Privacy and Security for Alberta Netcare
The Health Information Act (HIA) establishes rules to protect the privacy of an individual's health information. It also regulates how health information can be collected, used and disclosed.
When health professionals access Alberta Netcare, it is considered to be “using” your health information, so they follow the rules set out by the HIA.
The HIA requires custodians (either named health care organizations or named professions in the Health Information Regulation) and affiliates (employees, volunteers, contractors and other authorized people who work for a custodian) to only collect, use and disclose health information in the most limited manner, with the highest degree of anonymity possible and on a need-to-know basis.
The Office of the Information and Privacy Commissioner (OIPC) oversees the HIA and monitors how it is administered in the health system. For more information visit the OIPC website.
Who Needs to Know?
Only authorized custodians and their affiliates may access health information in Alberta Netcare.
In order to be “authorized,” a custodian must complete a series of privacy and security assessments which ensures that the health facility has the technology, policies and processes in place to keep patient health information safe.
These regulations require the health profession body of which the custodian is a member to have in place, standards of practice respecting the management of information in records and the management of electronic records. Then the custodian signs an information manager agreement that commits them and everyone else that works for them at the facility to follow all of the access rules. Only then are these health professionals registered as authorized users and given a log-in ID.
One of the most important requirements for an individual to become authorized is that he or she needs the information in order to provide patient care.
This means that a health professional working outside the health system, like a doctor working for an insurance company, would NOT be authorized, and would not gain access to Alberta Netcare.
How much do they need to know?
Users are restricted in terms of the information they can access based on their role in the health care system. This means that access permissions and other security credentials are set up so that users have information they need to know to do their jobs.
For example, a medical office clerk may only have access to certain information in an electronic health record, such as a person's first and last name, date of birth, gender and personal health number, while a physician would likely have access to all of the clinical information available in the record.
Know Your Rights
The Office of the Information and Privacy Comissioner has produced a resource which outlines patient rights regarding electronic health record. Learn more about your rights in Alberta
Keeping Your Information Secure
A number of security safeguards are in place to make sure that only authorized users can access the EHR. These include multiple levels of access controls and encryption. The security controls used to protect information in the EHR are based on international standards and best practices.Secure access
Access to the EHR is provided through secure networks (such as those in Alberta Health Services Facilities) or securely over the Internet using two-factor authentication. Two-factor authentication involves a password and ID to be used in conjunction with an authentication device (SecureID remote access fob). Both must be present for the individual to gain access.
Encryption
All electronic messages that are shared are encrypted, which means that the information is encoded to provide a high level of security.
Controls
Additional network security controls include the use of firewalls and an intrusion detection system to alert the appropriate personnel of any unusual activity.
Audit logs
Access to Alberta Netcare is logged and audited, which ensures that the information is accessed appropriately. AH FOIP/HIA will follow up if a breach is suspected. Albertans have the option to request a copy of their Audit Logs if they wish to know who has viewed their Alberta Netcare record. Find out how to place a request.
Penalties
The HIA has established fines for anyone who knowingly collects, uses, or discloses health information or who gains or attempts to gain access to health information in contravention of the HIA. Individuals who breach privacy and access rules could be subject to criminal charges, fines of up to $100,000, and disciplinary measures within their licensing or professional organizations.
In 2007, a medical office clerk appeared in court and pleaded guilty to charges of improperly accessing another person's medical information through the Alberta Netcare Portal in contravention of the HIA. The medical office clerk was fined $10,000 for the offence.
The Office of the Information and Privacy Commissioner (OIPC) is charged with oversight of the Health Information Act of Alberta and has said they will not hesitate to recommend charges again in the future. Find out more by visiting the OIPC website.
The Option to Mask Your Health Information
Albertans have the option of requesting that their health information in Alberta Netcare be "masked." This means that information about an individual will not be automatically visible when a record is accessed, except for first and last name, date of birth, gender and personal health number. Masking is a way for Albertans to express their wish to limit access to their health information through Alberta Netcare.Requesting a mask
If you are interested in requesting a mask, contact a health service provider who is participating in Alberta Netcare, ideally one that you already see for health services. This health service provider can assist you with completing the request and will submit the application on your behalf. Before submitting the application, the health care provider must discuss with you the consequences of a mask. Please note that there may be circumstances where a custodian is unable to authorize the mask, for example, if masking that information could pose a threat to public health and safety.
How does masking work?
When a mask has been applied, the health information contained in your Alberta Netcare electronic health record will not automatically be displayed. Authorized health service providers may unmask a record in limited circumstances, such as with the patient's consent or if clinically necessary. All unmasking activity is flagged, electronically logged and may be audited. One of your rights as a patient is to request a copy of the audit logs for your record.
Rescinding a mask
If you have a mask on your record, you can request that a mask be removed at any time. To do this, contact a participating health service provider. A request to remove a mask may also be initiated by a health service provider if he or she becomes aware of changing circumstances that affect your eligibility for masking. In this case, the health service provider or delegates will make every attempt to inform you of their decision prior to removal of the mask.
If you would like additional information about Alberta Netcare Masking, please contact the Health Information Act Help Desk:
Phone: 780-427-8089 (toll free dial 310-0000 and the 10-digit number)
Email: hiahelpdesk@gov.ab.ca