Privacy Breach Response and Reporting under the Health Information Act


Understanding privacy breaches under the Health Information Act (HIA) is crucial for organizations dealing with health data. This document outlines what constitutes a breach, mandatory notification requirements, factors to consider in determining risk of harm, and potential offences and penalties for non-compliance. It emphasizes the importance of safeguarding health information and the responsibilities of custodians in reporting breaches to the relevant authorities.


Uploaded on Sep 13, 2024



Presentation Transcript


  1. Privacy Breach Response and Reporting Under the Health Information Act August 2018

  2. Disclaimer
     This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Personal Information Protection Act, the Health Information Act, the Freedom of Information and Protection of Privacy Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of the Alberta Queen's Printer at www.qp.alberta.ca.

  3. What is a Privacy Breach under the HIA?
     A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of individually identifying health information. (Section 60.1 of the HIA)

  4. Mandatory Breach Notification and Reporting
     If a privacy breach occurs, and a custodian determines there is a risk of harm to the individual, the custodian must notify (section 60.1(3)):
     - Individual(s) affected
     - The Information and Privacy Commissioner
     - The Minister of Health
     Affiliates, which include but are not limited to a custodian's employees, service providers or information managers, must also notify the custodian when a privacy breach occurs (section 60.1(1)).

  5. Determining Risk of Harm
     The Health Information Regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information:
     - Has been or may be accessed by a person
     - Has been or may be disclosed to a person
     - Has been misused or will be misused
     - Could be used for identity theft or to commit fraud
     - Could cause embarrassment
     - Could cause physical, mental or financial harm
     - Could damage an individual's reputation
     - Could adversely affect the provision of a health service to the individual

  6. Offences and Penalties
     As of August 31, 2018, there are offence and penalty provisions if a health custodian:
     - Fails to report a breach: failure by a custodian to notify affected individuals, the Commissioner and the Minister of Health; and failure by an affiliate to notify a custodian
     - Does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards
     A person who is found guilty of one of these offences is liable to fines (section 107(7)).

  7. Common Breaches Reported to the OIPC
     - Loss or theft of unencrypted mobile devices (e.g. laptops, USB sticks)
     - Misdirected communications (via email, fax or mail)
     - Employee snooping of patient or customer records
     - Hacking of computer servers and websites
     - Malicious software ("malware") attacks, including ransomware
     - Phishing or social engineering attacks
     - Failure to wipe hard drives of computers and other devices prior to being resold
     - Stolen paper records from an office or an employee's vehicle or home
     - Improper disposal of records or devices

  8. How to Avoid Privacy Breaches as Much as Possible
     - Review organization practices
     - Conduct privacy impact assessments for new or changed systems and processes
     - Conduct security reviews, audits and penetration tests
     - Develop and implement policies and procedures
     - Implement staff training and awareness on systems, processes, policies and procedures

  9. Duty to Protect
     Does a breach mean that you failed in the duty to protect health information? Yes and no:
     - Breaches may occur despite reasonable safeguards
     - Breaches may reveal gaps in privacy and security arrangements that should or must be addressed in response to a breach

  10. Plan Your Breach Response
     - Assume you will have a privacy breach, despite your best efforts
     - Identify a breach response team ahead of time
     - Establish a policy and plan regarding breaches
     - Practice makes perfect: test your plan and make sure staff are educated and trained on it

  11. Breach Response Pitfalls
     - No written breach response plan (required as a reasonable safeguard)
     - No backup person when decision makers are away
     - Scrambling to secure external agencies (e.g. forensic audit company, law firm, etc.)
     - Waiting for "perfect" information
     - Improper risk assessment of the harm to individuals
     - No internal communication and/or action plan
     - Vague notification to affected individuals, which leads to complaints
     - Not reporting a privacy breach at all

  12. Steps to Respond to Privacy Breaches
     - Step One: Contain the Breach
     - Step Two: Evaluate the Risks
     - Step Three: Notification and Reporting
     - Step Four: Prevention

  13. Step One: Contain the Breach
     - Take immediate steps to stop the breach
     - Take corrective action
     - Investigate what happened
     - Gather information and start the risk assessment

  14. Step Two: Evaluate the Risks
     - What was the cause and extent of the breach?
     - Who are the affected individuals?
     - What information was involved?
     - What is the possible harm?
     Consider all relevant factors, including those in the Health Information Regulation (section 8.1).

  15. Step Three: Breach Notification and Reporting
     Who should or must we notify?
     - Legislated or contractual obligations
     - Office policies and procedures
     - Risk of harm to affected individuals
     When should or must notification occur?
     - As soon as practicable (section 60.1(2) of the HIA)

  16. Step Three: Notification and Reporting
     Under the Health Information Regulation, there are certain elements notices must include when notices are given by:
     - Affiliates to the custodian (section 8.2(1) of the Regulation)
     - Custodians to the Commissioner (section 8.2(2) of the Regulation)
     - Custodians to the Minister of Health (section 8.2(3) of the Regulation)
     - Custodians to the affected individual(s) (section 8.2(4) of the Regulation)

  17. Step Three: Notification and Reporting
     The Health Information Regulation outlines what a notice to an individual must include (section 8.2(4)). When notifying affected individuals:
     - Be open and honest
     - Explain what happened and what you are doing
     - Offer support
     - Be prepared to answer questions or develop FAQs

  18. Step Three: Notification and Reporting
     When reporting to the OIPC:
     - Use the Privacy Breach Report Form for Use by Organizations, Custodians and Public Bodies
     - Review the "Reporting a Breach to the Commissioner" Practice Note to help guide custodians in completing the form
     - Be prepared to answer questions, if required
     Resources are available at www.oipc.ab.ca on the "How to Report a Breach" webpage, available from the homepage.

  19. Step Four: Prevention
     - Develop or improve safeguards
     - Review and update policies and procedures, as needed
     - Regularly educate and train staff on safeguards and policies
     - Audit to ensure the prevention plan has been implemented

  20. Resources
     - OIPC, How to Report a Privacy Breach: www.oipc.ab.ca/action-items/how-to-report-a-privacy-breach.aspx
     - Alberta Health, HIA Guidelines and Practices Manual: https://open.alberta.ca/publications/9780778582922
     - Alberta Health HIA Help Desk: 780-427-8089 (toll free by dialing 310-0000, followed by 780-427-8089); hiahelpdesk@gov.ab.ca

  21. Thank you
     www.oipc.ab.ca
