Mandatory Privacy Breach Reporting - When is notice required

Mandatory privacy breach reporting comes into effect in Alberta as of August 31, 2018. From that date forward, custodians of patient information must notify the Privacy Commissioner, the Minister of Health, and the individual whose information was lost or improperly disclosed if there is risk of harm. Let’s examine how to assess risk of harm so that you can be sure if and when a breach needs to be reported. Your first step to assessing risk or harm is understanding the intent of the amendment to the regulation. These changes are meant to ensure individuals can take measures to protect themselves in the event the confidentiality of their personal information is compromised. In the wrong hands, patient information can be used for identity theft which has potential to damage the patient financially through fraud and medically through contamination of their medical record. With that perspective as your lens, you must consider all factors to determine risk or harm. Asking these questions will inform your investigation and help you decide if the breach must be reported:

• Is there reasonable basis to believe the information was accessed by or disclosed to an inappropriate person?
• Could the leaked information be used to commit fraud? (Of course, any leaked information would require reporting)
• Is there a chance the information could cause embarrassment, physical, mental, or financial harm,or damage to the individual’s reputation?
• Could the breach adversely affect the delivery of healthcare for the patient (such as contaminated records)?

Answering yes to any of these questions would tell you the breach must be reported. This is not an exhaustive list of all factors to consider. For a more complete description of considerations, consult the Health Information Regulations (HIR) or contact us for assistance.  

**There are some instances where a privacy breach may not need to be reported**

The regulations recognize that if information secured against access, notice is not necessary as long as you can prove the information wasn’t accessed before it was recovered. In that case, the burden is on you to prove the information is and was inaccessible. Information that is rendered unintelligible or completely deidentified can also be exempt from breach reporting. But again, burden of proof falls on you - which is difficult in the case of stolen hardware especially because you’re concerned with all future impact. Who the information was disclosed to also makes a difference. If you can demonstrate the improper recipient of the patient information was a custodian or affiliate, or another person subject to the rules of the Health Information Act (HIA), you’re not required to give notice. Similarly, if the person who received the information accessed the information only to determine their access was inappropriate and is taking reasonable steps to address the access, a breach need not be reported.  

What to do when breach reporting is required:

If a breach in your clinic must be reported, you have to notify the necessary authorities as well as any affected patients. We’ll cover the process of reporting and review what needs to be reported in our next post.