The Health Information Act (HIA) deals with complex issues concerning the collection, use, disclosure and protection of health information used in the health-care system. It provides individuals with the right to request access to health records in the custody or control of custodians and covers the actions of affiliates.
As of Aug. 31, 2018, there are new privacy breach reporting requirements that impact Alberta registered nurses and nurse practitioners. In the event of a privacy breach where there is a risk of harm to an individual, health custodians are now required to notify the individual, the Office of the Information and Privacy Commissioner (OIPC) and the minister of health. Failure to comply with the new legislation may result in fines of up to $50,000.
HIA defines a privacy breach as "a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health."
All CARNA members are custodians under HIA unless they are an affiliate of another custodian. Examples of custodians include:
Registered nurses employed by these organizations are affiliates. An "affiliate" is:
As a custodian, your responsibility is to ensure safeguards are in place to avoid potential privacy breaches. This includes taking reasonable steps to maintain administrative, technical and physical safeguards that will protect against anticipated threats or hazards to the security or integrity of health information or loss of health information. In the event that a privacy breach occurs, the custodian’s role is to:
As an affiliate, your role is to understand and comply with the legislation and policies your employer has in place and notify the custodian of a privacy breach.
The OIPC and the Minister of Health each provide, on their websites, the specific forms that must be used to notify them.
When notifying an individual of the breach, the custodian must provide the individual with:
There may be times when a custodian determines it is not appropriate to provide notice to the individual regarding the breach, including circumstances where doing so could reasonably be expected to result in a risk of harm to the individual's mental or physical health. In this instance, the custodian must immediately give notice to the OIPC of the decision not to notify the individual, and the reasons for that decision.
Further information regarding the reporting of breaches can be found in the Health Information Act Regulations, section 8.2(4).