The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta when a laptop with health information was stolen and came to the public's attention several months later is not the first news item of its kind.  In fact, this happens frequently in healthcare, retail, government departments and other industries.  This doesn't make it any easier to swallow and certainly doesn't make it right.  But this is an opportunity for you, healthcare provider or practice manager, and vendor to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person that the information is about.  It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that the health information has robust safeguards (administrative, technical, and physical) to keep the health information confidential and secure.  In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) ensure that they have identified the risks to breach of health information and how to prevent those risks.  The legislation also ensures that the people who the health information is about have access to their personal health information.

The HIA allows the custodian discretion whether or not to report a privacy breach to the Office of the Information and Privacy Commissioner (OIPC).  Why would a custodian not want to report the privacy breach to the OIPC?  Privacy breaches come in all types and sizes.  One of the most common forms of a privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment.  For example, a referral request about a patient from one physician to another physician about is sent to the wrong physician.  Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral.  This is a privacy breach.  If the healthcare provider was required to report each privacy breach to the OIPC, the health care providers and the OIPC would soon be drowning in breach reports.  Does this improve healthcare services?  Or might it put a strain on the health care provider so that they would never admit to making an error?

To each of us, our personal health information is important.  As a healthcare industry, we need to ensure that we recognize this and acknowledge that each privacy breach is important to the person the information is about.  We need to make sure that we minimize the risk of the information being used inappropriately or maliciously.  We need to acknowledge to ourselves and to our patients and clients that we are human and that sometimes we do make mistakes and we will strive to do better.

A ‘small' breach of one person one time might have a big impact.  A ‘big' breach of a lost laptop might have a big impact.  Each breach is important and needs to be recognized, contained (so it doesn't get any bigger) and corrected so it does not happen again.  The person who's information has been breached needs to be made aware of the problem and the risk that might be experienced so that they can be prepare to limit the risks.  The custodian needs to know how to manage the privacy breach and report it – internally and perhaps to other stakeholders – so that we can learn from the breach and minimize the danger that might be experienced because of the breach.

Recognize a privacy breach when it happens.

Learn what to do if you have a privacy breach.