Data Privacy Day 2019 Events for You!

Posted on January 11, 2019 by Jean Eaton in Blog No Comments

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

Information Managers Ltd is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data and enabling trust.

“Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.”

Jean L. Eaton, Your Practical Privacy Coach of Information Managers Ltd.

Data Privacy Day Activities

Understanding Mandatory Privacy Breach Notification

To celebrate Data Privacy Day, Information Managers is hosting a free 30-minute webinar on Monday January 28, 2019.

Mandatory Privacy Breach Reporting is here!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, pharmacists, optometrists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach notification will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach notification
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do now

Registration opens soon!

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy’s “Talk Shop” YouTube channel.

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by @lsergy. Privacy tips for business owners just in time for Data Privacy Day!

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by Lauren Sergy!

I Heart Privacy!

Just in time for Data Privacy Day!

Print badges for your team.

Right-Click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

I Heart Privacy DPD Badges I Heart Privacy Badges

You can even customize the labels and add your business name!

“Data Privacy Day Forum in Edmonton”

Alberta’s Office of the Information and Privacy Commissioner (OIPC) OIPC is hosting a free event on Friday January 25 including Mandatory Breach Reporting under the Health Information Act: The First Four Months . Register at https://www.oipc.ab.ca/.

Follow Us On Social Media!

Each day from Jan 22 – 28, we will have for daily privacy tips, and free links to additional resources on our social media accounts that you can download right away! Follow us!

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/dpd . You can also follow the campaign on Twitter at @DataPrivacyDay or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtag #PrivacyAware to join the conversation.

Please use the social share buttons below to share these Data Privacy Day activities with your friends and colleagues.

5 Reasons to Hire a Summer Student In Your Healthcare Practice

Posted on January 8, 2019 by Jean Eaton in Blog No Comments

Summer is often a time to ‘catch up’ on outstanding projects. It can also be a time to prepare for programs for the fall.

Summer students can help you with jobs like archiving patient records, taking inventory, or creating new patient information brochures or provide content for your website.

They can prepare for your fall flu clinic season and make sure that you have a project plan ready to implement.

STEP (Summer Temporary Employment Program) provides funding to eligible Alberta employers to hire high school and/or post-secondary students into summer jobs.

You can provide students with the opportunity to build meaningful work experience, increase their skills, and workplace insight.

Use the STEP Summer Student employment program to find an enthusiastic employee at a fraction of the cost.Click To Tweet

Why You Should Consider Hiring a Summer Student

It is a cost-effective solution for short-term hiring needs; employers get quality skills at affordable prices.

It is an excellent way to evaluate potential employees.

Students bring fresh, innovative ideas to your business.

It is an investment that you make in attracting dedicated employees.

There is an Alberta funding program available for employers of students. (Other provinces have similar programs.)

STEP Students:

Represent a large pool of available workers

Enthusiastic and tech savvy

Accustomed to multi-tasking

At home with cultural diversity

What’s In It For Me? (WIFM)

Often, we learn more about what we do when we teach someone else. When you hire a STEP student, you mentor an enthusiastic student. You provide knowledge, experience and connections to further the career direction of a STEP student.

You can provide a positive difference in a young person’s career by setting an example of professionalism. You encourage the student to strive for and provide a focus on future career direction and advancement.

STEP Offers

4-16 week wage subsidy program.
Standardized wage subsidy of $7.00/hr maximum 37.5 hrs/week provided to approved applicants.
- Employers are encouraged to pay an appropriate wage and must pay at least the minimum wage ($15.00 / hr)
Guidelines, webinars and other links to help you in this process.

Students must be at least 15 years of age. This could include a high school student or post-secondary (returning to high school or post-secondary no later than November 1).

Don't Miss These Dates

Deadline for employers to apply for STEP student is February 9, 2019.

Students hired in April 2019

Summer positions start May 1, 2019

You can recruit a student interested in healthcare career or with secretarial / administrative skills, marketing, social media, or business skills that supports your business.

Contact STEP today for application forms and more information.

STEP will make it easy for you to find a summer student to help you!

STEP, summer student

Do You Have a Password on Your Point of Sale Device? You Should!

Posted on November 30, 2018 by Jean Eaton in Blog

Avoid scams with your credit / debit machine now. Check out this article from CBC news

You can activate a security feature with your credit / debit machine that allows you to create a password before someone can access the administrative controls on your device. In this case, the scammer used a pre-programmed ‘credit card' and inserted it into the point of sale (POS) device. The card is actually a fake “administrative card,” which gives them complete access to the terminal, and allows them to manually enter in an alternative, usually stolen, credit card number.

The scammer walks away without using any of their money for the purchase. And the clinic owner is stuck with the bill.

When the purchase is discovered as fraudulent, the vendor has to pay back to the credit card company whatever the amount that the scammer entered into your POS device.

You will also likely receive a “chargeback” fee from the credit card processor.

Do you know who manages the POS password in your clinic? Who is the back-up person?

Do you maintain the passwords in a secure, corporate, password manager service?

Have you added this to your Health Information Privacy and Security Manual? You should!

clinic, Fraud, healthcare, password, point of sale device

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

Privacy Like No One Is Watching

Posted on October 30, 2018 by Jean Eaton in Blog

Sometimes it feels like everyone's eyes are on you. CTV cameras, hackers, on-line scrapers, cookies, are watching and tracking us and regulators are telling us what we need to do to meet compliance requirements.

Even facial recognition software at shopping malls are watching you – and sending you targeted specials to your phone as you walk by the stores in the mall!

We can’t expect that everyone who has collected our information, like the shopping malls, will protect your personal information.

We should each be aware of and concerned about how our personal information is collected, used, and disclosed with – and without – our knowledge and consent.

I think that we should practice privacy like no one is watching.

We each need to build privacy into everything that we do in our personal life and our business because it makes sense to us to do that—not because someone says that you should.

The internet can instantly connect us to webpages that answer our questions and promise stuff to fulfill our dreams.

But now, the internet is also connecting to physical things. These things provide a service or convenience that we want. For example, an app on your smart phone will start to warm up your car on a winter day so that you don't have to scrape the windows. But, if someone hacks your internet enabled phone and remotely controls your car while you are driving, well, that's an example of how internet connected things can now physically harm you.

Listen to more examples with Bruce Schneier's interview on CBC podcast, SPARK, talking about his book ‘Click Here to Kill Everybody'.

So, lets take control of our privacy by making sure that we have some solid privacy practices that we can follow every day. And prevent internet connected things from harming us and hackers, and other folks to collect our information without our consent.

Protect you identity. It isn't about keeping secrets. It is about protecting what makes you, you.

Practical Privacy Tips Infographic

I created this Practical Privacy Tips infographic to share with the librarians and tech folks attending The Alberta Library Netspeed conference this month. I shared my practical obsession with privacy and confidentiality during my keynote ‘Privacy Like No One Is Watching'.

By clicking on the image below, you will download your infographic that you can print.

Post it in your place of work to remind you to take control by using practical privacy tips.

Yes, you can share!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

infographic, practical privacy tips, privacy

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on September 25, 2018 by Jean Eaton in Blog

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer or court officer giving you a court order to produce patient records!

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experience as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices and not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer to meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

Who is named in the court order often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
Record the date and time that you received the order.
Clarify when the response is required.
The name and the contact person of the officer that delivered the court order (if possible) or, at minimum, the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office is included on the court order.
The province or jurisdiction of the court. Generally, it should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients routinely require to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

Phone the contact number on the court order.
Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for and did not find any results.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be chronological date order, or group like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

Your name.
Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
Be prepared to explain how you know that the records are complete, not missing any details, etc.
If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

Did you give a copy of the patient records to the court? To whom?
Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
Any follow-up required for this disclosure?
Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

Review your policies and procedures now to ensure that it includes how to respond to a court order.
Train your reception staff on what to do if they receive a court order.
Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download the FREE eBook - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure

New Mandatory Privacy Breach Notification Form

Posted on September 13, 2018 by Jean Eaton in Blog

AS of August 31, 2018, the new Alberta regulations regarding mandatory privacy breach notification requirements are in force.

The Alberta Minister of Health (MOH) and the Office of the Information and Privacy Commissioner (OIPC) have published the mandatory notification forms for you to submit your privacy breach notifications.

You can download the forms here:

Notification to Alberta’s Minister of Health: http://www.health.alberta.ca/about/Health-Information-Act.html

Notification to the OIPC: https://www.oipc.ab.ca/forms.aspx

You Will Be FINED $50,000 if You Don't Do This!

If you don’t have an active privacy breach management program and are not compliant with mandatory privacy breach notification, you may be fined up to $50,000.

I recommend that you also use an internal privacy breach reporting form to document your investigation and reporting. The form will help you to navigate the privacy breach management process and record information for your internal use. You can then copy and paste the necessary information to the mandatory notification forms.

If you are a member of Practice Management Success, login and access the Procedure Privacy Breach Management Template including the Privacy Breach Report Form.

Not a member of Practice Management Success, yet?

What are you waiting for?

Get Your Practice Management Success membership

If you are a member of the 4 Step Response Plan, login and access my video and review of how to use the MOH and the OIPC forms.

What You Should Do Now

Update your current privacy breach reporting policies and procedures with the new requirements for mandatory privacy breach notification.
Include copies of these new forms in your procedures so that you can easily access them when needed.
Ensure that your custodians are aware of the new mandatory privacy beach notification regulations. You can share the e-book, Understanding Privacy Breach Notification, to assist you.

Additional Resources

Alberta Health has also added a new chapter, Duty to Notify, to their HIA Guidelines Manual. You can download this chapter here. This provides additional examples of privacy breaches and appropriate responses including comments from OIPC investigations.

When we know better, we can do better…

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta, Canada, health care, healthcare, mandatory breach notification, mandatory privacy breach notification, medical, Practice Management Success

Can You Use Text Messaging With Patients?

Posted on September 6, 2018 by Jean Eaton in Blog

Have you ever said…

“If only I had someone to ask!”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about:

Can you use text messaging with patients?

The short answer is, ‘Yes’.

The longer answer is ‘Yes, but . . . make sure that you are really clear about why you want to use text messaging, carefully plan the implementation and monitor its use.’

What is the Purpose for Texting?

Clinics are feeling pressured to provide texting as a communication option to their patients.

It is important to be clear about why you want to use texting.

Texting from the Patient to the Clinic

What is the primary purpose for patients to text the clinic? It may be because they are in a remote community and texting is the only way to keep in touch with their healthcare provider. You might choose to accept text messages for appointment requests or continuing care and treatment.

Texting is generally not a secure communication method. It is difficult to confirm the identity of both the sender and receiver which can result in both communication and medical error.

It is difficult to communicate clearly using text short form and emoji!

What Are the Risks?

As the custodian, you need to weigh the risks of using texting vs not using texting. For example, if your work includes assisting people who are in crisis or are otherwise at risk, you may decide that the risk to the patient who has access to their healthcare provider using unsecured text messaging is less of a risk than the patient who experiences a critical incident and does not have other access to their healthcare provider.

You must decide what are the acceptable risks and appropriate use of text messaging.

I find that creating scenarios is a good way to do help you set up your boundaries. In what situations is using text messaging OK? In what scenarios is it not appropriate to use text messaging? Are there alternative technologies that can better, and more securely, meet these needs?

Record your reasons about what you will – and what you won’t – accept in your text messaging solution as part of your project documentation and implementation training.

text messaging risks

Workflow When You Receive Text Messages from the Patient

Consider how you will document the communication from your patient into the patient’s health record.

Is the device to receive the text message registered with the clinic?
Who will receive the text message from the patient?
How will you transpose that meaningful communication with the patient to the patients’ health record?

Be guided by the discussions in your team and with your patients to develop your policies and risk mitigation plans.

Texting From the Clinic to the Patient

Is your goal of a text solution to automate a workflow like routine appointment reminders? Or, perhaps, some episodic messaging like offering follow up appointments to discuss test results?

Authorization

Remember that the custodian (physician, pharmacist, dentist, dental hygienist, chiropractor, and more) assumes the risk of using unsecure technology. You can’t transfer the risk to the patient. However, you can mitigate the risk of error and unauthorized use of the health information by creating rules for use and ensuring that the patient understands:

how the technology is used,
your offer to use the technology in your healthcare practice,
the risks to the patient’s privacy and security of their personal information,
the patients’ role to prevent misuse of their personal health information, and
an agreement to follow the rules about the technology solution.

If you are a member of Practice Management Success, click here to access the sample authorization agreement.

Mitigation strategies

Alternate Technology Solutions

There are some third party vendors that can help you with routine text messaging with your patients. Wherever possible, use two factor authentication. For example, you might have a system where the patient must enter a PIN number before they can read the entire message from the clinic.

There are trusted technology solutions that you can use for text messaging. Many EMR providers now allow the clinic to text message your patients right from the EMR or patients can access the EMR using a patient portal. This is, by far, the most efficient workflow. It is usually the most secure technology and integrates the communication into the patients’ health record without copying and pasting, uploading, or re-typing into the patient record.

Microquest’s Healthquest EMR, for example, offers integrated appointment reminders via email, text, or voice messaging. Clinics can also allow patients to book their own appointments online with an online calendar integrated to the clinic’s Healthquest EMR.

Alternate third party texting solutions from trusted vendors that we have interviewed on our podcast, Practice Management Nuggets for Your Healthcare Practice, include Bleen and ezReferral.

Bleen is a third party patient appointment management application that allows patients to register with your clinic to receive appointment reminders by text message or phone call. The system also provides a self-help solution to patients to schedule their own appointment with their healthcare providers.

Clients with Bleen have seen dramatic changes in their patient management resources – reducing 40% to 60% of phone calls and 75% of no shows.

Click here to listen to the Practice Management Nuggets interview with Chris Narine and Robert Cove of Bleen.

ezReferral provides a third party referral management application that improves communication between the patient and the referring and consulting providers. The system saves an average of 60 minutes of staff time for each referral and improves the patients’ access to health care in a timely, efficient manner. It also includes a built-in secure fax solution.

This solution is ideal for healthcare practices with referrals within the medical community and even better when you are working with multidisciplinary referral teams. ezReferral works well for both paper based and electronic medical record based practices.

Click here to listen to the Practice Management Nuggets interview with Dr. Denis Vincent of ezReferral.

Privacy Impact Assessment

Before you implement a text solution to your practice you need to update your privacy impact assessment (PIA) or prepare a new, project based PIA. This doesn't have to be a big undertaking but it is really important that you take the time to design and document your application and implementation.

Privacy Impact Assessment

If you need some help with your PIA, I encourage you to take a look at our on-line e-course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Efficient work flow, clear procedures, and rules of use authorization with your patients improves the likelihood that text messages will be used the way that you intended. However, these practices does not make the technology breach-proof. Carefully consider the merits of text messaging and how you can mitigate the risks before implementing text messaging in your healthcare practice.

Tell me more about PIA's

Download the FREE Report - Can You Use Text Messaging with Patients?

If you are a member of Practice Management Success, login and access the webinar replay, and the patient authorization form template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

health care, healthcare, medical texting, Practice Management Success, Text messaging with patients, texting patients, texting with patients

Do Your Patients Know Your Office Holiday Hours?

Posted on August 27, 2018 by Jean Eaton in Blog

Holiday hours are great opportunities to easily create social media content for your healthcare practice–let your patients know about changes to your office holiday hours.

The Easy Way to Add Content to Your Social Media

One of the most frequent question that every office receives is – what are your office hours?

It makes sense to share this information in an automated way. This saves time in the telephone queue and makes everyone's day a little smoother. Add the information to your telephone answering system messages, website, posters in your clinic, and in your social media channels.

Common social media channels include Facebook, Twitter, and Instagram.

When the content appears in your social media channel, your patients will expect regular updates from you around each holiday and will return to your social media channel again and again over the year.

Let your patients know about changes to your office holiday hours!

Encourage your patients to visit your social media over and over again!
Easy for you to add content that your patients want to see.
No new technology for you to learn – copy and paste!

There is a simple way to create this content.

Follow these steps:

1. Select Your Images

You can use any related image and size it to print and display in your clinic or your social media channel.

2. Add Your Logo

You could use an image without adding your branding. But, for more impact, I recommend that you take just a few minutes and use a photo editing software to add your clinic name and logo to the image. You want the reader to know which clinic the image is about! This is also a good way to continue branding for your clinic.

There are many free and easy photo editing software systems. I like to use Canva.

Once your images are edited, download them to your computer network system.

3. Prepare Your Social Media Content

Working with your authorized social media manager, confirm your holiday hours and related messages.

Sample message that you will type into the new social media post.

Happy Easter from all of us at ABC Clinic!

Please note we will be closed Monday March xx to March xx.

We will be back to regular office hours on Tuesday.

For our latest hours of operation, please visit our website [insert website address].

4. Save Your Files

Keep a copy of your images and your social media messages for use next year.

You might store the images and your notes on a shared folder on your computer network. For example,

Social Media >> Holiday Announcements >> Month Holiday

5. Publish Your Holiday Announcements

Add your images and the messages to your website and social media channels.

Let Me Make This Easier For You!

I've found images that you can use for your office holiday hours messages.

Download the FREE Holiday Hour Templates

and receive 10 images that you can use all year long!

template

Get the Free Statutory Holidays Images Templates

Would you like more tips like this?

Members of Practice Management Success Membership enjoy access to Tips, tools, templates and training to help you start, grow, fix, or maintain your healthcare practice!

Membership is open to all healthcare practices of any size – physicians, optometrists, audiologists, dentists, chiropractors, physiotherapists, nurse practitioners, and more!

Member access to online resources when you need it along with networking and support from other clinic managers, practice managers, and healthcare providers in independent community practices – just like you!

Learn More About Practice Management Success

clinic management, facebook, healthcare, holiday hours template, medical, practice management, social media images

Mandatory Privacy Breach Reporting Comes to Alberta!

Posted on July 30, 2018 by Jean Eaton in Blog

I didn't think it was going to happen . . . but it did!

Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!

What is a Privacy Breach?

A privacy breach is a loss, unauthorized access to, unauthorized use, unauthorized disclosure, authorized access for unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make a fraudulent insurance claims, access to services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur internal to the business? Most of these breaches are an ‘oops’ or honest mistakes or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicate a broken work flow or automated process or carelessness or disregard to the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry directly related to what information has been breached and who now has access to the information. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense to manage the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare, is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. As a result of this, inaccurate information may be added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with some few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and how they can protect themselves from further harm.

Your internal privacy beach investigation takes time and may require additional support from external experts including a consulting privacy officer, lawyer, investigator, human resources, communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC), and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. A central oversight with the OIPC and the Minster will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

The importance of securing health information and to appear to appropriately respond to a privacy breach is part of the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as result of the loss or unauthorized disclosure (HIA s. 60.1(4).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

Has been or may be accessed by or disclosed to a person
Has been misused or will be misused
Could be used for the purpose of identity theft or to commit fraud
Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information

Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been

Encrypted or otherwise secured (applicable to electronic information), or
Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate:

The information was not accessed before it was recovered, or
The only person who access the information is a custodian, affiliate, information manager subject to section 60 of the Act or,
Accessed the information as part of their role as a custodian or affiliate and not for an improper use and
Did not improperly use or disclose the information,

the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice including their reasons for their decision to notify and their decision not to notify.

When you record each privacy breach, including ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:

broken work flow, or
broken automated process, or
carelessness or disregard to the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

Fail to report a breach
Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s60.1):

The Privacy Commissioner of Alberta (OIPC), and the
Minister of Health in Alberta and
The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

Name of the custodian
Description of the circumstances
Date or time period which the incident occurred
Date which the incident was discovered
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
- If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

Name of the custodian
Description of the circumstances
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

Description of the circumstances
Date or time period which the incident occurred
Name of the custodian
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

Privacy breach management policy
Privacy and security incident response plan
Training for your privacy officer, management team, and custodians
Human resources privacy breach discipline policy and
Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See: https://InformationManagers.ca/4-step

References

These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act

You need to know how mandatory privacy breach reporting will affect you!

Don't miss this!

Stay up to date on mandatory privacy breach reporting! Sign up here to receive tips, tools, templates, and training when they become available.

You will also receive occasional bits of FREE privacy wisdom tips, tools, templates, and training!

PRIVACY NUGGETS emails designed to provide to you tips, tools, templates and training that you can use right away!

Privacy Nuggets will be provided direct to your email in-box and includes:

privacy tips, tools, templates (usually including references to external resources) designed for you to share with your staff, patients, and family.
Privacy Breaches – What You Need to Know – you will receive an example of a recent privacy breach in the news that you can use to review and improve your practices. Learn from someone else's mistakes!
publication previews and announcements
workshop and webinar events

I am honoured that you choose to spend your time with me today.

Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!

I promise this list will be secure and you'll be able to unsubscribe at any time.

– Jean L. Eaton, Your Practical Privacy Coach

Alberta, Health Information Act, mandatory privacy breach reporting, privacy breach investigation, privacy breach notification, privacy nuggets

1 2 3 ›»