Guest post by: Jean L. Eaton, Information Managers Ltd.


I didn’t think it was going to happen . . . but it did!


Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!


What is a Privacy Breach?

A privacy breach is the loss of, unauthorized access to, unauthorized use of, unauthorized disclosure of, or authorized access for an unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.


Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make fraudulent insurance claims, access services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur inside the business? Most of these breaches are an ‘oops’ or honest mistake, or the result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicates a broken work flow or automated process, or carelessness or disregard for the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry, depending on what information has been breached and who now has access to it. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense of managing the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare is the risk of medical identity theft, where the breached information is used to fraudulently access healthcare services. As a result, inaccurate information may be added to the individual’s healthcare records, which can cause errors or delays in receiving necessary care and treatment.


Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with a few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by it, and explain how they can protect themselves from further harm.

Your internal privacy breach investigation takes time and may require additional support from external experts, including a consulting privacy officer, lawyer, investigator, human resources, and communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.


Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have downstream implications for other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC) and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. Central oversight by the OIPC and the Minister will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

Reinforcing the importance of securing health information, and of being seen to respond appropriately to a privacy breach, is part of the desired outcome of the new mandatory privacy breach reporting.


Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as a result of the loss or unauthorized disclosure (HIA s.60.1(4)).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

  • Has been or may be accessed by or disclosed to a person
  • Has been misused or will be misused
  • Could be used for the purpose of identity theft or to commit fraud
  • Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
  • Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information


Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been:

  • Encrypted or otherwise secured (applicable to electronic information), or
  • Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate that:

  • The information was not accessed before it was recovered, or
  • The only person who accessed the information is a custodian, affiliate, or information manager subject to section 60 of the Act who
    • accessed the information as part of their role as a custodian or affiliate and not for an improper use, and
    • did not improperly use or disclose the information,

then the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice, including the reasons for their decision to notify or not to notify.

When you record each privacy breach, including the ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find a pattern of breaches that indicates:

  • a broken work flow, or
  • a broken automated process, or
  • carelessness or disregard for the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.


It’s an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

  • Fail to report a breach
  • Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.


New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s.60.1):

  • The Privacy Commissioner of Alberta (OIPC), and the
  • Minister of Health in Alberta and
  • The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

  • Name of the custodian
  • Description of the circumstances
  • Date or time period during which the incident occurred
  • Date on which the incident was discovered
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Number of individuals affected by the incident
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm
  • Plans to prevent the risk of future loss, or unauthorized access or disclosure
  • Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
    • If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

  • Name of the custodian
  • Description of the circumstances
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Number of individuals affected by the incident
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

  • Description of the circumstances
  • Date or time period during which the incident occurred
  • Name of the custodian
  • Description of the type of information that was lost, accessed, or disclosed
  • Risk of harm to an individual and an explanation of how the risk of harm was assessed
  • Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
  • Plans to prevent the risk of future loss, or unauthorized access or disclosure
  • Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
  • A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
  • Contact information for the custodian or their responsible affiliate (privacy officer)
  • Any other relevant information


Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

  • Privacy breach management policy
  • Privacy and security incident response plan
  • Training for your privacy officer, management team, and custodians
  • Human resources privacy breach discipline policy and
  • Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider, you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

Stay up to date on mandatory privacy breach reporting! Sign up at https://informationmanagers.ca/microquest-exclusive-privacy-breach-notification-training to receive free tips, tools, templates, and training, and 30% off your purchase of the course, 4 Step Response Plan – Prevent Privacy Breach Pain.


References

These amendments were passed under the Statutes Amendment Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018.

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act