Information Managers
  • Home
  • Services
    • All Services
  • Blog
  • Upcoming Events
  • Contact Us
  • Practice Management Success
  • Podcasts

When is a Privacy Breach a Privacy Breach?

Posted on July 13, 2019 by Jean Eaton in Blog

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta when a laptop with health information was stolen and came to the public's attention several months later is not the first news item of its kind.  In fact, this happens frequently in healthcare, retail, government departments and other industries.  This doesn't make it any easier to swallow and certainly doesn't make it right.  But this is an opportunity for you, healthcare provider or practice manager, and vendor to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person that the information is about.  It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that the health information has robust safeguards (administrative, technical, and physical) to keep the health information confidential and secure.  In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) ensure that they have identified the risks to breach of health information and how to prevent those risks.  The legislation also ensures that the people who the health information is about have access to their personal health information.

In August 2018, amendments to the HIA were proclaimed that make it mandatory to report a privacy breach that could result in harm to the Office of the Information and Privacy Commissioner (OIPC).

Privacy breaches come in all types and sizes.  One of the most common forms of a privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment but it is sent to the wrong physician.  Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral.

What Is Considered a Privacy Breach?

A privacy breach is an unauthorized access to or unauthorized collection, use, disclosure , loss, or disposal of personal or health information.

To each of us, our own personal health information is important.  As a healthcare industry, we need to ensure that we recognize this and acknowledge that each privacy breach is important to the person the information is about.  We need to make sure that we minimize the risk of the information being used inappropriately or maliciously.  We need to acknowledge to ourselves and to our patients and clients that we are human and that sometimes we do make mistakes and we will strive to do better.

A ‘small' breach of one person one time might have a big impact to the individuals involved.

A ‘big' breach of a lost laptop might have a bigger magnitude affecting many individuals.

When a breach also meets the requirements of mandatory notification, a custodian must report the breach regardless of how many people's information have been included in the breach.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

Each breach is important and needs to be recognized. Contain the breach so that it doesn't get any bigger.

Step 2 – Evaluate the Risks

Your privacy officer will investigate the incident and learn about the size, scope, and details about the breach. Consider if there is a reasonable basis to believe that there is a risk of harm to an individual

Step 3 – Notify

Notify the custodian, the affected individuals and (now, with the 2018 amendments), the Alberta OIPC, Minister of Health, Alberta Health (if the breach includes Netcare) and others.

The individual who's information has been breached needs to be made aware of the problem and the risk that might be experienced so that they can be prepare to limit the risks. The custodian needs to know how to manage the privacy breach and report it – internally and perhaps to other stakeholders.

Step 4 – Prevent the Breach From Happening Again

Correct and monitor the incident(s). Actively take steps so that the breach does not happen again.

Not Sure What To Do?

You never know when a privacy breach will happen! Prepare now with a privacy breach management program and coaching from the Practical Privacy Coach!

Learn what to do if you have a privacy breach.

4 Step Response Plan, Alberta, breach, Health Information Act, HIA, OIPC, privacy, privacy breach, training

Pharmacist Used Health Information for Personal Reasons

Posted on January 4, 2014 by Meghan Davenport in Blog

A Calgary pharmacist has been cited for using the health information of a patient in an attempt to establish a personal relationship with her.

The woman complained to the Information and Privacy Commissioner, alleging that the relief pharmacist employed at a pharmacy in Calgary, had contacted her twice by phone and attempted to “friend” her on Facebook.

The Health Information Act (HIA) prohibits employees from using health information for purposes not required to do their job. The investigation by the Privacy Commissioner found that the pharmacist misused health information, and that the pharmacy manager had failed to provide privacy and security training to the pharmacist.

The pharmacy had access to privacy policies and training but the pharmacist in question was not made aware of these policies by the pharmacist manager. The investigation concluded by reinforcing the need for following through on administrative and technical safeguards and training for all staff.

Do you provide privacy training for all of your staff – including professional healthcare service providers?  How do you document that each staff has received the training?  How often do you re-fresh or update the training?  A privacy management program is an important part of your responsibility as a healthcare provider, practice management  and business owner.  See our training programs for additional resources you can use right away.

For more information, check out the full OIPC Investigation Report H2013-IR-02

You can also read the Calgary Herald article (Dec 17, 2013) here

Alberta, breach, complaint, Health Information Act, HIA, OIPC, privacy, privacy breach

Alberta Netcare: What are your Patient Rights?

Posted on January 25, 2013 by Jean Eaton in Blog

Primary Care Providers may expect their patients to be asking more questions about Health Information in Netcare. Review this information and your policies and procedures with your staff so that you know how to respond.

In order to mark Data Privacy Day 2013 (January 28, 2013), the Information and Privacy Commissioner of Alberta, Jill Clayton, has announced a new initiative to inform Albertans about their privacy rights.

Under the authority of the Health Information Act (HIA), your health information is available through the province-wide electronic record system named Alberta Netcare. Netcare is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images, and hospital reports. It is used throughout Alberta in hospitals, and in medical clinics and pharmacies.

Consent to have your health information in Netcare is not required by law, but you do have rights that allow you to exercise privacy control.

With the provincial electronic health record system, Alberta Netcare, you have the right to:

Know why your health information is collected and whether it is available in Netcare
Know what information about you is in Netcare by asking for a print-out
Limit access to your Netcare record by asking for your information to be masked
Know who has looked at your information in Netcare
Request that errors be corrected
Ask the Information and Privacy Commissioner to review or investigate if you are not satisfied with a decision or response you receive about any of these rights

See the OIPC webpage and contact information, visit: http://www.oipc.ab.ca/pages/HIA/NetcareKnowYourRights.aspx

To view the News Release from the OIPC, visit: http://www.oipc.ab.ca/Content_Files/Files/News/NR_Netcare_Know_Rights_Jan_2013.pdf

access, Alberta, electronic health record, Health Information Act, Netcare, OIPC, patient rights, privacy

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar. Click here for more information.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

Calgary pharmacy found in violation of patient privacy rules

Posted on October 31, 2012 by Jean Eaton in Blog

Remember the Privacy Principles – least amount of information, on a need to know basis? This recent investigation report from the OIPC reminds us to review our practices to collect information from patients to ensure that we are meeting our best practice standards.

An investigation into a southwest Calgary Co-op pharmacy has found its practice of collecting information on the immune status of an individual when they seek administration of an injection contravenes the Health Information Act.

A patient of the pharmacy contacted the privacy commissioner in April 2012 after he was presented with a form that asked if he had a condition that affects the immune system when he went to the Co-op Shawnessy Centre Pharmacy to receive a vitamin B12 injection.

The patient feared being stigmatized due to an immune disorder that he suffered from, and felt that the amount of information being demanded was excessive. He filed a complaint after being refused treatment without providing the information.

The Health Information Act specifies that custodians must only collect the most limited amount of health information to carry out an intended purpose.

For more information, see:
http://www.calgaryherald.com/health/Calgary+Pharmacy+found+violation+patient+privacy+rules/7346243/story.html

complaint, Health Information Act, HIA, OIPC, privacy, privacy principles

Privacy commissioners call on small- and medium-sized businesses to look before they leap into the cloud

Posted on June 16, 2012 by Jean Eaton in Blog

Privacy commissioners call on small- and medium-sized businesses to look before they leap into the cloud

EDMONTON, June 14, 2012 – Increasingly today, the word cloud is almost as likely to be spoken in a conversation about computing as it would in a discussion about the weather. New guidance issued by the Privacy Commissioner of Canada, and the Information and Privacy Commissioners of Alberta and British Columbia seeks to provide insight for small- and medium-sized enterprises (SMEs) to help their forecasting of potential benefits and risks posed by cloud-based services.

Cloud computing is the delivery of computing services over the Internet. SMEs may be attracted to cloud services as they can significantly reduce the cost and complexity of owning and operating computers and networks. Businesses using a cloud service provider don’t need to spend money on information technology infrastructure, or buy hardware or software licenses. Cloud services can also enable a business to store data offsite with the ability to access it over the Internet from the office, home or virtually anywhere.

In essence, this is a form of outsourcing. Businesses need to remember however that for any information they put in the cloud, the responsibility to safeguard it to the level required by Canada’s private sector privacy laws remains firmly with them.

The guidance includes key precautions and advice, such as:

  • Pay close attention to cloud service contracts. For example, might the fine print allow for third-party disclosures of the information stored?
  • Are your customers aware that their information might be outsourced to the cloud and do you have their consent?
  • Where in the world is the data stored and what law may apply? No matter what, the business outsourcing the data is responsible for ensuring it’s protected to a level expected under Canadian privacy law.

For more information see: OIPC website

cloud computing, cloud service provider, OIPC, privacy

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

I have used Jean Eaton’s Privacy Impact Assessment consulting services on multiple projects at a very reasonable cost. Information Managers also provides a plethora of privacy information, education and training tools for minimal costs. One thing that has helped satisfy the training needs of staff for the PIA is paying for her in service program that is online and staff go through at their own pace while we monitor to ensure completion.

- Luke Brimmage, Executive Director, Aspen Primary Care Network

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2019 Information Managers Ltd.