Health custodians, including pharmacists, will soon be required to notify Albertans whose health information has been subject to a privacy breach.
Amendments to the Health Information Act (HIA) and Health Information Regulation (HIR) requiring reporting of health information breaches come into force on August 31, 2018.
All registrants, particularly pharmacy licensees, are encouraged to review the new Chapter 14 of the Health Information Act Guidelines and Practice Manual that provides interpretation and guidance about your “Duty to Notify” in compliance with these amendments. Service Alberta will be posting a form for reporting and other supporting materials in the weeks ahead.
Passed in June 2014, the HIA amendments require a custodian to, as soon as practicable, give notice in accordance with the regulations of a loss of, any unauthorized access to, or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual because of the loss, unauthorized access, or disclosure. As soon as practicable, in the context of section 60.1 of the HIA, means as soon as the affiliate or custodian becomes aware of the loss, unauthorized access, or disclosure, and has the information that is necessary to properly execute the notice.
Notice is to be given to the Information and Privacy Commissioner of Alberta, the Minister of Health, and the affected individual(s). The requirements for the form and content of these notices are set out in section 8.2 of the HIR. The amendments also require an affiliate of a custodian who becomes aware of any loss, any unauthorized access to, or disclosure of individually identifying health information in the custody or control of the custodian to, as soon as practicable, notify the custodian in accordance with the regulations.
Custodians and affiliates are subject to offence penalties for failure to meet their duty to notify. Custodians are also subject to an offence for failure to take reasonable steps in accordance with the regulation to maintain administrative, technical, and physical safeguards that will protect against any reasonably anticipated threat or hazard to the security or integrity of health information and against any loss of health information.
Source: Introduction to Health Information Act and Guidelines and Practices Manual, August, 2018
