As of August 31, 2018, custodians and their affiliates will have obligations to provide breach notifications under Alberta’s Health Information Act.
More specifically, a custodian will be required to give notice of any loss or unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure.
The notice must be given to:
- the Alberta Information and Privacy Commissioner;
- the Minister of Health; and
- the individual who is the subject of the individually identifying health information (unless giving such notice would put the individual's physical or mental health at risk).
Similarly, any affiliate of a custodian will be obligated to notify the custodian of any loss or unauthorized access to or disclosure of individually identifying health information in the custody or control of the affiliate relevant to the custodian.
Each of the foregoing notices is required to be provided “as soon as practicable”.
Once amended by the Alberta Health Information Amendment Regulation on August 31, 2018, the Alberta Health Information Regulation provides a non-exhaustive list of factors that must be considered by a custodian when assessing whether there is a risk of harm to an individual as a result of a loss of or an unauthorized access to or disclosure of individually identifying health information.
These factors include whether there is a reasonable basis to believe that the applicable information:
- has been or may be accessed by or disclosed to a person;
- has been misused or will be misused;
- could be used for the purpose of identity theft or to commit fraud; and
- could cause embarrassment or physical, mental or financial harm to, or damage the reputation of, the subject individual.