Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, are required to report to the Office of the Privacy Commissioner (OPC) any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. They also need to notify affected individuals about those breaches, and keep records of all data breaches within the organization.
On today's podcast, PIPEDA’s Mandatory Privacy Breach Notification, we will look at how PIPEDA applies to healthcare organizations and the vendors that support them.
The Privacy Commissioner shares lessons learned after one year of mandatory breach reporting requirements under PIPEDA.
PIPEDA applies to private sector businesses across Canada with the exception of Quebec, Alberta, and BC. In these provinces, provincial legislation which is substantially similar to PIPEDA applies. In all cases, businesses which handle personal information that crosses provincial or national borders fall under PIPEDA regardless of the province in which they are based.
In Alberta, we have privacy legislation called the Health Information Act (HIA) that takes precedence over PIPEDA and Alberta's Personal Information Protection Act (PIPA). If a business, like a physician's office, has a privacy breach which includes health information, then the custodian of the physician office must report the privacy breach following the HIA regulations. If employee information or other non-health information is included in the breach, that triggers privacy breach notification under PIPA. Sometimes a breach can include both types of information, and the physician office must then notify under both statutes.
In BC, the Personal Information Protection Act (PIPA) is BC's private sector privacy law and has also been deemed substantially similar to the federal private sector privacy law. BC does not have health information specific privacy legislation, so PIPA applies to private organizations in BC, including physician practices, and governs how the personal information of patients, employees and volunteers may be collected, used and disclosed.
If you are a business in Canada, for example an electronic medical records (EMR) vendor, and you have a data center in Canada where all of your clients provide their information and store it, the EMR vendor likely falls under the PIPEDA regulations.
The vendor may be subject to other legislation as well. If you are an EMR vendor, you do not directly comply with the HIA in Alberta because that applies only to custodians. However, as an information manager of a custodian under the HIA, you have some obligations under the HIA in the event of a privacy breach. That does not mean you don't also have obligations under PIPEDA.
Listen to the podcast to learn more!
You can advance the audio to the following time entries:
03:18 Does PIPEDA apply to you?
04:53 British Columbia
05:26 EMR vendor and businesses that support healthcare practices
06:52 What is personal information
07:44 Why is privacy important?
In 2017, 65% of large organizations with more than 100 employees indicated that they were privacy aware, but only 43% of small businesses indicated that they were privacy aware.
09:11 What Is A Privacy Breach
12:44 PIPEDA Mandatory Privacy Breach Reporting Process
12:55 Keep Records
14:04 Report to the OPC
Information Manager Agreement – should indicate whether a vendor will directly notify a patient about the privacy breach or whether the custodian will do the notification. The Information Manager Agreement should also identify which party (or parties) is responsible for the cost of notification.
See the Practice Management Success Tip – Top 3 Agreements https://InformationManagers.ca/Top-3
15:46 What is ROSH?
17:47 What information to include: the circumstances of the breach.
19:33 CASL Canada’s Anti-Spam Legislation
20:34 Good Privacy Is Good For Business
I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.
How to Manage a Privacy Breach with Confidence
The 4 Step Response Plan will help you prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:
Click here for more information on the on-line 4 Step Response Plan course available now!
Did you hear something on today’s podcast that you would like to go back and listen to again?
Or, maybe you heard something on one of our previous podcasts that you want to listen to again, but you can’t remember which one and you would like to find it quickly and easily.
Well, that’s easy to do now!
If you heard something on this podcast that you want to revisit, go to PracticeManagementNuggets.Live/search and enter the keyword in the magic box.
You will automatically be brought to the podcast at the exact spot where we talked about it.
I am honoured that you choose to spend your time with me today. Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!
Reviews for the podcast on whatever platform you use are greatly appreciated!
When you provide your honest feedback it helps other people just like you find content that may help them, too. If you received value from this episode, please take a moment and leave your honest rating and review.
Jean L. Eaton, Your Practical Privacy Coach
and Your Practice Management Mentor
with Information Managers Ltd.