Preventing a Privacy Breach Is Less Expensive Than Managing A Privacy Breach!

Posted on March 4, 2019 by Jean Eaton in Blog

Do you have a privacy breach awareness program in place in your healthcare practice? Spotting a privacy breach is the first step to stopping a privacy breach. You Can Use This Privacy Breach Example to Review and Improve Your Practices.

In May 2018 an employee of the NWT was travelling on business in Ottawa.

The employee left the laptop in a locked vehicle. The laptop was stolen. The employee thought that the laptop had been encrypted; however, in the investigation it was determined that the laptop was not encrypted.

Loss of Control of Health Information

The employee had authorized access to the health information to perform statistical analysis for their job. The employee thought that the laptop was encrypted and that it had a secure password.

Later, when the theft was reported to the NWT Health Department and an internal investigation was conducted, it was determined that the laptop had not been encrypted.

There was a large amount of data on the laptop – an estimated 80% of the NWT's population might be affected by the breach.

Apparently, the laptop has not been recovered.

In 2018, the NWT Privacy Commissioner reported the investigation.

In February 2019, the investigation about the incident is still being reported in the media! The NWT Health Department has provided reams of information about the information that was included in the breach.

This breach was entirely preventable.

Keep this story in mind when you are trying to determine the return on investment to purchase a robust privacy and security management plan for your mobile devices and remote access to health information.

You can pay a little more now and ensure that your devices are securely encrypted with secure access and remote-wipe abilities and privacy awareness training . . . or you can pay over and over again for an investigation and bad publicity that never ends!

Privacy Breaches – What You Need to Know

Preventing a privacy breach from common sources of risk is usually far more cost effective than managing the privacy breach investigation!
Password protection of your laptop, smart phone, or USB device is NOT the same as encryption. Make sure that your mobile devices are encrypted. If you are not sure, find out from a reputable certified IT technician.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

References and Resources

N.W.T. employee dug through planters, trash to find stolen laptop, weeks after privacy training. Priscilla Hwang · CBC News · Posted: Feb 26, 2019 https://www.cbc.ca/news/canada/north/stolen-laptop-nwt-security-details-ottawa-1.5024775

#PrivacyBreach, encryption, Prevent privacy breach, stolen laptop

Are You Prepared For Patient Centered Care in Your Clinic?

Posted on February 21, 2019 by Jean Eaton in Blog

Do you have patients who come to your clinic once–and never return again?

Can’t remember the last time you did a patient satisfaction survey?

Do your patients complain about waiting too long, or not receiving the customer services that they expect?

Have your patients posted a complaint about your clinic on social media?

Do your staff ask you for training on how to empathize with difficult patients and their families?

Practice Management Nugget Podcast

Brian Lee, CEO of Everyone's a Caregiver Learning Systems is my guest expert on Practice Management Nugget Podcast for Your Healthcare Practice. Brian Lee, CSP, is one of North America’s leading experts in the field of World-Class patient experience, staff engagement and culture change.

Brian Lee discussed options for the healthcare provider and business owner to easily deliver training to your healthcare team so that you can improve patient satisfaction and patient centered care in your clinic.

My favorite takeaways from the podcast

In the patient centered clinic, everything that we see and do needs to meet the patient’s expectation or we need to manage those expectations.
When you improve employee morale, you improve the patient experience, too.
Most healthcare providers and support teams never receive education about healthcare customer service skills.

The return on investment of patient experience education, empowering providers and staff to deliver an enhanced, timely, patient experience, is pretty dramatic. When you are prepared for patient centered care in your clinic, you will improve patient satisfaction, and save time and money in your healthcare practice.

Be sure to tune in to my interview with Brian Lee on How Improved Patient Satisfaction Saves You Time And Money | Episode #074

Then, click here to get the free sample modules of the new Patient Centered Clinic: the unique on-line education to help you empower providers and staff to deliver an enhanced, timely, patient experience!

If you are a member of Practice Management Success, login here and view the webinar replay.

Listen to the Podcast

#PracticeManagementNuggets, Patient centered, patient centered care in Canada, patient centered care in community healthcare practices, Patient centered care in your clinic, patient centered clinic, patient centred clinic, patient-centered medical home, patient-centred, podcast

Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up patients information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted because of their ‘concern’ for the individuals.

Curiosity is NOT need-to-know! Click To Tweet

Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access of the Viewer in this example not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy beach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPA recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the clinic is recommended to document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

#digitalhealth, clinic, healthcare, HIPA, Humboldt, medical, privacy breach, privacy breach nugget

How Will Netcare Patient Portal Impact Your Healthcare Practice?

Posted on February 5, 2019 by Jean Eaton in Blog

Alberta Netcare has announced the next step to grant patients access to their own record in Alberta Netcare Portal (ANP).

In fact, it seems to me that I have heard a ‘coming soon' announcement each spring since 2011. But, I think this time we really are getting closer.

Patients will soon have access to Netcare to view their lab results, immunization records, and other clinical notes.

MyHealth Records

The Alberta Netcare website says that MyHealth Records is a Personal Health Record for Albertans to access some of their health information, such as lab results, medications, and immunizations drawn from Alberta Netcare.

MyHealth Records also provides access to several health and wellness tools to help track and maintain overall health. (See the complete list of features here.

Alberta Health has announced that the first step for patients to access thier own records is to request your MyAlberta Digital ID (MADI) which will eventually act as your login credentials to the ANP.

If you have not already registered for MADI access you may do so here: MyAlberta Digital ID.

You will see 2 options – one for a basic account and one for a verified account. Select the verified account.

I understand that you will receive a personal identification number (PIN) in the mail.

The MyHealth Record app isn't available for download, yet.

Patient Portals Can Reduce Barriers

The use of a patient portal can reduce barriers for patients to access their own records. Other benefits to patient portals may include:

Increased empowerment to patients who can access their own results in a timely fashion
Better communication with patients
Fewer access requests (and increased administration efficiencies)
Fewer missed appointments (and increased access to care)

How Will Patient Portals Affect Your Healthcare Practice?

Let me know your experiences with patient portals and your questions. I really would like to know your thoughts on how portals may impact your healthcare practice.

#digitalhealth, Alberta Netcare Portal, ANP, benefits, health, healthcare, Netcare, Patient portals

Plan a Mental Health And Safety Program For Your Staff

Posted on January 29, 2019 by Jean Eaton in Blog

Are you a clinic manager? Do you need to mental health and safety program for your staff, but you feel like expensive, boring, consultants are conspiring against you and sabotaging your success?

Do you have questions about workplace mental health or maybe you need some tools to help you?

Well, look no further because Robert Manolson will give you awesome free resources and tips that you need to plan a mental health safety program without you having to become a mental health expert. Best of all, these goodies will put you on the fast-track to workplace mental health success right now.

In Practice Management Nuggets Podcasts for Your Healthcare Practice, I interviewed Robert Manolson, of Powerful Play Experiences, on how any clinic manager can plan a mental health and safety program for your staff! You can listen to the podcast here:

Positive Workplace Mental Health | Episode #049

In this Practice Management Nugget Podcast for Your Healthcare Practice, Robert Manolson, Mental Health Champion and creator of Powerful Play Experiences will:

discuss why workplace mental health is important
introduce us to The National Standard For Psychological Health and Safety in The Workplace (Canadian Mental Health Commission )
share his first-hand experiences from the Psychological Health and Safety Advisor Training program
share totally amazing, free resources available to initiate a well thought out and organized plan to address mental health in your workplace.

Learn How To Initiate Positive Workplace Mental Health

Regardless of how you choose to use these workplace mental health ideas, don't just sit on this new knowledge and forget about it. Put it to good use so you can mental health and safety program for your staff, which is really what every leader wants, right?

As Robert Manolson says, “Start today! And lead the way!”

#BellLetsTalk, #PracticeManagementNuggets, Powerful Play Experiences, Psychological Health and Safety Advisor, Robert Manolson, Workplace Mental Health

Data Privacy Day 2019 Events for You!

Posted on January 11, 2019 by Jean Eaton in Blog

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

Information Managers Ltd is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data and enabling trust.

“Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.”

Jean L. Eaton, Your Practical Privacy Coach of Information Managers Ltd.

Data Privacy Day Activities

Understanding Mandatory Privacy Breach Notification

To celebrate Data Privacy Day, Information Managers is hosting a free 30-minute webinar on Monday January 28, 2019.

Mandatory Privacy Breach Reporting is here!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, pharmacists, optometrists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach notification will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach notification
lessons learned in the first 4 months of mandatory notification
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do now

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy’s “Talk Shop” YouTube channel.

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by @lsergy. Privacy tips for business owners just in time for Data Privacy Day!

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by Lauren Sergy!

I Heart Privacy!

Just in time for Data Privacy Day!

Print badges for your team.

Right-Click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

I Heart Privacy DPD Badges I Heart Privacy Badges

You can even customize the labels and add your business name!

“Data Privacy Day Forum in Edmonton”

Alberta’s Office of the Information and Privacy Commissioner (OIPC) OIPC is hosting a free event on Friday January 25 including Mandatory Breach Reporting under the Health Information Act: The First Four Months . Register at https://www.oipc.ab.ca/.

Follow Us On Social Media!

Each day from Jan 22 – 28, we will have for daily privacy tips, and free links to additional resources on our social media accounts that you can download right away! Follow us!

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/dpd . You can also follow the campaign on Twitter at @DataPrivacyDay or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtag #PrivacyAware to join the conversation.

Please use the social share buttons below to share these Data Privacy Day activities with your friends and colleagues.

#DataPrivacyDayHealthcare, #PrivacyAware, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton

5 Reasons to Hire a Summer Student In Your Healthcare Practice

Posted on January 8, 2019 by Jean Eaton in Blog

Summer is often a time to ‘catch up’ on outstanding projects. It can also be a time to prepare for programs for the fall.

Summer students can help you with jobs like archiving patient records, taking inventory, or creating new patient information brochures or provide content for your website.

They can prepare for your fall flu clinic season and make sure that you have a project plan ready to implement.

STEP (Summer Temporary Employment Program) provides funding to eligible Alberta employers to hire high school and/or post-secondary students into summer jobs.

You can provide students with the opportunity to build meaningful work experience, increase their skills, and workplace insight.

Use the STEP Summer Student employment program to find an enthusiastic employee at a fraction of the cost.Click To Tweet

Why You Should Consider Hiring a Summer Student

It is a cost-effective solution for short-term hiring needs; employers get quality skills at affordable prices.

It is an excellent way to evaluate potential employees.

Students bring fresh, innovative ideas to your business.

It is an investment that you make in attracting dedicated employees.

There is an Alberta funding program available for employers of students. (Other provinces have similar programs.)

STEP Students:

Represent a large pool of available workers

Enthusiastic and tech savvy

Accustomed to multi-tasking

At home with cultural diversity

What’s In It For Me? (WIFM)

Often, we learn more about what we do when we teach someone else. When you hire a STEP student, you mentor an enthusiastic student. You provide knowledge, experience and connections to further the career direction of a STEP student.

You can provide a positive difference in a young person’s career by setting an example of professionalism. You encourage the student to strive for and provide a focus on future career direction and advancement.

STEP Offers

4-16 week wage subsidy program.
Standardized wage subsidy of $7.00/hr maximum 37.5 hrs/week provided to approved applicants.
- Employers are encouraged to pay an appropriate wage and must pay at least the minimum wage ($15.00 / hr)
Guidelines, webinars and other links to help you in this process.

Students must be at least 15 years of age. This could include a high school student or post-secondary (returning to high school or post-secondary no later than November 1).

Don't Miss These Dates

Deadline for employers to apply for STEP student is February 9, 2019.

Students hired in April 2019

Summer positions start May 1, 2019

You can recruit a student interested in healthcare career or with secretarial / administrative skills, marketing, social media, or business skills that supports your business.

Contact STEP today for application forms and more information.

STEP will make it easy for you to find a summer student to help you!

STEP, summer student

Do You Have a Password on Your Point of Sale Device? You Should!

Posted on November 30, 2018 by Jean Eaton in Blog

Avoid scams with your credit / debit machine now. Check out this article from CBC news

You can activate a security feature with your credit / debit machine that allows you to create a password before someone can access the administrative controls on your device. In this case, the scammer used a pre-programmed ‘credit card' and inserted it into the point of sale (POS) device. The card is actually a fake “administrative card,” which gives them complete access to the terminal, and allows them to manually enter in an alternative, usually stolen, credit card number.

The scammer walks away without using any of their money for the purchase. And the clinic owner is stuck with the bill.

When the purchase is discovered as fraudulent, the vendor has to pay back to the credit card company whatever the amount that the scammer entered into your POS device.

You will also likely receive a “chargeback” fee from the credit card processor.

Do you know who manages the POS password in your clinic? Who is the back-up person?

Do you maintain the passwords in a secure, corporate, password manager service?

Have you added this to your Health Information Privacy and Security Manual? You should!

clinic, Fraud, healthcare, password, point of sale device

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

Privacy Like No One Is Watching

Posted on October 30, 2018 by Jean Eaton in Blog

Sometimes it feels like everyone's eyes are on you. CTV cameras, hackers, on-line scrapers, cookies, are watching and tracking us and regulators are telling us what we need to do to meet compliance requirements.

Even facial recognition software at shopping malls are watching you – and sending you targeted specials to your phone as you walk by the stores in the mall!

We can’t expect that everyone who has collected our information, like the shopping malls, will protect your personal information.

We should each be aware of and concerned about how our personal information is collected, used, and disclosed with – and without – our knowledge and consent.

I think that we should practice privacy like no one is watching.

We each need to build privacy into everything that we do in our personal life and our business because it makes sense to us to do that—not because someone says that you should.

The internet can instantly connect us to webpages that answer our questions and promise stuff to fulfill our dreams.

But now, the internet is also connecting to physical things. These things provide a service or convenience that we want. For example, an app on your smart phone will start to warm up your car on a winter day so that you don't have to scrape the windows. But, if someone hacks your internet enabled phone and remotely controls your car while you are driving, well, that's an example of how internet connected things can now physically harm you.

Listen to more examples with Bruce Schneier's interview on CBC podcast, SPARK, talking about his book ‘Click Here to Kill Everybody'.

So, lets take control of our privacy by making sure that we have some solid privacy practices that we can follow every day. And prevent internet connected things from harming us and hackers, and other folks to collect our information without our consent.

Protect you identity. It isn't about keeping secrets. It is about protecting what makes you, you.

Practical Privacy Tips Infographic

I created this Practical Privacy Tips infographic to share with the librarians and tech folks attending The Alberta Library Netspeed conference this month. I shared my practical obsession with privacy and confidentiality during my keynote ‘Privacy Like No One Is Watching'.

By clicking on the image below, you will download your infographic that you can print.

Post it in your place of work to remind you to take control by using practical privacy tips.

Yes, you can share!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

infographic, practical privacy tips, privacy

1 2 3 ›»