Information Managers

Should You Use Encrypted Emails In Your Practice?

Posted on June 27, 2022 by Jean Eaton in Blog

There are many jokes around these days like “Fax machines? Who still uses those? And why are you still using fax machines? It’s the 2020s, not the 1990s!”

People who don’t use them regularly may not realize it, but many places still use fax machines today: legal offices, governments, and yes, doctors’ offices.

Part of the reason is security. A fax travels point to point over the telephone network, whereas a regular email passes in clear text through several mail servers that neither the sender nor the recipient controls. That advantage is relative, though; as we will see, faxes have their own failure mode, chiefly being sent to the wrong number.

One doctor’s office asks: As healthcare professionals, we routinely send our referring physicians a report of the patient’s progress by fax. One clinic would like us to send the reports to them using their encrypted email link instead of fax.

Can we do that?

Today we’ll look at the pros and cons of switching to encrypted email as a method to securely send personal health information and try to answer this question.

What Are The Issues With Email?

First, we need to look at regular, non-encrypted email.

Grant Dakin, President of Solid Technology Solutions reminds us:

“When it comes to sharing sensitive information via email it should always be assumed that it is insecure. Basic email is generally open text, and many email servers out there, especially on the public side, are not set up to handle encrypted email protocols.”

Even if your email provider encrypts messages while they travel between mail servers (TLS), that protection is hop by hop and only in transit: each intermediate server handles the message in the clear, and the copies in the sender’s Sent folder and the recipient’s inbox usually sit unencrypted on disk, readable by anyone with access to either mailbox.

So transport encryption addresses only part of the problem. Even when a message arrives safely, storage is a separate risk.

The sender and the recipient both need to manage their mailboxes: keep only the information that is needed, restrict access to the people who need it, and securely delete messages once they have been filed in the record.

When you send information to another clinic or doctor’s office, ask what practices it has for storing what it receives.

The same questions are important for patients as well:

  • Does the patient have access to a computer where they can download information?
  • Are they using a personal computer or an employer’s computer?
  • Do they have a secure place to access the information?

These are all things which need to be taken under consideration before you send personal information by email in your healthcare practice.

Why Are Some People Switching Away From Faxing?

So, a referring partner who typically sends the consultation report to you by fax now wants to send it to you by encrypted email.

It’s not uncommon for places to want to upgrade their technology.

Fax machines can be large and clunky, and using encrypted email for consultation reports, referral requests, and more is attractive as a way to streamline operations. Many people feel that fax machines are obsolete. In early March of 2021, the Government of Ontario announced it would phase out its use of all fax machines by the end of the year.

However, there is no alternative communication standard shared across healthcare, private, and public users that is as widely adopted as the fax machine.

There have also been numerous privacy breaches in healthcare related to improper use of fax machines. For example, in its 2020 Annual Report, the Ontario Information and Privacy Commissioner (IPC) found that about 58 per cent of the breaches experienced by health information custodians in 2020 were caused by misdirected faxes.

How Does Encrypted Email Work?

Encrypted email depends on encryption keys.

What is encryption? Encryption scrambles a message into a form that is unreadable without the matching key. Only someone who holds that key can turn it back into the original message.

In the simplest form, both the sender and the receiver hold a key: the sender uses it to encrypt the message before sending it, and the receiver uses the matching key (the same one in a symmetric scheme, or the private half of a key pair) to decrypt it. Most commercial services spare their users that key handling altogether: the service holds the message and releases it only after the recipient proves who they are.

Grant Dakin explains: “Encrypted email services are a third-party service that will securely store the message, typically a secure web page, until a verification process is completed. This is key. The recipient needs to prove their identity to be able to view the message. At minimum, this can be a username / password challenge using a verified recipient-owned email address. When possible, it is recommended to have multifactor authentication (MFA) employed. The use of MFA is dictated by compliance requirements, the type of information and your user base.”
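The flow Grant Dakin describes, together with the earlier point that transport encryption does nothing for copies at rest, as an added example that is not code from the original post, from Solid Technology Solutions, or from any encrypted email vendor: a small Python model of a secure-pickup service built from the standard library only. The service class, the recipient address and password, the report text, and the HMAC-based cipher are all constructed for illustration; a real product would use a vetted AES-GCM implementation, scrypt or Argon2 for passwords, and an authenticator app holding the TOTP secret.

```python
"""Secure-pickup encrypted email, modelled with the Python standard library only.

Added example: the message body is stored encrypted at rest, and the plaintext
is released only after the recipient proves identity with a password AND a
TOTP code. The cipher (HMAC-SHA256 in counter mode, encrypt-then-MAC) stands
in for the AES-GCM a real product would use; nothing here is a vendor's code.
"""
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000   # illustrative; production would use scrypt or Argon2


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Store a salted, stretched hash, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code an authenticator app shows."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and authentication keys derived from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; the tag detects any change to the stored blob."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("stored message was altered or the key is wrong")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class SecurePickupService:
    """The third-party 'secure web page' that holds a message until verification succeeds."""

    MAX_FAILURES = 5

    def __init__(self):
        self._at_rest_key = secrets.token_bytes(32)   # lives on the service, never in an email
        self._recipients = {}   # email -> (salt, password digest, TOTP secret)
        self._messages = {}     # message id -> (recipient email, encrypted blob)
        self._failures = {}     # email -> consecutive failed pickup attempts

    def enrol_recipient(self, email: str, password: str) -> bytes:
        salt, digest = hash_password(password)
        totp_secret = secrets.token_bytes(20)
        self._recipients[email] = (salt, digest, totp_secret)
        return totp_secret      # provisioned to the recipient's authenticator app out of band

    def submit(self, recipient: str, plaintext: bytes) -> str:
        """The sender hands over the report; only this opaque id goes into the notification email."""
        msg_id = secrets.token_urlsafe(16)
        self._messages[msg_id] = (recipient, encrypt(self._at_rest_key, plaintext))
        return msg_id

    def stored_blob(self, msg_id: str) -> bytes:
        """What a breach of the service's storage would expose: ciphertext, not the report."""
        return self._messages[msg_id][1]

    def pickup(self, msg_id: str, email: str, password: str, otp: str, now: int = None) -> bytes:
        """Release the plaintext only to the addressed recipient, after both factors check out."""
        now = int(time.time()) if now is None else now
        recipient, blob = self._messages[msg_id]
        if email != recipient or email not in self._recipients:
            raise PermissionError("verification failed")
        if self._failures.get(email, 0) >= self.MAX_FAILURES:
            raise PermissionError("account locked after repeated failures")
        salt, digest, totp_secret = self._recipients[email]
        # '&' rather than 'and': evaluate both factors, so the error never says which was wrong
        ok = verify_password(password, salt, digest) & hmac.compare_digest(
            otp.encode(), totp(totp_secret, now).encode())
        if not ok:
            self._failures[email] = self._failures.get(email, 0) + 1
            raise PermissionError("verification failed")
        self._failures[email] = 0
        return decrypt(self._at_rest_key, blob)
```

Two things the model makes concrete: the notification email carries only an opaque message id, so nothing sensitive sits in either party’s mailbox, and the report is decrypted only after both the password and the current one-time code verify, with a lockout after repeated failures. Note where the model ends: once the recipient downloads the report, the storage questions raised above apply to their own computer.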

This may seem overly complicated if you are not used to encryption services. It is rarely a problem when the other party is another clinic, especially one that suggested encrypted email in the first place.

(Figure: Encrypted Email Process Diagram)

When it comes to sending information to patients, especially those who aren’t very tech savvy, you need to consider if encrypted email is the right option.

Things to Consider When Implementing Encrypted Email

If you are considering encrypted email for your practice, start with a risk assessment that covers:

  • Discussion with your IT vendor or managed service provider
  • The reputation of the encryption vendor
  • Whether the service meets the compliance requirements of your industry
  • A review of your existing policies and procedures, updated as required
  • Approval from your Privacy Officer, custodian, or CEO
  • A new or updated privacy impact assessment (PIA)
  • Training for your staff on how to use the encryption software
  • Whether the service verifies that the right person is viewing or accessing the information (a password plus MFA, as described above)
  • Whether encryption is actually in use at every step: if messages are retrieved in a browser, the portal must be served over HTTPS with a valid TLS certificate for the vendor’s own domain, and staff should check the address before entering credentials, since a look-alike “secure message” page is a common phishing lure

For further guidance on choosing an encrypted email service, Grant Dakin offers the following:

“When looking for an encrypted email service, be certain that the service provider can demonstrate compliance. Most third-party providers base their compliance on HIPAA, which is a US-based compliance, but it is very much in line with Alberta's Health Information Act (HIA) and our various Privacy Acts. For us, at SolidTech, the most common encrypted email service provider that we deploy would be Microsoft 365, which is HIPAA / HIA compliant, providing it is set up properly.”

Consider also that if you send information via encrypted email, there will probably be a learning curve for the receiver of the information as well. You may want to offer a basic outline to patients who opt to receive email this way about how it all works.

It may be surprising how much time it takes to implement an email encryption service correctly in your healthcare practice. But if you are going to “axe the fax” and discontinue the use of a fax machine, you need to complete a risk assessment and plan an alternative solution.

What Else Can I Use, Instead of Encrypted Email?

If you aren’t ready to make the jump to encrypted email systems but want to get away from using fax machines in your practice, there are alternatives to encrypted email to consider.

Some of these include:

  • Portals from electronic medical record (EMR) systems
  • Sharing networks
  • Secure messaging

PrescribeIT® enables prescribers to electronically transmit a prescription directly from an electronic medical record (EMR) to the pharmacy management system (PMS) of a patient’s pharmacy of choice. See the blog post, “Using PrescribeIT To Streamline Your Workflow”.

Any change to how you send personal information, whether to patients or to other clinics, cannot be a unilateral decision on your part.

Just because you’re ready to make a change, it doesn't mean that the recipients are ready to receive it in that way. You must communicate with your partners and patients about your plans and ensure everyone is on board.

Furthermore, it’s always good to have a business continuity plan in case your chosen method ceases to work as expected.

I’m Ready To Implement Encrypted Email—What’s Next?

If you think encrypted email might be the right choice for your practice, you might wonder, “What next?”

Getting started with a change like this may seem overwhelming, but you don’t have to do it alone.

Connect with Grant Dakin of Solid Technologies Solutions Inc. 

Also see, “Texting with Patients; Can You Use Text Messaging With Patients?” 

digital health, healthcare practice management, privacy

Why You Need Policies and Procedures

Posted on March 15, 2022 by Jean Eaton in Blog

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important.

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, additional legislative requirements call for specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Protection Act (PIPA)

When a custodian collects health information in Alberta, it must follow the Health Information Act (HIA).

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Protection Act (PIPA).

The colleges of regulated health professionals (such as the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA)) require dentists and physicians to meet standards of practice that include compliance with HIA and PIPA.

In addition, each college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you cannot demonstrate that you had reasonable safeguards in place, such as written policies and procedures, you may be found guilty of an offence under the Act.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

Here are 3 common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy-to-read, easy-to-understand policies and procedures, it doesn’t have to be hard. In fact, you can purchase templates to make this easier.

  2. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing that time pays off: it prevents the losses that come from inconsistent or broken procedures, from using or disclosing health information in error, from fines, penalties, and public relations nightmares, and from the time required to run a privacy or security investigation.

  3. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

 


Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

Privacy Impact Assessments (PIA)

 

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Piles of Paper: Shredding Options For Employees Who Work From Home

Posted on March 10, 2022 by Jean Eaton in Blog

In the spring of 2020 many workplaces and employees had to make fast pivots to deal with the reality of the COVID-19 pandemic.

Kitchen tables and spare bedrooms became home offices and remote classrooms.

Employee commutes shrank to the time it takes to walk from the kitchen after breakfast to a makeshift workspace.

Many people have found they enjoy the freedom and extra time this has given them to spend with family, work on hobbies, or simply avoid sitting in traffic or on transit every day.

As the pandemic starts to wind down, many employees and employers are taking a critical look at where and how we work.

Managers are realizing their staff can be just as productive from a home office, and they don’t need to always be present in the office to be productive.

Companies are offering more flexibility, continuing to allow work from home arrangements or hybrid models for those who prefer it in order to retain staff.

However as the landscape of work has changed, employers continue to have a responsibility to ensure privacy of data from clients and patients, even when employees are working at home.

It’s been nearly two years since many employees shifted to working from home as a result of the onset of the COVID-19 pandemic, and many have accumulations of records which need to be disposed of properly.

Do you have a plan in place to manage shredding services for employees who have been, and continue to work remotely?


We know it is a common privacy breach to have confidential information discarded in the garbage or recycling bin and subsequently disclosed to unauthorized persons.

Many offices may have overlooked this in the rush to have employees work from home at the start of the pandemic, when many of us thought this would just be a temporary measure, maybe a few weeks and then back in the office.

However, this has gone on much longer than anyone anticipated, and there is now a workforce with papers piling up at home, many of whom will continue to work remotely going forward.

Now is a good time to review previous procedure decisions and tweak them as necessary.

Spring might be a good time for a little house (or home office) cleaning.

Prevent Paper Privacy Breaches

The ultimate goal is to prevent privacy breaches from paperwork being disposed of improperly.

With this in mind, there are a few options to consider:

  • Having employees return the confidential paper to their place of employment for secure shredding. This can be difficult for those who commute by public transit or simply don't want the hassle of carrying boxes of paper to the office.
  • Arranging for a shredding company to do a home-office pick-up. This could be done through a courier service or arranged with your current shredding company. Both would likely already be covered by existing contracts and security precautions, but confirm this rather than assume it.
  • The employee arranges a shredding service pick-up at their home office. The employee pays for the service and either bills the expense back to the employer or, perhaps, includes it in their home office expenses at tax time. In this case you may want to vet the shredding companies in your area first and tell employees which ones are approved for this purpose.

Arranging remote shredding services for your work from home employees means happier employees (as they no longer have to worry about papers piling up), and more peace of mind for clients as well.

Choose Convenience And Security

Paying for a secure shredding service to attend the home office is money well spent: the shredding is far more likely to be done securely and to actually get done.

Some things to look for when choosing a shredding company include:

  • Do they have an understanding of compliance requirements for shredding personal health information?
  • What training do their staff have?
  • Are their staff subject to background checks?
  • Mobility – Will they come directly to you?
  • What prep work do they require of you? (For instance, do you need to remove all the staples from your files before shredding?)
  • Do they have a reputation for arriving on schedule? (check reviews)
  • Can they shred documents on site, rather than taking them to a secondary location?
  • How do they handle the waste from shredding, will it be responsibly recycled?
  • Transparent pricing with no surprises
  • Do they offer a certificate of destruction?

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Managing Records When Transitioning from Work to Home Alberta OIPC

Is Remote Working A Good Choice For Your Healthcare Practice? Information Managers

healthcare practice management

Going Digital: Using PrescribeIT® To Streamline Your Workflow And Modernize Your Healthcare Practice

Posted on February 17, 2022 by Jean Eaton in Blog

Using PrescribeIT Makes Prescribing Easier And More Convenient

As a family physician you have a lot of responsibilities.

One of which involves writing, and refilling prescriptions for your patients.

This task, in and of itself, is simple enough, however, there’s often much more to it.

You’re dealing with patients calling in to get a refill, or the pharmacy looking for clarity, or wanting to make a substitution.

Managing all of this can be time consuming and frustrating – but there is a better way.

Would you like to take back the time and reduce frustration in your practice?

PrescribeIT® might be the solution you’ve been waiting for.

PrescribeIT® makes prescribing easier and more convenient for Canadians, prescribers, and pharmacists. It also improves patient safety and health outcomes and protects patient privacy.

PrescribeIT® is a project of Canada Health Infoway, an initiative that aims to help bring healthcare into a digital world so that physicians can better connect with patients and pharmacies.


Benefits of Using PrescribeIT Digital Prescriptions

Paper and fax-based prescriptions are outdated, inefficient, and costly – going digital can help you reclaim your valuable time and money.

PrescribeIT® can help reduce prescription errors caused by illegible handwriting, and eliminate patients calling to have a script redone because they have lost it.

Some of the benefits of managing prescriptions digitally using PrescribeIT® include:

  • The ability to electronically generate, accept, renew, and cancel prescriptions directly from your electronic medical records (EMR) at no additional cost
  • Avoid errors which can arise with fax transmissions
  • Offers secure transmission from your office to the pharmacy – email isn’t secure, and you never know who is on the other side of a fax machine
  • Streamlined system for pharmacies to request refills and renewals
  • Enhanced patient safety and privacy

All of these benefits can be implemented with minimal changes to your current workflow processes.

Paper Prescriptions Are Inefficient

Did you know that over 600 million prescriptions are dispensed in Canada annually?

At a recent in-service with the Edmonton and District Clinic Managers Association, guest speaker Joelle Withers, Manager, Prescriber Relations & Deployment, Canada Health Infoway revealed the following statistics about prescriptions in Canada:

  • Nine percent are narcotics or another controlled drug
  • Over forty percent of prescriptions are handwritten
  • Thirty five percent of prescriptions are computer generated and taken to the pharmacy in person
  • Over four million Canadians have admitted to losing or damaging a prescription, including:
    • 415,000 prescriptions have taken a spin in the wash cycle
    • 140,000 prescriptions decided to go puddle jumping in the rain
    • 88,000 of those prescriptions were eaten by dogs (tell this to every teacher who has heard the “my dog ate my homework” excuse)

As a result of lost or damaged prescriptions, over seven hundred thousand Canadians have gone without their medications rather than calling to have a new one issued.

Finally, as many as seventy eight percent of Canadians prefer to go directly to the pharmacy right after receiving their prescription to pick up their medication.

Workflow Efficiencies

Using PrescribeIT® in your practice allows you to send your patients’ prescriptions electronically, directly to the pharmacy of their choice.

This will create efficiencies and save you time:

  • No more lost prescriptions, no more time wasted needing to redo paperwork.
  • No more telephone or fax tag with pharmacies – Instead, PrescribeIT® offers secure physician-to-pharmacy messaging.
  • Integration into the patient record in your EMR – you can see that the prescription has been dispensed.
  • Patients select the pharmacy of their choice – and arrive to pick up the prescription with no drop-off and pick-up delay.
  • Patients who prefer a paper copy of their prescription still have this option.
  • PrescribeIT® is approved for use with the Triplicate Prescription Program.

Which Pharmacies Accept PrescribeIT?

Many pharmacies have been approved to participate in PrescribeIT including Rexall, Guardian, IDA, Shoppers, and Safeway.

I’m Ready To Try PrescribeIT In My Practice – What’s Next?

Are you ready to bring PrescribeIT® into your practice?

Let’s take a look at how to get started.

I’m Opening A New Clinic

If you’re opening a new clinic and want to use PrescribeIT®, follow these steps:

  • Prepare your Privacy Impact Assessment which describes your organization management system and your selected electronic medical records (EMR) solution.
  • PrescribeIT integration is currently available with the following EMR solutions: Telus Medaccess, Microquest Healthquest, QHR Accuro (soon).
  • Submit your application of interest to PrescribeIT now to be ready to implement when your Privacy Impact Assessment is accepted by the Office of the Information and Privacy Commissioner (OIPC).
  • Once your application is approved, Canada Health Infoway will send to you a Privacy Impact Assessment for PrescribeIT that you will review, edit if necessary, and submit to the OIPC.

I Have An Existing Clinic

You can apply to Canada Health Infoway to start using PrescribeIT® in your current clinic, if

  • You are using one of the accepted EMR vendors, and
  • You have an accepted Privacy Impact Assessment for your EMR implementation.

After your application submission, Canada Health Infoway will send to you a Privacy Impact Assessment for PrescribeIT that you will review, edit if necessary, and submit to the OIPC.

Get Started with PrescribeIT® Today

Are you ready to do away with paper prescriptions?

Tired of playing phone tag with the pharmacy, or having to redo paperwork due to patients losing paperwork?

To get started with PrescribeIT®, please fill out an application of interest form HERE

Do You Need A Privacy Impact Assessment?

If you’re looking for assistance with your Privacy Impact Assessment, we’re here to help you.

Contact Information Managers today!

 

PrescribeIT® is registered by Canada Health Infoway. Used with permission.

digital health, healthcare practice management

Data Privacy Day 2022 Events and Resources For You!

Posted on January 25, 2022 by Jean Eaton in Blog

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

That means a lot to me and I think it means a lot to you, too. I think it is important that we give our patients and clients the gift of privacy. And that we have the right tools and resources for our employees to make good privacy and security decisions in our businesses.

Information Managers Ltd. is a Data Privacy Champion!


As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data, and enabling trust.

Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.

Jean L. Eaton

Your Practical Privacy Coach, Information Managers Ltd.

You can be a Data Privacy Day Champion, too! Follow this link and complete the Organization Champion Form with the National Cyber Security Alliance.

Data Privacy Day Activities

5 Steps To Prevent Employee Snooping

SAY NO TO SNOOPING!

If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 may be applied to the individual, in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable (HIA s.107).

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable. 

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

 


Download the Practice Management Success Tip 5 Steps to Prevent Employee Snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.
Download 5 Steps to Prevent Employee Snooping HERE!

I Heart Privacy!

Just in time for Data Privacy Day! Print badges for your team.


Right-click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

You can even customize the labels and add your business name!

Get the label sheets using the buttons below.


Protect Your Organization and Your Patients With a Privacy Awareness Quiz

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support key policies and procedures, and risk management programs need a privacy awareness training program.

Reasonable Safeguards

As an employer and healthcare provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don't provide the training, or if the employees don't understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties, including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security too, and they value avoiding the adverse results that follow from a lack of compliance or from patient safety issues.

Data Privacy Day Privacy Awareness Quiz

Patients trust their healthcare providers with their sensitive, personal, and financial information.

If patients don't feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information, which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients' questions and build their trust in the quality of services that we provide.

Download the Privacy Awareness Quiz to use today to train your employees and protect your patients' health information.

Download the Privacy Awareness Quiz!

Privacy Protection In The Pink Seat with Dr. Angela Mulrooney & Jean Eaton

While privacy is not technology driven, the lack of privacy, perhaps, is impacted by technology.

Many dental practices are overwhelmed with creating and implementing privacy and security policies and procedures and how to prepare a privacy impact assessment.

Angela and I discussed practical privacy tips for your dental practice to help reduce the overwhelm.

These tips apply to all types of healthcare practices.

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy's “Talk Shop” YouTube channel.

Talk Shop: learn from industry experts to be a better communicator in work and in life, hosted by @lsergy. Privacy tips for business owners, just in time for Data Privacy Day!

For more Data Privacy Day resources and events from the National Cyber Security Alliance, click the button below!

Visit the National Cyber Security Alliance - Data Privacy Day website

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/data-privacy-day.

You can also follow the campaign on Twitter at @StaySafeOnline or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtags #PrivacyAware and #DataPrivacyDay to join the conversation.

Please use the social share buttons to share these Data Privacy Day activities with your friends and colleagues.

Follow Us On Social Media!

I share privacy tips and free links to additional resources on my social media accounts that you can download and use right away!

#DataPrivacyDay, #PrivacyAware, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton, healthcare

Virtual Healthcare Privacy Lessons

Posted on January 14, 2022 by Jean Eaton in Blog

Virtual Healthcare Privacy Lessons

You've probably heard about the Office of the Information and Privacy Commissioner (OIPC) investigation report into Babylon Health. The investigation report provides privacy guidance for vendors of virtual health solutions and for the healthcare providers who use those digital health solutions. It is a great demonstration of why it is so important to ensure that you have current information management agreements with your vendors. Jean Eaton shares tips to help you keep your vendor agreements current and explains why this is important to the protection of patient information and the reputation of your business.

The OIPC issued its findings and recommendations after investigating the Babylon by Telus Health app under the HIA. There were eight findings and 11 recommendations made in this investigation.

The recommendations from the Babylon Health Investigation Report can be used to guide healthcare providers, clinic managers, privacy officers, and vendors to develop and implement virtual healthcare solutions in your practice.

In the Practice Management Nuggets Podcasts, Jean Eaton reviews the investigation report and offers practical suggestions that you can use regarding

• key criteria when reviewing (or preparing) your privacy impact assessment (PIA)
• policies, procedures
• information management agreements (IMA)
• privacy and security awareness training
• data storage outside of Alberta

Read the investigation report here: H2021-IR-01, July 29, 2021, Babylon Health Canada Limited et al.

Listen To The Podcast

Lessons From The Babylon Telus Health OIPC Investigation Report | Episode #103

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast

If you need virtual care policies, procedures, sample consent notices, risk assessment, and do-it-yourself PIA templates, I can help you with that!

Virtual Care and Remote Working Privacy Impact Assessment on-line course.

PIA Templates for Remote Working and Virtual Care

#PracticeManagementNugget, podcast

Use These Reports To Improve Privacy Compliance

Posted on December 29, 2021 by Jean Eaton in Blog

Use These Reports To Improve Your Privacy Compliance

Investigation reports of privacy breach incidents help to inform and update policies, procedures, and risk assessments, and they can be used by privacy officers, clinic managers, and healthcare custodians to improve privacy compliance in their healthcare practices.

Recent publications by the Alberta Office of the Information and Privacy Commissioner (OIPC) and the College of Physicians and Surgeons of Alberta (CPSA) are great resources.

We can use these real-world examples to improve our current practices to protect the privacy, confidentiality, and security of personal health information and to protect personal health information from unauthorized access, use, disclosure, and loss.

Alberta OIPC Annual Report

In the Alberta OIPC Annual Report 2020-21, Jill Clayton, the Privacy Commissioner, noted that ‘this past year was a year like no other for access to information and protection of privacy in Alberta as the COVID-19 pandemic raised new challenges for regulated stakeholders and my office.’

Work from home mandates impacted how organizations responded to access to information requests and the security of personal information as employees shifted to remote work. The OIPC received over 150 privacy impact assessments (PIA) and notifications about the implementation of new virtual care (or telemedicine) projects.

Overall, the OIPC reports a 31% increase in the number of PIAs it received compared with previous years. The healthcare sector may not have applied the usual rigour to assessing new virtual care solutions that it has previously applied to, for example, EMR implementations. The urgency of the pandemic may have triggered this weakness, but it's something that we should now be able to do better.

There were 930 breaches reported by health information custodians to the OIPC in 2020-21, representing a slight decrease from 2019-20 (938). There were four convictions under the Health Information Act (HIA) for unauthorized access to health information in 2020-21.

Download the Annual Report from the OIPC here

CPSA Virtual Care Standards of Care

The College of Physicians and Surgeons of Alberta (CPSA) released its updated Virtual Care Standards of Practice on December 20, 2021. These were previously released as the telemedicine standards.

Download the CPSA Virtual Care Standards of Care here.

I want to highlight a few things that have changed and a few things that we should already know about. The standard provides clarity about which physicians can provide virtual care services for Albertans: a physician who is licensed to practise and provide care in Alberta, with some exceptions. Other healthcare providers outside of Alberta should not be providing virtual care to residents of Alberta.

The standards also provide guidance on the procedures that a regulated member providing virtual care must follow, including Standard #8:

  • provide the patient with their name, location and licensure status during the initial virtual care encounter;
  • take reasonable steps to confirm the identity and location of the patient during each virtual care encounter;
  • confirm the patient’s physical setting is appropriate given the context of the encounter and ensure consent to proceed, in accordance with the Informed Consent standard of practice;
  • offer the patient the opportunity for in-person care; and
  • ensure there is a plan in place to manage adverse events or emergencies and make patients aware of appropriate steps to take in these instances.

The standards also remind physicians that, prior to implementing new virtual care technologies or practices, you must prepare a PIA. This applies even if you are ‘just’ using the telephone to provide virtual care.

PIA Remote Working and Virtual Care Templates

Last year, Information Managers created a virtual care privacy impact assessment package which includes template policies, procedures, implementation tips, and privacy training. This follows the requirements from the standards from the CPSA and the HIA.

The PIA Remote Working and Virtual Care Templates provide you virtual care procedures, workflow, tips, and Privacy Impact Assessment templates that you can quickly and easily download and customize for your healthcare practice. The training provided will help you to assess privacy and security options to assist you to select the best technology solution for your needs. Then, use the Privacy Impact Assessment templates to document your decisions and submit to the OIPC.

Yes! I Want Virtual Care Templates

privacy compliance

How Long Does It Take to Do a PIA?

Posted on December 3, 2021 by Jean Eaton in Blog

Click here for more tips about PIA's!

I’m opening my practice next month.

I just learned that I need to complete a Privacy Impact Assessment.

What do I do now?

Unfortunately, I hear this question far too often!

Here’s What You Need to Know About the Timelines Required to Complete a Privacy Impact Assessment

In the perfect world, you will start your PIA process about 6 months before you plan to open your practice.

You will start with developing the privacy and security policies and procedures.

Next, you will discuss with the EMR vendors, computer IT support vendors, and other stakeholders about your operational needs and ensure that the vendors can meet PIA requirements.

At this point, about 4 months before Go Live, you will start writing your Privacy Impact Assessment documents.

You will review and accept the Privacy Impact Assessment internally to your organization and ensure that each of the custodians have reviewed, understood, and accepted the Privacy Impact Assessment.

Then, you will submit the Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) about 3 months before your go-live date.

Start With Privacy and Security Policies and Procedures

If you are planning to open your healthcare practice soon, or planning to implement a new project in your existing clinic, your first step is to review (or create) your privacy and security policies and procedures.

Templates make it easier to complete your policies and procedures. Make this fast and easy with our templates!

Guidance for Electronic Health Record Systems

To help you with your discussion of PIA requirements with your vendors, the OIPC has produced a document, “Guidance for Electronic Health Record Systems“.

This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Published in June 2016: Guidance for Electronic Health Record Systems.

This is intended to assist you to have a discussion with your vendors. The guidelines are not part of the PIA submission. The Guideline will help you to ask good questions with your vendors so that you can get good answers. You will include the answers to the questions in your PIA submission.

If you are currently looking for a vendor for your EMR, practice management system, computer network system or, perhaps, your billing system, these are the questions that you need to discuss with your vendor. Their answers will help to inform you and assist you in selecting good vendors for your practice.

If You Are a Vendor That Supports Healthcare Practices

If you are a vendor that supports healthcare practices, I encourage you to download the document, Guidance for Electronic Health Record Systems, and complete it from the perspective of your product or service even if your product isn't an EHR. Then, you can share the completed document with your prospective clients and custodians as a demonstration of your privacy and security practices and support your clients with their PIA submission.

Don't Wait!

If you haven’t done your PIA yet, you definitely need to get this completed. You need to have your policies and procedures completed and your PIA submitted to the OIPC for their review and acceptance before you open your new practice.

Want more content like this?

For more information about Privacy Impact Assessments, see

Click Here to Get More About PIA's

health care, healthcare, medical, plan a PIA, Privacy Impact Assessment, timeline

Do You Know Where Your Policies And Procedures Are?

Posted on November 15, 2021 by Jean Eaton in Blog

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keeps your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It began at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigation report is not the current custodian at the clinic. The physician was hired in 2015 and was therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8(6) of the Regulation states that the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Show Me Policy and Procedure Checklist

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information, in contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation, which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note that any collection, use, or disclosure of health information by an affiliate of a custodian is considered to be collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know about how breaches can affect you, the more proactive you can be in preventing privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership.

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and that they are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about breaches and how they can affect you, the more proactive you can be in preventing privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

How To Make A Profit In Your Healthcare Business

Posted on September 13, 2021 by Jean Eaton in Blog

How To Make A Profit In Your Healthcare Business

Healthcare providers learn their skills at medical school, but don’t learn how to make their business profitable. One of the best ways you can serve your customers better is by having a more profitable business.

However, healthcare practitioners face unique pitfalls and business challenges. Many health professions naturally lend themselves to self-employment, but practitioners often don’t receive training on entrepreneurship, on how to start a healthcare business, and especially on the financial side of running a profitable business. This can very quickly lead to feelings of stress and overwhelm, which can cause otherwise skilled healthcare providers to leave their profession.

Many healthcare providers find that their job is physically demanding and, if their health requires them to work less for a period of time, they worry that they don’t have the financial resiliency to fund a reduced work schedule.

Independent healthcare practices often have small numbers of clinic staff who are expected to fulfill many roles. Clinic managers are often tasked with bookkeeping even when they haven’t received training to help them with that.

Consequently, many healthcare providers and business owners don’t have simple systems to manage the finances of their business and are making business decisions based on wishes.

My Takeaways

Tammy Hyska’s personal experiences as the financial manager of her husband’s chiropractic business and as an accountant to healthcare businesses in Alberta help her to break things down so that non-accounting people can understand without feeling overwhelmed.

On the most recent episode of Practice Management Nuggets podcast, I interviewed Tammy Hyska. Tammy shares practical tips for all practice owners, healthcare providers, and clinic managers who have an active role in managing the billing and the finances in the healthcare practice.

Tammy understands the common problems that healthcare providers experience when they manage their own business. She knows that people don’t train to be healthcare providers to have an excuse to do bookkeeping.

Instead, Tammy provides 5 practical tips to have a healthy business without becoming an accountant.

  1. Have a separate business bank account and a separate personal bank account
  2. Have a spending plan
  3. Read Profit First by Mike Michalowicz
  4. Use accounting software
  5. Avoid debt

Tammy Hyska's #1 Tip to Healthcare Practices

It's not what you MAKE but what you KEEP that matters!

Listen To The Podcast

5 Critical Things Healthcare Practitioners Need To Have A Profitable Business | Episode #102. Expert tips with Tammy Hyska on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast

Featured Guest: Tammy Hyska

Tammy Hyska Can Help You Enjoy A Profit In Your Healthcare Business From Day #1!

Tammy Hyska will help you avoid money stress with these tips to set up the financial side of your business the right way with a simple strategy that will teach you just enough to have financial success without the overwhelm.

Get started right away with the free 5 Critical Things Healthcare Practitioners Need To Have A Profitable Business.

Download this free guide from Tammy here:

5 Critical Things Healthcare Practitioners Need To Have A Profitable Business

Financial Confidence Formula

Then, check out the Financial Confidence Formula For Healthcare Practitioners training from Tammy Hyska. This is a complete system for operating a profitable business.

This course is ideal for new business owners and existing business owners and clinic managers who haven’t yet implemented the blueprint to a highly profitable business.

When you receive support to simplify and streamline the accounting side of things in your practice, you will reduce money stress.

Tammy will cover everything you need to get it right and avoid all the unnecessary pitfalls to make a profit in business.

Tammy Hyska

Tammy Hyska, CPA, CA, has been a Chartered Accountant for over 20 years. As the Financial Freedom Coach in her independent consultancy, Tammy helps entrepreneurs have more profitable businesses. Tammy has in-depth understanding of health care businesses as her husband is a health care provider and Tammy helps her husband run the financial side of his practice. Tammy is passionate about helping small business owners have a more profitable business.

#PracticeManagementNugget, dental, dental business, healthcare, healthcare business, podcast
Copyright 2022 Information Managers Ltd.