Alberta’s Information and Privacy Commissioner, Diane McLeod, was direct when asked about the key pieces of personal information healthcare providers must protect.
“All of it, frankly.”
Personal health information, as defined in the Health Information Act (HIA), can include registration information such as names, addresses, email addresses, et cetera. It can also include diagnostic, treatment, and care information, including prescription medication information. When these types of information are grouped together, they become highly sensitive, and the risk associated with a breach of this information is significant.
“Most services now are delivered through technological means or data is being stored and processed through information technology systems,” said Commissioner McLeod. “Information needs to be protected through access control. Without proper security, information being targeted by cyber thieves can be quite vulnerable. There’s also the ‘dark web’ which is a marketplace to sell information. There is some lucrative information within pharmacy systems, such as health information numbers, which are marketable on the dark web. It’s information that is unfortunately of interest.”
As custodians of personal health information, pharmacy professionals must make every effort to prevent privacy breaches. A privacy breach is defined as “any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian” (section 60.1 of the HIA).
Pharmacies must have policies and procedures in place to protect their patients’ information, but there are further steps teams can take to ensure that information is secure.
“No matter what size your organization is and what policies and procedures you have to protect information, you should submit privacy impact assessments with any new systems you’re using and include with that a security threat risk assessment. You would likely need to hire an expert to evaluate the risks associated with your system. It’s one thing to have all of your systems and technology in good shape—you still might suffer a breach. Most breaches occur due to human error, such as a prescription being dispensed to the wrong individual. A real practical tip is to just take a minute to make sure you’ve got the right person matched with the right prescription. Something small like that can make a big difference.”
ACP’s Link article from November 14, 2018, has some excellent information about verifying a patient’s identity before releasing a prescription drug.
Despite our best efforts to prevent breaches, mistakes can happen. If a privacy breach occurs, custodians are required by the HIA to notify
- an individual affected by a privacy breach when the custodian determines there is a risk of harm to the individual,
- the Information and Privacy Commissioner of a privacy breach when there is a risk of harm to an individual, and
- the Minister of Health of a privacy breach when there is a risk of harm to an individual.
“What that means for a pharmacist or a pharmacy technician is they must conduct an assessment to determine whether there is a risk of harm to an individual as a result of the breach,” said Commissioner McLeod. “If so, they are required to notify the individuals directly about the breach and they are also required to give a copy of that notice to the commissioner. It’s also important to know that there are specific requirements that must be included in the notice and those are set out in regulation. Often, we’ll see a custodian give notice but fail to include the requirements in the regulation which could result in renotification.”
Custodians should consider all relevant factors when assessing risk of harm to an individual, such as whether there is a reasonable basis to believe that health information
- has been or may be accessed by a person;
- has been or may be disclosed to a person;
- has been misused or will be misused;
- could be used for identity theft or to commit fraud;
- could cause embarrassment;
- could cause physical, mental, or financial harm; and/or
- could damage an individual’s reputation.
Affiliates, which include but are not limited to a custodian’s employees, service providers, or information managers, must also notify the custodian when a privacy breach occurs.
Once a privacy breach is reported to the Office of the Information and Privacy Commissioner (OIPC), the report is reviewed, and the office may contact the custodian for further information.
“If we think there’s something of significant concern based on the information provided, I can exercise my authority within the Act to launch an investigation,” said Commissioner McLeod. “Under the HIA, we see a lot of reports of breaches of snooping cases, usually by an employee within a custodian’s shop. If we see those, we may launch an investigation. Several individuals have been prosecuted under the Act for that activity. Snooping is a serious issue because it undermines the trust Albertans have in custodians in sharing their health information and that’s something we have to be careful to preserve, because that can impact care significantly.”
At the end of the day, it is the legal responsibility of custodians to protect every individual’s personal information—a responsibility every regulated member must take seriously.
“The purpose of the HIA is to govern and protect health information because it is so sensitive,” said Commissioner McLeod. “That’s why we have this type of legislation across Canada. It’s the law that individuals who have access to this information are obligated to comply with the requirements of the HIA and there are offences for failing to comply.”
For more information about reporting privacy breaches, visit the OIPC website. If you have questions about your compliance with the HIA, contact the OIPC.