
Requirement to notify individuals affected by privacy breaches

Last updated: May 26, 2026

The Health Information Act (HIA) includes a requirement for health custodians¹ to notify individuals who are affected by a privacy breach.

The Office of the Information and Privacy Commissioner has provided additional information and interpretation of the requirements, found below.

Health custodians must notify

  • an individual affected by a privacy breach when the custodian determines there is a risk of harm to the individual,
  • the Information and Privacy Commissioner of a privacy breach when there is a risk of harm to an individual, and
  • the Minister of Health of a privacy breach when there is a risk of harm to an individual.

Affiliates, which include but are not limited to a custodian’s employees, service providers, or information managers, must also notify the custodian when a privacy breach occurs.

Definition of privacy breach

A privacy breach is defined as “any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian” (section 60.1 of the HIA).

Consequences for failing to report

There are also offence and penalty provisions if a health custodian

  • fails to report a breach, and/or
  • does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards.

A person who is found guilty of one of these offences is liable to fines (section 107(7)).

When is it necessary to report a privacy breach?

To determine whether notification is required, the Health Information Amendment Regulation requires custodians to assess “whether there is a risk of harm to an individual as a result of a loss of or an unauthorized access to or disclosure of individually identifying health information” (section 8.1 of the HIA Regulation).

The regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information

  • has been or may be accessed by a person;
  • has been or may be disclosed to a person;
  • has been misused or will be misused;
  • could be used for identity theft or to commit fraud;
  • could cause embarrassment;
  • could cause physical, mental, or financial harm; and/or
  • could damage an individual’s reputation.

For custodians, the OIPC has published the following resources:

Relevant information is available on the How to Notify the OIPC of a Privacy Breach webpage.


  1. A custodian is an organization or entity defined in section 1(1)(f) of the Health Information Act (HIA) or designated in section 2 of the Health Information Regulation. Examples of custodians include pharmacists, physicians, nurses, dental hygienists, dentists, chiropractors, optometrists, opticians, Alberta Health Services, Covenant Health and Alberta Health.