Information Managers
  • Home
  • Services
    • All Services
  • Blog
  • Upcoming Events
  • Contact Us
  • Practice Management Success
  • Podcasts

PIPEDA Mandatory Privacy Breach Notification

Posted on January 19, 2020 by Jean Eaton in Blog No Comments

Organizations subject to PIPEDA are required to report to the OPC any breaches of security safeguards involving personal information that pose a risk of significant harm to the individuals.

PIPEDA

PIPEDA is a Canadian federal law that sets out the rules for the collection, use and disclosure of personal information in the course of those commercial activities. PIPEDA outlines the 10 Fair Information Privacy Principles that businesses must follow regardless of their size. Organizations need to know privacy rules and make sure that you have the appropriate safeguards implemented in your business.

 

Does PIPEDA Apply To You?

image of map of Canada

PIPEDA applies to most businesses across Canada, excepting Quebec, British Columbia, and Alberta. These provinces have their own private sector laws that are substantially similar to PIPEDA.

But even in those provinces, PIPEDA covers federally regulated industries like transportation, telecommunications and banking. In addition, all businesses that operate in Canada and handles personal information that crosses provincial or national borders are subject to PIPEDA, regardless of which province or territory that they're based in. All businesses in the three territories also fall under PIPEDA.

In Alberta, we have privacy legislation called the Health Information Act (HIA) that takes precedence over PIPEDA and Alberta's Personal Information Protection Act, (PIPA). If a business, like a physician's office, has a privacy breach which includes health information, then the custodian of the physician office must report the privacy breach following the HIA regulations. If employee information or other non-health information is included in the breach then that triggers privacy breach notification under PIPA. Sometimes, a breach can include both types of information and the physician office must notify under each legislation.

In BC, the Personal Information Protection Act (PIPA) is BC's private sector privacy law that has also been deemed substantially similar to the federal private sector privacy law. BC does not have health information specific privacy legislation, so PIPA applies to private organizations in BC, including physician practices, and governs how the personal information about patients, employees and volunteers may be collected, used and disclosed.

If you are a business in Canada, for example, an electronic medical records (EMR) business and you have a data center in Canada where all of your clients across Canada provide their information and store it in your data center, the EMR vendor likely falls under the PIPEDA regulations.

The vendor may be responsive to other legislation as well. If you are an EMR vendor, you do not directly comply with the HIA in Alberta because that applies only to custodians. However, as an information manager of a custodian under the HIA, you have some obligations under the HIA in the event of a privacy breach. But that does not mean that you don't also have obligations under PIPEDA.

 

What Is Included In Personal Information?

image file folders

Personal information is more than just a name or an address. It's data about an identifiable individual that can, by itself or combined with other information, identify a person. It could be a person's age, ethnicity, medical information, credit card number or even an income level. It might also include their Internet Protocol (IP) address or their website or email information.

Regular surveys done by the Office of the Privacy Commissioner of Canada says that small businesses tend to be less aware of their privacy responsibilities than larger organizations. In 2017, 65% of large organizations with more than 100 employees indicated that they were privacy aware. But only 43% of small businesses indicated that they were privacy aware. Smaller companies may not have dedicated compliance officers or privacy officers, and they may not have a sense of privacy knowledge.

The compliance challenge for smaller organizations is made more difficult by the limited human and sometimes the financial resources available to them and the gap on the knowledge about the privacy obligations.

Lack of awareness can potentially lead to complaints about your business, which has an impact on your business's reputation.

 

Privacy Breach

A privacy breach occurs when there is an unauthorized access to or the collection, use, disclosure, our disposal of personal information. There are many things that could qualify as a privacy breach. If you have a financial transaction that includes clients’ information and now is publicly available on your website, that's a privacy breach. If you have somebody in your organization who has access to personally identifying information as part of their job, but they use it for some purpose other than their job, that's snooping, and that is a privacy breach.

There are many examples about what is a privacy breach, but any time that you view, use, or disclose without aauthorization is considered a privacy breach.

Privacy breaches also have a negative impact to our business because it takes time and resources to manage a privacy breach, and it has a huge impact to the reputation of an organization.

 

Privacy Breach Notification

image timeline

The November 2018 PIPEDA mandatory privacy breach notification regulations requires you to know where all of your personally identifiable information sources are and know the safeguards implemented to protect the data.

Then, you need to monitor the data to identify any breaches. If there is a breach of those security safeguards, you need to record all breaches. So even if there is a breach of a safeguard that nobody has exploited, you still need to record that you have identified that there is a potential risk and what you've done to be able to manage that risk and prevent that from happening again.

Next, you need to determine the risk of significant harm, or ROSH. (more about this later.)

The risk of harm test that identifies what information had been included in the breach and the type of harm that could happen to that individual as a result of the breach. When it reaches that ROSH threshold, then you need to notify the Office of the Privacy Commissioner of Canada office. Or, if you are in BC, Alberta or Quebec, you need to report that to the provincial privacy commissioner.

You also need to notify other people about that privacy breach.

You probably need to notify your clients. If you are an EMR vendor or another vendor that's providing a service to healthcare providers, you need to notify them about the breach.

As an example, if you are an EMR vendor that has been breached–perhaps a security compromise or hack into your data centre–you have a responsibility to notify the healthcare providers who collected the personal information. The EMR vendor must also report the privacy breach to the Office of the Privacy Commissioner.

You might also have an obligation to notify the individuals that have been affected by that breach. In your information manager agreement in Alberta, you should have clear written expectations about whether or not a vendor should notify the patients directly about a privacy breach or if the custodian or the health care provider is going to assume that responsibility. This is an important detail that you need to identify in your information manager agreement.

Also see the Practice Management Success Tip Top 3 Agreements Your Healthcare Practice Must Have (And Why) from Information Managers at https://InformationManagers.ca/top-3 for more on information management agreements (IMA.)

 

ROSH

image lady with paper

The risk of significant harm (ROSH) is a framework for assessing the risk to the individual as a result of the breach of individually identifying information. Adopt and use a framework for your organization to assist you to quickly and consistently assess a breach for ROSH.

If there is personally identifying information included in the breach, we can assume that the information is sensitive information to the individual. Generally, I recommend a default that if individually identifiable information is included in the breach, then assess that there is a significant risk of harm to the individual.

The circumstances of a breach may make the information more or less likely to be used maliciously. For example, additional questions that you may want to consider include how did the breach occur? How likely is it that someone would be harmed by the breach? Who actually accessed or could have accessed that personal information? How long has that personal information been exposed? Is there evidence of malicious intent, like hacking? Or was it a theft? Or did somebody intentionally tried to use that information and use it in a very covert way? Were a number of pieces of personal information breached therefore, increasing the risk of misuse? Is the breached information in the hands of an individual that represents a reputation to the risk of that individual or themselves? Or, was the information exposed to a limited, known number of entities who have committed to destroy and not disclosed the data.

 

Privacy Is Good For Business

image people in business

As always, good privacy is good for business. Poor privacy protection can damage your company's reputation and cut into your profit margin. When your practice proactive privacy, you enjoy the confidence and trust of your customers. Canadians tell us that the more they trust a company, the more likely they are to do business with it. Getting privacy right is your opportunity to demonstrate that you deserve their trust and their business.

Remember that one of the fair information principles is accountability. At the end of the day, you are responsible for protecting the personal information that you have collected.

 

Reference: Privacy and your business: An introduction to the Personal Information Protection and Electronic Documents Act. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pp_bus/

Privacy Management Program

Build privacy protections into everything you do is a business. Having clear policies and procedures for the collection, use and disclosure of personal information is of vital importance for your business.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

How to Manage a Privacy Breach with Confidence

The 4 Step Response Plan will help you with prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:

In the world of privacy breaches ‘If’ has become ‘When’. Will you be ready?

The best way to do this is by developing a privacy management program that covers all aspects of how you handle personal information. The 4 Step Response Plan will help your organization be prepared to prevent privacy breach pain. 

Click here for more information on the on-line 4 Step Response Plan course available now!

image

 

 

Learn How To Manage A Privacy Breach With Confidence
#PracticeManagementNugget, Canada, healthcare, mandatory notification, mandatory privacy breach notification, personal information protection electronic documents act, PIPEDA, podcast, privacy breach

Data Privacy Day 2020 Events for You!

Posted on January 14, 2020 by Jean Eaton in Blog No Comments

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

Information Managers Ltd is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data and enabling trust.

“Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.”

 Jean L. Eaton, Your Practical Privacy Coach of Information Managers Ltd.

Data Privacy Day Activities

Understanding Mandatory Privacy Breach Notification

To celebrate Data Privacy Day, Information Managers is hosting a free 30-minute webinar on Tuesday January 28, 2020.

Mandatory Privacy Breach Reporting is here!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, pharmacists, optometrists, dentists, dental hygienists, chiropractors,  nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then  . . then this free webinar is for you!

What you need to know about mandatory privacy breach notification!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

  • what is a privacy breach
  • why a privacy breach is a significant problem
  • why have mandatory privacy breach notification
  • lessons learned in the first year of mandatory notification
  • offence and penalty provisions of the HIA
  • privacy breach notification requirements
  • what you need to do now

Click Here to Register for the Free Webinar

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy’s “Talk Shop” YouTube channel.

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by @lsergy. Privacy tips for business owners just in time for Data Privacy Day!

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by Lauren Sergy!

 

 

I Heart Privacy!

Just in time for Data Privacy Day!

Print badges for your team.

I heart privacy Right-Click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

 

 

 

 

 

 

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

I Heart Privacy DPD Badges      I Heart Privacy Badges

You can even customize the labels and add your business name!

 

Follow Us On Social Media!

Each day from Jan 22 – 28, we will have for daily privacy tips, and free links to additional resources on our social media accounts that you can download right away! Follow us!

Twitter

 

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/data-privacy-day. You can also follow the campaign on Twitter at @DataPrivacyDay or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtag #PrivacyAware to join the conversation.

Please use the social share buttons to share these Data Privacy Day activities with your friends and colleagues.

#DataPrivacyDay, #PrivacyAware, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton, healthcare

The Future Of Privacy Virtual Summit

Posted on January 7, 2020 by Jean Eaton in Blog

Discover why privacy, protecting personal information and securing critical data assets are priorities for business leaders in 2020.

I'm tickled pink to be presenting ‘Privacy of Health Information, an IFHIMA Global Perspective’ with Lorraine Fernandes at Bright Talk’s upcoming Data Security and Privacy Virtual Summit. All professionals with an interest in Data Security and Privacy are welcome!

The increasingly mobile, rapidly digitizing world of data is transforming all aspects of information and leading to new policies and regulations to support data privacy.

Beyond its primary purpose of improving personal healthcare outcomes, health data is being used for a wide range of purposes from improving population health, disease surveillance and the study of health economics. There are dramatic changes in how patients, consumers, or individuals access and use their health data. And, new technologies such as machine learning, artificial intelligence and biometric authentication are further compounding health information privacy challenges. Now more than ever, it is critical that the privacy of health information be protected.

Lorraine Fernandes and Jean L. Eaton will share:

  • The role of The International Federation of Health Information Management Associations (IFHIMA)
  • The need for a privacy information sharing agreement (ISA) explored in the IFHIMA healthcare whitepaper
  • High level overview of global privacy trends impacting healthcare
  • Why privacy is a priority for business leaders in 2020
  • The importance of a privacy management program and privacy awareness training to protect personal information and secure critical data assets
  • Prepare for emerging privacy trends

Register here (https://ifhima.org/sign-up-for-ifhima-global-news-whitepaper-and-events/) to receive this free white paper and learn more about IFHIMA.

Join BrightTALK’s upcoming virtual summit for a global, three-day online event.

Register for free thought leadership from the world’s top speakers, vendors and evangelists in the form of live webinars, panel discussions, keynote presentations and webcam videos. From Data Protection Officers, to CISOs and CTOs, all professionals with an interest in Data Security and Privacy are welcome!

Register To Attend Bright Talks' Free Virtual Summit

Three Virtual Summit Tracks

The 2020 Compliance Landscape – January 21, 2020 Learn what’s needed to achieve and maintain your CCPA, GDPR, PCI and HIPAA compliance.

The Future of Privacy – January 22, 2020 Discover why privacy, protecting personal information and securing critical data assets are priorities for business leaders in 2020.

Data Security Done Right – January 23, 2020  Find out how to improve security from the ground up and what’s needed for building security-by-design.

#IFHIMA, Bright Talk, privacy, virtual summit

Top 3 Practice Management Nuggets Blogs and Podcasts in 2019

Posted on January 2, 2020 by Jean Eaton in Blog

I wish you a prosperous New Year and personal and professional growth.

Practice Management Nuggets blog posts and podcasts is designed to help you achieve that. I started this in January 2014. We’ve grown over the years and improved the technology and platforms to better help you start, grow, and improve your healthcare practice. I help you to manage the pink elephant in the room!

Over the last year, you have made these blog posts and podcasts rank in the top 3 for 2019. If you missed these, or want to re-visit them, follow the links below.

Check out these top 3 Practice Management Nuggets blog posts and podcasts.Click to Tweet

Here Are The 3 Best Blog Posts And Podcasts Of 2019

Top 3 Blogs 

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Curiosity Is NOT Need-To-Know

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

 

Top 3 Practice Management Nuggets Podcasts For Your Healthcare Practice

Privacy Awareness Quiz #PrivacyMatters | Episode #076

How Improved Patient Satisfaction Saves You Time And Money | Episode #074

Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067

Stay tuned for more guest experts, tips, tools, templates and training in 2020!

blog, healthcare, podcast, privacy

How To Correctly Identify Patients And Use Photo ID

Posted on December 10, 2019 by Jean Eaton in Blog

Patients should be asked to show their Alberta Health Care Insurance Plan (AHCIP) card and photo identification when visiting a practitioner office.

The Importance Of Correct Patient Identification

Failure to correctly identify patients can lead to serious problems such as medication errors, as well as privacy breaches.

Positive patient identification is critical to ensure patient safety and protect patient data. According to industry research cited by RAND, 7-10% of registering patients are misidentified upon entry.

Patient mis-identification contributes to:

  • 27% of radiation errors
  • 29% of medication errors
  • 5% of wrong-patient/wrong-site surgeries
  • 850 medical errors and 20 deaths related to blood transfusions

And, of course, we must deal with the administrative headache of privacy breaches and medical identity theft and duplicate patient records!

In Canada, health ministries have underscored the importance of correct patient identification when they issue Patient Safety Alerts. Correct patient identification criteria is also included in Accreditation Canada standards.

Verifying patient information improves patient care and efficient business practices.Click to Tweet

Verifying patient information improves patient care and efficient business practices.

  • Care – Good patient care starts with correct patient identification. Incorrectly identifying patients contributes to medication, transfusion, procedure and testing, errors.
  • Good Documentation – Avoid incomplete, inaccurate, and duplicate patient records!
  • Gatekeeper –Each caregiver has the responsibility to identify the patient before providing a health service. I think that the family physician has an added role and responsibility of the patients’ gatekeeper to additional health services to ensure that the documentation of patient identification is correct at the time of registration.
  • Billing – Avoid rejected billing and re-work when you correctly identify the patient and record the data correctly the first time. Patient demographic information is best corrected while the patient is present at the clinic instead of trying to contact the patient after they leave the clinic.
  • Uninsured Services – The practitioner will submit a claim to the Alberta Health Care Insurance Plan directly for all insured services provided. If a provincial health care card is not shown or the individual is not eligible for coverage, they may be asked to pay for health services before receiving them.

How To Correctly Identify Patients

Ask The Patient Questions – When a patient presents to register for a new or repeat visit, ask for at least two sources of patient identification. You may also request new patients to complete a new patient registration form.

Ask for Photo Identification – Photo identification will validate that the information and the image of the patient in front of you corresponds to the information from the patient and AHCIP. If there is a discrepancy, the best time to sort it out is when the patient is still at the clinic.

New Patient Registration Form (optional) – A paper form allows for discretion when asking for demographic information including date of birth, address, medications, Alberta Health Care Insurance Plan, allergies, etc. This reduces overhearing the conversation from other patients and staff and can often improve workflow and reduce congestion at the reception desk.

Document – Record on the new patient registration form or the clinic note that the photo identification was reviewed and that the image matches the individual. Use a clinic note or other location in patient record that is used consistently in your healthcare practice. (Bonus Tip: You might be able to create a template clinic note in your EMR for this. Or, create a check list template of this and related tasks to be completed for each (new) patient registration.)

Enter the information into the patient demographic or EMR system. Use registration document standards to ensure consistent data entry.

Validate – the AHCIP # and the patient information is valid by using the Netcare parameter launch browser between the EMR and Netcare. This will also help to ensure that there are no data entry errors in the EMR. If necessary, assist the patient to complete a change of information form for AHCIP, or make an update entry in Patient Registry if you have appropriate access. If you don’t have access to the Netcare via browser or web sign-on, use the phone number to AHCIP for this purpose.

Don’t Photocopy The Photo Identification

You should record that you viewed the photo ID and verified, but do not record the unique number associated with the photo identification (for example, driver’s license number). Do not photocopy the photo identification.

Remember, we have a responsibility to collect the least amount of information necessary. Viewing photo id to verify the identity of the patient, is a reasonable step to ensure the safety of the patient and to prevent an error. Recording the drivers license number or photocopying the drivers license is not necessary to provide a health service and an unnecessary (and probably illegal) privacy and security breach.

Listen To The Podcast Here

Members of Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, patient registration procedure template, collection notice template, and the new patient registration form template.

Not a member of Practice Management Success, yet? What are you waiting for?

Get Your Practice Management Success Membership Now!
#PracticeManagementNugget, AHCIP, Alberta Health Care, dentists, drivers license, healthcare, medical errors, Netcare, Patient identification, photo ID, podcast, registration, risk

Ransomware – 6 Mistakes Made By Dentists (And Their IT)

Posted on November 14, 2019 by Jean Eaton in Blog

Anne Genge of Alexio tells us that 96% of healthcare providers are concerned about how their staff are using personally identifying health information.

But, many healthcare providers and business owners don’t know what to do about it!

Can your staff protect you from a ransomware attack?

Yes, they can!

And it doesn’t have to be hard or expensive to do that.

Anne will help us to understand the cyber security risks that every healthcare practice in Canada is facing now and what you can do now to reduce your risk on Practice Management Nuggets For Your Healthcare Practice. Anne Genge, CEO of Alexio Corporation is my guest expert.

 

Anne Genge's #1 Tip to healthcare providers and practice managers

Invest in a professional cyber security risk assessment for your practice.Click to Tweet

My Favorite Takeaways From The Podcast

  • Ransomware is the biggest threat to any digital environment
  • Healthcare data is urgent – we need it to treat our patients.
  • Cyber security awareness is very low among healthcare providers.
  • Data loss often happens even when you can de-encrypt the data often resulting in 15% loss.
  • Without proper remediation, repeat ransomware attacks can happen.
  • Good backup insulate yourself from data loss, remediation costs, mandatory privacy breach reporting, loss of reputation, fines, and penalties.
  • Intrusion detection and prevention software can alert users to potential problems, but sometimes, individual users’ behaviour continues to put the practice at risk.
  • 90% -92% of successful breaches are facilitated by human error.
  • IT focus on efficient workflow and communications between systems. Security professionals monitor access to ensure it is authorized and appropriate. Both roles is necessary in our digital practices.

6 Mistakes Made By Dentists (And Their IT)

  1. Think that IT has them covered and that ransomware won't happen to me!
  2. Not updating and monitoring computer systems with intrusion prevention/detection.
  3. Don't have a comprehensive backup of all of your data in at least 3 locations.
  4. Don't run backup restore tests regularly.
  5. Don't have a written mandatory cyber security awareness training plan.
  6. Don't have an independent cyber security risk assessment and management plan annually.

Instead,

Take steps to prevent a ransomware attack – including cyber security education for your team, implement good IT systems, complete and comprehensive backup, and an annual cyber security risk assessment preventative digital IT health assessment.

Let Alexio help assess your risk, protect your practice, ensure data recovery, and train your staff.

Protect your investment today.

Get started with a quick on-line self assessment

Book a 30 minute consultation with Anne!

Follow Anne and Alexio on social media for more training and tips

InformationManagers.ca/Likes-Alexio

Anne GengeFeatured Guest: Anne Genge

Alexio Corporation

Anne Genge is a pioneer in protecting health data and those who use it. She is a Certified Information Privacy Professional with a specialization in dentistry. Anne also holds certifications for HIPAA, Credit Card Security, Internet, and Network Security. Ransomware and data theft have changed the face of dentistry in the past decade meaning dentists need a new toolkit for protecting their practices.

With over 20 years of experience, Anne knows the challenges healthcare providers face with technology. She and her team at Alexio Corporation work with dental and medical professionals to minimize data risk and maximize patient care. As healthcare grows increasingly dependent on the digital environment, cyber-security becomes increasingly more difficult. Protection of patient data is not only law, it’s imperative for business success and reputation. Anne simplifies cyber-security for dentists and other healthcare providers and gives ‘real world’ strategies to protect patient information and the practice business.

Be sure to tune in to my interview with Anne Genge,

Ransomware – 6 Deadly Mistakes Made By Dentists (And Their IT) | Episode #082

Listen To The Podcast Here
#PracticeManagementNugget, Alexio, Anne Genge, dentists, healthcare, podcast, ransomware, security risk assessment

Privacy of Health Information, an IFHIMA Global Perspective

Posted on November 12, 2019 by Jean Eaton in Blog

The 19th Congress of IFHIMA, the International Federation of Health Information Management Associations, will feature the release of IFHIMA’s latest whitepaper, “Privacy of Health Information, an IFHIMA Global Perspective.” I’m honoured to be the Chair of the Working Group and one of the authors. After months of work from dedicated HIM professionals and IFHIMA volunteers, I’m tickled pink to be able to share this with you.

Privacy of Health Information, an IFHIMA Global Perspective whitepaper provides a synopsis of current trends in privacy in healthcare around the globe, discusses the role of HIM professionals in privacy, and offers more detailed perspectives through case studies from Australia, the European Union, India, Qatar, the Republic of Korea (South Korea), and the USA.

Health Information Management (HIM) professionals have transitioned from their traditional role of health records custodian to data stewards and information privacy advocates and have an opportunity to take a leadership role with regard to the privacy of health information.

This privacy paper includes discussion on

  • Global privacy trends
  • What is personal information?
  • Privacy and trust
  • Challenges in maintaining trust when technology moves faster than regulations
  • Privacy stewardship foundations, including the role of the privacy/compliance officer
  • Avoiding risks, harm, and breaches
  • The complexity of breach notifications
  • How technology impacts privacy

After a thorough discussion, the paper also suggests several actionable steps that anyone can implement and discuss with their teams. Privacy is a team effort, but it requires a strong, trusted leader who can be the voice of clarity and transparency for patients, consumers, and regulators — all while building consensus.

These steps include:

  1. Get involved as privacy regulations are developed
  2. Assess what the regulations may mean to your organization
  3. Communicate your insight to the team, leadership, and regulatory bodies
  4. Identify required changes to systems, processes, and technologies
  5. Train your teams, admins, and patients about their privacy rights and responsibilities
  6. Commit to ongoing professional growth to stay abreast of the changing landscape

Privacy regulations that bring together emerging technology, healthcare processes and individual rights should take a pragmatic approach with consideration to future health information technology solutions such as telemedicine, Internet of Things and big data.

 

HIM professionals, in our role as stewards of health data, should be the voice of clarity and transparency for patients, consumers, and regulators. #IFHIMAClick to Tweet

6 Case Studies

The whitepaper includes observations and commentary about the status of privacy projects around the world, including the following case studies

  • My Health Record – The Australian Experience
  • General Data Protection Regulation of the European Union Reaches Far Beyond Europe
  • Health Care Privacy: An Indian Scenario
  • Developing a Global Standard for Health Information Privacy Workforce Education – A Republic of Korea (South Korea) Case Study
  • Health Information Exchange Implementation – Qatar, HIE Consent Model for Privacy Concerns – Privacy Regulatory Framework
  • Laying the Foundation for Privacy Practice and Compliance in the Outpatient Setting: Policies and Procedures. Download the Privacy of Health Information

This whitepaper will aid anyone tasked with planning for increased data sharing while trying to manage healthcare privacy. Ministers or Department of Health staff, privacy and data governance consultants, vendors, and health systems should find it especially helpful. Whether you are from a nation crafting its initial privacy regulations, or a nation revising insufficient policies, the information is relevant and enlightening.

I’d like to express my appreciation for the hundreds of hours of work contributed by this exemplary group of volunteers, including

Lorraine Fernandes

Angelika Haendel

Jenny Gilder

Mujeeb C. Kandy

Ok Nam Kim

Dr. Sabu Karakka Mandapam

Veronica Miller Richards

Dorinda M. Sattler

Dr. Rajesh Kumar Sinha

Selvakumar Swamy

Christopher Wilde

 

Click here to Register and receive this whitepaper and IFHIMA Global News, published three times per year.

 

Privacy of Health Information, an IFHIMA Global Perspective
#IFHIMA, healthcare, privacy, whitepaper

Improved Communication, Improved Dental Business

Posted on November 5, 2019 by Jean Eaton in Blog

Would you like to increase your dental business practice revenue immediately?

Maybe you have a need to maximize efficiencies and create your dream team.

Dr. Angela Mulrooney believes that when you focus on communication with your customers and create consistency in your dental practice, you will increase your revenue and reduce your working hours.

Angela Mulrooney is the Business Doctor, and today she is my guest expert.

Meet Dr. Angela Mulrooney

Angela Mulrooney is published author, a retired dentist, and a dental practice coach who resides in Calgary.

Angela Mulrooney discussed how communication with patients and your team and a marketing strategy can improve your business.

If you would like to transform your dental practice and maximize the potential within the practice so that you can focus on spending more time with patients, giving them the best care that you possibly can while trying to level up everyone's skills in the practice as well, be sure to tune in to my interview with Dr. Angela Mulrooney, Improved Communication, Improved Business Episode | #081.

Don’t Miss This!

Angela has a generous offer for you to get a complimentary 1 hour strategy call to discuss your practice.

Listen to the Practice Management Nuggets Podcast For Your Healthcare Practice Here.

#PracticeManagementNuggets, #SocialMediaGuru, Angela Mulrooney, business, coaching, dental, dental business My Business Doctor, dentist, marketing

Confident Women Leaders – 10 Key Steps To Prevent A Privacy Breach

Posted on October 22, 2019 by Jean Eaton in Blog

It only takes a little time and effort now to dramatically reduce the likelihood of a privacy breach in the future.

Recently, I was a guest on Confident Women Leaders Community Facebook Live hosted by Kathy Archer, Leadership Development Coach with Silver River Coaching.

It was a lot of fun to talk with Kathy about how small business, not-for-profit organizations, and clubs can quickly and easily build in privacy with their employees and volunteers as part of good business practices.

Practical Privacy Tips

We talked about the 3 simple practical tips every organization can use to prevent a privacy breach. This works for every type of organization.

Tip #1: Create an inventory of the personal information that your organization collects and is now responsible to keep confidential and secure.

Know what you collect, and review the reason why you collect the information. Make sure that you collect the least amount of information on a need to know basis at the highest level of anonymity. Use the inventory like a library account – keep track of who has access to the information, and when it is returned.

Tip #2: Create a checklist for the orientation of each new employee and volunteer that clearly tells them of your organizations expectations about how they will keep volunteer, employee, client, and donor personal information private, confidential, and secure.

Name a privacy officer in your organization and make sure everyone knows who this is. Make sure to train and support your privacy officer so that they can do a good job for you.

You can use the 10 Key Steps To Prevent A Privacy Breach Checklist as part of your orientation package.

Tip #3: Make it easy for volunteers and employees to keep information confidential and secure.

It’s not always about technology.

You can manage personal information on paper. Or, you could use private shared computer networks for your authorized users, like board directors and managers, to access all of their organization business records.

Here’s an example of a breach in a social service agency who did not properly secure board minutes containing confidential information on a computer server and faced a $25 million lawsuit.

Join Kathy's Private Community of Women Leaders to watch the Facebook Live replay (available for a limited time!) You can take these easy to implement steps to protect your clubs, healthcare practices, and small businesses from errors, omissions or attacks that could result in complaints, fines and even jail time!

I've put together a checklist for you about the 10 Key Steps To Prevent A Privacy Breach.

Download the checklist and make sure that you implement these best practices in your business.

10 Key Steps To Prevent a Privacy Breach

Confident Women Leaders Community

Confident Women Leaders Community with Kathy Archer is ongoing training for women leaders in Canada’s non-profit organizations.

Leaders often hit a point where they find themselves in over their heads and wondering if they have what it takes to lead. Maybe that is where you are at now! Know you are not alone!

As a Leadership Development Coach and Leader of the Confident Women Leader’s Community Kathy Archer is here to provide you with guidance, support, information and a big hug when you need it!

But it’s not just me. We are all in this together!

CONNECT WITH Kathy Archer
https://www.silverrivercoaching.com/

 

confident, Kathy Archer, leaders, privacy breach, Silver River Coaching, women

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards
123›»

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

I have used Corridor's Privacy Awareness in Healthcare: Essentials online training program. The course has helped satisfy the training requirements of the Health Information Act. Staff go through the course at their own pace while we monitor to ensure completion.

- Luke Brimmage, Executive Director, Aspen Primary Care Network

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2019 Information Managers Ltd.