Alberta’s health custodians will soon be required to notify Albertans whose health information has been subject to a privacy breach.
The mandatory breach reporting requirements under the Health Information Act (HIA) come into force on August 31, 2018. The amendments include requiring that health custodians:
Health custodians include Alberta Health, Alberta Health Services, Covenant Health and health professionals regulated under the HIA, such as physicians, pharmacists, dentists and optometrists, among others.
“This is good news for the privacy of Albertans. I’m pleased that individuals affected by a health information breach will now have the right to be notified, which will bring Alberta in line with a majority of Canadian provinces and territories,” said Information and Privacy Commissioner Jill Clayton. “Health information is among the most sensitive of personal details anyone can share. When health information is breached, it’s important that people know so that they can take steps to protect themselves from potential harm.”
There are also new offence and penalty provisions if a health custodian:
A person who is found guilty of one of these offences is liable to a fine.*
Health custodians need to pay particular attention leading up to the new reporting requirements and offence provisions.
A 2015 investigation report on mandatory breach reporting preparedness in Alberta’s health sector found that breach response practices “vary widely and the health sector is not uniformly prepared,” said Commissioner Clayton in the report.
She added in a news release, “Although larger health custodians have breach management and response frameworks in place, many regulated health professionals may not be able to meet their legislated obligations when the HIA amendments come into force.”
Since 2014-15, more than 460 breaches – approximately 115 per year on average – involving health information have been voluntarily reported by health custodians to the Office of the Information and Privacy Commissioner. It is expected that more health information breaches will be reported annually as a result of these new requirements, but it is difficult to determine how many more at this time.
An order in council approved on Tuesday, May 8 set the date for the requirements to be in force. The amendments were passed under the Statutes Amendments Act, 2014 in May 2014. Alberta Health is the Ministry responsible for the HIA.
The Information and Privacy Commissioner of Alberta works independently of government to uphold the access and privacy rights of all Albertans.
Office of the Information and Privacy Commissioner
*Correction notice: When issued, the news release said, "A person who is found guilty of one of these offences is liable to a fine of up to $50,000." Please refer to the Health Information Act for the exact wording of how fines apply to the new penalties. This correction was issued on August 31, 2018.