Health Information Act


The Health Information Act (RSA 2000, c. H-5) protects affiliates of a custodian of health data who disclose a contravention of the Act. To be protected, a disclosure must be made to the Office of the Information and Privacy Commissioner, must be made in good faith, and must concern the collection, use, or disclosure of health information by a custodian in violation of the Act. Under the Act, any retaliation against the affiliate is considered an offence and is subject to a fine.

What kind of disclosure is protected?

The Act protects affiliates of custodians (s. 106(1)) who, while acting in good faith and on the basis of reasonable belief, have disclosed health information to the Office of the Information and Privacy Commissioner regarding a contravention under this Act (s. 83(1)).

Under the Act, the kinds of health information (s. 1) for which contraventions can be disclosed under this protection are:

  • “diagnostic, treatment and care information”, such as:
    • the physical and mental health of an individual; 
    • information regarding a health service provided to an individual, including identity, title, address, profession, employer, as well as the type of service provider, their location or identification.
  • “registration information”, i.e. information written, photographed, recorded or stored such as: demographic information, including personal health number; location information; telecommunications information; residency information; health service eligibility information; and billing information.

The Act does not protect disclosures made in bad faith (s. 83(4)).

Who is eligible for protection?

The Act protects only an affiliate of a custodian who has disclosed information to the Information and Privacy Commissioner regarding a contravention under this Act.

Under the Act, an affiliate of a custodian is any of the following:

  • an individual employed by the custodian;
  • a person who performs a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian;
  • a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act; or
  • a person who is designated under the regulations to be an affiliate.


Affiliates also include “health information managers”, i.e. the person or organization that processes, stores, retrieves or disposes of health information; strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information; or provides information management or information technology services (s. 66(1)).


The Act expressly excludes “agents”, including a local authority, employer or other person or unincorporated group of persons designated as an agent and who, under the Health Insurance Premiums Act, is authorized or required to collect premiums.

Health information custodians (s. 1) covered by the Act are the operators of hospitals as defined in the Hospitals Act (i.e. institutions operated for the care of diseased, sick or mentally disordered people) and of nursing homes as defined in the Nursing Homes Act (i.e. facilities for the provision of nursing home care). However, the Act does not apply to hospitals and nursing homes established under the Regional Health Authorities Act.

How are whistleblowers protected?

The Act prohibits any person from taking any kind of reprisal against an affiliate who has made a disclosure (s. 106).

Any person who knowingly takes a reprisal against an affiliate who has disclosed information is guilty of an offence and liable to a fine of not more than $10,000 (s. 106(2)).

The Act strictly prohibits affiliates from knowingly making false statements in their complaints, or from falsifying, concealing or destroying materials (s. 107; s. 83(4)).

Under the Act, the Information and Privacy Commissioner is required to keep confidential the identity of an affiliate who made a disclosure (s. 83(3)).

How should disclosures be made?

Be careful! Although it makes follow-ups harder, anonymity is one of the best protections for whistleblowers. Be cautious when providing any information through electronic means, especially emails! Read the security tips section.

To be protected, a disclosure of wrongdoing must be made to the Office of the Information and Privacy Commissioner (OIPC) and must:

If unable to submit the form by email, the form may be submitted via mail or fax to: 

Office of the Information and Privacy Commissioner of Alberta 
410, 9925 - 109 Street
Edmonton, AB T5K 2J8
Fax: (780) 422 - 5682

For more information on the type of information included in the form, please visit: 

For more information visit: