Mandatory Privacy Breach Reporting Coming to Alberta’s Health Sector

May 24, 2018

Alberta’s health custodians will soon be required to notify Albertans whose health information has been subject to a privacy breach.

The mandatory breach reporting requirements under the Health Information Act (HIA) come into force on August 31, 2018. The amendments include requiring that health custodians:

  • Notify an individual affected by a privacy breach if there is a risk of harm to the individual.
  • Notify the Information and Privacy Commissioner of a privacy breach when there is a risk of harm to an individual.
  • Notify the Minister of Health of a privacy breach when there is a risk of harm to an individual.

Health custodians include Alberta Health, Alberta Health Services, Covenant Health and health professionals regulated under the HIA, such as physicians, pharmacists, dentists and optometrists.

“This is good news for the privacy of Albertans. I’m pleased that individuals affected by a health information breach will now have the right to be notified, which will bring Alberta in line with a majority of Canadian provinces and territories,” said Information and Privacy Commissioner Jill Clayton. “Health information is among the most sensitive of personal details anyone can share. When health information is breached, it’s important that people know so that they can take steps to protect themselves from potential harm.”

There are also new offence and penalty provisions if a health custodian:

  • Fails to report a breach.
  • Does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards.

A person who is found guilty of one of these offences is liable to a fine.*

Health custodians need to pay particular attention leading up to the new reporting requirements and offence provisions.

A 2015 investigation report on mandatory breach reporting preparedness in Alberta’s health sector found that breach response practices “vary widely and the health sector is not uniformly prepared,” said Commissioner Clayton in the report.

She added in a news release, “Although larger health custodians have breach management and response frameworks in place, many regulated health professionals may not be able to meet their legislated obligations when the HIA amendments come into force.”

Since 2014-15, more than 460 breaches – approximately 115 per year on average – involving health information have been voluntarily reported by health custodians to the Office of the Information and Privacy Commissioner. It is expected that more health information breaches will be reported annually as a result of these new requirements, but it is difficult to determine how many more at this time.

An order in council approved on Tuesday, May 8 set the date for the requirements to be in force. The amendments were passed under the Statutes Amendments Act, 2014 in May 2014. Alberta Health is the Ministry responsible for the HIA.

The Information and Privacy Commissioner of Alberta works independently of government to uphold the access and privacy rights of all Albertans.