It is rumoured that Bill 12 that amended the Alberta Health Information Act (“HIA”), passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA:
- adds mandatory breach notification provisions;
- authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
- creates new offences and penalties.
We will discuss these 3 amendments in turn.
The new HIA imposes a stringent notification regime. The proposed modifications will introduce multiple breach notification obligations:
- Section 60.1 will soon mandate a “duty to notify” in cases of breach involving “individually identifying” health information – information where the identity of the individual subject of the information can be readily ascertained from the information.
- Section 60.1(1) will require any affiliate to notify the custodian of any loss, unauthorized access to, or disclosure of, individually identifying health information in the custody or control of the custodian. This notice must be made “as soon as practicable”.
- Section 60.1(2) will require a custodian to give notice “as soon as practicable” of loss, unauthorized access to, or disclosure of individually identifying health information in its custody or control if there is a risk of harm to an individual as a result.
Notice of a breach posing a “risk of harm” must be given to the Commissioner (OIPC), the Health Minister, and the individual who is the subject of the information. Further, there is an exception to the notice requirement: if the notice could reasonably be expected to result in a risk of harm to the individual’s mental or physical health, then the custodian must immediately notify the Commissioner (OIPC) of the decision not to give notice to the individual, and the reasons for that decision. The OIPC may then require additional information from the custodian, and confirm that decision or require notification.
So, with certain requirements dependent on the “risk of harm”, a significant question facing affected organizations in the face of this change is: what exactly does a “risk of harm” entail?
The new HIA sections require a custodian must consider all relevant factors, including the factors prescribed by the regulation, in assessing whether there is harm to an individual. The changes refer specifically to the forthcoming regulations under the HIA. Affected parties will have more guidance when those regulations are proclaimed.
Canadian Privacy Legislation Compared
The “risk of harm” in the upcoming HIA sections stands apart from similar provisions in other privacy legislation, such as the Alberta Personal Information Protection Act’s (“PIPA”) “real risk of significant harm”. There are varying levels of harm thresholds required by provincial legislation across Canada. A few examples are set out in the table below.
Click here to view table
The HIA’s proposed “risk of harm” appears to occupy an amorphous middle ground between Ontario and Manitoba’s lack of harm threshold, and PIPA and PIPEDA’s “real risk of significant harm” threshold.
However, the stated intent is that the proposed HIA amendments will have the same threshold as PIPA’s “real risk of significant harm.” The forthcoming regulations will therefore be crucial in determining the threshold required to trigger the HIA’s notice requirements.
Bill 12 will add new offences to the HIA. Sanctions may follow where a custodian fails to take reasonable steps to maintain appropriate safeguards, fails to comply with the breach notification requirements, or fails to comply with an order made by the Commissioner (OIPC) relating to the custodian’s duty to notify. Sanctions may follow for affiliates for failure to notify the custodian of a privacy breach.
Additionally, the amendments will make it easier for the OIPC to crack down on these breaches, as the new offences lack the higher intent threshold that the offence was committed “knowingly.” This means there is a greater risk of committing an offence. Organizations may also commit the “reasonable safeguards” offence, intended to cover situations where a custodian is clearly negligent in the face of a well-defined industry standard. “Reasonable safeguards” typically include affiliate privacy and security education, privacy impact assessment, and appropriate policies to protect sensitive information.
Potential penalties are severe. Fines range from $2,000 to $10,000 for individuals, and $200,000 to $500,000 for any other person – this would include Albert Health Services and other organizations.
Tips for Businesses
The lack of a clear threshold in the HIA poses potential problems for affected parties under the legislation. Notifying for every single breach could create its own problems. The sheer volume of notifications could be overwhelming. Notifying an individual where there is no risk is unnecessary, but could cause needless stress and worry. Parties notifying excessively could also suffer reputational harm.
In response to Bill 12, organizations operating in Alberta should consider the following:
- Are you a “custodian” or an affiliate of a custodian? The new HIA amendments apply to you; read and understand the legislative changes.
- Organizations should ensure that their “reasonable safeguards” are in place, and that they are clearly complying with appropriate industry standards. Potential liability follows from missing one of the reasonable safeguards.
- Follow legislative updates. The release of accompanying regulations may provide valuable guidance as to the content of the threshold, such as the number of people affected by the breach, potential categories of people considered at a higher risk of harm, and perhaps defined situations where there is no risk of harm. The accompanying regulations will likely also provide the form and content of the required notification.
- Ensure you have a breach protocol in place.