Informationmanagers.ca Logo
3rd Largest Fine Ever Under the HIA

3rd Largest Fine Ever Under the HIA

3rd Largest Fine Ever Under the HIA

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

An employee who had access to personal health information (PHI) had unauthorized use and altered the PHI. The employer discovered the unauthorized access and conducted an internal investigation. Subsequently, the employer reported the privacy breach to the Office of the Information and Privacy Commissioner as required under the Alberta Health Information Act (HIA).

The Alberta OIPC charged an individual with falsifying COVID-19 immunization records of nearly 200 people from September to November 2021 while they were employed in an administrative support staff role at Alberta Health Services (AHS). The false information was entered into the health information system which feeds into the Alberta Health Immunization record system.

Commissioner’s Investigation

The OIPC opened an offence investigation in June 2023. in March 2024, the OIPC recommended charges under the HIA.

In December 2024, Justice Mah of the Alberta Court of Justice sentenced Hind Mahmoud Dabash to a fine of $12,000 for the offence of knowingly using and creating health information in contravention of the HIA.

The other charge, of knowingly gaining access to the health information of 199 members of the public, was withdrawn.

Take-Aways

The custodian, AHS, was able to monitor and investigate the users’ actions in the electronic medical record systems. This capability is a requirement of health information systems and is a deterrent to individuals to access and alter PHI.

This case is unusual because the employee altered or changed the results of the immunization records which could have resulted in inaccurate diagnosis and treatment decisions for the individual and their families and contacts.

Regular privacy awareness training and monitoring of user activity audit log and supervision are essential steps to prevent and detect the unauthorized use of health information.

Reference

Alberta OIPC News Release December 19, 2024.  https://oipc.ab.ca/court-case-concludes-in-sentencing-for-offence-under-health-information-act/ 

You May Also Be Interested In

Practical Privacy Officer Strategies – Training for clinic manages and privacy officers includes how to respond to a privacy breach and prevention strategies. 
Tips to Prevent Employee Snooping – A Key Component of Your Privacy Practice Management Program: A Hands-On Guide to Protect Your Healthcare Practice from Privacy Beaches
5 New Year’s Resolutions for Privacy Officers and Clinic Managers

5 New Year’s Resolutions for Privacy Officers and Clinic Managers

Why Privacy Resolutions Matter for the New Year

The start of a new year is the perfect time for clinic managers and privacy officers to reflect, reset, and refocus their efforts on safeguarding patient information. Just as individuals set personal goals for growth, healthcare organizations benefit from creating resolutions to strengthen their privacy practices. With evolving regulations, new technologies, and the ever-present risk of breaches, a proactive approach ensures your clinic stays ahead of potential challenges. These five New Year’s Resolutions will help you prioritize compliance, reduce risks, and foster a culture of privacy and accountability in your practice.

1. Review Your Clinic Description and Privacy Impact Assessment (PIA)

Start by assessing your clinic’s current operations and comparing them to your original plans. Are they still aligned, or have new challenges or opportunities arisen? Consider the following:

  • Are there any new initiatives or technologies your clinic is planning to implement this year?
  • Are there upcoming changes in personnel, stakeholders, or organizational structure?
  • Have there been any recent or anticipated legislative updates that could impact your privacy practices?
  • Identify updates that need documentation and determine if you need to notify the Office of the Information and Privacy Commissioner (OIPC).

Regularly updating your PIA ensures your clinic stays compliant, prepared, and aligned with its goals.

If you haven’t completed a PIA, make it a top priority this year! A PIA ensures compliance and protects your patients and organization.

Tip: Check out the December 2024 Q&A With Jean for the ‘Annual Review Checklist’ template to help you right away!

 

2. Monitor Privacy Breaches and Annual Trends

Take a close look at the privacy breaches and near misses from the past year. What patterns or trends stand out? Are there recurring issues, such as faxes being sent to the wrong number or patient forms being given to the wrong person?

It’s time to evaluate your current approach. If reminders to “be more careful” haven’t reduced these incidents, it’s a sign that a new strategy is needed. Process changes, additional staff training, or implementing new tools might be necessary to achieve better results.

Action Step: If you don’t already have a privacy breach reporting tool to provide a clear summary of all breaches at a glance, make it a priority to implement one now. Use this tool to document trends, analyze recurring issues, and develop actionable solutions to discuss during staff meetings.

 

3. Privacy Awareness Training for Everyone!

Recent decisions, such as Ontario IPC’s PHIPA Decision 260, highlight the importance of mandatory Privacy Awareness Training (PAW) training for all staff, including physicians.

Ensure your organization not only mandates this training but also enforces compliance. Accountability starts at the top.

Case Study: In Decision 260, a hospital faced repercussions when a physician accessed 1,400 patient records without proper authorization due to lack of enforced PAW training. How do you ensure that every employee and healthcare provider receive PAW training at your practice?

4. Plan for Succession

Every business owner needs a plan to ensure that there is a plan to continue or close their business if there is a sudden inability of the owner to do their job.

Custodians must designate a successor to ensure patients maintain access to their records in case of sudden changes. Naming a successor custodian who will advocate for and ensure the proper access and retention of patient records is a requirement of professional standards of practice and good business sense.

Clinic managers should know who the designated custodian is and ensure there’s a written agreement in place.

Thought Experiment: Succession planning is critical for privacy officers and clinic managers, too! Who will take over your role if you win the lottery tomorrow? Develop a training plan for your protégé. Check out the upcoming Practical Privacy Officer Strategies training.

5. Review Your Technology Stack

Recent outages like Microsoft 365 or platform closures (e.g., Bench) highlight the importance of contingency planning.

A technology stack inventory includes a listing of your data holdings and software and hardware vendors that you use in your business.

Include the vendor contact details and backup plans for service disruptions.

Ensure that you have written agreements for each service and appropriate access, security, and retention for PHI.

Conduct a risk assessment of the technology that you implement in your business to evaluate the impact of downtime on your clinic. The higher the risk, the more important it is to have a business continuity plan.

Bonus: Email me for a free Technology Stack template to get started!

Schedule these activities into your calendar to prompt you to dedicate time to complete your resolutions. They are not difficult and will contribute to privacy compliance in your practice.

Need some help with your privacy compliance? Join our Practice Management Success Membership for templates, guides, and expert support to make 2025 your best year yet!

 
Jean Eaton Informationmanagers.ca

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach INFORMATION MANAGERS

Is AI the Right Fit for Your Clinic? Key Considerations Before You Implement

Is AI the Right Fit for Your Clinic? Key Considerations Before You Implement

Is AI the Right Fit for Your Clinic? Key Considerations Before You Implement

AI tools, like transcription apps, are revolutionizing healthcare by speeding up processes and reducing tedious tasks. But before diving in, it’s critical to ask: Is this the right choice for your clinic? A game plan is essential to assess risks, outline goals, and document decisions. Here’s what you need to know.

Essential Steps to Evaluate AI for Your Clinic

When introducing AI into your clinic, following a structured process ensures thoughtful decision-making and minimizes potential risks. Clinic managers are telling me that their docs quickly download AI apps to their phone and start dictating clinic notes. Then they want a way to upload these into their electronic medical records (EMR).

As the clinic manager or privacy officer, you need to pause and consider the privacy and security implications. Here are 6 steps to help you evaluate AI for your clinic.

Icon 1. Define Your Goals: What do you want the AI tool to achieve? Faster clinic notes? Accurate referral letters?
Icon 2. Vet the Vendor: Assess their track record, security measures, and support.
Icon 3. Understand the Workflow: Choose between local storage or cloud hosting. Start with a small-scale pilot.
Icon 4. Conduct a Risk Assessment: Examine privacy, security, and compliance risks.
icon 5. Update Policies and Procedures: Ensure staff are trained and patients informed.
icon monitor 6. Monitor to Ensure Accuracy, Efficiency, and Compliance: Regularly review your users and the AI tool performance and adjust workflows as needed.

 

The Role of AI in Clinics

Artificial intelligence mimics human actions to process information and assist decision-making. However, it’s crucial to remember that AI tools complement human judgment—they don’t replace it. For example, when assessing AI for transcription, keep in mind:

  • Hardware, Software, and Data: AI apps rely on all three. Ensure you understand where data will be stored and processed.
  • Integration: Will the tool integrate seamlessly with your EMR, or will you need to adapt workflows?

Transcription Workflow Scenarios to Consider

Trending AI projects in healthcare include using AI to assist with the generating clinic notes. Two common workflows for AI transcription tools are:

  1. Local Processing: Dictations are transcribed directly on your device. Data doesn’t leave your clinic, but users must delete files after processing to avoid breaches.
  2. Cloud-Based Systems: The tool listens during patient consultations, processes data in the cloud, and generates a text document which is uploaded to your EMR.

Anticipate how you will integrate the tool into your practice. Consider the following questions.

  • Accuracy: Who will review the transcribed reports to ensure they accurately capture the clinical conversation? AI tools can struggle with accents, unclear speech, or poor microphone usage.
  • Quality Assurance: Evaluate whether the AI effectively handles nuances in language, such as patients who are not strong English speakers. Ensure the clinical summaries are complete.
  • Efficiency vs. Quality: While AI can save time, the generated reports must meet quality standards. It may be that an AI-prompted clinical note is more complete than one that is written manually by the healthcare provider. Balance efficiency with the need for high-quality documentation.
  • Ethical Considerations: Ensure the AI’s interpretation of clinical conversations remains neutral and unbiased.

Starting small can help. For example, use the tool for specific patient visits or with one or two providers before scaling up.

Vetting the Vendor

Selecting a vendor for your AI tool requires thoughtful consideration to ensure you choose a provider with the experience and reputation you trust. The right vendor will help you implement the tool securely and effectively.

Ask these key questions:

  • How does the vendor safeguard health data?
  • Where will data be stored (locally, in Canada, or internationally)?
  • Have they conducted independent security audits?
  • How do they handle biases in AI-generated data?

A trusted vendor should answer these questions transparently. For help, check out the Canada Health Infoway’s checklist [link] for evaluating AI tools.

Privacy and Compliance

A privacy impact assessment (PIA) is a process to assess the impact of new or change to existing administrative practice, information system or practices relating to the collection, use, disclosure of personal (health) information.

The PIA documents the reasonable safeguards that you will take to protect the privacy, confidentiality, and security of health information.

Changes in technology, like implementing AI tools, trigger the need for a PIA. In particular, a PIA for transcription AI tools will include these questions.

  • How Will you Notify Patients? Inform patients how their data will be collected, processed, and used. Clearly communicate this through notices, laminated summaries, or consent forms.
  • Information Management Agreements (IMA). Ensure the vendor IMA include robust privacy clauses and clear restrictions on data use and secondary purposes.
  • Where is the Source Data Maintained? In a transcription app, know where the audio files are stored and how long they are kept. Automate deleting temporary files once their purpose is served, and ensure compliance with data retention policies.
  • How Will You Secure the Integrity of the Current Patient Record and Reduce Risk? Whenever you add new systems, you also increase the risk of compromise. Call on your computer network vendor and EMR vendor to help you assess the new AI Tool and how it might impact your current systems.

Next Steps: Plan, Document, and Ask for Help

Implementing AI takes time, effort, and clear documentation. Outline your workflow based on the steps outlined in this article: define your goals, vet the vendor, understand the workflow, conduct a risk assessment, update your policies, and monitor for accuracy, efficiency, and compliance. Then, ensure policies are updated, and staff are trained on the new processes. For guidance, visit Practice Management Success Membership or explore resources from the Office of the Information and Privacy Commissioner (for example, AI: Guidance for Small Custodians on the use of Artificial Intelligenceand the Canada Health Infoway (for example, Preparing the Health Care Community for AI Implementations

Have questions about a PIA for your AI implementation? Reach out to me—I’m here to help you with your privacy compliance.

AI tools offer exciting possibilities, but success lies in thoughtful implementation. Take the first step by assessing your clinic’s needs and evaluating risks. With the right approach, you can harness the power of AI while safeguarding patient trust.

 
Jean Eaton informationmanagers.ca

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach at Information Managers.

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

panic button

Don’t Panic!

Take a deep breath. Then, follow these steps to help you to respond to a request for patient records for a court order with confidence!

Listen to the Design Your Practice Podcast with Kayla Das!

Episode 76: How to Prepare Client Records for a Court Order with Jean Eaton

 
designer practice podcast logo court order

Listen to the Podcast Here

You can also find the podcast on Apple Podcast, Spotify, and YouTube. Simply search for “Designer Practice Podcast” on your preferred platform.

 

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

  • Who is named in the court order.
    • This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
  • Record the date and time that you received the order.
  • Clarify when the response is required.
  • Name and contact information.
    • This could be of the officer that delivered the court order (if possible).
    • At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
  • The province or jurisdiction of the court.
  • In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

  • Phone the contact number on the court order.
  • Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient’s record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

illustration of text that has black lines through sections sever or redact part of How to Prepare Patient Records for a Court Order
If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

image of 3d figure in a witness box in court raising hand to affirm testimony How to Prepare Patient Records for a Court Order
On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

  • Your name.
  • Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
  • Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
  • Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
  • Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
  • Be prepared to explain how you know that the records are complete, not missing any details, etc.
  • If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

  • Did you give a copy of the patient records to the court? To whom?
  • Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
  • Any follow-up required for this disclosure?
  • Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
  • Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

  1. Review your policies and procedures now to ensure that it includes how to respond to a court order.
  2. Train your reception staff on what to do if they receive a court order.
  3. Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure:  Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.
Download Practice Management Success Tip – Preparing Patient Records for a Court Order Now!
 
 

 

 
image Jean L. Eaton

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

 

Don’t let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta’s Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

 

Show Me Policy and Procedure Checklist

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you’ve done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video “Can You Spot the Privacy Breach?”
 

 

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf