Informatics

Amendments to Alberta's Health Information Act

The new amendments to Alberta’s Health Information Act (HIA) came into force on August 31, 2018. These changes will have significant implications for members of the Faculty of Medicine & Dentistry (FoMD), so please take a minute or two to get up to speed, and Get HIP!

What is the Health Information Act?

Alberta’s HIA is a provincial privacy statute that governs the collection, use and disclosure of health information by certain health-care professionals, organizations and their employees. The amendments to the HIA introduced mandatory privacy breach notification requirements, with fines for contravening those requirements ranging from $2,000 to $500,000.

Who do these requirements apply to?

The HIA generally applies to

  • custodians” of health information, which includes physicians, dentists, regional health authorities such as Alberta Health Services (AHS), and several other parties listed in the HIA and its regulations; and
  • affiliates” of custodians, which generally includes individuals employed by a custodian or contracted to perform services for a custodian, such as physicians providing health services in an AHS- or Covenant Health-managed hospital. Employees of the FoMD might be affiliates if they provide information management or technology services for custodians. The new HIA amendments apply to both custodians and affiliates.

Health-care providers such as physicians may be custodians in one circumstance, but affiliates—often to AHS—in a different context. For example, depending on how and where health care is delivered, a physician or dentist might be a custodian for their own Electronic Medical Record (“EMR”) or when when they access Netcare from a private office, but may be an affiliate when using AHS’ eClinician (or Connect Care when implemented), or accessing Netcare within an AHS facility.

For additional information about who qualifies as a custodian, please see Custodians as Defined in the Health Information Act, published by the university’s Information & Privacy Office (IPO), or contact Steve Hughes, the FoMD’s Health Information Privacy Advisor.

What are the requirements?

  • Affiliates of a custodian must notify the custodian of any loss or breach of individually identifying health information in the custody or control of the custodian.
  • Custodians must provide notice of any loss or breach of individually identifying health information where there is a risk of harm to the affected individual. This notice must be provided to
    • the Alberta Office of the Information & Privacy Commissioner (OIPC);
    • the Alberta Minister of Health; and
    • the affected individual.

The Health Information Regulation was also amended to provide additional guidance for custodians in determining if a loss or breach constitutes a risk of harm. Section 8.1 of the Regulation provides a non-exhaustive list of factors to consider, including whether there is a reasonable basis to believe that

  • the information may have been accessed by someone, could be used to commit identity theft or fraud or could be misused;
  • the information could cause embarrassment or physical, mental, financial or reputational harm to the affected individual; or
  • the loss or breach could adversely affect the provision of a health service to the affected individual.

Exceptions

The custodian may not need to provide notice if it can be demonstrated that the lost or breached information

  • was encrypted at the time of loss or breach, or secured in a manner that rendered the information inaccessible or unintelligible to unauthorized persons;
  • was destroyed;
  • was recovered without having been accessed; or
  • was only accessed by or disclosed to a custodian or affiliate who is subject to appropriate confidentiality policies, and who only accessed the information in accordance with that person’s duties or only used or disclosed the information for the purposes of identifying and addressing the breach.

Note that these exceptions do not apply to an affiliate’s obligation to notify the custodian of a loss or breach.

Penalties

Under the new amendments, it will be an offence for any party to fail to meet these new breach notification and reporting requirements. In addition, it will be an offence for a custodian to fail to maintain appropriate safeguards for protecting against any reasonably anticipated threat to the security or integrity of health information in its custody or control.

An individual who commits an offence under these amendments may be subject to a fine ranging from $2,000 - $10,000, and an organization may be subject to a fine ranging from $200,000 - $500,000 (note that greater individual penalties may exist for contravening other sections of the HIA).

Therefore, all custodians should review their practices to ensure appropriate safeguards are in place. For example, custodians using a non-AHS EMR or non–AHS clinical information system, such as Healthquest, Telus MedAccess, Telus Wolf, etc., should ensure they have a current Privacy Impact Assessment in place regarding its use, and ensure they are following the University of Alberta’s encryption procedure and email privacy and security best practices when considering storing or transmitting health information. Instructions on how to encrypt PDFs, Word or Excel documents can be found here on the university’s IPO website.

Conclusion

The penalties for failing to comply with these new HIA amendments can be significant, and the Alberta government has demonstrated a willingness to investigate and prosecute offences in the past (the most recent prosecution concluded in June of this year, with an individual fine of $3,000, as reported by Global News here).

For more information regarding what your obligations or liability might be under these amendments, how to avoid contravening them, or regarding Privacy Impact Assessments or other privacy-related matters, please review the links below or contact the FoMD’s Health Information Privacy Advisor at 780.492.7111 or steve.hughes@ualberta.ca.

Note: None of the stated above should be construed as legal advice, but rather as information regarding compliance with applicable privacy law and university policy.

Other Links: