Privacy Breach Response and Reporting under the Health Information Act

Privacy Breach Response and Reporting Under the Health Information Act
August 2018

Disclaimer
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations.
The official versions of the Personal Information Protection Act, the Health Information Act, the Freedom of Information and Protection of Privacy Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of the Alberta Queen’s Printer at www.qp.alberta.ca.

What is a Privacy Breach under the HIA?
A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of individually identifying health information. (Section 60.1 of the HIA)

Mandatory Breach Notification and Reporting
If a privacy breach occurs, and a custodian determines there is a risk of harm to the individual, the custodian must notify (section 60.1(3)):
Individual(s) affected
The Information and Privacy Commissioner
The Minister of Health
Affiliates, which include but are not limited to a custodian’s employees, service providers or information managers, must also notify the custodian when a privacy breach occurs (section 60.1(1)).

Determining Risk of Harm
The Health Information Regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information:
Has been or may be accessed by a person
Has been or may be disclosed to a person
Has been misused or will be misused
Could be used for identity theft or to commit fraud
Could cause embarrassment
Could cause physical, mental or financial harm
Could damage an individual’s reputation
Could adversely affect the provision of a health service to the individual

Offences and Penalties
As of August 31, 2018, there are offence and penalty provisions if a health custodian:
Fails to report a breach (failure by a custodian to notify affected individuals, the Commissioner and the Minister of Health; and failure by an affiliate to notify a custodian)
Does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards
A person who is found guilty of one of these offences is liable to fines (section 107(7)).

Common Breaches Reported to the OIPC
Loss or theft of unencrypted mobile devices (e.g. laptops, USB sticks)
Misdirected communications (via email, fax or mail)
Employee “snooping” of patient or customer records
Hacking of computer servers and websites
Malicious software (“malware”) attacks, including ransomware
Phishing or social engineering attacks
Failure to wipe hard drives of computers and other devices prior to being resold
Stolen paper records from an office or employee’s vehicle or home
Improper disposal of records or devices

How to Avoid Privacy Breaches …as much as possible
Review organization practices
Conduct privacy impact assessments for new or changed systems and processes
Conduct security reviews, audits and penetration tests
Develop and implement policies and procedures
Implement staff training and awareness on systems, processes, policies and procedures

Duty to Protect
Does a breach mean that you failed in the duty to protect health information?
Yes and no
Breaches may occur despite reasonable safeguards
Breaches may reveal gaps in privacy and security arrangements that should or must be addressed in response to a breach

Plan Your Breach Response
Assume you will have a privacy breach, despite your best efforts
Identify a breach response team ahead of time
Establish a policy and plan regarding breaches
Practice makes perfect – test your plan and make sure staff are educated and trained on it

Breach Response Pitfalls
No written breach response plan – required as a reasonable safeguard
No backup person when decision makers are away
Scrambling to secure external agencies (e.g. forensic audit company, law firm, etc.)
Waiting for "perfect" information
Improper risk assessment of the harm to individuals
No internal communication and/or action plan
Vague notification to affected individuals – leads to complaints
Not reporting a privacy breach at all

Steps to Respond to Privacy Breaches
Step One: Contain the Breach
Step Two: Evaluate the Risks
Step Three: Notification and Reporting
Step Four: Prevention

Step One: Contain the Breach
Take immediate steps to stop the breach
Take corrective action
Investigate what happened
Gather information and start the risk assessment

Step Two: Evaluate the Risks
What was the cause and extent of the breach?
Who are the affected individuals?
What information was involved? What is the possible harm?
Consider all relevant factors, including those in the Health Information Regulation (section 8.1)

Step Three: Breach Notification and Reporting
Who should or must we notify?
Legislated or contractual obligations
Office policies and procedures
Risk of harm to affected individuals
When should or must notification occur?
“As soon as practicable” (section 60.1(2) of the HIA)

Step Three: Notification and Reporting
Under the Health Information Regulation, there are certain elements notices must include when notices are given by:
Affiliates to the custodian (section 8.2(1) of the Regulation)
Custodians to the Commissioner (section 8.2(2) of the Regulation)
Custodians to the Minister of Health (section 8.2(3) of the Regulation)
Custodians to the affected individual(s) (section 8.2(4) of the Regulation)

Step Three: Notification and Reporting
The Health Information Regulation outlines what a notice to an individual must include (section 8.2(4)).
When notifying affected individuals:
Be open and honest
Explain what happened and what you are doing
Offer support
Be prepared to answer questions or develop FAQs

Step Three: Notification and Reporting
When reporting to the OIPC:
Use the Privacy Breach Report Form for Use by Organizations, Custodians and Public Bodies
Review the Reporting a Breach to the Commissioner Practice Note to help guide custodians in completing the form
Be prepared to answer questions, if required
Resources are available at www.oipc.ab.ca on the “How to Report a Breach” webpage available from the homepage.

Step Four: Prevention
Develop or improve safeguards
Review and update policies and procedures, as needed
Regularly educate and train staff on safeguards and policies
Audit to ensure the prevention plan has been implemented

Resources
OIPC – How to Report a Privacy Breach
www.oipc.ab.ca/action-items/how-to-report-a-privacy-breach.aspx
Alberta Health – HIA Guidelines and Practices Manual
https://open.alberta.ca/publications/9780778582922
Alberta Health – HIA Help Desk
780-427-8089
Toll free by dialing 310-0000, followed by 780-427-8089
hiahelpdesk@gov.ab.ca

Thank you
www.oipc.ab.ca
Understanding privacy breaches under the Health Information Act (HIA) is crucial for organizations dealing with health data. This document outlines what constitutes a breach, mandatory notification requirements, factors to consider in determining risk of harm, and potential offences and penalties for non-compliance. It emphasizes the importance of safeguarding health information and the responsibilities of custodians in reporting breaches to the relevant authorities.

  • Privacy breach
  • Health Information Act
  • Notification requirements
  • Risk assessment
  • Data protection
