Information Managers

5 Strategies for Writing Engaging Social Media Posts for your Practice with Guest Expert Kayla Das

Posted on February 27, 2023 by Izza Nuguit in Blog


Are you a new clinic owner and wondering if social media marketing is for you?

Maybe you have been dabbling in social media marketing but now you are feeling overwhelmed?

Or, maybe you have an established social media presence but you want to learn new ways to get social media engagement.

In this Episode #109 of the Practice Management Nuggets Podcast For Your Healthcare Practice, guest expert Kayla Das of Evaspare Inc. provides 5 strategies for writing engaging social media posts for your practice!

Why Is Using Social Media Important?

Kayla Das believes that the purpose of social media marketing is to inspire, to entertain and to give more than you try to sell.

People are on social media because they want to be taken away temporarily from their day so they are much more likely to click on things that inspire, entertain or provide them some type of guidance and support.

After they come to trust what you have to say, you’ll be the first person they think of when they need professional support.


Kayla's #1 Tip

“My #1 tip for clinic managers about social media marketing, when you are starting out, is to start small. Choose only one or two social media platforms. You do not need to be on every social media platform to get engagement. Start with a social media platform that you are familiar with and that you believe your ideal client uses.” – Kayla Das

Listen To The Podcast

5 Strategies for Writing Engaging Social Media Posts for your Practice | Episode #109

Listen to the Practice Management Nuggets for Your Healthcare Practice podcast. Get practical practice management and privacy tips to help you start, grow, and improve your healthcare practice. If you are a clinic manager, team lead, healthcare provider or practice owner, these practical tips will save you time and money.

I help you manage the pink elephant in the room. 

Listen here: Practice Management Nuggets Podcast


Featured Guest: Kayla Das, Evaspare Inc.

Kayla Das is a Social Worker and Business Coach for therapists and coaches. Kayla works with therapists to:

  • create a strong private practice foundation based on values;
  • develop marketing strategies that are authentic and generate profits; and
  • establish business systems and processes that are designed for practice sustainability.

Would you like more social media and business strategy tips from Kayla?

Pop over to the podcast show notes here to listen to the podcast!

Be sure to grab Kayla’s gift to help you create engaging social media images.

You may also be interested in:

Social media is about creating a strong digital presence and building relationships – with your clients, with employees and new recruits, and with other colleagues and allies in your field.

If you decide to use social media in your business, you need clear rules about who will authorize messages. You also need a strong social media policy to provide direction and education to your employees about what they can – and can’t – say on-line.

Social Media Practice Management Success Tip – Social media policies and procedures templates to help ensure a professional and privacy compliant presence online while also positively representing and supporting your business brand.


Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Posted on February 23, 2023 by Izza Nuguit in Blog


Many privacy officers in small healthcare practices have other roles—as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities every day.

But that's not the end of the problem. It actually gets worse!

You could continue to –

😮 Panic when a patient asks for their information for access or correction.

😔 Scramble when new employees and healthcare providers join your clinic... and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.

😯 Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.

🤐 Ignore a privacy breach and hope no one else notices.

😒 Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.

😞 Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.

😥 Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Carrying out the duties of a Privacy Officer correctly is vital to ensure your organization is safe from the consequences of a big privacy breach.

But did you know that organizations that have a privacy officer and a privacy management program report:

  • Fewer privacy and security incidents
  • Increased staff satisfaction
  • Increased patient satisfaction and outcomes

We Know That Privacy Is Good For Business

We know that having policies, procedures, and systems in place will improve privacy compliance in your organization and help you make good business decisions.

When we have consistent practices in place, it improves communication and prevents a multitude of problems.

I’d like to share with you what I believe are the 5 critical modules of a privacy management program.

The 5 Modules of a Strong Privacy Management Program for Your Clinic include:

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document
  5. Access and Disclosure

Every healthcare and private organization that is subject to privacy laws must comply with them, and organizations that collect, use, or disclose health information are expected to have the key components of a privacy accountability program in place. A comprehensive privacy management program provides an effective way for organizations to create a culture of privacy in their practice, practice accountability for the collection, use, disclosure, and access of personal information, and show compliance with regulations.

Module 1—Know your Obligations

Key accountability for your privacy management program starts with your healthcare provider(s). These are also known as “custodians”. They are ultimately responsible for the privacy, confidentiality and security of personal health information (PHI).

The key healthcare provider—physician, dentist, chiropractor, nurse—can assign or delegate a key person who is accountable to the custodian to implement and monitor a privacy management program. This is often known as a privacy officer. In many smaller healthcare practices, the clinic manager or practice manager is also the privacy officer.

The business owner (who might also be the healthcare provider) also has obligations under the privacy laws as they relate to the personal information of employees and customers, and to general business information.

The healthcare provider, business owner, and privacy officer form a ‘trifecta’ of authority and responsibility in your practice to ensure that you comply with privacy legislation, professional standards of practice, and contractual commitments.

Knowing your obligations includes having clear authority and accountability in your practice, identifying what identifying information you hold in your practice, and understanding how privacy legislation guides your business. Your privacy officer and custodians may require training in these areas to better understand their obligations.

Module 2—Training

Training is an important component of your privacy management program. The privacy officer in your organization ensures that privacy awareness, cybersecurity, and privacy breach management training is provided in your healthcare practice.

There should be both a formal and an informal training plan. A pre-planned privacy awareness training must be available for everyone in your organization, including new and seasoned professionals. It is critical that you can provide and document that everyone in your organization completed consistent common training.

We can provide informal training throughout the year. For example, have a standing agenda item during your staff meeting so that everyone in the organization receives something consistently throughout the year. Leverage activities like Data Privacy Day, Change Your Password Month, and Cybersecurity Awareness Week to provide a variety of content.

A frequently missed trigger for additional training happens when an employee is promoted to a new position. This is a great opportunity for the privacy officer to meet with the employee and discuss their new role and how their responsibility, for example, of authorizing new users or supervising employees contributes to the confidentiality and security of PHI.

Remember to document who attended the training opportunities and keep copies of the training content to show your actions to protect privacy.

Listen to the podcast How To Keep Privacy Awareness Top Of Mind | Episode #093 for more tips and resources to help you plan training throughout the year.

Module 3 – Privacy Breach Management Plan

Ensure that a written privacy breach management procedure is part of your overall privacy management program. The privacy officer will document your privacy breach management policies and procedures and your sanctions policies and procedures, and train all employees to identify a privacy breach and report it to their supervisor. The privacy officer will manage a (suspected) privacy breach and ensure notification to the custodians, the individuals affected by the breach, and others as needed.

The privacy officer will manage mandatory privacy breach notification requirements under health privacy legislation such as the Alberta Health Information Act (HIA), the Ontario Personal Health Information Protection Act (PHIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other provinces’ legislation.

See Understanding a Privacy Breach for more tips.

Module 4—Document

I think most people in healthcare are familiar with the adage, “If it is not documented, it didn’t happen.” This applies to your privacy management program, too. Your program should include written:

  • Health Information Privacy and Security Policies and Procedures
  • Risk Assessment – Safeguards
  • Practical Privacy Review
  • Privacy Impact Assessment
  • Information Management Agreement
  • Information Sharing Agreement
  • Successor Custodian
  • Training plan

These actions will help you protect the PHI of your patients and your business. They help to demonstrate your compliance with your privacy and security obligations. Review and update these key documents annually.

See Privacy Impact Assessment for more tips.

Module 5 – Access and Disclosure

When you collect PHI from patients and PI from employees and customers, you must ensure that they can access, correct, and authorize disclosure of their information.

Release of information (ROI) policies and procedures are a critical module of your privacy management program. Your privacy officer is tasked with ensuring that your ROI plan is written, understood, includes specific training for your employees, and follows legislated standards and professional college standards of practice. When you meet your ROI obligations, you avoid complaints and breaches, work efficiently, and improve the trust of your patients.

Struggling to Learn Your Role As A Privacy Officer On Your Own?

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but aren’t sure how to get started, register for the Practical Privacy Officer Strategies training here.

The training starts on February 28, 2023.

Not sure if this is for you?

Send me an email and ask me! I'm happy to mentor you and help you assess your practice management and privacy compliance priorities.

Listen to the replay of my recent LinkedIn Live Event here.


The True Cost of Hiring Mistakes and How to Avoid It

Posted on February 2, 2023 by Izza Nuguit in Blog


Hiring mistakes can have a significant impact on your healthcare business. Nelson Scott reminds us that we are hiring an employee not just to fill today’s vacancy, but potentially hiring an employee who will be our co-worker for the next ten years. It makes sense to take the time necessary to be prepared to hire the right employee. [See: Interview Right to Hire Right with Guest Expert Nelson Scott | Episode #108]

Otherwise, you may pay the direct and indirect costs of your hiring mistakes summarized below.

What is the Cost of Hiring the Wrong Person?

Have you ever made a mistake and hired the wrong person? You are not alone. In fact, CareerBuilder reports that:

75% of employers believe that they hired the wrong person for a position and ended up losing an average of $15,000 for every hire.

So, what makes up the cost of your hiring mistake? Here are common direct and indirect costs.

Time and Effort

When hiring the wrong person, immense amounts of time and effort are wasted. Not only does it take a considerable amount of time to interview and recruit candidates, but the hiring process itself can take up to 42 days or more. From there, the wrong hire can cause a drop in productivity and lost time in recruiting and training new personnel.

Decreased Morale

Hiring the wrong person can have a significant effect on morale and team dynamics. The National Business Research Institute found that 37% of companies who reported bad hires claimed it impacted employee morale, and 18% reported it had a negative impact on client relations. Bad hires can cause good employees to be overworked and resentful, leading them to consider looking for alternative employment.

Loss of Productivity

Hiring the wrong person can have a significant negative impact on an organization's productivity because of the lost time and effort spent on recruiting, training and managing the employee, as well as the potential for distracting the team, lowering morale, and damaging customer relationships. The poor performance of one employee can cause the rest of the team to put in extra effort to make up for it, leading to burnout and frustration.

Training Costs

Hiring the wrong person can be a costly mistake, with financial costs including recruitment advertising fees, staff time spent on recruitment processes, salary payments, costs of education and training, and costs of rehiring.

With training costs, it's important to consider the investment of both time and money. An average new hire takes 3 months to become productive. During this time, they need extensive training to get up to speed on the company and the job. This involves the time of several individuals, and can be a considerable expense.

The cost of hiring—again—a new employee and then training them can be double what it would have cost to hire the right person the first time.

Reduced Quality

Hiring the wrong person can have a significant impact on quality. The employee may not have the required skills, resulting in mistakes that can be detrimental to the company's reputation and lead to a loss of customers. Poor employees may be habitually late to work or miss days, which affects the efficiency of clinic operations and patient satisfaction reviews. The wrong person can cause a drop in employee morale and productivity, as well as disrupt team dynamics. In extreme cases, it can damage your reputation, your relationships, and your advertising. In this way, a hiring mistake can impact your healthcare practice’s quality standards.

Expenses Associated with Recruiting

The expenses associated with recruiting can include writing a great job posting, paying job search websites to post a job ad, screening resumes for the right work experience, reaching out to passive and active candidates, following up with qualified applicants, scheduling and conducting interviews, performing background checks, negotiating annual salary, sending offers to candidates, and waiting on candidates to decline or accept an offer.

Loss of Reputation

Loss of reputation associated with hiring mistakes can have a significant effect on the cost of hiring. If patients perceive a business to have bad hires because of negative reviews, disgruntled former employees, or poor customer service, it can lead to a drop in patient satisfaction, referrals, and reputation. If your healthcare practice has a revolving door of new employees, your reputation can make it harder to recruit excellent candidates.

The Financial Cost

In hiring the right person for a job, it is important to consider the financial cost of hiring the wrong person. We often estimate that the cost of a bad hire can be up to 2.5 times the salary of the employee.

Interview Right to Hire Right

Hiring the right person for the job is one of the biggest tasks for a manager. It is important to invest in the right person for the job to ensure a successful hire and avoid the cost of hiring the wrong person. That's why it is so important to take the necessary steps to reduce the chances of a bad hire and make sure that you are getting the right people for the job.

In a recent Practice Management Nuggets Podcast for Your Healthcare Practice episode, Jean L. Eaton interviewed Nelson Scott. Nelson is an expert in hiring employees and a coach for managers who need to be better prepared to manage employees. You can listen to the podcast episode #108 here: Practice Management Nuggets Podcast

9 Steps to Hire (and Keep!) Employees in Your Healthcare Practice

It takes time to prepare to recruit, interview, hire, orientate and maintain the right employee for your healthcare practice.

And a little help from a friend (or a Jeannie 😊) is appreciated!

The 9 Steps to Hire provides a comprehensive guide to the entire hiring process, from the job description to onboarding. It goes further than just understanding the cost of a bad hire, and provides tangible steps on how to make sure the right people are hired. It’s a must-read for any healthcare practice looking to hire new employees.

Check out our templates and training available to you right away!

See: 9 Steps to Hire (and Keep!) Employees in Your Healthcare Practice.

If You Need Somebody Now

Many practices appreciate the importance of hiring the right person. But, they may not have the luxury of the time. They need someone to do the job now.

A virtual medical office assistant and virtual receptionist might be an excellent solution for your healthcare practice.

Read the article here, How Virtual Medical Office Administration Services Can Help Your Healthcare Practice With Kyle Sherritt

References

CareerBuilder. How Much Is That Bad Hire Costing Your Business? December 7, 2017.

Enkel. The True Cost of Hiring a New Employee in Canada. Omar Visram, CEO and Co-founder, Enkel. June 24, 2021.

HubSpot. Replacing a single employee costs from 16 to 213 percent of annual salary.

Interview Right to Hire Right with Guest Expert Nelson Scott

Posted on January 30, 2023 by Izza Nuguit in Blog


Do you feel that you are “unlucky” when making hiring decisions?

Have you ever hired someone and then within a few days realized that this isn’t the right fit?

Would you like to avoid common hiring mistakes?

Would you like some tips on how to improve your hiring process?

Hiring the right person for the job is one of the biggest tasks for a manager. It takes time and preparation to conduct effective interviews.

In this Episode #108 of the Practice Management Nuggets Podcast For Your Healthcare Practice, guest expert Nelson Scott of SEA Consulting provides interview tips that you can use to gather high-quality information on which to base your hiring decisions using Behaviour Description Interviewing (BDI).

“If you ask good questions, you're going to get good answers. You're going to get the kind of information you need to make a prediction as to whether this person is the right person to hire.” – Nelson Scott

Why Is Hiring the Right People Important?

Nelson Scott believes that people are what make an organization successful. The right people make it more successful. You want to bring in people who fit the culture of the organization and are in line with its values, purpose and mission. You want people who will come into your organization and feel they belong there.

Nelson’s #1 Tip

Nelson’s #1 tip for clinic managers and healthcare providers of small healthcare practices about hiring employees?

First, identify the top performers in your practice. Then look for the candidates that are most like your top performers. Remember, you are hiring not just for the immediate vacancy, but potentially for the next 10 years. Take the time necessary to find the right employee for your practice.

Listen To The Podcast

In the podcast, Nelson explains how to conduct interviews that will yield high quality information on which to base hiring decisions.

  • Behaviour Description Interviewing (BDI)
  • How to:
    • Write interview questions
    • Get high quality information during interviews
    • Conduct reference checks

We also discuss how to alter common interview questions so that you will get better quality replies.

This will help you to make better hiring decisions.

Listen here: Practice Management Nuggets Podcast


Featured Guest: Nelson Scott, SEA Consulting

Nelson is an expert in hiring employees and a coach for managers who need to be better prepared to manage employees.

Nelson Scott has trained thousands of managers and supervisors from a variety of public, private and not-for-profit sector organizations on how to use interviews to gather high-quality information on which to base their hiring decisions. He also works with clients to develop interview questions, to prepare them to conduct interviews, and to manage the selection process on their behalf.

Nelson Scott has conducted thousands of interviews and been involved in hiring hundreds of people, from frontline staff to CEOs. And along the way, he has made more hiring mistakes than he cares to admit. For more than two decades he has focused his writing and speaking on how to hire, engage and retain the right people. He is the author of three books, including a soon-to-be-published book on staff recognition.

Would you like more interview and staff recognition tips from Nelson?

Check out Nelson’s Briefly Noted Newsletter Here: GREAT Staff Recognition – SEA Consulting

You may also be interested in:

Managing Employees When They Make Mistakes With Stacey Messner

9 Steps to Hire (and Keep!) Employees In Your Healthcare Practice


Roadmap to Start Your On-Line Healthcare Practice

Posted on January 10, 2023 by Izza Nuguit in Blog

What is an On-line Healthcare Practice?

An on-line healthcare practice is a medical practice that provides services through the internet.

It typically involves using technology such as an Electronic Medical Record System (EMR) or practice management software, and billing software to manage patient health records and transactions.

Additionally, it may include using secure telecommunications like video meetings, asynchronous messaging, and telephone. A website and social media platforms help patients and clients find your services.

Technology Supports On-line Healthcare Business

Telemedicine and virtual healthcare have exploded in the last few years. Patients—and healthcare providers—are more willing to deliver health services differently. The rules guiding how healthcare providers are compensated or paid for virtual services have changed. This has opened the gates to new opportunities for healthcare entrepreneurs.

More technology options allow the small business owner to purchase services from reputable vendors with privacy-secure programs. Software as a service, cloud-based hosting, affordable business-grade computer systems for home-based businesses, and high-speed internet infrastructure make it easier for healthcare entrepreneurs to start online healthcare practices.

Why Start an On-line Healthcare Practice?

Individual healthcare providers may want a practice that mixes in-person consultation with virtual follow-up visits.

(See my Practice Management Nuggets podcast, Why Medical Practices Will Have to Offer Telemedicine in the Future to Compete | Episode #095 interview with Dr. Michael Greiwe)

Others may want a work experience where they are the boss and work from a location of their choice.

Some will keep their practice small—themselves, perhaps with administration support.

Some will hire a few practitioners to deliver a small suite of services.

Still others may develop a virtual workforce spread across the country.

Each of the above models benefits from these advantages.

1. Access to a larger patient population

Starting an online healthcare practice allows providers including physicians, pharmacists, dentists, mental health, nutrition, nurses (and more!) to access a larger patient population. By using technology such as secure messaging, appointment requests and prescription refills, patients can get the care they need without having to travel to a brick-and-mortar office.

This allows providers to reach more people in rural areas where it may be difficult for them to open up a brick-and-mortar practice. It also gives patients more flexibility in managing their health care needs from anywhere at any time of day or night.

2. Increased convenience for patients

Starting an online healthcare practice increases convenience for patients by allowing them to manage their health and communicate with their provider's office 24/7 from anywhere online or using a mobile app. The patient portal provides secure messaging and may provide patients access to their own lab results, for example.

3. Lower overhead costs

Starting an on-line healthcare practice can help to offset some of the operational costs. It allows you to work independently or join a group practice, which can save on start-up expenses.

This reduces the need for equipment, furniture, and other resources needed to run a traditional brick-and-mortar clinic.

4. Ability to offer specialty services

Starting an online healthcare practice allows providers to offer specialty services to their patients in a convenient and cost-effective manner. By eliminating the need for brick-and-mortar locations, online healthcare providers can reduce overhead costs and offer lower rates for services. Additionally, online healthcare providers can offer more specialized care than traditional practices due to the increased efficiency and access to a larger geographic reach.

5. Increased efficiency thanks to technology

The software as a service model and cloud-based hosting give the small business access to equipment and support previously only available to larger businesses.

6. Opportunity to offer new services, such as telemedicine

Virtual services and communication technology allow you to offer more convenient services that are accessible from anywhere at any time without having to be physically present in the office or clinic setting. Additionally, they open up opportunities for expanding into new markets that may not have been previously available due to geographical restrictions.

7. Increased profits thanks to decreased overhead costs

Starting an on-line healthcare practice can help increase profits due to decreased overhead costs like commercial office space.

8. Ability to meet the needs of a growing population

The ability to meet the growing needs of a population is a compelling reason to start an on-line healthcare practice. With more and more people around the world struggling to access basic healthcare services, an on-line healthcare practice can provide convenient, affordable, and accessible care for those who need it most. Offering online consultations that are accessible 24/7 via smartphone or laptop computer reduces the barrier of entry preventing those in rural communities from accessing quality advice when they need it most.

What Compliance Requirements Do I Need to be Aware of When Starting an On-line Healthcare Practice?

When starting an on-line healthcare practice, you should be aware of the compliance requirements that keep healthcare regulated and secure for people across the country. These include:

  • Registering as a business entity.
  • Undergoing a credentialing process with professional colleges.
  • Acquiring EMR, computer equipment, and software to handle health records in compliance with provincial privacy legislation and professional colleges' standards of practice.
  • Billing payment processors for fee-for-service and uninsured services.
  • Policies, procedures, privacy and security risk assessment, and privacy impact assessment to securely manage personal health information across all technologies.

It is critical that your legal compliance and privacy compliance practices are in writing. This includes your contracts with vendors, employees, partners, and patients and clients.

What is a roadmap to start an online healthcare practice?

Join the 60-minute webinar for time-saving tips and a roadmap of critical steps on your journey to open your regulated healthcare practice. You will break through the fear and overwhelm around legal and privacy issues in starting a healthcare practice online.

Co-hosted by Canadian business lawyer Corinne Boudreau of Online Legal Essentials Inc. and Jean L. Eaton, Practical Privacy Coach & Practice Management Mentor of Information Managers Ltd.


How To Include Cybersecurity In Your Privacy Impact Assessment

Posted on November 2, 2022 by Izza Nuguit in Blog

Keeping information safe and secure has become more challenging for businesses of all sizes over the last few years. Remote working and using cloud hosted services forced healthcare practices to change, or at least re-examine, their cybersecurity practices and protocols.

According to CyberEdge’s Cyberthreat Defense Report, 85% of organizations suffered from a successful cyberattack in 2021.

A privacy impact assessment (PIA) is an important tool to help understand the risks to patient health information and your healthcare business.

The recent Technology Fact Sheet, “How To Protect Against Ransomware“ from the Ontario Information and Privacy Commissioner, provides explanations and recommendations for all businesses.

Conduct privacy and security risk assessments whenever major new technology changes are introduced, and ensure that all critical elements of your IT environment are regularly reassessed.

– Information and Privacy Commissioner of Ontario

Does Your PIA Include Cybersecurity Risks and Mitigation Plan?

You should review your PIA regularly, at least annually, and update your risk mitigation plans when there is a change in your administrative, technical, or physical practices. You also need to consider that the threat environment external to your business, like the increasing risk of cybersecurity vulnerabilities, can damage your business.

In this Episode #107 of the Practice Management Nuggets Podcast, Jean L. Eaton, Practical Privacy Coach with Information Managers shows us how to include cybersecurity risks in your PIA.

My Takeaways

A Privacy Impact Assessment is a type of risk assessment. We know that cybersecurity vulnerabilities are a real risk for all businesses, including medical, dental, and other healthcare practices.

Take the time now to consider the new cybersecurity risks. Discuss this with your IT and managed services provider. Find strategies that work best in your practice. Remember—ignoring the risk doesn’t make it go away!

Next time you update or amend your PIA, include what you have done lately to prevent a cybersecurity incident in your practice.

Listen To The Podcast

Cybersecurity in Your Privacy Impact Assessment | Episode #107

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast


#PracticeManagementNugget, #PrivacyImpactAssessment, cybersecurity, podcast

Managing Employees When They Make Mistakes With Stacey Messner

Posted on October 3, 2022 by Izza Nuguit in Blog

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace

Have you ever had an employee who has made a mistake and now you’re scrambling about what to do next?

Your business needs a set of reasonable rules and guidelines for employees to follow. This helps to create a safe and respectful workplace and protect the privacy rights of your patients and employees.

Your healthcare practice should have a written policy and procedure to guide you in your response to a privacy and security incident.

Sometimes, our employees have been directly involved in the incident. For example:

  • Petty theft (personal gain)
  • Snooping in patient or employee records (disregarding policies)
  • Faxing a report to the wrong recipient (carelessness)
  • Using patient or employee information to cause harm (malice)

When employees and healthcare providers do not meet our expectations, sanctions or discipline may be appropriate.

In this episode #105 of the Practice Management Nuggets Podcast, guest human resources expert Stacey Messner gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake.

Listen To The Podcast

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace | Episode #105

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast


Are you prepared to have difficult conversations with your employees?

Grab this tip sheet from Stacey Messner free when you subscribe to Stacey’s newsletter list.

Featured Guest: Stacey Messner

Stacey Messner Will Teach You How to Manage Employees When They Make Mistakes – Address Employee Performance and Restore the Workplace

Human resources expert Stacey Messner, Leader in HR gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake, addressing employee performance improvement and workplace restoration practices.


Stacey Messner, Leader in HR, has been providing human resource consultation on a contract basis to businesses in the North Peace Region of Alberta since 2016.

With over 20 years of experience working in all disciplines of HR in many industries, including not-for-profit, Stacey prides herself on providing HR services and support to leaders in workplaces who are responsible for their HR programs.

The services Stacey offers are HR advisory, training and development, workplace assessment, conflict resolution, and special projects such as job description review, HR policy manual, performance review, recruitment, and orientation programs. Stacey was born and raised in the Saskatchewan prairies and married into a Peace Country family where she lives with her husband and kids.

She is an active member in her community, loves raising a family in a rural setting, and enjoys the activities and beauty of the region.

#PracticeManagementNugget, podcast

Best Computer Service Support Options for Your Small Healthcare Practice

Posted on August 30, 2022 by Izza Nuguit in Blog

What is the Best Computer Service Support for Your Small Healthcare Practice?

Many healthcare providers starting their first practice are ‘bootstrapping’ their business: they have no external investors. Business owners are balancing what they can do themselves and what services to hire from someone else.

Today, we will strategize how to implement technology in your healthcare practice and have a look at the different options available to you to select the best computer service support for your small healthcare practice.

Should You Do It Yourself?

When starting your own healthcare practice, it can be tempting to try to save costs by trying your hand at a DIY approach for managing the hardware and software required to run a practice.

That might work for a while. But soon, you will want to look into your options for outsourcing some of this.

When outsourcing your information technology (IT) needs, it’s important to remember that you are ultimately responsible for managing the collection, use, security and safeguards of all personal information that you collect and control.

Let me help you with some definitions, terminology, resources to help you manage your computer network system and to determine what services are best suited for your needs.

We’ll have a look at:

  • Internet Service Providers
  • Managed Service Providers vs Managed Security Service Providers
  • Hardware as Service
  • Value Added Resellers
  • Cloud Service Providers
  • Software As A Service (SaaS), and
  • Remote Monitoring and Management Tools

Keep reading to find out the differences of these.

What is an Internet Service Provider (ISP)?

Internet service providers are likely the service on this list you are already most familiar with; after all, most of us deal with them in our personal lives as well as in our professional lives.

These are companies which provide services which allow us to access the internet.

Unfortunately, some people assume that their ISP is also providing network security at the same time, which is simply not the case the majority of the time.

Something as simple as not changing the default password on your modem or wireless router can lead to vulnerabilities in your network. Right away, many DIY business owners are starting to feel the pinch about not knowing enough about IT to keep their practices secure.

Some internet service providers now also offer managed services. If you choose to go this route, make sure you have a clear understanding of what they can and cannot do, and documentation showing exactly what is included in your fees.

Managed Service Providers (MSP) and Managed Security Service Providers (MSSP)

The definition of Managed Service Provider (MSP) is:

A MSP delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded.

– Gartner's Information Technology Glossary

Managed service providers are a great option for end users without the technical expertise required to manage their own networks.

If you are considering an MSP, read the Risk Considerations For Managed Service Provider Customers document from the Cybersecurity and Infrastructure Security Agency (CISA), which outlines the risks organizations need to consider when they partner with an MSP.

MSP vs MSSP

Managed Security Service Providers (MSSP) provide security monitoring and management services to organizations to ensure they are protected from cybersecurity threats.

The types of services MSSPs can offer include threat monitoring and intrusion detection, firewall management, patch management, endpoint protection, and penetration testing as examples.

An MSP ensures your IT systems are operational, but an MSSP offers security as a service, ensuring your people and systems are safe, secure and compliant.

Managed Services are a good way for businesses to get a high-quality IT service at a predictable monthly cost, instead of having to manage everything themselves, in-house.

What is Hardware as a Service?

Hardware as a Service allows customers to outsource the procurement, installation and support of their IT hardware at a fixed and predictable monthly cost. Companies that use Hardware as a Service benefit from knowing that any issues with their hardware will be diagnosed and fixed by the provider, without having to guess at the cost of the repair.

This is a convenient way of getting current hardware without spending much cash up front. The service model is similar to leasing or licensing: a business obtains IT hardware from a provider, and the terms are set out in a Service Level Agreement (SLA). If hardware breaks down or becomes obsolete, the provider is responsible for repairing or replacing it. Hardware as a Service can be provided by a managed service company or as a stand-alone service to businesses looking to acquire IT hardware.

Typically, these vendors do not provide ongoing monitoring, updates, and patch support to your network.

What is a Value-added Reseller?

A value-added reseller takes existing hardware, adds features such as third-party software, and then sells it at a markup to the end user.

The biggest difference between VARs and MSPs is the term of their involvement with the end user. VARs generally operate on a transactional basis (per license or seat), or a short-term contract. By contrast, MSPs operate on longer-term annual or multi-year contracts, and the tenure of their relationship is open-ended.

What is a Cloud Service Provider (CSP)?

CSPs offer access to technology and infrastructure that they own. This may be part of your digital transformation plan.

You’ve likely heard of some of the more popular cloud service providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.

If you choose to use a cloud service for storing information, you’ll want to do some due diligence to determine the security the service has in place, where the information is stored, and to avoid services which have servers outside of Canada. Even when you use a CSP, you are still responsible to ensure that your local computer environment is secure. This is referred to as a Shared Responsibility model.


What is the Software As A Service (SaaS) Business Model?

SaaS is a type of cloud service. The vendor hosts the software in its own data centre and you access it remotely from your device. Examples include Microsoft Office 365, Google Workspace, and even some electronic medical record (EMR) and electronic dental record (EDR) service providers.

If you’re using a service such as this, the same security caveats which come with cloud services need to be considered such as where the servers storing the information are located.

Privacy, confidentiality, and security of personal information is a shared responsibility whether it is on your device or an outsourced service.

You must properly configure your SaaS so that it is properly securing your data, and communication between yourself and your vendor is critical to understanding the shared responsibility of securing the data.


As the end user, you are responsible for security ‘in’ the cloud. This includes the responsibility of:

  • Collecting and maintaining the customer / PHI data
  • Identity and access management (IAM)
  • Application management
  • Operating system and firewall on your devices
  • Client side data encryption, data integrity, authentication
  • Server-side encryption
  • Network traffic management

Remote Monitoring and Management Tools (RMM)

Many MSPs, and some internal IT teams, use a remote monitoring and management (RMM) tool. This is agent software installed primarily on workstations and servers. The agents report back to the RMM server and provide the data the MSP needs to monitor and manage the system.

The tool allows the MSP to see issues such as:

  • When software needs to be updated
  • If a computer needs to be rebooted
  • That there was an error in a system log that needs to be addressed.

All of this happens behind the scenes and allows the MSP to manage your system remotely.

The issue with RMM is that the software has the ability to fully control your computers so these RMM tools need to be secured.

If the RMM is not properly secured against internal as well as external threats, and an attacker gets into your MSP’s RMM, they now have access to every single client network the MSP manages, including yours! And that is a bad, bad day!

Vet Your Vendors for the Best Computer Service Support Option

Most healthcare providers start with a DIY approach to their computer network. Over time, your needs will change. It is good practice to meet regularly with your vendors to re-visit your IT strategy.

Your best computer service support option during your start-up phase will likely be different as your business matures.

When you select the right outsourced service to support your healthcare practice, you will improve your practice management efficiency and privacy compliance.

Remember to vet the vendor before you enter into a service agreement and Information Management Agreement.

See the Practice Management Nuggets Podcast for Your Healthcare Providers, What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085 with guest Expert Donna Grindle for tips to help you with this step.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies that impact privacy compliance and efficient practice management.

Changing technology and properly managing computer systems is just one aspect of that.

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

Become a member of the Practice Management Success Membership!

digital health, healthcare practice management, privacy

How Does Unique User ID Protect Patient Information In Your Practice?

Posted on August 18, 2022 by Izza Nuguit in Blog

Why You Need Unique User ID In Your Healthcare Practice

When you’re setting up computer systems for your healthcare practice, start by ensuring that every user has a unique user identity (user ID).

Sharing login credentials for everyone on your team can lead to compromised account security, which makes you more vulnerable to phishing attempts, and leads to a greater risk of sensitive information getting into the wrong hands.

Today we’re going to look at why you need to ensure everyone on your team who requires access to IT systems has their own unique user ID and login credentials.

What is User ID?

The user ID or username that you create when you are granted access to a computer network or software application should be unique to the user (not shared). The user ID is persistent—that is, it doesn’t change.

While a user ID needn’t be as complex as a password, you want to avoid an easily guessed or spoofed name. Instead, create a user ID that is reasonably short and uses a mix of letters, numbers and special characters where the system allows it. The system should not allow duplicate user IDs and may have additional criteria about what the name can include.

Sometimes, the user ID appears linked to the content that you enter. For example, the username might be associated with a clinic note you enter in the electronic medical record, internal messaging, or even a blog post.

You can think of the user ID as your digital signature that uniquely identifies the computer user.

You may also have certain programs or additional software, applications, and data, including sensitive information, personally identifying information (PII), and personal health information (PHI) which require an additional unique user ID and password.

Don’t Share Your Unique User ID!

Individuals are responsible for their unique user ID. Together with audit logging, a unique user ID provides non-repudiation: the user cannot credibly deny having taken a particular action.

For example, in an office computer a user ID is used to log in to the system. Once logged in, the user can open their personal folders, shared folders, printers, and so on. If the user later denied accessing and printing a particular file, the audit trail tied to that user ID would show that they had indeed accessed and printed it.

Layers of Protection Is Better

A two-step process that requires the user to enter their unique user ID to access a computer or device, and another unique user ID to access a program like an EMR, is an example of a dual login. This added level of security ensures that an authorized user has access to both the local device and the software.

Multi-factor authentication (MFA) is a better level of security. Again, this starts with entering a unique user ID on the device and a different unique user ID to access specific software, plus a one-time code from an authenticator app or hardware token, or a code sent to the user. The user must enter the code into the software before access is granted. The goal, which NIST SP 800-63B describes as demonstrating authentication intent, is to make it more difficult to access devices or applications without the subject’s knowledge, for example by malware on the endpoint.

MFA is a core component of a strong identity and access management (IAM) policy. It all starts with having a unique username, password, and an additional verification factor, which decreases the likelihood of a successful cyber attack.
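The three checks described above, written out as an added example (not code from this page or from any EMR vendor): a unique user ID, a salted password hash, and a time-based one-time code (TOTP, RFC 6238) all have to pass before access is granted. The user records, user IDs and passwords are constructed for the demo; the TOTP secret is the RFC 6238 reference secret so the expected codes are the published ones.

```python
"""Added example: login that requires a unique user ID, a password and a
time-based one-time code (TOTP, RFC 6238).  Illustrative code written for
this page, not any EMR's authentication module.  User IDs, passwords and
the user store below are constructed for the demo."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# RFC 6238 reference secret, used here so the expected codes are documented.
# In a real deployment each user gets their own randomly generated secret.
TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(user_id: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": TOTP_SECRET}


# Constructed user store: one record per person, keyed by unique user ID.
USERS = {u["user_id"]: u for u in (
    make_user("dr.smith", "correct horse battery"),
    make_user("reception1", "front-desk-2022"),
)}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the current 30-second time step (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_login(user_id: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """True only when user ID, password and one-time code all check out.
    Every failure path returns the same plain False so a caller cannot
    tell which factor was wrong."""
    user = USERS.get(user_id)
    if user is None:
        return False                              # unknown ID: fail closed
    if not hmac.compare_digest(hash_password(password, user["salt"]),
                               user["pw_hash"]):
        return False
    now = int(time.time()) if now is None else now
    # Accept the current step and one step either side to tolerate clock skew.
    for skew in (-1, 0, 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + skew * 30), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit code is 94287082.
    print(totp(TOTP_SECRET, 59))
    print(verify_login("dr.smith", "correct horse battery", "287082", now=59))
```

The one-step skew window is the usual trade-off between tolerating a slightly wrong phone clock and widening the window an attacker who has seen one code can replay it in; a production system would additionally refuse to accept the same code twice.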

79% of organizations have experienced an identity-related security breach in the last two years [Identity Defined Security Alliance], and 61% of all breaches involved credentials, whether obtained through social engineering or brute force attacks [Verizon Data Breach Investigations Report].

Why You Need Unique User ID In Your Healthcare Practice

Benefits of enforcing unique user ID for every user include:

  • Tracking user activity and managing overall operations on a particular system, network or application.
  • Improved security, decreased likelihood of inappropriate access, reduced errors, reduced malicious actions internal and external to the business.
  • Avoidance of fines and sanctions, under privacy legislation.
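As an added example of what the first benefit buys you, and of why the audit logging recommended later in this post matters (not code from this page or from any EMR): a review of a chart-access audit log that is only possible when every event carries a unique user ID. The log lines, user IDs, patient IDs and the day's schedule are constructed for the demo; real EMR audit formats differ.

```python
"""Added example: reviewing an EMR chart-access audit log for snooping.
Illustrative code written for this page, not any EMR's audit tool.  The
log lines, user IDs, patient IDs and schedule below are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed audit log: timestamp,user_id,action,patient_id
AUDIT_LOG = """\
2022-08-18T09:02:11,dr.smith,view_chart,P1001
2022-08-18T09:05:40,reception1,view_demographics,P1001
2022-08-18T09:07:02,reception1,view_chart,P2042
2022-08-18T09:07:30,reception1,view_chart,P2043
2022-08-18T09:07:55,reception1,view_chart,P2044
2022-08-18T09:08:20,reception1,view_chart,P2045
2022-08-18T12:15:00,frontdesk,view_chart,P3001
2022-08-18T12:16:00,frontdesk,view_chart,P3002
"""

# Constructed: the patients each user has a work reason to open today.
SCHEDULE = {
    "dr.smith": {"P1001"},
    "reception1": {"P1001", "P2042"},
}
# A generic login that several staff know the password for.
SHARED_ACCOUNTS = {"frontdesk"}


def parse_log(text: str) -> list:
    """Read the constructed CSV log into one dict per event."""
    reader = csv.DictReader(StringIO(text),
                            fieldnames=["ts", "user_id", "action", "patient_id"])
    return list(reader)


def review(events, schedule, shared_accounts) -> dict:
    """Split events into those explained by the schedule, those a named
    person must answer for, and those nobody can be held to."""
    unexplained, unattributable = [], []
    for e in events:
        if e["user_id"] in shared_accounts:
            # Shared credentials: the log names an account, not a person.
            unattributable.append((e["ts"], e["user_id"], e["patient_id"]))
        elif e["patient_id"] not in schedule.get(e["user_id"], set()):
            unexplained.append((e["ts"], e["user_id"], e["patient_id"]))
    return {"unexplained": unexplained, "unattributable": unattributable}


def charts_per_user(events) -> Counter:
    """Distinct charts opened per user ID; a sudden spike is a snooping signal."""
    seen = {}
    for e in events:
        seen.setdefault(e["user_id"], set()).add(e["patient_id"])
    return Counter({u: len(p) for u, p in seen.items()})


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    report = review(events, SCHEDULE, SHARED_ACCOUNTS)
    for ts, user, patient in report["unexplained"]:
        print(f"{ts} {user} opened {patient} with no scheduled reason")
    for ts, user, patient in report["unattributable"]:
        print(f"{ts} {user} opened {patient}: shared login, person unknown")
    print(charts_per_user(events))
```

The reception1 accesses to P2043 through P2045 can be put to a named person for explanation; the frontdesk accesses cannot, which is exactly the gap a shared account leaves in an investigation.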

My EMR / EDR Has Unique User ID. Isn’t That Good Enough?

Many healthcare practices have not yet implemented a unique user ID policy. Instead, they rely on the electronic medical record (EMR), electronic dental record (EDR) or other practice management software (PMS) system to require unique user ID to access this sensitive data.

This simply isn’t good enough. Locking the back door while the front door is unlocked is not a sufficient deterrent to prevent unauthorized access to your systems and the information that it contains.

I’m certain that there are other sections in your computer files where sensitive information (employee, business, and/or patient information) is maintained. This needs to be protected by identity management and audit tracking, too.

The extra layer of protection of having unique user ID to access your computer system AND another unique user ID to access your EMR / EDR is a reasonable safeguard. Alberta Netcare, NIST, and privacy regulations recommend this minimum standard.

In IBM’s Cost of Data Breach Report 2021, compromised credentials were responsible for 20% of breaches.

Having shared user accounts (instead of unique user ID) increases the likelihood that the user credentials will be compromised and may result in a privacy and security incident.

The IBM report also identified that a zero trust approach helped reduce both the likelihood and the cost of a privacy and security breach. Zero trust means that every user and device accessing electronic data must be strongly authenticated and authorized, every time, with no implicit trust granted because of where the request comes from. In short, don’t assume that because the user is sitting at a computer in a specific location, that user is authorized to access the computer.

As NIST SP 800-207 puts it: “Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”

Make It Easy To Implement Unique User ID Policy

Businesses should use business-grade computer hardware and software for their computer networks and mobile devices. Select operating systems that make it easy to create and manage user accounts. Ensure that user activity audit logging is enabled.

You might be ‘pretty good’ at managing a computer. However, I recommend that healthcare providers, clinic managers, and business owners contact a local computer network technician or managed service provider to help you properly set up user management. Protect your patient’s information and your practice with good computer user management.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies-–not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and properly managing computer systems is just one aspect of that.

Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

digital health, healthcare practice management, privacy, security

Alberta’s New OIPC Commissioner

Posted on July 30, 2022 by Izza Nuguit in Blog

Alberta’s New OIPC Commissioner

The Select Special Information and Privacy Commissioner Search Committee recommends the appointment of Diane McLeod as Alberta’s Information and Privacy Commissioner effective August 1, 2022.

The next time that you correspond with the AB OIPC office, make sure to change the following names in your templates:

Change the name of the outgoing Commissioner, Jill Clayton, and replace with the name of the new Commissioner, Diane McLeod.

More details are in the news release from the Office of the Information and Privacy Commissioner here.

What Does the Alberta OIPC Do?

The Commissioner is an agent of the Legislative Assembly of Alberta. This is not a government department nor is it a department under Alberta Health Services.

The mission of the Office of the Information and Privacy Commissioner of Alberta (OIPC) is to advocate for the access and privacy rights of Albertans, to ensure that public bodies, health custodians and private sector organizations uphold the access and privacy rights contained in the laws of Alberta, and to provide fair, independent and impartial reviews in a timely and efficient manner. OIPC of Alberta

There is a similar role in each of the provinces in Canada.

When to Contact the Alberta OIPC Commissioner

If you are in Alberta and you are a custodian (including physicians, dentists, chiropractors, podiatrists, optometrists, pharmacists, RNs and others), you might need to contact the AB OIPC Commissioner in any of these scenarios.

  • You are submitting a new Privacy Impact Assessment.
  • You have a change in custodians in your practice (a custodian moves, retires, or you add a new custodian to your practice.)
  • You have experienced a privacy breach in your practice and must inform the Commissioner.

If you are a resident of Alberta, you might contact the Commissioner if

  • You have a complaint about how a business manages your personal information. Ideally, you will bring your complaint to the privacy officer of the business first, before filing a complaint with the OIPC.

There are other situations that may arise that you may need to contact the OIPC. The Commissioner performs the responsibilities set out in Alberta’s three access to information and privacy laws:

  • Freedom of Information and Protection of Privacy Act (FOIP)
  • Health Information Act (HIA)
  • Personal Information Protection Act (PIPA)

The Commissioner oversees whether the public bodies, custodians and organizations to which this legislation (and other laws) applies are complying with it.

The OIPC website has many resources and reports available to better understand your roles and responsibilities regarding the collection, use, access, and disclosure of personal information.

Do you have questions about privacy compliance and practice management at your healthcare business? I’m happy to help you!

Email Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor to book a quick, 10-minute call with me.

OIPC Commissioner, privacy

Well it happened! We recently had a privacy breach. It was an ‘oops’ but never the less a privacy breach. I had started the 4 Step Response Plan - Prevent Privacy Breach Pain but thought I had time to go through it. Unfortunately not. Your course has been a godsend with all the information and forms that I need to work through this privacy breach and notifying process.

- Nancy D.

Register for Free On-line Privacy Breach Awareness Training!


Copyright 2022 Information Managers Ltd.
