Alberta Privacy Breaches Highlight a Continued Need for Privacy Training
You are likely aware by now that under the Health Information Act (HIA), as of August 31, 2018, health information breach reporting and notification requirements became mandatory. The results of this amendment seemed somewhat difficult for the investigative body itself to predict. However, if you follow privacy breach news, you may have seen just how often privacy breach stories hit our news feeds.
“The amendments require that health custodians:
- Notify an individual affected by a privacy breach if there is a risk of harm to the individual.
- Notify the Information and Privacy Commissioner (OIPC) of a privacy breach when there is a risk of harm to an individual.
- Notify the Minister of Health (Alberta Health) of a privacy breach when there is a risk of harm to an individual.
“There are also new offence and penalty provisions if a health custodian:
- Fails to report a breach.
- Does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards.”
Prior to the amendment, the OIPC was receiving approximately 130 breach reports per year from custodians. Statistics gathered in the first six months suggest the OIPC received approximately 20 breach reports to investigate. This equates to over 1000 breach reports annually, which is 8 times more breaches than had been voluntarily reported in prior fiscal years.
“A total of 674 breaches were reported under HIA alone in 2018-2019 representing a 407% increase over 2017-2018”. “There were also increased reports of ‘snooping’ – unauthorized access to health information by authorized users. These reports can lead to offence investigations under HIA. It is an offence under HIA for a person to knowingly gain or attempt to gain access to health information in contravention of HIA (Section 107(2)(b))”. - OIPC Annual Report, Page 35
The Commissioner said in a news release when the 2018 date was set for the amendments to come into force:
“This is good news for the privacy of Albertans. I’m pleased that individuals affected by a health information breach will now have the right to be notified, which will bring Alberta in line with a majority of Canadian provinces and territories. Health information is among the most sensitive of personal details anyone can share. When health information is breached, it’s important that people know so that they can take steps to protect themselves from potential harm”.
Mandatory breach reporting and notification regimes are in place in most Canadian provinces. While how each investigation is handled depends on the jurisdiction it falls in and the investigative powers of each Information and Privacy Commissioner, it is clear that Alberta is not alone in trying to prevent and reduce the number of health information breaches occurring.
Education and guidance around privacy-related issues will be key in this area moving forward, as the consequences for custodians can be severe if these issues are not taken seriously.
Rustruct Consulting’s Privacy Training Workshops can help ensure your health care staff (doctors, nurses, assistants and support staff) are all clear on how to treat the personal information under their control as they would want you to treat their personal information under your control.
Topics Include (not limited to):
- Administering records under Alberta’s Access and Privacy Legislation Personal Information Protection Act (PIPA)
- Access and Privacy 101 for Small Businesses
- It’s Okay to Talk about Privacy Breaches
- Building a Culture that Respects Privacy
- Data Breach Response Plans
- Clarity of Roles
- Privacy Breach Notification Communication Plans
- Health Information Act **New** Mandatory Reporting Requirements
- Privacy training services are unique and tailored to your specific needs to minimize your privacy and security related risks
Contact us for more information
Tel: (403) 409-3447
Source: OIPC Annual Report