On Aug. 31, Alberta will become the latest province to enact mandatory breach notification and reporting for personal health information data breaches. Alberta will join a small but growing group of provinces, including Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador, that impose these obligations on health care providers and organizations subject to health-sector privacy legislation.
Who is affected?
The new provisions of the Alberta Health Information Act (HIA) and the associated regulations apply to “custodians” and their “affiliates.”
The definition of “custodian” in the HIA includes a broad spectrum of health care service delivery organizations such as hospitals, nursing homes, ambulance operators, pharmacies and other health care organizations, as well as regulated health care providers such as physicians, pharmacists and dentists (among others). Employees, volunteers and agents of the custodians, as well as information managers (including an information technology service provider) are “affiliates” of custodians under the HIA.
What are the responsibilities of custodians?
The new HIA provisions require custodians to notify affected individuals, as well as the Minister of Health and the Office of the Information and Privacy Commissioner of Alberta of certain privacy breaches that could create a risk of harm to the affected individual. Not all breaches are subject to these obligations. There is a harm-based trigger.
If the custodian becomes aware of a loss of, or unauthorized access to, or disclosure of, individually identifying health information in the custody or control of the custodian, the custodian must engage in a risk of harm analysis. The regulations set out a non-exhaustive list of factors in subsection 8.1(1) that the custodian must consider when assessing the risk of harm. These factors include whether there is a reasonable basis to believe that:
- The information has been or may be accessed by or disclosed to a person.
- The information has been misused or will be misused.
- The information could be used for identity theft or to commit fraud.
- The information could cause embarrassment or physical, mental, financial or reputational harm to the individual.
- The breach has adversely affected or will adversely affect the provision of health care to the individual.
The custodian must also consider mitigating factors such as whether the information was appropriately encrypted or was recovered without any intervening access. Another mitigating factor is whether the loss of the information was because it was destroyed or rendered unintelligible. Finally, a mitigating factor would be whether the unauthorized access or disclosure involved accidental sharing between custodians or between affiliates of a custodian and all the following criteria were met:
- The person that accessed the information or to whom the information was disclosed was under a duty of confidentiality that meets the requirements of the HIA.
- The recipient who accessed the information was acting in accordance with their duties and not for an improper purpose.
- Any use or disclosure by the recipient was solely for the purposes of determining that there was an erroneous access or disclosure and taking steps reasonably necessary to address the issue.
If the custodian concludes that the test for risk of harm has been met, then the custodian must give notice to the individual and the breach must be reported to the OIPC and the minister as soon as practicable. Section 8.2 of the regulations sets out content requirements for the individual notifications and the reports to the OIPC and to the minister.
A custodian that fails to comply with these obligations commits an offense under the HIA. Individuals (e.g., a physician or dentist) can be subject to a fine of between $2,000 and $10,000. Organizations (e.g., a hospital or nursing home) are potentially subject to fines of between $200,000 and $500,000.
What are the exceptions?
One of the very helpful aspects of the new HIA breach notification and reporting provisions is the adoption of several “safe harbors” for custodians. If the custodian can demonstrate that the breach falls within one of these safe harbors, then this can trump other considerations in the risk-of-harm analysis.
Subsection 8.1(2) of the regulations states that the custodian does not have to notify the individual and report the breach to the OIPC and the minister if any of these are true:
- The information is encrypted in a manner that would prevent access or render the information unintelligible.
- The information was lost in a manner that involved the destruction of the information or rendering it inaccessible or unintelligible.
- The information was recovered and was not accessed before it was recovered.
In addition, there is a safe harbor for certain accidental disclosures between custodians and their affiliates. Notification and reporting would not be required if:
- The person who had unauthorized access or to whom the information was disclosed is another custodian.
- The recipient custodian or affiliate is subject to certain prescribed confidentiality requirements.
- The unauthorized access or disclosure was accidental in the sense that it did not involve an improper purpose.
- The information wasn’t used or disclosed by the recipient except for the purpose of determining there had been an error and to address the unauthorized access or disclosure.
Section 60.1(5) allows the custodian to withhold individual notification if notifying the affected individual could reasonably be expected to result in a risk of harm to the individual’s mental or physical health. However, the custodian must still notify the OIPC of the breach and the decision not to notify the individual.
What are affiliate responsibilities and liabilities?
Subsection 60.1(1) of the HIA requires affiliates of a custodian (such as employees, agents and information managers of custodians) to report to the custodian any loss of, or unauthorized access to, or disclosure of, individually identifying health information in the custody or control of the custodian. There is no safe harbor or other exception, and there is no harm-based threshold before reporting is required. It is an offense for affiliates not to report breaches to the custodian, with fines of between $2,000 and $10,000 in the case of an individual and between $200,000 and $500,000 in the case of an organization.
Subsection 8.2(1) of the regulations requires that affiliates follow the custodian’s requirements regarding the form and content of notifications. If the custodian has not established any requirements, then the affiliate must provide certain prescribed details in the notification. These details include a description of the circumstances of the breach, the date or period during which the breach occurred, the date the breach was discovered, and a description of the information involved.
Not a paper tiger
The new HIA provisions should be taken seriously by individuals and organizations operating in the health care sector in Alberta. Alberta has strong privacy law enforcement. Custodians in the province and their affiliates should develop policies and procedures that meet the requirements of the legislation. In particular, the requirement that affiliates report breaches should be taken seriously. Alberta has a strong track record of prosecuting unauthorized access by health professionals and has obtained nine convictions under the HIA since 2001. Alberta’s willingness to prosecute individuals may extend to prosecuting affiliates for willful blindness or other deliberate failure to report breaches to custodians.