New mandatory breach notification requirements under Alberta's Health Information Act (HIA) will come into force on August 31, 2018. The threshold for notification is set at 'risk of harm', notably lower than the 'real risk of significant harm' threshold that currently exists under Alberta's Personal Information Protection Act (PIPA) and that will come into force federally under PIPEDA on November 1, 2018.
More specifically, as of August 31, 2018, HIA will require that health custodians:
- Notify an individual affected by a privacy breach if there is a risk of harm to the individual;
- Notify the Information and Privacy Commissioner of Alberta of a privacy breach when there is a risk of harm to an individual; and
- Notify the Minister of Health of a privacy breach when there is a risk of harm to an individual.