An investigation into privacy breach reporting in Alberta’s health sector found that practices vary widely and the health sector is not uniformly prepared for mandatory breach reporting and notification.
Alberta’s Health Information Act (HIA) was amended in May 2014 to include breach reporting and notification requirements, as well as new offence provisions for failing to report a breach. These provisions are not currently in force.
The Commissioner’s investigation was launched in January 2014 to learn how breaches are currently managed, tracked and reported, and to assess the health sector’s ability to manage and respond to privacy breaches.
Key findings from the investigation include:
“Although larger health custodians have breach management and response frameworks in place, many regulated health professionals may not be able to meet their legislated obligations when the HIA amendments come into force,” said Commissioner Jill Clayton.
“I’m also concerned that the EHRDSC, with oversight of Netcare, has been allowed to lapse. Effective governance is essential to good data stewardship and the proper management of privacy breaches.”
The report makes a number of recommendations to health custodians, Alberta Health, and Research Ethics Boards. In particular, the report recommends Alberta Health consult with the Commissioner’s office on the specific wording of breach reporting and notification amendments to the Health Information Regulation.
Alberta Health has committed to most of the recommendations, but it has not provided draft regulations for review. The OIPC will review in six months whether Alberta Health has complied with the remaining recommendations.
Office of the Information and Privacy Commissioner