AHS taking action on privacy breaches
By Letter to the Editor on October 23, 2019.
Re: “AHS isn’t taking personal patient information seriously enough,” Oct. 11 The editorial suggesting Alberta Health Services (AHS) is not doing enough to adequately protect patient information raises some important points requiring further elaboration. There can be no question that all Albertans expect their health information to remain confidential and secure. This is the law and all AHS staff and physicians have a duty and responsibility to uphold it. Everyone at AHS is required to act in accordance with Alberta’s privacy legislation, as well as AHS’ information privacy and security policies. Failing to protect patient privacy can have serious consequences, as well as the possibility of prosecution by the Office of the Information and Privacy Commissioner (OIPC) and regulatory fines under the Health Information Act. For members of a professional college, the consequences can be more severe. We understand every breach of patient privacy represents a breach of our patients’ trust. Not only are those directly affected by the breach placed under undue stress, the trust all Albertans place in AHS to safeguard their personal health information is seriously diminished. Over the past several years, AHS has undertaken extensive work to build greater awareness and understanding among staff and physicians about the importance of appropriate access, safeguarding and encryption of patient information. In addition to our ongoing privacy awareness campaign and associated mandatory training, AHS introduced a new organization-wide privacy policy in 2018. New mandatory encryption software was also introduced across AHS last fall, including for removable data storage devices such as external hard drives. This encryption software was not in place on the missing hard drive at the Mazankowski Alberta Heart Institute. This is unacceptable and represents a violation of AHS IT Security and Compliance Program Standards. The incident was investigated and reported to the OIPC as required by legislation, and as part of AHS’ commitment to openness and transparency. AHS has also taken internal action to ensure a similar incident does not occur again. AHS has always conducted audits of how patient information is accessed and if that access is appropriate. Violations of our privacy policies and procedures are investigated and appropriate action is taken. To further enhance and strengthen privacy and information security, over the next few months AHS will be implementing a new audit/monitoring technology. This tool will help our Privacy team identify and followup on any incidents that violate the confidentiality and integrity of patient information. Linda C. French Chief Privacy Officer and Legal Counsel Alberta Health Services 10-9
