Privacy Breach Response and Reporting


1 Privacy Breach Response and Reporting
Under the Health Information Act August 2018

2 Disclaimer This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Personal Information Protection Act, the Health Information Act, the Freedom of Information and Protection of Privacy Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of the Alberta Queen’s Printer at

3 What is a Privacy Breach under the HIA?
A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of individually identifying health information. (Section 60.1 of the HIA)

4 Mandatory Breach Notification and Reporting
If a privacy breach occurs, and a custodian determines there is a risk of harm to the individual, the custodian must notify (section 60.1(3)):
- Individual(s) affected
- The Information and Privacy Commissioner
- The Minister of Health
Affiliates, which include but are not limited to a custodian’s employees, service providers or information managers, must also notify the custodian when a privacy breach occurs (section 60.1(1)).

5 Determining Risk of Harm
The Health Information Regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information:
- Has been or may be accessed by a person
- Has been or may be disclosed to a person
- Has been misused or will be misused
- Could be used for identity theft or to commit fraud
- Could cause embarrassment
- Could cause physical, mental or financial harm
- Could damage an individual’s reputation
- Could adversely affect the provision of a health service to the individual

What is not a reportable privacy breach under the HIA?
Section 8.1(2) of the Health Information Regulation outlines the scenarios in which a custodian is not required to give notice of a privacy breach. Those scenarios include the custodian being able to demonstrate that one of the following factors applies:
- Electronic information was encrypted in a way that would prevent the information from being accessed by a person who is not authorized to access it, or encryption would render the information unintelligible
- Information was lost and destroyed, or lost and rendered inaccessible or unintelligible
- Information was lost and not accessed before it was recovered
- Information was disclosed but the only person who accessed the information:
  - Was a custodian or an affiliate
  - Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the HIA
  - Accessed it in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper use, and
  - Did not further use or disclose the information except for determining there had been an error in order to address the unauthorized access or disclosure
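As an added illustration (not from the presentation), the triage logic on this slide and on slide 4 written as a Python helper: it applies the section 8.1(2) exceptions to a structured breach record and, if none applies and a risk of harm was found, lists who section 60.1 requires to be notified. The record's field names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed breach record; the field names are assumptions made for this example,
# not terms defined by the HIA or the Regulation.
@dataclass
class Breach:
    encrypted: bool = False                  # encryption renders the information unintelligible
    lost: bool = False
    destroyed_or_inaccessible: bool = False  # lost and destroyed / rendered inaccessible
    accessed_before_recovery: bool = True    # False only if recovered without being accessed
    disclosed: bool = False
    recipient_custodian_or_affiliate: bool = False
    recipient_bound_by_s60_policies: bool = False
    accessed_within_duties: bool = False
    recipient_further_used: bool = False
    risk_factors: set = field(default_factory=set)  # Regulation s. 8.1(1) factors found to apply
    notice_would_harm_health: bool = False   # s. 60.1(5) ground for not notifying the individual


def exemption(b: Breach) -> Optional[str]:
    """Return the Regulation s. 8.1(2) ground that removes the duty to notify, or None."""
    if b.encrypted:
        return "encrypted and unintelligible to unauthorized persons"
    if b.lost and b.destroyed_or_inaccessible:
        return "lost and destroyed or rendered inaccessible"
    if b.lost and not b.accessed_before_recovery:
        return "lost and not accessed before recovery"
    if (b.disclosed and b.recipient_custodian_or_affiliate
            and b.recipient_bound_by_s60_policies and b.accessed_within_duties
            and not b.recipient_further_used):
        return "accessed only by a custodian/affiliate acting within their duties"
    return None


def notification_plan(b: Breach, reported_by_affiliate: bool = False) -> dict:
    """Decide who must be notified under s. 60.1 for this breach record."""
    plan = {"notify": [], "reason": ""}
    if reported_by_affiliate:
        plan["notify"].append("custodian")  # s. 60.1(1): affiliates always tell the custodian
    ground = exemption(b)
    if ground:
        plan["reason"] = "exempt under Reg. 8.1(2): " + ground
        return plan
    if not b.risk_factors:
        plan["reason"] = "no risk of harm identified; record the assessment"
        return plan
    plan["notify"] += ["Commissioner", "Minister of Health"]
    if b.notice_would_harm_health:
        plan["notify"].append("Commissioner (decision not to notify individual, s. 60.1(5))")
    else:
        plan["notify"].append("affected individuals")
    plan["reason"] = "risk of harm: " + ", ".join(sorted(b.risk_factors))
    return plan
```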

6 Offences and Penalties
As of August 31, 2018, there are offence and penalty provisions if a health custodian:
- Fails to report a breach (failure by a custodian to notify affected individuals, the Commissioner and the Minister of Health; and failure by an affiliate to notify a custodian)
- Does not take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards
A person who is found guilty of one of these offences is liable to fines (section 107(7)).

Under section 107(1.1) it is an offence for a custodian:
- to fail to take reasonable steps in accordance with the HIA regulations to maintain administrative, technical and physical safeguards that will protect against any reasonably anticipated threat or hazard to the security or integrity of health information or of loss of health information
- to fail to give notice of a reportable privacy breach under section 60.1(2) of HIA to the Commissioner, the Minister of Health and affected individuals, in accordance with section 60.1(3) of HIA
- to fail to consider all relevant factors, including the factors prescribed by regulations, in assessing whether there is a risk of harm to an individual for determining whether notice of a privacy breach must be given, in accordance with section 60.1(4) of HIA
- to fail to give notice to the Commissioner of a decision not to notify an affected individual of a privacy breach in accordance with section 60.1(5)
Under section 107(1.2), it is also an offence for an affiliate of a custodian to fail to notify the custodian in accordance with section 60.1(1) of HIA of a privacy breach of individually identifying health information in the custody or control of the custodian.

If guilty of an offence, an individual is subject to a fine of between $2,000 and $10,000, and any other person to a fine of between $200,000 and $500,000 (section 107(7)).

7 Common Breaches Reported to the OIPC
- Loss or theft of unencrypted mobile devices (e.g. laptops, USB sticks)
- Misdirected communications (via email, fax or mail)
- Employee “snooping” of patient or customer records
- Hacking of computer servers and websites
- Malicious software (“malware”) attacks, including ransomware
- Phishing or social engineering attacks
- Failure to wipe hard drives of computers and other devices prior to their being resold
- Stolen paper records from an office or an employee’s vehicle or home
- Improper disposal of records or devices

8 How to Avoid Privacy Breaches …as much as possible
- Review organization practices
- Conduct privacy impact assessments for new or changed systems and processes
- Conduct security reviews, audits and penetration tests
- Develop and implement policies and procedures
- Implement staff training and awareness on systems, processes, policies and procedures

It’s not a matter of if you will experience a privacy breach, but when. There are steps to be taken to help minimize the risk of one.

Privacy impact assessments are required to be submitted to the OIPC under section 64 of the HIA. A PIA is meant for proposed legislative schemes, administrative practices and/or information systems that relate to the collection, use or disclosure of individually identifying personal or health information. More information and a guide for completing PIAs are available from

Proactively minimize the risk of a privacy breach by:
- Starting with collection, use and disclosure practices: limit the collection, use and disclosure of health information to only what is required for a certain purpose
- Training, training and more training, so you and your staff are aware of ways to protect health information once collected
- Knowing what individually identifying health information you have, where it is and what you are doing with it:
  - What health information do you need to protect? Take an inventory
  - When and where do you collect health information?
  - Where does the information go?
  - Who can access it and what do they do with it?

You must understand your data before you can protect it!

9 Duty to Protect
Does a breach mean that you failed in the duty to protect health information? Yes and no:
- Breaches may occur despite reasonable safeguards
- Breaches may reveal gaps in privacy and security arrangements that should or must be addressed in response to a breach

Mitigation plans may include:
- Unauthorized collection, use or disclosure by internal or authorized parties
- Unauthorized collection, use or disclosure by external parties
- Loss of integrity
- Loss or destruction, or loss of use
- Unauthorized collection, use or disclosure by a contractor or business partner

Know your vulnerabilities. For example:
- Are third parties collecting health information for you?
- Do you use paper-based application forms? How do these get to where they need to be protected? If you lose a paper-based form, how do you know who to contact about a possible loss of their information?
- What happens when you upgrade your computer systems? Do the old systems remain active and properly updated or secured?

You must try to identify your weak spots before a breach identifies them for you.

10 Plan Your Breach Response
- Assume you will have a privacy breach, despite your best efforts
- Identify a breach response team ahead of time
- Establish a policy and plan regarding breaches
- Practice makes perfect – test your plan and make sure staff are educated and trained on it

11 Breach Response Pitfalls
- No written breach response plan – required as a reasonable safeguard
- No backup person when decision makers are away
- Scrambling to secure external agencies (e.g. forensic audit company, law firm, etc.)
- Waiting for "perfect" information
- Improper risk assessment of the harm to individuals
- No internal communication and/or action plan
- Vague notification to affected individuals – leads to complaints
- Not reporting a privacy breach at all

The OIPC released an investigation report in December 2015 that looked into the health sector’s preparedness for mandatory breach notification and reporting requirements. The office notes in the investigation that custodians have breach response policies and protocols in place when reviewing privacy impact assessments. The report recommends that not only should custodians have written breach response policies and procedures, but staff should be made aware of their obligations under these policies, which now need to consider the mandatory breach notification requirements under HIA.

12 Steps to Respond to Privacy Breaches
- Step One: Contain the Breach
- Step Two: Evaluate the Risks
- Step Three: Notification and Reporting
- Step Four: Prevention

The OIPC Key Steps in Responding to Privacy Breaches Guide, available at , outlines the four steps to respond to privacy breaches.

13 Step One: Contain the Breach
- Take immediate steps to stop the breach
- Take corrective action
- Investigate what happened
- Gather information and start the risk assessment

14 Step Two: Evaluate the Risks
- What was the cause and extent of the breach?
- Who are the affected individuals?
- What information was involved?
- What is the possible harm?
- Consider all relevant factors, including those in the Health Information Regulation (section 8.1)

This information is repeated from the slide on “Determining Risk of Harm”. The Health Information Regulation requires custodians to consider all relevant factors when assessing risk, such as whether there is a reasonable basis to believe that health information:
- Has been or may be accessed by a person
- Has been or may be disclosed to a person
- Has been misused or will be misused
- Could be used for identity theft or to commit fraud
- Could cause embarrassment
- Could cause physical, mental or financial harm
- Could damage an individual’s reputation

15 Step Three: Breach Notification and Reporting
Who should or must we notify?
- Legislated or contractual obligations
- Office policies and procedures
- Risk of harm to affected individuals

When should or must notification occur?
- “As soon as practicable” (section 60.1(2) of the HIA)

16 Step Three: Notification and Reporting
Under the Health Information Regulation, there are certain elements notices must include when notices are given by:
- Affiliates to the custodian (section 8.2(1) of the Regulation)
- Custodians to the Commissioner (section 8.2(2) of the Regulation)
- Custodians to the Minister of Health (section 8.2(3) of the Regulation)
- Custodians to the affected individual(s) (section 8.2(4) of the Regulation)

This presentation does not go into detail on how to notify the Minister of Health, since Alberta Health provides guidance on reporting a breach to the Minister of Health. Alberta Health also provides more information related to breach reporting in its “Health Information Act Guidelines and Practices Manual”. These resources are available from . You may also phone or email the HIA Help Desk at or .

17 Step Three: Notification and Reporting
The Health Information Regulation outlines what a notice to an individual must include (section 8.2(4)). When notifying affected individuals:
- Be open and honest
- Explain what happened and what you are doing
- Offer support
- Be prepared to answer questions or develop FAQs

Section 8.2(4) of the Health Information Regulation: A notice to an individual of a loss of or unauthorized access to or disclosure of individually identifying health information under section 60.1(2) of the Act must be in writing and must include:
- a description of the circumstances of the loss or unauthorized access or disclosure,
- the date on which or period of time within which the loss or unauthorized access or disclosure occurred,
- the name of the custodian who had custody or control of the health information at the time of the loss or unauthorized access or disclosure,
- a non‑identifying description of the type of information that was lost or that was the subject of the unauthorized access or disclosure,
- a description of the risk of harm to the individual as a result of the loss or unauthorized access or disclosure, including a description of the type of harm and an explanation of how the risk of harm was assessed,
- a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of harm to the individual as a result of the loss or unauthorized access or disclosure,
- a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of a future loss or unauthorized access or disclosure,
- a description of any steps that the custodian believes the individual may be able to take to reduce the risk of harm to the individual,
- a statement that the individual may ask the Commissioner to investigate the loss or unauthorized access or disclosure that includes contact information for the Office of the Information and Privacy Commissioner,
- the name and contact information for a person who is able to answer questions on behalf of the custodian about the loss or unauthorized access or disclosure, and
- any other information that the custodian considers relevant.

18 Step Three: Notification and Reporting
When reporting to the OIPC:
- Use the Privacy Breach Report Form for Use by Organizations, Custodians and Public Bodies
- Review the Reporting a Breach to the Commissioner Practice Note to help guide custodians in completing the form
- Be prepared to answer questions, if required
Resources are available on the “How to Report a Breach” webpage, available from the homepage.

A custodian may decide not to notify one or more affected individuals of a privacy breach if notification could reasonably be expected to result in a risk of harm to the individual’s mental or physical health. In such cases, the custodian must immediately notify the Commissioner of the decision not to give notice of the privacy breach to the individual (HIA, section 60.1(5)). An appendix to the OIPC’s Privacy Breach Report Form includes the information the Commissioner requires when a custodian decides not to give notice of a privacy breach to individuals.

Section 8.2(2) of the Health Information Regulation states the notice of a breach to the Commissioner must be in writing in a form approved by the Commissioner and include the following information:
- the name of the custodian who had custody or control of the information at the time of the breach
- a description of the circumstances of the breach
- the date on which or period of time within which the breach occurred
- the date on which the breach was discovered
- a non-identifying description of the type of information that was the subject of the breach
- a non-identifying description of the risk of harm to an individual as a result of the breach, including a description of the type of harm and an explanation of how the risk of harm was assessed that includes a non-identifying description of the custodian’s consideration of the factors referred to in section 8.1(1), including any relevant factors not detailed in that section
- the number, or if the number cannot be determined, an estimate of the number, of individuals to whom there is a risk of harm as a result of the breach
- a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of harm to an individual as a result of the breach
- a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of a future breach
- a non-identifying copy of the information that has been or will be provided in the notice to the affected individuals, together with a statement indicating the method referred to in section 103 of HIA that has been or will be used to give notice to the individuals
- if the custodian is requesting the authorization of the Commissioner to give notice to an individual by substitutional service under section 103(c) of HIA, the request together with a statement of the reasons for the request
- the name and contact information for a person who is able to answer questions on behalf of the custodian about the breach
- any other information that the custodian considers relevant

19 Step Four: Prevention
- Develop or improve safeguards
- Review and update policies and procedures, as needed
- Regularly educate and train staff on safeguards and policies
- Audit to ensure the prevention plan has been implemented

20 Resources
- OIPC – How to Report a Privacy Breach
- Alberta Health – HIA Guidelines and Practices Manual
- Alberta Health – HIA Help Desk: toll free by dialing , followed by

21 Thank you
