August 31st - Changes to Alberta’s Health Information Act
Beginning Aug. 31, 2018, changes to Alberta’s Health Information Act (HIA) require any organization that handles personal health information to give notice of health information breaches to governing bodies and affected individuals, particularly if the breaches present a real risk of harm. 

Similar to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s HIA imposes information security breach reporting and notification obligations. 

Failing to comply with the HIA could result in fines up to $50,000.  

Background  

In 2014, the Statutes Amendment Act, 2014 amended the HIA to introduce security breach notification obligations. In May 2018, the Government of Alberta issued an Order in Council to bring those obligations into force Aug. 31, 2018. 

Once in force, the HIA will regulate the collection, use and disclosure of any health information that is in the custody or control of a custodian. Under the HIA, a custodian can include, but is not limited to, the following: 

• An ambulance 
• A nursing home operator 
• A provincial health board 
• A regional health authority 
• A community health council 

In addition, the HIA may also apply to an affiliate of a custodian. This can include individuals who are employed by or perform services for a custodian.

Breach Notification Obligations 

The following is a summary of the breach notification obligations set out in the HIA and its Health Information Regulation: 

• Custodians’ duty to notify—In the event that individually identifying health information is lost or maliciously accessed/disclosed and a risk of harm exists, the custodian that controls this information must provide notice to:
o The Information and Privacy Commissioner of Alberta (the Commissioner) 
o The Alberta Minister of Health (the Minister) 
o The owner/subject of the individually identifying health information 

• Loss, unauthorized access/disclosure and risk of harm—Notably, the HIA does not explicitly define what constitutes a loss, unauthorized access, disclosure or risk of harm. Instead, the HIA requires custodians to consider all relevant factors to determine whether a risk of harm exists. If, after reviewing available information, the custodian demonstrates that the health information was not improperly accessed or used, then the custodian is not required to provide notice to the Commissioner, Minister or individual. Specifically, the HIA suggests custodians take the following into account when examining an incident: 
o Whether information has or may be accessed by or disclosed to another person 
o Whether the information has or may be misused 
o Whether the information could cause embarrassment or harm (i.e., physical, mental, financial or reputational distress) to the affected individual 
o Whether the incident has or will adversely affect the provision of a health service to the affected individual 
o Whether opportunities to mitigate the potential for a risk of harm exist, including: 
- Whether the information was sufficiently encrypted or secured in another electronic format 
- Whether the information was destroyed or rendered inaccessible or unintelligible 
- Whether the information was not accessed before recovery 
- Whether the information was mistakenly accessed by a qualified custodian/affiliate in the course of their duties 

• Notice to the Commissioner—A custodian’s notice to the Commissioner must be made in writing in an approved form. Notices should include prescribed, detailed information regarding: 
o The incident 
o The health information involved 
o The individuals affected 
o The number of individuals affected and details regarding the risk of harm to those individuals 
o The steps taken to reduce the risk of harm and future incidents 
o How affected individuals will be notified 

• Notice to the Minister—A custodian’s notice to the Minister must be made in writing in an approved form. Notices should include prescribed, detailed information regarding: 
o The incident 
o The health information involved 
o The individuals affected 
o The number of individuals affected and details regarding the risk of harm to those individuals
o The steps taken to reduce the risk of harm and future incidents 
o How affected individuals will be notified 

• Notice to the individual—A custodian’s notice to individuals who are the subject of lost information must be made in writing and include prescribed, detailed information regarding:
o The incident 
o The health information involved 
o The risk of harm to the individual 
o The steps taken to reduce the risk of harm 
o The steps the individual could take to reduce their own risk of harm 
o A statement informing the individual that they may ask the Commissioner to investigate the incident 
o Contact information for the Commissioner 

If a custodian determines that giving notice could cause mental or physical harm to affected individuals, notice to those individuals is not required. However, in those circumstances, the custodian must at least give notice to the Commissioner and explain their rationale for not notifying affected parties. 

• Affiliates’ notification obligations—An affiliate of a custodian (that is, an individual employed by or performing services for a custodian or a health service provider who admits and treats patients at designated hospitals), must notify the custodian in the event individually identifying health information is lost or maliciously accessed/disclosed. An affiliate’s notice to a custodian must be made in a form established by the custodian. If the custodian has not established any requirements for the form of notice, the notice must be made in writing and include prescribed, detailed information regarding the incident. It should be noted that, unlike a custodian’s notification obligations, there is no risk of harm assessment for an affiliate’s duty to notify a custodian. As such, it’s in an affiliate’s best interest to report any and all incidents. 

In the event that a custodian fails to maintain administrative, technical and physical safeguards that protect against reasonably anticipated threats to health information, major fines may be issued. In fact, custodians and affiliates that don’t comply with the HIA’s breach notification obligations may be fined up to $50,000. 

Learn more 

To learn more about the HIA, visit Alberta’s official website on the legislation. There you can find general information on your obligations or read the text of the act in full.