An investigation into privacy breach reporting in Alberta’s health sector found that practices vary widely and the health sector is not uniformly prepared for mandatory breach reporting and notification.
Alberta’s Health Information Act (HIA) was amended in May 2014 to include breach reporting and notification requirements, as well as new offence provisions for failing to report a breach. These provisions are not currently in force.
The Commissioner’s investigation was launched in January 2014 to learn how breaches are currently managed, tracked and reported, and to assess the health sector’s ability to manage and respond to privacy breaches.
Key findings from the investigation include:
- Large custodians – Alberta Health, Alberta Health Services and Covenant Health – generally have breach management frameworks in place, such as policies, procedures, education and training, but many other health professionals have significant work to do to establish robust programs.
- Considerable training and education are necessary to ensure health custodians understand their breach reporting and notification obligations under the amended HIA.
- Tracking and monitoring of breaches in the health sector has been inconsistent, making it difficult to estimate the number of breaches that occur, identify their underlying causes, or assess the impact of mandatory breach reporting requirements.
- The Electronic Health Record Data Stewardship Committee (EHRDSC), required by legislation and responsible for overseeing stewardship of data made available through Netcare, has not met for more than two years. This is a significant compliance issue, which undermines confidence in governance of the provincial electronic health record.
“Although larger health custodians have breach management and response frameworks in place, many regulated health professionals may not be able to meet their legislated obligations when the HIA amendments come into force,” said Commissioner Jill Clayton.
“I’m also concerned that the EHRDSC, with oversight of Netcare, has been allowed to lapse. Effective governance is essential to good data stewardship and the proper management of privacy breaches.”
The report makes a number of recommendations to health custodians, Alberta Health, and Research Ethics Boards. In particular, the report recommends Alberta Health consult with the Commissioner’s office on the specific wording of breach reporting and notification amendments to the Health Information Regulation.
Alberta Health has committed to most of the recommendations, but has not yet provided draft regulations for review. In six months, the OIPC will review whether Alberta Health has complied with the remaining recommendations.