Practice Management Success Tip - Amazon Web Services, Inc.

Transcription

ATTENTION: All practice managers, healthcare providers, clinic managers of private healthcare practices. This Practice Management Success Tip has been created especially for you!

Understanding Privacy Breach Notification

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

This Practice Management Success Tip will help you
- Understand the requirements of mandatory privacy breach notification.
- Inform your team including custodians, affiliates, privacy officers, and vendors of your role to notify the regulators and individuals when a privacy breach occurs.
- Assist you to prepare your privacy breach management program.

What to do next

Use the attached article to discuss with your custodian(s) and your clinical, administrative, and management team members the impact of recent amendments of Alberta's Health Information Act (HIA).

Example that you can use

Watch the free webinar "How Will Mandatory Privacy Breach Reporting Affect You".
Register reach-reporting-comes-to-alberta/

Need more templates like this?

Become a member of Practice Management Success! On-line tips, tools, templates and training to help you in your career and help you to start, grow, or fix the business of a healthcare practice.
www.PracticeManagementSuccess.ca

This is part of the Practice Management Success Tip series. July 2018.

This publication provides general guidance for healthcare practices in Alberta. It is expected that you will review and refine these documents to meet your needs. For additional assistance, please contact INFORMATION MANAGERS LTD.

Jean L. Eaton, B Admin (Healthcare), CHIM, CC
Your Practical Privacy Coach and Practice Management Mentor
INFORMATION MANAGERS LTD.
www.InformationManagers.ca

Practice Management Success Tip
Prevent Privacy Breach Pain: Understanding Privacy Breach Notification
Information Managers Ltd June 2018
Page 2 of 8

MANDATORY PRIVACY BREACH REPORTING COMES TO ALBERTA!

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!

What is a Privacy Breach?

A privacy breach is a loss, unauthorized access to, unauthorized use, unauthorized disclosure, or authorized access for unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make fraudulent insurance claims, access services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur internal to the business? Most of these breaches are an 'oops' or honest mistakes or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicates a broken work flow or automated process, or carelessness or disregard for the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry, directly related to what information has been breached and who now has access to the information. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense to manage the loss of personal information. These are examples of 'risk of significant harm'.

Of particular importance in healthcare is the risk of medical identity theft, where the breached information is used to fraudulently access healthcare services. As a result, inaccurate information may be added to the owner's healthcare records, which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with some few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and how they can protect themselves from further harm.

Your internal privacy breach investigation takes time and may require additional support from external experts including a consulting privacy officer, lawyer, investigator, human resources, communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications for other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC) and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. Central oversight by the OIPC and the Minister will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

The importance of securing health information, and of being seen to respond appropriately to a privacy breach, is part of the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a 'risk of harm' to an individual as a result of the loss or unauthorized disclosure (HIA s. 60.1(4)).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:
- Has been or may be accessed by or disclosed to a person
- Has been misused or will be misused
- Could be used for the purpose of identity theft or to commit fraud
- Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
- Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information

Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been
- Encrypted or otherwise secured (applicable to electronic information), or
- Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate:
- The information was not accessed before it was recovered, or
- The only person who accessed the information is a custodian, affiliate, or information manager subject to section 60 of the Act, or
- Accessed the information as part of their role as a custodian or affiliate and not for an improper use, and
- Did not improperly use or disclose the information,
the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice, including their reasons for their decision to notify and their decision not to notify.

When you record each privacy breach, including 'oops', errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:
- broken work flow, or
- broken automated process, or
- carelessness or disregard for the security of personal information.
These situations may trigger mandatory privacy breach notification requirements.

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:
- Fail to report a breach
- Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s.60.1):
- The Privacy Commissioner of Alberta (OIPC), and the Minister of Health in Alberta, and
- The individual(s) affected by the privacy breach

Don't forget that there continue to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):
- Name of the custodian
- Description of the circumstances
- Date or time period during which the incident occurred
- Date on which the incident was discovered
- Description of the type of information that was lost, accessed, or disclosed
- Risk of harm to an individual and an explanation of how the risk of harm was assessed
- Number of individuals affected by the incident
- Description of the steps that the custodian has taken or intends to take to reduce the risk of harm
- Plans to prevent the risk of future loss, or unauthorized access or disclosure
- Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided, directly or by substitutional service
  - If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
- Contact information for the custodian or their responsible affiliate (privacy officer)
- Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):
- Name of the custodian
- Description of the circumstances
- Description of the type of information that was lost, accessed, or disclosed
- Risk of harm to an individual and an explanation of how the risk of harm was assessed
- Number of individuals affected by the incident
- Description of the steps that the custodian has taken or intends to take to reduce the risk of harm
- Contact information for the custodian or their responsible affiliate (privacy officer)
- Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):
- Description of the circumstances
- Date or time period during which the incident occurred
- Name of the custodian
- Description of the type of information that was lost, accessed, or disclosed
- Risk of harm to an individual and an explanation of how the risk of harm was assessed
- Description of the steps that the custodian has taken or intends to take to reduce the risk of harm to the individual
- Plans to prevent the risk of future loss, or unauthorized access or disclosure
- Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
- A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
- Contact information for the custodian or their responsible affiliate (privacy officer)
- Any other relevant information

YOUR NEXT STEPS

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:
- Privacy breach management policy
- Privacy and security incident response plan
- Training for your privacy officer, management team, and custodians
- Human resources privacy breach discipline policy, and
- Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the "4 Step Response Plan".

This on-line education with quick and helpful
- 6 interactive lessons
- 60 minute training webinar
- Video introduction to each lesson
- Scenarios and examples
- Template policy and procedures
- Downloadable resources, checklists, and templates
will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See:
These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018
Health Information Amendment Regulation
Office of the Information and Privacy Commissioner
Statutes Amendment Act, 2014, Chapter 8, Health Information Act

You need to know how mandatory privacy breach reporting will affect you!
Register for the Free Webinar with Jean L. Eaton
Your Practical Privacy -privacy-breach-reporting
