Informationmanagers.ca Logo
Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Struggling to Learn Your Role As A Privacy Officer?

In many small healthcare practices, the privacy officer is also the clinic manager, healthcare provider, IT technician, or business owner. It’s no surprise that new privacy officers feel overwhelmed trying to balance competing responsibilities.

Without a clear plan, you may find that you

  • Panic when a patient asks for their information for access or correction.
  • Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.
  • Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.
  • Ignore privacy breach and hope no one else notices.
  • Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.
  • Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.
  • Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems that prevent small issues from becoming privacy and security incidents.

The good news? Organizations with an active privacy officer and privacy management program are less likely to experience breaches and report better staff engagement and patient trust.

Privacy Is Good For Business

Strong privacy practices aren’t just about legal compliance. Policies, procedures, and systems improve communication, reduce risk, and support better decision-making.

A practical privacy management program creates accountability for the collection, use, and disclosure of health information, while demonstrating compliance to regulators and professional colleges.

Based on my experience, the five critical modules of a privacy management program are:

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document your Privacy Management Program
  5. Access and Disclosure

Module 1—Know your Obligations

Accountability starts with your healthcare provider(s)—also known as “custodians.” They are legally responsible for the privacy, confidentiality, and security of personal health information (PHI).

Custodians can delegate day-to-day tasks to a privacy officer, often the clinic or practice manager in smaller settings. Business owners also have obligations for employee and customer information. Together, the healthcare provider, business owner, and privacy officer form a trifecta of authority responsible for privacy compliance.

Knowing your obligations means:

  • Establishing clear roles and accountability
  • Identifying all types of personal and health information in your practice
  • Understanding how privacy legislation applies to your operations

Training for custodians and privacy officers is often required to build confidence and competence in these responsibilities.

Module 2 – Training

Privacy training is essential and must be consistent across your organization. Every staff member—new and experienced—should complete privacy awareness and cybersecurity training, and you should document attendance.

Effective training includes both formal and informal opportunities:

  • Formal: orientation programs, annual refreshers, and documented privacy awareness training
  • Informal: short reminders in staff meetings, activities tied to events like Data Privacy Day or Cybersecurity Awareness Month

Don’t overlook staff moving into new roles—promotions are an ideal time for targeted training about new responsibilities, such as authorizing users or supervising others.

Module 3 – Privacy Breach Management Plan

Every practice needs a written privacy breach management procedure. The privacy officer should ensure staff know how to recognize and report a breach, and custodians must be notified promptly.

Your plan should cover:

  • How to contain and investigate suspected breaches
  • Sanctions for non-compliance
  • Notification to patients and regulators when required

The privacy officer will manage mandatory privacy breach notification requirements under the health privacy legislation like the Alberta Health Information Act (HIA), Ontario Personal Health and Information Protection Act (PHIPA) and the Personal Information Protection of Electronic Documents Act (PIPEDA) and other province’s legislation.

Module 4 – Document: The Backbone of Privacy Compliance

Privacy training is essential and must be consistent across your organization. Every staff member—new and experienced—should complete privacy awareness and cybersecurity training, and you should document attendance.

Effective training includes both formal and informal opportunities:

  • Formal: orientation programs, annual refreshers, and documented privacy awareness training
  • Informal: short reminders in staff meetings, activities tied to events like Data Privacy Day or Cybersecurity Awareness Month

Don’t overlook staff moving into new roles—promotions are an ideal time for targeted training about new responsibilities, such as authorizing users or supervising others.

Module 5 – Access and Disclosure: Ensuring Patient Rights

Patients and employees have the right to access and correct their information. Release of information (ROI) policies and procedures are essential.

Your ROI plan should:

  • Define clear steps for handling requests
  • Train staff on how to respond appropriately
  • Align with legislation and college standards of practice

Doing this well helps you avoid complaints and breaches, improves efficiency, and strengthens patient trust.

Bringing It All Together

Being a privacy officer doesn’t have to feel overwhelming. With a structured privacy management program built on these five modules, you’ll have the systems to protect patients, support your staff, and strengthen your business.

If you’re a privacy officer in a healthcare practice and want practical strategies you can apply right away, join the upcoming Practical Privacy Officer Strategies training.

Training starts October 9, 2025

Register here https://informationmanagers.ca/ppo

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

Do You Want To Be A Confident Healthcare Privacy Officer?

Do You Want To Be A Confident Healthcare Privacy Officer?

Understanding the Role: What Is a Privacy Officer?

privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The Privacy Officer monitors employees and systems about how information is collected, used, and disclosed and access to identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients’ and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

Consequences of Operating Without a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Case Studies: Real-world Implications of Privacy Officer Absence

In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. OIPC auditors examined 22 clinics and found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy and a failure to ensure that privacy practices keep up with technological advances.

Here’s another example. A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to the all of the custodian’s administrative, technical, and physical safeguards with respect to health information. 

Say No to Snooping: The Need for Privacy Enforcement

Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act and court ordered fines, jail time, probation, community service and more.

say not so snooping animation of thief taking papers from folder

Roles and Responsibilities of a Healthcare Privacy Officer

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practices include the following:

  • Identify privacy compliance issues for the business.
  • Ensure privacy and security policies and procedures are developed and keep them up to date.
  • Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
  • Monitor your clinic’s ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
  • Provide advice and interpretation of related legislation for the business.
  • Respond to requests for access and corrections to personal information.
  • Ensure the security and protection of personal information in the custody or control of the business.
  • Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.
 

Introducing Practical Privacy Office Strategies Training

I want to help you become a confident healthcare privacy officer. And a guide (or a Jeannie ) to help you is a good thing.

Practical Privacy Officer Strategies will help you to assess your current PIA and privacy management program and plan your privacy compliance activities for the next year!

Practical Privacy Officer Strategies will help you to assess your current PIA and privacy management program and plan your privacy compliance activities for the next year!
5 Modules with Live 1-hour training and on-line mentoring will help you to build systems to monitor the routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.
 
How the training will be delivered:
  • Pre-recorded core training in each of the 5 modules. You watch the 1 hour video before the live coaching call.
  • Live 1 hour coaching call with practical case study, discussion, and accountability in each of the 5 modules.
  • Actionable plan with templates, tools, and resources to use what you learned.
  • Every module includes both WHY you need the information and HOW you should use the information.
 
Find Out More!
Privacy Principles Applies After Death

Privacy Principles Applies After Death

 

Privacy Principles Applies After Death

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient’s medical records as long as they don’t tell anyone else.

It’s not okay.

We continue to see examples of snooping where both seasoned and new healthcare providers and support staff don’t realize that looking at patient’s health information—even with good intentions—is a serious privacy violation.

As privacy lawyer Kate Dewhirst puts it

  • Privacy = Don’t look
  • Confidentiality = Don’t tell

Despite years of experience, many healthcare professionals still need a refresher on the basics. Privacy awareness training remains essential.

In this article, I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC). This case involves a privacy complaint submitted by the family of a deceased individual. It’s a good reminder that whether you’re running a brand-new clinic or managing an established practice, it’s critical to understand your legal responsibilities and have systems in place to protect patient information.

What Happened

In 2014, a physician accessed a deceased patient’s health records while acting in his role as a coroner. The patient was also a family member. Soon after, the family alleged that the physician continued to access the individual’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital’s response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

privacy principles after death privacy breach incident scenario diagram

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician admitted he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

He acknowledged he misunderstood the difference between:

• Privacy: The general right of every individual (living or deceased) to limit access to their health information.
• Confidentiality: The duty to not share that information once accessed.
• Circle of care / Need to know: You must only access information required to provide care at that moment.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

The family’s complaint prompted the hospital to begin the first step to spot and stop the breach.

Step 2 – Evaluate the Risks

An initial risk assessment was conducted, and after the IPC got involved, the hospital re-opened the investigation. They completed a comprehensive review and used audit log reporting tools to trace access.

Step 3 – Notify

The hospital eventually informed the family of the privacy breach—but the notification wasn’t timely. A more thorough and timely response could have helped address the family’s concerns more effectively.

Step 4 – Prevent the Breach From Happening Again

Following the breach, the hospital implemented several improvements:

  • Introduced a new auditing program that enhances its ability to detect unauthorized access.
  • Updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • Launched mandatory annual electronic privacy training program for all staff, volunteers and learners. Physicians must complete this training as part of the annual reappointment process.
  • Strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

privacy principles after death sanctions

The hospital’s Medical Advisory Committee also recommended disciplinary actions:

  • A three-month suspension of the physician’s hospital privileges
  • Three years of enhanced monitoring of his access to patient records
  • A requirement to present at Grand Rounds on privacy topics upon his return

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. Here’s how you can be proactive to prevent privacy breach pain.

  • Go beyond policies—model good practices
  • Use real-life examples in staff meetings
  • Incorporate gamification and ongoing discussions to engage your team

Privacy awareness is everyone’s responsibility. Make sure your staff know what’s expected, what’s at risk, and what to do if something goes wrong.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

Changes to Alberta’s Privacy Impact Assessment (PIA) Review Process

Changes to Alberta’s Privacy Impact Assessment (PIA) Review Process

 

PIA Review Process for Healthcare Practices In Effect Now

If you’re a clinic manager or privacy officer in Alberta, this is an important update for you. The Office of the Information and Privacy Commissioner (OIPC) has announced changes to the Privacy Impact Assessment (PIA) review process that will impact custodians under the Health Information Act (HIA), public bodies under the Freedom of Information and Protection of Privacy Act (FOIP Act), and private sector organizations under the Personal Information Protection Act (PIPA).

In Alberta, when a healthcare practice completes a PIA, it gets signed off internally by the custodian—whether that’s a physician, dentist, chiropractor, or another health professional. From there, the PIA is submitted to the OIPC for review. This review process has been a crucial step in ensuring that health information privacy is adequately protected. The OIPC issues a file number once the submission is received.

Starting October 1, 2024, the OIPC is streamlining its review process.

  • The OIPC will receive the PIA.
  • The PIA will be reviewed as it is submitted.
  • PIAs will no longer be ‘accepted’, ‘conditionally accepted’, or ‘not accepted’.
  • Instead, the PIA will be reviewed and a closing letter with comments and recommendations will be issued to the custodian.

One important detail: if the OIPC finds that your PIA is incomplete, they will close the file and notify you to consider re-submitting once the gaps are addressed.

It’s worth noting that the PIA requirements laid out in the OIPC Privacy Impact Assessment Requirements Guide (2010) are still valid. While changes are on the horizon, the OIPC has confirmed that the current guidelines remain applicable for the time being.

What This Means for You

If you’re a custodian under the HIA, you’re required to submit PIAs to the OIPC for review before implementing new administrative practices or information systems (HIA s.64). The key steps in the PIA process include:

1. Prepare health information privacy and security policies and procedures that comply with the HIA.
2. Conduct a privacy and security risk assessment and documenting any mitigation strategies
3. Complete the PIA using the OIPC’s format, which must be signed off by the healthcare custodian and the organization.
4. Submit the PIA to the OIPC for review. The custodian is encouraged to ensure the PIA is complete and thorough before submission.
5. Receive a closing letter from the OIPC with any comments or recommendations.

Also, PIAs submitted before October 1, 2024, but not yet reviewed by the OIPC, will still fall under the new process.

PIA Privacy Impact Assessment Pink Elephant Log

Need Help with Your PIA?

If you’re planning to introduce new technology, implement new systems, open a new clinic, or make amendments to your existing PIA—whether you’re moving from local servers to the cloud, relocating clinics, or adding new services—these changes could affect you.

Navigating the PIA process can feel like tackling the elephant in the room. But you don’t have to do it alone. If you need help with your PIA or guidance on amendments, visit InformationManagers.ca/PIA for support. We’re here to help you every step of the way.

Table-Top Privacy Breach Fire Drill

Table-Top Privacy Breach Fire Drill

What is a Table-Top Privacy Breach Fire Drill?

A table-top privacy breach fire drill is a cost-effective way to prepare for a privacy and security incident in your healthcare organization. You should have a written privacy breach incident response plan in your healthcare practice. Have you practiced your response plan lately?

A table-top privacy breach fire drill allows your incident response team to rehearse their skills in a controlled exercise.

Do you remember your school days when every month or two you had a fire drill? The fire alarm would go off and everybody would go out the doors and very calmly go down the stairs and out the doors and into their muster point.

We take the same approach with privacy breach fire drills. Fires can happen at different times, places, and for different reasons. Whey you change the scenario, you develop alternate strategies or playbooks to best respond to the fire.

A privacy breach incident playbook contains all the actionable steps to take when a privacy beach incident occurs. Your playbook will have many ‘plays’ or actions to take when different types of privacy breach incidents occur. You could also think of it as a recipe book. You have many types of recipes to select from. Identify the ingredients that you have on hand (or the characteristics of the latest privacy incident) and select the most appropriate recipe to resolve the incident.

The Importance of Practicing Your Privacy Breach Response Plan

Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night…because they know that properly preventing or managing a privacy breach is critical to the continued success of their business. Implementing a table-top privacy breach fire drill will help!

Picture this. You call a meeting of your incident response team. This may include your privacy officer, computer network support or managed services provider lead, physician, dentist, or other healthcare lead, your media spokesperson, and clinic manager. The privacy officer distributes a privacy breach incident scenario summarized on one page.

The team members read the scenario and then discuss what steps that they would take to respond to the privacy breach incident.

Using the 4 Step Response Plan as your playbook guideline, the incident response team note-keeper documents the hypothetical steps that the team takes to respond to the breach. Record the decisions, the resources, and the questions that you explore in this scenario.

When the table-top exercise is complete, you now have a detailed action steps that you can take when a similar privacy incident occurs in your healthcare practice.

How To Use The Table-Top Privacy Breach Fire Drill Technique

The goal of a privacy breach fire drill is to develop your playbook so you can spring into action when a similar privacy and security incident occurs in your healthcare practice.

Real-World Scenarios: Turning Headlines into Practice Drills

First, identify a scenario that could happen in your practice. Unfortunately, it’s easy to find an example about a privacy and security breach in the news. Grab a privacy breach example and pull out the bits and pieces of the information that might apply to your organization. When you select scenarios that could happen in your organization the exercise is more meaningful for you, and you will develop tools and templates that are going to help you in the event that a very similar privacy and security incident happens in your organization.

Let’s use the recent privacy breach incident that came from the province of Saskatchewan* when a cybersecurity attack that happened in their E-Health system. This attack may have started when an employee who had authorized access to the e-health system used a personal tablet to connect with a USB to the Saskatchewan health authority’s computer. This enabled a virus from that personal tablet to infect the computer system and ultimately the e-health system, allowing millions of files to be stolen. Strip the example down to its key points. Create additional details and assumptions where needed to give the team members enough information to discuss the scenario during the fire drill exercise.

Step 1 Contain The Breach Immediately

The first step in every incident is to spot and stop the breach. Make an assumption that the employee who connected the personal device to your computer is now seeing that message on the screen that says that there’s a virus in the system. One of your incident team members plays the role of the employee and completes Step 1 of the privacy breach incident response form and notifies their supervisor or the privacy officer.

Another team member assumes the role of the privacy officer and explains what their next action steps would be.

Record each action that you consider. Document each policy, resource, phone number and email address that you would use in a real event. This creates the action steps in your playbook.

Step 2 Evaluate the Risks Thoroughly

Discuss the risks that could affect the computer systems. What tools do you need to evaluate the harm of this incident? How might this affect patient care and the privacy of patient information?

Contact your vendors and ask them to contribute to the risk assessment in this scenario.

Who else might you want to call on for assistance to investigate this incident?

You might want to revisit the news item for additional information about the actions that were taken that you might also need to explore.

In your playbook, record good leading questions to help you to investigate the incident and evaluate the risks of harm.

Step 3 Notify the Right People and Authorities

Strategize who you would notify about the incident. Prepare written notification to the custodians, patients, regulators and even media statements. These become templates in your playbook that you can quickly implement in your real event.

Role-play your media spokesperson being interviewed on the evening news. It’s much better to practice now, before you are in a crisis.

Step 4 Prevent the Breach From Happening Again

This might be the most valuable step in the privacy breach fire drill. Complete the privacy breach incident worksheet and summarize this practice scenario. Consider how likely this scenario could happen in your practice. What type of training could be done now to prevent this from happening? What tools or training do your incident response team members need today to make it easier for them to monitor and prevent this scenario from happening?

The Benefits of Regular Privacy Breach Fire Drills

At the conclusion of this fire-drill, your team is ready, energized, and have the tools that they need to make sure that they can respond to that privacy and security breach as quickly as possible. This absolutely is a great investment in your time. These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.