On August 31, 2018, the Alberta Health Information Act (HIA) was amended, bringing into force mandatory breach notification and reporting for personal health information data breaches. Thus, Alberta has joined the growing group of provinces, including Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador that impose these obligations on health care providers and other health service providers (‘custodians’) subject to provincial health privacy laws.
The new HIA provisions require custodians to notify affected individuals, as well as the Minister of Health and the Office of the Information and Privacy Commissioner of Alberta, as soon as practicable, of certain privacy breaches that could create a risk of harm to the affected individual.
Risk of Harm Test
If the custodian becomes aware of a loss of, or unauthorized access to, or disclosure of, individually identifying health information in the custody or control of the custodian, the custodian must engage in a risk of harm analysis. The regulations set out a non-exhaustive list of factors in subsection 8.1(1) that the custodian must consider when assessing the risk of harm. These factors include whether there is a reasonable basis to believe that:
- The information has been or may be accessed by or disclosed to a person without authorization.
- The information has been misused or will be misused.
- The information could be used for identity theft or to commit fraud.
- The information could cause embarrassment or physical, mental, financial or reputational harm to the individual.
- The breach has adversely or will adversely affect the provision of health care to the individual.
Risk Reducing Factors
The custodian must also consider risk-reducing factors such as whether the information was appropriately encrypted or in the case of a loss of information, whether it was destroyed, rendered inaccessible or unintelligible, or whether the custodian can demonstrate that the information was not accessed before it was recovered (which is certainly the case for some ransomware attacks). Finally, a mitigating factor would be where certain criteria are met when there has been unauthorized access or accidental sharing between custodians or between affiliates of a custodian, such as if the recipient who accessed the information was acting accordance with their duties and not for an improper purpose. If the custodian can demonstrate that risk-reducing factors apply in the case of a loss of or unauthorized access to or disclosure of personal health information, the custodian is not required to notify individuals or report the breach.
Regardless of the jurisdiction, the risk of harm considerations provided by the HIA regulations are extremely helpful for the health sector in assessing harm, as a matter of best practice, when the privacy of personal health information has been compromised.
Fines for a Failure to Comply
A custodian that fails to comply with these obligations commits an offence under the HIA. Individuals (e.g., regulated health professionals) can be subject to a fine of between $2,000 and $10,000. Organizations (e.g., a hospital or nursing home) are potentially subject to fines of between $200,000 and $500,000.
Responsibilities of Affiliates
The amendments to the HIA include rules requiring affiliates of a custodian (such as employees, agents and information managers of custodians) to report any breach (no harms-based threshold) to the custodian. Alberta has a strong track record of prosecuting unauthorized access to medical records by health professionals and has obtained nine convictions under the HIA since 2001. Alberta’s willingness to prosecute individuals may extend to prosecuting affiliates for failures to report breaches to custodians.
Taking Privacy Breaches Seriously
Although the Ontario PHIPA has required individual notification since the law’s inception in 2004, breach reporting obligations (to the Ontario Information and Privacy Commissioner and to the Colleges of regulated health professionals) only just came into force in October 2017.
Meanwhile, mandatory breach notification and reporting rules will come into force under PIPEDA, Canada’s private sector privacy law, on November 1, 2018.
All relevant breach notification and reporting laws need to be taken seriously and prepared for in a timely manner. Similarly, custodians in the province of Alberta and their affiliates must develop policies and procedures that meet the requirements of the HIA amendments.
For assistance with your breach response plans, contact PRIVATECH.