{"id":2256,"date":"2023-08-31T03:39:42","date_gmt":"2023-08-31T03:39:42","guid":{"rendered":"https:\/\/kleetos.com\/?p=2256"},"modified":"2025-07-15T04:05:28","modified_gmt":"2025-07-15T04:05:28","slug":"mandatory-privacy-breach-reporting-when-is-notice-required","status":"publish","type":"post","link":"https:\/\/brightsquid.com\/us\/mandatory-privacy-breach-reporting-when-is-notice-required\/","title":{"rendered":"Mandatory Privacy Breach Reporting &#8211; When is notice required"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2256\" class=\"elementor elementor-2256\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-658cdc08 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"658cdc08\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-62eebfc0\" data-id=\"62eebfc0\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ddbd2a9 elementor-widget elementor-widget-image\" data-id=\"ddbd2a9\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"812\" height=\"372\" src=\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg\" class=\"attachment-full size-full wp-image-2591\" alt=\"\" srcset=\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg 812w, 
https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog-300x137.jpg 300w, https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog-768x352.jpg 768w, https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog-650x298.jpg 650w\" sizes=\"(max-width: 812px) 100vw, 812px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-452423cc elementor-widget elementor-widget-text-editor\" data-id=\"452423cc\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"has-padding-top\"><strong>Mandatory privacy breach reporting comes into effect in Alberta as of August 31, 2018<\/strong>. From that date forward, custodians of patient information must notify the Privacy Commissioner, the Minister of Health, and the individual whose information was lost or improperly disclosed if there is a risk of harm. Let\u2019s examine how to assess risk of harm so that you can be sure if and when a breach needs to be reported.\u00a0Your first step in assessing risk of harm is understanding the intent of the amendment to the regulation. These changes are meant to ensure individuals can take measures to protect themselves in the event the confidentiality of their personal information is compromised. In the wrong hands,\u00a0<strong>patient information can be used for identity theft, which has the potential to damage the patient financially through fraud and medically through contamination of their medical record.<\/strong>\u00a0With that perspective as your lens, you must consider all factors to determine risk of harm. 
Asking <strong>these questions will inform your investigation and help you decide if the breach must be reported:<\/strong><\/p><ul><li>Is there a reasonable basis to believe the information was accessed by or disclosed to an inappropriate person?<\/li><li>Could the leaked information be used to commit fraud? (Of course, any leaked information would require reporting)<\/li><li>Is there a chance the information could cause embarrassment, physical, mental, or financial harm, or damage to the individual\u2019s reputation?<\/li><li>Could the breach adversely affect the delivery of healthcare for the patient (such as contaminated records)?<\/li><\/ul><p class=\"has-padding-top\">Answering yes to any of these questions would tell you the breach must be reported. This is not an exhaustive list of all factors to consider. For a more complete description of considerations, consult the Health Information Regulations (HIR) or contact us for assistance.<\/p><h3><i>There are some instances where a privacy breach may not need to be reported<\/i><\/h3><p class=\"has-padding-top\">The regulations recognize that if information is secured against access, notice is not necessary as long as you can prove the information wasn\u2019t accessed before it was recovered. In that case,\u00a0<strong>the burden is on you to prove the information is and was inaccessible<\/strong>.\u00a0Information that is rendered unintelligible or completely deidentified can also be exempt from breach reporting. But again, the burden of proof falls on you &#8211; which is difficult in the case of stolen hardware, especially because you\u2019re concerned with all future impact.\u00a0Who the information was disclosed to also makes a difference. If you can demonstrate the improper recipient of the patient information was a custodian or affiliate, or another person subject to the rules of the Health Information Act (HIA), you\u2019re not required to give notice. 
Similarly, if the person who received the information accessed the information only to determine their access was inappropriate and is taking reasonable steps to address the access, a breach need not be reported.<\/p><h3>What to do when breach reporting is required:<\/h3><p class=\"has-padding-top\">If a breach in your clinic must be reported, you have to notify the necessary authorities as well as any affected patients. We\u2019ll cover the process of reporting and review what needs to be reported in our next post.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Mandatory privacy breach reporting comes into effect in Alberta as of August 31, 2018. From that date forward, custodians of patient information [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":2591,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2256","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-brightsquid-blog"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.1 (Yoast SEO v24.1) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mandatory Reporting of Privacy Breaches | Brightsquid Blog<\/title>\n<meta name=\"description\" content=\"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy training.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta 
property=\"og:title\" content=\"Mandatory Privacy Breach Reporting - When is notice required\" \/>\n<meta property=\"og:description\" content=\"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy training.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/\" \/>\n<meta property=\"og:site_name\" content=\"Brightsquid US | Simplify Clinic Operations, Prevent Privacy Breaches\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-31T03:39:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-15T04:05:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"812\" \/>\n\t<meta property=\"og:image:height\" content=\"372\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Candace Jensen\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Candace Jensen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/brightsquid.com\/us\/mandatory-privacy-breach-reporting-when-is-notice-required\/\",\"url\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/\",\"name\":\"Mandatory Reporting of Privacy Breaches | Brightsquid Blog\",\"isPartOf\":{\"@id\":\"https:\/\/brightsquid.com\/us\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg\",\"datePublished\":\"2023-08-31T03:39:42+00:00\",\"dateModified\":\"2025-07-15T04:05:28+00:00\",\"author\":{\"@id\":\"https:\/\/brightsquid.com\/us\/#\/schema\/person\/207722aac73bbae1618de464c271cbee\"},\"description\":\"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy 
training.\",\"breadcrumb\":{\"@id\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage\",\"url\":\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg\",\"contentUrl\":\"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg\",\"width\":812,\"height\":372},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/brightsquid.com\/us\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mandatory Privacy Breach Reporting &#8211; When is notice required\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/brightsquid.com\/us\/#website\",\"url\":\"https:\/\/brightsquid.com\/us\/\",\"name\":\"Brightsquid US | Simplify Clinic Operations, Prevent Privacy Breaches\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/brightsquid.com\/us\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/brightsquid.com\/us\/#\/schema\/person\/207722aac73bbae1618de464c271cbee\",\"name\":\"Candace 
Jensen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/brightsquid.com\/us\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/bd53fd0c0e6ca6169ca1c900eaf47d81?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/bd53fd0c0e6ca6169ca1c900eaf47d81?s=96&d=mm&r=g\",\"caption\":\"Candace Jensen\"},\"description\":\"Candace Jensen is the Director of Privacy at Brightsquid, where she brings deep expertise in privacy compliance, healthcare operations, and leadership. A certified information privacy professional and seasoned compliance advisor, Candace supports healthcare organizations in navigating the complex landscape of Federal and Provincial privacy legislation, including the HIA, PIPA, POPA, and ATIP. She\u2019s known for her strategic approach to privacy impact assessments, breach prevention, and information security compliance. As a true privacy champion, Candace leads with clarity, care, and a touch of humor\u2014because even privacy policies can be engaging with the right mindset.\",\"url\":\"https:\/\/brightsquid.com\/us\/author\/candace\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Mandatory Reporting of Privacy Breaches | Brightsquid Blog","description":"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy training.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/","og_locale":"en_US","og_type":"article","og_title":"Mandatory Privacy Breach Reporting - When is notice required","og_description":"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy training.","og_url":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/","og_site_name":"Brightsquid US | Simplify Clinic Operations, Prevent Privacy Breaches","article_published_time":"2023-08-31T03:39:42+00:00","article_modified_time":"2025-07-15T04:05:28+00:00","og_image":[{"width":812,"height":372,"url":"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg","type":"image\/jpeg"}],"author":"Candace Jensen","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Candace Jensen","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/brightsquid.com\/us\/mandatory-privacy-breach-reporting-when-is-notice-required\/","url":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/","name":"Mandatory Reporting of Privacy Breaches | Brightsquid Blog","isPartOf":{"@id":"https:\/\/brightsquid.com\/us\/#website"},"primaryImageOfPage":{"@id":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage"},"image":{"@id":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage"},"thumbnailUrl":"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg","datePublished":"2023-08-31T03:39:42+00:00","dateModified":"2025-07-15T04:05:28+00:00","author":{"@id":"https:\/\/brightsquid.com\/us\/#\/schema\/person\/207722aac73bbae1618de464c271cbee"},"description":"Understand when a privacy breach in your clinic must be reported and learn to mitigate the risks of a breach with Brightsquid\u2019s privacy 
training.","breadcrumb":{"@id":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#primaryimage","url":"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg","contentUrl":"https:\/\/brightsquid.com\/us\/wp-content\/uploads\/sites\/2\/2023\/08\/secure-clinic-messaging-mandatory-privacy-breach-reporting-brightsquid-blog.jpg","width":812,"height":372},{"@type":"BreadcrumbList","@id":"https:\/\/brightsquid.com\/blog\/mandatory-privacy-breach-reporting-when-is-notice-required\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/brightsquid.com\/us\/"},{"@type":"ListItem","position":2,"name":"Mandatory Privacy Breach Reporting &#8211; When is notice required"}]},{"@type":"WebSite","@id":"https:\/\/brightsquid.com\/us\/#website","url":"https:\/\/brightsquid.com\/us\/","name":"Brightsquid US | Simplify Clinic Operations, Prevent Privacy Breaches","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/brightsquid.com\/us\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/brightsquid.com\/us\/#\/schema\/person\/207722aac73bbae1618de464c271cbee","name":"Candace 
Jensen","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/brightsquid.com\/us\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/bd53fd0c0e6ca6169ca1c900eaf47d81?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bd53fd0c0e6ca6169ca1c900eaf47d81?s=96&d=mm&r=g","caption":"Candace Jensen"},"description":"Candace Jensen is the Director of Privacy at Brightsquid, where she brings deep expertise in privacy compliance, healthcare operations, and leadership. A certified information privacy professional and seasoned compliance advisor, Candace supports healthcare organizations in navigating the complex landscape of Federal and Provincial privacy legislation, including the HIA, PIPA, POPA, and ATIP. She\u2019s known for her strategic approach to privacy impact assessments, breach prevention, and information security compliance. As a true privacy champion, Candace leads with clarity, care, and a touch of humor\u2014because even privacy policies can be engaging with the right 
mindset.","url":"https:\/\/brightsquid.com\/us\/author\/candace\/"}]}},"_links":{"self":[{"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/posts\/2256"}],"collection":[{"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/comments?post=2256"}],"version-history":[{"count":8,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/posts\/2256\/revisions"}],"predecessor-version":[{"id":2595,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/posts\/2256\/revisions\/2595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/media\/2591"}],"wp:attachment":[{"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/media?parent=2256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/categories?post=2256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/brightsquid.com\/us\/wp-json\/wp\/v2\/tags?post=2256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}