Information Managers

Mandatory Privacy Breach Reporting Comes to Alberta!

Posted on July 30, 2018 by Jean Eaton in Blog

I didn't think it was going to happen . . . but it did!

Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!


What is a Privacy Breach?

A privacy breach is a loss of, unauthorized access to, unauthorized use of, unauthorized disclosure of, or authorized access for an unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make fraudulent insurance claims, access services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches originate inside the business? Most of these breaches are an ‘oops’, honest mistakes, or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicates a broken work flow, a broken automated process, or carelessness or disregard for the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (e.g. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry, depending on what information has been breached and who now has access to it. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense of managing the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare is the risk of medical identity theft, where the breached information is used to fraudulently access healthcare services. As a result, inaccurate information may be added to the individual’s healthcare records, which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with a few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and explain how they can protect themselves from further harm.

Your internal privacy breach investigation takes time and may require additional support from external experts, including a consulting privacy officer, lawyer, investigator, human resources, communications, and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have downstream implications for other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC) and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. Central oversight by the OIPC and the Minister will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

Securing health information and responding appropriately to a privacy breach are among the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as a result of the loss or unauthorized disclosure (HIA s.60.1(4)).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

  • Has been or may be accessed by or disclosed to a person
  • Has been misused or will be misused
  • Could be used for the purpose of identity theft or to commit fraud
  • Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
  • Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information


Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been:

  • Encrypted or otherwise secured (applicable to electronic information), or
  • Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate that:

  • The information was not accessed before it was recovered, or
  • The only persons who accessed the information were a custodian, an affiliate, or an information manager subject to section 60 of the Act, who
    • accessed the information as part of their role as a custodian or affiliate and not for an improper use, and
    • did not improperly use or disclose the information,

the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice, including the reasons for their decision to notify or their decision not to notify.

When you record each privacy breach, including the ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:

  • a broken work flow, or
  • a broken automated process, or
  • carelessness or disregard for the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.
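The trigger factors, the mitigating circumstances, and the requirement to record every incident (notified or not) described above can be kept together in a simple breach register. The following is an added example, not code from the original post or from Information Managers: the letter assigned to each trigger factor follows the order of the bullets above (an assumption of this example), the mitigating circumstances are grouped under s.8.1(f to i) without assigning individual letters, and the incident categories, descriptions, and dates are constructed for illustration.

```python
# Added example (not from the original post): a minimal privacy breach register
# that applies the HIR s.8.1 risk-of-harm factors and mitigating circumstances,
# records the reason for every decision, and flags repeated incident categories.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class BreachRecord:
    incident_id: str
    discovered: date
    category: str        # constructed label used only for pattern detection
    description: str
    # HIR s.8.1(a to e): reasonable basis to believe the information ...
    # (letter mapping assumed from the order of the factors in the post)
    accessed_or_disclosed: bool = False    # (a) has been or may be accessed/disclosed
    misused: bool = False                  # (b) has been or will be misused
    identity_theft_or_fraud: bool = False  # (c) could be used for identity theft/fraud
    embarrassment_or_harm: bool = False    # (d) could cause embarrassment or harm
    affects_health_service: bool = False   # (e) affects provision of a health service
    # HIR s.8.1(f to i): circumstances that reduce the likelihood of harm
    encrypted_or_secured: bool = False        # electronic information was encrypted
    destroyed_or_inaccessible: bool = False   # destroyed or rendered inaccessible
    recovered_unaccessed: bool = False        # recovered, demonstrably not accessed
    recovered_role_access_only: bool = False  # accessed only in role, no improper use


RISK_FACTORS = {
    "accessed_or_disclosed": "s.8.1(a) accessed or disclosed",
    "misused": "s.8.1(b) misused",
    "identity_theft_or_fraud": "s.8.1(c) identity theft or fraud",
    "embarrassment_or_harm": "s.8.1(d) embarrassment or harm",
    "affects_health_service": "s.8.1(e) affects health service",
}
MITIGATIONS = {
    "encrypted_or_secured": "encrypted or secured",
    "destroyed_or_inaccessible": "destroyed or rendered inaccessible",
    "recovered_unaccessed": "recovered before any access",
    "recovered_role_access_only": "recovered; accessed only in role, no improper use",
}


def triggered_factors(rec: BreachRecord) -> List[str]:
    """Risk-of-harm factors the custodian has a reasonable basis to believe apply."""
    return [label for attr, label in RISK_FACTORS.items() if getattr(rec, attr)]


def applicable_mitigations(rec: BreachRecord) -> List[str]:
    """Mitigating circumstances (HIR s.8.1(f to i)) the custodian can demonstrate."""
    return [label for attr, label in MITIGATIONS.items() if getattr(rec, attr)]


def notification_required(rec: BreachRecord) -> bool:
    """Notify the OIPC, the Minister and the individual when a risk-of-harm
    factor is present and no mitigating circumstance applies."""
    return bool(triggered_factors(rec)) and not applicable_mitigations(rec)


def decision_reason(rec: BreachRecord) -> str:
    """Human-readable reason recorded for every incident, notified or not."""
    factors, mitigations = triggered_factors(rec), applicable_mitigations(rec)
    if not factors:
        return "no notification: no risk-of-harm factor identified"
    if mitigations:
        return "no notification: " + "; ".join(mitigations)
    return "notify: " + "; ".join(factors)


class BreachRegister:
    """Every incident is recorded with its decision and reason."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, rec: BreachRecord) -> Dict[str, object]:
        entry = {
            "incident_id": rec.incident_id,
            "discovered": rec.discovered.isoformat(),
            "category": rec.category,
            "notify": notification_required(rec),
            "reason": decision_reason(rec),
        }
        self.entries.append(entry)
        return entry

    def repeated_categories(self, threshold: int = 3) -> Dict[str, int]:
        """Categories seen at least `threshold` times, counting incidents that
        individually needed no notification; a repeat points at a broken
        workflow or process that should be reviewed."""
        counts = Counter(str(e["category"]) for e in self.entries)
        return {c: n for c, n in counts.items() if n >= threshold}


def build_sample_records() -> List[BreachRecord]:
    """Constructed incidents for demonstration only."""
    recs = [  # three misdirected faxes, each returned unread by the receiving clinic
        BreachRecord(f"2018-00{i}", date(2018, 9, i), "misdirected-fax",
                     "referral faxed to wrong clinic, returned unread",
                     accessed_or_disclosed=True, recovered_unaccessed=True)
        for i in range(1, 4)
    ]
    recs.append(BreachRecord("2018-004", date(2018, 9, 10), "lost-media",
                             "unencrypted USB stick with patient list lost",
                             accessed_or_disclosed=True, identity_theft_or_fraud=True))
    recs.append(BreachRecord("2018-005", date(2018, 9, 12), "stolen-device",
                             "encrypted laptop stolen from vehicle",
                             accessed_or_disclosed=True, encrypted_or_secured=True))
    return recs


def build_sample_register() -> BreachRegister:
    reg = BreachRegister()
    for rec in build_sample_records():
        reg.record(rec)
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for entry in register.entries:
        print(entry["incident_id"], entry["notify"], entry["reason"])
    print("repeated categories:", register.repeated_categories())
```

Only the lost unencrypted USB stick is flagged for notification; the encrypted laptop and the recovered faxes are recorded with the mitigating reason, and the three faxes still surface as a repeated category, which is exactly the pattern the post says should prompt a review of the workflow.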

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

  • Fail to report a breach
  • Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s.60.1):

  • The Privacy Commissioner of Alberta (OIPC), and the
  • Minister of Health in Alberta and
  • The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

  • Name of the custodian
  • Description of the circumstances
  • Date or time period during which the incident occurred
  • Date on which the incident was discovered
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Number of individuals affected by the incident
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm
  • Plans to prevent the risk of future loss, or unauthorized access or disclosure
  • Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
    • If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

  • Name of the custodian
  • Description of the circumstances
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Number of individuals affected by the incident
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

  • Description of the circumstances
  • Date or time period during which the incident occurred
  • Name of the custodian
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
  • Plans to prevent the risk of future loss, or unauthorized access or disclosure
  • Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
  • A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information

Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

  • Privacy breach management policy
  • Privacy and security incident response plan
  • Training for your privacy officer, management team, and custodians
  • Human resources privacy breach discipline policy and
  • Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See: https://InformationManagers.ca/4-step


References

These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act


How Will Mandatory Privacy Breach Reporting Affect You?

Posted on July 24, 2018 by Jean Eaton in Blog, PMN Upcoming

Mandatory Privacy Breach Reporting is Coming to Alberta!

Do you know how this will affect your healthcare practice?

If you are a custodian, including physicians, optometrists, pharmacists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, opticians, and more, as defined by Alberta's Health Information Act, then this free webinar is for you!

You need to know how mandatory privacy breach reporting will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

  • what is a privacy breach
  • why a privacy breach is a significant problem
  • why have mandatory privacy breach reporting
  • offence and penalty provisions of the HIA
  • privacy breach notification requirements
  • what you need to do before August 31, 2018

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register NOW to get immediate access to the replay and valuable resources to help you prevent privacy breach pain!

. . . available for a limited time!


Jean L Eaton, Your Practical Privacy Coach with Information Managers Ltd.

“When we know better, we can do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I help primary care practice managers and health care providers properly manage the risk of a privacy breach, stay out of jail, avoid fines AND keep an efficient practice!

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.


Privacy Breach Notification

Posted on June 9, 2014 by Jean Eaton in Blog

Privacy breach notification to a regulator may not be mandatory in the jurisdiction, industry and circumstances of a specific incident. Whether notifying individuals is discretionary or mandatory, it is always a step that should be considered for each incident. No matter what type of industry we work in, it is important to recognize a privacy breach and understand our roles and responsibilities to properly manage it.

Generally, a privacy breach happens whenever there is a loss, unauthorized access to or disclosure of personally identifying information. There must be some harm – some damage or detriment or injury.

The harm must be “significant”: it must be important, meaningful, and have non-trivial consequences or effects. There must be a “real risk” of harm: this does not require that harm will certainly result from the incident, but the likelihood that it will result must be more than mere speculation or conjecture. There must be a cause and effect relationship between the incident and the possible harm.

Privacy Breach Notification

Generally accepted privacy practices guide us to ensure that individuals are notified about the breach. If individuals are not aware of the incident, they can’t take steps to protect themselves, and the breach can become bigger and broader, with a greater degree of harm. We want to make sure that we are notifying all the individuals affected by the breach. Remember that the author of the information, not just the person the information is about, may also need to be notified.

Alberta’s Health Information Act has had a lot of activity lately relating to requirements of notification in the event of a privacy (or security) breach.

Summary of changes to HIA breach notification

Here is a summary of Health Information Act breach notification that you need to know.

Bill 12: Statutes Amendment Act, 2014 was submitted to the Legislative Assembly of Alberta. The First Reading occurred May 5, 2014 and it received Royal Assent on May 14, 2014. Although all bills become law when they have received Royal Assent, they do not necessarily come into force at that time. A bill may specify that it comes into force on proclamation. Proclamations may be used if a bill is to come into effect at a date after Royal Assent or if different parts of a bill are to come into effect at different times. Bill 12, Health Information Act section, specifies that “This section comes into force on Proclamation.” It is not known when the statute will be proclaimed.

Give notice

When the statute is proclaimed, the current wording requires a custodian, as soon as practicable, to give notice of the breach. The notice must be given to (a) the Commissioner, (b) the Minister, and (c) the individual who is the subject of the individually identifying health information. Ms. Jill Clayton, Information and Privacy Commissioner, issued a news release on May 7, 2014. The news release provides background on the explanation of ‘real risk of significant harm’. Note: the Statute Amendment (which has not yet been proclaimed) includes only the wording ‘risk of harm’. See the OIPC website for more information on the current Health Information Act notification process. Other tools that may be of assistance include our Document Management Tip: Privacy Breach Reporting Form. Note that this tool was developed before the May 2014 changes to the Health Information Act.

The details of the new HIA notification process are not yet determined. We can, however, anticipate the requirements of notification to the OIPC by looking at the notification requirements of similar legislation, the Personal Information Protection Act. See the OIPC website for more information.

Stay tuned as we update our tools and resources as additional information becomes available.

Copyright 2022 Information Managers Ltd.