Duty to Notify
The Alberta Health Information Act (the “Act”) has been amended by adding section 60.1 to the Act (duty to notify) which requires health custodians in Alberta to notify Albertans whose health information is subject to a privacy breach. In particular, the amendments require the health custodian, where there is a risk of harm to an individual in each case, to:
- notify an individual affected by such a privacy breach;
- notify the Information and Privacy Commissioner of Alberta (“Privacy Commissioner”) of such a privacy breach; and
- notify the Minister of Health in Alberta (“Minister”) of such a privacy breach
Among those who are health custodians in Alberta are Alberta Health Services, Alberta Health, Covenant Health, various health professionals regulated under the Health Information Act including physicians, dentists, optometrists, pharmacists, etc.
Assessment of Risk of Harm
Subsection 60.1(4) of the Act provides that a custodian must consider all relevant factors, including the factors prescribed by the regulations, in assessing for purposes whether there is a risk of harm to an individual as a result of the loss or unauthorized disclosure.
Under the Health Information Amendment Regulation (“Amending Regulation”), the Health Information Regulation (AR 70/2001) ( the “Regulation”) was also amended. Section 8.1 has been added to that Regulation and requires the custodian to consider each of the following factors, in addition to, any other relevant factors:
(a) whether there is a reasonable basis to believe that the information has been or may be accessed by or disclosed to a person;
(b) whether there is a reasonable basis to believe that the information has been misused or will be misused;
(c) whether there is a reasonable basis to believe that the information could be used for the purpose of identity theft or to commit fraud;
(d) whether there is a reasonable basis to believe that the information is of a type that could cause embarrassment or physical, mental or financial harm to or damage the reputation of the individual who is the subject of the information;
(e) whether there is a reasonable basis to believe that the loss of or unauthorized access to or disclosure of the information has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information;
(f) in the case of electronic information, whether the custodian is able to demonstrate that the information was encrypted or otherwise secured in a manner that would
(i) prevent the information from being accessed by a person who is not authorized to access the information, or
(ii) render the information unintelligible by a person who is not authorized to access the information;
(g) in the case of a loss of information, whether the custodian is able to demonstrate that the information was lost in circumstances in which the information was
(i) destroyed, or
(ii) rendered inaccessible or unintelligible;
(h) in the case of a loss of information that is subsequently recovered by the custodian, whether the custodian can demonstrate that the information was not accessed before it was recovered;
(i) in the case of an unauthorized access to or disclosure of information, whether the custodian is able to demonstrate that the only person who accessed the information or to whom the information was disclosed
(i) is a custodian or an affiliate,
(ii) is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act,
(iii) accessed the information in a manner that is in accordance with the person's duties as a custodian or affiliate and not for an improper purpose, and
(iv) did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.
The amending regulation also adds sections 8.2 and 8.3 to the Regulation which detail provisions on the content of the required notice to each of a custodian, the Privacy Commissioner, the Minister and an affected individual.
In addition, a new offence provision has been added for failure to report a breach or failure to take reasonable steps to maintain safeguards to protect health information (including administrative, technical and physical safeguards). Section 107 of the Act was amended by adding subsection (1.1) which provides that:
“No custodian shall
(a) fail to take reasonable steps in accordance with the regulations to maintain administrative, technical and physical safeguards that will protect against any reasonably anticipated threat or hazard to the security or integrity of health information or of loss of health information.
(b) fail to comply with section 6.1(2), (3), (4) or (5), or
(c) fail to comply with an order made by the Commissioner under section 85.1(2)(b).”
A person who has been found guilty of such an offence can be liable to a fine up to $50,000 per occurrence. These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018 [Statutes Amendment Act, 2014, Chapter 8, Health Information Act] and the Amending Regulation [Health Information Amendment Regulation].
The Alberta Information and Privacy Commissioner has noted that many regulated health professionals do not seem to be meeting their legislated obligations and need to do better. Apparently on average there are 115 breaches reported annually in Alberta. The Privacy Commissioner expects this number will increase as a result of the new requirements.