Did you know?
As health custodians, opticians in Alberta are now required to file reports and notify patients if their health information has been subject to a privacy breach. The mandatory breach reporting requirements under the Health Information Act (HIA) came into effect on August 31, 2018. Mandatory breach reporting is a new way to ensure that patients know when their health information has been lost, accessed or disclosed without authorization; and as patients of other health professionals, you are entitled to this peace of mind too!
But what do opticians need to do?
It’s your responsibility to notify:
- The Information and Privacy Commissioner of a privacy breach when there is a risk of harm to your patient.
- The Minister of Health of a privacy breach when there is a risk of harm to your patient.
- Your patient if they are affected by a privacy breach and there is a risk of harm to them.
These new rules bring Alberta in line with most Canadian provinces and territories with regards to health information and privacy. Health information is extremely sensitive and personal; when a breach occurs, it’s important that your patients know so that they can take proactive measures to keep themselves safe.
When should a breach be reported?
Immediately. The HIA requires that custodians inform the OIPC of a breach “as soon as practicable”. The OIPC recommends that you report a breach as soon as possible, even if you don’t yet have all the information requested on the Privacy Breach Report Form. You can provide additional information to the Commissioner as it becomes known; when a breach happens, time can be of the essence to ensure there is as little damage as possible from the event.
What is a privacy breach?
A privacy breach means “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information.”
Examples of situations that would constitute a breach:
- Lost or stolen laptops, USB keys, phones, or other mobile devices containing health information.
- Misdirected emails, faxes or mail.
- “Snooping” of patient files by someone who has no right to access the file.
- Evidence that computers or servers containing health information have been hacked or otherwise compromised.
- Malware, phishing, and other attacks that could give an attacker access to personal information.
- Reselling old computers and forgetting to wipe the hard drive first.
- Stolen paper records from an employee’s vehicle, home, or office.
- Improper disposal of records or devices.
How do you report a breach?
A breach may catch you off guard, and it can be overwhelming and intimidating thinking of all the steps you are legally required to take. That’s why it’s best to familiarize yourself with the process BEFORE a breach happens. That way, you won’t lose any time reporting it, and you’ll feel confident that you’ve done your due diligence in service of your patient. Remember, you have to report a breach to the OIPC, the Minister of Health, and the patient (unless notifying the patient would be harmful to their mental or physical health).
Reporting to the Office of the Information and Privacy Commissioner (OIPC)
Custodians must submit a written notice to the Commissioner in an approved form. The notice needs to include the following information, as per section 8.2(2) of the Health Information Regulation:
- The custodian’s name.
- A description of what happened.
- When the breach occurred.
- When the breach was discovered.
- A non-identifying description of the breached information.
- A non-identifying description of the risk to the patient because of the breach, including:
- a description of the type of harm,
- an explanation of how the risk of harm was assessed,
- a description of the custodian’s considerations for the following, as per section 8.1:
- If the information may have been accessed by an unauthorized person,
- Whether it’s reasonable to believe it will be misused,
- If the information could be used for identity theft or fraud,
- If the breached information could cause embarrassment or physical, mental, or financial harm to the patient, or damage their reputation.
- Whether the breach will adversely affect the provision of a health service to the affected patient.
- If digital information was encrypted or otherwise secured in a manner that would protect the information despite the breach,
- If information that was lost was already destroyed or inaccessible,
- Whether the information that has been recovered after a breach was accessed before it was recovered,
- If the custodian can demonstrate that the only person who accessed breached information was a custodian, affiliate, or someone subject to confidentiality procedures that would safeguard the information, and that they:
- only accessed it in accordance with their duties and not for improper purposes,
- didn’t use or disclose the information,
- took steps to ensure it doesn’t happen again,
- Exactly or approximately how many people’s information was breached.
- A description of the steps that the custodian will take to reduce the risk of harm to the patient.
- A description of the steps that the custodian will take to reduce the risk of a future breach.
- A non-identifying copy of the information that will be sent to the affected individuals regarding the breach, as well as a statement indicating the method that will be used to give notice to the individuals.
- If the custodian is requesting permission to give notice to an individual by substitutional service under section 103(c) of HIA, include both the request and the reasons for the request.
- The name and contact information for a person who can answer questions on behalf of the custodian about the breach.
- Any other information that the custodian considers relevant.
Breach Reporting Form
This is a long checklist, but it is made easier by the fact that the OIPC has done the hard work already, and provided a Breach Reporting Form. Read through that document, and refer to the Health Information Regulation Amendments for the original wording if something is unclear. You should also refer to this informative document created by the OIPC explaining how to fill out the Breach Report Form; this document goes in depth on each section and clearly explains what you should include.
Reporting to the Minister of Health
The Minister of Health requires similar information to the OIPC. To report a breach to the Minister of Health, fill out the Notification to the Minister of Health form, available on the Health Information Act page of the Alberta Health website. Remember to use non-identifying information when describing the breach, so as not to compromise your patient’s health information further. You can refer to the Health Information Regulation and the recent Amendments, or refer to the summary list from the OIPC section above. You can report a breach to the Minister by emailing your completed form to HIABreachReporting@gov.ab.ca.
Informing the Patient
In addition to the Minister of Health and the OIPC, you must also inform anyone whose health information has been breached. The notice you send to your patient must include:
- Detailed information regarding the breach.
- The health information involved.
- Risk of harm to the patient.
- Steps taken to reduce the risk of harm.
- Steps the patient can take to further reduce the risk of harm.
- A statement that the patient may ask the Commissioner to investigate the incident.
- Contact information for the Office of the Information and Privacy Commissioner of Alberta.
In most cases, the patient needs to know if their health information has been breached. However, there are times when you need to use your discretion and decide whether informing your patient of the situation would be harmful to their health. For example, if you have an elderly patient with a heart condition, you may not want to cause them undue stress. If you think that informing your patient of a breach will result in a risk of harm to their mental or physical health, there are provisions in place for you to use your judgement. In that case, you must explain to the Commissioner your reasons for not giving notice to the affected individual.
Offences and Penalties
To ensure compliance, there are also new penalties for custodians and affiliates who fail to adhere to the legislation. A custodian or affiliate who is found guilty of one of these offences may be issued a steep fine.
It is an offence if a custodian fails to:
- Take reasonable steps to maintain administrative, technical, and physical safeguards that will protect against a breach.
- Report a privacy breach to the Commissioner, the Minister of Health, and affected individuals (except when deemed harmful to the individual).
- Consider all relevant factors in determining if there is a risk of harm from a breach, and whether it needs to be reported.
- Inform the Commissioner of a decision not to notify an affected individual of a privacy breach, if the custodian has determined that doing so would be harmful to the individual’s mental or physical health.
It is also an offence for an affiliate of a custodian to fail to notify the custodian of a health information privacy breach.
Even the most secure organizations suffer breaches sometimes; wherever there is sensitive information, there is a risk of it being compromised. That’s why it’s so important to prepare for the worst case scenario in addition to actively working to prevent it. Take time to read through the documents provided, and if you need any more information on this topic, there are specialists at the HIA Help Desk who can answer your questions: