What is a Privacy Breach?
A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of individually identifying health information.
Types of Breaches | Examples
The custodian has a duty to respond when there is a privacy breach.
The Health Information Act (Section 60) states that a custodian must give notice of a breach as soon as practicable if it results in a risk of harm to an individual.
Action Steps
- Report suspected breach to Privacy Officer: Report the potential breach to the clinic's privacy officer immediately.
- Contain the breach: If the breach is ongoing, take immediate steps to contain it. Examples of breach containment include:
  - Call the police for theft or criminal activity
  - Recover records
  - Stop the unauthorized activity
  - Correct weaknesses in physical security
  - Contact IT
- Evaluate the risk of harm
- Mandatory reporting to the OIPC
Start collecting the required information by filling out the AMA Breach Documentation Form. Parts A to D below reference the sections of the Breach Documentation Form.
Breach Documentation Form
Be sure to describe any steps the custodian has taken to address the current breach and any steps they intend to take to reduce the risk of future breaches. This information will be needed in your report to the OIPC and the Minister of Health.
Don't forget to keep a copy of the Breach Documentation Form and all other documents used to report the breach in a secure location, as your clinic's record of the breach investigation and follow-up.
- Mitigation: Review and update your clinic's privacy risk mitigation strategies regularly.
- Review and update safeguards
- Update policies and procedures
- Educate and train your clinic team. Enrol your entire team for free AMA Privacy Training on Learn@AMA.
Sections of the Breach Documentation Form
Collect all relevant information about the breach.
- Once the breach has been contained, use Part A of the form to collect all relevant information about the breach. The information will be necessary when you report your breach to the required parties.
- Be as specific as possible in your descriptions.
Determine if there is a risk of harm.
- The Health Information Regulation defines the factors custodians must consider when assessing the risk of harm. Part B of the form will assist you in assessing the risk.
- If you answer Yes to any of the questions, the breach may be reportable.
Evaluate the mitigating factors that a custodian must consider in reporting a breach.
- A custodian may decide that notification is necessary even when mitigating factors are present. Each situation is unique and all factors should be considered.
Report the breach and document mitigation strategies and implementation.
If your clinic determined that there has been a reportable privacy breach, you must notify the Office of the Information and Privacy Commissioner of Alberta (OIPC), Alberta Health (Minister), and the affected individual as soon as practicable with:
- OIPC Breach Reporting Form
- Notification to Alberta's Minister of Health form (Please note: to properly fill out and submit this form, you must open it in Adobe Acrobat Reader or another PDF reader; it may not function correctly in your web browser.)
- Notification to Patients Affected by Privacy Breach