Responding to a Privacy Breach

What is a Privacy Breach?

A privacy breach means a loss of, unauthorized access to, or unauthorized disclosure of individually identifying health information.

Types of Breaches (with examples)
  • Loss of health information: loss of electronic or paper files
  • Unauthorized access: an individual accesses information that they were not authorized to access
  • Unauthorized disclosure of individually identifying health information: a deliberate or accidental disclosure of individually identifying health information

The custodian has a duty to respond when there is a privacy breach.

The Health Information Act (Section 60) states that a custodian must give notice as soon as practical for a breach if it results in a risk of harm to an individual.

Action Steps

  1. Report suspected breach to Privacy Officer

    Report the potential breach to the clinic’s privacy officer immediately.

  2. Contain the breach

    If the breach is ongoing, take immediate steps to contain the breach. Examples of breach containment include:

    • Call the police for theft or criminal activity
    • Recover records
    • Stop the unauthorized activity
    • Correct weaknesses in physical security
    • Contact IT

  3. Evaluate the risk of harm

  4. Mandatory reporting to the OIPC

    Start collecting the required information by filling out the AMA Breach Documentation Form. Parts A to D below reference the sections of the Breach Documentation Form.

    Be sure to describe any steps that the custodian has taken to address the current breach and steps they are intending to take, to reduce the risk of future breaches. This information will be needed in your report to the OIPC and Minister of Health.

    Don't forget to keep a copy of the Breach Documentation Form and all other documents that were used to report the breach in a secure location for your clinic's record of the breach investigation and follow up.

    Breach Documentation Form

  5. Mitigation

    Review and update your clinic’s privacy risk mitigation strategies regularly.

    • Review and update safeguards
    • Update policies and procedures
    • Educate and train your clinic team. Enrol your entire team for free AMA Privacy Training on Learn@AMA.

Sections of Breach Documentation

Collect all relevant information about the breach.

  • Once the breach has been contained, use Part A of the form to collect all relevant information about the breach. The information will be necessary when you report your breach to the required parties.
  • Be as specific as possible in your descriptions.

Determine if there is a risk of harm.

  • The Health Information Regulation defines the factors custodians must consider when assessing the risk of harm. Part B of the form will assist you in assessing the risk.
  • If you answer Yes to any of the questions, the breach may be reportable.

Evaluate the mitigating factors that a custodian must consider in reporting a breach.

  • A custodian may decide that notification is necessary even when mitigating factors are present. Each situation is unique and all factors should be considered.

Report the breach and document mitigation strategies and implementation.

If your clinic determined that there has been a reportable privacy breach, you must notify the Office of the Information and Privacy Commissioner of Alberta (OIPC), Alberta Health (Minister), and the affected individual as soon as practicable with: