Information Managers
Improve Your Healthcare Practice Security With Audit Logs

Posted on March 15, 2023 by Jean Eaton in Blog


How to Improve Your Healthcare Practice Security With Audit Logs

When was the last time that you reviewed your access logs in your healthcare practice?


In our policies, procedures, risk assessments, and privacy impact assessment submissions, we indicate the reasonable safeguards that we expect to implement in our practices to protect the privacy and security of health information.

But policies and good intentions alone aren’t enough.

We also need to take action on our policies.

We have tools, like audit logs, available to us. Audit logs of our computer and software systems are available to monitor users who have accessed the system and the information contained in the systems.


Audit logs monitor and record the transactions of users’ activities in your computer network and your electronic medical record (EMR). An audit log is an automated, real-time record of who did what, and when, in your system.

For example, when a user logs in to your computer network at the beginning of the work day, the user name, date, time, and perhaps the workstation identifier is recorded in the audit log.

When the user logs into the EMR and creates, views, modifies, or prints from a specific patient record, each activity is recorded in the audit log. In this way, the audit log records both the activity of each user and, in each patient’s electronic medical record, who has accessed that patient’s health information.

You MUST implement, use, and monitor your audit logs

The regular review of the audit logs can demonstrate that the administrative, technical, and physical safeguards that we implement to protect the health information, our people, and our assets are working. Review of audit logs can also identify weaknesses so that corrective action can be taken to improve our privacy and security strategy.

For example, when you review your audit log, you may see that an employee (authorized user) is accessing the EMR after clinic hours. When you investigate, you find out that the billing clerk is doing the billing submission from home.

This might be OK in your healthcare practice (or not). But now you know what is happening in your clinic EMR after hours and you can take appropriate action.


Audit Logs Are Valuable Metadata

Taken from a different point of view, the audit log provides important additional information, or metadata, about the care and treatment of the patient. Knowing who created a clinic note, wrote a prescription, or reviewed a test result provides a story about the care that the patient received. For this reason, the audit log of the EMR is usually required by legislation to be maintained for the entire retention period of the patient’s record. This is generally 10 or more years for adult patients and longer if the patient was a child at the time that they were a patient or client in your practice.


How You Can Use Audit Logs to Improve the Security of Health Information In Your Practice

Snooping, or viewing someone’s health information for an unauthorized purpose, is not uncommon in healthcare. Snooping is always a breach of confidentiality and of the trust that our patients place in us.

Sometimes snooping happens because someone is concerned or curious about a family member or friend and doesn’t intend to do anything ‘bad’ with that information.

We also know that people will sometimes access information for malicious purposes, that is, with criminal intent or to be mean or disparaging to the individuals involved.

Say No to Snooping

When you regularly review your audit logs, you

  • Deter every user from checking something out ‘just this once, no one will know’.
  • Find potential threats or weaknesses in your current systems that you can improve to better mitigate your risks.

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This means having appropriate policies and procedures in place and demonstrating and documenting that you have implemented your plans.


Action Steps That You Should Do Now

Use these points as a checklist to help you start using your audit logs to improve security in your healthcare practice.

  • Computer Network System Audit Log
    • Ensure that your computer network system has audit logging enabled.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for six months or longer.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this?
  • Electronic Medical Records (EMR) / Electronic Health Records (EHR) System Audit Log
    • Most health information legislation and regulations now require EMR / EHR to include an integrated audit log / access log. Confirm that you have enabled your EMR / EHR audit log.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for as long as you retain the entire patient record – generally, 10 or more years.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this? Check out the Practice Management Nuggets Podcast episode “How AI Improves EMR Auditing” | Episode #094 with Rob Pruter from SPHER.

    • User activity recorded in an audit log is often visible to subsequent EMR users when they access a patient record. In the course of routine workflow, users may observe and question inappropriate access to an individual patient record. Instruct your users to notify the clinic manager or privacy officer if the audit log indicates a suspicious activity.
    • Include the review of audit logs as part of your routine privacy and security monthly audit.
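As an added example (not code from Information Managers or from any EMR vendor), here is a first-pass automated review of the kind the checklist above asks about, written in Python with only the standard library. It assumes the EMR can export its access log as CSV with the columns shown and that you can export the day’s appointment list to compare against; the log lines and the appointment list below are constructed for the example. It flags the two signals discussed above: access outside clinic hours (the billing-from-home case), and access to a patient’s chart on a day that patient had no scheduled encounter, which is the classic snooping pattern. Neither is proof of wrongdoing on its own; each is a lead for the privacy officer to follow up.

```python
"""Added example (not code from Information Managers or any EMR vendor):
a first-pass automated review of an EMR access log.

Assumptions: the EMR exports its access log as CSV with the columns below,
and the clinic can export the day's appointment list. All sample data is
constructed for this example.
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample export: who, when, from which workstation, what, which chart
SAMPLE_LOG = """user,timestamp,workstation,action,patient_id
dr.smith,2023-03-06 09:12:03,EXAM1,view,P1001
dr.smith,2023-03-06 09:25:41,EXAM1,modify,P1001
billing.clerk,2023-03-06 21:40:12,HOME-VPN,view,P1002
billing.clerk,2023-03-06 21:42:55,HOME-VPN,view,P1003
moa.jones,2023-03-07 10:05:00,FRONT1,view,P1004
moa.jones,2023-03-07 10:05:20,FRONT1,view,P1005
moa.jones,2023-03-07 10:05:41,FRONT1,view,P1006
moa.jones,2023-03-07 10:06:02,FRONT1,view,P1007
moa.jones,2023-03-07 10:06:30,FRONT1,print,P1007
"""

# Constructed appointment list: (date, patient_id) pairs with a scheduled encounter
SCHEDULED = {
    ("2023-03-06", "P1001"), ("2023-03-06", "P1002"), ("2023-03-06", "P1003"),
    ("2023-03-07", "P1004"), ("2023-03-07", "P1007"),
}

CLINIC_OPEN = time(8, 0)    # assumed clinic hours; adjust to your practice
CLINIC_CLOSE = time(18, 0)


def parse_log(text):
    """Parse the CSV export; the timestamp column becomes a datetime object."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def after_hours(events, opens=CLINIC_OPEN, closes=CLINIC_CLOSE):
    """Events on a weekend or outside clinic hours."""
    return [e for e in events
            if e["ts"].weekday() >= 5 or not (opens <= e["ts"].time() < closes)]


def no_scheduled_encounter(events, scheduled):
    """Events touching a chart on a day that patient had no appointment.
    This is the classic snooping signal; it also catches legitimate work
    (results follow-up, recalls), so treat hits as leads, not findings."""
    return [e for e in events
            if (e["ts"].strftime("%Y-%m-%d"), e["patient_id"]) not in scheduled]


def report(events, scheduled):
    """Per-user counts of each signal, for the privacy officer's monthly review."""
    by_user = defaultdict(lambda: {"after_hours": 0, "no_encounter": 0})
    for e in after_hours(events):
        by_user[e["user"]]["after_hours"] += 1
    for e in no_scheduled_encounter(events, scheduled):
        by_user[e["user"]]["no_encounter"] += 1
    return dict(by_user)


if __name__ == "__main__":
    for user, counts in report(parse_log(SAMPLE_LOG), SCHEDULED).items():
        print(f"{user}: {counts}")
```

On the constructed data the report names only two users: the billing clerk for the two after-hours entries, and the MOA for two charts opened with no appointment that day. Run something like this as part of the monthly privacy and security audit, record who reviewed the output and what was done about each hit, and keep the thresholds (clinic hours, what counts as a scheduled encounter) in the written procedure so the review is repeatable.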

Click the link below to get your copy of the audit templates and the training video!

I Want the Audit Templates to Improve Privacy and Security!

Are you already a member of Practice Management Success?

The instructional video and Privacy and Security Monthly Audit Template is already in your membership!


 When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

audit log, EMR, health care, healthcare practice, medical, reasonable safeguards

October Is Cyber Security Awareness Month!

Posted on October 20, 2022 by Jean Eaton in Blog

Cyber Security Awareness – 4 Cyber Security Tips to Keep Your Business Safe and Secure

Keeping information safe and secure has become more challenging for businesses of all sizes over the last few years. Remote working and cloud-hosted services forced healthcare practices to change, or at least re-examine, their cybersecurity practices and protocols. According to CyberEdge’s Cyberthreat Defense Report, 85% of organizations suffered a successful cyberattack in 2021.

Now, businesses that have suffered cyberattacks, along with companies that have been fortunate enough to avoid being victims of breaches and hacks, are looking at ways to bolster their defenses and safeguard their data. But which plans, practices, and services should these organizations invest in?

Below are 4 steps businesses of all shapes and sizes can take to better protect themselves against cyber attacks:

Identify “Crown Jewels” of Your Business

Understanding what information cybercriminals are after most is essential to combating cyber attacks. Know where your patient, employee, business, and financial data are collected and stored, both in your practice and by your vendors. Create a written inventory of your data and of the hardware and software you use to manage and store it. Review who has access to important data and remove access for anyone who does not need it to do their job. This gives business leaders a current record of what you hold and who can reach it, so they know where to look in case of a vulnerability or breach.

Protect Assets by Updating and Authenticating

Protecting your data and devices from malicious actors is what cybersecurity is all about. Make sure your security software is current. When you keep your software, web browsers, and operating systems up to date, you defend against a host of viruses, malware, and other online threats. Turn on automatic updates so employees aren’t tasked with manually updating devices. Additionally, make sure all data is securely backed up in a remote location.

Another important way to keep your assets safe is to ensure staff are using strong authentication to protect access to accounts, so that only those with permission can use them. This includes strong, secret, and unique passwords for each account. According to a 2021 PC Mag study, 70% of people admit they use the same password for more than one account. Reusing weak or similar passwords makes an attacker’s life a lot easier: one leaked password can open every account it was reused on. See “How Does Unique User ID Protect Patient Information In Your Practice?”

Finally, make sure employees are using multi-factor authentication. While this may result in a few extra sign-ins, MFA is essential to safeguarding data and can be the difference between a successful and unsuccessful breach.

Monitor and Detect Suspicious Activity

Companies must always be on the lookout for possible breaches, vulnerabilities and attacks, especially in a world where many often go undetected. This can be done by investing in cybersecurity products or services that help monitor your networks such as antivirus and antimalware software. Moreover, make sure your employees and personnel are following all established cybersecurity protocols before, during, and after a breach. Individuals who ignore or disregard important cybersecurity practices can compromise not only themselves, but the entire organization. Paying close attention to whether your company is fully embracing all of your cybersecurity procedures and technology is incumbent upon business leaders.

Have an Incident Response Plan Ready

No matter how many safeguards you have in place, the unfortunate reality is that cyber incidents still occur. However, responding in a comprehensive manner will reduce risks to your business and send a positive signal to your customers and employees.  Regular cyber security awareness training will help prevent incidents and help you to quickly respond to an incident when it happens. Therefore, businesses should have a cyber incident response plan ready to go prior to a breach. In it, companies should embrace savvy practices such as disconnecting any affected computers from the network, notifying your IT staff or the proper third-party vendors, and utilizing any spares and backup devices while continuing to capture operational data.


Here's a great no-cost opportunity to provide cyber security awareness training to your team!

October is Cyber Security Awareness Month, a global effort to help everyone stay protected whenever and however you connect. The overarching theme for the month is, ‘Do Your Part. #BeCyberSmart.’ and Information Managers is proud to be a champion and support this online safety and education initiative this October.


Events This Month


Ask your questions live with Cybersecurity and Data Privacy experts in an interactive webinar format.

Join us for the first “Ask Me Anything” style webinar for healthcare professionals, practice managers, privacy officers, and owners on Friday October 21 at 1pm EST. It’s free to attend. Once you register, you’ll have access to the Zoom link on the day of the event.

We know that when we train our teams to identify cybersecurity risks, that we can reduce our risk of a business disruption and privacy breaches. And, when an incident occurs, we can identify the problem more quickly and reduce the harm and the cost.

It all starts with better understanding cybersecurity.

Click the button to hop over to the Myla Training website for more information and to register right away!

Register Ask Me Anything!


CyberSecurity Champions


Information Managers Ltd has been a CyberSecurity Champion for many years – and now you can, too!

We want to help you, your family, friends and our community stay protected all year long, too. We encourage you to sign up as an individual Cybersecurity Awareness Month Champion. After signing up, you’ll receive a toolkit of free resources, including simple online safety habits and steps you can take to #BeCyberSmart.

National Cybersecurity Awareness Month is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. For more information about ways to keep you and your family safe online visit https://staysafeonline.org/cybersecurity-awareness-month/ and/or cisa.gov/ncsam.


Follow Information Managers blog posts, social media, and resources that you can download and use right away!


#BeCyberSmart

How Virtual Medical Office Administration Services Can Help Your Healthcare Practice With Kyle Sherritt

Posted on October 12, 2022 by Jean Eaton in Blog

How Virtual Medical Office Administration Services Can Help Your Healthcare Practice


Have you ever said, ‘If only, . . .

  • our referral backlog was caught up,
  • our incoming faxes were sorted,
  • our billing team was more confident, or
  • someone could help with the incoming phone calls during our busiest hours or lunch hour!'

If you have uttered these words, then you want to listen to our episode today about how virtual medical office assistants and receptionists can help your healthcare practice.

In this Episode #106 of the Practice Management Nuggets Podcast, guest expert Kyle Sherritt, VP Sherritt Services shows us how a virtual medical office assistant and virtual receptionist can improve the bottom line of your healthcare practice and improve the patient experience.

My Takeaways

Many—heck!—most healthcare practices have staffing fluctuations.

When you start your healthcare practice, you hire an entry-level receptionist and medical office assistant (MOA). You learn together how to set up your appointment scheduler, your patient recall reminders, and your fee-for-service billing.

Then, you get a little busier, but not busy enough to hire another MOA to assist the busy hours. Your new MOA is ready to take holidays, but you don’t have a relief person on board, yet.

The physician is doing most of the billing because they haven’t trained the MOA to do that, yet.

You want the MOA to step up and take on more administration roles in the clinic, but they can’t meet your expectations because they can’t walk away from the ringing telephone.

You might find that your dreams of a smooth-running office so that you can focus on your patients’ needs are spiraling out of control.

Or, maybe you have heard about a no-staff office practice for your small one-person practice. It sounds great, but you discover that you really don’t enjoy making appointment reminder phone calls yourself.

Would you like some help with that?

Sherritt Services is now providing virtual medical office administration services!

Imagine—phones answered promptly even during your peak hours and your patients receiving a warm reception without staff running off to put yet another person on hold.

Your billing is now done by your in-clinic staff correctly, without coaching from the physician now that the staff has successfully completed the Alberta Medical Billing Online Course.

These new services are brought to you by Sherritt Services, the medical office administration service provider trusted by healthcare providers for over 25 years.

Listen To The Podcast

​How Virtual Medical Office Administration Services Can Help Your Healthcare Practice | Episode #106

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast


Kyle Sherritt is the VP Sherritt Services Inc. and the Sales Director.

Kyle has contributed to the business development of Sherritt Services since 2009.

#PracticeManagementNugget, podcast

Should You Use Encrypted Emails In Your Practice?

Posted on June 27, 2022 by Jean Eaton in Blog

Should You Use Encrypted Emails In Your Practice?

There are many jokes around these days like “Fax machines? Who still uses those? And why are you still using fax machines? It’s the 2020s, not the 1990s!”

People who don’t use them regularly may not realize it, but there are still many places which still use fax machines today—from legal offices, to governments, and yes—doctors offices.

This is largely because a point-to-point fax over the telephone network has long been treated as more secure than ordinary email, which travels as plain text unless it is encrypted (although, as we’ll see below, fax has its own breach history).

One doctor’s office asks: As healthcare professionals, we routinely send our referring physicians a report of the patient’s progress by fax. One clinic would like us to send the reports to them using their encrypted email link instead of fax.

Can we do that?

Today we’ll look at the pros and cons of switching to encrypted email as a method to securely send personal health information and try to answer this question.

What Are The Issues With Email?

First, we need to look at regular, non-encrypted email.

Grant Dakin, President of Solid Technology Solutions reminds us:

“When it comes to sharing sensitive information via email it should always be assumed that it is insecure. Basic email is generally open text, and too many email servers out there, especially on the public side, are not set up to handle encrypted email protocols.”

Even if your email service provider encrypts a message while it is travelling between mail servers (encryption in transit), that protection usually ends at each mailbox: the copy in the sender’s Sent folder and the copy in the recipient’s inbox are often stored unencrypted and remain exposed.
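One way to see the hop-by-hop nature of transit encryption for yourself, as an added example that is not from the original post: each mail server that handles a message adds a Received: header recording how it received it, and the RFC 3848 keywords ending in S (ESMTPS, ESMTPSA and so on) mean that hop used TLS. The Python below, standard library only, reads those headers from a constructed sample message and lists the hops that did not report TLS; the hostnames and addresses are made up. Two caveats: Received headers are written by each relay and can be omitted or forged upstream, so this shows what the servers claim rather than a guarantee, and even an all-TLS path says nothing about how the message is stored once it lands in a mailbox.

```python
"""Added example (not from the original post): list the mail relay hops that
did not report TLS, using the Received: headers every relay adds.

RFC 3848 registers the "with" keywords; those ending in S (ESMTPS, ESMTPSA,
...) mean the hop was protected by STARTTLS. The sample message, hostnames
and addresses below are constructed for this example.
"""
import email
import re

# RFC 3848 protocol keywords that indicate the hop used TLS
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}
WITH_CLAUSE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")

# Constructed sample: one TLS hop between the clinics, one plaintext hop inside clinic B.
# Continuation lines are indented, as the mail format requires.
SAMPLE_MESSAGE = """Received: from mail.clinic-b.example (mail.clinic-b.example [192.0.2.20])
    by mx.clinic-a.example with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 6 Mar 2023 14:02:11 -0700
Received: from workstation7.clinic-b.example ([10.0.0.7])
    by mail.clinic-b.example with ESMTP id xyz789;
    Mon, 6 Mar 2023 14:02:05 -0700
From: referrals@clinic-b.example
To: intake@clinic-a.example
Subject: Consult report
Content-Type: text/plain

Report attached.
"""


def received_hops(raw_message):
    """One dict per Received: header, in header order (first = hop closest to the recipient)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold the header onto one line
        match = WITH_CLAUSE.search(text)
        protocol = match.group(1).upper() if match else None
        hops.append({"header": text, "protocol": protocol, "tls": protocol in TLS_PROTOCOLS})
    return hops


def unencrypted_hops(raw_message):
    """Hops whose relay did not claim TLS. Headers are written by each relay and can be
    forged or omitted upstream, so this is evidence to follow up, not proof."""
    return [h for h in received_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in unencrypted_hops(SAMPLE_MESSAGE):
        print("no TLS reported:", hop["header"])
```

On the sample, the hop from clinic B’s mail server to clinic A’s was protected, but the hop from the sending workstation to clinic B’s own server was not, which is exactly the kind of gap the paragraph above describes: the provider-to-provider link looks fine, and the weak point is at the end.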

If information is not appropriately sorted once it arrives in the recipient’s inbox, there may still be issues with storing information in your email.

If the sender and the receiver do not appropriately manage their in and out boxes to ensure that it has limited information, appropriate access to only the right persons, and has been securely deleted, you have only addressed part of the problem.

When sending information to another clinic or doctor’s office, you may ask what practices does the other clinic have for storing information?

The same questions are important for patients as well:

  • Does the patient have access to a computer where they can download information?
  • Are they using a personal computer or an employer’s computer?
  • Do they have a secure place to access the information?

These are all things which need to be taken under consideration before you send personal information by email in your healthcare practice.

Why Are Some People Switching Away From Faxing?

So, a referring partner who typically sends the consultation report to you by fax now wants to send it to you by encrypted email.

It’s not uncommon for places to want to upgrade their technology.

Fax machines can be large and clunky, and using encrypted email for consultation reports, referral requests, and more can be attractive to streamline operations. Many people feel that fax machines are obsolete. In early March of 2021, the Government of Ontario announced it would phase out its use of all fax machines by the end of the year.

However, there isn’t an alternative communication standard shared across healthcare, private, and public users that is as widely available as the fax machine.

There have also been numerous privacy breaches in healthcare related to improper use of fax machines. For example, in the Ontario Information and Privacy Commissioner’s 2020 Annual Report, the IPC found that, in 2020 about 58 per cent of breaches experienced by health information custodians were caused by misdirected faxes. 

How Does Encrypted Email Work?

Encrypted email works using encryption keys.

What is Encryption? Encryption is a method of scrambling a message so that it reads as gibberish to anyone who intercepts it. Only the people who hold the right ‘key’ can unscramble the message so that it can be read.

Both the sender and the receiver therefore need a key. With a shared (symmetric) key, the same key encrypts and decrypts. With public-key encryption, which is what S/MIME and PGP email encryption use, the sender encrypts with the receiver’s public key and only the receiver’s matching private key can decrypt it, so no secret has to be exchanged in advance.

Grant Dakin explains: “Encrypted email services are a third-party service that will securely store the message, typically a secure web page, until a verification process is completed. This is key. The recipient needs to prove their identity to be able to view the message. At minimum, this can be a username / password challenge using a verified recipient owned email address. When possible, it is recommended to have multifactor authentication (MFA) employed. The use of MFA is dictated by compliance requirements, the type of information and your user base.”

This might seem overly complicated if you’re not used to using encryption services, which may not be an issue when sending information to another clinic, especially if they’re the ones who suggested using encrypted email.


Encrypted Email Process Diagram


When it comes to sending information to patients, especially those who aren’t very tech savvy, you need to consider if encrypted email is the right option.

Things to Consider When Implementing Encrypted Email

If you’re considering implementing encrypted email into your practice, you’ll want to first do a risk assessment, which should include:

  • Discussions with IT vendor / Managed Service Provider
  • Assess the reputation of the encryption vendor
  • Does the encrypted email meet industry compliance requirements?
  • Review your existing policies and procedures
  • Update those policies and procedures as required
  • Approval from Privacy Officer / Custodian / CEO
  • Prepare / update your privacy impact assessment (PIA)
  • Training for your staff on how to use the encryption software
  • Is there a verification process to ensure that the right person is viewing / accessing the information?
  • Verify that encryption is actually in use (if retrieving from a browser, check that the portal uses HTTPS with a valid TLS certificate, which many vendors still call an SSL certificate)

For further guidance on choosing an encrypted email service, Grant Dakin offers the following:

“When looking for an encrypted email service, be certain that the service provider can demonstrate compliance. Most third-party providers base their compliance on HIPAA, which is a US based compliance, but it is very much in line with Alberta's Health Information Act (HIA) and our various Privacy Acts. For us, at SolidTech, the most common encrypted email service provider that we deploy would be Microsoft 365, which is HIPAA / HIA compliant, providing it is set up properly.”

Consider also that if you send information via encrypted email, there will probably be a learning curve for the receiver of the information as well. You may want to offer a basic outline to patients who opt to receive email this way about how it all works.

It may seem surprising at how much time it takes to appropriately and correctly implement an email encryption service in your healthcare practice. But if you will “axe the fax” and discontinue the use of a fax machine, you need to complete a risk assessment and plan an alternate solution.

What Else Can I Use, Instead of Encrypted Email?

If you aren’t ready to make the jump to encrypted email systems but want to get away from using fax machines in your practice, there are alternatives to encrypted email to consider.

Some of these include:

  • Portals from electronic medical record (EMR) systems
  • Sharing networks
  • Secure messaging

PrescribeIT® enables prescribers to electronically transmit a prescription directly from an electronic medical record (EMR) to the pharmacy management system (PMS) of a patient’s pharmacy of choice. See the blog post, “Using PrescribeIT To Streamline Your Workflow”.

Any changes to how you send personal information, whether to patients or other clinics can’t just be a unilateral decision on your part.

Just because you’re ready to make a change, it doesn't mean that the recipients are ready to receive it in that way. You must communicate with your partners and patients about your plans and ensure everyone is on board.

Furthermore, it’s always good to have a business continuity plan in case your chosen method ceases to work as expected.

I’m Ready To Implement Encrypted Email—What’s Next?

If you think encrypted email might be the right choice for your practice, you might wonder, “What next?”

Getting started with a change like this may seem overwhelming, but you don’t have to do it alone.

Connect with Grant Dakin of Solid Technologies Solutions Inc. 

Also see, “Texting with Patients; Can You Use Text Messaging With Patients?” 

digital health, healthcare practice management, privacy

Why You Need Policies and Procedures

Posted on March 15, 2022 by Jean Eaton in Blog

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Protection Act (PIPA)

When a custodian collects health information in Alberta, you must follow the Health Information Act (HIA).

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Protection Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA)) require dentists and physicians to meet standards of practice that include compliance with the HIA and PIPA.

In addition, these colleges have other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy-to-read, and easy-to-understand policies and procedures, it doesn’t have to be hard. In fact, you can even purchase templates to make this easier.

  2. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off: it prevents inconsistent or broken procedures, using or disclosing health information in error, fines and penalties, public relations nightmares, and the time required to run a privacy or security investigation.

  3. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

 


Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

Privacy Impact Assessments (PIA)

 


Piles of Paper: Shredding Options For Employees Who Work From Home

Posted on March 10, 2022 by Jean Eaton in Blog


In the spring of 2020 many workplaces and employees had to make fast pivots to deal with the reality of the COVID-19 pandemic.

Kitchen tables and spare bedrooms became home offices and remote classrooms.

Employee commutes were drastically reduced down to the time it takes to walk from the kitchen after breakfast to their makeshift workspaces.

Many people have found they enjoy the freedom and extra time this has given them to spend with family, to work on hobbies, or simply to avoid sitting in traffic or on transit every day.

As the pandemic starts to wind down, many employees and employers are taking a critical look at where and how we work.

Managers are realizing their staff can be just as productive from a home office, and they don’t need to always be present in the office to be productive.

Companies are offering more flexibility, continuing to allow work from home arrangements or hybrid models for those who prefer it in order to retain staff.

However, as the landscape of work has changed, employers continue to have a responsibility to ensure the privacy of client and patient data, even when employees are working at home.

It’s been nearly two years since many employees shifted to working from home as a result of the onset of the COVID-19 pandemic, and many have accumulations of records which need to be disposed of properly.

Do you have a plan in place to manage shredding services for employees who have been, and continue to work remotely?


We know it is a common privacy breach to have confidential information discarded in the garbage or recycling bin and subsequently disclosed to unauthorized persons.

Many offices may have overlooked this in the rush to have employees work from home at the start of the pandemic, when many of us thought this would just be a temporary measure, maybe a few weeks and then back in the office.

However, this has gone on much longer than anyone could have anticipated, and now there is a workforce with papers piling up at home, many of whom will continue to work remotely going forward.

Now is a good time to review previous procedure decisions and tweak them as necessary.

Spring might be a good time for a little house (or home office) cleaning.

Prevent Paper Privacy Breaches

The ultimate goal is to prevent privacy breaches from paperwork being disposed of improperly.

With this in mind, there are a few options to consider:

  • Having employees return the confidential paper to their place of employment for secure shredding. This could be difficult for those who normally commute by public transit or simply don't want the hassle of carrying boxes of paper to the office.
  • Arranging for a shredding company to do a home office pick-up. This could be done through a courier service or arranged with your current shredding company. Both would likely already be covered by existing contracts and security precautions – but check this for surety.
  • The employee arranges to have a shredding service pick up at their home office. The employee pays for the service and either bills the expense back to the employer or, perhaps, includes it in their home office expenses at tax time for a tax credit. In this case you may want to vet shredding companies in your area first and make suggestions as to which ones are approved for this purpose.

Arranging remote shredding services for your work from home employees means happier employees (as they no longer have to worry about papers piling up), and more peace of mind for clients as well.

Choose Convenience And Security

The cost of having a secure shredding service attend the home office is worth it: the shredding is far more likely to be managed securely and actually completed.

Some things to look for when choosing a shredding company include:

  • Do they have an understanding of compliance requirements for shredding personal health information?
  • What training do their staff have?
  • Are their staff subject to background checks?
  • Mobility: will they come directly to you?
  • What prep work do they require of you (for instance, do you need to remove all of the staples from your files before shredding)?
  • Do they have a reputation for arriving on schedule? (Check reviews.)
  • Can they shred documents on site, rather than taking them to a secondary location?
  • How do they handle the waste from shredding? Will it be responsibly recycled?
  • Do they offer transparent pricing with no surprises?
  • Do they offer a certificate of destruction?

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Managing Records When Transitioning from Work to Home Alberta OIPC

Is Remote Working A Good Choice For Your Healthcare Practice? Information Managers


Going Digital: Using PrescribeIT® To Streamline Your Workflow And Modernize Your Healthcare Practice

Posted on February 17, 2022 by Jean Eaton in Blog

Using PrescribeIT Makes Prescribing Easier And More Convenient

As a family physician you have a lot of responsibilities.

One of these is writing and refilling prescriptions for your patients.

This task, in and of itself, is simple enough; however, there’s often much more to it.

You’re dealing with patients calling in to get a refill, or the pharmacy looking for clarity, or wanting to make a substitution.

Managing all of this can be time consuming and frustrating – but there is a better way.

Would you like to take back the time and reduce frustration in your practice?

PrescribeIT® might be the solution you’ve been waiting for.

PrescribeIT® makes prescribing easier and more convenient for Canadians, prescribers, and pharmacists. It also improves patient safety and health outcomes and protects patient privacy.

PrescribeIT® is a project of Canada Health Infoway, an initiative that aims to bring healthcare into a digital world so that physicians can better connect with patients and pharmacies.

Benefits of Using PrescribeIT Digital Prescriptions

Paper and fax-based prescriptions are outdated, inefficient, and costly – going digital can help you reclaim your valuable time and money.

PrescribeIT® can help reduce prescription errors caused by poor legibility, and eliminate patients calling to have a script re-done because they’ve lost it.

Some of the benefits of managing prescriptions digitally using PrescribeIT® include:

  • The ability to electronically generate, accept, renew, and cancel prescriptions directly from your electronic medical records (EMR) at no additional cost
  • Avoid errors which can arise with fax transmissions
  • Offers secure transmission from your office to the pharmacy – email isn’t secure, and you never know who is on the other side of a fax machine
  • Streamlined system for pharmacies to request refills and renewals
  • Enhanced patient safety and privacy

All of these benefits can be implemented with minimal changes to your current workflow processes.

Paper Prescriptions Are Inefficient

Did you know that over 600 million prescriptions are dispensed in Canada annually?

At a recent in-service with the Edmonton and District Clinic Managers Association, guest speaker Joelle Withers, Manager, Prescriber Relations & Deployment, Canada Health Infoway revealed the following statistics about prescriptions in Canada:

  • Nine percent are narcotics or another controlled drug
  • Over forty percent of prescriptions are handwritten
  • Thirty five percent of prescriptions are computer generated and taken to the pharmacy in person
  • Over four million Canadians have admitted to losing or damaging a prescription, including:
    • 415,000 prescriptions have taken a spin in the wash cycle
    • 140,000 prescriptions decided to go puddle jumping in the rain
    • 88,000 of those prescriptions were eaten by dogs (tell this to every teacher who has heard the “my dog ate my homework” excuse)

As a result of lost or damaged prescriptions, over seven hundred thousand Canadians have decided to go without their medications rather than calling to have a new one issued.

Finally, as many as seventy eight percent of Canadians prefer to go directly to the pharmacy right after receiving their prescription to pick up their medication.

Workflow Efficiencies

Using PrescribeIT® in your practice allows you to electronically send your patients’ prescriptions directly to the pharmacy of their choice.

This will create efficiencies and save you time:

  • No more lost prescriptions, no more time wasted needing to redo paperwork.
  • No more telephone or fax tag with pharmacies. Instead, PrescribeIT® offers secure physician to pharmacy messaging.
  • Integration into the patient record in your EMR: you can see when the prescription has been dispensed.
  • Patients select the pharmacy of their choice and arrive to pick up the prescription with no drop-off wait or pick-up delay.
  • Patients who prefer a paper copy of their prescription still have this option.
  • PrescribeIT® is approved for use with the Triplicate Prescription program.

Which Pharmacies Accept PrescribeIT?

Many pharmacies have been approved to participate in PrescribeIT including Rexall, Guardian, IDA, Shoppers, and Safeway.

I’m Ready To Try PrescribeIT® In My Practice – What’s Next?

Are you ready to bring PrescribeIT® into your practice?

Let’s take a look at how to get started.

I’m Opening A New Clinic

If you’re opening a new clinic and want to use PrescribeIT®, you’ll need to follow these steps:

  • Prepare your Privacy Impact Assessment, which describes your organization’s management system and your selected electronic medical records (EMR) solution.
  • PrescribeIT integration is currently available with the following EMR solutions: Telus Medaccess, Microquest Healthquest, QHR Accuro (soon).
  • Submit your application of interest to PrescribeIT now to be ready to implement when your Privacy Impact Assessment is accepted by the Office of the Information and Privacy Commissioner (OIPC).
  • Once your application is approved, Canada Health Infoway will send to you a Privacy Impact Assessment for PrescribeIT that you will review, edit if necessary, and submit to the OIPC.

I Have An Existing Clinic

You can apply to Canada Health Infoway to start using PrescribeIT® in your current clinic, if

  • You are using one of the accepted EMR vendors, and
  • You have an accepted Privacy Impact Assessment for your EMR implementation.

After your application submission, Canada Health Infoway will send to you a Privacy Impact Assessment for PrescribeIT that you will review, edit if necessary, and submit to the OIPC.

Get Started with PrescribeIT® Today

Are you ready to do away with paper prescriptions?

Tired of playing phone tag with the pharmacy, or having to redo paperwork due to patients losing paperwork?

To get started with PrescribeIT®, please fill out an application of interest form HERE

Do You Need A Privacy Impact Assessment?

If you’re looking for assistance with your Privacy Impact Assessment, we’re here to help you.

Contact Information Managers today!

PrescribeIT® is registered by Canada Health Infoway. Used with permission.

Data Privacy Day 2022 Events and Resources For You!

Posted on January 25, 2022 by Jean Eaton in Blog


Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

That means a lot to me and I think it means a lot to you, too. I think it is important that we give our patients and clients the gift of privacy. And that we have the right tools and resources for our employees to make good privacy and security decisions in our businesses.

Information Managers Ltd. is a Data Privacy Champion!


As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data, and enabling trust.

Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.

Jean L. Eaton

Your Practical Privacy Coach, Information Managers Ltd.

You can be a Data Privacy Day Champion, too! Follow this link and complete the Organization Champion Form with the National Cyber Security Alliance.

Data Privacy Day Activities

5 Steps To Prevent Employee Snooping

SAY NO TO SNOOPING!

If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 may be applied to the individual, in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable (HIA s.107).

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable. 

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

 


Download the Practice Management Success Tip 5 Steps to Prevent Employee Snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.

I Heart Privacy!

Just in time for Data Privacy Day! Print badges for your team.


Right-click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

You can even customize the labels and add your business name!

Get the label sheets using the buttons below.


Protect Your Organization and Your Patients With a Privacy Awareness Quiz

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support their key policies, procedures, and risk management programs.

Reasonable Safeguards

As an employer and healthcare provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don't provide the training, or if the employees don't understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties, including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security, and they value avoiding the adverse results of non-compliance or patient safety issues.

Data Privacy Day Privacy Awareness Quiz

Patients trust their healthcare providers with their sensitive, personal, and financial information.

If patients don't feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information, which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients' questions and build their trust in the quality of services that we provide.

Download the Privacy Awareness Quiz to use today to train your employees and protect your patients' health information.

Download the Privacy Awareness Quiz!

Privacy Protection In The Pink Seat with Dr. Angela Mulrooney & Jean Eaton

While privacy is not technology driven, the lack of privacy, perhaps, is impacted by technology.

Many dental practices are overwhelmed with creating and implementing privacy and security policies and procedures and how to prepare a privacy impact assessment.

Angela and I discussed practical privacy tips for your dental practice to help reduce the overwhelm.

These tips apply to all types of healthcare practices.

 

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy's “Talk Shop” YouTube channel.

Talk Shop: learn from industry experts to be a better communicator in work and in life, hosted by @lsergy. Privacy tips for business owners, just in time for Data Privacy Day!

For more Data Privacy Day resources and events from the National Cyber Security Alliance, click the button below!

Visit the National Cyber Security Alliance - Data Privacy Day website

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/data-privacy-day.

You can also follow the campaign on Twitter at @StaySafeOnline or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtags #PrivacyAware and #DataPrivacyDay to join the conversation.

Please use the social share buttons to share these Data Privacy Day activities with your friends and colleagues.

Follow Us On Social Media!

I share privacy tips and free links to additional resources on social media accounts that you can download and use right away!


Virtual Healthcare Privacy Lessons

Posted on January 14, 2022 by Jean Eaton in Blog


You've probably heard about the Office of the Information and Privacy Commissioner (OIPC) investigation report into Babylon Health. The investigation report provides privacy guidance for vendors of virtual health solutions and the healthcare providers who use the digital health solutions. This is a great demonstration on why it is so important to ensure that you have current information management agreements with your vendors. Jean Eaton shares tips to help you keep your vendor agreements current and explains why it is important to the protection of patient information and the reputation of your business.

The OIPC issued its findings and recommendations after investigating the Babylon by Telus Health app under the HIA. There were eight findings and 11 recommendations made in this investigation.

The recommendations from the Babylon Health Investigation Report can be used to guide healthcare providers, clinic managers, privacy officers, and vendors to develop and implement virtual healthcare solutions in your practice.

In the Practice Management Nuggets Podcasts, Jean Eaton reviews the investigation report and offers practical suggestions that you can use regarding

  • key criteria when reviewing (or preparing) your privacy impact assessment (PIA)
  • policies, procedures
  • information management agreements (IMA)
  • privacy and security awareness training
  • data storage outside of Alberta

Read the investigation report here: H2021-IR-01 Jul 29 2021 Babylon Health Canada Limited et al

Listen To The Podcast

Lessons From The Babylon Telus Health OIPC Investigation Report | Episode #103

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast 


If you need virtual care policies, procedures, sample consent notices, risk assessment, and do-it-yourself PIA templates, I can help you with that!

Virtual Care and Remote Working Privacy Impact Assessment on-line course.

PIA Templates for Remote Working and Virtual Care


Use These Reports To Improve Privacy Compliance

Posted on December 29, 2021 by Jean Eaton in Blog

Investigation reports of privacy breach incidents help to inform and update policies, procedures, and risk assessments, and can be used by privacy officers, clinic managers, and healthcare custodians to improve privacy compliance in their healthcare practice.

Recent publications by the Alberta Office of the Information and Privacy Commissioner (OIPC) and the College of Physicians and Surgeons of Alberta (CPSA) are great resources.

We can use these real-world examples to improve our current practices to protect the privacy, confidentiality, and security of personal health information and to protect personal health information from unauthorized access, use, disclosure, and loss.

Alberta OIPC Annual Report

In the Alberta OIPC Annual Report 2020-21, Jill Clayton, the Privacy Commissioner, noted that ‘this past year was a year like no other for access to information and protection of privacy in Alberta as the COVID-19 pandemic raised new challenges for regulated stakeholders and my office.’

Work from home mandates impacted how organizations responded to access to information requests and the security of personal information as employees shifted to remote work. The OIPC received over 150 privacy impact assessments (PIA) and notifications about the implementation of new virtual care (or telemedicine) projects.

Overall, the OIPC reports a 31% increase in the number of PIAs received over previous years. The healthcare sector may not have applied the usual rigour to assessing new virtual care solutions that it has previously applied to, for example, EMR implementations. The urgency of the pandemic may have triggered this weakness, but it is something we should now be able to do better.

There were 930 breaches reported by health information custodians to the OIPC in 2020-21, representing a slight decrease from 2019-20 (938). There were four convictions under the Health Information Act (HIA) for unauthorized access to health information in 2020-21.

Download the Annual Report from the OIPC here

CPSA Virtual Care Standards of Care

The College of Physicians and Surgeons of Alberta (CPSA) released its updated Virtual Care Standards of Practice on December 20, 2021. These were previously released as telemedicine standards.

Download the CPSA Virtual Care Standards of Care here.

I want to highlight a few things that have changed and a few things that we should know about already. The standard provides clarity about which physicians can provide virtual care services for Albertans: a physician who is licensed to practise and provide care in Alberta, with some exceptions. Other healthcare providers outside of Alberta should not be providing virtual care to residents of Alberta.

The standards also provide guidance on the procedures that a regulated member providing virtual care must follow, including Standard #8:

  • provide the patient with their name, location and licensure status during the initial virtual care encounter;
  • take reasonable steps to confirm the identity and location of the patient during each virtual care encounter;
  • confirm the patient’s physical setting is appropriate given the context of the encounter and ensure consent to proceed, in accordance with the Informed Consent standard of practice;
  • offer the patient the opportunity for in-person care; and
  • ensure there is a plan in place to manage adverse events or emergencies and make patients aware of appropriate steps to take in these instances.

The standards also remind physicians that, prior to implementing new virtual care technologies or practices, you must prepare a PIA. This applies even if you are ‘just’ using the telephone to provide virtual care.

PIA Remote Working and Virtual Care Templates

Last year, Information Managers created a virtual care privacy impact assessment package which includes template policies, procedures, implementation tips, and privacy training. This follows the requirements from the standards from the CPSA and the HIA.

The PIA Remote Working and Virtual Care Templates provide you virtual care procedures, workflow, tips, and Privacy Impact Assessment templates that you can quickly and easily download and customize for your healthcare practice. The training provided will help you to assess privacy and security options to assist you to select the best technology solution for your needs. Then, use the Privacy Impact Assessment templates to document your decisions and submit to the OIPC.

 

Yes! I Want Virtual Care Templates


Copyright 2022 Information Managers Ltd.
