Mandatory privacy breach reporting coming to Alberta's health sector
May 30, 2018
Effective August 31, 2018, Alberta’s health custodians, including pharmacists, will be required to notify Albertans whose health information has been subject to a privacy breach.
The mandatory breach reporting requirements will be included in the Health Information Act (HIA). The amendments to the HIA include requiring that health custodians
- notify an individual affected by a privacy breach if there is a risk of harm to the individual,
- notify the Information and Privacy Commissioner of a privacy breach when there is a risk of harm to an individual, and
- notify the Minister of Health of a privacy breach when there is a risk of harm to an individual.
Health custodians include Alberta Health, Alberta Health Services, Covenant Health, and health professionals regulated under the HIA, such as pharmacists, physicians, dentists, optometrists, among others.
There are also new offence and penalty provisions if a health custodian
- fails to report a breach or
- does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical, and physical safeguards.
A person who is found guilty of one of these offences is liable to a fine of up to $50,000.
For more information on mandatory breach reporting requirements, visit the Office of the Information and Privacy Commissioner of Alberta website.