HIA, Netcare, Registered Nurses

Do you have Netcare?

Posted on September 22, 2014 by Jean Eaton in Blog

Netcare's PIA Process

When we provide our personal and sensitive information to a healthcare provider, we want assurances that the confidential information will be respected. We expect that our information will only be shared with people who need to know the information to provide health services to us. Alberta's Health Information Act requires healthcare providers (custodians) to put appropriate safeguards in place to protect the privacy, confidentiality, and security of health information.

Alberta Netcare, also known as the Alberta Electronic Health Record (EHR), is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images (e.g. x-rays and ultrasounds) and hospital reports (e.g. hospital discharge summaries). Netcare is used throughout Alberta in hospitals run by Alberta Health Services and Covenant Health and in medical clinics and pharmacies. This is managed by Alberta Health, Government of Alberta. Alberta Health Services (regional health authority), community pharmacies, labs and diagnostic imaging centres and other agencies upload patient information to Netcare.

Netcare Portal PIA

Each custodian is required by Health Information Act to submit a Privacy Impact Assessment to the OIPC. Alberta Health submitted a Privacy Impact Assessment (H1124) in 2006 for Alberta Netcare Portal (ANP) and an updated Privacy Impact Assessment (H3879) in March 2013.

Healthcare providers (custodians) who request access to Alberta Netcare Portal (ANP) must submit a Privacy Impact Assessment to the OIPC that documents the healthcare providers’ computer systems integration with Alberta Netcare.

If you have a previous Privacy Impact Assessment that was accepted by the OIPC regarding your access to Alberta Netcare Portal and it is less than two years old, you can submit a Privacy Impact Assessment Addendum. If you have previously completed a Provincial Organization Readiness Assessement (pORA) you will need to review and update the pORA including completing “Section Two: Mandatory Security Requirements for S2S Sites” and return it to Alberta Health for review and approval.

If you have not yet submitted a Privacy Impact Assessment

You need to submit a PIA to the OIPC for acceptance. This must reference the ANP Privacy Impact Assessment (H3879). You must also complete and submit a pORA including “Section Two: Mandatory Security Requirements for S2S Sites”.

Questions to ask:

1) When was the last time we reviewed our PIA? (This should be reviewed annually.)

2) Do we have / do we want access to Alberta Netcare Portal (ANP)? If ‘yes’, then:

3) Was your Privacy Impact Assessment accepted more than two years ago (before August 2012)? If ‘yes’, then

Review and amend your PIA and submit to OIPC including reference to ANP Privacy Impact Assessment H3879 and
Review your pORA including “Section Two: Mandatory Security Requirements for S2S Sites”. You will likely need additional support from your computer network vendor and your EMR vendor.

4) If you are a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service or self employed, you may be eligible to apply for access to Netcare as a custodian. The above steps also applies to you.

Please share this information with colleagues and your computer network support, EMR vendor, and privacy officer in your organization.

PS

Not all healthcare providers are custodians as defined by Health Information Act. For more information, see our blog, HIA Amendments and Document Management Tip

For more information see:

Alberta OIPC. Bulletin Health Information Act Bulletin August 2014 Update.

Alberta Netcare, Your System Integration with Alberta Netcare.

CARNA Netcare Access to Registered Nurses as Custodians.

Need to do a Privacy Impact Assessment or a Privacy Impact Assessment amendment? We have a course for that!

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Alberta, E-course PIA; privacy impact assessment, HIA, Netcare, PIA, pORA, Practical Privacy Coach, privacy officer

Mandatory privacy breach reporting proposed for HIA

Posted on March 3, 2014 by Jean Eaton in Blog

Information and Privacy Commissioner Jill Clayton has written to the Minister of Health to formally request the Government of Alberta consider amending Alberta’s Health Information Act (HIA) to include mandatory breach reporting and notification provisions.

In the letter, items for consideration in an amendment to the legislation include who should be notified about a breach, what the triggers are for notification, what should be reported and in what time frame, and whether there should be penalties, sanctions or other consequences for failing to notify. A copy of Commissioner Clayton’s letter has been posted to the Office of the Information and Privacy Commissioner’s website at www.oipc.ab.ca.

There are several current legislation that requires mandatory privacy breach reporting including PIPA in Alberta. We have best practices to follow when we have a privacy breach involving health care. (See our Document Management Tip: Privacy Breach Reporting Form as a sample tool to follow).

In healthcare, we strive to pay attention to details to provide the best care and treatment for our patients and respect the privacy of their personal information. However, we are human and errors do happen. How ‘small' or ‘big' does a privacy breach need to be require notification to a regulator? What might be the implications to a business if they must report each privacy breach? Are there other alternatives to mandatory breach reporting that we should consider?

Send me a comment by email and we'll compile the list and add to a future article.

Related Articles:

When is a privacy breach a privacy breach?

Webinar March 25, 2014 – 3 Mistakes in managing a privacy breach

Alberta, healthcare, Practical Privacy Coach, privacy breach reporting

PIPA Legislation Submission

Posted on January 15, 2014 by Jean Eaton in Blog

The Supreme Court of Canada recently declared that Alberta's Personal Information Privacy Act (PIPA) is in breach of s. 1 of the Charter. The Alberta legislature must now decide how to make the legislation constitutionally compliant.

PACC is a national, non‑partisan, non-profit association and the leading organization in Canada that is dedicated to access and privacy in both the private sector and the public sector. PACC is the certifying body for access and privacy professionals, and engages in outreach efforts to advance awareness about access to information and data privacy in Canada.

PACC is dedicated to ensuring the independent autonomy of Canada’s access and privacy professionals to administer Canadian privacy legislation, while directly and impartially addressing the needs of industry, the public and private sectors. PACC is preparing a submission to the review process and invites you to participate. For more information or to become a member of the PACC, visit www.PACC-CCAP.ca or their newsletter.

Questions to consider: What aspects of PIPA should remain unchanged, and why? What will be the positive and negative consequences of preserving these aspects as they now are. What aspects of PIPA should change, and in what way? What will be the practical effect of your proposed changes. What, if any, aspects of PIPA (Alberta), PIPA (BC), and PIPEDA ought to remain unique? What, if any, ought to use consistent language or definitions?

Alberta, PACC, PIPA, privacy legislation

1 2 3