Mandatory Privacy Breach Reporting Comes to Alberta!

Posted on July 30, 2018 by Jean Eaton in Blog

I didn't think it was going to happen . . . but it did!

Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!

What is a Privacy Breach?

A privacy breach is a loss, unauthorized access to, unauthorized use, unauthorized disclosure, authorized access for unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make a fraudulent insurance claims, access to services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur internal to the business? Most of these breaches are an ‘oops’ or honest mistakes or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicate a broken work flow or automated process or carelessness or disregard to the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry directly related to what information has been breached and who now has access to the information. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense to manage the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare, is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. As a result of this, inaccurate information may be added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with some few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and how they can protect themselves from further harm.

Your internal privacy beach investigation takes time and may require additional support from external experts including a consulting privacy officer, lawyer, investigator, human resources, communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC), and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. A central oversight with the OIPC and the Minster will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

The importance of securing health information and to appear to appropriately respond to a privacy breach is part of the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as result of the loss or unauthorized disclosure (HIA s. 60.1(4).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

Has been or may be accessed by or disclosed to a person
Has been misused or will be misused
Could be used for the purpose of identity theft or to commit fraud
Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information

Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been

Encrypted or otherwise secured (applicable to electronic information), or
Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate:

The information was not accessed before it was recovered, or
The only person who access the information is a custodian, affiliate, information manager subject to section 60 of the Act or,
Accessed the information as part of their role as a custodian or affiliate and not for an improper use and
Did not improperly use or disclose the information,

the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice including their reasons for their decision to notify and their decision not to notify.

When you record each privacy breach, including ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:

broken work flow, or
broken automated process, or
carelessness or disregard to the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

Fail to report a breach
Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s60.1):

The Privacy Commissioner of Alberta (OIPC), and the
Minister of Health in Alberta and
The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

Name of the custodian
Description of the circumstances
Date or time period which the incident occurred
Date which the incident was discovered
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
- If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

Name of the custodian
Description of the circumstances
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

Description of the circumstances
Date or time period which the incident occurred
Name of the custodian
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

Privacy breach management policy
Privacy and security incident response plan
Training for your privacy officer, management team, and custodians
Human resources privacy breach discipline policy and
Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See: https://InformationManagers.ca/4-step

References

These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act

You need to know how mandatory privacy breach reporting will affect you!

Don't miss this!

Stay up to date on mandatory privacy breach reporting! Sign up here to receive tips, tools, templates, and training when they become available.

You will also receive occasional bits of FREE privacy wisdom tips, tools, templates, and training!

PRIVACY NUGGETS emails designed to provide to you tips, tools, templates and training that you can use right away!

Privacy Nuggets will be provided direct to your email in-box and includes:

privacy tips, tools, templates (usually including references to external resources) designed for you to share with your staff, patients, and family.
Privacy Breaches – What You Need to Know – you will receive an example of a recent privacy breach in the news that you can use to review and improve your practices. Learn from someone else's mistakes!
publication previews and announcements
workshop and webinar events

I am honoured that you choose to spend your time with me today.

Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!

I promise this list will be secure and you'll be able to unsubscribe at any time.

– Jean L. Eaton, Your Practical Privacy Coach

Alberta, Health Information Act, mandatory privacy breach reporting, privacy breach investigation, privacy breach notification, privacy nuggets

How NOT to Respond to a Privacy Complaint!

Posted on January 18, 2018 by Jean Eaton in Blog

Do your staff know how to respond to a privacy complaint? Do your staff, volunteers, or directors login to a server to access documents remotely? Have you done a security assessment to ensure that the access is secure? Do they know how to manage confidential documents once they have downloaded them?

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Do you store confidential documents on your website? After all, a website is a type of a file server accessible from an internet connection that is often hosted by a third party. There is often a public access and a members-only side for authorized users to login and view and download documents.

Maybe you intended only authorized users to access the file – but are you sure that it is secure? Here's what can happen if your confidential documents can be found by the public!

In 2016, personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s website. The files were subsequently viewed by the public.

What happened

An alleged privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) of Brockville, Ontario in 2016 has led to the agency being sued for negligence, invasion of privacy and a breach of the Canadian Charter of Rights and Freedoms.

The personal information of the 285 clients was compiled into an electronic file, and prepared for the service’s board of directors to review in the course of their business.

The list was publicly available to anyone, who knew the correct URL website address.

Someone accidently ‘found’ the website address and saw the confidential information. She notified the FCSLLG and warned them that the information was available to the public. When she did not receive a response from FCSLLG that acknowledged her concern and correct the problem, she posted the information on Facebook.

If you ignore a privacy complaint, this could happen to you!Click To Tweet

The lawsuit seeks $25 million in general damages, $25 million in special damages and $25 million in punitive, aggravated and exemplary damages.

The lawsuit alleges that the FCSLLG website was completely unsecured between February and April 2016, with the full knowledge of FCSLLG.

Privacy Nuggets You Need to Know

We can only wonder about the outcome of the breach if the staff at the agency had promptly responded to the privacy breach complaint. It is possible that if the agency had secured the information immediately and limited any further disclosure that the law suit might had been avoided.

Know how to properly respond to a privacy and security complaint or privacy breach. Create or review your written procedures now!
Identify and train a privacy officer in your business.

This unfortunate breach is a good reminder for all businesses to follow-up with your information technology and website host support to ensure that your server has been properly secured and training provided to staff to properly upload files to the secure server. In addition:

Consider hiring a managed service provider to ensure secure access only to authorized users. If you allow remote access to confidential information, you can’t afford not to have experts to help you!
Know how to secure documents on your file server.
Make sure that your authorized users know how to securely manage the documents after they have downloaded them from your secure file server.

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!
Read More

healthcare, medical, privacy breach, privacy breach nugget, privacy complaint, privacy nuggets

9,000 Employee Records Lost

Posted on May 1, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

USB Flash Drive Missing

In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.

This loss of control over employee records is a violation of Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).

Missing USB Drive NOT Encrypted

When the EHA discovered the USB flash drive missing, they searched the office and hired a third party specializing in this type of search to go over the office area.

The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).

The next step was to alert the employees affected by the breach.

The EHA first notified employees with the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers) by phone. The remaining employees were notified by letter.

The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.

What Came From the Breach

The USB flash drive in question was found in August in a file folder.

To prevent a similar incident, the EHA has taken a number of precautionary steps:

EHA plans to upgrade their system, so USB drives are automatically encrypted before being used.
EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
EHA is no longer using SIN to index and transfer employee files.
EHA also will review and update their policy regarding the issuance, control, and use of mobile devices.

The OIPC determined that the EHA responded adequately to the privacy breach complaint.

Privacy Nuggets That You Need to Know

Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.

Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.

Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.

Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.