A suspected privacy breach must be identified and immediately reported to the clinic privacy officer and clinic manager. The privacy officer initiates the following key steps in responding to a privacy breach:
- Contain the Breach
  - Take immediate steps to stop the breach
  - Take corrective action
  - Investigate what happened
  - Gather information and start the risk assessment
- Analyze the level of risk and harm to the patient
  - What was the cause and extent of the breach?
  - Who are the affected individuals?
  - What information was involved?
  - What is the possible harm?
  - Consider all relevant factors, including those in the Health Information Regulation (section 8.1)

  Tool Tip: Find a Risk of Harm checklist within the Breach Management Policy.
- Reporting, notification and follow up based on the level of risk
  - Who should or must we notify?
    - Legislated or contractual obligations
    - Risk of harm to affected individuals
  - When should or must notification occur?
    - “As soon as practicable” (section 60.1(2) of the HIA)
- Mitigation to prevent future breaches
  - Develop or improve safeguards
  - Review and update policies and procedures, as needed
  - Regularly educate and train staff on safeguards and policies
  - Audit to ensure the prevention plan has been implemented