As a Medical Office Assistant, you will collect and have access to personal health information. You have the responsibility (by law) to protect a patient’s privacy by safeguarding this information and maintaining confidentiality.
Research the federal and provincial laws that protect health information and consequences for privacy breaches.
In your post, be sure to include the following:
a brief description of the applicable laws in your region (province) Alberta
a brief description of the consequences of privacy breaches
how you will protect patient information
Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary) purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information.
Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties. Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality.
Security can be defined as “the procedural and technical measures required (a) to prevent unauthorized access, modification, use, and dissemination of data stored or processed in a computer system, (b) to prevent any deliberate denial of service, (c) to protect the system in its entirety from physical harm”.
Security helps keep health records safe from unauthorized use. When someone hacks into a computer system, there is a breach of security (and also potentially, a breach of confidentiality). No security measure, however, can prevent invasion of privacy by those who have authority to access the record.
The more common view is that privacy is valuable because it facilitates or promotes other fundamental values, including ideals of personhood such as:
Personal autonomy (the ability to make personal decisions)
Individuality
Respect
Dignity and worth as human beings
APPLICABLE LAWS IN ALBERTA (CAN COLLABORATE AND FOLLOW THE LAWS)
The HIPAA Security Rule
The most comprehensive law passed is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was later revised after the Final Omnibus Rule in 2013. HIPAA provides a federal minimum standard for medical privacy, sets standards for uses and disclosures of protected health information (PHI), and provides civil and criminal penalties for violations.
Prior to HIPAA, only certain groups of people were protected under medical laws such as individuals with HIV or those who received Medicare aid.[36] HIPAA provides protection of health information and supplements additional state and federal laws; yet it should be understood that the law's goal is to balance public health benefits, safety, and research while protecting the medical information of individuals. Yet many times, privacy is compromised for the benefits of the research and public health.
According to HIPAA, the covered entities that must follow the law's set mandates are health plans, health care clearinghouses, and health care providers that electronically transmit PHI. Business associates of these covered entities are also subject to HIPAA's rules and regulations.
The Oregon Genetic Privacy Act (GPA) states that “an individual’s genetic information is the property of the individual”.
Since 1995, Oregon has laws to protect the privacy of personal genetic information and prevent misuse of genetic information in clinical, research, employment, and insurance settings. While a number of states currently have such a law, Oregon was one of the first. The law is continually being evaluated to assure that it meets the goals of assuring privacy, preventing misuse of genetic information, and keeping the legal environment amenable for genetic research and genetic health services in the state.
The Oregon Genetic Privacy Laws (OGPLs) help protect your genetic information. These laws also look to prevent the misuse of genetic information.
Federal Laws
There are also federal laws that help protect your genetic information. These laws also look to prevent the misuse of genetic information.
The Genetic Information Nondiscrimination Act (GINA) is a federal law that makes it illegal for the following to discriminate against an individual based on their genetic information, including family history:
Health insurance companies
Group health plans
Employers of more than 15 employees
The Americans with Disabilities Act of 1990 (ADA) is a federal law that makes it illegal to discriminate against a person:
Who is regarded as having a disability
With symptomatic genetic disabilities
With a genetic predisposition
The Affordable Care Act (ACA) is a federal law that establishes “guaranteed issue,” meaning:
Issuers offering insurance in either the group or individual market must provide coverage for all individuals who request it.
Issuers of health insurance are prohibited from discriminating against patients with genetic diseases by refusing coverage because of pre-existing conditions.
Certain health insurers may only vary premiums based on a few specified factors such as age or geographic area, thereby prohibiting the adjustment of premiums because of medical conditions, including genetic diseases.
Confidentiality of Medical Information Act (CMIA)
The Confidentiality of Medical Information Act (CMIA) is a state law that adds to the federal protection of personal medical records under the Health Information Portability and Accountability Act (HIPAA). CMIA protects the confidentiality of individually identifiable medical information obtained by a health care provider and includes the following:
CMIA prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified.
CMIA requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that preserves the confidentiality of the information contained within those records.
CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that reveals the individual’s identity.
Any individual may bring an action against any person or entity that has negligently released confidential information or records, for either or both nominal damages of $1,000 and the amount of actual damages, if any, sustained by the patient. It shall not be necessary to prove that the plaintiff suffered or was threatened with actual damages to recover nominal damages.
Any person or entity who knowingly and willfully obtains, discloses, or uses medical information in violation of CMIA shall be liable for an administrative fine not to exceed $2,500 per violation.
Genetic Information Nondiscrimination Act of 2008 (GINA)
The Genetic Information Nondiscrimination Act of 2008, enacted May 21, 2008, is an Act of Congress in the United States designed to prohibit some types of genetic discrimination. The act bars the use of genetic information in health insurance and employment: it prohibits group health plans and health insurers from denying coverage to a healthy individual or charging that person higher premiums based solely on a genetic predisposition to developing a disease in the future, and it bars employers from using individuals' genetic information when making hiring, firing, job placement, or promotion decisions. Senator Ted Kennedy called it the "first major new civil rights bill of the new century." The Act contains amendments to the Employee Retirement Income Security Act of 1974 and the Internal Revenue Code of 1986.
POTENTIAL TECHNICAL APPROACHES TO HEALTH DATA PRIVACY AND SECURITY
1) Privacy-preserving data mining and statistical disclosure limitation.
2) Personal electronic health record devices.
3) Independent consent management tools.
4) Pseudonymization.
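Pseudonymization, the fourth approach listed, replaces direct identifiers with a stand-in value so that records about one patient can still be grouped without revealing who the patient is. The example below is added here to illustrate it and is not code from the original post or from any of the laws or agencies it discusses. It uses keyed hashing (HMAC-SHA256) with a separate key per secondary purpose, which ties back to the earlier point that data collected for one purpose should not be freely reusable for another: two extracts produced for different purposes carry unlinkable pseudonyms. The record fields, names, health numbers and purpose labels are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records: a tiny extract of the kind of identifiable rows
# a clinic might hold. Names, numbers and diagnoses are made up.
SAMPLE_RECORDS = [
    {"health_number": "123456789", "name": "A. Patient", "diagnosis": "hypertension"},
    {"health_number": "987654321", "name": "B. Patient", "diagnosis": "asthma"},
    {"health_number": "123456789", "name": "A. Patient", "diagnosis": "migraine"},
]

# Fields that identify the individual and must not appear in a secondary-use extract.
DIRECT_IDENTIFIERS = ("health_number", "name")


def derive_purpose_key(master_key: bytes, purpose: str) -> bytes:
    """Derive a separate pseudonymization key for each secondary purpose.

    Extracts released for different purposes (say, a research study and a
    billing audit) then carry unlinkable pseudonyms, so nobody holding both
    extracts can join them on the pseudonym column.
    """
    return hmac.new(master_key, purpose.encode("utf-8"), hashlib.sha256).digest()


def pseudonym(purpose_key: bytes, identifier: str) -> str:
    """Keyed, deterministic pseudonym for one identifier.

    HMAC rather than a bare hash: a health number is a short, structured value,
    so an unkeyed SHA-256 of it could be matched against a precomputed table of
    every possible number. With a secret key that table cannot be built.
    """
    return hmac.new(purpose_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records, master_key: bytes, purpose: str):
    """Drop the direct identifiers and add a single pseudonym field per row."""
    purpose_key = derive_purpose_key(master_key, purpose)
    out = []
    for row in records:
        pseudo_row = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_row["pseudonym"] = pseudonym(purpose_key, row["health_number"])
        out.append(pseudo_row)
    return out


def linkable(extract_a, extract_b) -> bool:
    """True if any pseudonym appears in both extracts, i.e. the two could be joined."""
    a = {r["pseudonym"] for r in extract_a}
    b = {r["pseudonym"] for r in extract_b}
    return bool(a & b)


if __name__ == "__main__":
    # In practice the master key lives in a key vault, never beside the extract.
    master = secrets.token_bytes(32)
    research = pseudonymize_records(SAMPLE_RECORDS, master, "research-study")
    audit = pseudonymize_records(SAMPLE_RECORDS, master, "billing-audit")
    # Same patient -> same pseudonym within one extract (rows 0 and 2 link up).
    print("rows 0 and 2 share a pseudonym:", research[0]["pseudonym"] == research[2]["pseudonym"])
    # Different purposes -> different pseudonyms, so the extracts cannot be joined.
    print("research and audit extracts linkable:", linkable(research, audit))
```

The design point is that the pseudonym is only as protective as the key: whoever holds the master key can re-identify every row, so the key must be kept apart from the extracts and from the people who receive them.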
As a medical office assistant, protecting patient information is very important. You can follow the steps below.
Data encryption. Implement data encryption on your computers, laptops, tablets, and smartphones. Data encryption makes information unreadable on these devices by unauthorized persons (i.e., someone who stole your laptop). It also provides safe harbor under the HITECH Act and state breach notification laws. This means that the data are considered secure; as such, the requirement to notify individuals is eliminated. You can buy data encryption software at your local computer store.
Secure email. Email services are available that provide encrypted transmission and other protections to ensure security and regulatory compliance. Free email tools are available that provide adequate privacy and security controls and protect your email from being intercepted and read without your or your patient’s authorization.
Privacy policy. Implement a privacy policy not to accept patient information over the Web or by unsecured email. Have a written policy that you and your staff adhere to regarding the electronic transmission of patient information. While this may not stop all of your patients from sending you information in this way, it makes it clear that you do not want to receive it in this form.
Security assessment. Perform a security assessment and determine where your patient information lives. The HITECH Act requires an annual security assessment to determine vulnerabilities in your security of patient information. This assessment should also help you understand where your office stores patient information today and how it is shared or transmitted to other providers, payers, and your patients. Many breaches occur because physicians do not know where these data are kept and how the information flows to others in day-to-day practice.
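Finding out where patient information lives, as the assessment step above asks, is something a small office can start with a simple inventory scan. The example below is added here and is not from the original post: it scans a set of constructed sample files for the identifier types the post lists as individually identifying (telephone numbers, e-mail addresses and nine-digit health or social insurance numbers), records which files contain them and aggregates the counts by top-level folder. The file paths and contents are made up for the example; a real scan would walk the office's actual drives and mailboxes.

```python
import re
from collections import defaultdict

# Constructed sample "files": path -> contents. Every value is made up.
SAMPLE_FILES = {
    "Desktop/claims_march.csv": "patient,phn,phone\nA. Patient,123456789,403-555-0100\n",
    "Documents/referral_note.txt": "Referral for B. Patient. Contact: b.patient@example.com",
    "Downloads/vendor_invoice.txt": "Invoice 4471 for toner, total $120.00",
    "Email/sent/followup.eml": "Subject: follow-up\nPlease call 780 555 0199 re: results.",
}

# Identifier types the post names as individually identifying. The nine-digit
# pattern covers health numbers and social insurance numbers written without
# separators; the lookarounds stop it from matching inside longer digit runs.
PATTERNS = {
    "nine_digit_number": re.compile(r"(?<!\d)\d{9}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\d{3}[-\s.]\d{3}[-\s.]\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def scan_text(text: str) -> dict:
    """Return {identifier_type: count} for one file's contents (empty if none)."""
    hits = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def inventory(files: dict) -> dict:
    """Return {path: {identifier_type: count}} for every file that holds an identifier.

    Files with no hits are left out, so the result is the list of places that
    need protection (encryption, access control) or clean-up.
    """
    result = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            result[path] = hits
    return result


def summarize_by_location(inv: dict) -> dict:
    """Aggregate identifier counts by top-level folder to show where PHI concentrates."""
    totals = defaultdict(int)
    for path, hits in inv.items():
        folder = path.split("/", 1)[0]
        totals[folder] += sum(hits.values())
    return dict(totals)


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for path, hits in found.items():
        print(f"{path}: {hits}")
    print("by location:", summarize_by_location(found))
```

Pattern matching of this kind over-reports (any nine-digit invoice number will match) and under-reports (a patient's name alone is not matched), so treat the output as a starting list of locations to review by hand, not as a complete map of where PHI is stored.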
Data breach insurance. A new insurance product has emerged over the past few years to mitigate the financial cost of a breach of patient information. It covers the majority of costs associated with responding to a breach, including computer forensics investigation, consumer notification, legal advice, identity theft monitoring, and victim restoration services. Talk to your insurance professional to understand your options and obtain a policy that is right for your practice.
What to do if you discover a data breach
Now that you have taken reasonable steps to protect patient information, let’s talk about what you do if you discover a data breach. Let me start by highlighting a few examples that might alert you that a data breach has occurred.
• You walk into your office in the morning and your office assistant tells you that someone has stolen all the computers and backup drives.
• You are sitting on an airplane getting ready to fly home from a conference and suddenly realize you forgot your smartphone in the taxi…or was it the restaurant?
• You return to your car after attending to several patients at your clinic and realize your car has been broken into and your backpack containing paper-based patient files is missing.
• Your home computer with patient records is displaying a flashing message telling you it has been taken over by a virus and all of the files have been forwarded to everyone in your electronic address book.
If you find yourself facing any of these scenarios, this doesn’t necessarily mean you have a data breach situation. If your patient information was encrypted and you implemented the suggestions outlined above, your patient information is secure and would not trigger federal or state data breach notification laws. However, read on for suggestions if this was not the case.
Determine what the laws are. Call your attorney to determine whether there are federal or state data breach notification laws that apply to the situation. The circumstances of each data breach are unique, and the laws that apply are evolving. Your attorney can determine the specific laws that apply and provide legal advice on how to comply.
Determine what data were lost. Engage a computer forensics expert to determine what data were lost or stolen and whether there is a potential for misuse. It is important to first understand whether there was patient information on the affected device. This is easier said than done, because in many cases you may not know what information was on your device. Patient information may have been in a spreadsheet or document or an insurance claim file. A forensics expert may also be able to determine whether any of the information was accessed and who accessed the information. You may be able to confirm that there were no patient data on the device or that no one accessed it, which reduces the risk of it being misused.
Deploy a breach response team. This is the group of professionals whom you designate to manage the response to the data breach. It includes your attorney, forensics expert, office manager, and others who can provide an effective response so that you can remain productive in your practice. The response team provides crisis management and manages all of the vendors who help with consumer notification; call center services; and identity protection services that mitigate the regulatory, reputational, legal, and other risks of a data breach. You can engage an organization that manages this process if these resources are not available to you or your practice. It is best to engage such an organization before a breach and to get an agreement for services.
Notify affected patients and the appropriate regulatory agencies. This step is the foundation for both federal and state compliance with the breach notification provisions of the various laws. It helps the patients affected by a breach take action to protect themselves from identity theft and other forms of health care fraud. If the breach involved 500 or more records, you will be required to notify Health and Human Services (HHS) and in some cases local media concurrently. Many organizations also notify the state attorneys general and insurance commissioners where affected individuals live. Expect the HHS Office for Civil Rights to initiate an investigation of a breach of more than 500 records and be prepared to show the steps your practice had taken to protect patient information and to close security gaps that caused the breach.