HIA and privacy breach reporting

The Health Information Act (HIA) deals with complex issues concerning the collection, use, disclosure and protection of health information used in the health-care system. It provides individuals with the right to request access to health records in the custody or control of custodians and covers the actions of affiliates.

As of Aug. 31, 2018, there are new privacy breach reporting requirements that impact Alberta registered nurses and nurse practitioners. In the event of a privacy breach where there is a risk of harm to an individual, health custodians are now required to notify the individual, the Office of the Information and Privacy Commissioner (OPIC) and the minister of health. Penalties for failure to comply with the new legislation may result in large fines of up to $50,000.

HIA defines a privacy breach as “a loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health."

All CARNA members are custodians under HIA unless they are an affiliate of another custodian. Examples of custodians include:

• Alberta Health Services
• Covenant Health
• Nursing home operators

Registered nurses employed by these organizations are affiliates. An "affiliate" is:

• An individual employed by a custodian.
• A person who performs a service for a custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian, and a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act.

As a custodian, your responsibility is to ensure safeguards are in place to avoid potential privacy breaches. This includes taking reasonable steps to maintain administrative, technical and physical safeguards that will protect against anticipated threats or hazards to the security or integrity of health information or loss of health information. In the event that a privacy breach occurs, the custodian’s role is to:

• Assess the risk of harm to the individual(s) subject to the privacy breach
• If assessed as a risk, notify the Commissioner, Minister and individual subject to the breach “as soon as practicable”1.

As an affiliate, your role is to understand and comply with the legislation and policies your employer has in place and notify the custodian of a privacy breach.

OIPC and the Minister of Health have specific forms that are required for their notification on their websites.

• OIPC: How to Report a Privacy Breach
• Minister of health: Notification to minister of health report form

When notifying an individual of the breach, the custodian must provide the individual with:

• Details regarding the breach.
• The date or time period when the breach occurred.
• The name of the custodian in control of the health information at the time of the breach.
• A non-identifying description of the type of information involved in the breach.
• A description of risk of harm to the individual.
• Steps the custodian is taking/intending on taking to reduce the risk of harm to the individual and to reduce the risk of a future breach.
• Steps the individual can take to reduce the risk of harm.
• A statement that the individual may request an investigation to be performed by the Commissioner, including the contact information for OPIC.
• The name and contact information of a person who can answer questions on behalf of the custodian.
• Other information deemed relevant by the custodian.

There may be times when a custodian determines it is not appropriate to provide notice to the individual regarding the breach, including circumstances where it could be reasonably expected to result in a risk of harm to the individual’s mental or physical health. In this instance, the custodian must immediately give notice to the OPIC of the decision not to notify the individual, and the reasons for that decision.

Further information regarding the reporting of breaches can be found in the Health Information Act Regulations, section 8.2(4).