- Letter: HIA Breach Reporting Recommendation (PDF)
Information and Privacy Commissioner Jill Clayton has written to the Minister of Health to formally request the Government of Alberta consider amending Alberta’s Health Information Act (HIA) to include mandatory breach reporting and notification provisions.
In the letter, Commissioner Clayton provides an overview of breach reporting and notification requirements in health privacy legislation in other jurisdictions. In Canada, nine jurisdictions have passed or introduced broadly focused health privacy legislation and of those, six include mandatory breach reporting or notification provisions.
The Commissioner also details the issues that should be considered when designing an appropriate legislative scheme. These include consideration for who should be notified about a breach, what the triggers are for notification, what should be reported and in what time frame, and whether there should be penalties, sanctions or other consequences for failing to notify.
At this time, of the province’s three access and privacy laws, only Alberta’s private sector law, the Personal Information Protection Act, requires an organization to report a privacy breach and gives the Commissioner the power to require the organization to notify affected individuals.
In the Commissioner’s July 2013 submission to the Government of Alberta’s Review of the Freedom of Information and Protection of Privacy Act, she recommended the FOIP Act be amended to, “[r]equire public bodies to report privacy incidents meeting certain criteria to my Office and giving me the power to require public bodies to notify affected individuals.” She is recommending similar amendments be considered for health custodians under the HIA.
“Including privacy breach notification and reporting requirements in all three of Alberta’s access and privacy laws is an important component of protecting Albertan’s privacy rights and will help to put Alberta at the forefront of privacy protection,” commented Commissioner Clayton. “I commend the government for considering amendments to the Health Information Act”.