Pharmacists now required to notify individuals affected by privacy breaches
September 19, 2018
Mandatory privacy breach reporting and notification requirements under the Health Information Act (HIA) came into force on August 31, 2018, impacting Alberta’s pharmacists and their staff.
The Office of the Information and Privacy Commissioner has provided additional information and interpretation of the requirements, found below.
The amendments include requiring that health custodians¹ notify
- an individual affected by a privacy breach when the custodian determines there is a risk of harm to the individual,
- the Information and Privacy Commissioner of a privacy breach when there is a risk of harm to an individual, and
- the Minister of Health of a privacy breach when there is a risk of harm to an individual.
Affiliates, which include but are not limited to a custodian’s employees, service providers or information managers, must also notify the custodian when a privacy breach occurs.
A privacy breach is defined as “any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian” (section 60.1 of the HIA).
There are also new offence and penalty provisions if a health custodian
- fails to report a breach, and/or
- does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards.
A person who is found guilty of one of these offences is liable to fines (section 107(7)).
To determine whether notification is required, the Health Information Amendment Regulation requires custodians to assess “whether there is a risk of harm to an individual as a result of a loss of or an unauthorized access to or disclosure of individually identifying health information” (section 8.1 of the HIA Regulation).
The regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information
- has been or may be accessed by a person;
- has been or may be disclosed to a person;
- has been misused or will be misused;
- could be used for identity theft or to commit fraud;
- could cause embarrassment;
- could cause physical, mental, or financial harm; and/or
- could damage an individual’s reputation.
The Office of the Information and Privacy Commissioner (OIPC) released an investigation report in 2015 that looked into the health sector’s preparedness for breach reporting requirements.
Among the nine recommendations, the OIPC made the following recommendations to health custodians:
- Review existing breach notification policies and procedures and make staff aware of their obligations under these policies. Alternatively, develop and implement policies if none are established.
- Include specific breach reporting and notification clauses in contracts with service providers or information managers.
- Include breach reporting and notification requirements in agreements with researchers.
For custodians, the OIPC has published the following resources:
- Privacy Breach Report Form, to be used when reporting a privacy breach to the Commissioner;
- Reporting a Breach to the Commissioner practice note, which is designed to assist custodians in meeting the requirements under section 8.2(2) of the Health Information Regulation when reporting a breach to the Commissioner;
- “Train the trainer” PowerPoint for helping educate custodians and their affiliates about the new requirements; and
- Key Steps in Responding to Privacy Breaches guide to help manage a privacy breach.
¹ A custodian is an organization or entity defined in section 1(1)(f) of the Health Information Act (HIA) or designated in section 2 of the Health Information Regulation. Examples of custodians include pharmacists, physicians, nurses, dental hygienists, dentists, chiropractors, optometrists, opticians, Alberta Health Services, Covenant Health and Alberta Health.