• Sign in to MyCARNA
  • Find a nurse
  • News
  •  
  •  
  • Registration
    & Renewal

      My permit

      • Sign in
      • Renewing your permit

      • Taking leave or retiring

      • Returning to practice

      • Self-employed practice
      • Request verification
      • Fees and payments

      Apply to be a nurse

      • Internationally educated applicants

      • New graduate applicants

      • Canadian RN applicants

      • Nurse practitioner applicants

      Registration requirements

      • Approved nursing education programs
      • English language proficiency

      • Exam requirement

      • Continuing Competence Program
      • Currency of practice

      • Fitness to practice (FTP)

      Verify a nurse

      • Verify employees (login required)
      • Request access to employee verification

      Need help?

      We may have the answers you're looking for in our frequently asked questions.

  • Practice
    & Learning

      Keep up to date with practice standards

      Browse our documents on nursing practice standards in Alberta and guidelines that are essential to your scope of practice.

      Nursing practice information

      • Standards, guidelines, and documents
      • Legislation

      • Practice consultations
      • All topics

      Learning opportunities

      • Learning modules

      • Case studies

      • Webinars

      • Events and conferences

      Other resources

      • Specialty Practice Groups

      • Resources outside of CARNA

      Featured resource

      Educational funding for nurses

      Learn about ARNET
  • Complaints
    & Concerns

      What you can do

      • File a complaint about a nurse's conduct

      • Find a nurse

      • Request a review of a complaint dismissal

      Information for members referred to a hearing

      • What to expect
      • Appealing a hearing decision

      Complaints processes

      • About the investigations process

      • About complaint resolution agreements

      • About hearings

      • Publishing disciplinary summaries

  • About

      What is CARNA?

      • What we do

      • Mission, vision and values
      • Regulatory philosophy

      • Latest news

      • Policy priorities and research

      • What's nursing in Alberta like?

      • CARNA regions

      • Our partners

      Council and committees

      • Provincial Council

      • Governance Committees

      • Regulatory Committees

      Publications and reports

      • Alberta RN magazine

      • Newsletters

      • Annual and financial reports

      Other resources and services

      • Awards and recognition

      • Shop CARNA

      • Nursing history in Alberta

  • Contact Us

      General inquiries

      • Online form
      • Phone, address and hours
      • Staff directory

      Careers

      • Work for CARNA
      • Volunteer for CARNA
      • Jobs for nurses
      • Post a job

      Requests

      • Member requests
      • Name changes
      • Information and research requests

      Follow us

      • Facebook
      • Twitter
  • Sign in to MyCARNA
  • Find a nurse
  • News
  1. Home
  2. Practice & Learning
  3. Nursing practice information
  4. HIA and privacy breach reporting

HIA and privacy breach reporting

The Health Information Act (HIA) deals with complex issues concerning the collection, use, disclosure and protection of health information used in the health-care system. It provides individuals with the right to request access to health records in the custody or control of custodians and covers the actions of affiliates.

As of Aug. 31, 2018, there are new privacy breach reporting requirements that impact Alberta registered nurses and nurse practitioners. In the event of a privacy breach where there is a risk of harm to an individual, health custodians are now required to notify the individual, the Office of the Information and Privacy Commissioner (OPIC) and the minister of health. Penalties for failure to comply with the new legislation may result in large fines of up to $50,000.

What are privacy breaches, custodians and affiliates?

HIA defines a privacy breach as “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health."

All CARNA members are custodians under HIA unless they are an affiliate of another custodian. Examples of custodians include:

  • Alberta Health Services
  • Covenant Health
  • Nursing home operators

Registered nurses employed by these organizations are affiliates. An "affiliate" is:

  • An individual employed by a custodian.
  • A person who performs a service for a custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian, and a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act.

As a custodian, your responsibility is to ensure safeguards are in place to avoid potential privacy breaches. This includes taking reasonable steps to maintain administrative, technical and physical safeguards that will protect against anticipated threats or hazards to the security or integrity of health information or loss of health information. In the event that a privacy breach occurs, the custodian’s role is to:

  • Assess the risk of harm to the individual(s) subject to the privacy breach
  • If assessed as a risk, notify the Commissioner, Minister and individual subject to the breach “as soon as practicable”1.

As an affiliate, your role is to understand and comply with the legislation and policies your employer has in place and notify the custodian of a privacy breach.

When and how to notify

OIPC and the Minister of Health have specific forms that are required for their notification on their websites.

  • OIPC: How to Report a Privacy Breach
  • Minister of health: Notification to minister of health report form

When notifying an individual of the breach, the custodian must provide the individual with:

  • Details regarding the breach.
  • The date or time period when the breach occurred.
  • The name of the custodian in control of the health information at the time of the breach.
  • A non-identifying description of the type of information involved in the breach.
  • A description of risk of harm to the individual.
  • Steps the custodian is taking/intending on taking to reduce the risk of harm to the individual and to reduce the risk of a future breach.
  • Steps the individual can take to reduce the risk of harm.
  • A statement that the individual may request an investigation to be performed by the Commissioner, including the contact information for OPIC.
  • The name and contact information of a person who can answer questions on behalf of the custodian.
  • Other information deemed relevant by the custodian.

There may be times when a custodian determines it is not appropriate to provide notice to the individual regarding the breach, including circumstances where it could be reasonably expected to result in a risk of harm to the individual’s mental or physical health. In this instance, the custodian must immediately give notice to the OPIC of the decision not to notify the individual, and the reasons for that decision.

Further information regarding the reporting of breaches can be found in the Health Information Act Regulations, section 8.2(4).

  • Practice & Learning
  • Nursing practice information
    • Standards, guidelines, and other documents
    • Legislation
    • Practice consultations
    • Infection prevention and control
    • Medical assistance in dying
    • Naloxone: Responsibilities for RNs
    • Physician assistants
    • Prescribing CDS for nurse practitioners
    • RN competency profile
    • Telehealth nursing practice
    • Aesthetic nursing FAQ
    • Harm reduction
    • HIA and privacy breach reporting
    • Restraints
    • Immunization
  • Learning opportunities
    • Other resources

      Connect with us

      Toll Free:
      1.800.252.9392
      Tel:
      780.451.0043
      Fax:
      780.452.3276
      Email:
      carna@nurses.ab.ca
      • Facebook
      • Twitter

      CARNA office

      Address:
      11120 178 Street
      Edmonton, Alberta
      T5S 1P2
      Office hours:
      Monday - Friday
      8:30 a.m. to 4:30 p.m.
      • Sitemap
      • Privacy Policy

      © 2019 College & Association of Registered Nurses of Alberta