On August 31st, new provisions in Alberta’s Health Information Act will come into force that have important implications for users and providers of cloud computing services.
These provisions impose new breach reporting obligations on healthcare service providers and other individuals and entities subject to the Health Information Act.
However, it is important for cloud computing service providers to know that they also have a statutory duty to report certain types of breaches to their custodians – irrespective of what the cloud computing contract says and irrespective of whether the breach is a result of an error or omission by the cloud computing service provider.
What happens on August 31st?
Beginning on August 31st, custodians in Alberta that are covered by the Health Information Act will be required to report certain privacy breaches to the Office of the Information and Privacy Commissioner of Alberta (OIPC), the Minister of Health, and affected individuals. In addition, an affiliate of a custodian (such as an information manager) will have a duty to report certain privacy breaches to the custodian. In each case, the report must be made as soon as practicable.
What are the penalties for noncompliance?
Failure to comply with the new breach reporting provisions is a provincial offence. Fines for noncompliance range between $200,000 and $500,000 for organizations and between $2,000 and $10,000 for individuals. Alberta has a track record of prosecuting Health Information Act offences.
Who are custodians?
Custodians include a wide-range of healthcare service providers and stakeholders in the Alberta healthcare sector. Custodians include regulated health professionals (like doctors, pharmacists, and dentists), healthcare service delivery organizations (like hospitals, nursing homes, and ambulance operators) as well as other governmental bodies involved in the healthcare sector (like provincial health boards, regional health authorities and community health councils).
What do cloud service providers have to do?
A cloud service provider may be an “affiliate” under the Alberta Health Information Act. Cloud service providers should obtain legal advice as to whether they fall under the definition of “affiliate” in the Health Information Act and, if they operate outside of Alberta, whether they are subject to Alberta’s jurisdiction when they provide services to Alberta entities.
Beginning August 31, affiliates have direct obligations under the Health Information Act to notify the custodian of any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian. Reports must contain prescribed information and be made as soon as is practicable.
An “affiliate” includes (among others) “information service managers” and other individuals and entities that perform a service for a custodian under a contractual relationship. An “information service manager” is an individual or organization that does any of the following:
- processes, stores, retrieves or disposes of health information,
- strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information, or
- provides information management or information technology services.
What do custodians have to do?
Custodians should ensure that they have implemented policies, procedrues and training to meet their new statutory obligation to give notice of any loss of individually identifying health information or unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure. The notice must be given as soon as practicable and contained certain prescribed information.
Custodians should ensure that their cloud service providers are aware of their broad obligation to report privacy breaches in accordance with these new provisions. Custodians should review their contracts to make sure that the terms relating to breach notification are broad enough to cover the scope of what is reportable under the Health Information Act. This is particularly important if there is an argument that the cloud service provider is beyond Alberta’s jurisdictional reach.
In addition, custodians should ensure that all individually identifying health information is encrypted at rest and in transit. Effective encryption is a factor that may avoid having a reportable breach. The Regulations provide that if a custodian is able to demonstrate that the information was encrypted and could not be accessed or would be unintelligible, the custodian is not required to give notice of the loss or unauthorized access or disclosure to the OIPC, the Ministry or the individual.
Do these provisions only cover unauthorized access by to or disclosure of health information to third parties?
No, the provisions are not limited to access by or disclosure to third parties. Unauthorized internal access and unauthorized disclosure between custodians are subject to the breach reporting provisions.
Do cloud service providers only have to report breaches where there is a risk of harm?
No, the risk of harm analysis test does not apply to cloud service providers. Whether there is a risk of harm is for the custodian to decide.
What factors can the custodian consider when evaluating a risk of harm?
The Regulations set out a non-exhaustive list of factors to be considered by the custodian when considering whether there is a risk of harm to an individual. These factors include (but are not limited to) whether:
- the information has been or may be accessed and/or disclosed
- the information has been misused or will be misused;
- the information could be used for the purpose of identity theft or to commit fraud;
- the information could cause embarrassment or physical, mental or financial harm to or damage to the reputation of the affected individual;
- the breach has adversely affected or will adversely affect the provision of a health service to the individual;
- the information was encrypted or otherwise secured in a manner that would prevent the information from unauthorized access or render the information unintelligible by a person who is not authorized to access the information;
- the information was lost in circumstances in which the information was destroyed or rendered inaccessible or unintelligible;
- the information was not accessed before it was recovered if it was recovered; and
- any access or disclosure was only to a custodian or an affiliate and (i) that person is subject to confidentiality policies and procedures that meet the requirements of the Act, (ii) the person accessed the information in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper purpose, and (iii) the individual did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.
Find the amendments to the Health Information Act here.
The amendments to the Regulations can be found here.