O.C. 121/2018
May 8, 2018

A.R. 60/2018

May 9, 2018


The Lieutenant Governor in Council makes the Health Information Amendment Regulation set out in the attached Appendix.

For Information only

Recommended by: Minister of Health

Authority: Health Information Act (section 108)



APPENDIX

Health Information Act

HEALTH INFORMATION AMENDMENT REGULATION

1   The Health Information Regulation (AR 70/2001) is amended by this Regulation.


2   Section 5(2) is amended

    (a)  by repealing clause (g.1);

    (b)  in clause (g.2) by striking out “Minister of Human Services” and substituting “Minister of Justice and Solicitor General”;

    (c)  in clause (g.3) by striking out “Minister of Human Services” and substituting “Minister of Community and Social Services”;

    (d)  by repealing clause (h) and substituting the following:

        (h)  the Minister of Community and Social Services for the purpose of administering the income and employment programs of the Department of Community and Social Services;


3   Section 7 is amended by adding “or” at the end of clause (a) and repealing clause (b).


4   Section 8 is amended by adding the following after subsection (5.1):

(5.2)  Subsection (4) does not apply to health information that is disclosed to a person in a jurisdiction outside Alberta under a regulation made under section 241.31(3) of the Criminal Code (Canada).


5   The following is added after section 8:

Assessment of risk of harm

8.1(1)  In assessing under section 60.1(4) of the Act whether there is a risk of harm to an individual as a result of a loss of or an unauthorized access to or disclosure of individually identifying health information, a custodian must consider each of the following factors in addition to any other relevant factors:

    (a)  whether there is a reasonable basis to believe that the information has been or may be accessed by or disclosed to a person;

    (b)  whether there is a reasonable basis to believe that the information has been misused or will be misused;

    (c)  whether there is a reasonable basis to believe that the information could be used for the purpose of identity theft or to commit fraud;

    (d)  whether there is a reasonable basis to believe that the information is of a type that could cause embarrassment or physical, mental or financial harm to or damage the reputation of the individual who is the subject of the information;

    (e)  whether there is a reasonable basis to believe that the loss of or unauthorized access to or disclosure of the information has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information;

    (f)  in the case of electronic information, whether the custodian is able to demonstrate that the information was encrypted or otherwise secured in a manner that would

        (i)  prevent the information from being accessed by a person who is not authorized to access the information, or

        (ii)  render the information unintelligible by a person who is not authorized to access the information;

    (g)  in the case of a loss of information, whether the custodian is able to demonstrate that the information was lost in circumstances in which the information was

        (i)  destroyed, or

        (ii)  rendered inaccessible or unintelligible;

    (h)  in the case of a loss of information that is subsequently recovered by the custodian, whether the custodian can demonstrate that the information was not accessed before it was recovered;

    (i)  in the case of an unauthorized access to or disclosure of information, whether the custodian is able to demonstrate that the only person who accessed the information or to whom the information was disclosed

        (i)  is a custodian or an affiliate,

        (ii)  is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act,

        (iii)  accessed the information in a manner that is in accordance with the person’s duties as a custodian or affiliate and not for an improper purpose, and

        (iv)  did not use or disclose the information except in determining that the information was accessed by or disclosed to the person in error and in taking any steps reasonably necessary to address the unauthorized access or disclosure.

(2)  If a custodian is able to demonstrate that a circumstance set out in subsection (1)(f) to (i) applies in the case of a loss of or unauthorized access to or disclosure of individually identifying health information, the custodian is not required to give notice of the loss or unauthorized access or disclosure under section 60.1(2) of the Act.

Notice of loss or unauthorized access or disclosure

8.2(1)  A notice to a custodian under section 60.1(1) of the Act must

    (a)  if the custodian has established requirements respecting the notice, meet any requirements respecting form and contents established by the custodian, or

    (b)  if the custodian has not established requirements respecting the notice, be in writing and include

        (i)  a description of the circumstances of the loss or unauthorized access or disclosure,

        (ii)  the date on which or period of time within which the loss or unauthorized access or disclosure occurred,

        (iii)  the date on which the loss or unauthorized access or disclosure was discovered, and

        (iv)  a description of the information that was lost or that was the subject of the unauthorized access or disclosure.

(2)  A notice to the Commissioner of a loss of or an unauthorized access to or disclosure of individually identifying health information under section 60.1(2) of the Act must be in writing in a form approved by the Commissioner and must include

    (a)  the name of the custodian who had custody or control of the information at the time of the loss or unauthorized access or disclosure,

    (b)  a description of the circumstances of the loss or unauthorized access or disclosure,

    (c)  the date on which or period of time within which the loss or unauthorized access or disclosure occurred,

    (d)  the date on which the loss or unauthorized access or disclosure was discovered,

    (e)  a non-identifying description of the type of information that was lost or that was the subject of the unauthorized access or disclosure,

    (f)  a non-identifying description of the risk of harm to an individual as a result of the loss or unauthorized access or disclosure, including a description of the type of harm and an explanation of how the risk of harm was assessed that includes a non-identifying description of the custodian’s consideration of the factors referred to in section 8.1(1), including any relevant factors not detailed in that section,

    (g)  the number, or if the number cannot be determined, an estimate of the number, of individuals to whom there is a risk of harm as a result of the loss or unauthorized access or disclosure,

    (h)  a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of harm to an individual as a result of the loss or unauthorized access or disclosure,

    (i)  a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of a future loss or unauthorized access or disclosure,

    (j)  a non-identifying copy of the information that has been or will be provided in the notice to the individual who is the subject of the individually identifying health information referred to in subsection (4), if applicable, together with a statement indicating the method referred to in section 103 of the Act that has been or will be used to give notice to the individual, if applicable,

    (k)  if the custodian is requesting the authorization of the Commissioner to give notice to an individual by substitutional service under section 103(c) of the Act, the request together with a statement of the reasons for the request,

    (l)  the name and contact information for a person who is able to answer questions on behalf of the custodian about the loss or unauthorized access or disclosure, and

    (m)  any other information that the custodian considers relevant.

(3)  A notice to the Minister of a loss of or an unauthorized access to or disclosure of individually identifying health information under section 60.1(2) of the Act must be in writing in a form approved by the Minister and must include the information set out in subsection (2)(a), (b), (e), (f), (g), (h), (l) and (m).

(4)  A notice to an individual of a loss of or unauthorized access to or disclosure of individually identifying health information under section 60.1(2) of the Act must be in writing and must include

    (a)  a description of the circumstances of the loss or unauthorized access or disclosure,

    (b)  the date on which or period of time within which the loss or unauthorized access or disclosure occurred,

    (c)  the name of the custodian who had custody or control of the health information at the time of the loss or unauthorized access or disclosure,

    (d)  a non-identifying description of the type of information that was lost or that was the subject of the unauthorized access or disclosure,

    (e)  a description of the risk of harm to the individual as a result of the loss or unauthorized access or disclosure, including a description of the type of harm and an explanation of how the risk of harm was assessed,

    (f)  a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of harm to the individual as a result of the loss or unauthorized access or disclosure,

    (g)  a description of any steps that the custodian has taken or is intending to take, as of the date of the notice, to reduce the risk of a future loss or unauthorized access or disclosure,

    (h)  a description of any steps that the custodian believes the individual may be able to take to reduce the risk of harm to the individual,

    (i)  a statement that the individual may ask the Commissioner to investigate the loss or unauthorized access or disclosure that includes contact information for the Office of the Information and Privacy Commissioner,

    (j)  the name and contact information for a person who is able to answer questions on behalf of the custodian about the loss or unauthorized access or disclosure, and

    (k)  any other information that the custodian considers relevant.

Notice to Commissioner of decision not to give notice

8.3   A notice to the Commissioner under section 60.1(5) of the Act of a decision not to give notice to an individual must

    (a)  be in writing in a form approved by the Commissioner,

    (b)  have attached as an appendix the notice required to be provided to the Commissioner in respect of the matter under section 60.1(2) of the Act, and

    (c)  set out the total number, or if the number cannot be determined, an estimate of the total number, of individuals that the custodian expects not to give notice to on the basis set out in section 60.1(5) of the Act.


6   Section 5 comes into force on the coming into force of section 4(9) of the Statutes Amendment Act, 2014.