Contravention of Health Information Act
Written by Bradley Siddell   

If you follow the news regarding protection of sensitive information, or have read a few of the other blogs posted on our site, then you are "up to speed" on the importance of protecting secure information and applying physical security protocols to computer hardware such as laptops. What you may be less familiar with is that there is legislation (law) governing the protection of data specifically held by "custodians" in the health industry. You could be held criminally negligent for the release of sensitive data and very likely civilly liable for any damages caused...

A report by the Alberta Health Commissioner, Franklin J. Work, QC, concerning a laptop computer stolen from the Calgary Health Region reiterates your ethical and legal responsibilities:


"...The Health Information Act applies to health information in the custody or control of "custodians"... Under section 60 of the HIA, custodians have a duty to maintain administrative, technical and physical safeguards to protect the confidentiality of health information and the privacy of individuals. This section places particular emphasis on addressing the risks associated with electronic health records... An important feature of section 60 is the duty of custodians to protect against reasonably anticipated threats to the security of health information. In order for a custodian to reasonably anticipate a threat, it follows that the custodian must perform a risk assessment to determine what possible threats may affect its health information and, in particular, information held in electronic form... The risk of laptop computer theft is known to be high. This risk was well established by our Office in Investigation Report P2006-IR-005. In paragraph 64 of this Report, my colleague says, "Frequent incidents of laptop theft from employees, often despite corporate policies, are well known and publicized, making the risk real and foreseeable."... The affiliate's laptop computer was equipped with a locking cable. However, this cable was not used at the time of the theft... The database containing patient information was protected by two passwords, one to open the database interface and another to access the data. These two passwords did not meet CHR's strong password standard. In any case, their usefulness is questionable as such passwords are easily cracked or bypassed... Encryption (i.e. applying cryptographic controls) is a way to scramble data to make it unreadable. Only those who have the encryption key can decode the scrambled data. The custodian's policy on encryption was not implemented. This is unfortunate. Had sufficient cryptographic controls been properly applied, the data would have been virtually inaccessible and the risk to affected individuals negligible... In my view, it is not reasonable to count on non-technical employees to determine whether they need encryption software, download it, configure it and use it properly.

The relevant parts of section 60 of the HIA read as follows:

60(1) A custodian must take reasonable steps in accordance with the regulations to maintain administrative, technical and physical safeguards that will

(c) protect against any reasonably anticipated

(i) threat or hazard to the security or integrity of the health information or of loss of the health information, or

(ii) unauthorized use, disclosure or modification of the health information or unauthorized access to the health information,

(2) The safeguards to be maintained under subsection (1) must include appropriate measures

(a) for the security and confidentiality of records, which measures must address the risks associated with electronic health records

Section 8 of the Health Information Regulation flows from HIA section 60 above. The relevant parts of the regulation state:

8(1) A custodian must identify, and maintain a written record of, all of its administrative, technical and physical safeguards in respect of health information.

(3) A custodian must periodically assess its administrative, technical and physical safeguards in respect of

(b) any reasonably anticipated threat or hazard to the security or integrity of the health information or to the loss of the health information, and

(6) A custodian must ensure that its affiliates are aware of and adhere to all of the custodian's administrative, technical and physical safeguards in respect of health information.
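The Commissioner's distinction between an application password on a database file (which only gates the interface and can be bypassed by reading the file directly) and encryption (which makes the stored bytes unreadable to anyone without the key) is the "technical safeguard" that section 60 is asking for. The following Go program is an added illustration written for this post; it is not code from the Commissioner's report, the Calgary Health Region, or this site. It derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256 (implemented inline so only the standard library is needed), seals a constructed sample record with AES-GCM, and shows that a wrong passphrase recovers nothing at all rather than garbage. The on-disk layout (salt, nonce, ciphertext), the iteration count, and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	saltLen       = 16     // random per-file salt, stored in the clear ahead of the ciphertext
	nonceLen      = 12     // standard AES-GCM nonce size
	keyLen        = 32     // AES-256
	kdfIterations = 100000 // illustrative PBKDF2 work factor (assumption); tune for the target hardware
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 using only the
// standard library so the example runs without third-party modules.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var dk []byte
	blockIdx := make([]byte, 4)
	for i := 1; len(dk) < dkLen; i++ {
		binary.BigEndian.PutUint32(blockIdx, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIdx)
		u := prf.Sum(nil) // U_1
		t := make([]byte, hLen)
		copy(t, u)
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_n
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, kdfIterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a key derived from the passphrase.
// Output layout (constructed for this example): salt || nonce || AES-GCM ciphertext+tag.
func Encrypt(passphrase string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	// The salt is bound as additional authenticated data so tampering with it is detected.
	ct := gcm.Seal(nil, nonce, plaintext, salt)
	out := make([]byte, 0, saltLen+nonceLen+len(ct))
	out = append(out, salt...)
	out = append(out, nonce...)
	return append(out, ct...), nil
}

// Decrypt reverses Encrypt. A wrong passphrase yields a different key, so the
// GCM tag check fails and no plaintext (not even garbage) is returned.
func Decrypt(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("PHN 000-000-000; Doe, Jane; visit 2006-01-01; note: sample")
	blob, err := Encrypt("long passphrase held by the custodian", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("bytes at rest:", hex.EncodeToString(blob))
	if _, err := Decrypt("guess", blob); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	pt, _ := Decrypt("long passphrase held by the custodian", blob)
	fmt.Println("recovered:", string(pt))
}
```

The point the Commissioner makes about non-technical employees applies here too: a tool like this only helps if the custodian deploys it (or, more practically, full-disk encryption) centrally and verifies that it is switched on, rather than leaving each affiliate to find, install and configure it. A written record of that safeguard and a periodic check that it is still in effect are what Regulation section 8(1) and 8(3) are asking for.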